Lateral movement is the process of moving from one compromised host to another. Penetration testers and red teamers alike commonly used to accomplish this by executing powershell.exe to run a base64 encoded command on the remote host, which would return a beacon. The problem with this is that offensive PowerShell is not a new concept […]
Penetration Testing Active Directory, Part II
In the previous article, I obtained credentials to the domain three different ways. For most of this part of the series, I will use the rsmith user credentials, as they are low-level, forcing us to do privilege escalation. Privilege escalation in Windows can of course come from a missing patch or unquoted service paths, but … Continue reading Penetration Testing Active Directory, Part II
Yet Another OSCP Exam Blog Post
I started my OSCP journey well over a year ago, almost two. It was a long time ago, but I remember still not knowing a lot and having anxiety because I'm not sure I'd do so well. When I finally decided to enroll, it was because someone told me that I didn't have enough experience … Continue reading Yet Another OSCP Exam Blog Post
BloodHound and CypherDog Cheatsheet
Bloodhound is a phenominal tool that should be in every pentester's toolkit, as it literally graphs an attack plan, but that also means that it's just as useful to the blue team. When I do pentests or risk assessments and show the client Bloodhound, they're both AmazedConfused on how to use it The tool in … Continue reading BloodHound and CypherDog Cheatsheet
Penetration Testing Active Directory, Part I
I've had several customers come to me before a pentest and say they think they're in a good shape because their vulnerability scan shows no critical vulnerabilities and that they're ready for a pentest, which then leads me to getting domain administrator in fifteen minutes by just exploiting misconfigurations in AD. One of the lapses … Continue reading Penetration Testing Active Directory, Part I
