Robert Petrunić
September 4, 2025 9:35 am

Most companies worldwide use some kind of LDAP (Lightweight Directory Access Protocol) directory, and many of them use Microsoft AD and/or Microsoft Entra AD because, let's be honest, it is the most widely used LDAP directory in corporate environments. During penetration testing engagements, the author of this lecture has identified many AD misconfigurations that led to partial or, in most cases, complete AD takeover, which is troublesome, to say the least.
There are many attack vectors available against a (usually) misconfigured AD, and in this lecture we will discuss some of them, specifically the ones the author most often sees and compromises in PT engagements. The lecture will be demo-based rather than theory-based, because lecture time is limited and it is impossible to cover even 10% of the usual attacks in theory, let alone in demos. We will dream big and try to demonstrate and explain as much as possible of the following attacks: Kerberos AS-REQ user enumeration, to identify AD accounts in a really fast and safe way; then AS-REP roasting and Kerberoasting (these two are quick and make a good warm-up demo); followed by DCSync attacks. We will unfortunately have to skip the golden (ticket, certificate and SAML) attacks, as well as Silver ticket attacks, because time is an issue, and continue from DCSync to (if time permits) unconstrained delegation attacks. The rest of the demo will be devoted to AD CS (Active Directory Certificate Services) attacks, and we will cover as much as possible of the E1-E11 elevation paths to domain admin accounts.
The sole purpose of this lecture is for the participants to "feel" how vulnerable their environments could be, both out of the box and when misconfigured, and to understand the possible implications. The demonstrated attacks show NTLM and Kerberos vulnerabilities.
Robert works as a senior information security consultant at Eduron IS and is a lecturer at Algebra, the most successful Croatian private college. He has been a Microsoft Certified Trainer since 2002, an EC-Council certified trainer since 2008 and an ISC2 certified trainer since 2014. Since 2004, Robert has been working on programs related to ethical hacking and IT security awareness for systems administrators, developers and IT security consultants.