Getting Logon Tokens - Post Root-Admin

So I want to see some writeups for Windows boxes. On *nix I can get root and just cat /etc/shadow for the token.

Windows is a different story; the AV or PowerShell AMSI is a pain in the ass.

Just wondering how you guys are getting the token for Windows boxes. Getting Invoke-Mimikatz.ps1 or mimi.exe onto the machine before it gets blocked is almost impossible. What are you guys doing post admin/root flag to get the tokens to see some writeups? Thanks.

Comments

  • edited August 2020

    Instead of using Mimikatz, you could reg save both the SAM and SYSTEM hives and download them to your machine.

    After that you can use pypykatz to dump the NTLM hashes locally.

  • Sir.... Just tried that on a fully patched Windows 2019 server. GENIUS idea.
    Seems so simple compared to using complicated DLL patching to get AMSI to stop, or using tools encoded so their hash doesn't trip AV. Where were you 30+ machines ago?