Skip to main content
Advanced Search
Search Terms
Content Type

Exact Matches
Tag Searches
Date Options
Updated after
Updated before
Created after
Created before

Search Results

163 total results found

Information Technology

information-technology
IT
systems-administration
sysadmin
network-administration
network-administration

Defensive Cybersecurity

defend
cybersecurity
threat-hunting
siem

Offensive Cybersecurity

attack
pentesting
red-team

Active Directory

Also, consider taking a look at my Active Directory Attack Map. While it doesn't cover every possible attack avenue, and isn't as sophisticated as some other mindmaps, I think it does a pretty good job of visualizing some of the information found in this book.

active-directory

Hash Cracking

hash
encryption
hashing
hashes

Web

www
html
http
javascript
css
web

Nmap

nmap
networking

Network Pivoting

networking
pivoting
lateral-movement

File Transfers and Data Exfiltration

file-transfer
data-exfiltration

Kali Optimizations

Mail

smtp
email
pentesting

Proxmox

Repository for any notes, snippets, cheat sheets pertaining to Proxmox

proxmox

Wazuh

Repository for any notes, snippets, and cheat sheets pertaining to the overall Wazuh tech stack.

wazuh

WordPress Administration

Repository for notes, snippets, and cheat sheets pertaining to WordPress.

wordpress
web-administration

Fleet DM

Repository for notes, snippets, and cheat sheets pertaining to Fleet DM for osquery.

osquery
fleetdm

Ansible

Repository for notes, snippets, and cheat sheets pertaining to Ansible.

ansible

Linux Administration

systems-administration
linux

Windows Administration

systems-administration
windows

SSH Administration

systems-administration
ssh

Certificates and Encryption

systems-administration
encryption

Computer Networking

network-administration
networking

Memory Forensics

digital-forensics
memory-forensics
defend
attack

PJPT & PNPT Study Group Lessons

This book will hold all of the lesson plans and/or supplementary material for when I teach in the PJPT study group in the F0xhunt Discord server (https://discord.gg/f0xhunt)

pentesting
study
tcm-pjpt

Post Exploitation: Enumeration

Active Directory

post-exploitation
active-directory

Post Exploitation: Attacks

Active Directory

active-directory
post-exploitation
attack-vectors

FFUF

Web

ffuf
brute-force
web

Port Forwarding

Network Pivoting

port-forwarding

gobuster

Web

gobuster

Automation with Ansible

Ansible

automation
information-technology
ansible

FleetDM On Debian 11

Fleet DM

fleetdm
osquery
defend

Initial Attack Vectors

Active Directory

Internal: --------- Attack vectors that are ideal for internal penetration tests, where the attacker plants a device on the network or uploads tools to a compromised host. External: --------- Attack vectors that could work in both internal and external ...

attack-vectors
active-directory

Mapping Mailboxes with Mutt

Mail

General

Web

General Information

web

Command Line Tricks

Linux Administration

command-line
shell

WordPress

Web

web
enumeration
nmap
wordpress

Session 2: Nov. 13, 2023

PJPT & PNPT Study Group Lessons

pentesting
study
tcm-pjpt

Computer Networking Fundamentals

Computer Networking

computer-networking
networking
computer-network-101

Brute Force Web Logins with Hydra

Hydra

web
hydra
brute-force
password-spraying
credential-spraying

Joining Linux Hosts to Active Directory Domain

Linux Administration

active-directory
linux
systems-administration
sysadmin

Session 8: Jan. 8, 2024

PJPT & PNPT Study Group Lessons

Session 10: Jan. 18, 2024

PJPT & PNPT Study Group Lessons

active-directory
internal

LLMNR Poisoning (Internal)

Active Directory Initial Attack Vectors

Note: Network Environment Given that LLMNR is a name resolution protocol that works on the Local Area Network (LAN), this attack method cannot be performed from a different subnet. The attacker would have to compromise a host on the LAN and upload tools, or p...

llmnr
internal
llmnr-poisoning

SMB Relay (Internal/External)

Active Directory Initial Attack Vectors

Note: Network Environment This attack works best in a flat network. However, as long as the attacker machine and target(s) are routeable and no firewalls are blocking required ports, it could work across network segments. What is SMB Relay? A man-in-the-m...

smb
active-directory
external
internal

IPv6 DNS Spoofing (Internal)

Active Directory Initial Attack Vectors

Note: Network Environment This spoofing attack and works by sending a router announcement to multicast ff02::1. Therefore, it will only affect domain-joined hosts on the same segment as the attacker machine. What is IPv6 DNS Spoofing? An attacker announ...

ipb6
active-directory
internal

Passback Attacks (Internal/External)

Active Directory Initial Attack Vectors

What's the Flaw? Usually involves an unsecure device -- like a printer or multifunction device -- which is configured with an LDAP or SMTP client and credentials. It could be a web server too -- where there is an LDAP or SMTP client. The credentials are usual...

internal
passback
active-directory
external

PowerView

Active Directory Post Exploitation: Enumeration

Overview A set of PowerShell functions that can be used to enumerate ActiveDirectory. Part of the larger PowerSploit Framework Usage Transfer PowerView.ps1 to the compromised target. Requires a PowerShell session. Then, source the file into the current se...

BloodHound

Active Directory Post Exploitation: Enumeration

1. Installation sudo apt install -y neo4j bloodhound 2. Setup sudo neo4j console & Navigate to http://localhost:7474 Login is neo4j and change the default password sudo bloodhound & Log into the neo4j user account with the new password 3. Data...

Manual Enumeration

Active Directory Post Exploitation: Enumeration

net.exe Drawbacks net does not show nested groups net only shows up to 10 groups even if a user is in more Local System net user – Enumerate system local users net user user.name – Get information about a specific local user net localgroup – Enume...

Pass the Password

Active Directory Post Exploitation: Attacks

Overview Cracked a hash or discovered a password for a domain user. Use the password and crackmapexec to pass it around the network and see if we can log into any other target(s) with that credential Attack 1: crackmapexec sudo crackmapexec smb <target-or...

Pass the Hash

Active Directory Post Exploitation: Attacks

Overview Dumped the SAM or LSA and now have hashes for domain or a local users. Use the hash and crackmapexec to pass it around the network and see if we can log into any other target(s) with that credential Anatomy of a Windows Hash username:SID:LM_HASH:NT...

Token Impersonation

Active Directory Post Exploitation: Attacks

Overview Tokens are temporary keys that allow a user to perform actions on a system or network without having to provide a password; similar to session cookies on a web site. The tokens are generated once a user logs onto a system or RDP session. They remain ...

Kerberoasting

Active Directory Post Exploitation: Attacks

Overview The attacker uses a known username and password of a user on a domain. A typical Kerberos workflow is: Once a user logs into a domain-joined system, they get a TGT (ticket-granting ticket). Then, they'll use that TGT to request a TGS (ticket-gra...

Group Policy Preferences (GPP)

Active Directory Post Exploitation: Attacks

Overview GPP allows admins to create policies with embedded credentials. The credentials are encrypted and stored in a cPassword. The key was accidentally released. What's the Flaw? The MS14-025 patch does not apply to GPP passwords embedded prior to the ...

PrintNightmare

Active Directory Post Exploitation: Attacks

Local Privilege Escalation https://github.com/calebstewart/CVE-2021-1675

PrintNightmare (Internal/External)

Active Directory Initial Attack Vectors

Remote Code Execution https://github.com/cube0x0/CVE-2021-1675 Contains full details on scanning and mitigation. Could potentially be used against a domain controller for easy access to a reverse shell.   Create payload msfvenom -p <payload> LHOST=<kali-i...

print-nightmare
active-directory
external
internal

Mimikatz

Active Directory Post Exploitation: Attacks

Overview https://github.com/gentilkiwi/mimikatz There are various spin-offs of the Mimikatz project, including a PowerShell variety. Mimkatz is primarily used to dump hashes from  LSASS, pass hashes, or generating Kerberos tickets for use in attacks.     ...

ZeroLogon

Active Directory Post Exploitation: Attacks

Caution This can potentially break a domain controller, due the fact that this attack temporarily removes the password from a domain controller. After testing this attack, the original password should be restored. ZeroLogon Checker https://github.com/Secu...

AES 256 ECB

Hash Cracking

Example from Vulnhub https://www.vulnhub.com/entry/prime-1,358/ In this challenge, a script outputs an AES-256 encrypted file and a hint in key.txt The hint says to hash the word "ippsec" with the MD5 algorithm This is the key to decrypt the hash Hash Base 6...

aes-256-ecb
aes
hash

Use FFUF to Brute Force Login

Web FFUF

Brute Force with a Request File Start Burp Make a randomized login to the target web page Copy the output, for example: POST /login HTTP/1.1 Host: 10.10.10.10 Content-Length: 37 Accept: application/json, text/plain, */* User-Agent: Mozilla/5.0 (Windows NT ...

Hydra Overview

Hydra

Understanding Hydra Help Viewing Hydra Modules Print the hydra help output hydra -h Notice the Supported services section. These are the modules that the hydra binary installed on your system can use. Supported services: adam6500 asterisk cisco cisco-enab...

Nmap Scanning with Categories

Nmap

Example 1: Nmap script scan with categories Categories https://nmap.org/book/nse-usage.html#nse-categories auth broadcast brute default discovery dos exploit external fuzzer intrusive malware safe version vuln # Scan UDP/161 with all snmp-* scripts # Do ...