8 Windows post-exploitation

This chapter covers

  • Maintaining persistent Meterpreter access
  • Harvesting domain-cached credentials
  • Extracting clear-text credentials from memory
  • Searching the filesystem for credentials in configuration files
  • Using Pass-the-Hash to move laterally

Now that our movie heist crew has successfully broken into or penetrated several areas of their target facility, it’s time for them to move on to the next phase of their engagement. Smash into the vault room, grab the jewels, and run? No, not quite yet. That would cause a lot of commotion, and they would probably get caught. Their plan instead is to blend in with the workers at the facility and slowly remove incrementally larger amounts of loot without arousing suspicion before eventually disappearing without a trace. At least, that’s the best-case scenario they are hoping for. In a movie, they will most likely make a mistake eventually for the sake of plot thickness.

Nonetheless, the next thing they need to concern themselves with is how to move freely throughout the compound and come and go as they please. They might steal uniforms from a supply closet so they look the part, create fake employee records in the company database, and maybe even print out working badges, assuming they have that level of access. This scenario is similar to post-exploitation on a pentest, which is exactly what we’re going to discuss in this chapter, starting with Windows systems.

8.1 Fundamental post-exploitation objectives

8.1.1 Maintaining reliable re-entry

8.1.2 Harvesting credentials

8.1.3 Moving laterally

8.2 Maintaining reliable re-entry with Meterpreter

8.2.1 Installing a Meterpreter autorun backdoor executable

8.3 Harvesting credentials with Mimikatz

8.3.1 Using the Meterpreter extension

8.4 Harvesting domain cached credentials

8.4.1 Using the Meterpreter post module

8.4.2 Cracking cached credentials with John the Ripper

8.4.3 Using a dictionary file with John the Ripper

8.5 Harvesting credentials from the filesystem