admin

Access Control Entries (ACEs)

BloodHound-Relevant ACE Permissions (Access Rights)

Permission   | What It Lets You Do                                                            | What You Can't Do
GenericAll   | Full control over the object: add/remove members, reset passwords, modify ACLs | N/A, this is the highest possible permission
GenericWrite | Modify most properties (e.g., member, description, servicePrincipalName)       | Can't edit the object's DACL or owner
WriteOwner   | Change the owner
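The names in the table are labels for bits in an ACE's access mask. The following is an added example, not code from the original post or from the BloodHound project: it parses the ACEs of an SDDL string (the form `Get-Acl` or `dsacls` hand you) and reports which of the BloodHound-relevant rights each trustee holds. The descriptor, SIDs and object GUID are constructed placeholders. An unrestricted WriteProperty ACE (no object GUID) is folded into GenericWrite, which matches how SharpHound reports it; a WriteProperty ACE scoped to one property GUID is not.

```python
import re

# SDDL two-letter rights tokens -> access-mask bits (values from winnt.h / iads.h)
SDDL_RIGHTS = {
    "GA": 0x10000000,  # GENERIC_ALL
    "GR": 0x80000000,  # GENERIC_READ
    "GW": 0x40000000,  # GENERIC_WRITE
    "GX": 0x20000000,  # GENERIC_EXECUTE
    "RC": 0x00020000,  # READ_CONTROL
    "SD": 0x00010000,  # DELETE
    "WD": 0x00040000,  # WRITE_DAC (write the object's DACL)
    "WO": 0x00080000,  # WRITE_OWNER
    "CC": 0x00000001,  # ADS_RIGHT_DS_CREATE_CHILD
    "DC": 0x00000002,  # ADS_RIGHT_DS_DELETE_CHILD
    "LC": 0x00000004,  # ADS_RIGHT_ACTRL_DS_LIST
    "SW": 0x00000008,  # ADS_RIGHT_DS_SELF (validated write)
    "RP": 0x00000010,  # ADS_RIGHT_DS_READ_PROP
    "WP": 0x00000020,  # ADS_RIGHT_DS_WRITE_PROP
    "DT": 0x00000040,  # ADS_RIGHT_DS_DELETE_TREE
    "LO": 0x00000080,  # ADS_RIGHT_DS_LIST_OBJECT
    "CR": 0x00000100,  # ADS_RIGHT_DS_CONTROL_ACCESS (extended rights)
}
GENERIC_ALL = SDDL_RIGHTS["GA"]
GENERIC_WRITE = SDDL_RIGHTS["GW"]
WRITE_DAC = SDDL_RIGHTS["WD"]
WRITE_OWNER = SDDL_RIGHTS["WO"]
WRITE_PROP = SDDL_RIGHTS["WP"]

# One SDDL ACE: (type;flags;rights;object_guid;inherit_object_guid;trustee_sid)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*);([^;()]*)\)")


def rights_to_mask(rights: str) -> int:
    """Turn an SDDL rights field ('GA', 'WOWD', 'RPWP' or a hex literal) into an access mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        token = rights[i:i + 2]
        if token not in SDDL_RIGHTS:
            raise ValueError(f"unknown SDDL right token {token!r}")
        mask |= SDDL_RIGHTS[token]
    return mask


def bloodhound_rights(mask: int, has_object_guid: bool = False) -> list[str]:
    """Name the BloodHound-relevant rights in an access mask.
    GenericAll already includes the others, so it is reported on its own."""
    if mask & GENERIC_ALL:
        return ["GenericAll"]
    names = []
    if mask & GENERIC_WRITE or (mask & WRITE_PROP and not has_object_guid):
        names.append("GenericWrite")
    if mask & WRITE_OWNER:
        names.append("WriteOwner")
    if mask & WRITE_DAC:
        names.append("WriteDacl")
    return names


def decode_sddl_dacl(sddl: str) -> list[dict]:
    """Return, for every access-allowed ACE in the DACL, the trustee SID, the
    BloodHound-relevant rights it grants and whether the ACE is inherited.
    Deny ACEs and ACEs that grant only read-type rights are skipped."""
    start = re.search(r"D:(?:P|AI|AR)*\(", sddl)       # DACL marker plus optional flags
    dacl = sddl[start.start():] if start else sddl      # also accept a bare ACE list
    dacl = dacl.split("S:", 1)[0]                       # stop at the SACL, if present
    findings = []
    for ace_type, flags, rights, obj_guid, _inh_guid, sid in ACE_RE.findall(dacl):
        if ace_type not in ("A", "OA"):
            continue
        names = bloodhound_rights(rights_to_mask(rights), has_object_guid=bool(obj_guid))
        if names:
            findings.append({"sid": sid, "rights": names, "inherited": "ID" in flags})
    return findings


# Constructed sample descriptor for a group object. The SIDs and the object GUID
# are placeholders, not values from any real domain.
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(A;;GA;;;S-1-5-21-1-2-3-1105)"                                        # full control
    "(A;;WOWD;;;S-1-5-21-1-2-3-1106)"                                      # WriteOwner + WriteDacl
    "(A;;WP;;;S-1-5-21-1-2-3-1108)"                                        # unrestricted WriteProperty
    "(OA;;WP;00000000-0000-0000-0000-000000000001;;S-1-5-21-1-2-3-1107)"   # one property only
    "(D;;GA;;;S-1-5-21-1-2-3-1109)"                                        # deny ACE, never an edge
    "(A;CIID;RPLCLORC;;;AU)"                                               # inherited read-only access
)

if __name__ == "__main__":
    for entry in decode_sddl_dacl(SAMPLE_SDDL):
        print(f"{entry['sid']:<24} {', '.join(entry['rights'])}"
              f"{'  (inherited)' if entry['inherited'] else ''}")
```

Feed it the `Sddl` property of `(Get-Acl "AD:\CN=Domain Admins,CN=Users,DC=corp,DC=local").Sddl` (path is an assumption) and every trustee printed is one BloodHound would draw an edge from. The WriteOwner row is worth reading together with the WriteDacl bit: an owner can always rewrite the DACL, so WriteOwner alone is enough to grant yourself GenericAll.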

AD More Enum

Active Directory More Enumeration This post serves as a reference sheet for enumerating Active Directory (AD) environments using a combination of graphical and command-line methods. It includes usage of runas, RDP sessions, MMC (Microsoft Management Console), and the classic net command — all practical and stealthy methods to gather critical domain information. Credential Injection with

Kerberos in Detail

What is Kerberos?

Kerberos is the default authentication protocol in modern Windows Active Directory environments. It's like a digital passport system:

The Core Players in Kerberos

Let's introduce the main characters:

Role    | Description
Client  | The user's computer
User    | You, logging in
Service | What you want to access (e.g., file share, SQL server)
KDC (Key Distribution

BadBlood

BadBlood: Seeding Active Directory with Chaos BadBlood is a tool designed to populate an Active Directory environment with realistic, messy, and intentionally vulnerable objects — users, groups, computers, OUs, ACLs, and more. If you’ve ever built a clean, empty AD lab and then opened BloodHound just to see… nothing — BadBlood fixes that. 🧪 Why

BloodHound Queries

BloodHound Pre-Built Queries Explained

A practical guide for pentesters

Domain Information

• Find all Domain Admins
  What it does: Lists all users in the Domain Admins group.
  Why use it: Identifying Domain Admins is critical; compromising any of them often means full domain takeover.
  When to use: Early recon, privilege targeting.

• Map Domain Trusts
  What

smbmap

smbmap: Overview SMBMap is a powerful post-exploitation and enumeration tool used to gain insight into Windows file shares across a network. It allows pentesters to: Unlike tools like smbclient or rpcclient, smbmap is more intuitive and fast for automated enumeration during internal network engagements. It’s especially useful when looking for open shares that might contain

MSSQL – attack example

Exploiting MSSQL Impersonation and xp_cmdshell to Gain Remote Access When it comes to real-world exploitation, SQL Server misconfigurations can sometimes give you a direct pathway from a low-privileged database user all the way to system-level code execution. In this post, we’ll walk through a full MSSQL attack chain involving privilege escalation through user impersonation and
