Active Directory Certificate Services (AD CS) for Pentesters The Trust Engine You Were Never Meant to Touch Active Directory Certificate Services (AD CS) is the Windows PKI infrastructure that hands out digital certificates to people, computers, and services. It’s built to enable trust — but trust, as every good pentester knows, can be a weapon. […]
PowerShell Remoting Setup Between Two Windows Machines This guide walks you through setting up PowerShell Remoting between two Windows machines (attacker and target) in a non-domain (workgroup) environment. It covers user creation, enabling remoting, setting TrustedHosts, and allowing unencrypted traffic — ideal for labs. On the Target Machine 1. Create a New Local User 2.
Responder: Capturing Credentials Like a Network Bandit Responder is a powerful LLMNR, NBT-NS, and MDNS poisoner designed for internal network attacks. It listens on a network interface and responds to broadcast name resolution requests, tricking machines into sending authentication attempts to the attacker’s machine — often handing over NTLMv1/v2 hashes or even clear-text creds if
NetExec: NetExec (formerly known as CrackMapExec or CME) is a powerful post-exploitation framework used by penetration testers and red teamers to automate the enumeration and exploitation of network protocols, particularly in Active Directory environments. It’s the tool you reach for when you have credentials and want to move fast — from validating access to enumerating
Mastering mssqlclient.py for Pentesters mssqlclient.py is part of the Impacket collection, and it’s one of the go-to tools for enumerating and interacting with Microsoft SQL Servers during a pentest. When you land credentials to a SQL Server or discover an exposed database instance, this tool can open the door to privilege escalation, lateral movement, or
The Mindset of a Professional AD Pentester If you’re reading this, you’re probably not new to hacking — but cracking into an Active Directory environment is its own beast. It’s layered, it’s political (yes, really), and it demands a workflow built on logic, creativity, and adaptability. In this post, we’re not going to just throw
Exploring sc, sc qc, and icacls for Privilege Escalation on Windows When you land on a Windows machine as a low-privileged user, your next job is to enumerate the environment mercilessly. You want to find services you can hijack, permissions you can abuse, and binaries that’ll help you escalate to SYSTEM. This is where commands
Privilege Escalation via $PATH Hijacking and SUID Binaries In this post, we’re diving into a classic privilege escalation trick that catches a lot of vulnerable systems (and beginner CTF players) off guard: abusing the $PATH environment variable to hijack execution flow in SUID binaries. If you’re not looking closely, it’s easy to miss. But once
Downloading Files from a Web Server in PowerShell & CMD 🔹 1. CertUtil (CMD-based, built-in since Windows XP) 🔹 2. Invoke-WebRequest (PowerShell) 🔹 3. Invoke-RestMethod (PowerShell) 🔹 4. BitsAdmin (Deprecated, but still present on many systems) 🔹 5. PowerShell WebClient (Legacy Method) Tips
winPEAS for Windows PrivEsc When you gain initial access on a Windows machine — whether through a low-privileged user shell, a foothold via Metasploit, or a reverse shell — the next step is often privilege escalation. One of the most powerful tools to automate and accelerate this process is winPEAS. This post covers: What is
