Довольно интересна и свежая серия статей, в частности по AD и чуть-чуть туннелям

1. https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform

2. https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform-part-2

3. https://blog.bitsadmin.com/living-off-the-foreign-land-windows-as-offensive-platform-part-3

#ad #pentest #redteam #lofl

Offensive SCCM Summary

Table of Contents:
- Tooling & Who To Follow
- SCCM Attack Paths
- Recon – Find SCCM Infrastructure
- Credential Access – Obtain PXE Media File
- Credential Access – Obtain NAA Creds
- Credential Access – Read unattend.xml
- Recon – Identify Site Information
- Enumeration – Logs
- Enumeration – Previously Executed Scripts
- Recon – Enumerate SiteStore Scripts
- Enumeration – SCCMContentLib
- Enumeration – PXEBoot Shares
-Credential Access – NAA
- ms-DS-MachineAccountQuota
- Credential Access – Client Push Account
- Lateral Movement – Client Push Account
- Lateral Movement – Via SQL
- Lateral Movement – Via AdminService API
- Lateral Movement – NTLM Relay To Other SCCM Clients
- SQL DB Admin To Primary Site DB (Obtain SCCM User Creds, Dumping Task Sequences)
- Coerce NTLM Authentication
- Primary Site Admin
- Recon – Perform Recon Queries
- Lateral Movement – Deploy an application
- Lateral Movement – Arbitrary NTLM Coercion

🔑 HAITI

Hash type identifier (CLI & lib)

Features:
— 519+ hash types detected
— Modern algorithms supported (SHA3, Keccak, Blake2, etc.)
— Hashcat and John the Ripper references
— CLI tool & library
— Hackable

вот тебе матрицы, на вебера и на инфру, что тебе ближе и к чему душа лежит - решать тебе, на какие сертификации равняться, чтобы видеть уровень - тоже есть.

инфра: https://docs.google.com/spreadsheets/d/1yrQRyYS7Li3UpDwJoRqJ7uxD0g-ctm3I9-o-jHgzymg/edit#gid=1689065888
веб: https://docs.google.com/spreadsheets/d/1yrQRyYS7Li3UpDwJoRqJ7uxD0g-ctm3I9-o-jHgzymg/edit#gid=0

Реверс-инжиниринг встраиваемых систем, Усанов А. Е., 2023