7MS #446: Certified Red Team Professional - Part 2

Today's episode continues part 1 of our series on the Certified Red Team Professional certification. Key points from today's episode include:

• It's probably a better idea to run Bloodhound on your local machine so you don't crush the student VM's resources

• Running Invoke-Command is one of my new favorite things. Check this post for a bunch of cheatsheet tips for running commands in PowerShell against other hosts.

• Silver, gold and skeleton key attacks in AD - are they awesome? Yes? Do I see myself using those in short-term pentest enagements? Meh.

• Wanna build a home lab to do some of these fun pentest stuff? Our buddy k3nundrum in Slack recommended we check out this. It looks awesome. And the devs of the tool have a video on it here.

• When you're popping shells and privs all over the place in the lab, it can be confusing to figure out which machines you have what privileges on. I like using the klist command. Or, from a mimikatz prompt, try kerberos::list /export.