General Blog, Pentesting

Top Ways Penetration Testers Get Domain Admin

Very brief post, but will be expanded on with additional details as time allows.

  • Breached Credentials
  • Credential Stuffing & Password Spraying
  • LLMNR & NBT Poisioning
  • Relay Attacks
  • Null Sessions on Domain Controller(s)
  • Token Impersonation on Low Priv Boxes
  • MiTM6 to Exploit IPv6
  • Kerberoasting
  • MS17-010 and Poor Patch Management
  • SYSVOL Credentials and GPP
  • Lack of Segmentation of Administrative Privileges
  • Insecurely Stored Credentials (Office Documents, Outlook Notes, etc.)
  • Default Credentials on Databases/Networked Devices

References

https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa
https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes
https://adsecurity.org/?p=2288
https://www.pentestpartners.com/security-blog/top-10-stupidest-ways-weve-got-domain-admin/
https://chessict.co.uk/media/4712/12-common-vulnerabilities-found-during-penetration-testing.pdf