Using Bloodhound to Map the Domain

Bloodhound is an extremely useful tool that will map out Active Directory relationships throughout the network. In a pentest, this is critical because after the initial foothold, it gives you insight on what to attack next. In enterprise domains with thousands of workstations, users, and servers, blindly exploiting boxes is a sure way to get …

Automating the Pentesting Process: Using NTLM Relaying & Deathstar to get Domain Admin

What I’m using:
- Responder
- Empire
- Deathstar
- Ntlmrelayx.py (Install Guide here)

Operating Systems
- Host: Ubuntu 16.04, Kali Linux (Latest)
- Target 1: Windows Server 2008 R2 (Dummy server)
- Target 2: Windows Server 2008 R2 (Domain Controller)

In a domain, it’s not uncommon for NTLMv2 hashes to be captured in some way while doing a penetration test. The problem …

Domain Penetration Testing: Using BloodHound, Crackmapexec, & Mimikatz to get Domain Admin

In the previous two articles, I gathered local user credentials and escalated to local administrator, and my next step is getting to domain admin. Since I have local admin, I'll be using a tool called Bloodhound that will map out the entire domain for me and show where my next target will be. After getting …

Domain Penetration Testing: Privilege Escalation via Group Policy Preferences (GPP)

In my previous article, I used LLMNR poisoning to gather credentials of a low-privilege user on the network. Now, I will attempt to escalate those privileges by exploiting a common misconfiguration in Group Policy Preferences. Prior to patch MS14-025, local administrator passwords were stored horribly, in a readable SMB share, SYSVOL, if …