DCSync module is broken #109

@swisskyrepo

Hi,

The dcsync module is not correctly parsing the output of Mimikatz; it is sometimes capturing the Security ID instead of the Realm, and the Relative ID instead of the password's hash.

I think the Mimikatz output changed when targeting a single account. Here is an extract of the new output; some fields are also omitted when the arg "/all" is used:

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )     # not present using /all
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   :                              # not present using /all
Password last change : 6/4/2022 7:45:12 PM          # not present using /all
Object Security ID   : S-1-5-21-117627179-2072415408-3747117325-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: e19ccf75ee54e06b06a5907af13cef42

passwd = lines[i+2].split(" : ")[1].strip()

I have reproduced the problem on a Microsoft Windows Server 2019 Standard / 10.0.17763 N/A Build 17763.
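The failure mode reported above, as an added example that is not part of the original issue or the project's code: fields are looked up by label instead of by line offset, so a record parses the same whether or not the optional lines are present. The function names and the `/all` variant (built by dropping the three lines the issue marks as absent) are assumptions.

```python
import re

# Single-account output quoted in the issue.
SINGLE = """\
Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   :
Password last change : 6/4/2022 7:45:12 PM
Object Security ID   : S-1-5-21-117627179-2072415408-3747117325-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: e19ccf75ee54e06b06a5907af13cef42
"""
# Constructed /all variant: same text minus the fields the issue marks as absent.
OMITTED = ("Account Type", "Account expiration", "Password last change")
ALL_MODE = "".join(l for l in SINGLE.splitlines(True) if not l.startswith(OMITTED))
FIELD = re.compile(r"^\s*([^:\n]+?)\s*:[ \t]*(.*?)\s*$")

def parse_record(text):
    """Return {label: value} for one record, independent of line positions."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m: fields.setdefault(m.group(1), m.group(2))  # first occurrence wins
    return fields

def extract(text):
    """Return (username, ntlm_hash); fail loudly rather than grab a neighbouring field."""
    f = parse_record(text)
    missing = [k for k in ("SAM Username", "Hash NTLM") if not f.get(k)]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    if not re.fullmatch(r"[0-9a-fA-F]{32}", f["Hash NTLM"]):
        raise ValueError("Hash NTLM is not 32 hex characters")
    return f["SAM Username"], f["Hash NTLM"]

def line_gap(text, start, end):
    """Lines between two labels; differs per variant, which is why fixed offsets break."""
    labels = [l.split(":")[0].strip() for l in text.splitlines()]
    return labels.index(end) - labels.index(start)
```

The format check in `extract` is what turns a silent mis-capture (such as a Relative ID landing in the hash field) into an explicit error.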
