Active Directory - Gain Foothold

• Methods of aquiring the first set of credentials

Aquire credentials

OSINT

• Discover info about the target via
  • Questions asked on Stack Overflow
  • Credentials set in (github) repos
  • Past breaches, haveIbeenpwned, DeHashed

Phishing

• Gain credentials via eMail

NTLM Authenticated Services

• Windows Authentication on NetNTLM is a Challenge-Response protocol used to deliver a challenge and the result on behalf of a user -- through the application -- to the DC

• These may be exposed to the Internet. For example

  • Mail exchange, OWA webmail
  • RDP
  • VPN endpoints
  • Web applications using something like SSO via AD

• Use these applications to either brute force / spraying passwords to found IDs or to verify previously aquired IDs and their passwords

LDAP Bind Credentials

• LDAP may be integrated into an AD Forest. An application may verify an LDAP account with the help of AD credentials at the DC.
• Third party programs may use LDAP like
  • CUPS
  • VPNs
  • gitlab

LDAP Pass-Back

• After gaining access to a device's config including LDAP parameters, reroute its IP to your own IP. This may be done via web UIs.
• Use an LDAP server to catch the credentials. Only PLAIN and LOGIN authentication must be allowed in order to gain the credentials.
  • OpenLDAP

dpkg-reconfigure -p low slapd

* Skip reconfiguration -> No
* Insert DNS domain and organisation
* Provide password
* Select `MDB` as database
* No removal when db is purged
* Move old database when creating a new one
* Downgrade authentication via `*.ldif` file

dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred

* Patch and reload ldap

sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart

* Check via

ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms

• Make pcap via tcdump

Authentication Relay

• Communcating services inside the network verify authentication of each other
• Intercept NTLM hashes send for example via SMB auth, or do a MITM
• Use responder poisons requests gained from
  • Link-Local Multicast Name Resolution (LLMNR)
  • NetBIOS Name Server (NBT-NS), send before LLMNR
  • Web Proxy Auto-Discovery (WPAD), finds proxies for future HTTP connections

Capture via responder

• Run responder on LAN via

sudo responder -I <interface>

• Use hashcat to crack the hashes

hashcat -m 5600 hash.txt rockyout.txt --force

Relay via responder

• SMB signing must not be enforced, either on or off
• Done after some intial enumeration and to gain administrative accounts

Microsoft Deployment Toolkit (MDT)

• Deploy and patch software remotely
• Used in conjuction with Microsoft's System Center Configuration Manager (SCCM)

Preboot Execution Environment (PXE)

• Read this

• Load and install OS via network

• MDT provisions PXE boot images
• An IP gained via DHCP is the validation step, PXE will be delivered by MDT

• Retrieve/enumerate images via TFTP

• Create an admin account after OS installation

• Password scraping to recover AD creds used during OS installation

• Use PowerPXE.ps1 to extract *.bcd files

Configuration Files

• Configurations of services and applications as well as registry keys
• Use enumeration scripts like winpeas.sh or seatbelt