Username Extraction
Using the TGT of the tiffany.molina user, I will be able to extract all the domain users
┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ KRB5CCNAME=tiffany.molina@dc.intelligence.htb.ccache impacket-GetADUsers intelligence.htb/ -k -no-pass -all -dc-ip $IP
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Getting machine hostname
[*] Querying DC for information about domain.
Name Email PasswordLastSet LastLogon
-------------------- ------------------------------ ------------------- -------------------
administrator 2021-04-19 02:18:37.324158 2023-09-27 01:13:34.201277
Guest <never> <never>
krbtgt 2021-04-19 02:42:42.123388 <never>
danny.matthews 2021-04-19 02:49:34.063349 <never>
jose.williams 2021-04-19 02:49:35.172890 <never>
jason.wright 2021-04-19 02:49:36.219546 <never>
samuel.richardson 2021-04-19 02:49:37.360187 <never>
david.mcbride 2021-04-19 02:49:37.969688 <never>
scott.scott 2021-04-19 02:49:38.063339 <never>
david.reed 2021-04-19 02:49:38.157197 <never>
ian.duncan 2021-04-19 02:49:38.235337 <never>
michelle.kent 2021-04-19 02:49:38.423023 <never>
jennifer.thomas 2021-04-19 02:49:38.579790 <never>
kaitlyn.zimmerman 2021-04-19 02:49:38.673809 <never>
travis.evans 2021-04-19 02:49:38.782055 <never>
kelly.long 2021-04-19 02:49:38.875947 <never>
nicole.brock 2021-04-19 02:49:38.953928 <never>
stephanie.young 2021-04-19 02:49:39.048651 <never>
john.coleman 2021-04-19 02:49:39.157099 <never>
thomas.valenzuela 2021-04-19 02:49:39.282178 <never>
thomas.hall 2021-04-19 02:49:39.391518 <never>
brian.baker 2021-04-19 02:49:39.516521 <never>
richard.williams 2021-04-19 02:49:39.626151 <never>
teresa.williamson 2021-04-19 02:49:39.720413 <never>
david.wilson 2021-04-19 02:49:39.813382 <never>
darryl.harris 2021-04-19 02:49:39.907066 <never>
william.lee 2021-04-19 02:49:40.032313 <never>
thomas.wise 2021-04-19 02:49:40.125883 <never>
veronica.patel 2021-04-19 02:49:40.219553 <never>
joel.crawford 2021-04-19 02:49:41.016652 <never>
jean.walter 2021-04-19 02:49:41.110193 <never>
anita.roberts 2021-04-19 02:49:41.188396 <never>
brian.morris 2021-04-19 02:49:41.282116 <never>
daniel.shelton 2021-04-19 02:49:41.360886 <never>
jessica.moody 2021-04-19 02:49:41.454425 <never>
tiffany.molina 2021-04-19 02:49:41.532178 2023-09-27 01:35:20.865669
james.curbow 2021-04-19 02:49:41.641481 <never>
jeremy.mora 2021-04-19 02:49:41.735760 <never>
jason.patterson 2021-04-19 02:49:41.828961 <never>
laura.lee 2021-04-19 02:49:41.907116 <never>
ted.graves 2021-04-19 02:49:42.032265 2023-09-27 01:33:34.214440 Not only that all the domain users are retrieved, I am able to also see that the ted.graves user has recently logged on
┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ cat dum | cut -d ' ' -f1 | tr -d [:blank:] > users.txt
┌──(kali㉿kali)-[~/archive/htb/labs/intelligence]
└─$ wc -l users.txt
41 users.txtNonetheless, I will save the list to a file; users.txt