Prabh Nair
Avsnitt

Practical Active Directory Pentesting Masterclass 2026

Dela

In this episode, Prabh hosts Siva for a deep, practical masterclass on Active Directory (AD) security — covering how AD works, why it becomes the single biggest “blast radius” in most enterprises, and how attackers exploit misconfigurations to compromise an entire organization.What You’ll Learn in This SessionActive Directory components explained (Domain Controllers, LDAP, NTDS.DIT, trusts, OUs)Why AD compromise usually equals full enterprise compromiseReal-world AD attack vectors and how attackers gain initial accessLLMNR poisoning and NTLM authentication abuseNTLM hash cracking with Hashcat (and why cracking “hash → hash” matters)BloodHound for AD security mapping and privilege path discoveryAD Certificate Services (ADCS) vulnerabilities (ESC-style misconfigs)Certificate-based impersonation of Domain AdminsDCSync, DACL abuse, GenericAll permissions, and persistence techniquesKerberos attacks: Golden Ticket, Silver Ticket, KerberoastingWhy Active Directory Security MattersActive Directory is the identity backbone for most enterprises.If AD is compromised, attackers can gain:Domain-wide credentialsAdmin privileges across systemsLateral movement capabilityLong-term persistenceThis masterclass focuses on understanding how the attack works, not just “which command to run.”Active Directory Fundamentals (Quick Breakdown)We cover core AD concepts including:Forest & Domain (security boundaries)Trust relationships (especially during mergers & acquisitions)Organizational Units (OUs) for policy enforcementDomain Controller role and directory servicesLDAP as the protocol used for AD interactionNTDS.DIT and why it’s one of the most dangerous files to loseNTDS.DIT: The “Crown Jewel” RiskSiva demonstrates how extracting NTDS.DIT can reveal:User accountsPassword hashesTrust relationshipsDomain secretsOne compromised file can lead to credential exposure across the entire organization.LLMNR Poisoning & NTLM Attacks (Hands-On)A major portion of this episode focuses on the classic but still deadly chain:Broadcast name resolution (LLMNR)Attacker responds as the “fake resolver”Captures NTLM authentication hashesHashes are cracked for credentials or reused for accessWe also clarify key concepts:LM Hash vs NT Hash vs NTLMWhy cracking NTLM is often the real gateway to exploitationNTLM Hash Cracking With Hashcat (Real Practical)Siva demonstrates:Why Hashcat is preferred for crackingHow password list choice matters (e.g., WeakPass)A powerful technique: cracking NTLMv1 → converting to NT hash for broader attack coverageThis is one of those “real pentesting tricks” many people miss.BloodHound: Visualizing AD Attack PathsSiva demonstrates BloodHound to:Identify Domain AdminsMap group membershipsDiscover privilege escalation pathsUnderstand why local admin access can quickly become domain admin compromiseWe also discuss best practices such as limiting local admin privileges and following Microsoft’s tiering model.AD Certificate Services (ADCS): Domain Compromise in MinutesThis is one of the most critical sections of the session.Siva explains how ADCS misconfigurations can allow attackers to:Request certificates for other usersImpersonate domain adminsAuthenticate using certificate-based logonExtract hashes and elevate privilege rapidlyWe cover how dangerous “Supply in the request” + client authentication permissions can be in certificate templates.DCSync, DACLs, GenericAll & PersistenceWe explore advanced but realistic misconfigurations that don’t always show up as CVEs:DCSync (replication permissions abuse)DACL vulnerabilities (outbound permissions that let you control other objects)GenericAll leading to shadow credentials and persistent accessHow persistence can survive password changes without changing passwords directlyKerberos Attacks ExplainedSiva breaks down Kerberos concepts and vulnerabilities including:Golden TicketSilver TicketKerberoasting

Podden och tillhörande omslagsbild på den här sidan tillhör Prabh Nair. Innehållet i podden är skapat av Prabh Nair och inte av, eller tillsammans med, Poddtoppen.