OSCP Practice Lab: Active Directory Attack Path #1

Подписаться 3,5 тыс.

Просмотров 45 тыс.

50% 1

Putting this out there as I searched around and didn't find a lot of content on practicing Active Directory attacks in a home lab. This walks through one of the paths to complete domain compromise I practiced for passing the OSCP.
The link to setting up this lab environment is here: • OSCP Practice Lab: How...
If there's enough interest I may generate some videos of my other AD attacks also.
0:00 Intro
1:30 OpenVPN
3:21 Start the Attack!
5:20 MS01 Enumeration
21:55 MS01 Application Exploit
28:16 MS01 Initial Foothold
33:35 MS01 Priv Esc Hunting
38:25 MS01 Priv Esc
47:50 Notes
50:33 Active Directory Enumeration
55:45 Pivoting with Ligolo-NG
1:05:04 Domain Controller Enumeration
1:14:10 Kerberoasting and AS-REP Roasting
1:19:27 Password Cracking with Hashcat
1:25:50 Credential Spraying with CrackMapExec
1:29:37 Crack Encrypted Zip File with JohnTheRipper
1:36:08 Credential Spraying with CrackMapExec
1:37:28 MS02 Initial Foothold with PSExec
1:45:05 MS02 Enumeration
1:46:40 MS02 Credential Dump with secretsdump
1:49:35 Domain Pwnage with evil-winrm
1:54:54 Recap

Опубликовано:

30 июн 2024

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 139

@beastmodejj8588 7 дней назад

Gotta say, more than being good informative and easy on the ears, the video is just entertaining to watch which is more than you can say for any other video like this, keep it up and we will keep watching!!

@bramha7 3 дня назад

Hey man! I just watch your oscp AD and I got impressed with your explaination. Its' 10 out of 10. Hope to see more of you in upcoming days💌🥰

@michael5743 14 дней назад

Derron, you've got to do more of these!! You're an amazing teacher man. Thank you!

@aaryanbhagat4852 6 месяцев назад

These playthroughs are worth it, very nicely explained, even the thought process!

@ianp6742 8 месяцев назад

This is a fantastic walk through. Very detailed and you did a good job of explaining your methodology and thought process. I am retaking the OSCP in December, this video will help me succeed and I would love to see more attack paths from you.

@derronc 8 месяцев назад

thanks so much, I'm glad it helps. Best of luck on your retake!! I'll try and post another attack path soon.

@takatoekoe 3 месяца назад

Do you have the eJPT cert? also did u pass the OSCP?

@etcissue8965 8 месяцев назад

Awesome video!!! One of the best i have ever seen!! keep going for next videos!!!

@MotivationbyDesign 7 месяцев назад

great video. I think the way you go through it is both entertaining and very informational.

@longtran7196 8 месяцев назад

How wonderful knowledge ! Love this every minute

@infosecrisk5393 8 месяцев назад

Really nice and helpful. Thanks a lot for your awesome content.

@mikedunn330 7 месяцев назад

Without a doubt the most helpful thing I've seen! Taking your time and explaining "why" you're running commands was awesome. Thank you so much. I will be watching more of your content.

@Ibr8kThingz 4 месяца назад

Outstanding content and well explained! I'm all for fresh content! Thanks so much for sharing. It's greatly helpful for a fellow student like myself prepping for the OSCP.

@monsterkush11 8 месяцев назад

Thank you . Learned about some new tools and more about windows . Great content

@0xolv069 8 месяцев назад

This walk through is amazing thank you a lot

@shivendraprajapati7200 8 месяцев назад

Very detailed Explained , I Enjoyed every bit of it !

@bendum-zb4km 13 дней назад

Watched it all, Insane video Man !! Much appreciated.

@briangrier3287 8 месяцев назад

Actual GOAT, watched video start to finish! Seeing your step by step process and methodology completing these 3 boxes was super inspiring! W video, please keep this content coming!

@derronc 8 месяцев назад

Thank you so much, I appreciate the compliment!! I'll try and post some more content soon

@ministeredelacybersecurite7074 2 месяца назад

@@derronc Please make more awesome!

@gwalchmei 2 месяца назад

I don't often comment on videos but I simply have to say that your material is absolutely phenomenal. Am preparing to take the OSCP and wanted to really get practice in and you came through in such a big way (in the way that there's no way I can go forward in cybersecurity without acknowledging how important your guides have been). I adapted your setup to run on proxmox and I wanted to say thank you very much :)

@AnkitKumar-px6dr Месяц назад

Thank you for such great insight into the scenario loved every bit of it

@gnuPirate 2 месяца назад

Really awesome topic really well covered. Instant sub. Looking forward to working through this.

@infosecabdul 7 месяцев назад

Well explained and demonstrated. Followed through till the end. Thank you

@DocGMoney 2 месяца назад

Future Offsec teacher right here man! This is the second video of yours I've watched and 2/2 your killing it man. Pure GOLD!!!! Your helping at least one person out beyond measure! Have my sub :)

@podavu7044 8 месяцев назад

I love the methodology ! Thank you for this amazing content

@derronc 8 месяцев назад

my pleasure! I'm glad you enjoy it

@timecop1983Two 3 месяца назад

Thanks man now I have an idea! Just having an idea what tools will be used and you should think, and how you should write notes is awesome! Now I have a full clear understanding and idea keep up the work!!!

@jasond580 8 месяцев назад

Thank you for this. Very helpful!

@gabrydanto778 4 месяца назад

Very fantastic walktrough🎉 Superman 😮

@user-zi4el6cn6d 5 месяцев назад

THIS IS PURE GOLD! THANK YOU MASTER! 🙏

@truth_4lif399 8 месяцев назад

That was just awesome 👌 👏 👍🏾 🔥 🔥

@1a4s4l7 8 месяцев назад

This is fantastic!

@0xarun 7 месяцев назад

Great shot!

@cy_wareye7395 8 месяцев назад

i learn lot new stuff about Windows enumeration from this video

@lloydchan9606 7 месяцев назад

Subscribed within the first minute, i can't believe this stuff is free. Thank you!

@derronc 7 месяцев назад

Thanks for the sub! I'm so glad you appreciate the content

@sweno9007 8 месяцев назад

thank you very much for the video very clear loved every minute

@derronc 8 месяцев назад

You're very welcome and thanks for the feedback!

@TienNguyenXuan-so6vl Месяц назад

Love your mindset!

@AlexSec 7 месяцев назад

Love it! Good job.

@mpotisambo2465 8 месяцев назад

man man man thanks for the content once again

@derronc 8 месяцев назад

I'm so glad it was helpful!

@MentalMarathon_ 8 месяцев назад

Thank you for sharing ‼️

@oliviermenager9702 8 месяцев назад

Top content. Congratulations.

@daviddeschamps444 7 месяцев назад

A perfect video really ! Very inspiring and useful thank you so much :)

@alirezazebka6847 7 месяцев назад

This is So ispiring man. Keep Going

@moustafaahmed8294 3 месяца назад

Very fantastic and helpful. Thank you so much ✨

@Heisenberg696 7 месяцев назад

keep it up bro keep making this kind of videos

@colinrogers9927 8 месяцев назад

This is a great walkthrough. I watched your previous video about setup and I ran in to a lot of perm issues when getting foothold on this video

@derronc 8 месяцев назад

oh no! can you elaborate on the permission issues? I will do my best to help

@colinrogers9927 8 месяцев назад

@@derronc essentially everything is caught by the av even if tamper is turned off.

@snarfallymunchacen85 2 месяца назад

This was a great lesson for me..

@internexus1 Месяц назад

Your. Ideas are so valuable for helping to develop and fine tune methodologies, I appreciate this greatly and look forward to more from you! Also a small recommendation, consider picking up a mic as your keyboard comes through rather heavy 😉

@drewalleman 8 месяцев назад

Helpful thanks!

@nicksmith5400 Месяц назад

I have my OSCP retempt comming up tomorrow and I have been using your videos the last few weeks to study with. Really great stuff, the way offsec explains AD seems overly complicated. I just needed DA then I think I had it my last attempt, so fingers crossed we get it this time :) Thanks for the videos, please make more!

@derronc Месяц назад

much thanks for those kind words and best of luck tomorrow!!! you got this

@daddyyankeee4477 Месяц назад

Were you able to make it brother?

@orca2162 4 месяца назад

Great video, thank u ❤

@kevinhoy6838 3 месяца назад

Hell yeah!! Thank you!!

@martinlastname8548 Месяц назад

I have been watching this for two days writing up an attack plan and tool list on Obsidian

@ferasalfarsi897 8 месяцев назад

Please, continue!

@romilthakkar404 4 месяца назад

Keep making these man! Loved it… I failed OsCP on first attempt because of AD section. I pawned the first one, created tunnel as well.. and forgot about routing! If I would have done routing, I would have passed! I knew all the things but didnt know about tunnel and routing properly. Thanks a lot 👍

@elilanz 4 месяца назад

When did you took your exam? Seems I can join some dots in your statement

@romilthakkar404 4 месяца назад

@@elilanz End of July 2023.

@elilanz 4 месяца назад

@@romilthakkar404 aah okay okay

@ashishratnawat2711 8 месяцев назад

thank you

@lamjerry9977 24 дня назад

Thank you!

@ihuang694 23 дня назад

you are the best!

@IntroMakerNET 6 месяцев назад

Two strange things on this lab: 1) You find a .exe file and you're immediately suspecting that .exe is running on the server, I mean why? 2) Why would someone look for a .txt file specifically in one users folder? I mean, I could take it if you do it from c:\users, but in a specific user's folder? That was too specific. This kind of things makes me think if I'm in the right path. I don't think I would pass this test. Anyway, thank you for the video, it's great.

@charlesnathansmith 2 месяца назад

It's a new server install so there probably aren't random user files in an upload directory. It's not unreasonable to assume the admin uploaded it with the intention of running it on the server or somewhere proximal so that he wants easy access to it. That could be a wrong assumption, but it would make sense enough to look into. Esp with an exam or CTF, there can be a few red herrings but most unusual things you find are there to clue you onto something Also, exams and CTFs usually have user and admin flags you're supposed to find in standard places. You should always rummage through any user files you have access to anyway because in real life people leave all kinds of important things lying around and challenge authors often try to mimick that

@LakeE. 21 день назад

How does he immediately suspect the binary is running on the server? He takes the information received from the nmap scan which showed a port sending information that matches with the exploit code which gives reason to believe that the software is running on the server.

@shaggyasir 5 месяцев назад

Nice vid

@jackkelly6890 3 месяца назад

Excellent tutorial. Maybe the most useful AD tutorial for OSCP on youtube! Hopefully plan to give back once I pass. Thankyou for the effort you've put in here. Did you build the labs yourself?

@derronc 3 месяца назад

so glad it has been helpful! I did build these myself, as a result of not finding much practice material out there.

@IAmWrk_ 3 месяца назад

2).Hey man don’t be discouraged, it comes from practicing and familiarity of common human habits. I happen to work in a Windows IT environment, Most people save important documents right in their desktop or in documents folder (Linux users do too). This would spark my interest in checking those folders first if i get user access to a box 1)Working in windows you notice exe files and ps files often work without needing to install an outside source “bash” for example you need the pc to have bash to run bash scripts, if you don’t have admin priv it’s harder to install bash is my understanding I still suck though so i still feel the same as you lol doubt ima pass lol

@derekr4132 3 месяца назад

Bro. Your methodology and flow is much appreciated. Do you have a OSCP cheatsheet that you care to share?

@I_Unintentionally_Morph Месяц назад

wow thank you

@vlad7269 7 месяцев назад

Better than my teachers at university...

@ashleyscott7762 5 месяцев назад

Really good run through; I am currently running through some courses with TCM to get up to a proficient standard to do my oscp. Any advice you would pass on and also how long did it take you to feel confident and what would you do differently now you are at this point? Thanks

@Ravindunethsara 7 месяцев назад

Great content. Correction @1.42 .zip file cracked with JTR

@lemarou 7 месяцев назад

Great video! Your content is awesome and really informative. However, I'm currently stuck with the OpenVPN configuration. Any additional tips would be greatly appreciated. Thanks!

@achillesmyrmidon4424 4 месяца назад

Hi @derronc, halfway in your vid and it is super nice so far. Do you have any tips for terminal logger? Or it is not that important with logger?

@cvport8155 7 месяцев назад

Please make more vd for advanced techniques red team and ad attack good work bro ❤

@derronc 7 месяцев назад

thank you! I'm currently working on posting another attack path soon 😊

@adrianosela 4 месяца назад

This is awesome. Is there a repo for your environment? e.g. docker-compose, terraform, anything so I can reproduce it?

@obipixel 4 месяца назад

Great work dude. Do you perhaps have the virtual machines as a setup I can use to practice with?

@obipixel 4 месяца назад

I ask because I have my own labs I use to teach students. I’m missing a good one for Active Directory.

@testis-iw3rr 7 месяцев назад

I'm ducking love you

@vedanttare9425 2 месяца назад

Awesome walkthrough! Really interesting and engaging. Wanted to know, What is the configuration of your kali OS? How much RAM have you given it as well as memory? Also, how much RAM does your actual system have? Because my Kali lags so much when there is firefox, burp and other tools running simultaneously. Just curious as its really frustrating to work with a slow kali sometimes.

@derronc 2 месяца назад

Thanks for the feedback! when it comes to the VMs... I've been deploying the .ova from kali.org/get-kali and 4cpu / 4GB memory. I've run into issues with vmware workstation and my macbook a few times and had to reinstall macOS just to get rid of glitchy behavior 😭

@Foobar1835 3 месяца назад

great video. did you create the vulnerable machines or were they premade?

@derronc 3 месяца назад

thank you! I built all these machines from scratch and include the how-to guide in my video series. that way you can build them too :)

@behindYOUR6 7 месяцев назад

❤‍🔥❤‍🔥❤‍🔥

@devakabari 4 месяца назад

cool

@J_B-jh4ke 3 месяца назад

At DC machine, let pass the hash with 0:NT_hash . I think it works because you lost LM_hash in form of ntlm in set of exec tool

@derronc 3 месяца назад

great catch! Yes, you can split the hash and only need to use the NT piece for pass-the-hash. LM is around for backwards compatibility and can't be passed but can be easily cracked (with the right wordlist/rules)

@sandiproy9810 8 месяцев назад

hey please make other attack path video as soon as possible

@AMINE_47 8 месяцев назад

Really nice content , please where can i find a similiar environnement

@derronc 8 месяцев назад

Aside from my video on how to build the lab, I had a hard time finding this type of material as well. I was only able to find bits and pieces, but nothing that would take me through the entire process. I may share another scenario in the future.

@dgoncalo 8 месяцев назад

Great content! Just one question, why no minimatz?

@derronc 8 месяцев назад

that's a great question! I do use mimikatz for many of my scenarios, but this one in particular I wanted to try and do a lot of things remotely from the kali machine. so I opted for impacket-secretsdump instead. I just think of it as remote mimikatz 😂 I appreciate the question, I think I'll make a future video with different tactics: including mimikatz

@sandiproy9810 8 месяцев назад

@@derronc kerberoasting and asreproasting part would a lot clear if u use bloodhound as for ms02 machine u have smb access. and that would be better when someone sees the gui and that kind of stuffs.

@snarfallymunchacen85 2 месяца назад

Have you used netexec in place of crackmap? thoughts?

@ickoxii 8 месяцев назад

nice video! what terminal emulator do you use?

@derronc 7 месяцев назад

thanks! I like iterm2 but the terminal I used in the video is just the default kali terminal

@LightAura 2 месяца назад

Great walkthrough, but there is one thing I don't understand. @23:15 you modified the exploit to run certutil.exe with some arguments. How does this work when the string you are typing is not run in CMD or PowerShell? As far as I understood, you are typing in the start menu, so it's a search bar.

@matteosteksy7656 7 месяцев назад

hi Derron, great work!! I have a doubt, in MS01 Priv Esc, you renamed the malicious payload to "Wise.exe" and put it in the "C:/apps/Wise/" folder...at this point why, after rebooting, the system executed the "Wise.exe" file?

@derronc 7 месяцев назад

great question! so this is abusing "unquoted service paths". basically the service for the Wise application is referenced without quotes, but there is a space in the folder structure. this allows us to place Wise.exe where the space break is and when the service is started it attempts to find an executable called "Wise.exe" as part of the way windows processes/enumerates an unquoted service path. rebooting the host forces the service to restart and kick off this vulnerability we have exploited. for more info the PEN-200 course is here: portal.offsec.com/courses/pen-200/books-and-videos/modal/modules/windows-privilege-escalation/leveraging-windows-services/unquoted-service-paths otherwise a public post is here: medium.com/@SumitVerma101/windows-privilege-escalation-part-1-unquoted-service-path-c7a011a8d8ae

@matteosteksy7656 7 месяцев назад

@@derroncthank you so much, another question, as written in a previous comment, everyone will now move to the cloud environment, how will all this impact cyber security and hacking in general?

@derronc 7 месяцев назад

@@matteosteksy7656 great question but also a loaded one :) the short answer is it is expanding the attack surface and is an addition to Active Directory on-premise. attackers and defenders are learning/exploring cloud identity (Azure AD/Entra), cloud infrastructure (IaaS), and SaaS/PaaS services. what this means for us is more lateral movement options (from on-premise to cloud, and vice-versa), and more attack surface (for example: password spraying against cloud services, in addition to on-premise services).

@extraordinay 8 месяцев назад

Thank you sir, can you do some cryphotgraphy ctf too?

@derronc 8 месяцев назад

ooo I hadn't really thought about that. I can't say I'm great at it, but I'll keep this in mind for the future. thanks for the suggestion!

@user-ve8hg7bi1y 7 месяцев назад

so is evilwinrm considered a stable shell? for getting the point on oscp a winrm shell is enought or we should rev shell it via pivoting?

@derronc 7 месяцев назад

that's a great question, thank you for asking! I can tell you that I used evil-winrm in my OSCP exam and was given credit. That said, if you have the time and want to go the extra credit you could totally use evil-winrm to upload a reverse shell payload and then execute it to call back home. BUT if you do that you'll need to port forward through MS01 to get back to your kali machine. I might try that out in a future video just to show how to do it.

@user-ve8hg7bi1y 7 месяцев назад

thanks for the answer, during my last attempt I spent 40minutes trying to rev shell via pivoting haha, this time I will go by evilwinrm, thanks@@derronc

@fatewalker6463 7 месяцев назад

Nice video, just a reminder, cached domain hashes cant be used for PASS THE HASH

@derronc 7 месяцев назад

yes, there are so many nuances to pth that it can get confusing. I'm not sure if I misspoke in this video but just to be clear for anyone reading: NTLM hashes can be passed, NTLMv2 hashes can't. NTLM hashes can only be passed if the environment hasn't been secured against it, and even then there are caveats. I think I'm going to include some examples in my next video to help illustrate. thank you for the feeback!

@0xdhacker 7 месяцев назад

Can you tell me why you have used the ligolo-ng and that ip route please

@derronc 7 месяцев назад

Absolutely! I use ligolo-ng to proxy my traffic (like nmap scans, evil-winrm, smbclient, etc) from kali through MS01 to attack MS02 and DC01. The ip route command is used to tell kali route to the oscp outside subnet (192.168.100.0) via the ligolo tunnel interface.

@koushiksuthar95 5 месяцев назад

Is it possible to download your lab setup?

@basictodynamic6590 7 месяцев назад

i am wondering, you are not able to ping ms02, but able to do nmap without -Pn flag.

@derronc 7 месяцев назад

that's a great point and something I didn't think too much about at the time. but you're right, the Windows firewall was blocking icmp but somehow... nmap decided it didn't care and it ran the scan anyway 🤷‍♂️

@cyberdemo 7 месяцев назад

Are you allowed to run winpeas in OSCP exam?

@derronc 7 месяцев назад

you are! you can use any basically any automated enumeration tool, but you are NOT allowed to use any auto EXPLOIT tool. the exception is metasploit, which you are allowed to use against only one target.

@cyberdemo 7 месяцев назад

It means that to are allowed to use enumerations tools like let's say like the way you grab the winpeas from the github are you allowed to use google to search things like that?? @@derronc

@iv3995 2 месяца назад

great vid, but -1 for nano

@anaykamal4499 3 месяца назад

Is winpeas allowed in OSCP?

@derronc 2 месяца назад

it is! It's actually the most used enumeration tool on the OSCP :)

@intruder70 6 месяцев назад

i wanna see about OSWE, can you show please?😢

@derronc 6 месяцев назад

perhaps in the future; I don't have my OSWE but if/when I do go for it I'll try and share some insights :)

@justethical280 8 месяцев назад

but but , everything is in the cloud now.

@gnuhatt 7 месяцев назад

ur keyboard sounds like drum😂

@derronc 7 месяцев назад

it totally does!! my apologies for that, it annoys me too. I'm upgrading my mic to hopefully remove/reduce the drumming 😂

@pppkenken6610 7 месяцев назад

Makes path

@sandiproy9810 8 месяцев назад

😀😀😀😀😀😀😀😀😀😀😀😀😀😀😀😀😀😀😀😀😀😀

@darshannn10 6 месяцев назад

Is there a similar box on htb or some other platform to practise the same stuff?

@derronc 6 месяцев назад

I've had a hard time finding this type of set up for free. I believe HTB might have some AD sets, but not quite like this/OSCP-like. THM has also had some AD sets in the past but they tend to become $$ options very quickly. These are some of the big reasons I decided to build out this content myself and share it. I just haven't found much of anything that helped me prepare more than building it and practicing myself.