book

Pentesting Active Directory and Windows-based Infrastructure

Name: Pentesting Active Directory and Windows-based Infrastructure
Author: Denis Isakov
ISBN: 9781804611364

by Denis Isakov

November 2023

Intermediate to advanced

360 pages

8h 19m

English

Packt Publishing

Read now

Unlock full access

Pentesting Active Directory and Windows-based Infrastructure
ContributorsAbout the authorAbout the reviewers
Preface
Who this book is forWhat this book coversTo get the most out of this bookConventions usedGet in touchShare Your ThoughtsDownload a free PDF copy of this book
Chapter 1: Getting the Lab Ready and Attacking Exchange Server
Technical requirementsLab architecture and deploymentActive Directory kill chainWhy we will not cover initial access and host-related topicsAttacking Exchange ServerUser enumeration and password sprayingDumping and exfiltratingZero2Hero exploitsGaining a footholdSummaryFurther reading
Chapter 2: Defense Evasion
Technical requirementsAMSI, PowerShell CLM, and AppLockerAntimalware Scan InterfaceWay 1 – Error forcingWay 2 – ObfuscationWay 3 – Memory patchAppLocker and PowerShell CLMPowerShell Enhanced Logging and SysmonEvent Tracing for Windows (ETW)SummaryReferencesFurther reading
Chapter 3: Domain Reconnaissance and Discovery
Technical requirementsEnumeration using built-in capabilitiesPowerShell cmdletWMInet.exeLDAPEnumeration toolsSharpView/PowerViewBloodHoundEnumerating services and hunting for usersSPNThe file serverUser huntingEnumeration detection evasionMicrosoft ATAHoney tokensSummaryReferencesFurther reading
Chapter 4: Credential Access in Domain
Technical requirementsClear-text credentials in the domainOld, but still worth tryingPassword in the description fieldPassword sprayCapture the hashForced authenticationMS-RPRN abuse (PrinterBug)MS-EFSR abuse (PetitPotam)WebDAV abuseMS-FSRVP abuse (ShadowCoerce)MS-DFSNM abuse (DFSCoerce)Roasting the three-headed dogKerberos 101ASREQRoastKRB_AS_REP roasting (ASREPRoast)KerberoastingAutomatic password management in the domainLAPSgMSANTDS secretsDCSyncDumping user credentials in clear text via DPAPISummaryReferencesFurther reading
Chapter 5: Lateral Movement in Domain and Across Forests
Technical requirementsUsage of administration protocols in the domainPSRemoting and JEARDPOther protocols with ImpacketRelaying the hashPass-the-whateverPass-the-hashPass-the-key and overpass-the-hashPass-the-ticketKerberos delegationUnconstrained delegationResource-based constrained delegationConstrained delegationBronze Bit attack aka CVE-2020-17049Abusing trust for lateral movementSummaryReferencesFurther reading
Chapter 6: Domain Privilege Escalation
Technical requirementsZero2Hero exploitsMS14-068Zerologon (CVE-2020-1472)PrintNightmare (CVE-2021-1675 & CVE-2021-34527)sAMAccountName Spoofing and noPac (CVE-2021-42278/CVE-2021-42287)RemotePotato0ACL abuseGroupComputerUserDCSyncGroup Policy abuseOther privilege escalation vectorsBuilt-in security groupsDNSAdmins abuse (CVE-2021-40469)Child/parent domain escalationPrivileged Access ManagementSummaryReferencesFurther reading
Chapter 7: Persistence on Domain Level
Technical requirementsDomain persistenceForged ticketsA domain object’s ACL and attribute manipulationsDCShadowGolden gMSADomain controller persistenceSkeleton KeyA malicious SSPDSRMSecurity descriptor alterationSummaryReferences
Chapter 8: Abusing Active Directory Certificate Services
Technical requirementsPKI theoryCertificate theftTHEFT1 – Exporting certificates using the CryptoAPITHEFT2 – User certificate theft via DPAPITHEFT3 – Machine certificate theft via DPAPITHEFT4 – Harvest for certificate filesTHEFT5 – NTLM credential theft via PKINIT (nPAC-the-hash)Account persistencePERSIST1 – Active user credential theft via certificatesPERSIST2 – Machine persistence via certificatesPERSIST3 – Account persistence via certificate renewalShadow credentialsDomain privilege escalationCertifried (CVE-2022-26923)Template and extension misconfigurationsImproper access controlsCA misconfigurationRelay attacksDomain persistenceDPERSIST1 – Forge certificates with stolen CA certificateDPERSIST2 – Trusting rogue CA certificatesDPERSIST3 – Malicious misconfigurationSummaryReferences

Chapter 9: Compromising Microsoft SQL Server
Technical requirementsIntroduction, discovery, and enumerationSQL Server introductionDiscoveryBrute forceDatabase enumerationPrivilege escalationImpersonationTRUSTWORTHY misconfigurationUNC path injectionFrom a service account to SYSTEMFrom a local administrator to sysadminOS command executionxp_cmdshellA custom extended stored procedureCustom CLR assembliesOLE automation proceduresAgent jobsExternal scriptsLateral movementShared service accountsDatabase linksPersistenceFile and registry autorunsStartup stored proceduresMalicious triggersSummaryFurther reading
Chapter 10: Taking Over WSUS and SCCM
Technical requirementsAbusing WSUSIntroduction to MECM/SCCMDeploymentReconnaissancePrivilege escalationClient push authentication coercionCredential harvestingLateral movementClient push authentication relay attackSite takeoverAbuse of Microsoft SQL ServerDeploying an applicationDefensive recommendationsSummaryReferencesFurther reading
Index
Why subscribe?
Other Books You May EnjoyPackt is searching for authors like youShare Your ThoughtsDownload a free PDF copy of this book

Content preview from Pentesting Active Directory and Windows-based Infrastructure

10 Taking Over WSUS and SCCM

In this final chapter of the book, we will focus on attacking infrastructure management solutions. These are valuable and attractive targets for an adversary as such systems are operated under highly privileged accounts with access to almost every piece of the target environment. Windows Server Update Services (WSUS) is a service to deploy updates to the client computers in a centralized manner. Microsoft Endpoint Configuration Management (MECM) – formerly known as System Center Configuration Manager (SCCM) – is an on-premises management solution for endpoints. This product helps IT professionals run system inventory, patching, software deployment, and so on.

We will start by discussing known attacks on WSUS and ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

CCNA 200-301 Official Cert Guide Library

Publisher Resources

ISBN: 9781804611364

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Pentesting Active Directory and Windows-based Infrastructure

by Denis Isakov

10

Taking Over WSUS and SCCM

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.