How do I continue pentesting with access to local station?

manpreet Best Answer 2 years ago

I started learning hobbyist penetration testing a while ago, and as far as penetrating a computer I have physical access to, all is good. Mainly using Hiren bootCD, it is easy to gain access to an local administrator account, if nothing else then through offline cracking of the poorly encrypted local passwords.

However, once I have secured access to the local admin account, I do not know how to continue on. The MsCache is strong, and rarely contains anything worthwhile, I even read that most good admins turn caching off.

The most promising things I have seen so far was the pass-the-hash toolkit, based on dumping LSA secrets, which promised to "compromise a whole Windows domain after compromising a single machine that was a member of that domain." However, that failed to work on the Vista domain I am pentesting right now.

What are the general strategies in this situation? What are the specific ones?