Kerberos
Nmap discovered a KDC server on the target port 88 and 464
The running service is Microsoft Windows Kerberos
While I do not know the naming convention that the target domain uses, I will attempt to enumerate usernames as much as possible by brute-forcing the KDC For efficiency, I will get that running in the background while enumerating other services
kerbrute
┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ kerbrute userenum --dc dc1.scrm.local -d SCRM.LOCAL /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 11/17/23 - Ronnie Flathers @ropnop
2023/11/17 20:21:08 > Using KDC(s):
2023/11/17 20:21:08 > dc1.scrm.local:88
2023/11/17 20:21:56 > [+] VALID USERNAME: administrator@SCRM.LOCAL
2023/11/17 20:24:00 > [+] VALID USERNAME: asmith@SCRM.LOCAL
2023/11/17 20:27:03 > [+] VALID USERNAME: Administrator@SCRM.LOCAL
2023/11/17 20:29:29 > [+] VALID USERNAME: jhall@SCRM.LOCAL
2023/11/17 20:46:53 > [+] VALID USERNAME: sjenkins@SCRM.LOCAL
^CI had kerbrute running in the background for awhile and it returned a total of 3 none default users. While these discovered usernames will be saved into a file, I also found an interesting fact Based on the structure of discovered usernames, it appears to follow a specific naming convention.
The suspected naming convention is the first letter of firstname followed by lastname This information maybe used to further extract valid domain users