
# Zephyr

## <mark style="color:cyan;">Certification of Completion</mark>

<figure><img src="/files/R0bG5JOmskpEAPK2kEvu" alt=""><figcaption></figcaption></figure>

Zephyr is a Pro Lab centred on Active Directory, trust relationships and pivoting under network (firewall) restrictions. It does include some web and Linux hacking, but only in a few very specific spots.\
As someone who really enjoys everything related to Active Directory, I liked it a lot... although honestly I expected something considerably more challenging overall.

What sets it apart from other Pro Labs is not so much the isolated technical difficulty of each machine but the **context**: an environment that is Active Directory end to end, with firewalls that genuinely constrain your movement.

***

### <mark style="color:$primary;">Approximate Lab Topology</mark>

You start from the outside, connected via VPN to a DMZ. From there, a first pivot leads you into an internal network with a full domain, including its Domain Controller (DC), workstations, and servers.

From that domain, there is a cross-forest trust to another domain, which in turn has a parent-child trust with its child domain. In total, around 5 pivoting hops in increasingly restrictive environments.

<figure><img src="/files/blC1K6BDd7CUB31ZvdHD" alt="" width="347"><figcaption><p>All computers to be compromised</p></figcaption></figure>

<figure><img src="/files/OMZTHyWaLRa4fiIcmTGx" alt=""><figcaption><p>Laboratory Infrastructure</p></figcaption></figure>

### <mark style="color:$primary;">Skills You Should Master Before Attempting It</mark>

To face Zephyr, you need to be comfortable with how the main components, mechanisms, and workflows of Active Directory work. You don’t need to be an expert in AD, but the fundamentals should be second nature. If any of the following areas feel vague, study them first:

<table><thead><tr><th>Area</th><th align="center">Difficulty in Zephyr</th><th valign="middle">Where to practise</th></tr></thead><tbody><tr><td>AD enumeration</td><td align="center"><strong>low</strong></td><td valign="middle">HTB machines: Forest, Active, Sauna</td></tr><tr><td>Kerberoasting / AS-REP Roasting</td><td align="center"><strong>low</strong></td><td valign="middle">HTB: Sauna, Vulnlab: Shinra</td></tr><tr><td>ACL abuse</td><td align="center"><strong>medium</strong></td><td valign="middle">HTB: Object, BloodHound Community Edition labs</td></tr><tr><td>NTLM relay attacks</td><td align="center"><strong>medium</strong></td><td valign="middle">HTB: Driver, OSCP PG: Hutch</td></tr><tr><td>Pivoting with Ligolo-ng</td><td align="center"><strong>high</strong></td><td valign="middle">Dante ProLab (recommended before Zephyr)</td></tr><tr><td>Cross-domain trusts</td><td align="center"><strong>medium</strong></td><td valign="middle">HTB: Multimaster, RastaLabs ProLab</td></tr><tr><td>MSSQL attacks</td><td align="center"><strong>high</strong></td><td valign="middle">HTB: MedCorp, PentesterLab MSSQL path</td></tr></tbody></table>

***

### <mark style="color:$primary;">Main Tools</mark>

During Zephyr, there is no single dominant tool. Instead, you combine a stack depending on the phase: enumeration, lateral movement, pivoting, and post-exploitation.

#### <mark style="color:$tint;">Enumeration and Analysis</mark>

These are the foundations for understanding the environment before touching anything:

* <mark style="color:orange;">**BloodHound**</mark>: Essential for visualizing Active Directory relationships (users, groups, ACLs, attack paths).
  * Data collection with tools like `bloodhound-python`, `nxc --bloodhound`, `rusthound`, or `rusthound-ce` (especially useful when AD CS is involved).
* <mark style="color:orange;">**ldapsearch**</mark>: Useful for direct LDAP enumeration when you need raw object attributes without abstraction.
* <mark style="color:orange;">**PowerView / powerview\.py**</mark>: Deep domain enumeration: sessions, users, groups, ACLs, trusts, etc. Very useful when you already have code execution in a compromised host context.
* <mark style="color:orange;">**bloodyAD**</mark>: One of the most powerful tools in the lab. It allows you to:
  * Enumerate Security Descriptors (SD)
  * Analyze and abuse ACLs
  * Modify AD object attributes
  * Abuse AD CS, delegations, and misconfigured permissions

It is especially useful because it talks to Active Directory directly over LDAP, with no abstraction layer in between.
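
The "attack path" BloodHound draws is just a shortest path over ACL edges, and it is worth understanding what that computation looks like before relying on it. The block below is an added example written for this page, not code from BloodHound, bloodyAD or the lab: a breadth-first search over a constructed set of edges (the principal names, the graph and the edge-to-primitive mapping are all made up for the illustration, modelled on the usual BloodHound edge names).

```python
from collections import deque

# Edge types that let the holder take over the target object, and the abuse
# primitive each one maps to (assumed mapping, modelled on BloodHound names).
TAKEOVER_EDGES = {
    "GenericAll":          "full control: reset password / add member / shadow credentials",
    "GenericWrite":        "write attributes: targeted Kerberoast or shadow credentials",
    "WriteDacl":           "grant yourself GenericAll on the object, then continue",
    "WriteOwner":          "take ownership, then WriteDacl -> GenericAll",
    "ForceChangePassword": "reset the target user's password",
    "AddMember":           "add yourself to the target group",
    "AddSelf":             "add yourself to the target group",
    "MemberOf":            "implicit: group membership is inherited",
}

# Constructed sample graph (made-up data, not a real domain):
# each tuple is (source, edge_type, target).
SAMPLE_EDGES = [
    ("svc_backup",     "MemberOf",            "IT_SUPPORT"),
    ("IT_SUPPORT",     "GenericWrite",        "helpdesk_admin"),
    ("helpdesk_admin", "ForceChangePassword", "sql_svc"),
    ("sql_svc",        "WriteDacl",           "SERVER_ADMINS"),
    ("SERVER_ADMINS",  "AddMember",           "DOMAIN ADMINS"),
    ("svc_backup",     "GenericAll",          "marketing_user"),   # dead end
    ("marketing_user", "MemberOf",            "MARKETING"),
]


def build_graph(edges):
    """Adjacency list: node -> list of (edge_type, target)."""
    graph = {}
    for src, kind, dst in edges:
        if kind not in TAKEOVER_EDGES:
            continue            # ignore edge types we do not know how to abuse
        graph.setdefault(src, []).append((kind, dst))
    return graph


def find_path(edges, start, goal):
    """Shortest chain of abusable edges from `start` to `goal`, or None.

    Returns a list of (node, edge_type, next_node) steps. BFS is enough:
    every edge costs the same, so the first visit of `goal` is a shortest path.
    """
    graph = build_graph(edges)
    queue = deque([start])
    parent = {start: None}          # node -> (previous_node, edge_type)
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for kind, nxt in graph.get(node, []):
            if nxt not in parent:   # first visit == shortest
                parent[nxt] = (node, kind)
                queue.append(nxt)
    if goal not in parent:
        return None
    # Walk the parent pointers back from goal to start.
    steps = []
    cur = goal
    while parent[cur] is not None:
        prev, kind = parent[cur]
        steps.append((prev, kind, cur))
        cur = prev
    steps.reverse()
    return steps


def describe(path):
    """Human-readable plan: one line per hop, with the abuse primitive to use."""
    return [f"{src} -[{kind}]-> {dst}: {TAKEOVER_EDGES[kind]}" for src, kind, dst in path]


if __name__ == "__main__":
    path = find_path(SAMPLE_EDGES, "svc_backup", "DOMAIN ADMINS")
    for line in describe(path):
        print(line)
```

The useful habit this encodes: when BloodHound shows a five-hop path, each hop is a concrete primitive (password reset, group add, DACL write) that you will have to execute with bloodyAD or Impacket, and the path is only as good as the edge types the collector actually understood. The dead-end branch through `marketing_user` is there to show that GenericAll on the wrong object buys nothing.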

#### <mark style="color:$tint;">Lateral Movement and Remote Execution</mark>

* <mark style="color:orange;">**NetExec (nxc)**</mark>: Probably the most versatile tool in the lab:
  * SMB / WinRM / MSSQL / FTP / SSH / LDAP enumeration
  * Remote command execution
  * Credential/hash dumping
  * NTLM coercion
  * BloodHound ingestion support
* <mark style="color:orange;">**Impacket suite**</mark>: Essential toolkit for Kerberos and lateral movement:
  * TGT / TGS requests (`getTGT.py`, `getST.py`) and ticket forging (`ticketer.py`: Silver / Golden Tickets)
  * Pass-the-Hash / Pass-the-Ticket
  * S4U2Self / S4U2Proxy (`getST.py -impersonate`)
  * Delegation abuse and other Kerberos attacks
  * SMB / MSSQL / WinRM access

#### <mark style="color:$tint;">Pivoting and Traffic Capture</mark>

* <mark style="color:orange;">**Ligolo-ng (key tool in the lab)**</mark>: This was the main tool I used. Depending on the situation you route a whole segment (`x.x.x.0/24`) or a single host (`x.x.x.x/32`); routing only what you need keeps the tunnel predictable. Typical flow:
  * Create tunnel interface (`interface_create`)
  * Add routes to new subnets (`add_route`)
  * Start tunnel (`tunnel_start`)
  * Add listener (`listener_add`)
* <mark style="color:orange;">**Responder**</mark>: Network poisoning for capturing NTLM authentications.
* <mark style="color:orange;">**tcpdump**</mark>: Traffic capture for later analysis in Wireshark.

#### <mark style="color:$tint;">Remote Execution and Shells</mark>

* <mark style="color:orange;">**evil-winrm / evil-winrm-py**</mark>: WinRM access when valid credentials are available.
* <mark style="color:orange;">**psexec / smbexec (Impacket) / wmiexec / wmiexec2**</mark>: Remote execution with administrative context.
* <mark style="color:orange;">**nc64.exe (Netcat)**</mark>: Simple but effective alternative for stable reverse shells or basic AV bypass scenarios.

#### <mark style="color:$tint;">Post-Exploitation and Credential Dumping</mark>

* <mark style="color:orange;">**Secretsdump (Impacket) / Mimikatz / nxc / donPAPI / Seatbelt**</mark>: The focus here is not just privilege escalation, but harvesting as many reusable credentials as possible from each host:
  * LSASS dumping
  * SAM / SYSTEM / NTDS extraction
  * DPAPI extraction
  * Browser-stored credentials
  * Autologon / scripts / scheduled tasks

***

### <mark style="color:$primary;">Advanced Pivoting</mark>

One of the most distinctive aspects of Zephyr is pivoting—not because of extreme technical complexity, but because of the context in which it takes place. Although the number of hops is not higher than Dante (around 5), the environment is significantly more restrictive.

You start to encounter things like:

* Realistic network segmentation: domains, subdomains, and forests.
* Firewalls between subnets that actively shape lateral movement.
* The need to understand which ports are actually reachable from each compromised host.
* The role of network interfaces (NICs) and how they define pivoting possibilities.
* Progressive discovery of internal networks as compromise expands.

In addition, the use of multiple pivot agents becomes constant. It is not enough to just "have a working tunnel": you need to adjust it dynamically, understand what traffic is flowing through it, identify which ports are allowed, and rebuild routes and listeners as you progress. This often means changing the CIDR you route and the IP mappings of your listeners depending on the situation.

***

### <mark style="color:$primary;">Main Techniques</mark>

| Area                                                                                   | Main concepts and techniques                                                                                                                                                                                                       |
| -------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| <mark style="color:yellow;">**Deep domain enumeration**</mark>                         | <p>• Users, groups, and descriptions</p><p>• ACLs and permissions</p><p>• OUs and organizational structure</p><p>• Object attributes</p><p>• Delegations and implicit relationships</p>                                            |
| <mark style="color:yellow;">**Relay attacks and NTLM abuse**</mark>                    | <p>• Capturing NTLM hashes on the network<br>• Using UNC paths to force authentication<br>• Responder and Inveigh in isolated environments<br>• Preparing tooling offline (Impacket, static binaries)</p>                         |
| <mark style="color:yellow;">**Trusts and cross-domain lateral movement**</mark>        | <p>• Abuse of trusts<br>• Parent-child trusts<br>• Forest trusts<br>• Trust accounts<br>• Inter-realm Golden Tickets<br>• SID History injection</p>                                                                                |
| <mark style="color:yellow;">**Kerberos abuse**</mark>                                  | <p>• Kerberoasting (classic, and via an account with pre-authentication disabled)<br>• AS-REP Roasting<br>• Delegations (S4U2Self / S4U2Proxy)<br>• Shadow Credentials<br>• Silver Tickets<br>• Golden Tickets</p>                 |
| <mark style="color:yellow;">**ACL abuse**</mark>                                       | <p>• GenericWrite / GenericAll<br>• AddMember / AddSelf<br>• ForceChangePassword<br>• WriteDACL<br>• Permission chaining for escalation</p>                                                                                        |
| <mark style="color:yellow;">**MSSQL attacks**</mark>                                   | <p>• TRUSTWORTHY abuse<br>• Linked servers<br>• User impersonation<br>• Data extraction from databases</p>                                                                                                                         |
| <mark style="color:yellow;">**Credential exfiltration and dumping**</mark>             | <p>• DPAPI<br>• SAM / LSASS / NTDS<br>• System (LSA) secrets<br>• Browser-stored credentials<br>• Autologon and scripts<br>• Scheduled tasks</p>                                                                                   |
| <mark style="color:yellow;">**AV and firewall bypass**</mark>                          | <p>• Disable Defender / AMSI<br>• Modify or disable the firewall<br>• Add exclusions for our offensive tools<br>• Enable services (RDP, SMB, WinRM)</p>                                                                            |

{% hint style="info" %}
It is worth noting that Zephyr includes machines with Defender enabled, but they are not particularly restrictive or up to date, so tools like `nc64.exe` will often be your best ally for reverse shells.\
\
Similarly, a C2 framework is not strictly required, but you can optionally rely on tools like Metasploit / Meterpreter for dumping, exploitation, or tunneling tasks.
{% endhint %}

***

### <mark style="color:$primary;">Lessons Learned</mark>

With Zephyr, I was able to apply a wide range of Active Directory techniques: ACL abuse, delegation attacks, Kerberos abuse, cross-domain trusts, MSSQL exploitation, relay attacks, and lateral movement.\
However, most of these concepts were already part of my day-to-day knowledge, so the technical difficulty itself did not feel particularly high, and in some ways I found it “easy.”

Where I **truly struggled** and got stuck was pivoting under network segmentation and firewall restrictions.\
Personally, this was the most valuable part, and the one that most differs from simplified scenarios found in standalone machines or smaller labs.

When you deploy an agent on a compromised machine that is useful as a pivot, that machine typically has two network interfaces:

* The first is the interface you came in through: the physical or virtual NIC that already had connectivity to you, via the VPN or a previous agent.
* The second sits in a different subnet and is what makes the pivot possible: through it you reach hosts that were not routable before.

A **NIC** (*Network Interface Card*) is the physical or virtual component that connects a system to a network. Each interface has an IP address belonging to a specific subnet, and this membership determines how other systems interpret the traffic source (for example, whether it is considered “internal” or “external”).

The issue arises when you compromise a machine that has a single NIC in one subnet (for example, `172.12.1.0/24`) yet can still talk to another subnet (`172.12.2.0/24`) without having an interface in it: it reaches that network through routing, not through membership.

In these scenarios, internal firewall policies come into play, either local or pushed via GPO, that restrict access to certain ports and services when the connection does not originate from an address inside the expected subnet. In other words, traffic may be blocked simply because the source machine does not "belong" to that network through a NIC assigned to it, even though the packets arrive.

This leads to situations where you must first compromise a machine that does have a valid NIC inside the target subnet (`172.12.2.0/24`), so that the rest of the domain and systems treat it as a trusted internal host. Only then can lateral movement and pivoting continue effectively.
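
To make the NIC-versus-routing point concrete, and the `/24` versus `/32` route choice mentioned under Ligolo-ng, here is an added example written for this page (not tooling from the lab or from Ligolo-ng). It models a handful of compromised hosts with their interfaces and a source-subnet firewall policy of the kind a GPO would push, then decides from which host a given target port is reachable and what CIDR to hand to the pivot tool. Hosts, addresses and the policy are constructed; the example also assumes every segment is a /24.

```python
from ipaddress import ip_network

# Constructed inventory: compromised hosts and the interfaces they have.
HOSTS = {
    "WS01":  ["10.10.110.20"],                  # DMZ only, single NIC
    "SRV01": ["10.10.110.30", "172.12.1.10"],   # dual-homed: DMZ + internal
    "SRV02": ["172.12.1.50"],                   # internal, single NIC
    "SRV03": ["172.12.1.60", "172.12.2.10"],    # dual-homed: internal + restricted
}

# Constructed firewall policy: for each destination subnet, which source
# subnets may reach which TCP ports. Anything not listed is dropped.
# A destination subnet with no entry (here the DMZ) is treated as unrestricted.
POLICY = {
    "172.12.1.0/24": {
        "10.10.110.0/24": {445, 5985},                  # DMZ -> internal: SMB and WinRM only
        "172.12.1.0/24":  {22, 445, 1433, 3389, 5985},  # internal -> internal: everything
    },
    "172.12.2.0/24": {
        "172.12.1.0/24": {445},                         # internal -> restricted: SMB only
        "172.12.2.0/24": {445, 1433, 3389, 5985},       # restricted -> restricted: everything
    },
}


def subnet_of(ip: str) -> str:
    """Assumes every segment in this lab is a /24 (an assumption of the example)."""
    return str(ip_network(f"{ip}/24", strict=False))


def allowed(src_ip: str, dst_ip: str, port: int) -> bool:
    """Would the policy let src_ip reach dst_ip:port?"""
    rules = POLICY.get(subnet_of(dst_ip))
    if rules is None:
        return True                      # unlisted destination subnet: no restrictions
    return port in rules.get(subnet_of(src_ip), set())


def candidate_pivots(dst_ip: str, port: int):
    """Every (host, source_interface) pair from which dst_ip:port is reachable."""
    hits = []
    for host, ifaces in HOSTS.items():
        for iface in ifaces:
            if allowed(iface, dst_ip, port):
                hits.append((host, iface))
    return hits


def route_for(dst_ip: str, whole_subnet: bool = False) -> str:
    """CIDR to route through the agent: /32 for one host, /24 for the whole segment."""
    return subnet_of(dst_ip) if whole_subnet else f"{dst_ip}/32"


def plan(dst_ip: str, port: int):
    """Pick the pivot host. Prefer one with a NIC inside the target subnet: the policy
    treats it as internal, so it is the one that will also work for the next port."""
    hits = candidate_pivots(dst_ip, port)
    if not hits:
        return None
    hits.sort(key=lambda h: subnet_of(h[1]) != subnet_of(dst_ip))   # same-subnet first
    host, iface = hits[0]
    return {"pivot": host, "via": iface, "route": route_for(dst_ip)}


if __name__ == "__main__":
    # SMB into the restricted subnet works from the internal hosts...
    print(plan("172.12.2.20", 445))
    # ...but WinRM only works from SRV03, the host with a NIC in 172.12.2.0/24.
    print(plan("172.12.2.20", 5985))
    print(plan("172.12.2.20", 22))       # nobody: the port is not opened for any source
```

The check that saves the most time in practice is the negative one: before rebuilding tunnels because "WinRM is not answering", confirm whether the port is reachable from *any* interface you currently own. If the only interfaces that pass are in the target subnet, the next objective is a foothold on a host that has one, not another listener.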

