Comments (10)
Amazing :)
Thank you @MichaelGrafnetter and @rmbolger !
I didn't even know that a domain could be renamed :)
Luckily the kull_m_rpc_drsr.h file is ready to embed the dwReplEpoch :)
typedef struct _DRS_EXTENSIONS_INT {
    DWORD cb;        // byte count of the fields that follow cb
    DWORD dwFlags;
    // remaining fields, commented out, in MS-DRSR DRS_EXTENSIONS_INT order:
    //GUID SiteObjGuid;
    //DWORD Pid;
    //DWORD dwReplEpoch;
    //DWORD dwFlagsExt;
    //GUID ConfigObjGUID;
    //DWORD dwExtCaps;
} DRS_EXTENSIONS_INT, *PDRS_EXTENSIONS_INT;
I'll take a look, maybe this weekend!
from mimikatz.
Glad to help. And yeah, domain renames are definitely rare and can be cumbersome if you have a lot of services already running against it. But I think the process has been officially supported since at least AD 2003.
Cool :) thanks for updating
Well, the documentation on dwReplEpoch clearly says that
This value is set to zero by all client callers.
Lessons learned: Do not trust the documentation. ;-) On the other hand, mimikatz or DSInternals do way more than a regular client caller.
Or we must read all the documentation :D
If the client is a DC, it reads the value of msDS-ReplicationEpoch from its nTDSDSA object and assigns this value to the dwReplEpoch field of the DRS_EXTENSIONS_INT structure; otherwise, it sets the dwReplEpoch field of the DRS_EXTENSIONS_INT structure to zero.
On my side I tried to minimize this struct size to minimize errors on input... at least we must now go up to this field ;)
This is the first time I've read this deep into the replication protocol. And I'm confused about their "client" and "server" terms. Can't decide whether they mean a generic client/server like caller/endpoint...or more specifically a replication client vs a replication server. And since mimikatz is impersonating a server in this case, it would need to follow the second sentence.
The server sets this value by assigning the value of msDS-ReplicationEpoch from its nTDSDSA object.
But because we're only a fake server, we don't actually have an nTDSDSA object of our own to check. So we need to cheat, check the target DC's value, and match it.
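Worked example of the two points raised above (the struct being deliberately short, and a fake replication partner needing to read the DC's dwReplEpoch from the bind and echo it back). This is added by the editor and is not code from the thread or from mimikatz; the field offsets follow the DRS_EXTENSIONS_INT field order quoted in the thread (cb, dwFlags, SiteObjGuid, Pid, dwReplEpoch, dwFlagsExt, ConfigObjGUID, dwExtCaps) with cb counting the bytes after itself, and the little-endian byte layout is assumed to be the one a Windows DC emits. The helper names (drs_ext_build, drs_ext_get_repl_epoch, drs_ext_mirror_epoch) and the sample DC blob are invented for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Byte offsets inside DRS_EXTENSIONS_INT, counted from the start of the
 * structure (assumed layout: cb, dwFlags, GUID SiteObjGuid, Pid, dwReplEpoch,
 * dwFlagsExt, GUID ConfigObjGUID, dwExtCaps; all naturally aligned). */
enum {
    OFF_CB            = 0,
    OFF_DWFLAGS       = 4,
    OFF_SITEOBJGUID   = 8,
    OFF_PID           = 24,
    OFF_DWREPLEPOCH   = 28,
    OFF_DWFLAGSEXT    = 32,
    OFF_CONFIGOBJGUID = 36,
    OFF_DWEXTCAPS     = 52,
    DRS_EXT_FULL_LEN  = 56      /* every field present: cb == 52 */
};

/* Little-endian helpers: the blob is an in-memory Windows struct, so no NDR
 * byte swapping is involved (assumption for this example). */
static void put_u32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t get_u32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Serialize the shortest extensions blob that still carries dwReplEpoch:
 * cb covers dwFlags..dwReplEpoch (28 bytes); SiteObjGuid and Pid stay zero.
 * Returns bytes written, or 0 if the output buffer is too small. */
size_t drs_ext_build(uint8_t *out, size_t outlen, uint32_t dwFlags, uint32_t dwReplEpoch) {
    const size_t total = OFF_DWREPLEPOCH + 4;            /* 32 bytes */
    if (out == NULL || outlen < total) return 0;
    memset(out, 0, total);
    put_u32(out + OFF_CB, (uint32_t)(total - 4));        /* cb = bytes after cb */
    put_u32(out + OFF_DWFLAGS, dwFlags);
    put_u32(out + OFF_DWREPLEPOCH, dwReplEpoch);
    return total;
}

/* Read dwReplEpoch from a peer's blob (e.g. pextServer after IDL_DRSBind).
 * Returns 1 and stores the value when the field is present; 0 when the blob
 * is truncated or its cb stops before dwReplEpoch (a field only exists if cb
 * reaches past it, since the structure is variable-length). */
int drs_ext_get_repl_epoch(const uint8_t *buf, size_t len, uint32_t *dwReplEpoch) {
    if (buf == NULL || dwReplEpoch == NULL || len < 4) return 0;
    uint32_t cb = get_u32(buf + OFF_CB);
    if (cb > len - 4) return 0;             /* cb claims more bytes than we received */
    if (cb < OFF_DWREPLEPOCH) return 0;     /* peer sent fewer fields: no dwReplEpoch */
    *dwReplEpoch = get_u32(buf + OFF_DWREPLEPOCH);
    return 1;
}

/* A fake replication partner has no nTDSDSA object of its own, so it mirrors
 * the epoch the real DC advertised; if the DC sent none, it sends 0. */
size_t drs_ext_mirror_epoch(const uint8_t *server, size_t server_len,
                            uint8_t *out, size_t outlen, uint32_t dwFlags) {
    uint32_t epoch = 0;
    (void)drs_ext_get_repl_epoch(server, server_len, &epoch);
    return drs_ext_build(out, outlen, dwFlags, epoch);
}

/* Self-check: full DC blob round-trips, a dwFlags-only blob reports no epoch,
 * and a blob whose cb overruns the buffer is rejected. Returns 1 on success. */
int drs_ext_selftest(void) {
    uint8_t server[DRS_EXT_FULL_LEN], client[64], shortblob[8], bad[8];
    uint32_t e = 0;
    memset(server, 0, sizeof server);                    /* constructed DC reply */
    put_u32(server + OFF_CB, DRS_EXT_FULL_LEN - 4);
    put_u32(server + OFF_DWREPLEPOCH, 3);
    size_t n = drs_ext_mirror_epoch(server, sizeof server, client, sizeof client, 0x1F);
    if (n != 32 || !drs_ext_get_repl_epoch(client, n, &e) || e != 3) return 0;
    put_u32(shortblob + OFF_CB, 4); put_u32(shortblob + OFF_DWFLAGS, 0x1F);
    if (drs_ext_get_repl_epoch(shortblob, sizeof shortblob, &e) != 0) return 0;
    put_u32(bad + OFF_CB, 1000); put_u32(bad + OFF_DWFLAGS, 0);
    if (drs_ext_get_repl_epoch(bad, sizeof bad, &e) != 0) return 0;
    return 1;
}

int main(void) {
    printf("DRS_EXTENSIONS_INT epoch handling selftest: %s\n",
           drs_ext_selftest() ? "ok" : "FAILED");
    return 0;
}
```

The cb check in drs_ext_get_repl_epoch is the practical point: a shortened struct like the one in kull_m_rpc_drsr.h is valid on the wire, but anything that reads a peer's blob must test cb before touching dwReplEpoch rather than assuming the full 56-byte layout.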
I think it will not be a problem because we must get uuidDsaObjDest from NtdsDsaObjectGuid, so I presume it will be easy to get dwReplEpoch from this previous bind.
Here's a better reference in the docs for IDL_DRSBind.
The client uses pextClient to pass a properly initialized DRS_EXTENSIONS_INT structure to the server. If the client is a DC, it reads the value of msDS-ReplicationEpoch from its nTDSDSA object and assigns this value to the dwReplEpoch field of the DRS_EXTENSIONS_INT structure;
Of course, by client they mean Windows 7, which uses IDL_DRSCrackNames extensively. That is the security problem of this protocol: it mixes DC-DC, client-DC and admin-DC communication, so you cannot block it with a firewall.
Damned, even MS can update its code ;)
https://community.office365.com/en-us/f/156/t/172670 -> http://social.technet.microsoft.com/wiki/contents/articles/18429.dirsync-directory-sync-tool-version-release-history.aspx#AO5