Initial Access in Active Directory
Getting those initial credentials and enumerating AD
Last updated: May 4th, 2023Initial Access
- NTLM Authenticated Services
- Heavily used by the services on a domain
- Mail servers that expose an OWA portal
- RDP servers on the internet
- VPNs
- WebApps
- Brute-force
- Password Spraying
- LDAP Bind Credentials
- LDAP Pass-back Attacks
- Hosting a Rogue LDAP Server
- Capturing LDAP Credentials
- Authentication Relays
- SMB
- LLMNR, NBT, WPAD
- Intercepting NetNTLM Challenge
- Relaying the Challenge
- Microsoft Deployment Toolkit
- MDT and SCCM
- PXE Boot
- Configuration Files
- Runas
runas.exe /netonly /user:\ cmd.exe
Enumeration
- Credential Injection
- MMC
- CMD
- PSH
- Bloodhound