Launching HTB CWEE: Certified Web Exploitation Expert Learn More

NTLM Relay Attacks

The NTLM authentication protocol is commonly used within Windows-based networks to facilitate authentication between clients and servers. However, NTLM's inherent weaknesses make it susceptible to Adversary-in-the-Middle attacks, providing a significant attack vector. This module focuses on the various NTLM relay attacks that attackers use to compromise Active Directory networks.

4.79

Created by plaintextHTB
Co-Authors: Pedant, dpgg1, nwodtuhs

Hard Offensive

Summary

NTLM relay is a powerful offensive technique attackers use to compromise Active Directory environments, allowing them to perform horizontal and vertical privilege escalation and move laterally across Active Directory networks, most importantly, without requiring an NTLM password hash or cleartext credentials for an account in the domain.

In this module, we will first understand the NTLM authentication protocol and the session security SSPI provides for NTLM sessions. Then, we will deep dive into the NTLM Relay attack and its phases, covering the many techniques and tools attackers use in each phase. Afterward, we will learn about and perform various NTLM post-relay attacks, starting with basic same-protocol relaying and mounting attacks such as SAM dumping. Then, we will move to advanced cross-protocol relay attacks and mounting attacks such as computer account creation and privilege escalation. Subsequently, we will learn about farming hashes and the paramount technique of authentication coercion, covering various tools. Armed with the power of authentication coercion, we will subsequently abuse the NTLM relay attack to conduct advanced attacks against Kerberos and ADCS, including RBCD abuse, Shadow Credentials, and ESC8/ESC11.


CREST CPSA/CRT-related Sections:

  • The NTLM Authentication Protocol
  • The NTLM Relay Attack
  • NTLM Relay over SMB Attacks
  • NTLMRelayx Use Cases
  • NTLM Cross-protocol Relay Attacks
  • Farming Hashes

This module is broken down into sections with accompanying hands-on exercises to practice each of the tactics and techniques that we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.

As you work through the module, you will see example commands and command output for the topics introduced. It is worth reproducing as many of these examples as possible to reinforce further the concepts presented in each section.

The module is classified as "Hard" as it assumes a working knowledge of the Linux command line and an understanding of information security fundamentals.

A firm grasp of the following modules can be considered a prerequisite for the successful completion of this module:

  • Networking Fundamentals
  • Linux Fundamentals
  • Windows Fundamentals
  • Introduction To Active Directory
  • Active Directory Enumeration & Attacks

The NTLM Authentication Protocol


During our engagements with Active Directory networks, we will encounter different authentication protocols hosts use, with Kerberos being the most common. However, another protocol, NTLM, is still widely used, despite its known vulnerabilities and cryptographic weaknesses. Understanding how NTLM works internally is crucial to attacking it effectively and increasing the likelihood of a successful engagement.

NTLM


NT Lan Manager (NTLM/MS-NLMP) is the name of a family of security protocols, consisting of LM, NTLMv1, and NTLMv2, used by application protocols on various Windows-based networks to authenticate remote users and optionally provide session security when requested by the application. The NTLM security protocols are all embedded protocols, meaning that although NTLM has messages and a state machine like other protocols, it does not have a network protocol stack layer. This nature of NTLM allows any protocol with a defined layer in the network stack (such as SMB, HTTP(S), and LDAP(S)) to utilize it. For the application protocol using it, NTLMv2 provides three primary operations:

  1. Authentication.
  2. Message integrity, known as message signing in the NTLM terminology.
  3. Message confidentiality, known as message sealing in the NTLM terminology.

NTLM is a challenge-response protocol that uses nonces, pseudo-random numbers generated for one-time use, as a defensive mechanism against replaying attacks. Although each protocol has two variants, connection-oriented and connectionless, we will primarily only be concerned about the former (refer to Overview in MS-NLMP to know the differences between the two).

Unlike normal protocol implementations, NTLM is best implemented as a function library that can be called by application protocols rather than as a layer in a network protocol stack. Security Support Provider Interface (SSPI), the foundation of Windows authentication, is an API that allows connected applications to call one of several security providers to establish authenticated connections and to exchange data securely over those connections. A security support provider (SSP) is a dynamic-link library (DLL) responsible for implementing the SSPI by exposing one or more security packages to applications; each security package provides mappings between an application's SSPI function calls and an actual security model's functions. These security packages support various security protocols, including NTLM.

NTLM SSP (located at %Windir%\System32\msv1_0.dll) is a binary messaging protocol utilized by SSPI to facilitate NTLM challenge-response authentication and to negotiate options for integrity and confidentiality. The NTLM SSP encompasses both the NTLM and NTLMv2 authentication protocols. In this section, we will understand the details of the NTLM protocol's internal workings and state messages rather than discussing how NTLM SSP provides them to applications or transfers NTLM messages within a network.

Both domain-joined and workgroup computers can utilize NTLM for authentication; however, we will focus on the former because we will attack AD environments. While reading the rest of the section, always keep in mind the following:

  • The NTLM version used on hosts, whether NTLMv1 or NTLMv2, is configured out-of-band before authentication.
  • Using a secure mechanism, the client and server/DC share a secret key (the user's password's hash) before authentication.
  • Neither plaintext credentials nor the shared secret key are sent over the wire.

Authentication Workflow

The NTLM authentication workflow for domain-joined computers starts with the client exchanging implementation-specific application protocol messages with the server (where the desired service is), indicating that it wants to authenticate. Subsequently, the client and server exchange three NTLM-specific messages during authentication (embedded in application protocol messages):

  1. NEGOTIATE_MESSAGE (also known as Type 1 message)
  2. CHALLENGE_MESSAGE (also known as Type 2 message)
  3. AUTHENTICATE_MESSAGE (also known as Type 3 message)

Once it receives the AUTHENTICATE_MESSAGE, and because it does not possess the client's secret key, the server delegates the verification of the user's identity to a DC (a procedure known as Pass-through authentication) by invoking NetrLogonSamLogonWithFlags, which contains NETLOGON_NETWORK_INFO, a data structure populated with the various fields that the DC requires to verify the user. If authentication is successful, the DC returns a NETLOGON_VALIDATION_SAM_INFO4 data structure to the server, and the server establishes an authenticated session with the client; otherwise, the DC returns an error, and the server might return an error message to the client, or, it can simply terminate the connection.

The diagram below is NTLM's pass-through authentication:

Domain-joined_Computers_NTLM_Authentication.png

The only difference for workgroup authentication is that the server verifies the user's identity instead of delegating it to the DC:

Workgroup_Computers_NTLM_Authentication.png

We will review the three main NTLM messages to understand what gets sent within them.

NTLM Messages

Each NTLM message is variable-length, containing a fixed-length header and a variable-sized message payload. The header always starts with the Signature and MessageType fields, and depending on the latter, messages can have additional message-dependent fixed-length fields. A variable-length message payload follows these fields.

NTLM_Message_Fields.png

Field Meaning
Signature An 8-byte NULL-terminated ASCII string always set to [N, T, L, M, S, S, P, \0].
MessageType A 4-byte unsigned integer always set to either 0x00000001 (NtLmNegotiate) to indicate that the NTLM message is a NEGOTIATE_MESSAGE or 0x00000002 (NtLmChallenge) to indicate that the NTLM message is a CHALLENGE_MESSAGE or 0x00000003 (NtLmAuthenticate) to indicate that the NTLM message is an AUTHENTICATE_MESSAGE.
MessageDependentFields A variable-length field that contains the NTLM message contents.
payload A variable-length field that contains a message-dependent number of individual payload messages, referenced by byte offsets in MessageDependentFields.

NEGOTIATE_MESSAGE

The NEGOTIATE_MESSAGE is the first NTLM-specific message, sent by the client indicating that it wants to authenticate to the server and specifying its supported/requested NTLM options. It contains four message-dependent fixed-length fields. One important field to know about is NegotiateFlags; this 4-bytes field, present in all three NTLM messages and not exclusive to NEGOTIATE_MESSAGE, is a NEGOTIATE structure consisting of 32 1-bit flags that allow indicating which NTLM capabilities are supported/requested by the sender.

CHALLENGE_MESSAGE

The CHALLENGE_MESSAGE is the second NTLM-specific message, sent by the server to the client to state the NTLM options it can support and challenge the client to prove its identity. It contains six message-dependent fixed-length fields, two important to know about, NegotiateFlags and ServerChallenge. NegotiateFlags holds the flags the server has chosen from the options offered/requested by the client in NegotiateFlags of the NEGOTIATE_MESSAGE. At the same time, ServerChallenge is a 64-bit nonce that holds the NTLM challenge generated by the server.

Some tools, such as NTLM Challenger, ntlm-info, NTLMRecon, and DumpNTLMInfo.py perform reconnaissance against endpoints/hosts that accept NTLM authentication by parsing the information returned within the CHALLENGE_MESSAGE (review its other fields to know why this is possible):

[!bash!]$ python3 examples/DumpNTLMInfo.py 172.16.117.3

Impacket v0.12.0.dev1+20230803.144057.e2092339 - Copyright 2023 Fortra

[+] SMBv1 Enabled   : False
[+] Prefered Dialect: SMB 3.0
[+] Server Security : SIGNING_ENABLED | SIGNING_REQUIRED
[+] Max Read Size   : 8.0 MB (8388608 bytes)
[+] Max Write Size  : 8.0 MB (8388608 bytes)
[+] Current Time    : 2023-08-14 17:39:26.822236+00:00
[+] Name            : DC01
[+] Domain          : INLANEFREIGHT
[+] DNS Tree Name   : INLANEFREIGHT.LOCAL
[+] DNS Domain Name : INLANEFREIGHT.LOCAL
[+] DNS Host Name   : DC01.INLANEFREIGHT.LOCAL
[+] OS              : Windows NT 10.0 Build 17763
[+] Null Session    : True

AUTHENTICATE_MESSAGE

The AUTHENTICATE_MESSAGE is the third and last NTLM-specific message, sent by the client to the server to prove its possession of the shared secret key. It contains nine message-dependent fixed-length fields, two important to know about, LmChallengeResponseFields and NtChallengeResponseFields. For the pseudocode provided by MS-NLMP, we will also refer to the relevant implementation of impacket's NTLM.

NTLMv1 Response Calculation

If NTLMSSP_NEGOTIATE_LM_KEY (the G bit in NEGOTIATE) was agreed upon by the server and client in NegotiateFlags, then, if NTLMv1 is used, LmChallengeResponseFields contains a LM_RESPONSE structure, otherwise, if NTLMv2 is used, LmChallengeResponseFields will contain a LMv2_RESPONSE structure. LM_RESPONSE contains one field, which is Response, a 24-byte array of unsigned char that contains the client's LmChallengeResponse. While for LMv2_RESPONSE, it contains two fields, Response and ChallengeFromClient; Response is a 16-byte array of unsigned char that contains the clients LM challenge-response, while ChallengeFromClient is an 8-byte array of unsigned char that contains a challenge generated by the client. To compute the Response field of LM_RESPONSE or LMv2_RESPONSE, MS-NLMP provides pseudocode.

For NTLMv1 authentication, NTOWFv1 (used only by NTLMv1 and implemented in the compute_nthash function), is an NT LAN Manager (NT) one-way function that creates a hash based on the user's password to generate a principal's security key: instead of using the user's plaintext password, the resultant hash of this function gets used in computing the response. LMOWFv1 (implemented in the compute_lmhash function), used only by LM and NTLMv1, is an NT LAN Manager (LM) one-way function that also creates a hash based on the user's password to generate a principal's security key. The client uses these two functions to calculate the response it returns to the server; the pseudocode for the response calculation is implemented in the function computeResponseNTLMv1.

For NtChallengeResponseFields, if NTLMv1 is used, NtChallengeResponse will contain an NTLM_RESPONSE structure, otherwise, if NTLMv2 is used, then NtChallengeResponse will contain a NTLMv2_RESPONSE structure; NTLM_RESPONSE contains one field, which is Response, a 24-byte array of unsigned char that contains the client's NtChallengeResponse. For NTLMv2_RESPONSE, it contains two fields, Response and a NTLMv2_CLIENT_CHALLENGE structure; Response is a 16-byte array of unsigned char that contains the client's NtChallengeResponse, while NTLMv2_CLIENT_CHALLENGE is a variable-length byte array that contains eight fixed-length variables, including ChallengeFromClient. If we were to capture an NTLMv1 hash using Responder (a powerful tool we will learn about in the next section), it will display it using the format User::HostName:LmChallengeResponse:NtChallengeResponse:ServerChallenge:

[SMB] NTLMv1 Client   : 172.19.117.36
[SMB] NTLMv1 Username : Support1
[SMB] NTLMv1 Hash     : Support1::WIN-OLMHXGAP0V2:e2dL3196O8f55fB6:Q49S19A2937J6XC3CKA418EI4958OHB9:xF2K324O5L6Q7V8C

NTLMv2 Response Calculation

For the response calculation of NTLMv2 authentication, NTOWFv2 and LMOWFv2 (both are version-dependent and only used by NTLMv2, they are implemented in the functions LMOWFv2 and NTOWFv2, respectively) are the one-way functions used to create a hash based on the user's password to generate a principal's security key. With these two functions, the client calculates the response it returns to the server as described in pseudocode (implemented in the function computeResponseNTLMv2). If we were to capture an NTLMv2 hash using Responder, it will display it using the format User::Domain:ServerChallenge:Response:NTLMv2_CLIENT_CHALLENGE:

[SMB] NTLMv2-SSP Client   : 172.19.117.55
[SMB] NTLMv2-SSP Username : INLANEFREIGHT\Support2
[SMB] NTLMv2-SSP Hash     : Support2::INLANEFREIGHT:e2d2339638fc5fd6:D4979A923DD76BC3CFA418E94958E2B0:010100000000000000E0550D97CCD901509F9CE743AB58760000000002000800350034005800360001001E00570049004E002D00390038004B005100480054005300390048004200550004003400570049004E002D00390038004B00510048005400530039004800420055002E0035003400580036002E004C004F00430041004C000300140035003400580036002E004C004F00430041004C000500140035003400580036002E004C004F00430041004C000700080000E0550D97CCD901060004000200000008003000300000000000000000000000004000002DB95E9E27F0AD66CAA477372F555B500CFEA9C5A231FC68F0DA4FABFF76607E0A001000000000000000000000000000000000000900240063006900660073002F003100370032002E00310036002E003100310037002E00330030000000000000000000

NTLM Session Security


If the client and server negotiate it, session security provides message integrity (signing) and message confidentiality (sealing). The NTLM protocol itself does not provide session security; instead, SSPI provides it. NTLMv1, supplanted by NTLMv2, does not support sealing but only signing; therefore, Microsoft strongly recommends against its usage (and the deprecated LM authentication protocol also).

Message Signing and Sealing

Message signing provides message integrity and helps against relay attacks; it is a critical security feature designed to enhance the security of messages sent between the client and server during NTLM communications. When session signing is negotiated, the client and server negotiate a session key to sign all messages exchanged. The session key is generated using a combination of the client's and server's challenge messages and the user's password hash. Once the session key is established, all messages between the client and server are signed using a MAC. The MAC is generated by applying a cryptographic algorithm to the message and the session key. The server can verify the MAC by using the same algorithm as the message and the session key and comparing the result to the MAC provided by the client. Although an adversary might be eavesdropping, they don't possess the user's password hash since it is never transmitted over the wire, and therefore cannot sign messages. Based on the blog post The Basics of SMB Signing (covering both SMB1 and SMB2), we can know the default SMB signing settings for hosts in the network depending on the SMB version they are running. Except for SMB1, which has three possible settings, Required, Enabled, or Disabled, SMB2 and SMB3 only have Required or Not Required:

Host Default Signing Setting
SMB1 Client Enabled
SMB1 Server Disabled
SMB2 & SMB3 Clients Not Required
SMB2 & SMB3 Servers Not Required
Domain Controllers Required

Due to the ever-lasting abuse of the default SMB signing settings by adversaries, Microsoft released an update to enforce SMB signing on Windows 11 Insider editions (and later on for major releases). Microsoft decided, for a better security stature, to finally let go of the legacy behavior where Windows 10 and 11 required SMB signing by default only when connecting to shares named SYSVOL and NETLOGON and where DCs required SMB signing when any client connected to them. Ned Pyle, a Principal Program Manager at Microsoft, wrote the following regretful statement in the post SMB signing required by default in Windows Insider:

"SMB encryption is far more secure than signing, but environments still run legacy systems that don't support SMB 3.0 and later. If I could time travel to the 1990s, SMB signing would've always been on and we'd have introduced SMB encryption much sooner; sadly, I was both in high school and not in charge. We'll continue to push out more secure SMB defaults and many new SMB security options in the coming years; I know they can be painful for application compatibility and Windows has a legacy of ensuring ease of use, but security cannot be left to chance."

Message sealing provides message confidentiality by implementing a symmetric-key encryption mechanism; it ensures that the content of the messages exchanged between the client and server remains secure and that adversaries cannot read or tamper with them. In the context of NTLM, sealing also implies signing because every sealed message is also signed.

Extended Protection for Authentication (EPA)

Extended Protection for Authentication (EPA), based on RFC 5056, is a feature introduced in Windows Server 2008 and later versions that enhance the security of NTLM authentication. When EPA is enabled, the client and server establish a secure channel using a channel binding token (CBT). The CBT binds the authentication to the specific channel characteristics, such as the IP address and port, preventing the authentication from replaying on a different channel. EPA is designed to work with SMB and HTTP protocols, providing additional security for applications and services that rely on NTLM authentication; however, it requires the client and server to support it to establish a secure channel.

Coming Next


After a brief understanding of NTLM's fundamentals, the next section will thoroughly review the NTLM relay attack, exploring its different phases and learning about the tools and techniques we can use throughout each phase.

Sign Up / Log In to Unlock the Module

Please Sign Up or Log In to unlock the module and access the rest of the sections.

Relevant Paths

This module progresses you towards the following Paths

CREST CPSA/CRT Preparation

This is a skill path to prepare you for CREST's CPSA and CRT exams. The following CPSA/CRT syllabus areas (IDs) are covered: A1, A2, A3, A4, A5, B1, B4, B5, B6, B8, B9, B13, B14, C1, C2, C3, C4, D1, D2, E1, E2, E3, E4, E5, E9, F1, F2, F3, F4, F5, F6, F7, F8, F9, G1, G2, G4, G5, G6, G7, G8, G9, H1, H2, H3, H4, H5, H6, H8, H9, H10, H11, H12, H13, I1, I2, I3, I6, J1, J2, J3. Take your time to complete all related sections and when you are ready you can book your CREST exam through the following links. CREST CPSA: https://www.crest-approved.org/certification-careers/crest-certifications/crest-practitioner-security-analyst/. CREST CRT: https://www.crest-approved.org/certification-careers/crest-certifications/crest-registered-penetration-tester/.

Medium Path Sections 837 Sections
Required: 7300
Reward: +1580
Path Modules
Fundamental
Path Sections 21 Sections
Reward: +10
As an information security professional, a firm grasp of networking fundamentals and the required components is necessary. Without a strong foundation in networking, it will be tough to progress in any area of information security. Understanding how a network is structured and how the communication between the individual hosts and servers takes place using the various protocols allows us to understand the entire network structure and its network traffic in detail and how different communication standards are handled. This knowledge is essential to create our tools and to interact with the protocols.
Fundamental
Path Sections 8 Sections
Reward: +10
This module introduces the topic of HTTP web requests and how different web applications utilize them to communicate with their backends.
Fundamental
Path Sections 17 Sections
Reward: +10
In the Introduction to Web Applications module, you will learn all of the basics of how web applications work and begin to look at them from an information security perspective.
Fundamental
Path Sections 30 Sections
Reward: +10
This module covers the fundamentals required to work comfortably with the Linux operating system and shell.
Fundamental
Path Sections 14 Sections
Reward: +10
This module covers the fundamentals required to work comfortably with the Windows operating system.
Easy
Path Sections 23 Sections
Reward: +10
As administrators and Pentesters, we may not always be able to utilize a graphical user interface for the actions we need to perform. Introduction to Windows Command Line aims to introduce students to the wide range of uses for Command Prompt and PowerShell within a Windows environment. We will cover basic usage of both key executables for administration, useful PowerShell cmdlets and modules, and different ways to leverage these tools to our benefit.
Medium
Path Sections 6 Sections
Reward: +20
This module covers the exploration of Windows Event Logs and their significance in uncovering suspicious activities. Throughout the course, we delve into the anatomy of Windows Event Logs and highlight the logs that hold the most valuable information for investigations. The module also focuses on utilizing Sysmon and Event Logs for detecting and analyzing malicious behavior. Additionally, we delve into Event Tracing for Windows (ETW), explaining its architecture and components, and provide ETW-based detection examples. To streamline the analysis process, we introduce the powerful Get-WinEvent cmdlet.
Hard
Path Sections 9 Sections
Reward: +20
This module offers an exploration of malware analysis, specifically targeting Windows-based threats. The module covers Static Analysis utilizing Linux and Windows tools, Malware Unpacking, Dynamic Analysis (including malware traffic analysis), Reverse Engineering for Code Analysis, and Debugging using x64dbg. Real-world malware examples such as WannaCry, DoomJuice, Brbbot, Dharma, and Meterpreter are analyzed to provide practical experience.
Medium
Path Sections 15 Sections
Reward: +10
Network traffic analysis is used by security teams to monitor network activity and look for anomalies that could indicate security and operational issues. Offensive security practitioners can use network traffic analysis to search for sensitive data such as credentials, hidden applications, reachable network segments, or other potentially sensitive information "on the wire." Network traffic analysis has many uses for attackers and defenders alike.
Easy
Path Sections 18 Sections
Reward: +20
Through network traffic analysis, this module sharpens skills in detecting link layer attacks such as ARP anomalies and rogue access points, identifying network abnormalities like IP spoofing and TCP handshake irregularities, and uncovering application layer threats from web-based vulnerabilities to peculiar DNS activities.
Fundamental
Path Sections 15 Sections
Reward: +10
This module teaches the penetration testing process broken down into each stage and discussed in detail. We will cover many aspects of the role of a penetration tester during a penetration test, explained and illustrated with detailed examples. The module also covers pre-engagement steps like the criteria for establishing a contract with a client for a penetration testing engagement.
Easy
Path Sections 12 Sections
Reward: +10
Nmap is one of the most used networking mapping and discovery tools because of its accurate results and efficiency. The tool is widely used by both offensive and defensive security practitioners. This module covers fundamentals that will be needed to use the Nmap tool for performing effective network enumeration.
Medium
Path Sections 21 Sections
Reward: +20
This module covers techniques for footprinting the most commonly used services in almost all enterprise and business IT infrastructures. Footprinting is an essential phase of any penetration test or security audit to identify and prevent information disclosure. Using this process, we examine the individual services and attempt to obtain as much information from them as possible.
Easy
Path Sections 19 Sections
Reward: +20 NEW
This module equips learners with essential web reconnaissance skills, crucial for ethical hacking and penetration testing. It explores both active and passive techniques, including DNS enumeration, web crawling, analysis of web archives and HTTP headers, and fingerprinting web technologies.
Easy
Path Sections 17 Sections
Reward: +10
This module introduces the concept of Vulnerability Assessments. We will review the differences between vulnerability assessments and penetration tests, how to carry out a vulnerability assessment, how to interpret the assessment results, and how to deliver an effective vulnerability assessment report.
Medium
Path Sections 10 Sections
Reward: +10
During an assessment, it is very common for us to transfer files to and from a target system. This module covers file transfer techniques leveraging tools commonly available across all versions of Windows and Linux systems.
Medium
Path Sections 17 Sections
Reward: +10
Gain the knowledge and skills to identify and use shells & payloads to establish a foothold on vulnerable Windows & Linux systems. This module utilizes a fictitious scenario where the learner will place themselves in the perspective of a sysadmin trying out for a position on CAT5 Security's network penetration testing team.
Easy
Path Sections 15 Sections
Reward: +10
The Metasploit Framework is an open-source set of tools used for network enumeration, attacks, testing security vulnerabilities, evading detection, performing privilege escalation attacks, and performing post-exploitation.
Medium
Path Sections 22 Sections
Reward: +10
Passwords are still the primary method of authentication in corporate networks. If strong password policies are not in place, users will often opt for weak, easy-to-remember passwords that can often be cracked offline and used to further our access. We will encounter passwords in many forms during our assessments. We must understand the various ways they are stored, how they can be retrieved, methods to crack weak passwords, ways to use hashes that cannot be cracked, and hunting for weak/default password usage.
Medium
Path Sections 19 Sections
Reward: +20
Organizations regularly use a standard set of services for different purposes. It is vital to conduct penetration testing activities on each service internally and externally to ensure that they are not introducing security threats. This module will cover how to enumerate each service and test it against known vulnerabilities and exploits with a standard set of tools.
Medium
Path Sections 14 Sections
Reward: +20
This module covers the fundamentals of password cracking using the Hashcat tool.
Fundamental
Path Sections 16 Sections
Reward: +10
Active Directory (AD) is present in the majority of corporate environments. Due to its many features and complexity, it presents a vast attack surface. To be successful as penetration testers and information security professionals, we must have a firm understanding of Active Directory fundamentals, AD structures, functionality, common AD flaws, misconfigurations, and defensive measures.
Medium
Path Sections 18 Sections
Reward: +20
Once a foothold is gained during an assessment, it may be in scope to move laterally and vertically within a target network. Using one compromised machine to access another is called pivoting and allows us to access networks and resources that are not directly accessible to us through the compromised host. Port forwarding accepts the traffic on a given IP address and port and redirects it to a different IP address and port combination. Tunneling is a technique that allows us to encapsulate traffic within another protocol so that it looks like a benign traffic stream.
Medium
Path Sections 9 Sections
Reward: +200
This module covers AD enumeration focusing on the PowerView and SharpView tools. We will cover various techniques for enumerating key AD objects that will inform our attacks in later modules.
Medium
Path Sections 36 Sections
Reward: +20
Active Directory (AD) is the leading enterprise domain management suite, providing identity and access management, centralized domain administration, authentication, and much more. Due to the many features and complexity of AD, it presents a large attack surface that is difficult to secure properly. To be successful as infosec professionals, we must understand AD architectures and how to secure our enterprise environments. As Penetration testers, having a firm grasp of what tools, techniques, and procedures are available to us for enumerating and attacking AD environments and commonly seen AD misconfigurations is a must.
Easy
Path Sections 28 Sections
Reward: +20
Privilege escalation is a crucial phase during any security assessment. During this phase, we attempt to gain access to additional users, hosts, and resources to move closer to the assessment's overall goal. There are many ways to escalate privileges. This module aims to cover the most common methods emphasizing real-world misconfigurations and flaws that we may encounter in a client environment. The techniques covered in this module are not an exhaustive list of all possibilities and aim to avoid extreme "edge-case" tactics that may be seen in a Capture the Flag (CTF) exercise.
Medium
Path Sections 33 Sections
Reward: +20
After gaining a foothold, elevating our privileges will provide more options for persistence and may reveal information stored locally that can further our access in the environment. Enumeration is the key to privilege escalation. When you gain initial shell access to the host, it is important to gain situational awareness and uncover details relating to the OS version, patch level, any installed software, our current privileges, group memberships, and more. Windows presents an enormous attack surface and, being that most companies run Windows hosts in some way, we will more often than not find ourselves gaining access to Windows machines during our assessments. This covers common methods while emphasizing real-world misconfigurations and flaws that we may encounter during an assessment. There are many additional "edge-case" possibilities not covered in this module. We will cover both modern and legacy Windows Server and Desktop versions that may be present in a client environment.
Hard
Path Sections 23 Sections
Reward: +100
Kerberos is an authentication protocol that allows users to authenticate and access services on a potentially insecure network. Due to its prevalence throughout an Active Directory environment, it presents us with a significant attack surface when assessing internal networks. This module will explain how Kerberos works thoroughly and examines several scenarios to practice the most common attacks against it from multiple perspectives.
Hard
Path Sections 10 Sections
Reward: +100
The NTLM authentication protocol is commonly used within Windows-based networks to facilitate authentication between clients and servers. However, NTLM's inherent weaknesses make it susceptible to Adversary-in-the-Middle attacks, providing a significant attack vector. This module focuses on the various NTLM relay attacks that attackers use to compromise Active Directory networks.
DACL Attacks I
mini module tag Mini-Module
Hard
Path Sections 7 Sections
Reward: +100
Discretionary Access Control Lists (DACLs), found within security descriptors, are a fundamental component of the security model of Windows and Active Directory, defining and enforcing access to the various system resources. This mini-module will cover enumerating and attacking common DACL misconfigurations, allowing us to escalate our privileges horizontally and vertically and move laterally across an Active Directory network.
Medium
Path Sections 13 Sections
Reward: +10
Buffer overflows are common vulnerabilities in software applications that can be exploited to achieve remote code execution (RCE) or perform a Denial-of-Service (DoS) attack. These vulnerabilities are caused by insecure coding, resulting in an attacker being able to overrun a program's buffer and overwrite adjacent memory locations, changing the program's execution path and resulting in unintended actions.
Medium
Path Sections 11 Sections
Reward: +10
This module is your first step into Windows Binary Exploitation, and it will teach you how to exploit local and remote buffer overflow vulnerabilities on Windows machines.
Easy
Path Sections 15 Sections
Reward: +20
Web application penetration testing frameworks are an essential part of any web penetration test. This module will teach you two of the best frameworks: Burp Suite and OWASP ZAP.
Easy
Path Sections 13 Sections
Reward: +10
This module covers the fundamental enumeration skills of web fuzzing and directory brute forcing using the Ffuf tool. The techniques learned in this module will help us in locating hidden pages, directories, and parameters when targeting web applications.
Easy
Path Sections 11 Sections
Reward: +20
Learn how to brute force logins for various types of services and create custom wordlists based on your target.
Medium
Path Sections 15 Sections
Reward: +100
This module covers details on Transport Layer Security (TLS) and how it helps to make HTTP secure with the widely used HTTPS. That includes how TLS works, how TLS sessions are established, common TLS misconfigurations, as well as famous attacks on TLS. We will discuss how to identify, exploit, and prevent TLS attacks.
Easy
Path Sections 10 Sections
Reward: +20
Cross-Site Scripting (XSS) vulnerabilities are among the most common web application vulnerabilities. An XSS vulnerability may allow an attacker to execute arbitrary JavaScript code within the target's browser and result in complete web application compromise if chained together with other vulnerabilities. This module will teach you how to identify XSS vulnerabilities and exploit them.
Medium
Path Sections 14 Sections
Reward: +20
Maintaining and keeping track of a user's session is an integral part of web applications. It is an area that requires extensive testing to ensure it is set up robustly and securely. This module covers the most common attacks and vulnerabilities that can affect web application sessions, such as Session Hijacking, Session Fixation, Cross-Site Request Forgery, Cross-Site Scripting, and Open Redirects.
Medium
Path Sections 17 Sections
Reward: +10
Databases are an important part of web application infrastructure and SQL (Structured Query Language) to store, retrieve, and manipulate information stored in them. SQL injection is a code injection technique used to take advantage of coding vulnerabilities and inject SQL queries via an application to bypass authentication, retrieve data from the back-end database, or achieve code execution on the underlying server.
Easy
Path Sections 11 Sections
Reward: +20
The SQLMap Essentials module will teach you the basics of using SQLMap to discover various types of SQL Injection vulnerabilities, all the way to the advanced enumeration of databases to retrieve all data of interest.
Medium
Path Sections 11 Sections
Reward: +10
File Inclusion is a common web application vulnerability, which can be easily overlooked as part of a web application's functionality.
Medium
Path Sections 11 Sections
Reward: +20
Arbitrary file uploads are among the most critical web vulnerabilities. These flaws enable attackers to upload malicious files, execute arbitrary commands on the back-end server, and even take control over the entire server and all web applications hosted on it and potentially gain access to sensitive data or cause a service disruption.
Medium
Path Sections 12 Sections
Reward: +20
Command injection vulnerabilities can be leveraged to compromise a hosting server and its entire network. This module will teach you how to identify and exploit command injection vulnerabilities and how to use various filter bypassing techniques to avoid security mitigations.
Medium
Path Sections 14 Sections
Reward: +20 NEW
Authentication is probably the most straightforward and prevalent measure used to secure access to resources, and it's the first line of defense against unauthorized access. Broken authentication is listed as #7 on the 2021 OWASP Top 10 Web Application Security Risks, falling under the broader category of Identification and Authentication failures. A vulnerability or misconfiguration at the authentication stage can impact an application's overall security.
Medium
Path Sections 18 Sections
Reward: +20
This module covers three common web vulnerabilities, HTTP Verb Tampering, IDOR, and XXE, each of which can have a significant impact on a company's systems. We will cover how to identify, exploit, and prevent each of them through various methods.
Medium
Path Sections 33 Sections
Reward: +20
Penetration Testers can come across various applications, such as Content Management Systems, custom web applications, internal portals used by developers and sysadmins, and more. It's common to find the same applications across many different environments. While an application may not be vulnerable in one environment, it may be misconfigured or unpatched in the next. It is important as an assessor to have a firm grasp of enumerating and attacking the common applications discussed in this module. This knowledge will help when encountering other types of applications during assessments.
Medium
Path Sections 13 Sections
Reward: +20
Web services and APIs are frequently exposed to provide certain functionalities in a programmatic way between heterogeneous devices and software components. Both web services and APIs can assist in integrating different applications or facilitate separation within a given application. This module covers how to identify the functionality a web service or API offers and exploit any security-related inefficiencies.
Hard
Path Sections 16 Sections
Reward: +100
In this module, we cover blind SQL injection attacks and MSSQL-specific attacks.
Hard
Path Sections 12 Sections
Reward: +100
This module covers advanced SQL injection techniques with a focus on white-box testing, Java/Spring and PostgreSQL.
Hard
Path Sections 21 Sections
Reward: +100
This 'secure coding' module teaches how to identify logic bugs through code review and analysis, and covers three types of logic bugs caused by user input manipulation.
Easy
Path Sections 16 Sections
Reward: +20
WordPress is an open-source Content Management System (CMS) that can be used for multiple purposes.
Easy
Path Sections 8 Sections
Reward: +20
Proper documentation is paramount during any engagement. The end goal of a technical assessment is the report deliverable which will often be presented to a broad audience within the target organization. We must take detailed notes and be very organized in our documentation, which will help us in the event of an incident during the assessment. This will also help ensure that our reports contain enough detail to illustrate the impact of our findings properly.