Detecting Active Directory Enumeration


This is another post to document my journey of learning Threat Hunting. In today’s post we’re going to perform threat hunting activities with the aim of hunting for AD domain enumeration.

We’re going to heavily rely on FireEye’s SilkETW and we’ll search for suspicious LDAP queries generated by our endpoints.

SilkETW is a handy wrapper for Event Tracing for Windows (ETW) that will allow us to perform searches and ship to centralised logging platforms like ElasticSearch. ETW is defined by Microsoft as:

Event Tracing for Windows (ETW) is an efficient kernel-level tracing facility that lets you log kernel or application-defined…

This is going to be a quick post on some tips that will make your BloodHound analysis much more fluid and painless 😎. BloodHound is a great tool for both attackers and defenders, but too often people (including myself) only use its top 5% functionalities, leaving a lot of goodies behind.

I’m not inventing anything here, and if you already have experience using BloodHound this may be useless. This is meant to be a collection (and a reminder for myself) of things that I whish I knew from the beginning. …

Original blog post:

Unconstrained Delegation + The Printer Bug = DCSync

Nothing new under the sun, this post is just part of my series of experiments and practice of active directory exploitation. We’re going to exploit the well-known issue of Kerberos Unconstrained Delegation using the Printer Bug.

Will Harmjoy and Co. used this technique to cross the forest boundary in particular scenarios, but since I’m a little boy we’ll start small and care only about the domain context.

The Theory

Today we’re going to see how to exploit unconstrained delegation with the objective of compromising the whole AD domain. But what’s unconstrained delegation?

Well Kerberos is a mess so…

Original blog post:

Today we’re going to make a quick review of the course I recently purchased: Attacking and Defending Active Directory offered by PentesterAcademy. You can find the course here:

The course’s aim is to give the student a basic working knowledge of Active Directory and to present the main security issues related to AD deployments in modern environments such as:

  • Enumeration or how much information you can extract from an AD with regular user privileges (you’ll be surprised!)
  • Privilege escalation or how to get from zero to hero (Domain Admin and beyond)
  • The main concepts for persistence…

The original blog post:

The eLearnSecurity Penetration Testing eXtreme or PTX is the most advanced offensive course offered by eLearnSecurity. You can find the official course page here.
Let me clarify this first, I haven’t completed the course yet (I’m about at 60%) so my opinion on this MAY change over the next few months.

The PTX course is about advanced exploitation concepts in modern environments like (and only?) Active Directory. …

Original blog post:


Today we are going to explore some of the security risks associated with Docker, specifically we are going to examine the consequences of exposing the native Docker API to the external world.
By default when you install docker on a host, you can access the docker API only from the loopback interface. This is great but apparently for some reasons you might want to expose those APIs in order to use some external tool like Portainer. …

Today we are going to chain two nice exploits: Bad PDF and SMB Relay.
We hope to gain a few shells just by tricking a user to open a PDF file, awesome isn’t it?
Let’s see how to make everything work!

You can find the original blog post here:

The Setup

For this test my setup is the following:

  • Windows Server 2012 with Active Directory (
  • Windows 10 Workstation (
  • My machine, which is a simple Ubuntu (
  • Latest version of Adobe Acrobat Reader DC
  • Latest version of Responder


The bad PDF is a recent attack discovered by Checkpoint Security Research Team…

What is this? Another boring post on OSCP?

You can read the original post in my personal blog, check it out!

The material

As you may already know, after you complete the order you receive the material from OffSec:
- A 400 page PDF that guides you through the pentesting process.
- ~8h of video materials, the content is not totally overlapped with the PDF and I stringly advice you to study both.
- A VMWare virtual machine with an installation of Kali (32bit), this machine contains every tool you’ll ever need in order to survive the labs and pass the exam. …

An informal review of one of the top penetration testing certification out there


FIrst of all, what am i going to talk about?

eLearnSecurity Professional Penetration Testing (PTP from now) is a course offered from eLearnSecurity, a company based in Dubai, Santa Clara and… Pisa.
Yeah Pisa always makes me smile, mainly because I am from Florence (the historical enemy of Pisa, you know, Tuscany stuff)
The aim of the course is to take you from a beginner level to a job-ready penetration tester (and that worked pretty well with me ;) ) and eventually obtain the eLearnSecurity Certified Professional Penetration Tester Certification (let’s just call it eCPPT ok!? )

Now you may…

Part 1: Abusing Old Elasticsearch

Today I put my hands on a new toy called Metasploitable3, the successor of Metasploitable2.
For those who don’t know what Metasploitable is, it’s a intentionally vulnerable VM built by Rapid7 for training/testing, you can find it here.

I’m really glad that Rapid7 guys came out with this new (well, months ago)
The older version of metasploitable was just too easy to break, it wasn’t challenging anymore and most of all, it’s Windows based!

The building was pretty easy and straightforward since it’s Vagrant based:

The VM was up and running, that was time to break stuff. The first…

Riccardo Ancarani

Cyber Security & AI enthusiast

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store