KALI

Offensive Operations Platform
OS: Kali Linux 2024.4
Role: Red Team / Attack Box
IP: 192.168.56.36
User: kali (root)
Status: ARMED
KALI is the dedicated offensive engine of the lab. It is used not only to attack the vulnerable environment but also to test the remediation strategies applied to it; this drives the "Purple Team" feedback loop by generating the attack traffic that defenders must detect.

Active Capabilities

πŸ” Network Enumeration (T1046)

Nmap service discovery and port scanning to identify attack surface across domain hosts.

Target: Service Discovery

πŸ—ΊοΈ Active Directory Mapping (T1087.002)

BloodHound/SharpHound automated AD object ingestion to identify the shortest paths to Domain Admin.

Target: Attack Path Analysis

🎫 Kerberoasting (T1558.003)

GetUserSPNs.py requesting TGS tickets for service accounts, enabling offline password cracking.

Target: Service Account Passwords

🔓 AS-REP Roasting (T1558.004)

GetNPUsers.py extracting AS-REP hashes from accounts without Kerberos pre-authentication.

Target: No Pre-Auth Accounts

🔨 Offline Password Cracking (T1110.002)

Hashcat and John the Ripper brute-forcing captured NTLM and Kerberos ticket hashes.

Target: Weak Passwords

πŸ“ NTLM Relay Attack (T1557.001)

Responder + ntlmrelayx capturing and relaying authentication to high-value targets.

Target: SMB Signing Disabled

πŸ” Database Brute Force (T1110.001)

Hydra credential stuffing attacks against MySQL root account with weak authentication.

Target: Remote Database Access

🔀 Remote Code Execution (T1021.002)

Impacket psexec.py and wmiexec.py for authenticated remote command execution via SMB.

Target: Lateral Movement

🌐 RDP Session Hijacking (T1563.002)

Exploiting unrestricted RDP access and disabled NLA to hijack executive sessions.

Target: Domain Admin Sessions

🔑 Pass-the-Hash (T1550.002)

CrackMapExec using captured NTLM hashes for authentication without cracking passwords.

Target: Credential Reuse

🔄 DCSync Attack (T1003.006)

secretsdump.py leveraging DCSync rights to dump all domain password hashes from DC01.

Target: Domain Credential Dumping

🎭 Token Impersonation (T1134.001)

JuicyPotato and PrintSpoofer abusing the SeImpersonatePrivilege right to escalate to SYSTEM.

Target: Service Account Escalation

🐚 Web Shell Deployment (T1505.003)

Uploading ASP.NET web shells to IIS wwwroot via weak directory permissions for persistence.

Target: Web Server Backdoor

🔒 Registry Auto-Run (T1547.001)

Creating Run keys so that malicious payloads execute at system startup.

Target: Persistent Access

📀 Data Exfiltration (T1041)

MySQL data dumping and SMB file transfer simulating sensitive data theft via C2 channel.

Target: Database & File Exfiltration

Operational Documentation

Coming Soon

Standard Operating Procedures for attack simulations.

📄