Initial Attack Vectors: Multipurpose
This chapter is "multipurpose" in the sense that the attacks listed here could be carried out on the same Local Area Network (LAN) as the targets or via a pivot such as SOCKS proxies or layer 3 tunneling.
Enumerating Hosts and Identifying the Domain Controllers
Fingerprinting Domain Controllers PORT STATE SERVICE 53/tcp open domain 88/tcp open...
Passback Attacks
What's the Flaw? Usually involves an insecure device -- like a printer or multifunction device -...
SMB Relay
Note: Network Environment This attack works best in a flat network. However, as long as the atta...
NULL Session Enumeration
NULL Session LDAP, SMB, and RPC may allow a user to authenticate to the service without providin...
Kerberos Pre-Auth Username Enumeration
How it Works We can send a request for a TGT --- without a pre-authentication hash --- to the Ker...
AS-REP Roasting
AS-REP Roasting If Kerberos pre-authentication is disabled on a user account in Active Directory...
NTLM Credential Stuffing
NTLM Basic Authentication Could obtain a list of usernames via OSINT, or via something like RI...
PrintNightmare
Remote Code Execution https://github.com/cube0x0/CVE-2021-1675 Contains full details on scanning ...