Windows Post-Exploitation - Writeups
- http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf
- https://www.exploit-db.com/docs/18229.pdf
- http://pentestmonkey.net/uncategorized/from-local-admin-to-domain-admin
In the event of unstable results from the above after compromise, you could also use setoolkit's PowerShell Attack Vectors, which is option nine (9) of its social engineering module.
Windows Post-Exploitation - Tools
- https://github.com/PowerShellMafia/PowerSploit
- https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa
- https://github.com/mubix/post-exploitation/wiki/windows
- https://github.com/gentilkiwi/mimikatz/releases
- https://github.com/nccgroup/Winpayloads
- https://github.com/byt3bl33d3r/pth-toolkit
- https://github.com/AlessandroZ/LaZagne -- all-in-one password recovery on Windows
- Cobalt Strike
- https://github.com/samratashok/nishang
- https://github.com/nccgroup/redsnarf
- https://github.com/mubix/netview
Windows Commands for Post Exploitation
One liners
Launch cmd.exe as local system w/ psexec
psexec -s cmd.exe
Enable rdp with CLI
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Launch ARP scan
for /L %i in (1,1,255) do @start /b ping -n 1 -w 1 192.168.1.%i
Capture all IPv4 traffic, TCP only, which matches the IP address on a 64-bit Windows 7 / Windows 2008 or newer box, continue the capture even if the computer restarts, and save the capture to a non-default location.
Captures can then be analysed with Microsoft's Message Analyzer:
http://www.microsoft.com/en-us/download/details.aspx?id=44226
netsh trace start capture=yes Ethernet.Type=IPv4 IPv4.Address=157.59.136.1 Protocol=TCP persistent=yes traceFile=C:\Users\Public\trace.etl
Stop the capture
netsh trace stop
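From the defender's side, each one-liner above leaves a recognisable process-creation footprint. This added example (not from the page or any linked tool) runs simple detection rules over constructed telemetry shaped like Windows Security 4688 / Sysmon Event ID 1 records; the field names, hostnames and sample command lines are assumptions.

```python
import re
from collections import defaultdict
# Each rule is a case-insensitive regex over the process command line.
RULES = {
    "psexec_local_system_shell": re.compile(r"psexec.*\s-s(\s|$)", re.I),
    "rdp_enabled_via_registry": re.compile(r"reg(\.exe)?\s+add\b.*fDenyTSConnections.*\s/d\s+0\b", re.I),
    "netsh_trace_capture_started": re.compile(r"netsh(\.exe)?\s+trace\s+start\b", re.I),
}
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def match_rules(events):
    """Return (host, rule, cmdline) for every event whose command line hits a rule."""
    hits = []
    for ev in events:
        for name, rx in RULES.items():
            if rx.search(ev["cmdline"]):
                hits.append((ev["host"], name, ev["cmdline"]))
    return hits

def ping_sweep_hosts(events, threshold=20):
    """Hosts where ping.exe hit >= threshold distinct addresses in one /24 (the for /L sweep)."""
    targets = defaultdict(set)  # (host, /24 prefix) -> distinct targets
    for ev in events:
        if not ev["image"].lower().endswith("ping.exe"):
            continue
        for ip in IPV4.findall(ev["cmdline"]):
            targets[(ev["host"], ip.rsplit(".", 1)[0])].add(ip)
    return sorted({h for (h, _), ips in targets.items() if len(ips) >= threshold})

# Constructed telemetry shaped like Security 4688 / Sysmon 1 records (not real logs).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Tools\PsExec.exe", "cmdline": "psexec -s cmd.exe"},
    {"host": "WS01", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" '
                r"/v fDenyTSConnections /t REG_DWORD /d 0 /f"},
    {"host": "WS02", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r"netsh trace start capture=yes persistent=yes traceFile=C:\Users\Public\trace.etl"},
    {"host": "WS02", "image": r"C:\Windows\System32\netsh.exe", "cmdline": "netsh trace stop"},
    {"host": "WS03", "image": r"C:\Windows\System32\reg.exe",  # a read, not a change: benign
     "cmdline": r'reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections'},
] + [  # WS03 walks 192.168.1.0/24 one address at a time, as the for /L loop does
    {"host": "WS03", "image": r"C:\Windows\System32\PING.EXE", "cmdline": f"ping -n 1 -w 1 192.168.1.{i}"}
    for i in range(1, 41)
] + [  # a single diagnostic ping elsewhere must not trip the sweep threshold
    {"host": "WS04", "image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping -n 4 10.0.0.1"},
]

if __name__ == "__main__":
    print(match_rules(SAMPLE_EVENTS), ping_sweep_hosts(SAMPLE_EVENTS))
```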