KDC
Nmap discovered a KDC server on the target port 88 and 464
The running service is Microsoft Windows Kerberos
While I do not know the naming convention that the target domain uses, I will attempt to enumerate usernames as much as possible by brute-forcing the KDC For efficiency, I will get that running in the background while enumerating other service
Username enumeration
┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ kerbrute userenum --dc dc.support.htb -d SUPPORT.HTB /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 10/04/23 - Ronnie Flathers @ropnop
2023/10/04 06:08:14 > Using KDC(s):
2023/10/04 06:08:14 > dc.support.htb:88
2023/10/04 06:08:22 > [+] VALID USERNAME: support@SUPPORT.HTB
2023/10/04 06:08:26 > [+] VALID USERNAME: guest@SUPPORT.HTB
2023/10/04 06:08:49 > [+] VALID USERNAME: administrator@SUPPORT.HTB
2023/10/04 06:12:17 > [+] VALID USERNAME: Guest@SUPPORT.HTB
2023/10/04 06:12:19 > [+] VALID USERNAME: Administrator@SUPPORT.HTB
2023/10/04 06:24:07 > [+] VALID USERNAME: management@SUPPORT.HTB
2023/10/04 06:26:03 > [+] VALID USERNAME: Support@SUPPORT.HTB
2023/10/04 06:32:06 > [+] VALID USERNAME: GUEST@SUPPORT.HTBkerbrute has been running in the background for over half an hour and found a few domain users;
supportguestadministratormanagement
As discovered, the target domain appears to follow a specific naming convention While it could be leveraged by creating a list of potential usernames to further enumerate the remaining domain users, I will skip for now