Exploitation & Initial Access

This phase covers techniques to gain initial access and harvest credentials on internal networks, including password attacks, relay attacks, and Active Directory exploitation. Each attack category has its own comprehensive guide with detailed techniques, automation scripts, and practice labs.

Warning

Always ensure you have proper authorization before attempting any exploitation techniques. Document all actions taken for the final report.

Exploitation Guides

Credential Attacks

A07

LLMNR/NBT-NS poisoning with Responder, hash capture and cracking with Hashcat and John, password spraying, and brute force attacks.

Responder Hashcat Spraying

NTLM Relay Attacks

A07

ntlmrelayx attacks, SMB to LDAP relay, IPv6 DNS takeover with mitm6, LDAPS relay for privilege escalation, and computer account creation.

ntlmrelayx mitm6 LDAPS

Kerberos Attacks

A02

Kerberoasting, AS-REP roasting, Pass-the-Ticket, Golden/Silver ticket attacks, and Kerberos delegation abuse techniques.

Kerberoast AS-REP Golden Ticket

Lateral Movement

A01

Pass-the-Hash, PsExec, WMI execution, WinRM/Evil-WinRM, SMB execution, DCOM lateral movement, and RDP pivoting techniques.

PtH PsExec WinRM DCOM

Privilege Escalation

A01

Token manipulation, service account abuse, UAC bypass, PrintSpoofer, Potato attacks, SeImpersonate privilege abuse, and scheduled task exploitation.

Potato UAC Bypass Tokens

Active Directory Exploitation

A01

DCSync attacks, GPO abuse, ACL exploitation, AdminSDHolder abuse, LAPS abuse, constrained delegation, and resource-based constrained delegation.

DCSync GPO ACL RBCD

Credential Dumping

A07

SAM database extraction, LSASS memory dumps with Mimikatz and pypykatz, secretsdump, NTDS.dit extraction, and credential caching attacks.

Mimikatz LSASS NTDS.dit

Known Vulnerabilities

A06

EternalBlue (MS17-010), ZeroLogon (CVE-2020-1472), PrintNightmare (CVE-2021-34527), PetitPotam, and other critical Windows/AD vulnerabilities.

EternalBlue ZeroLogon PrintNightmare

ADCS Attacks

ESC1-ESC13

Active Directory Certificate Services abuse — template misconfigurations, relay to HTTP enrollment, and certificate theft.

Certipy Certify ForgeCert

Shadow Credentials

msDS-KeyCredentialLink

Key Trust abuse via msDS-KeyCredentialLink attribute modification for stealthy account takeover.

Whisker pywhisker Rubeus

Coercion Attacks

RPC Abuse

PetitPotam, PrinterBug, DFSCoerce, and ShadowCoerce — force machine authentication for relay or credential capture.

PetitPotam SpoolSample Coercer

Delegation Attacks

S4U / RBCD

Unconstrained, constrained, and resource-based constrained delegation abuse for service impersonation.

Rubeus Impacket StandIn

gMSA & LAPS Abuse

Credential Theft

Extract group Managed Service Account passwords and Local Administrator Password Solution credentials from AD.

gMSADumper LAPSDumper NetExec

AD Trust Attacks

Cross-Domain

Forest trust exploitation, SID History injection, ExtraSids golden tickets, and cross-forest lateral movement.

Mimikatz Rubeus BloodHound

NTLM Downgrade

Drop The MIC

NTLMv2→v1 downgrade, advanced relay techniques, WebDAV relay, and EPA bypass attacks.

Responder ntlmrelayx crack.sh

Hybrid Identity

Azure AD Connect

Azure AD Connect exploitation, PTA backdoors, Seamless SSO silver tickets, and PRT theft for on-prem→cloud pivots.

AADInternals ROADtools Mimikatz

Attack Flow Overview

Quick Reference

Exploitation Methodology

  1. Identify attack surface - Map network services, protocols, and potential targets
  2. Choose attack vector - Select appropriate technique based on available access
  3. Execute exploitation - Use the detailed guides above for specific attack vectors
  4. Harvest credentials - Extract hashes, tickets, or plaintext credentials
  5. Move laterally - Pivot to additional systems using captured credentials

Information

Documentation is Key: Screenshot every successful exploitation attempt, note the exact command used, and document the impact clearly for the final report.

Command Quick Reference

| Attack | Tool | Command |
|---|---|---|
| LLMNR Poison | Responder | `sudo responder -I eth0 -dwPv` |
| NTLM Relay | ntlmrelayx | `ntlmrelayx.py -tf targets.txt -smb2support` |
| Kerberoast | GetUserSPNs | `GetUserSPNs.py domain/user:pass -request` |
| AS-REP Roast | GetNPUsers | `GetNPUsers.py domain/user:pass -request` |
| Remote Shell | psexec.py | `psexec.py domain/admin:pass@TARGET` |
