Enumerating Protocols - Identify Users

Tools and Techniques

Kerbrute
LDAP Null Sessions
SMB Null Session
RPC Null session

Kerbrute

Installation

[]

Identifying Usernames

<aside> 💡 When you fail in finding username from other ports, attempt kerbrute with teh list of username to identify valid users

</aside>

./kerbrute userenum --domain htb.local  --dc 10.10.10.52 ~/Downloads/wordlists/xato-net-10-million-usernames.txt

2023/05/23 13:45:54 >  [+] VALID USERNAME:       [email protected]
2023/05/23 13:45:55 >  [+] VALID USERNAME:       [email protected]
2023/05/23 13:46:00 >  [+] VALID USERNAME:       [email protected]
2023/05/23 13:46:05 >  [+] VALID USERNAME:       [email protected]
2023/05/23 13:46:17 >  [+] VALID USERNAME:       [email protected]
2023/05/23 13:46:41 >  [+] VALID USERNAME:       [email protected]
2023/05/23 13:47:03 >  [+] VALID USERNAME:       [email protected]

Use Kerbrute in conjunction with the jsmith.txt or jsmith2.txt user lists from Insidetrust.

zink0x001@htb[/htb]$ kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_users

2021/11/17 23:01:46 >  Using KDC(s):
2021/11/17 23:01:46 >   172.16.5.5:88
2021/11/17 23:01:46 >  [+] VALID USERNAME:       [email protected]
2021/11/17 23:01:46 >  [+] VALID USERNAME:       [email protected]
2021/11/17 23:01:46 >  [+] VALID USERNAME:       [email protected]
2021/11/17 23:01:50 >  [+] VALID USERNAME:       [email protected]

 <SNIP>
 
2021/11/17 23:01:51 >  [+] VALID USERNAME:       [email protected]
2021/11/17 23:01:51 >  [+] VALID USERNAME:       [email protected]
2021/11/17 23:01:51 >  [+] VALID USERNAME:       [email protected]
2021/11/17 23:01:51 >  [+] VALID USERNAME:       [email protected]
2021/11/17 23:01:51 >  [+] VALID USERNAME:       [email protected]
2021/11/17 23:01:52 >  [+] VALID USERNAME:       [email protected]
2021/11/17 23:01:56 >  Done! Tested 48705 usernames (56 valid) in 9.940 seconds