Naming Convention


I found 4 valid domain users while performing a brute force attack against the target KDC. Those 4 domain users are:

  • jjones
  • tbrady
  • ppaul
  • mmalone

Based on the structure of the usernames, it is reasonable to assume that the target domain has a specific naming convention. It appears to be the initial letter of the first name followed by the last name.

Assuming that is the actual naming convention that the target organization uses, I could attempt to generate a list of possible usernames following the same structure.

Wordlist


┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ python3 ~/Tools/username_generator.py
Choose username format:
1) hsimpson
2) h.simpson
3) homersimpson
4) homer.simpson
5) hjsimpson
6) homerjsimpson
7) homerjaysimpson
8) homersimpsonb
Option: 1
Mail domain (example: ...@domain.com) [Default: none]: 
Domain (example: domain\...) [Default: none]: 
Surnames file path: /usr/share/wordlists/seclists/Usernames/Names/familynames-usa-top1000.txt
Output file [Default: results.txt]: /home/kali/archive/htb/labs/rebound/potential_usernames.txt
Output saved in /home/kali/archive/htb/labs/rebound/potential_usernames.txt
 
┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ wc -l potential_usernames.txt                                          
26000 potential_usernames.txt

Using a custom Python script, I generated a wordlist containing potential usernames: potential_usernames.txt.

Username Extraction


┌──(kali㉿kali)-[~/archive/htb/labs/rebound]
└─$ kerbrute userenum --dc dc01.rebound.htb -d REBOUND.HTB ./potential_usernames.txt 
 
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        
 
version: v1.0.3 (9dad6e1) - 09/11/23 - Ronnie Flathers @ropnop
 
2023/09/11 02:34:05 >  Using KDC(s):
2023/09/11 02:34:05 >  	dc01.rebound.htb:88
 
2023/09/11 02:34:05 >  [+] VALID USERNAME:	 jJONES@REBOUND.HTB
2023/09/11 02:34:31 >  [+] VALID USERNAME:	 mMALONE@REBOUND.HTB
2023/09/11 02:34:31 >  [+] VALID USERNAME:	 pPAUL@REBOUND.HTB
2023/09/11 02:34:34 >  [+] VALID USERNAME:	 tBRADY@REBOUND.HTB
2023/09/11 02:35:09 >  Done! Tested 26000 usernames (4 valid) in 64.170 seconds

No additional domain users found. Those 4 users are the ones that I have to work with for now.
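
Seen from the domain controller, a run like the one above (26000 names tested in about 64 seconds from one host) leaves a burst of failed TGT requests for accounts that do not exist. The following is an added example, not part of the original write-up: a detector for that pattern over event 4768 records with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN). It assumes Kerberos Authentication Service failure auditing is enabled; the comma-separated record layout, the IP addresses, the `guessNNN` account names and the threshold are constructed for illustration.

```python
"""Flag Kerberos username enumeration from failed AS-REQs (constructed data)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

UNKNOWN_PRINCIPAL = "0x6"  # KDC_ERR_C_PRINCIPAL_UNKNOWN, as reported in event 4768

def parse(line):
    """Parse one simplified 'timestamp,event_id,src_ip,account,result' record."""
    ts, event_id, src, account, result = line.strip().split(",")
    return datetime.fromisoformat(ts), int(event_id), src, account.lower(), result.lower()

def find_enumeration(lines, window=timedelta(seconds=60), threshold=20):
    """Return {src_ip: peak number of distinct unknown accounts seen inside
    `window`} for every source whose peak reaches `threshold`."""
    recent = defaultdict(deque)  # src_ip -> (timestamp, account) still in the window
    peak = defaultdict(int)
    for ts, event_id, src, account, result in sorted(map(parse, lines)):
        if event_id != 4768 or result != UNKNOWN_PRINCIPAL:
            continue
        q = recent[src]
        q.append((ts, account))
        while ts - q[0][0] > window:  # drop records older than the window
            q.popleft()
        peak[src] = max(peak[src], len({name for _, name in q}))
    return {src: n for src, n in peak.items() if n >= threshold}

def sample_log():
    """Constructed records: one enumerating host, one user mistyping a name."""
    start = datetime(2023, 9, 11, 2, 34, 5)
    lines = [f"{(start + timedelta(milliseconds=100 * i)).isoformat()},4768,"
             f"10.0.0.50,guess{i:03d},0x6" for i in range(300)]
    lines += [f"{(start + timedelta(seconds=10 * i)).isoformat()},4768,"
              f"10.0.0.21,jjnoes,0x6" for i in range(3)]
    lines.append(f"{start.isoformat()},4768,10.0.0.21,jjones,0x0")  # normal logon
    return lines

if __name__ == "__main__":
    for src, n in find_enumeration(sample_log()).items():
        print(f"{src}: {n} distinct unknown principals within 60s")
```

Counting distinct account names rather than raw failures keeps a single user who repeats the same typo below the threshold.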