Differences

This shows you the differences between two versions of the page.

--- method_5_post-exploitation [2023/01/12 00:16] – gman
+++ method_5_post-exploitation [2023/01/12 00:31] (current) – [First Thing] gman
@@ Line 33: / Line 33: @@
     * Concealment
     * Retain Access
+----
+===== First Thing =====
+After you've compromised a system, one of the //**first things**// you want to try is acquiring the local credential store (passwords).
+**Windows:** The go-to tool is ''mimikatz'' (it can read hashes directly from memory).
+**Linux:** The ''creddump'' package contains...
+  - ''cachedump'': dumps cashed credentials
+  - ''lsadump'': dumps LSA Secrets
+  - ''pwdump'': dumps password hashes
+Linux passwords are usually found in ''/etc/shadow''.
+  * You can simply copy that file to your attack machine and crack offline (if you have root).
+  * Therefore, priv esc is a key part of acquiring credentials.
 ----
@@ Line 216: / Line 233: @@
 ===== Windoze =====
+==== LSA Secrets Registry ====
+The **LSA Secrets Registry** contains the password of the currently logged-in user in an encrypted form.
+  * You can find the LSA Secrets Registry here: ''HKEY_LOCAL_MACHINE/Security/Policy/Secrets''
+  * You can find the encryption key to the user's password in the parent directory: ''HKEY_LOCAL_MACHINE/Security/Policy''
+So, if you have admin access to the Windows Registry, you can recover the encrypted password and its key fairly easily.