KDC
Nmap discovered a KDC server on the target port 88 and 464
The running service is Microsoft Windows Kerberos
While I do not know the naming convention that the target domain uses, I will attempt to enumerate usernames as much as possible by brute-forcing the KDC For efficiency, I will get that running in the background while enumerating other services
kerbrute
┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ kerbrute userenum --dc dc.outdated.htb -d OUTDATED.HTB /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -t 200
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 01/03/24 - Ronnie Flathers @ropnop
2024/01/03 12:41:45 > Using KDC(s):
2024/01/03 12:41:45 > dc.outdated.htb:88
2024/01/03 12:41:45 > [+] VALID USERNAME: guest@OUTDATED.HTB
2024/01/03 12:41:45 > [+] VALID USERNAME: administrator@OUTDATED.HTB
2024/01/03 12:41:49 > [+] VALID USERNAME: client@OUTDATED.HTB
2024/01/03 12:43:23 > [+] VALID USERNAME: sflowers@OUTDATED.HTB
2024/01/03 13:37:51 > Done! Tested 8295455 usernames (8 valid) in 3366.807 secondsI had kerbrute running in the background for awhile and it returned a total of 2 none default users.
- While these discovered usernames will be saved into a file, I also found an interesting fact
- Based on the structure of a discovered username, it appears to follow a specific naming convention.
- The suspected naming convention is the first letter of firstname followed by lastname;
sflowers
- The suspected naming convention is the first letter of firstname followed by lastname;
- Based on the structure of a discovered username, it appears to follow a specific naming convention.
This information maybe used to further enumerate valid domain users