Kerberos


Nmap has also enumerated that the target system is running the Kerberos service on ports 88 and 464.

Kerbrute User Enumeration


┌──(kali㉿kali)-[~/archive/htb/labs/mantis]
└─$ kerbrute userenum -d htb.local --dc mantis.htb.local /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
 
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        
 
Version: v1.0.3 (9dad6e1) - 01/10/23 - Ronnie Flathers @ropnop
 
2023/01/10 15:03:20 >  Using KDC(s):
2023/01/10 15:03:20 >  	mantis.htb.local:88
 
2023/01/10 15:03:25 >  [+] VALID USERNAME:	 james@htb.local
2023/01/10 15:03:26 >  [+] VALID USERNAME:	 James@htb.local
2023/01/10 15:03:30 >  [+] VALID USERNAME:	 administrator@htb.local
2023/01/10 15:03:36 >  [+] VALID USERNAME:	 mantis@htb.local
2023/01/10 15:03:46 >  [+] VALID USERNAME:	 JAMES@htb.local
2023/01/10 15:04:08 >  [+] VALID USERNAME:	 Administrator@htb.local
2023/01/10 15:04:27 >  [+] VALID USERNAME:	 Mantis@htb.local
2023/01/10 15:32:38 >  [+] VALID USERNAME:	 MANTIS@htb.local
 

For now, I don’t know the naming scheme, if there is any, but I tried brute-forcing against the target Kerberos for domain usernames with kerbrute. kerbrute found a total of 3 valid domain users:

  • james
  • administrator
  • mantis

I had this running for half an hour as the wordlist is very long.
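
A defender-side view of the enumeration above, as an added example that is not part of the original writeup: it flags a source that requests TGTs for many nonexistent names in a short window, using Event ID 4768 result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), and case-folds the names that did resolve, since AD account names are case-insensitive (the eight hits above are three accounts). The CSV layout, IP addresses, thresholds and the rule that any result code other than 0x6 means the name exists are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

UNKNOWN = "0x6"  # KDC_ERR_C_PRINCIPAL_UNKNOWN: requested name does not exist

def build_sample():
    """Constructed sample: simplified CSV export of 4768 records
    (time, client address, requested account name, result code)."""
    rows, t0 = [], datetime(2023, 1, 10, 15, 3, 20)
    for i in range(40):  # burst of guesses for names that do not exist
        rows.append((t0 + timedelta(seconds=i), "10.0.0.50", f"guess{i}", UNKNOWN))
    for i, name in enumerate(["james", "James", "administrator", "mantis"]):
        # Assumption: any code other than 0x6 means the principal exists
        rows.append((t0 + timedelta(seconds=5 + i), "10.0.0.50", name, "0x19"))
    rows.append((t0, "10.0.0.7", "jmaes", UNKNOWN))  # one typo from a workstation
    return "\n".join(f"{t.isoformat()},{ip},{n},{rc}" for t, ip, n, rc in rows)

def detect_enumeration(log_text, window=timedelta(seconds=60), min_unknown=20):
    """Return {source_ip: summary} for sources that asked for at least
    min_unknown distinct nonexistent names inside one sliding window."""
    by_src = defaultdict(list)
    for ts, ip, name, rc in csv.reader(io.StringIO(log_text)):
        by_src[ip].append((datetime.fromisoformat(ts), name.lower(), rc.lower()))
    findings = {}
    for ip, events in by_src.items():
        events.sort()
        misses = [(t, n) for t, n, rc in events if rc == UNKNOWN]
        start = 0
        for end in range(len(misses)):
            # Shrink the window from the left until it spans <= `window`
            while misses[end][0] - misses[start][0] > window:
                start += 1
            if len({n for _, n in misses[start:end + 1]}) >= min_unknown:
                findings[ip] = {
                    "unknown_names": len({n for _, n in misses}),
                    # Names the source now knows are valid, case-folded
                    "confirmed": sorted({n for _, n, rc in events if rc != UNKNOWN}),
                }
                break
    return findings

if __name__ == "__main__":
    for ip, summary in detect_enumeration(build_sample()).items():
        print(ip, summary)
```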