Naming Convention


A potential naming convention used by the target organization was first suspected while enumerating valid domain users through a brute-force attack against the target KDC.

At a later stage, a valid domain user, suspected to be an admin user, was disclosed in the supportrequest.html file during the Web enumeration. The structure of that username matches the same naming convention discovered earlier during the Kerberos enumeration.

The discovered naming convention is the first letter of the first name, followed by the last name.

In the following sections, a list of potential usernames will be generated following the discovered naming convention of the target organization.

Wordlist


┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ python3 ~/Tools/username_generator.py
Choose username format:
1) hsimpson
2) h.simpson
3) homersimpson
4) homer.simpson
5) hjsimpson
6) homerjsimpson
7) homerjaysimpson
8) homersimpsonb
Option: 1
Mail domain (example: ...@domain.com) [Default: none]: 
Domain (example: domain\...) [Default: none]: 
Surnames file path: /usr/share/wordlists/seclists/Usernames/Names/familynames-usa-top1000.txt
Output file [Default: results.txt]: /home/kali/archive/htb/labs/scrambled/list.txt
Output saved in /home/kali/archive/htb/labs/scrambled/list.txt

Username generation complete

┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ wc -l list.txt                                                             
26000 list.txt

The generated list contains 26,000 potential usernames.

Username Extraction


┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ kerbrute userenum --dc dc1.scrm.local -d SCRM.LOCAL ./list.txt
 
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        
 
version: v1.0.3 (9dad6e1) - 11/17/23 - Ronnie Flathers @ropnop
 
2023/11/17 21:51:37 >  Using KDC(s):
2023/11/17 21:51:37 >  	dc1.scrm.local:88
 
2023/11/17 21:51:37 >  [+] VALID USERNAME:	 aSMITH@SCRM.LOCAL
2023/11/17 21:51:53 >  [+] VALID USERNAME:	 jHALL@SCRM.LOCAL
2023/11/17 21:52:31 >  [+] VALID USERNAME:	 sJENKINS@SCRM.LOCAL
2023/11/17 21:53:00 >  [+] VALID USERNAME:	 kSIMPSON@SCRM.LOCAL
2023/11/17 21:53:03 >  [+] VALID USERNAME:	 kHICKS@SCRM.LOCAL
2023/11/17 22:02:49 >  Done! Tested 26000 usernames (5 valid) in 671.318 seconds

The brute-force attack against the target KDC server confirms the presence of the ksimpson user, alongside the 3 already-discovered users. It also finds a single additional domain user: khicks.

All these usernames will be saved into a file.
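
From the defender's side, a run like the one above (26,000 requests from one host in about 11 minutes) appears on the domain controller as a burst of failed TGT requests for unknown accounts. The following is an added example, not part of the original write-up: it flags sources by counting distinct account names in event 4768 records with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN). The comma-separated export layout, IP addresses, account names, window and threshold are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a simplified export of Security event 4768 records as
# "time,event id,client address,account name,result code".
# This field layout is an assumption, not a native Windows log format.
UNKNOWN_PRINCIPAL = "0x6"  # KDC_ERR_C_PRINCIPAL_UNKNOWN

def build_sample():
    """Build constructed log lines: one noisy source and two ordinary clients."""
    base = datetime(2023, 11, 17, 21, 51, 37)
    rows = []
    # One source cycling through generated names, 40 requests per second.
    for i in range(400):
        ts = base + timedelta(milliseconds=25 * i)
        rows.append(f"{ts.isoformat()},4768,10.0.0.50,uSER{i:04d},0x6")
    # A workstation with a single mistyped account name.
    rows.append(f"{base.isoformat()},4768,10.0.0.21,jdoee,0x6")
    # A normal successful TGT request.
    rows.append(f"{base.isoformat()},4768,10.0.0.22,jdoe,0x0")
    return rows

def find_enumeration_sources(lines, window=timedelta(seconds=60), threshold=100):
    """Return {source: peak count of distinct unknown accounts in one window}."""
    events = []
    for line in lines:
        ts, event_id, src, account, code = line.strip().split(",")
        if event_id == "4768" and code.lower() == UNKNOWN_PRINCIPAL:
            events.append((datetime.fromisoformat(ts), src, account.lower()))
    events.sort()
    recent = defaultdict(deque)  # source -> (time, account) pairs inside the window
    peak = defaultdict(int)
    for ts, src, account in events:
        q = recent[src]
        q.append((ts, account))
        while q and ts - q[0][0] > window:
            q.popleft()
        peak[src] = max(peak[src], len({a for _, a in q}))
    return {src: n for src, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    print(find_enumeration_sources(build_sample()))
```

Counting distinct account names rather than raw failures keeps a single client that retries one mistyped name from crossing the threshold.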