User enumeration allows attackers to conduct dictionary attacks against systems and reveals information about who has access to them. Against Windows systems, there are two known techniques to enumerate the users in the system: SAMR enumeration and LSA bruteforcing. Both user enumeration techniques are implemented in the Nmap Scripting Engine. While this attack requires a valid account on most systems, some systems (Windows 2000 by default) allow user enumeration anonymously.
This recipe shows how to enumerate the users that have logged in to a Microsoft Windows system with Nmap.
Open your terminal and enter the following Nmap command:
$ nmap -p139,445 --script smb-enum-users <target>
If the system allows user enumeration anonymously, the user list will be included in the scan results. Remember that on modern systems you need to provide valid credentials, as anonymous access is disabled by default:
Host script results:
| smb...
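For auditing your own hosts, the sketch below reads Nmap XML output (`-oX`) and lists the hosts whose `smb-enum-users` result contains account names. It is an added example, not code from the original recipe. It assumes the scan was run without credentials and that account lines have the form `DOMAIN\name (RID: n)`; the sample XML is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX` output (addresses, names and RIDs are made up).
SAMPLE_XML = r"""<nmaprun>
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-enum-users" output="&#10;  LAB\Administrator (RID: 500)&#10;    Flags: Normal user account&#10;  LAB\svc_backup (RID: 1104)&#10;    Flags: Password does not expire&#10;"/>
    </hostscript>
  </host>
  <host>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-os-discovery" output="(constructed, not relevant here)"/>
    </hostscript>
  </host>
  <host>
    <address addr="192.0.2.12" addrtype="ipv4"/>
  </host>
</nmaprun>"""

# Assumed account line format: "  DOMAIN\name (RID: 500)"
ACCOUNT_RE = re.compile(r"^[ \t]*(\S+)\\(.+?) \(RID: (\d+)\)[ \t]*$", re.M)


def hosts_exposing_users(xml_text):
    """Map each host address to the (domain, name, rid) tuples it disclosed."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for script in host.iterfind("hostscript/script"):
            if script.get("id") != "smb-enum-users":
                continue
            output = script.get("output", "")
            accounts = [(d, n, int(r)) for d, n, r in ACCOUNT_RE.findall(output)]
            if accounts:  # script ran and returned at least one account
                findings[addr] = accounts
    return findings


if __name__ == "__main__":
    for addr, accounts in hosts_exposing_users(SAMPLE_XML).items():
        print(f"{addr}: {len(accounts)} account(s) readable over SMB")
        for domain, name, rid in accounts:
            print(f"  {domain}\\{name} (RID {rid})")
```

Any host this reports after an unauthenticated scan is disclosing its account list and is a candidate for tightening anonymous access.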