Exploitation & Initial Access

This phase covers techniques to gain initial access and harvest credentials on internal networks, including password attacks, relay attacks, and Active Directory exploitation. Each attack category has its own comprehensive guide with detailed techniques, automation scripts, and practice labs.

Warning

Always ensure you have proper authorization before attempting any exploitation techniques. Document all actions taken for the final report.

Exploitation Guides

Credential Attacks

A07

LLMNR/NBT-NS poisoning with Responder, hash capture and cracking with Hashcat and John, password spraying, and brute force attacks.

Responder, Hashcat, Spraying

NTLM Relay Attacks

A07

ntlmrelayx attacks, SMB to LDAP relay, IPv6 DNS takeover with mitm6, LDAPS relay for privilege escalation, and computer account creation.

ntlmrelayx, mitm6, LDAPS

Kerberos Attacks

A02

Kerberoasting, AS-REP roasting, Pass-the-Ticket, Golden/Silver ticket attacks, and Kerberos delegation abuse techniques.

Kerberoast, AS-REP, Golden Ticket

Lateral Movement

A01

Pass-the-Hash, PsExec, WMI execution, WinRM/Evil-WinRM, SMB execution, DCOM lateral movement, and RDP pivoting techniques.

PtH, PsExec, WinRM, DCOM

Privilege Escalation

A01

Token manipulation, service account abuse, UAC bypass, PrintSpoofer, Potato attacks, SeImpersonate privilege abuse, and scheduled task exploitation.

Potato, UAC Bypass, Tokens

Active Directory Exploitation

A01

DCSync attacks, GPO abuse, ACL exploitation, AdminSDHolder abuse, LAPS abuse, constrained delegation, and resource-based constrained delegation.

DCSync, GPO, ACL, RBCD

Credential Dumping

A07

SAM database extraction, LSASS memory dumps with Mimikatz and pypykatz, secretsdump, NTDS.dit extraction, and credential caching attacks.

Mimikatz, LSASS, NTDS.dit

Known Vulnerabilities

A06

EternalBlue (MS17-010), ZeroLogon (CVE-2020-1472), PrintNightmare (CVE-2021-34527), PetitPotam, and other critical Windows/AD vulnerabilities.

EternalBlue, ZeroLogon, PrintNightmare

Attack Flow Overview

Quick Reference

Exploitation Methodology

  1. Identify attack surface - Map network services, protocols, and potential targets
  2. Choose attack vector - Select appropriate technique based on available access
  3. Execute exploitation - Use the detailed guides above for specific attack vectors
  4. Harvest credentials - Extract hashes, tickets, or plaintext credentials
  5. Move laterally - Pivot to additional systems using captured credentials

Information

Documentation is Key: Screenshot every successful exploitation attempt, note the exact command used, and document the impact clearly for the final report.

Command Quick Reference

Attack          Tool          Command
LLMNR Poison    Responder     sudo responder -I eth0 -dwPv
NTLM Relay      ntlmrelayx    ntlmrelayx.py -tf targets.txt -smb2support
Kerberoast      GetUserSPNs   GetUserSPNs.py domain/user:pass -request
AS-REP Roast    GetNPUsers    GetNPUsers.py domain/user:pass -request
Remote Shell    psexec.py     psexec.py domain/admin:pass@TARGET