Kerberos
Nmap discovered a KDC service on the target ports 88 and 464
The running service is Microsoft Windows Kerberos
While I do not know the naming convention that the target domain uses, I will attempt to enumerate usernames as much as possible by brute-forcing the KDC. For efficiency, I will get that running in the background while enumerating other services
Username enumeration
┌──(kali㉿kali)-[~/archive/htb/labs/resolute]
└─$ kerbrute userenum --dc resolute.megabank.local -d MEGABANK.LOCAL /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
Version: v1.0.3 (9dad6e1) - 06/10/23 - Ronnie Flathers @ropnop
2023/06/10 16:29:08 > Using KDC(s):
2023/06/10 16:29:08 > resolute.megabank.local:88
2023/06/10 16:29:08 > [+] VALID USERNAME: steve@MEGABANK.LOCAL
2023/06/10 16:29:09 > [+] VALID USERNAME: fred@MEGABANK.LOCAL
2023/06/10 16:29:09 > [+] VALID USERNAME: marcus@MEGABANK.LOCAL
2023/06/10 16:29:10 > [+] VALID USERNAME: simon@MEGABANK.LOCAL
2023/06/10 16:29:10 > [+] VALID USERNAME: ryan@MEGABANK.LOCAL
2023/06/10 16:29:10 > [+] VALID USERNAME: stevie@MEGABANK.LOCAL
2023/06/10 16:29:11 > [+] VALID USERNAME: angela@MEGABANK.LOCAL
2023/06/10 16:29:13 > [+] VALID USERNAME: Steve@MEGABANK.LOCAL
2023/06/10 16:29:15 > [+] VALID USERNAME: claire@MEGABANK.LOCAL
2023/06/10 16:29:17 > [+] VALID USERNAME: sally@MEGABANK.LOCAL
2023/06/10 16:29:19 > [+] VALID USERNAME: claude@MEGABANK.LOCAL
2023/06/10 16:29:23 > [+] VALID USERNAME: melanie@MEGABANK.LOCAL
2023/06/10 16:29:26 > [+] VALID USERNAME: administrator@MEGABANK.LOCAL
2023/06/10 16:29:28 > [+] VALID USERNAME: gustavo@MEGABANK.LOCAL
2023/06/10 16:29:28 > [+] VALID USERNAME: STEVE@MEGABANK.LOCAL
2023/06/10 16:29:32 > [+] VALID USERNAME: marko@MEGABANK.LOCAL
2023/06/10 16:29:34 > [+] VALID USERNAME: Marcus@MEGABANK.LOCAL
2023/06/10 16:29:41 > [+] VALID USERNAME: Angela@MEGABANK.LOCAL
2023/06/10 16:29:45 > [+] VALID USERNAME: Ryan@MEGABANK.LOCAL
2023/06/10 16:29:45 > [+] VALID USERNAME: Fred@MEGABANK.LOCAL
2023/06/10 16:29:47 > [+] VALID USERNAME: paulo@MEGABANK.LOCAL
2023/06/10 16:29:50 > [+] VALID USERNAME: felicia@MEGABANK.LOCAL
2023/06/10 16:29:52 > [+] VALID USERNAME: annette@MEGABANK.LOCAL
2023/06/10 16:29:52 > [+] VALID USERNAME: abigail@MEGABANK.LOCAL
2023/06/10 16:29:58 > [+] VALID USERNAME: Stevie@MEGABANK.LOCAL
2023/06/10 16:29:59 > [+] VALID USERNAME: FRED@MEGABANK.LOCAL
2023/06/10 16:30:04 > [+] VALID USERNAME: Simon@MEGABANK.LOCAL
2023/06/10 16:30:20 > [+] VALID USERNAME: Annette@MEGABANK.LOCAL
2023/06/10 16:30:45 > [+] VALID USERNAME: annika@MEGABANK.LOCAL
2023/06/10 16:30:46 > [+] VALID USERNAME: Claude@MEGABANK.LOCAL
2023/06/10 16:31:12 > [+] VALID USERNAME: per@MEGABANK.LOCAL
2023/06/10 16:31:20 > [+] VALID USERNAME: Administrator@MEGABANK.LOCAL
2023/06/10 16:31:44 > [+] VALID USERNAME: Sally@MEGABANK.LOCAL
2023/06/10 16:31:45 > [+] VALID USERNAME: MARCUS@MEGABANK.LOCAL
2023/06/10 16:32:03 > [+] VALID USERNAME: Claire@MEGABANK.LOCAL
2023/06/10 16:32:04 > [+] VALID USERNAME: ANGELA@MEGABANK.LOCAL
2023/06/10 16:32:10 > [+] VALID USERNAME: naoki@MEGABANK.LOCAL
2023/06/10 16:32:22 > [+] VALID USERNAME: Melanie@MEGABANK.LOCAL
2023/06/10 16:32:22 > [+] VALID USERNAME: Marko@MEGABANK.LOCAL
2023/06/10 16:32:47 > [+] VALID USERNAME: SIMON@MEGABANK.LOCAL
2023/06/10 16:32:52 > [+] VALID USERNAME: zach@MEGABANK.LOCAL
2023/06/10 16:33:59 > [+] VALID USERNAME: Paulo@MEGABANK.LOCAL
2023/06/10 16:34:02 > [+] VALID USERNAME: CLAUDE@MEGABANK.LOCAL
2023/06/10 16:34:54 > [+] VALID USERNAME: Felicia@MEGABANK.LOCAL
2023/06/10 16:35:03 > [+] VALID USERNAME: ulf@MEGABANK.LOCAL
2023/06/10 16:36:05 > [+] VALID USERNAME: RYAN@MEGABANK.LOCAL
2023/06/10 16:37:59 > [+] VALID USERNAME: MELANIE@MEGABANK.LOCAL
2023/06/10 16:38:02 > [+] VALID USERNAME: Gustavo@MEGABANK.LOCAL
2023/06/10 16:38:51 > [+] VALID USERNAME: resolute@MEGABANK.LOCAL
2023/06/10 16:41:18 > [+] VALID USERNAME: ANNETTE@MEGABANK.LOCAL
2023/06/10 16:46:51 > [+] VALID USERNAME: STEVIE@MEGABANK.LOCAL
2023/06/10 16:46:56 > [+] VALID USERNAME: PAULO@MEGABANK.LOCAL
2023/06/10 16:47:02 > [+] VALID USERNAME: MARKO@MEGABANK.LOCAL
2023/06/10 16:47:11 > [+] VALID USERNAME: GUSTAVO@MEGABANK.LOCAL
2023/06/10 16:47:20 > [+] VALID USERNAME: CLAIRE@MEGABANK.LOCAL
2023/06/10 16:47:27 > [+] VALID USERNAME: Annika@MEGABANK.LOCAL
2023/06/10 17:00:41 > [+] VALID USERNAME: Ulf@MEGABANK.LOCAL
2023/06/10 17:01:07 > [+] VALID USERNAME: Per@MEGABANK.LOCAL
2023/06/10 17:01:13 > [+] VALID USERNAME: NAOKI@MEGABANK.LOCAL
2023/06/10 17:02:24 > [+] VALID USERNAME: Abigail@MEGABANK.LOCAL
2023/06/10 17:02:25 > [+] VALID USERNAME: ABIGAIL@MEGABANK.LOCAL
2023/06/10 17:09:14 > [+] VALID USERNAME: sunita@MEGABANK.LOCAL
Kerbrute was able to enumerate a total of 25 domain users. Based on the usernames, it would appear that the naming convention is just the first name
┌──(kali㉿kali)-[~/archive/htb/labs/resolute]
└─$ wc -l kerbrute.txt
25 kerbrute.txt
I will save them to a list
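
A defender's view of the enumeration above, as an added example that is not part of the original write-up: the KDC answers an AS-REQ for a non-existent principal with KDC_ERR_C_PRINCIPAL_UNKNOWN, which a domain controller with Kerberos Authentication Service auditing enabled records as event 4768 with result code 0x6, so a wordlist run shows up as one client producing many such failures for distinct names. The flat record layout, the addresses, the window and the threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

PRINCIPAL_UNKNOWN = 0x6  # KDC_ERR_C_PRINCIPAL_UNKNOWN, result code of a failed 4768

# Constructed sample (not from the page): time, client address, account, result code.
# This flat layout is an assumption; map it from your own export of the DC Security log.
SAMPLE = """\
2023-06-10T16:29:08 192.0.2.50 mike 0x6
2023-06-10T16:29:08 192.0.2.50 john 0x6
2023-06-10T16:29:09 192.0.2.50 david 0x6
2023-06-10T16:29:09 198.51.100.7 svc_backup 0x0
2023-06-10T16:29:09 192.0.2.50 chris 0x6
2023-06-10T16:29:10 192.0.2.50 alex 0x6
2023-06-10T16:29:10 192.0.2.50 Mike 0x6
2023-06-10T16:29:11 192.0.2.50 james 0x6
2023-06-10T16:31:40 198.51.100.7 jsmiht 0x6
"""

def parse(text):
    """Turn the flat records into (time, client, account, result_code) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, client, account, code = line.split()
        # Account names are case-insensitive, so "Mike" and "mike" are one principal.
        events.append((datetime.fromisoformat(when), client, account.lower(), int(code, 16)))
    return events

def find_enumeration(events, window=timedelta(seconds=60), threshold=5):
    """Return {client: peak count of distinct unknown principals inside one window}."""
    recent = defaultdict(deque)  # client -> (time, account) of recent 0x6 failures
    flagged = {}
    for when, client, account, code in sorted(events):
        if code != PRINCIPAL_UNKNOWN:
            continue
        q = recent[client]
        q.append((when, account))
        while when - q[0][0] > window:  # drop failures that fell out of the window
            q.popleft()
        distinct = len({name for _, name in q})
        if distinct >= threshold:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

if __name__ == "__main__":
    for client, names in find_enumeration(parse(SAMPLE)).items():
        print(f"{client}: {names} distinct unknown principals within 60 s")
```

Counting distinct names rather than raw failures keeps a single user repeatedly mistyping their own name from tripping the rule.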