Hello, I'm Didier Stevens and this is another video on what you can do when you have a copy of the Active Directory database file. This time we are going to use Mimikatz. On this machine I'm on a workstation. I am just a normal user, a least-privileged local user, and I will run Mimikatz. What I'm going to try now is to use dcsync, a command from Mimikatz, to recover hashes from the domain controller. The command is dcsync; we need to give it the name of the domain, the name of the local, and the name of the user for which we want to retrieve the hashes, like this. And this doesn't work, of course: we get an error, error 5, which is access denied. As a normal user, and especially a local user, I cannot do that. I need to be a domain administrator to be able to pull this off, or have the necessary rights delegated to me.

But since we have a copy of the Active Directory database file and Mimikatz, we can create a golden ticket to impersonate a domain administrator. And that's what we are going to do now. So I have no tickets here for the moment, and now I will create a golden ticket. I need the hash of the krbtgt account. And this is something that I can find back in the information that I extracted from the Active Directory database file. Here I have a text file output. This file here is the output you get from the dsusers command which we used in other blog posts. And I just ran exactly the same command as in that blog post, except that I also used the membership option so that I can see which groups the users belong to. So let's open this. And I'm going to search for 512, because 512 is the Domain Admins group. Okay, so this user here, administrator, is the domain admin. So we are going to impersonate that user. And like I said, we need the krbtgt hash. Here we have that user, and here we have the hash. So let's copy this and paste it in the command. So the admin user I want to impersonate is administrators. Sorry, administrator.

Then I need to provide the domain, which is demo.local. Now, in case you didn't find that information, you don't know that information, you can find it back in the files we exported here. In this file here, datatable.3, if you open that file, if we now search for LDAP. Okay, so here we have an LDAP entry. Okay, and here you can see DC=demo, DC=local. So that tells us that the domain is demo.local. Next, we need the SID of the domain. And if we go to our output here, you have, for example, this user here. This is the SID of the user, 502. This is the SID of the domain, 513. This part here, that is the SID of the domain. We can copy that. And then I just need to provide the file where I want to write the ticket to. Okay, and the ticket has been created and saved to a file. Now this is something you can do on any machine. You don't need to be on a machine that is a member of the domain. You can do this anywhere.

And now we are going to use this ticket. Pass the ticket like this. And if we do a list, you can see we have a ticket. And now if we go back to our dcsync command, you can see now that we get the output: we are able to recover the hashes of user1, user1, and here the LM hash and LM hash.
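The video shows that a DCSync request only succeeds once the caller holds replication rights, which is exactly what makes it visible on the domain controller side: a replication request from anything other than another domain controller is the detection signal. The following Python is an added example for defenders and is not code from the video or from Mimikatz. It assumes Security event 4662 records have already been parsed into the four fields shown (SubjectUserName, SubjectDomainName and the Properties string holding the requested access-right GUIDs); the two replication GUIDs are the well-known DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights, the sample events are constructed, and the account names, including the allowlisted sync account, are hypothetical.

```python
import re
from dataclasses import dataclass

# Control-access-right GUIDs that a directory replication (DCSync-style) request
# exercises. These are the well-known Active Directory extended rights
# DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = frozenset({DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL})

# The Properties field of event 4662 lists GUIDs wrapped in braces; pull them out.
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE)


@dataclass(frozen=True)
class Event4662:
    """Subset of Security event 4662 ('An operation was performed on an object')."""
    subject_user: str    # SubjectUserName: who asked
    subject_domain: str  # SubjectDomainName
    properties: str      # Properties: the access rights / attributes requested


def requested_guids(ev):
    """Return the set of GUIDs named in the event's Properties field, lower-cased."""
    return {g.lower() for g in GUID_RE.findall(ev.properties)}


def is_replication_request(ev):
    """True when the caller asked for either replication extended right."""
    return bool(requested_guids(ev) & REPLICATION_GUIDS)


def is_expected_replicator(ev, dc_accounts, allowlist):
    """Only domain controller machine accounts (and explicitly allowlisted
    sync accounts) are expected to replicate. A privileged human account
    replicating from a workstation is still anomalous, so it is NOT exempt."""
    name = ev.subject_user.lower()
    return name in dc_accounts or name in allowlist


def find_dcsync_candidates(events, dc_accounts, allowlist=frozenset()):
    """Return the events that look like DCSync: a replication request made by
    an account that has no business replicating."""
    dcs = {a.lower() for a in dc_accounts}
    allowed = {a.lower() for a in allowlist}
    return [
        ev for ev in events
        if is_replication_request(ev) and not is_expected_replicator(ev, dcs, allowed)
    ]


# Constructed sample data (hypothetical names, not from the video).
BOTH_RIGHTS = "{%s} {%s}" % (DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL)
DC_ACCOUNTS = {"DC1$", "DC2$"}
SAMPLE_EVENTS = [
    # Normal DC-to-DC replication: another DC's machine account asks for changes.
    Event4662("DC2$", "DEMO", BOTH_RIGHTS),
    # A plain user account requesting replication rights: the DCSync pattern.
    Event4662("user1", "DEMO", BOTH_RIGHTS),
    # Same user reading some other attribute (constructed GUID): not replication.
    Event4662("user1", "DEMO", "{bf967a68-0de6-11d0-a285-00aa003049e2}"),
    # The domain admin doing the same thing; still flagged, admins do not replicate.
    Event4662("administrator", "DEMO", BOTH_RIGHTS),
]


if __name__ == "__main__":
    for ev in find_dcsync_candidates(SAMPLE_EVENTS, DC_ACCOUNTS, allowlist={"svc-aadsync"}):
        print(f"possible DCSync by {ev.subject_domain}\\{ev.subject_user}")
```

Event 4662 is only written when auditing of directory service access is enabled and a SACL on the domain object covers the replication rights, so the check is only as good as the audit policy behind it; correlating the flagged account with the 4624 logon that preceded it tells you which workstation the request came from.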