Introduction If you feel like experimenting yourself, the NT hash dataset can be generated using this creatively-named script. In Part 1 we retrieved NTDS and in Part 2 we organised it using hash-organiser. We are now ready to move to the next part of the process: recovering hashes. Extract NTDS → Clean/Organise NTDS → Crack hashes → Generate stats. “Cracking hashes” sounds a bit abstract, so let’s try narrowing it down. At this stage, the goal is not to crack as many hashes as possible just because, but to identify weak passwords and patterns that represent real risk to the domain. ...
Password Audits Part 2: Hash Organisation
Introduction In Part 1, we talked about how we can extract credentials from NTDS using DCSync and VSS. Now, it is time to think about how to best handle the NTDS file. Extracting NTDS is typically the last step in a CTF, but it is just the first one here: Extract NTDS → Clean/Organise NTDS → Crack hashes → Generate stats. The good news is that this part is technically much simpler; no need to talk about weird acronyms, protocols, and methods. We just need to decide what we actually need from NTDS and extract it. ...
My Take on CAPE
Introduction Although there are a few CAPE-related articles and videos out there, some can make the exam look scarier and more complicated than it actually is; they certainly had that effect on me! For instance, my biggest concern after reading them was evasion, as this is one of my weakest areas. In addition to that, I am working from a laptop with fairly limited resources, and let’s just say that installing Visual Studio and compiling stuff on it is not ideal. ...
Password Audits Part 1: NTDS Extraction
Introduction This article is about pentesting, not red teaming. We are given a DA account to extract NTDS; we don’t need to be stealthy or anything of that sort. Therefore, OPSEC considerations are out of scope. I recently went from just testing (close-to-zero-functionality) web apps and APIs to doing more varied stuff, including internal assessments. An internal test consists of many different parts, one of which is assessing the passwords used within the domain (what we call a password audit). ...