<aside> ☎️ Active directory fundamentals

Internal penetration tests are now often carried out remotely. The most common method is to ship the target company a computer or a micro-computer with a VPN installed. The company installs this computer and connects it to its infrastructure to simulate an intrusion.

Introduction to Active Directory

</aside>

<aside> <img src="/icons/binoculars_blue.svg" alt="/icons/binoculars_blue.svg" width="40px" /> Initial Attack Vectors

LLMNR Poisoning

SMB Relay

Shell Access

IPv6 Attacks

🖨️ Printer attack - Passback attacks

Conclusion

</aside>

<aside> <img src="/icons/sync_green.svg" alt="/icons/sync_green.svg" width="40px" /> Post Compromise Enumeration

LDAP Domain Dump

Bloodhound

PingCastle

Plumhound

Netexec

</aside>

<aside> <img src="/icons/key_brown.svg" alt="/icons/key_brown.svg" width="40px" /> Post-Compromise Attacks

Pass Attacks

Dump and Crack Hashes

Kerberoasting

Token Impersonation

URL File Attacks

GPP / cPassword Attacks

Mimikatz

Zerologon

PrintNightmare

</aside>

<aside> <img src="/icons/postcard_yellow.svg" alt="/icons/postcard_yellow.svg" width="40px" /> Post-Domain Compromise Attacks

The role of a pentester is to bring as much information as possible to the client. So once you obtain Domain Administrator, the objective becomes finding other paths to the same result, as well as enumerating every vulnerability you can see as Domain Admin. Moreover, you should create a Domain Administrator account first, both to keep a backdoor and to check whether the company detects it.

NTDS.dit

Golden Ticket

</aside>

<aside> 👉 Pivoting

Initial vector

Fundamentals of pivoting

Enumeration

Proxy

SSH Tunnelling / Port Forwarding

Plink.exe

Socat

Chisel

sshuttle

</aside>