
Getting started


Last updated 7 years ago

This guide/tutorial will teach you the following:

  • Creating a virtual Active Directory domain lab environment

  • Credential Replay Attacks

  • Domain Privilege Escalation

  • Dumping System and Domain Secrets

  • Tools like Empire, Bloodhound and ranger

  • Actual pentest experiences

If you have no idea what you are doing, we recommend reading the Mini guide to Windows first and then beginning with Building a lab.

If you have an idea what you're doing and/or already have a lab environment, I recommend you check out the Network access to Domain Admin article for a general approach to hacking Active Directory domains.

Obvious disclaimer is obvious

The tools demonstrated in this book should not be used in an environment without complete authorization from its legal owner. I.e. don't be stupid and don't run commands when you don't know what they do.

Todo list

  • Stealth - improve article

  • Introduction to Active Directory

  • Kerberos and authentication in AD

  • Introduction to PowerShell

  • Exploiting MSSQL Servers

  • Client Side Attacks

  • Domain Enumeration and Information Gathering

  • Local Privilege Escalation

  • Exchange enumeration and attacks

  • Sharepoint enumeration and attacks

  • Mitigations against common attacks

  • General recommendations for securing AD

Future plans

  • Kerberos Attacks and Defense (Golden, Silver tickets and more)

  • Delegation Issues

  • Persistence Techniques

  • Abusing SQL Server Trusts in an AD Environment

  • Backdoors and Command and Control

  • Forest and domain trusts in AD

  • Detecting attack techniques

  • Defending an Active Directory Environment

  • LDAP integration with non-Microsoft products
