Kerberos
Nmap discovered a KDC service on the target ports 88 and 464
The running service is Microsoft Windows Kerberos
While I do not know the naming convention that the target domain uses, I will attempt to enumerate usernames as much as possible by brute-forcing the KDC For efficiency, I will get that running in the background while enumerating other services
┌──(kali㉿kali)-[~/archive/htb/labs/axlle]
└─$ kerbrute userenum --dc mainframe.axlle.htb -d AXLLE.HTB /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -t 200
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 06/26/24 - Ronnie Flathers @ropnop
2024/06/26 16:55:29 > Using KDC(s):
2024/06/26 16:55:29 > mainframe.axlle.htb:88
2024/06/26 16:55:30 > [+] VALID USERNAME: administrator@AXLLE.HTB
2024/06/26 16:55:38 > [+] VALID USERNAME: Administrator@AXLLE.HTB
2024/06/26 17:21:51 > [+] VALID USERNAME: mainframe@AXLLE.HTB
2024/06/26 17:45:53 > Done! Tested 8295455 usernames (3 valid) in 3024.360 secondsI had kerbrute running in the background for a while and found 2 valid domain users;
administratormainframe(machine account)