Post Exploitation: Attacks

Usage and Help Display the xfreerdp3 man page man xfreerdp3 Display the xfreerdp3 help output ...

Overview Dumped the SAM or LSA and now have hashes for domain or a local users. Use the hash and...

Overview Cracked a hash or discovered a password for a domain user. Use the password and nxc to ...

Kerberos Encryption Keys Policies on the domain controller will dictate which encryption algorit...

Cracking PFX Archives A .pfx archive is a way to bundle the certificate, key, and metadata in on...

Anatomy of a Kerberos Ticket [0;97d82]-2-0-40e10000-t2_felicia.dean@krbtgt-ZA.TRYHACKME.COM.kirb...

User Emumeration You have enumerated users with one of the methods defined here: NetExec Pow...

RunasCs.exe Project GitHub https://github.com/antonioCoco/RunasCs/releases Example Usage Spaw...

Overview The attacker uses a known username and password of a user on a domain. A typical Kerbe...

Credential Enumeration cmdkey /list In reverse shells, I have noticed that it's impossible to s...

Post-Compromise on Target Lsass Process Dump Sysinternals ProcDump Download ProcDump here # D...

When to Use You'll know when you've found a domain controller, because it will have several port...

Overview https://github.com/gentilkiwi/mimikatz There are various spin-offs of the Mimikatz pro...

Overview GPP allows admins to create policies with embedded credentials. The credentials are enc...

When to Use Could be used post-compromise upon enumerating the  ms-DS-MachineAccountQuota policy....

DCSync Overview DC Sync is a legitimate function of Active Directory environments where a domain...

Overview Tokens are temporary keys that allow a user to perform actions on a system or network w...

Problem evil-winrm works great in a pinch, but is often very buggy, so I've documented some work...

Local Privilege Escalation https://github.com/calebstewart/CVE-2021-1675

Caution This can potentially break a domain controller, due the fact that this attack temporaril...