
HACKERS ACADEMY BY (PS)

COURSE SUMMARY
🧱 Book Structure (Table of Contents):

1. Introduction to Ethical Hacking

2. Linux Basics for Hackers

3. Red Hat System Overview

4. Setting Up Your Lab

5. Reconnaissance and Information Gathering

6. Scanning and Enumeration

7. Vulnerability Analysis

8. Exploitation Techniques on Red Hat Systems

9. Privilege Escalation in Linux

10. Post Exploitation Techniques

11. Web App Hacking in Red Hat Environment

12. Password Cracking and Brute Force

13. Networking Attacks and Defense

14. Firewalls, SELinux & Security Modules

15. Forensics and Log Analysis

16. Writing Bash & Python Scripts for Automation

17. Securing Red Hat Systems

18. CTFs and Practice Labs

19. Red Hat Certification (RHCSA/RHCE) & Security Focus

20. Final Thoughts and Career Path

Page | 1
📘 Module 13: Privilege Escalation on Active Directory (AD)
Active Directory (AD) is the backbone of most enterprise environments. Escalating privileges within AD allows
attackers to take over domains, access sensitive data, and deploy persistence across entire networks.

🧭 Learning Objectives

By the end of this module, readers will:

- Understand the structure and components of Active Directory

- Learn how to enumerate users, groups, and privileges in a domain

- Discover attack paths for escalating privileges to Domain Admin

- Use tools like BloodHound, SharpHound, and PowerView

- Execute attacks such as Kerberoasting, AS-REP Roasting, and DCSync

📖 Course Content for the Book

🔹 13.1 What is Active Directory?

Active Directory is Microsoft’s centralized identity management service used in most corporate networks. It manages:

- Users, groups, and computers

- Authentication and authorization (Kerberos, NTLM)

- Policies and trust relationships

Key components:

- Domain Controller (DC)

- Users & Security Groups

- Organizational Units (OUs)

- Group Policy Objects (GPOs)

🔹 13.2 Enumeration in Active Directory

13.2.1 PowerView (from PowerSploit)

```powershell
Import-Module .\PowerView.ps1
Get-NetUser
Get-NetGroup
Get-NetDomainController
```

13.2.2 BloodHound and SharpHound

BloodHound uses graph theory to map attack paths in AD.

```powershell
.\SharpHound.exe -c All
```

Then upload results to BloodHound GUI for analysis.

🔹 13.3 Common AD Privilege Escalation Techniques

13.3.1 Kerberoasting

- Extract Kerberos service tickets (TGS) for accounts with SPNs

- Crack offline using tools like Hashcat

Using Impacket's GetUserSPNs.py (a Python script, run from a shell rather than PowerShell):

```bash
GetUserSPNs.py -request -dc-ip <IP> domain/user:pass
```

13.3.2 AS-REP Roasting

- Exploit users with the "Do not require Kerberos pre-authentication" flag set

Using Impacket's GetNPUsers.py:

```bash
GetNPUsers.py domain.local/ -usersfile users.txt -no-pass
```

13.3.3 DCSync Attack (Dump all domain password hashes)

If you have Replication privileges (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), run in mimikatz:

```text
mimikatz # lsadump::dcsync /domain:domain.local /user:Administrator
```

13.3.4 Overpass-the-Hash (Pass-the-Key)

Use NTLM hash to request Kerberos TGT and move across the domain.
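The three ticket and replication techniques in 13.3 each leave a distinct trace in the Domain Controller's Security log. The following Python detection rules are an added defender-side example, not part of the course material: Kerberoasting shows up as one requester collecting RC4 (0x17) service tickets for many SPNs in event 4769, AS-REP Roasting as event 4768 with pre-authentication type 0, and DCSync as event 4662 granting the replication extended rights to a non-DC account. The threshold value and the allow-listed account name are assumptions for illustration; the event records are constructed, not real logs.

```python
from collections import defaultdict

# Extended-rights GUIDs that DCSync requires (DS-Replication-Get-Changes and
# DS-Replication-Get-Changes-All), as they appear in the 4662 Properties field.
REPL_RIGHTS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
               "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}
RC4_HMAC = "0x17"        # 4769 TicketEncryptionType: RC4 tickets are the ones cracked offline
RC4_SPN_THRESHOLD = 3    # assumed tuning value: distinct RC4 service tickets per requester
DCSYNC_ALLOWLIST = {"MSOL_SVC"}   # hypothetical sync account that replicates legitimately

def detect(events):
    """Return sorted (rule, account) findings for a list of normalized event dicts."""
    findings = set()
    rc4_spns = defaultdict(set)
    for e in events:
        eid = e["EventID"]
        if eid == 4769 and e.get("TicketEncryptionType") == RC4_HMAC:
            rc4_spns[e["TargetUserName"]].add(e["ServiceName"])
        elif eid == 4768 and e.get("PreAuthType") == "0":
            # Pre-auth type 0: the KDC handed out an AS-REP without a pre-auth proof
            findings.add(("asrep-roasting", e["TargetUserName"]))
        elif eid == 4662 and REPL_RIGHTS & set(e.get("Properties", ())):
            who = e["SubjectUserName"]
            # Domain controllers (machine accounts ending in $) replicate legitimately
            if not who.endswith("$") and who not in DCSYNC_ALLOWLIST:
                findings.add(("dcsync", who))
    for who, spns in rc4_spns.items():
        if len(spns) >= RC4_SPN_THRESHOLD:
            findings.add(("kerberoasting", who))
    return sorted(findings)

# Constructed sample events (not real logs), keyed like the Security log XML fields.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "jdoe", "ServiceName": "svc-sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe", "ServiceName": "svc-web", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe", "ServiceName": "svc-backup", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "asmith", "ServiceName": "svc-sql", "TicketEncryptionType": "0x12"},
    {"EventID": 4768, "TargetUserName": "legacyapp", "PreAuthType": "0"},
    {"EventID": 4768, "TargetUserName": "asmith", "PreAuthType": "2"},
    {"EventID": 4662, "SubjectUserName": "DC01$", "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"EventID": 4662, "SubjectUserName": "jdoe", "Properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
]

if __name__ == "__main__":
    for rule, account in detect(SAMPLE_EVENTS):
        print(f"{rule:15} {account}")
```

The same rules map directly onto SIEM queries over the real 4768/4769/4662 fields; the AES-only request by asmith and the DC's own replication are intentionally not flagged.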

🔹 13.4 Exploiting Group Policy Preferences (GPP)

Older Windows versions stored passwords in Group Policy XML files:

```text
\\domain.local\SYSVOL\domain.local\Policies\
```

Look for Groups.xml and decrypt the cpassword using tools like GPPDecrypt.
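From the defender's side the fix is to find and remove every leftover cpassword in SYSVOL rather than to decrypt it. The following Python scanner is an added example, not from the course, and it goes beyond Groups.xml to the other Group Policy Preferences files that can carry the attribute. The sample Groups.xml it creates is constructed (clsid attributes trimmed, placeholder cpassword), and the GPO folder name is a placeholder.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP XML files that can carry a cpassword attribute. MS14-025 stopped new ones
# from being written, but existing files stay in SYSVOL until someone cleans them up.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

def scan_sysvol(root):
    """Walk a SYSVOL copy and return (relative path, tag, account) for every
    element that still carries a non-empty cpassword attribute."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # malformed preference file; report it separately in production
            for elem in tree.iter():
                if elem.get("cpassword"):
                    account = elem.get("userName") or elem.get("accountName") or ""
                    hits.append((os.path.relpath(path, root), elem.tag, account))
    return sorted(hits)

# Constructed Groups.xml in the shape GPP writes; the cpassword value is a placeholder.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin">
    <Properties action="U" newName="" fullName="" description=""
      cpassword="PLACEHOLDER_BASE64_CPASSWORD" changeLogon="0" noChange="1"
      neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
"""

def build_sample():
    """Create a throwaway SYSVOL-like tree containing one offending Groups.xml."""
    root = tempfile.mkdtemp()
    gpp_dir = os.path.join(root, "Policies", "{GPO-GUID-PLACEHOLDER}",
                           "Machine", "Preferences", "Groups")
    os.makedirs(gpp_dir)
    with open(os.path.join(gpp_dir, "Groups.xml"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_GROUPS_XML)
    return root

if __name__ == "__main__":
    for rel_path, tag, account in scan_sysvol(build_sample()):
        print(f"cpassword found: {rel_path} <{tag}> account={account}")
```

Point scan_sysvol at a read-only copy of the Policies share; every hit is a preference item whose password should be removed and rotated on the affected hosts.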

🔹 13.5 Exploiting Delegation and Misconfigured ACLs

- Unconstrained Delegation: Can capture TGTs and impersonate users

- ACL Attacks: Use BloodHound to find paths where you can modify another user or group

🔹 13.6 Tools Summary

| Tool | Purpose |
|------|---------|
| PowerView | Manual AD enumeration via PowerShell |
| BloodHound | Visual AD attack path mapping |
| SharpHound | Data collector for BloodHound |
| Mimikatz | DCSync, Pass-the-Hash, token abuse |
| Impacket | Kerberoasting, AS-REP roasting, etc. |
📌 Chapter Summary

- AD privilege escalation targets domain-level access

- Use PowerView and BloodHound for enumeration and mapping

- Key techniques: Kerberoasting, AS-REP Roasting, DCSync

- Misconfigurations in ACLs and delegations create attack paths

- These attacks are powerful — only practice in isolated lab environments

✅ Exercises
1. Use PowerView to enumerate domain users, groups, and DCs

2. Run SharpHound and upload results to BloodHound

3. Perform Kerberoasting and crack service account hashes offline

4. Test AS-REP Roasting on lab users without pre-authentication

5. Execute DCSync in lab after gaining proper privileges
