book

Pentesting Active Directory and Windows-based Infrastructure

Name: Pentesting Active Directory and Windows-based Infrastructure
Author: Denis Isakov
ISBN: 9781804611364

by Denis Isakov

November 2023

Intermediate to advanced

360 pages

8h 19m

English

Packt Publishing

Read now

Unlock full access

Pentesting Active Directory and Windows-based Infrastructure
ContributorsAbout the authorAbout the reviewers
Preface
Who this book is forWhat this book coversTo get the most out of this bookConventions usedGet in touchShare Your ThoughtsDownload a free PDF copy of this book
Chapter 1: Getting the Lab Ready and Attacking Exchange Server
Technical requirementsLab architecture and deploymentActive Directory kill chainWhy we will not cover initial access and host-related topicsAttacking Exchange ServerUser enumeration and password sprayingDumping and exfiltratingZero2Hero exploitsGaining a footholdSummaryFurther reading
Chapter 2: Defense Evasion
Technical requirementsAMSI, PowerShell CLM, and AppLockerAntimalware Scan InterfaceWay 1 – Error forcingWay 2 – ObfuscationWay 3 – Memory patchAppLocker and PowerShell CLMPowerShell Enhanced Logging and SysmonEvent Tracing for Windows (ETW)SummaryReferencesFurther reading
Chapter 3: Domain Reconnaissance and Discovery
Technical requirementsEnumeration using built-in capabilitiesPowerShell cmdletWMInet.exeLDAPEnumeration toolsSharpView/PowerViewBloodHoundEnumerating services and hunting for usersSPNThe file serverUser huntingEnumeration detection evasionMicrosoft ATAHoney tokensSummaryReferencesFurther reading
Chapter 4: Credential Access in Domain
Technical requirementsClear-text credentials in the domainOld, but still worth tryingPassword in the description fieldPassword sprayCapture the hashForced authenticationMS-RPRN abuse (PrinterBug)MS-EFSR abuse (PetitPotam)WebDAV abuseMS-FSRVP abuse (ShadowCoerce)MS-DFSNM abuse (DFSCoerce)Roasting the three-headed dogKerberos 101ASREQRoastKRB_AS_REP roasting (ASREPRoast)KerberoastingAutomatic password management in the domainLAPSgMSANTDS secretsDCSyncDumping user credentials in clear text via DPAPISummaryReferencesFurther reading
Chapter 5: Lateral Movement in Domain and Across Forests
Technical requirementsUsage of administration protocols in the domainPSRemoting and JEARDPOther protocols with ImpacketRelaying the hashPass-the-whateverPass-the-hashPass-the-key and overpass-the-hashPass-the-ticketKerberos delegationUnconstrained delegationResource-based constrained delegationConstrained delegationBronze Bit attack aka CVE-2020-17049Abusing trust for lateral movementSummaryReferencesFurther reading
Chapter 6: Domain Privilege Escalation
Technical requirementsZero2Hero exploitsMS14-068Zerologon (CVE-2020-1472)PrintNightmare (CVE-2021-1675 & CVE-2021-34527)sAMAccountName Spoofing and noPac (CVE-2021-42278/CVE-2021-42287)RemotePotato0ACL abuseGroupComputerUserDCSyncGroup Policy abuseOther privilege escalation vectorsBuilt-in security groupsDNSAdmins abuse (CVE-2021-40469)Child/parent domain escalationPrivileged Access ManagementSummaryReferencesFurther reading
Chapter 7: Persistence on Domain Level
Technical requirementsDomain persistenceForged ticketsA domain object’s ACL and attribute manipulationsDCShadowGolden gMSADomain controller persistenceSkeleton KeyA malicious SSPDSRMSecurity descriptor alterationSummaryReferences
Chapter 8: Abusing Active Directory Certificate Services
Technical requirementsPKI theoryCertificate theftTHEFT1 – Exporting certificates using the CryptoAPITHEFT2 – User certificate theft via DPAPITHEFT3 – Machine certificate theft via DPAPITHEFT4 – Harvest for certificate filesTHEFT5 – NTLM credential theft via PKINIT (nPAC-the-hash)Account persistencePERSIST1 – Active user credential theft via certificatesPERSIST2 – Machine persistence via certificatesPERSIST3 – Account persistence via certificate renewalShadow credentialsDomain privilege escalationCertifried (CVE-2022-26923)Template and extension misconfigurationsImproper access controlsCA misconfigurationRelay attacksDomain persistenceDPERSIST1 – Forge certificates with stolen CA certificateDPERSIST2 – Trusting rogue CA certificatesDPERSIST3 – Malicious misconfigurationSummaryReferences

Chapter 9: Compromising Microsoft SQL Server
Technical requirementsIntroduction, discovery, and enumerationSQL Server introductionDiscoveryBrute forceDatabase enumerationPrivilege escalationImpersonationTRUSTWORTHY misconfigurationUNC path injectionFrom a service account to SYSTEMFrom a local administrator to sysadminOS command executionxp_cmdshellA custom extended stored procedureCustom CLR assembliesOLE automation proceduresAgent jobsExternal scriptsLateral movementShared service accountsDatabase linksPersistenceFile and registry autorunsStartup stored proceduresMalicious triggersSummaryFurther reading
Chapter 10: Taking Over WSUS and SCCM
Technical requirementsAbusing WSUSIntroduction to MECM/SCCMDeploymentReconnaissancePrivilege escalationClient push authentication coercionCredential harvestingLateral movementClient push authentication relay attackSite takeoverAbuse of Microsoft SQL ServerDeploying an applicationDefensive recommendationsSummaryReferencesFurther reading
Index
Why subscribe?
Other Books You May EnjoyPackt is searching for authors like youShare Your ThoughtsDownload a free PDF copy of this book

Overview

"Pentesting Active Directory and Windows-based Infrastructure" is a hands-on guide to conducting penetration tests on Microsoft infrastructures. You will learn tactics to identify and exploit vulnerabilities in Windows environments while also discovering methods to detect and remediate threats for improved security.

What this Book will help me do

Understand the steps in the Microsoft infrastructure kill chain for a comprehensive penetration test.
Learn techniques to attack and defend Windows services, including Active Directory and SQL Server.
Perform recon and lateral movement to uncover security vulnerabilities in a controlled lab environment.
Gain expertise in detecting and remediating adversary activities in Microsoft networks.
Apply the knowledge through practical exercises to simulate real-world attack and defense scenarios.

Author(s)

Denis Isakov is a cybersecurity expert specializing in penetration testing and Microsoft infrastructures. With years of hands-on experience, Denis has a knack for demystifying complex technical concepts and presenting them in a practical, comprehensible manner. His approach focuses on actionable insights and real-world applicability to empower readers.

Who is it for?

The book is ideal for penetration testers, red team operators, and IT security professionals looking to deepen their expertise in Microsoft environments. Readers should be familiar with Windows systems and networking concepts. It also serves IT staff and incident responders aiming to fortify their organization's security. It's practical, example-driven, and tailored for professionals wanting to master both offensive and defensive techniques in Microsoft infrastructures.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

CCNA 200-301 Official Cert Guide Library

Publisher Resources

ISBN: 9781804611364

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills