Review & Sharing experience Active Directory (AD) Attack
Intro
First of all, for this blog I used the lab from the CRTP course by Pentester Academy to study, and I will cover only some of the exploits from my own understanding, not the full method. It is recommended for people with no background in AD attacks who want to start as beginners. It uses pure PowerShell exploitation, with no post-exploitation framework, because it is really aimed at beginners.
The CRTP course provides both a video walkthrough and a walkthrough PDF, and the tools are available on the study lab. So you do not need to worry about not being able to solve the lab, but you have to dig deeper into the details yourself than the course provides. I wrote this blog because I want to show some methods which are not mentioned in the CRTP course, or are not detailed much in the walkthrough, to help you understand AD attacks.
Okay, from this picture it starts from external recon and then compromising a machine. You can try starting from the beginning like this with ePTXv2, because it teaches external recon from a Kali machine: scanning the whole IP network to find which ports can be attacked, or finding all the users in the company to do social engineering, then embedding a macro into an Excel file and delivering it via email in Outlook (insider attack). You can read about the social engineering solution on ePTXv2 from this blog. The attacker may pretend to be some user in the company and send it to the IT department, which has rights to access all the servers in the company, to open that macro file; then the attacker gets a shell on one server in the company after the IT guy clicks open on that macro, which is the "compromise machine" step.
But I do not recommend buying ePTXv2 if you have no background in AD attacks. You can read a review from someone else here. ePTX is a good course but not friendly for beginners. This is my personal experience, because I bought both ePTXv2 and CRTP and feel that CRTP made me understand more from the basics.
In CRTP, it assumes you have already compromised a server and start from the internal recon in the picture above, with the main focus on PowerShell commands.
Internal Recon
- Who are we now (which user is the current token running as)? => whoami
- Which privileged groups are we in? => whoami /groups
For example:
1) The result shows we are in the group BUILTIN\Administrators, i.e. the local Administrators group of this machine. Note that on a machine with UAC, an administrator user in a non-elevated shell still sees this group in whoami /groups, but it is flagged "Group used for deny only", so you do not actually have admin rights until the token is elevated (High Mandatory Level).
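The same two checks done from PowerShell, so the result can be reused in later scripts instead of reading whoami output by eye. This is an added example written for this post, not code from the CRTP course or its lab; it uses only the built-in .NET identity classes and whoami.exe, and the only assumption is that you are already in a shell on the compromised Windows host (domain-joined or not).

```powershell
# Added example (not from the CRTP lab or the original post): internal recon of the
# current token from PowerShell. Equivalent to `whoami` and `whoami /groups`, plus the
# two checks that matter in practice: are we in BUILTIN\Administrators, and is the
# token actually elevated (UAC filters the admin group out of medium-integrity shells).

$id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$prin = New-Object System.Security.Principal.WindowsPrincipal($id)

# Who are we? (same as `whoami` / `whoami /user`)
"User: $($id.Name)"
"SID:  $($id.User.Value)"

# Which groups are in our token? (same as `whoami /groups`), SIDs translated to names.
$groups = foreach ($sid in $id.Groups) {
    try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # unresolvable SIDs (e.g. deleted groups) stay as raw SIDs
}
"Groups:"
$groups | Sort-Object | ForEach-Object { "  $_" }

# Is BUILTIN\Administrators (well-known SID S-1-5-32-544) present in the token at all?
# $id.Groups still lists it when UAC has marked it "Group used for deny only".
$inAdminGroup = [bool]($id.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })

# IsInRole(Administrator) only returns $true for an elevated (high-integrity) token,
# because it ignores deny-only groups. This is the real "do we have admin rights" test.
$isElevated = $prin.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

# Cross-check the integrity level label the way whoami shows it:
# High Mandatory Level = S-1-16-12288, Medium = S-1-16-8192, System = S-1-16-16384.
$integrity = (whoami /groups) | Select-String 'S-1-16-\d+' | ForEach-Object { $_.Matches[0].Value }

"Member of BUILTIN\Administrators: $inAdminGroup"
"Token is elevated (admin usable):  $isElevated"
"Integrity level SID:               $integrity"

# Domain-level hint for the next recon step: membership of Domain Admins / Enterprise Admins
# means this shell is already worth far more than a local admin.
$privDomain = $groups | Where-Object { $_ -match '\\(Domain Admins|Enterprise Admins)$' }
if ($privDomain) { "Privileged domain group(s): $($privDomain -join ', ')" }
```

If `$inAdminGroup` is true but `$isElevated` is false, you are an admin user in a medium-integrity shell: the group is in the token but filtered, so the next step is a UAC bypass or running your payload elevated, not privilege escalation on the box itself.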