No Skids Allowed! A Pentester's Primer


Christopher M. Steffen
May 28, 2020

TABLE OF CONTENTS

1 Fundamentals
  1.1 Introduction
  1.2 Ethics
  1.3 General Knowledge
  1.4 The Hacker’s Toolkit
    1.4.1 Virtual Machines and Operating Systems
      1.4.1.1 Microsoft Windows
      1.4.1.2 Apple macOS
      1.4.1.3 Linux
      1.4.1.4 And So On...
    1.4.2 Programming Languages
    1.4.3 Search Engines and Google-Fu
  1.5 Pentest Methodology
  1.6 Reporting
  1.7 Hacker Etiquette
    1.7.1 Keep it Stable
      1.7.1.1 Don’t be a DoSser
      1.7.1.2 Avoid Brute-Force
    1.7.2 Cover Your Tracks
2 Tools and Techniques
  2.1 General-Purpose
    2.1.1 Tools
      2.1.1.1 Netcat: The Network Swiss-Army Knife
      2.1.1.2 Tee: Transparently Save Output from Tools
    2.1.2 File Transfers
      2.1.2.1 Transferring Files with Python
    2.1.3 Popping Shells
      2.1.3.1 Netcat Shells
  2.2 Enumeration
    2.2.1 Tools
      2.2.1.1 ARP-Scan: The ARP Scanner
      2.2.1.2 Enum4linux: SMB & Samba Enumeration
      2.2.1.3 Nmap: the Network Mapper
      2.2.1.4 smbclient: FTP-Like Client for SMB & Samba
  2.3 Vulnerability Assessment
    2.3.1 Tools
      2.3.1.1 SearchSploit: a Searchable Database of Exploits
  2.4 Exploitation
    2.4.1 Tools
      2.4.1.1 The Metasploit Framework: Hacking on Rails
      2.4.1.2 Meterpreter: MSF’s Premier Payload
  2.5 Post-Exploitation
    2.5.1 Windows Post-Exploitation
      2.5.1.1 Basic Commands
3 Walk-Throughs
  3.1 HackTheBox
    3.1.1 Legacy
      3.1.1.1 Enumeration
      3.1.1.2 Vulnerability Assessment
      3.1.1.3 Exploitation
      3.1.1.4 Capturing Flags
    3.1.2 Lame
      3.1.2.1 Enumeration
      3.1.2.2 Vulnerability Assessment
      3.1.2.3 Exploitation
  3.2 VulnHub
    3.2.1 Kioptrix Level 1
      3.2.1.1 Enumeration
      3.2.1.2 Vulnerability Assessment
      3.2.1.3 Exploitation
4 Quick Reference
  4.1 CTF Platforms
  4.2 Pentesting Methodologies
  4.3 Search Engines and OSINT Resources
    4.3.1 OSINT Resources
    4.3.2 General-Purpose
    4.3.3 Google Dorks
    4.3.4 Exploits and Vulnerabilities
    4.3.5 Images
    4.3.6 Internet-Connected Devices
    4.3.7 Source Code
    4.3.8 Usernames
5 Glossary
Index

Warning: The contents of this compendium are provided as educational and reference material for those interested in legal hacking. They are not intended to promote nor encourage illegal activities. The creators of this guide are not responsible for the actions of its readers.

GET CONNECTED!
• Read the Guide Online!
• Read the Guide on Tor!
• Get the Latest PDF!
• Join the Team on Keybase!
• Help Build the Guide!

CHANGE LOG
This version of No Skids Allowed! was published May 28th, 2020.
• 2020.05.28: Revised layout and added walk-through of Lame from HackTheBox.
• 2020.05.10: Reorganized document in preparation for expansion. Added etiquette.
• 2020.04.10: Created website (with Tor support) and Keybase team.
• 2020.04.07: Finished walk-through of Kioptrix Level 1 from VulnHub.
• 2020.03.16: Finished “First Steps” chapter, detailing walk-through of Legacy from HackTheBox.

CHAPTER ONE
FUNDAMENTALS

The following sections cover the basic knowledge and skills you’ll need in order to start your journey as a computer hacker.
1.1 Introduction

In common usage, a script kiddie (or skid) is an unskilled individual who uses other people’s tools and exploits without understanding how or why they work, all the while calling themself a “hacker.” The term is sometimes used as a form of gate-keeping, putting down novice “wannabe” hackers for lacking knowledge they’ve had no chance to obtain.

Is there anything in your life that you take for granted, without really understanding how it works? I drive my car every day, but I’m no mechanic. I couldn’t tell you how microwaves work, but I use them to make popcorn. I use other people’s inventions every day without ever knowing how they work. I don’t pretend to be a mechanic when I change my oil, nor a physicist when I make popcorn, but the fact remains: in many aspects of life, I’m a total skid. And that’s okay.

In the Hacker Jargon File, a hacker is “an expert or enthusiast of any kind,” or “one who enjoys the intellectual challenge of creatively overcoming or circumventing limitations.” If we apply the same liberal brush to the term “script kiddie,” we could say that a skid is someone who takes advantage of systems in their environment without any deeper understanding or appreciation for how those systems function. If this is the case, then we’re all skids at first. We’re born skids, dependent on the world and people around us, and utterly clueless as to how any of it works. But as we learn, we grow, until we’re not so skiddish anymore. And that’s the secret: to stop being a skid, all you gotta do is stay curious, and keep learning.

That’s what No Skids Allowed! is all about. It’s not about skid-shaming, it’s about learning and improving and growing, and keeping each other accountable, so that we might accurately call ourselves “hackers.” It’s not an easy path. Learning can be quite challenging, especially when the topic is as complex and diverse as Information Security.

Whoever said, “Do what you love, and you’ll never work a day in your life” clearly wasn’t a hacker. Even the most passionate and skilled professional knows that attaining mastery over a skill takes perseverance and strength of will. And sometimes, no matter how good you are, you’re just going to have a rough day. It’s totally fine to be an amateur, to make mistakes, to lack knowledge and skill. If you haven’t failed, you haven’t tried. And if you ever feel like you’re in over your head, just remember the wise words of Jake the Dog:

Fig. 1: “Sucking at something is the first step to becoming sorta good at something.” -Jake the Dog. Image and quote from Adventure Time by Pendleton Ward.

1.2 Ethics

The art of hacking can be legally and ethically ambiguous at times. For professionals, proper permission can make the difference between a paycheck and a prison term. Pentesters must work within the boundaries of a defined scope, which provides the parameters and restrictions of the penetration test. Violating the scope of a penetration test can lead to dire legal consequences.

However, legality isn’t the only consideration to be made. That which is legal is not always ethical, and that which is ethical is not always legal. It is vital that hackers consider the ethics of their actions, and the potential consequences those actions may have in the world. The subject of ethics weighs heavily into discussions about the disclosure of vulnerabilities, hacktivism, state-sponsored cyber-warfare, “hack-back” legislation, and many others. These subjects are highly subjective and widely debated, and will continue to evolve along with technology and global views on ethics.

This guide is written for ethical hackers. To be an ethical hacker, one must have a code of ethics. The authors of this guide