killchain-compendium/misc/active_directory/gaining_foothold_AD.md

117 lines
3.6 KiB
Markdown
Raw Normal View History

2022-06-20 00:09:28 +02:00
# Active Directory - Gain Foothold
* Methods of aquiring the first set of credentials
## Aquire credentials
### OSINT
* Discover info about the target via
* Questions asked on Stack Overflow
* Credentials set in (github) repos
* Past breaches, [haveIbeenpwned](https://haveibeenpwned.com/), [DeHashed](https://www.dehashed.com/)
### Phishing
* Gain credentials via eMail
## NTLM Authenticated Services
* Windows Authentication on NetNTLM is a Challenge-Response protocol used to deliver a challenge and the result on behalf of a user -- through the application -- to the DC
* These may be exposed to the Internet. For example
* Mail exchange, OWA webmail
* RDP
* VPN endpoints
* Web applications using something like SSO via AD
* Use these applications to either brute force / spraying passwords to found IDs or to verify previously aquired IDs and their passwords
## LDAP Bind Credentials
* LDAP may be integrated into an AD Forest. An application may verify an LDAP account with the help of AD credentials at the DC.
* Third party programs may use LDAP like
* CUPS
* VPNs
* gitlab
### LDAP Pass-Back
* After gaining access to a device's config including LDAP parameters, reroute its IP to your own IP. This may be done via web UIs.
* Use an LDAP server to catch the credentials. Only PLAIN and LOGIN authentication must be allowed in order to gain the credentials.
* OpenLDAP
```sh
dpkg-reconfigure -p low slapd
```
* Skip reconfiguration -> No
* Insert DNS domain and organisation
* Provide password
* Select `MDB` as database
* No removal when db is purged
* Move old database when creating a new one
* Downgrade authentication via `*.ldif` file
```sh
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
```
* Patch and reload ldap
```sh
sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart
```
* Check via
```sh
ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
```
* Make pcap via tcdump
## Authentication Relay
* Communcating services inside the network verify authentication of each other
* Intercept NTLM hashes send for example via `SMB` auth, or do a MITM
* Use responder poisons requests gained from
* __Link-Local Multicast Name Resolution__ (LLMNR)
* __NetBIOS Name Server__ (NBT-NS), send before LLMNR
* __Web Proxy Auto-Discovery__ (WPAD), finds proxies for future HTTP connections
### Capture via responder
2022-09-11 22:12:05 +02:00
2022-06-20 00:09:28 +02:00
* Run responder on LAN via
```sh
sudo responder -I <interface>
```
* Use `hashcat` to crack the hashes
```sh
hashcat -m 5600 hash.txt rockyout.txt --force
```
### Relay via responder
* `SMB` signing must not be enforced, either on or off
* Done after some intial enumeration and to gain administrative accounts
## Microsoft Deployment Toolkit (MDT)
* Deploy and patch software remotely
* Used in conjuction with Microsoft's System Center Configuration Manager (SCCM)
### Preboot Execution Environment (PXE)
* [Read this](https://www.riskinsight-wavestone.com/en/2020/01/taking-over-windows-workstations-pxe-laps/)
* Load and install OS via network
* `MDT` provisions PXE boot images
* An IP gained via `DHCP` is the validation step, PXE will be delivered by `MDT`
* Retrieve/enumerate images via `TFTP`
* Create an admin account after OS installation
* Password scraping to recover AD creds used during OS installation
* Use `PowerPXE.ps1` to extract `*.bcd` files
## Configuration Files
* Configurations of services and applications as well as registry keys
* Use enumeration scripts like `winpeas.sh` or `seatbelt`