Post Exploitation: Attacks

Mimikatz

Overview https://github.com/gentilkiwi/mimikatz There are various spin-offs of the Mimikatz pro...

Dumping Passwords from Windows Credential Manager

Credential Enumeration cmdkey /list In reverse shells, I have noticed that it's impossible to s...

Dumping Hashes without Mimikatz

Post-Compromise on Target Lsass Process Dump Sysinternals ProcDump Download ProcDump here # D...

Impacket-Addcomputer

When to Use Could be used post-compromise upon enumerating the ms-DS-MachineAccountQuota policy....

DCSync

DCSync Overview DCSync is a legitimate function of Active Directory environments where a domain...

Pass the Password

Overview Cracked a hash or discovered a password for a domain user. Use the password and crackma...

Pass the Hash

Overview Dumped the SAM or LSA and now have hashes for domain or local users. Use the hash and...

Pass the Ticket

Anatomy of a Kerberos Ticket [0;97d82]-2-0-40e10000-t2_felicia.dean@krbtgt-ZA.TRYHACKME.COM.kirb...

Pass the Key

Kerberos Encryption Keys Policies on the domain controller will dictate which encryption algorit...

Password & Credential Brute Force

User Enumeration You have enumerated users with one of the methods defined here: CrackMapExec...

Token Impersonation

Overview Tokens are temporary keys that allow a user to perform actions on a system or network w...

Spawn Processes as Other Users

RunasCs.exe Project GitHub https://github.com/antonioCoco/RunasCs/releases Example Usage Spaw...

Kerberoasting

Overview The attacker uses a known username and password of a user on a domain. A typical Kerbe...

Group Policy Preferences (GPP)

Overview GPP allows admins to create policies with embedded credentials. The credentials are enc...

PrintNightmare

Local Privilege Escalation https://github.com/calebstewart/CVE-2021-1675

ZeroLogon

Caution This can potentially break a domain controller, due to the fact that this attack temporaril...

xfreerdp

Usage and Help Display the xfreerdp man page man xfreerdp Display the xfreerdp help output on ...