Testlab
Virtual machines
Network tools
Wireless tools
Preparation
Reconnaissance
Enumeration
Notes on techniques
Introduction
What?
Why?
How?
Packet manipulation
PCAP files
Example
Sniffing
Forging and decoding packets
Resources
Wireless intrusions
Common wireless attack vectors
Common Wi-Fi attack scenarios
WEP
WPA and WPA2
WPA3
Scanning and sniffing
Probe-Request
Hidden SSID
Deauthentication attacks
Example deauthentication attack
Cracking WEP
Verify wireless NIC
Discover networks with Airodump-ng
Capture traffic with Airodump-ng
Associate with access point and replay traffic
Crack the WEP key
WPS PIN attack
Verify wireless NIC
Scan for potential WPS vulnerable networks
Brute-force the WPS PIN
Cracking WPA/WPA2 keys
Verify wireless NIC
Discover networks with Airodump-ng
Perform deauthentication attack
Crack the WPA/WPA2 key
Using Wifite
Dragonblood attack
Rogue access points
Evil twin attack
Karma attack
Captive portal
Downgrade and SSL strip
Resources
Bluetooth barrages
Protocol stacks
Classic Bluetooth protocol stack
BLE – Bluetooth Low Energy
Device discovery
HCI
Simple Python scanner script
Bluejacking
Network access altercations
Simple ARP spoofing
Network ARP cache poisoning
Attacking the spanning tree protocol
VLAN hopping attacks
Switch spoofing
Double tagging
Bypassing access controls
Compromise router
Port redirection
Sources
Internet incursions
IP spoofing
Denial of Service (DoS)
Distributed Denial of Service (DDoS)
Distributed Reflection Denial of Service (DrDoS)
On-path attack (alias MitM)
Transport raids
Replay attack
TCP sequence number prediction attack
Hijack session
BGP hijack
Application layer hacks
Attacks against SSL
SSL stripping
SSL hijacking
SSL BEAST
HTTPS spoofing
Resources
Name resolution skirmishes
DNS attacks
DNS cache snooping
DNS spoofing
Example: DNS spoofing and cache poisoning
Example: Forging redirection records for poisoning
Attacking LLMNR and NetBIOS
Example: LLMNR/NBT-NS poisoning through SMB
Example: LLMNR/NBT-NS poisoning through WPAD
NTLM relay attack
Example NTLM relay attack
Active Directory run-ins
Main concepts of Active Directory
Attack scenario
Kerberos authentication
Transport layer
Agents
Encryption keys
Tickets
PAC
Messages
Kerberos tickets overview
Attack privilege requirements
Active Directory vulnerabilities
Users having rights to add computers to domain
AdminCount attribute set on common users
High number of users in privileged groups
Service accounts are members of Domain Admins
Excessive privileges shadow Domain Admins
Service accounts vulnerable to Kerberoasting
Users with non-expiring passwords
Users with password not required
Storing passwords using reversible encryption
Storing passwords using LM hashes
Service accounts vulnerable to AS-REP roasting
Weak domain password policy
Inactive domain accounts
Privileged users with password reset overdue
Users with a weak password
Credentials in SYSVOL
Post exploitation basics
Enumeration with PowerView
Enumeration with BloodHound
Dumping hashes with mimikatz
Golden ticket attacks with mimikatz
Maintaining Access
Network pentesting scripts
MAC changer
ARP spoofer
File interceptor
Code injector
Client-server skeleton
Network scanner
DNS spoofer
Packet sniffer
Netcat replacement
Wireless
TryHackMe rooms
Introduction
What?
Why?
How?
Attacktive directory
Attack tree
Scan with nmap
Enumerate 139/445
Enumerate the DC
Exploiting Kerberos
Enumerate the DC further
Elevate privileges within the domain
Tools
Attacking Kerberos
Attack tree
Scan with nmap
Enumerate DC users
Harvesting & password spraying
Harvesting
Password spraying
Kerberoasting
AS-REP Roasting
Pass the ticket
Golden/silver ticket attacks
Dump the sqlservice and Administrator hash
Dump the krbtgt hash
Create a golden/silver ticket
Use the ticket to access other machines
Kerberos backdoors
Tools
More
Mythical blue lake (scenario)
Riches in the ground