Pentesting Active Directory and Windows-Based Infrastructure : A Comprehensive Practical Guide to Penetration Testing Microsoft Infrastructure / Denis Isakov.

Format:

Book

Author/Creator:

Isakov, Denis, author.

Language:

English

Subjects (All):

Penetration testing (Computer security).

Microsoft software--Testing.

Microsoft software.

Computer security.

Physical Description:

1 online resource (360 pages)

Edition:

First edition.

Place of Publication:

Birmingham, England : Packt Publishing, [2023]

Summary:

Enhance your skill set to pentest against real-world Microsoft infrastructure with hands-on exercises and by following attack/detect guidelines with OpSec considerations Key Features Find out how to attack real-life Microsoft infrastructure Discover how to detect adversary activities and remediate your environment Apply the knowledge you've gained by working on hands-on exercises Purchase of the print or Kindle book includes a free PDF eBook Book Description This book teaches you the tactics and techniques used to attack a Windows-based environment, along with showing you how to detect malicious activities and remediate misconfigurations and vulnerabilities. You'll begin by deploying your lab, where every technique can be replicated. The chapters help you master every step of the attack kill chain and put new knowledge into practice. You'll discover how to evade defense of common built-in security mechanisms, such as AMSI, AppLocker, and Sysmon; perform reconnaissance and discovery activities in the domain environment by using common protocols and tools; and harvest domain-wide credentials. You'll also learn how to move laterally by blending into the environment's traffic to stay under radar, escalate privileges inside the domain and across the forest, and achieve persistence at the domain level and on the domain controller. Every chapter discusses OpSec considerations for each technique, and you'll apply this kill chain to perform the security assessment of other Microsoft products and services, such as Exchange, SQL Server, and SCCM. By the end of this book, you'll be able to perform a full-fledged security assessment of the Microsoft environment, detect malicious activity in your network, and guide IT engineers on remediation steps to improve the security posture of the company. What you will learn Understand and adopt the Microsoft infrastructure kill chain methodology Attack Windows services, such as Active Directory, Exchange, WSUS, SCCM, AD CS, and SQL Server Disappear from the defender's eyesight by tampering with defensive capabilities Upskill yourself in offensive OpSec to stay under the radar Find out how to detect adversary activities in your Windows environment Get to grips with the steps needed to remediate misconfigurations Prepare yourself for real-life scenarios by getting hands-on experience with exercises Who this book is for This book is for pentesters and red teamers, security and IT engineers, as well as blue teamers and incident responders interested in Windows infrastructure security. The book is packed with practical examples, tooling, and attack-defense guidelines to help you assess and improve the security of your real-life environments. To get the most out of this book, you should have basic knowledge of Windows services and Active Directory.

Contents:

Cover

Title Page

Copyright and Credits

Dedications

Contributors

Table of Contents

Preface

Chapter 1: Getting the Lab Ready and Attacking Exchange Server

Technical requirements

Lab architecture and deployment

Active Directory kill chain

Why we will not cover initial access and host-related topics

Attacking Exchange Server

User enumeration and password spraying

Dumping and exfiltrating

Zero2Hero exploits

Gaining a foothold

Summary

Further reading

Chapter 2: Defense Evasion

AMSI, PowerShell CLM, and AppLocker

Antimalware Scan Interface

Way 1 - Error forcing

Way 2 - Obfuscation

Way 3 - Memory patch

AppLocker and PowerShell CLM

PowerShell Enhanced Logging and Sysmon

Event Tracing for Windows (ETW)

References

Chapter 3: Domain Reconnaissance and Discovery

Enumeration using built-in capabilities

PowerShell cmdlet

WMI

net.exe

LDAP

Enumeration tools

SharpView/PowerView

BloodHound

Enumerating services and hunting for users

SPN

The file server

User hunting

Enumeration detection evasion

Microsoft ATA

Honey tokens

Chapter 4: Credential Access in Domain

Clear-text credentials in the domain

Old, but still worth trying

Password in the description field

Password spray

Capture the hash

Forced authentication

MS-RPRN abuse (PrinterBug)

MS-EFSR abuse (PetitPotam)

WebDAV abuse

MS-FSRVP abuse (ShadowCoerce)

MS-DFSNM abuse (DFSCoerce)

Roasting the three-headed dog

Kerberos 101

ASREQRoast

KRB_AS_REP roasting (ASREPRoast)

Kerberoasting

Automatic password management in the domain

LAPS

gMSA

NTDS secrets

DCSync.

Dumping user credentials in clear text via DPAPI

Chapter 5: Lateral Movement in Domain and Across Forests

Usage of administration protocols in the domain

PSRemoting and JEA

RDP

Other protocols with Impacket

Relaying the hash

Pass-the-whatever

Pass-the-hash

Pass-the-key and overpass-the-hash

Pass-the-ticket

Kerberos delegation

Unconstrained delegation

Resource-based constrained delegation

Constrained delegation

Bronze Bit attack aka CVE-2020-17049

Abusing trust for lateral movement

Chapter 6: Domain Privilege Escalation

MS14-068

Zerologon (CVE-2020-1472)

PrintNightmare (CVE-2021-1675 &amp

CVE-2021-34527)

sAMAccountName Spoofing and noPac (CVE-2021-42278/CVE-2021-42287)

RemotePotato0

ACL abuse

Group

Computer

User

DCSync

Group Policy abuse

Other privilege escalation vectors

Built-in security groups

DNSAdmins abuse (CVE-2021-40469)

Child/parent domain escalation

Privileged Access Management

Chapter 7: Persistence on Domain Level

Domain persistence

Forged tickets

A domain object's ACL and attribute manipulations

DCShadow

Golden gMSA

Domain controller persistence

Skeleton Key

A malicious SSP

DSRM

Security descriptor alteration

Chapter 8: Abusing Active Directory Certificate Services

PKI theory

Certificate theft

THEFT1 - Exporting certificates using the CryptoAPI

THEFT2 - User certificate theft via DPAPI

THEFT3 - Machine certificate theft via DPAPI

THEFT4 - Harvest for certificate files.

THEFT5 - NTLM credential theft via PKINIT (nPAC-the-hash)

Account persistence

PERSIST1 - Active user credential theft via certificates

PERSIST2 - Machine persistence via certificates

PERSIST3 - Account persistence via certificate renewal

Shadow credentials

Domain privilege escalation

Certifried (CVE-2022-26923)

Template and extension misconfigurations

Improper access controls

CA misconfiguration

Relay attacks

DPERSIST1 - Forge certificates with stolen CA certificate

DPERSIST2 - Trusting rogue CA certificates

DPERSIST3 - Malicious misconfiguration

Chapter 9: Compromise Microsoft SQL Server

Introduction, discovery, and enumeration

SQL Server introduction

Discovery

Brute force

Database enumeration

Privilege escalation

Impersonation

TRUSTWORTHY misconfiguration

UNC path injection

From a service account to SYSTEM

From a local administrator to sysadmin

OS command execution

xp_cmdshell

A custom extended stored procedure

Custom CLR assemblies

OLE automation procedures

Agent jobs

External scripts

Lateral movement

Shared service accounts

Database links

Persistence

File and registry autoruns

Startup stored procedures

Malicious triggers

Chapter 10: Taking Over WSUS and SCCM

Abusing WSUS

Introduction to MECM/SCCM

Deployment

Reconnaissance

Client push authentication coercion

Credential harvesting

Client push authentication relay attack

Site takeover

Abuse of Microsoft SQL Server

Deploying an application

Defensive recommendations

Index

Other Books You May Enjoy.

Notes:

Description based upon print version of record.

Child/parent domain escalation

Includes bibliographical references and index.

Description based on print version record.

ISBN:

9781804618271

1804618276

OCLC:

1407315625