Kerberos
Nmap discovered a KDC server on the target ports 88 and 464
The running service is Microsoft Windows Kerberos
While I do not know the naming convention that the target domain uses, I will attempt to enumerate usernames as much as possible by brute-forcing the KDC I will get that running in the background while enumerating other services for efficiency
Username Enumeration
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch]
└─$ kerbrute userenum --dc hutchdc.hutch.offsec -d HUTCH.OFFSEC /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 05/01/25 - Ronnie Flathers @ropnop
2025/05/01 14:39:38 > Using KDC(s):
2025/05/01 14:39:38 > hutchdc.hutch.offsec:88
2025/05/01 14:39:38 > [+] VALID USERNAME: admin@HUTCH.OFFSEC
2025/05/01 14:39:42 > [+] VALID USERNAME: administrator@HUTCH.OFFSEC
2025/05/01 14:39:42 > [+] VALID USERNAME: Admin@HUTCH.OFFSEC
2025/05/01 14:40:05 > [+] VALID USERNAME: Administrator@HUTCH.OFFSEC
2025/05/01 14:42:05 > [+] VALID USERNAME: ADMIN@HUTCH.OFFSECI had kerbrute running for a while and found a none default user; admin