{"version":1,"pages":[{"id":"mWmL7STjA1NAGSH0eM3U","title":"Building a Windows AD lab","pathname":"/building-a-windows-ad-lab","siteSpaceId":"sitesp_H5kZG","description":"In this GitBook 0xjs and JustRelax will demonstrate how to build a vulnerable Active Directory(AD) lab for learning pentesting windows domains. Creating misconfigurations, abusing and patching them."},{"id":"6hfmzXtTC672fX59prxG","title":"Lab overview","pathname":"/building-a-windows-ad-lab/lab-setup/lab-overview","siteSpaceId":"sitesp_H5kZG","description":"This page is a overview of the whole lab. It will get updates as the lab expands.","breadcrumbs":[{"label":"Lab-setup"}]},{"id":"pKSNZFh0sRdgN59OfFrc","title":"Building the lab","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab","siteSpaceId":"sitesp_H5kZG","description":"Follow the pages in chronological order to create the lab.","breadcrumbs":[{"label":"Lab-setup"}]},{"id":"JRvgJfpRhZzj2R3kXeyd","title":"Prerequisite","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab/prerequisite","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Building the lab"}]},{"id":"LjJmfmR9xr1iq9OeHDcU","title":"Creating images","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab/creating-images","siteSpaceId":"sitesp_H5kZG","description":"We are expecting that you know how to create a virtual machine and install a Windows client or server. Below is a short manual on how to do so for some guidance.","breadcrumbs":[{"label":"Lab-setup"},{"label":"Building the lab"}]},{"id":"mmHK9UjheKcHFcbZlRQH","title":"Optional: Install software & Settings","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab/creating-images/optional-install-software-and-settings","siteSpaceId":"sitesp_H5kZG","description":"Optionally we could install some software such as BGInfo from sysinternals, Notepad++ or VMware tools.","breadcrumbs":[{"label":"Lab-setup"},{"label":"Building the lab"},{"label":"Creating images"}]},{"id":"O2ePtjPexgaGZUnVOPrn","title":"Network setup","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab/network-setup","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Building the lab"}]},{"id":"js0JQHLBeprwljwW0cnu","title":"Cloning & Creating VM's","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab/cloning-and-creating-vms","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Building the lab"}]},{"id":"YID9EvjXp56qIJjqPIax","title":"Creating bank.local","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab/creating-bank.local","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Building the lab"}]},{"id":"8y6tjmay80Do5IfbIHBl","title":"Creating Domain Controller - DC01","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab/creating-bank.local/creating-domain-controller-dc01","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Building the lab"},{"label":"Creating bank.local"}]},{"id":"IIkSn5znSpNK6FexsORT","title":"Enable RDP","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab/creating-bank.local/creating-domain-controller-dc01/enable-rdp","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Building the lab"},{"label":"Creating bank.local"},{"label":"Creating Domain Controller - DC01"}]},{"id":"0S4btvl6fWTBJJN7pya7","title":"Creating amsterdam.bank.local","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab/creating-bank.local/creating-amsterdam.bank.local","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Building the lab"},{"label":"Creating bank.local"}]},{"id":"4hwoCIhAHYWGNhVfeX5R","title":"Creating Domain Controller - DC02","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab/creating-bank.local/creating-amsterdam.bank.local/creating-domain-controller-dc02","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Building the lab"},{"label":"Creating bank.local"},{"label":"Creating amsterdam.bank.local"}]},{"id":"9UzFbJLnvTuWRF6qAhea","title":"Creating a AD structure","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab/creating-bank.local/creating-amsterdam.bank.local/creating-domain-controller-dc02/creating-a-ad-structure","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Building the lab"},{"label":"Creating bank.local"},{"label":"Creating amsterdam.bank.local"},{"label":"Creating Domain Controller - DC02"}]},{"id":"aFpVqK3TBXLSLvh3Dyco","title":"Create a CA","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab/creating-bank.local/creating-amsterdam.bank.local/creating-domain-controller-dc02/create-a-ca","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Building the lab"},{"label":"Creating bank.local"},{"label":"Creating amsterdam.bank.local"},{"label":"Creating Domain Controller - DC02"}]},{"id":"Tn1MVpA27b4GoQ9k1BnO","title":"Configure LDAPS","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab/creating-bank.local/creating-amsterdam.bank.local/creating-domain-controller-dc02/configure-ldaps","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Building the lab"},{"label":"Creating bank.local"},{"label":"Creating amsterdam.bank.local"},{"label":"Creating Domain Controller - DC02"}]},{"id":"ZsynS7pwGGTNnmv9NkBj","title":"Creating Fileserver - FILE01","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab/creating-bank.local/creating-amsterdam.bank.local/creating-fileserver-file01","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Building the lab"},{"label":"Creating bank.local"},{"label":"Creating amsterdam.bank.local"}]},{"id":"2wIP3yKbubp7AyTCtZU5","title":"File services","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab/creating-bank.local/creating-amsterdam.bank.local/creating-fileserver-file01/file-services","siteSpaceId":"sitesp_H5kZG","description":"Shares are used a lot in infrastructures and we often see shares that are open for all domain users. Sometimes passwords or other sensitive information can be found on shares.","breadcrumbs":[{"label":"Lab-setup"},{"label":"Building the lab"},{"label":"Creating bank.local"},{"label":"Creating amsterdam.bank.local"},{"label":"Creating Fileserver - FILE01"}]},{"id":"YGCqE6qXJbJB60cyNZsA","title":"Creating W10 client - WS01","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab/creating-bank.local/creating-amsterdam.bank.local/creating-w10-client-ws01","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Building the lab"},{"label":"Creating bank.local"},{"label":"Creating amsterdam.bank.local"}]},{"id":"G1KTWnRGZCuhWc8tLVx7","title":"PSRemoting","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab/creating-bank.local/creating-amsterdam.bank.local/creating-w10-client-ws01/psremoting","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Building the lab"},{"label":"Creating bank.local"},{"label":"Creating amsterdam.bank.local"},{"label":"Creating W10 client - WS01"}]},{"id":"geACt10V6cGfvvOFKxn6","title":"Creating Webserver - WEB01","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab/creating-bank.local/creating-amsterdam.bank.local/creating-webserver-web01","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Building the lab"},{"label":"Creating bank.local"},{"label":"Creating amsterdam.bank.local"}]},{"id":"urywGCzMpCBZgGiWoRoB","title":"Web Services","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab/creating-bank.local/creating-amsterdam.bank.local/creating-webserver-web01/web-services","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Building the lab"},{"label":"Creating bank.local"},{"label":"Creating amsterdam.bank.local"},{"label":"Creating Webserver - WEB01"}]},{"id":"ARgERV4UXmwqBgJi3u55","title":"SQL Server","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab/creating-bank.local/creating-amsterdam.bank.local/creating-webserver-web01/sql-server","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Building the lab"},{"label":"Creating bank.local"},{"label":"Creating amsterdam.bank.local"},{"label":"Creating Webserver - WEB01"}]},{"id":"nVGeFhObX4RXe3M9jUmQ","title":"Create database","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab/creating-bank.local/creating-amsterdam.bank.local/creating-webserver-web01/sql-server/create-database","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Building the lab"},{"label":"Creating bank.local"},{"label":"Creating amsterdam.bank.local"},{"label":"Creating Webserver - WEB01"},{"label":"SQL Server"}]},{"id":"rdQG9HacXDNIA1cdkg1O","title":"Creating secure.local","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab/creating-secure.local","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Building the lab"}]},{"id":"0spyJLYmBA5mJJJhGtTy","title":"Creating Domain Controller - DC03","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab/creating-secure.local/creating-domain-controller-dc03","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Building the lab"},{"label":"Creating secure.local"}]},{"id":"ALnkFNJNmUKILZYXlXgB","title":"Creating File/SQL Server - DATA01","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab/creating-secure.local/creating-file-sql-server-data01","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Building the lab"},{"label":"Creating secure.local"}]},{"id":"boaDACQ37NMee5lDE52x","title":"SQL Server","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab/creating-secure.local/creating-file-sql-server-data01/sql-server","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Building the lab"},{"label":"Creating secure.local"},{"label":"Creating File/SQL Server - DATA01"}]},{"id":"xW2zf0wFTxRvZOs6rqN0","title":"Create database","pathname":"/building-a-windows-ad-lab/lab-setup/building-the-lab/creating-secure.local/creating-file-sql-server-data01/sql-server/create-database","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Building the lab"},{"label":"Creating secure.local"},{"label":"Creating File/SQL Server - DATA01"},{"label":"SQL Server"}]},{"id":"gda7rsSrsoW1X0MvBEvQ","title":"Attack Paths","pathname":"/building-a-windows-ad-lab/lab-setup/attack-paths","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"}]},{"id":"AysDjjCActZapvKA4Uqy","title":"Attack path 1 (hard)","pathname":"/building-a-windows-ad-lab/lab-setup/attack-paths/attack-path-1-hard","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Attack Paths"}]},{"id":"k2lRhIcOXrhZ4sIHpUcl","title":"Configuring","pathname":"/building-a-windows-ad-lab/lab-setup/attack-paths/attack-path-1-hard/configuring","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Attack Paths"},{"label":"Attack path 1 (hard)"}]},{"id":"gUvd78T0aouE2B6TK1RE","title":"Tasks","pathname":"/building-a-windows-ad-lab/lab-setup/attack-paths/attack-path-1-hard/tasks","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Attack Paths"},{"label":"Attack path 1 (hard)"}]},{"id":"xJRPlnQyQti1aoMWh1wi","title":"Manual","pathname":"/building-a-windows-ad-lab/lab-setup/attack-paths/attack-path-1-hard/manual","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Attack Paths"},{"label":"Attack path 1 (hard)"}]},{"id":"7oZKZsBEHuN56bSLbS4A","title":"Attack path 2","pathname":"/building-a-windows-ad-lab/lab-setup/attack-paths/attack-path-2","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Attack Paths"}]},{"id":"NMEnclbtoP5pPw7rjo92","title":"Configuring","pathname":"/building-a-windows-ad-lab/lab-setup/attack-paths/attack-path-2/configuring","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Attack Paths"},{"label":"Attack path 2"}]},{"id":"lmMJWpZ6nzv1Y9w1jtsb","title":"Task","pathname":"/building-a-windows-ad-lab/lab-setup/attack-paths/attack-path-2/task","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Attack Paths"},{"label":"Attack path 2"}]},{"id":"2vGAm6MEjquRUD7T8quc","title":"Manual","pathname":"/building-a-windows-ad-lab/lab-setup/attack-paths/attack-path-2/manual","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"},{"label":"Attack Paths"},{"label":"Attack path 2"}]},{"id":"pJsto3pT75Q4wG1wqiUz","title":"Troubleshooting","pathname":"/building-a-windows-ad-lab/lab-setup/troubleshooting","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"}]},{"id":"2jBX3OvhKSzPElZDvXIr","title":"To-Do","pathname":"/building-a-windows-ad-lab/lab-setup/to-do","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Lab-setup"}]},{"id":"aBRPa8b1sPUNfm9xNZfe","title":"Initial Access Attacks","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/initial-access-attacks","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"}]},{"id":"mHubbJmNpQh3FWav68zp","title":"Username Enumeration","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/initial-access-attacks/username-enumeration","siteSpaceId":"sitesp_H5kZG","description":"It is possible to enumerate valid usernames without authentication by sending TGT requests with no pre-authentication.","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Initial Access Attacks"}]},{"id":"Q8xmp0DnTS5Z7XgSvWnd","title":"Password Spraying","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/initial-access-attacks/username-enumeration/password-spraying","siteSpaceId":"sitesp_H5kZG","description":"People don't always choose strong passwords, neither do IT people for temporary accounts. Spraying passwords against all found user accounts is effective for getting access to the domain.","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Initial Access Attacks"},{"label":"Username Enumeration"}]},{"id":"fBAwcQwf43xhEL23msGy","title":"AS-REP Roasting","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/initial-access-attacks/username-enumeration/as-rep-roasting","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Initial Access Attacks"},{"label":"Username Enumeration"}]},{"id":"p3wG37NJj6sRH8CXR3HA","title":"Empty Password","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/initial-access-attacks/username-enumeration/empty-password","siteSpaceId":"sitesp_H5kZG","description":"It is possible that accounts have an empty password if the useraccountcontrol attribute contains the value PASSWD_NOT_REQ.","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Initial Access Attacks"},{"label":"Username Enumeration"}]},{"id":"bJjZxLralNjhjgwJX3AR","title":"SMB Relaying","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/initial-access-attacks/smb-relaying","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Initial Access Attacks"}]},{"id":"7yVAqmaUjIviZZ0g3oPo","title":"SMB Null-Session (To-Do)","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/initial-access-attacks/page-3","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Initial Access Attacks"}]},{"id":"OzkAMecUgjd8hzzk10ik","title":"SQL Server default login","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/initial-access-attacks/sql-server-default-login","siteSpaceId":"sitesp_H5kZG","description":"By default the SA user is NOT enabled. Administrators might enable it during the installation and choose a weak password.","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Initial Access Attacks"}]},{"id":"gNJ2UM7pbZQxp3hv5EEM","title":"Active Directory Attacks","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"}]},{"id":"fcJpYDAkCr8gq4FZdjWc","title":"Password spraying","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/password-spraying","siteSpaceId":"sitesp_H5kZG","description":"People don't always choose strong passwords, neither do IT people for temporary accounts. Spraying passwords against all user accounts is effective for moving laterally and escalating privileges.","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"}]},{"id":"nVKTCo2G6l9jSLCHaXTM","title":"AS-REP Roasting","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/page-3","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"}]},{"id":"1iKq2mh2qScHKyLiEaOK","title":"Empty password","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/page-3-1","siteSpaceId":"sitesp_H5kZG","description":"It is possible that accounts have an empty password if the useraccountcontrol attribute contains the value PASSWD_NOT_REQ.","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"}]},{"id":"pHNWTNdPODZQt7bZXEAx","title":"Password in description","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/page-3-2","siteSpaceId":"sitesp_H5kZG","description":"A old habit from IT people was to write down the password for shared user accounts in the description field, which every user with a bit of knowledge can read from all users!","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"}]},{"id":"SkedRxGllG514wW92hH2","title":"Kerberoasting","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/page-3-3","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"}]},{"id":"mMn10zSMrB19jNRsNdrA","title":"Delegation Attacks","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/delegation-attacks","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"}]},{"id":"mACzmdzGG8oWuvr3Qlrf","title":"Unconstrained Delegation","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/delegation-attacks/unconstrained-delegation","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"Delegation Attacks"}]},{"id":"JwVfPEyReVKqX6hHKXRS","title":"Printerbug","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/delegation-attacks/unconstrained-delegation/page-3","siteSpaceId":"sitesp_H5kZG","description":"Abusing unconstrained delegation and the printspooler service.","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"Delegation Attacks"},{"label":"Unconstrained Delegation"}]},{"id":"qzuKKoCtiCPNgZIWwOjK","title":"Constrained Delegation","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/delegation-attacks/page-3","siteSpaceId":"sitesp_H5kZG","description":"If a user or computer has constrained delegation configured, it's possible to impersonate any domain user and authenticate to a service that the user account is trusted to delegate to. It is also poss","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"Delegation Attacks"}]},{"id":"7U6HOgtVof3JXBb5jQG4","title":"Resource Based Constrained Delegation","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/delegation-attacks/resource-based-constrained-delegation","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"Delegation Attacks"}]},{"id":"MOogSCPgy1yZcLGkAPq2","title":"Computeraccount Takeover","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/delegation-attacks/resource-based-constrained-delegation/computeraccount-takeover","siteSpaceId":"sitesp_H5kZG","description":"If you have GenericAll or GenericWrite rights to a computer object you can write to the attribute msds-AllowedToActOnBehalfOfOtherIdentity and the abuse the delegation to take over the system","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"Delegation Attacks"},{"label":"Resource Based Constrained Delegation"}]},{"id":"h40Dk0dUe4CjO5OqmwZk","title":"Change-LockScreen","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/delegation-attacks/resource-based-constrained-delegation/resource-based-constrained-delegation","siteSpaceId":"sitesp_H5kZG","description":"Abuse the lockscreen image changing functionality to achieve a webdav network authentication as SYSTEM from the given computer. Then relay the authentication to the Active Directory LDAP service in or","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"Delegation Attacks"},{"label":"Resource Based Constrained Delegation"}]},{"id":"1B0NQZLoybOXNKjBo0aJ","title":"Webclient Attack (todo)","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/delegation-attacks/resource-based-constrained-delegation/webclient-attack-todo","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"Delegation Attacks"},{"label":"Resource Based Constrained Delegation"}]},{"id":"T7DcgOUKHFqXdPtMrAIE","title":"DACL-Abuses","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"}]},{"id":"gpZoMTuaiO26xOwb32jm","title":"Write Owner","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/page-2","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"DACL-Abuses"}]},{"id":"BgXHpzkPLUzj81ysjIoL","title":"Owns","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/owns","siteSpaceId":"sitesp_H5kZG","description":"If you are \"Owner\" of a object, you can change the DACL of the object.","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"DACL-Abuses"}]},{"id":"OPMFVudTjPLTVthgatcu","title":"WriteDacl","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/writedacl","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"DACL-Abuses"}]},{"id":"0av0vUyAJhP2H3SJj0nE","title":"GenericAll","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/genericall","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"DACL-Abuses"}]},{"id":"Rb3rn5vfKeod7t0ELQLF","title":"GenericWrite (todo)","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/genericwrite-todo","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"DACL-Abuses"}]},{"id":"y3WVp5205BvoV7yAhZ6U","title":"ForceChangePassword","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/forcechangepassword","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"DACL-Abuses"}]},{"id":"2viqIOiHkElNpV3sNBkw","title":"Add user to group (todo)","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/add-user-to-group-todo","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"DACL-Abuses"}]},{"id":"EvcG7mXeZ57n98uruvBm","title":"Targeted Kerberoast (todo)","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/targeted-kerberoast-todo","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"DACL-Abuses"}]},{"id":"VodCix6ht67b5lB2pFni","title":"Get-Changes","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/get-changes","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"DACL-Abuses"}]},{"id":"NXypGmw5yuCJPm88kGRF","title":"Reused local administrator (todo)","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/reused-local-administrator-todo","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"}]},{"id":"f6uuWoSy1oeCVLG8my2F","title":"SQL Server Attacks (todo)","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"}]},{"id":"rRSuI2SVcG1ViUXIPcM6","title":"Initial Access","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/initial-access","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"SQL Server Attacks (todo)"}]},{"id":"ET6xOQS69vJQqHOqJfoD","title":"SQL Server default login","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/initial-access/sql-server-default-login","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"SQL Server Attacks (todo)"},{"label":"Initial Access"}]},{"id":"qB32tCgObrEYZKLqTafy","title":"Normal domain user access","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/initial-access/normal-domain-user-access","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"SQL Server Attacks (todo)"},{"label":"Initial Access"}]},{"id":"MTmumTGbv2URbkcgd3Iz","title":"Privilege Escalation","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/privilege-escalation","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"SQL Server Attacks (todo)"}]},{"id":"kXbJcxl7XAuCxVM817Ap","title":"Impersonation","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/privilege-escalation/impersonation","siteSpaceId":"sitesp_H5kZG","description":"SQL Server has a special permission, named impersonate, this enables one user to operate with the permissions of another user as well as their own permissions.","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"SQL Server Attacks (todo)"},{"label":"Privilege Escalation"}]},{"id":"NmzfwS7nQTZlBvI1fSnW","title":"DB-Owner","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/privilege-escalation/db-owner","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"SQL Server Attacks (todo)"},{"label":"Privilege Escalation"}]},{"id":"MDCdLpwaWHJN7DjAqxXN","title":"Enumerate Logins","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/privilege-escalation/enumerate-logins","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"SQL Server Attacks (todo)"},{"label":"Privilege Escalation"}]},{"id":"2n8D63xjGWCUTqxAvQaC","title":"Weak passwords","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/privilege-escalation/enumerate-logins/weak-passwords","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"SQL Server Attacks (todo)"},{"label":"Privilege Escalation"},{"label":"Enumerate Logins"}]},{"id":"8Jb6EIbewuWtB6niRRoj","title":"Executing Commands","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/executing-commands","siteSpaceId":"sitesp_H5kZG","description":"xp_cmdshell could be used to execute commands on the SQL Server.","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"SQL Server Attacks (todo)"}]},{"id":"sxQ82Vl8G3bKp5a1G5Na","title":"Database-Links","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/database-links","siteSpaceId":"sitesp_H5kZG","description":"SQL Servers can be configured to link to other SQL Servers.","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"SQL Server Attacks (todo)"}]},{"id":"gRoLjBNSMflQzxXRd9Gp","title":"Capturing hashes & Relaying","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/capturing-hashes-and-relaying","siteSpaceId":"sitesp_H5kZG","description":"SQL servers by default run as a service with a local account, but might run under a domain user account. These are normally local admin on a server and might be on multiple SQL Servers.","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"SQL Server Attacks (todo)"}]},{"id":"jHzJhNgowfbW59CVapYr","title":"Reading LAPS passwords (todo)","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/laps","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"}]},{"id":"H2UEfcs6XZrBGtbBzhli","title":"Priviliged Groups (todo)","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/priviliged-groups","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"}]},{"id":"Q4slQHC88WQMiMbPVZgA","title":"DNS-Admins (todo)","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/priviliged-groups/dns-admins","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"Priviliged Groups (todo)"}]},{"id":"PicrLdkT5teONE2qxXHN","title":"Account Operators (todo)","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/priviliged-groups/account-operators","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"Priviliged Groups (todo)"}]},{"id":"5UyNtDM933aEzLtxUFwY","title":"Backup Operators","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/priviliged-groups/backup-operators","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"Priviliged Groups (todo)"}]},{"id":"ZeHcR7Kmi8v9N5hYWucL","title":"Server Operators (todo)","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/priviliged-groups/server-operators-todo","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"Priviliged Groups (todo)"}]},{"id":"ZjjO2YtKemSpWtw2xxYt","title":"Hopping domains and forests","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/hopping-domains-and-forests","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"}]},{"id":"swsUtFfayUwTHrzBeJYn","title":"Child to parent domain","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/hopping-domains-and-forests/child-to-parent-domain","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"Hopping domains and forests"}]},{"id":"zEbDTprdT83SwTtoQgxw","title":"Krbtgt hash","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/hopping-domains-and-forests/child-to-parent-domain/page-3","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"Hopping domains and forests"},{"label":"Child to parent domain"}]},{"id":"WQil1xzFpxFkRVg2k1di","title":"Trust key","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/hopping-domains-and-forests/child-to-parent-domain/page-3-1","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"Hopping domains and forests"},{"label":"Child to parent domain"}]},{"id":"sEUaOcpAQiMDD1KPN2FT","title":"Cross forest Attacks (todo)","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/hopping-domains-and-forests/cross-forest-attacks-todo","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"Hopping domains and forests"}]},{"id":"pOSp3ECnqqZQPk80V3Sa","title":"Foreign user","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/hopping-domains-and-forests/cross-forest-attacks-todo/page-3","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Active Directory Attacks"},{"label":"Hopping domains and forests"},{"label":"Cross forest Attacks (todo)"}]},{"id":"Niq7dPFb8VRksFvqj0o6","title":"Misc","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/misc","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"}]},{"id":"8OhhbkYce91NLD3a7XgW","title":"Reverse shell trick","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/misc/reverse-shell-trick","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Misc"}]},{"id":"oEgDsF8t1pZEr2QOgqiA","title":"Lateral Movement","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/misc/lateral-movement","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Misc"}]},{"id":"C5v204Xxo20vM0Haa90A","title":"PSRemoting","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/misc/lateral-movement/psremoting","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Misc"},{"label":"Lateral Movement"}]},{"id":"XRmt7jjPz2X8XSWCM0UW","title":"PsExec (todo)","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/misc/lateral-movement/psexec-todo","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Misc"},{"label":"Lateral Movement"}]},{"id":"mQLjXxmvji62KCnp6MyL","title":"Misconfigured Service (todo)","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/misc/misconfigured-service-todo","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Misc"}]},{"id":"87u45ZXbHTfGtEE9TWM7","title":"Unqouted Service Path","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/misc/misconfigured-service-todo/unqouted-service-path","siteSpaceId":"sitesp_H5kZG","description":"We will create a service with a Unquoted Service Path to escalate privileges from a low privileges user account to SYSTEM.","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Misc"},{"label":"Misconfigured Service (todo)"}]},{"id":"0GXLOMc0L3j6WXGKWSIQ","title":"Discovering Shares","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/misc/page-3","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Misc"}]},{"id":"JgCz1YvhDq0Vwjhw7IH5","title":"Password on shares","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/misc/page-3-1","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Misc"}]},{"id":"qQ2inE9CW3ZX9odWCE9n","title":"Different methods of dumping credentials","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/misc/different-methods-of-dumping-credentials","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Misc"}]},{"id":"Y2yO74Lohb3IcgGv0D4j","title":"LSASS (todo)","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/misc/different-methods-of-dumping-credentials/lsass-todo","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Misc"},{"label":"Different methods of dumping credentials"}]},{"id":"ommy6TG7AtXe3jXrVXc3","title":"Dumping DPAPI","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/misc/different-methods-of-dumping-credentials/page-3","siteSpaceId":"sitesp_H5kZG","description":"DPAPI stands for Data Protection API. Which is used by windows to securely save credentials.","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Misc"},{"label":"Different methods of dumping credentials"}]},{"id":"ihimh4kSCoNoWMLJikQX","title":"Browser passwords","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/misc/different-methods-of-dumping-credentials/page-3/page-3","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Misc"},{"label":"Different methods of dumping credentials"},{"label":"Dumping DPAPI"}]},{"id":"NutdRgKBm54LNvn2e4I2","title":"Scheduled tasks (todo)","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/misc/different-methods-of-dumping-credentials/scheduled-tasks-todo","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Misc"},{"label":"Different methods of dumping credentials"}]},{"id":"aNRnRIeFov3WQn1BC5i2","title":"Services (todo)","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/misc/different-methods-of-dumping-credentials/services-todo","siteSpaceId":"sitesp_H5kZG","description":"It's possible to create custom services, which will run with a local or a domain account. When you have high enough privilege's, it's possible to retrieve the credentials of the service.","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Misc"},{"label":"Different methods of dumping credentials"}]},{"id":"7OZ66Hwe5RmFKdifht58","title":"Vssadmin Shadow Copy","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/misc/different-methods-of-dumping-credentials/page-3-1","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Misc"},{"label":"Different methods of dumping credentials"}]},{"id":"SwGq8q0ow2o8DlcSgm4L","title":"ms-ds-machineaccountquota (todo)","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/misc/page-3-2","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Misc"}]},{"id":"4b3yAb4yypFDv7oeFQCK","title":"add DNS Records (todo)","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/misc/page-3-3","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Misc"}]},{"id":"t8JP1lUfojSVbfGm1Oyh","title":"Bypassing UAC","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/misc/page-3-4","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"},{"label":"Misc"}]},{"id":"AUOjqZgwzH31lnMmeFTi","title":"Template page","pathname":"/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/page-3","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Vulnerabilities & Misconfigurations & Attacks"}]},{"id":"Hv1Sb4Or8VIV2YetOY2O","title":"Detection","pathname":"/building-a-windows-ad-lab/defence/detection","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Defence"}]},{"id":"NfA09iqKSAf2rQKoLgdS","title":"Hardening","pathname":"/building-a-windows-ad-lab/defence/hardening","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Defence"}]},{"id":"dPpexwA9MnPwfx8bYRT3","title":"LDAP","pathname":"/building-a-windows-ad-lab/defence/hardening/ldap","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Defence"},{"label":"Hardening"}]},{"id":"5onhSFIG41miRXuqaFs6","title":"LDAP Signing","pathname":"/building-a-windows-ad-lab/defence/hardening/ldap/ldap-signing","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Defence"},{"label":"Hardening"},{"label":"LDAP"}]},{"id":"hSltdCbjrk0nLm5cHkeb","title":"LDAPS Binding","pathname":"/building-a-windows-ad-lab/defence/hardening/ldap/ldaps-binding","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Defence"},{"label":"Hardening"},{"label":"LDAP"}]},{"id":"WgMZMQE4cWeYS8XsSa9A","title":"Strong Password Policy","pathname":"/building-a-windows-ad-lab/defence/hardening/strong-password-policy","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Defence"},{"label":"Hardening"}]},{"id":"RzFOteGoHljAfanVyMhB","title":"Change who can join computers to the domain","pathname":"/building-a-windows-ad-lab/defence/hardening/change-who-can-join-computers-to-the-domain","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Defence"},{"label":"Hardening"}]},{"id":"iMFADnHkMGydBbaHUAgT","title":"Protected users group","pathname":"/building-a-windows-ad-lab/defence/hardening/protected-users-group","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Defence"},{"label":"Hardening"}]},{"id":"CY9hfYh51egLauZSaUF8","title":"Account is sensitive and cannot be delegated","pathname":"/building-a-windows-ad-lab/defence/hardening/account-is-sensitive-and-cannot-be-delegated","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Defence"},{"label":"Hardening"}]},{"id":"DB3pPll8VysXEB446i4B","title":"Powershell Execution Policy","pathname":"/building-a-windows-ad-lab/defence/hardening/powershell-execution-policy","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Defence"},{"label":"Hardening"}]},{"id":"IG4tUY3uZhJgQXqNhrFi","title":"Template page","pathname":"/building-a-windows-ad-lab/defence/hardening/template-page","siteSpaceId":"sitesp_H5kZG","description":"","breadcrumbs":[{"label":"Defence"},{"label":"Hardening"}]}]}