OSCP Active Directory Attacks 2

Question 1

What PowerShell module is commonly used for Active Directory enumeration without BloodHound in OSCP?

Accepted Answer

PowerSploit / PowerView

Answer

PowerView (part of PowerSploit) provides cmdlets for enumerating users, groups, computers, trusts, and ACLs in Active Directory without requiring RSAT or AD module installation.

Question 2

What is LDAP anonymous bind and why is it a security concern in Active Directory?

Accepted Answer

It allows querying Active Directory without authentication, potentially exposing user accounts and organizational structure

Answer

Anonymous LDAP bind allows unauthenticated queries to Active Directory, potentially exposing user accounts, groups, computer names, and organizational structure that aids attackers in reconnaissance.

Question 3

What is a Silver Ticket attack and how does it differ from a Golden Ticket?

Accepted Answer

A Silver Ticket forges a TGS for a specific service using that service account's hash, bypassing the KDC; a Golden Ticket forges the TGT itself

Answer

A Silver Ticket forges a TGS (service ticket) for a specific service using the service account's hash, bypassing the KDC entirely; a Golden Ticket forges the TGT (master ticket) using the krbtgt hash.

Question 4

What is the significance of finding 'GenericAll' ACL permission on a user object in BloodHound?

Accepted Answer

It grants full control over the object, enabling password reset, adding to groups, or configuring Kerberos delegation

Answer

GenericAll is the highest-privilege ACL right, granting full control over an AD object, including the ability to reset passwords, add group memberships, or configure Kerberos-based attacks.

Question 5

What is Unconstrained Delegation in Active Directory and why is it dangerous?

Accepted Answer

It allows a service account to delegate to any other service, caching users' TGTs which can be extracted and reused

Answer

Unconstrained Delegation allows a service to authenticate to any other service as the connecting user; Windows caches the user's TGT on the delegating host, where it can be extracted with Mimikatz and reused.

OSCP Practice Test

OSCP Practice Test

OSCP Active Directory Attacks 2