Kerberos
Nmap discovered a KDC on the target port 88 and 464
The running service is Microsoft Windows Kerberos
Username Enumeration
While I do not know the naming convention that the target domain uses, I will attempt to enumerate usernames as much as possible by brute-forcing the KDC I will get that running in the background while enumerating other services for efficiency
┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ kerbrute userenum --dc dc01.infiltrator.htb -d INFILTRATOR.HTB /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -t 200
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 08/31/24 - Ronnie Flathers @ropnop
2024/08/31 23:13:38 > Using KDC(s):
2024/08/31 23:13:38 > dc01.infiltrator.htb:88
2024/08/31 23:13:39 > [+] VALID USERNAME: administrator@INFILTRATOR.HTB
2024/08/31 23:13:41 > [+] VALID USERNAME: Administrator@INFILTRATOR.HTB
2024/09/01 00:00:51 > [+] VALID USERNAME: dc01@INFILTRATOR.HTB
2024/09/01 00:08:39 > [+] VALID USERNAME: a.walker@INFILTRATOR.HTB
2024/09/01 00:13:00 > Done! Tested 8295455 usernames (4 valid) in 3562.337 secondsI had kerbrute running in the background for awhile.
It has found a valid domain user; a.walker
The target organization appears to use the following naming convention;
First letter of the firstname + lastname