Pentesting Active Directory and Windows-Based Infrastructure: A Comprehensive Practical Guide to Penetration Testing Microsoft Infrastructure

To get the most out of this book, you should have basic knowledge of Windows services and Active Directory.
| Field | Value |
|---|---|
| Format | eBook |
| Language | English |
| Published | Birmingham: Packt Publishing, Limited, 2023 |
| Edition | 1st edition |
| Collection | O'Reilly - Collection details see MPG.ReNa |
Table of Contents:
- Cover
- Title Page
- Copyright and Credits
- Dedications
- Contributors
- Table of Contents
- Preface
- Chapter 1: Getting the Lab Ready and Attacking Exchange Server
- Technical requirements
- Lab architecture and deployment
- Active Directory kill chain
- Why we will not cover initial access and host-related topics
- Attacking Exchange Server
- User enumeration and password spraying
- Dumping and exfiltrating
- Zero2Hero exploits
- Gaining a foothold
- Summary
- Further reading
- Chapter 2: Defense Evasion
- Technical requirements
- AMSI, PowerShell CLM, and AppLocker
- Antimalware Scan Interface
- Way 1
- Error forcing
- Way 2
- Obfuscation
- Way 3
- Memory patch
- AppLocker and PowerShell CLM
- PowerShell Enhanced Logging and Sysmon
- Event Tracing for Windows (ETW)
- Summary
- References
- Further reading
- Chapter 3: Domain Reconnaissance and Discovery
- Technical requirements
- Enumeration using built-in capabilities
- PowerShell cmdlet
- WMI
- net.exe
- LDAP
- Enumeration tools
- SharpView/PowerView
- BloodHound
- Enumerating services and hunting for users
- SPN
- The file server
- User hunting
- Enumeration detection evasion
- Microsoft ATA
- Honey tokens
- Summary
- References
- Further reading
- Chapter 4: Credential Access in Domain
- Technical requirements
- Clear-text credentials in the domain
- Old, but still worth trying
- Password in the description field
- Password spray
- Capture the hash
- Forced authentication
- MS-RPRN abuse (PrinterBug)
- MS-EFSR abuse (PetitPotam)
- WebDAV abuse
- MS-FSRVP abuse (ShadowCoerce)
- MS-DFSNM abuse (DFSCoerce)
- Roasting the three-headed dog
- Kerberos 101
- ASREQRoast
- KRB_AS_REP roasting (ASREPRoast)
- Kerberoasting
- Automatic password management in the domain
- LAPS
- gMSA
- NTDS secrets
- DCSync
- Dumping user credentials in clear text via DPAPI
- Summary
- References
- Further reading
- Chapter 5: Lateral Movement in Domain and Across Forests
- Technical requirements
- Usage of administration protocols in the domain
- PSRemoting and JEA
- RDP
- Other protocols with Impacket
- Relaying the hash
- Pass-the-whatever
- Pass-the-hash
- Pass-the-key and overpass-the-hash
- Pass-the-ticket
- Kerberos delegation
- Unconstrained delegation
- Resource-based constrained delegation
- Constrained delegation
- Bronze Bit attack aka CVE-2020-17049
- Abusing trust for lateral movement
- Summary
- References
- Further reading
- Chapter 6: Domain Privilege Escalation
- Technical requirements
- Zero2Hero exploits
- MS14-068
- Zerologon (CVE-2020-1472)
- PrintNightmare (CVE-2021-1675 & CVE-2021-34527)
- sAMAccountName Spoofing and noPac (CVE-2021-42278/CVE-2021-42287)
- RemotePotato0
- ACL abuse
- Group
- Computer
- User
- DCSync
- Group Policy abuse
- Other privilege escalation vectors
- Built-in security groups
- DNSAdmins abuse (CVE-2021-40469)