Most companies worldwide use some kind of LDAP (Lightweight Directory Access Protocol) directory, and many of them use Microsoft AD and/or Microsoft Entra, because, let's be honest, it is the most widely used LDAP implementation in corporate environments. During penetration testing engagements, the author of this lecture has identified many AD misconfigurations that led to partial or, in most cases, complete AD takeover, which is troublesome, to say the least.
There are many attack vectors available against (usually) misconfigured AD, and in this lecture we will discuss some of them, specifically the ones the author most often sees and compromises in PT engagements. The lecture will be demo-based rather than theory-based, because the lecture time is limited and it is impossible to cover even 10% of the usual attacks in theory, and even less in demo. We will dream big and try to demonstrate and explain as much as possible of the following attacks: Kerberos AS-REQ user enumeration, to identify AD accounts in a fast and safe way, followed by AS-REP roasting and Kerberoasting (these two are quick, and a good warm-up demo). We will unfortunately have to skip the golden (ticket, certificate, and SAML) attacks, as well as the Silver ticket attacks, since time is an issue, and continue with DCSync and (if time permits) unconstrained delegation attacks. The rest of the demo will show some other interesting ways to compromise AD, such as AD CS (Active Directory Certificate Services) attacks (only E3, as an overview, because there will be a pre-conference workshop drilling into AD CS issues), and if time permits, we will continue with some more complex AD attack paths.
The sole purpose of this lecture is for the participants to "feel" how vulnerable their environments could be, both out of the box and when misconfigured, and to understand the possible implications. The demonstrated attacks cover both NTLM and Kerberos vulnerabilities.