Breaching
Introduction
What?
Why?
How?
NTLM authenticated services
Password spraying
LDAP bind credentials
LDAP pass-back
Rogue LDAP server
Capturing LDAP credentials
Authentication relays
Server Message Block
LLMNR, NBT-NS, and WPAD
Intercepting NetNTLM challenge
Microsoft Deployment Toolkit
Configuration files
Configuration file credentials
Enumerating
Introduction
What?
Why?
How?
Setup for THM AD
Credential injection
Through Microsoft Management Console
Through Command Prompt
Through PowerShell
Through Bloodhound
Cleanup
Lateral movement and pivoting
Introduction
What?
Why?
How?
Setup for THM AD
Moving through the network
Spawning processes remotely
PsExec
WinRM
sc.exe
schtasks
Flag
Moving laterally using WMI
Connecting to WMI from PowerShell
Remote process creation
Run a command remotely
Creating services remotely
Scheduled tasks
Use of alternate authentication material
NTLM authentication flow
Kerberos authentication flow
Cracking hashes
NTLM hash (NTHash)
NTLMv1 (Net-NTLMv1) hash
NTLMv2 (Net-NTLMv2) hash
Pass-the-hash
Pass-the-ticket
Overpass-the-hash/Pass-the-key
Flags
Inject with mimikatz
Impacket from Kali
Kerberos
Abusing user behaviour
Writable Shares
Backdooring .vbs Scripts
Backdooring .exe Files
RDP Session hijacking
Flag
Port forwarding
SSH tunnelling
SSH remote port forwarding
SSH local port forwarding
Port forwarding with socat
Dynamic port forwarding and SOCKS
Flags
RDP to THMIIS
Exploit Rejetto HFS on the Domain Controller
Resources
Cleanup
Exploiting
Introduction
What?
Why?
How?
Setup for THM AD
Connecting to the network
Edit DNS configuration
Test hostname lookups
Request credentials
Jump in
Exploiting permission delegation
Exploiting ACEs
Bloodhound
Privilege Escalation
Add AD account to the IT Support group
Force a new password on a T2 Admin
Exploiting Kerberos delegation
Unconstrained Delegation
Constrained Delegation
Resource-Based Constrained Delegation
Lab: Constrained Delegation Exploitation
Enumeration
Dumping secrets with mimikatz
Kekeo
Back to mimikatz
Get the flag
Exploiting automated relays
Machine accounts
The Printer Bug
Verify the Print Spooler service is running
Verify SMB signing enforcement
Exploit authentication relay
Exploiting AD users
Payload
Transfer the payload to the target
Get flag
Exploiting GPOs
THMWRK1
THMWRK2
Exploiting certificates
Finding vulnerable certificate templates
Exploiting a Certificate Template
User impersonation through a certificate
Exploiting domain trusts
KRBTGT and Golden tickets
Dumping the KRBTGT hash
Getting the SIDs
Exploiting domain trusts
Persisting
Introduction
What?
Why?
How?
Setup for THM AD
Connecting to the network
Edit DNS configuration
Test hostname lookups
Request credentials
Jump in
Persistence through credentials
Passwords
Order of Operations
DC Sync
Log file
One-liner
Persistence through tickets
Kerberos authentication flow
Golden Tickets
Silver Tickets
Forging tickets
Resources
Persistence through certificates
Extract the CA’s Private Key
Create a certificate for the domain administrator account
Persistence through SID history
Resources
Persistence through group membership
Warning
Create groups
Nesting
Verify inherited privileges
Persistence through ACLs
Modify the AdminSDHolder template
WinRM to the Domain Controller
Persistence through GPOs
Resources
Credentials harvesting
Introduction
What?
Why?
How?
Credential access
PowerShell history
Database Files
Password Managers
Memory Dump
Active Directory
Network Sniffing
Resources
Local Windows credentials
Security Account Manager (SAM)
Shadow Copy
Registry Hives
Local Security Authority Subsystem Service
Protected LSASS and Mimikatz
Again
Windows Credential Manager
Credential Dumping
RunAs
Mimikatz
Domain Controller
NTDS
Ntdsutil
Local Dumping (No Credentials)
Remote Dumping (With Credentials)
Local Administrator Password Solution
Hashes and tickets