Attacking ntds

NTDS.dit is the database file in which Active Directory stores its data on a domain controller, including user objects, groups, and group membership. By default it is located in the C:\Windows\NTDS folder. The file also holds the password hashes of every user in the domain, so dumping the contents of NTDS.dit reveals password hashes that can then be cracked offline.

Username

In a black box pentest engagement, the usernames of employees can be enumerated with various methods.

  • Search social media (LinkedIn, Facebook, Instagram, Twitter, etc.) for the first and last names of employees
  • Use Google dorks, for example "Companyname" filetype:pdf, to find documents that expose names or e-mail addresses

After finding several names, use username-anarchy to create a list of possible usernames.

username-anarchy -i names.txt

Kerberos

If the Domain Controller is reachable on the network, Nmap's krb5-enum-users script can enumerate valid usernames over Kerberos (TCP port 88).

sudo nmap -p 88 --script=krb5-enum-users --script-args
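The defender-side view of the Kerberos enumeration above, as an added example that is not part of the original page: krb5-enum-users sends an AS-REQ per candidate name, and for each name that does not exist the domain controller logs Event ID 4768 with Result Code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN). The script below parses a constructed flat export of 4768 records (the CSV layout is an assumption) and flags any client address that produced a burst of 0x6 results inside a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Event ID 4768 records in an assumed flat export:
# timestamp,event_id,target_account,client_address,result_code
SAMPLE_LOG = """\
2024-05-01T10:00:01,4768,j.smith,10.0.0.5,0x0
2024-05-01T10:00:03,4768,aaron.adams,10.0.0.77,0x6
2024-05-01T10:00:03,4768,abby.allen,10.0.0.77,0x6
2024-05-01T10:00:04,4768,adam.baker,10.0.0.77,0x6
2024-05-01T10:00:04,4768,j.smith,10.0.0.77,0x0
2024-05-01T10:00:05,4768,alan.brown,10.0.0.77,0x6
2024-05-01T10:00:06,4768,amy.clark,10.0.0.77,0x6
2024-05-01T10:00:30,4768,typo.user,10.0.0.9,0x6
2024-05-01T10:15:00,4768,b.jones,10.0.0.5,0x18
"""

KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"  # AS-REQ for a name that does not exist

def parse_events(text):
    """Parse the flat export into dicts, keeping only 4768 rows."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, client, code = line.split(",")
        if event_id == "4768":
            events.append({"time": datetime.fromisoformat(ts), "account": account,
                           "client": client, "code": code})
    return events

def detect_user_enumeration(events, threshold=5, window=timedelta(seconds=60)):
    """Return {client_address: sorted unknown names} for every client that
    produced at least `threshold` 0x6 failures inside some `window`."""
    per_client = defaultdict(list)
    for ev in events:
        if ev["code"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            per_client[ev["client"]].append(ev)
    flagged = {}
    for client, evs in per_client.items():
        evs.sort(key=lambda e: e["time"])
        j = 0
        for i in range(len(evs)):
            # Slide j to the first failure that falls outside evs[i]'s window.
            while j < len(evs) and evs[j]["time"] - evs[i]["time"] <= window:
                j += 1
            if j - i >= threshold:  # burst of unknown principals from one host
                flagged[client] = sorted({e["account"] for e in evs})
                break
    return flagged
```

A single 0x6 (a mistyped logon) or a 0x18 (wrong password for an existing account) from a workstation is normal noise; only a sustained run of 0x6 from one address is reported.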

rpcclient