OSCP Practice Lab: Active Directory Attack Path #2 (Back to the Basics)

  • added 3. 07. 2024
  • This video walks through one of the paths to complete domain compromise I practiced for passing the OSCP. Specifically this video is going "back to the basics" and showing the tools, methods, and tactics I practiced first, before moving on to more complex ones. I'm thinking the next attack path I share will be one of the more 'advanced' flows.
    Thank you for watching and I hope this helps you with your journey!
    The link to setting up this lab environment is here: • OSCP Practice Lab: How...
    0:00 Intro
    2:29 OpenVPN
    4:40 /etc/hosts
    7:39 MS01 Enumeration
    21:36 MS01 Information Disclosure
    26:59 MS01 Password Spraying with Hydra
    29:57 MS01 Password Spraying with CrackMapExec
    33:23 MS01 Initial Foothold: FTP
    34:24 MS01 Hunting for an Exploitable Service
    41:44 Using Shellcode
    47:30 MS01 Application Exploitation
    51:45 MS01 winPEAS
    59:39 MS01 Priv Esc: Scheduled Task
    1:13:09 Backdoor Acct and RDP Access
    1:20:42 MS01 Mimikatz
    1:28:35 Cracking with Hashcat
    1:32:50 Pivoting with Ligolo-ng
    1:42:39 Kerberoasting
    1:44:30 AS-REP Roasting
    1:49:55 Credential Spraying AD
    1:59:57 crackmapexec
    2:03:03 enum4linux
    2:04:24 smbclient
    2:07:42 crackmapexec for WinRM
    2:08:55 crackmapexec for RDP
    2:10:20 RDP Access with xfreerdp
    2:12:23 MS02 Priv Esc
    2:18:00 Payload Transfer to the Inside
    2:23:35 MS02 Mimikatz
    2:26:28 Cracking with Hashcat
    2:28:46 DC01 Pass-The-Hash with evil-winrm
    2:31:46 BONUS: Port Forwarding to Transfer Payloads
    2:37:29 BONUS: Port Forwarding to Catch Shells
    2:43:16 BONUS: Bind Shells

Comments • 54

  • @YAHWA-fb7ww 4 months ago +24

    DOOON'T STOP POSTING VIDEOS MAAAN!!! THIS IS PUUUURE GOLD!!!!

  • @newhackerlearning7160 a month ago +2

    currently preparing oscp and watched a few times on this video and i kept learning from you and even listening while i'm walking back home. very good walkthrough and i learned a lot of things from you. Thank you so much and looking forward to your other videos!

  • @lakshyadutt5206 7 months ago +7

    Definitely waiting for the next one. After seeing you use ligolo, using chisel and proxychains feels stupid, thank you for introducing me to this tool.

    • @derronc 7 months ago +4

      you're most welcome! I also used chisel and proxychains a lot and I still feel those pains 😖 once ligolo came out that was a game changer

  • @SamilSitki 2 months ago +1

    Thank you very much for your videos, keep going...You have made one of the best AD Series that exists over internet I am going to download all this series as my disaster recovery plan in order not to be deleted from youtube :)

  • @AndersAndersson-he2et 7 months ago +5

    Great walkthrough! Doing PEN-200 right now, starting the last three AD chapters as of now and then move on to practicing machines. Great way to kick start the AD section! Looking forward to more content and tips from you.

    • @derronc 7 months ago

      oh man that is such great content in there, I hope you're enjoying PEN-200! Best of luck on your OSCP endeavor!

  • @techtimefly 2 months ago

    Such a great video. I really like how you explain each step including trying different methods when one didn't work. Keep up the good work.

  • @dgoncalo 7 months ago +1

    Great video! Thanks for sharing!

  • @ianp6742 7 months ago +1

    Hey! Glad to see another AD attack path from you!

  • @ishanupadhyaya3164 a month ago

    Awesome walkthrough and explanation, Darron. Hope you do more videos like this in future. God bless you man.

  • @mohamedbassia 7 months ago +3

    so glad you made a new one, thanks and please keep posting such videos

  • @AhmadAli-sd5mk 5 months ago +1

    one of the best videos on CZcams

  • @SjPn11 7 months ago +2

    That's a great video. Very informative. Especially your notes and thoughts

  • @htpeof6943 6 months ago

    Great explanation!!!

  • @zagnoxxx 3 months ago

    Love your videos man!! Keep doing stuff like these please

  • @ianp6742 7 months ago +1

    Dude, this is sooo helpful

  • @adamabengali3727 a month ago

    Great job!

  • @shivendraprajapati7200 7 months ago +1

    Learned about the bind shell working from the last part of the video it was very informative

  • @lakshyadutt5206 7 months ago +2

    Really nice and informative video, I just got my PNPT and I am now preparing for my OSCP now. This is gold, I'm making notes from these videos and doing HTB side by side. Really good work mate, keep them coming. 😄

    • @derronc 7 months ago +1

      I'm glad this is helpful on your journey; congrats on the PNPT!!

  • @taximan1983 4 months ago

    i was sooooo happy that i clicked the like button 3 times. thanx man.

  • @ronorocky 5 months ago +1

    awesome, great i was having a lot of trouble for reverse shell in pivoting, msfconsole doesn't help me out that much and all the other pivoting options are way too complicated you made it so fcking easy, loved it great work please post these contents regularly learnt a lot

  • @MarcEis 7 months ago

    Omg, this helps me so much for OSCP prep! Good pace, great info, good summary. Also very much enjoy that you say what tools you don't like and why. Cause i feel like I get flooded with tools all the time. Also enjoy details like "msrpc is not really covered in PEN200". It's true, I spend so many hours on pentesting msrpc already, but never got foothold over it.
    This is pure gold. Hope you make another one soon :)

  • @ChrisLinehan a month ago

    You make really good videos very informative and helpful keep up the good work man

  • @eaness 5 months ago

    great work keep going

  • @hackproof1 3 months ago +1

    Thank you, I like your content, keep it up

  • @tennesseetuned 17 days ago

    We need more AD content brother! Ligolo part was amazing. CarrotOvergrown has a quick start script he made on his github.

  • @1a4s4l7 7 months ago +1

    Your videos are awesome. I've recommended your channel to a few people studying for the oscp

    • @0xdhacker 7 months ago

      Yea exactly 💯

    • @derronc 7 months ago

      that's the highest of compliments, thank you so much!

  • @ihuang694 26 days ago

    you are the best

  • @Vayanovic 3 months ago +1

    Thanks for this tutorial man. It is very structured and methodical which helps us form our own methodology. By the way did you use msfvenom at all in your OSCP?

    • @derronc 3 months ago +1

      I absolutely did! You can use msfvenom as many times as you want on the exam, it's msfconsole (metasploit) that you're limited to attacking only one target with. and I did end up needing to use that once against a target I needed priv esc on. I knew the vulnerability but I was out of time to try and exploit it so... I used the quick/easy module within metasploit.

  • @kenseilabs 15 days ago

    Amazing content!!! Very helpful, the question is, how can I create that environment or if there is somewhere to download it. And thanks again

  • @leoleo-sp1db 4 days ago +1

    why sometimes is it oscp\wade and sometimes its oscp.lab\wade is it the same thing?

  • @sakyb7 26 days ago +1

    How do i create these ad environments and can do practice?

  • @MrWrist7m 3 months ago +1

    Many thanks, This is a useful vdo for who need to take the OSCP certification don't miss.
    Can you please share your cheatsheet link?

    • @derronc 3 months ago +1

      I have my collection of notes/references but I don't have a specific cheat sheet. That said, I'm a big fan of S1ren's common: sirensecurity.io/blog/common/

  • @fallingstars81 3 months ago

    First of all, thanks a lot pro for your very interesting sharing. I've learnt many new techniques from your videos. I have one unsure question:
    At time point about 1:37:23 , Are you sure this hash can be abused to pass the hash? If it is, show me how.
    At my point, this hash is not ntlm hash, it is ntlm.v2 respond hash which is created from ntlm hash in NTLM protocols. So we can not abuse it to pass the hash.

  • @vainkrantz 6 months ago +2

    Isn't using bloodhound better? Can I use it on the exam??

    • @derronc 6 months ago +3

      you ABSOLUTELY can use bloodhound on the exam and I encourage it! I didn't use it on the first two videos as I wanted to show folks the basics and also how to perform enumeration manually. I did add bloodhound into the 3rd video and I'll be using it in a 4th video also. great question!

  • @mattlai443 3 months ago

    1:41:36 i did not go deep on ligolo but proxychain cant work with ligolo like chisel? or its you dont prefer using proxychain?
    thanks

  • @christopherstigson6377 4 months ago

    Would it be possible to get Powershell Scripts to set this up?

  • @sakyb7 26 days ago

    Are these box are up to the level of oscp???

  • @miralnuruyev9177 3 months ago +1

    Up

  • @DannyNilsson 2 months ago

    I see a lot of tools being used, but are most of them not blocked by Windows defender. I know mimikatz don't go well on windows. even though you disable Defender it will still try to block the exe. and also if trying to post code to Powershell that could look like mimi. i also think that a lot of the attacks would easily get flagged when trying different brute force methods

    • @DannyNilsson 2 months ago

      utils like certutil.exe also get blocked and detected as a trojan if you try to transfer files. this guide my in an totally unprotected environment

  • @martinlastname8548 a month ago

    instead of using mimikatz at 1:24 could you not have just used secretsdump with your admin privs?

  • @benyicl92 4 months ago

    1:02:01

  • @RT365 7 months ago

    Can you teach me?

    • @derronc 7 months ago +1

      If I had more time I would take on more mentoring opportunities. In the meantime videos like these are the best I can offer 😊

  • @OMER3-1-3 6 months ago +3

    What an outstanding series you are creating of this walkthrough 😁... By the way Is there is any PayPal or buymecoffe of yours?

    • @derronc 6 months ago +4

      thank you!! I really appreciate the feedback! No PP or buymecoffee, as of today. I'm just doing this to give back to the community and help others where I felt there was a lack of info out there.