killchain-compendium/misc/active_directory/gaining_foothold_AD.md

# Active Directory - Gain Foothold

* Methods of aquiring the first set of credentials


## Aquire credentials

### OSINT

* Discover info about the target via
    * Questions asked on Stack Overflow
    * Credentials set in (github) repos
    * Past breaches, [haveIbeenpwned](https://haveibeenpwned.com/), [DeHashed](https://www.dehashed.com/)

### Phishing 

* Gain credentials via eMail

## NTLM Authenticated Services

* Windows Authentication on NetNTLM is a Challenge-Response protocol used to deliver a challenge and the result on behalf of a user -- through the application -- to the DC 
* These may be exposed to the Internet. For example
    * Mail exchange, OWA webmail
    * RDP
    * VPN endpoints
    * Web applications using something like SSO via AD

* Use these applications to either brute force / spraying passwords to found IDs or to verify previously aquired IDs and their passwords 
    
## LDAP Bind Credentials

* LDAP may be integrated into an AD Forest. An application may verify an LDAP account with the help of AD credentials at the DC.
* Third party programs may use LDAP like
    * CUPS
    * VPNs
    * gitlab

### LDAP Pass-Back

* After gaining access to a device's config including LDAP parameters, reroute its IP to your own IP. This may be done via web UIs.
* Use an LDAP server to catch the credentials. Only PLAIN and LOGIN authentication must be allowed in order to gain the credentials.
    * OpenLDAP
```sh
dpkg-reconfigure -p low slapd
```
    * Skip reconfiguration -> No
    * Insert DNS domain and organisation
    * Provide password
    * Select `MDB` as database
    * No removal when db is purged
    * Move old database when creating a new one
    * Downgrade authentication via `*.ldif` file
```sh
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
```
    * Patch and reload ldap
```sh
sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart
```
    * Check via
```sh
ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
```
* Make pcap via tcdump

## Authentication Relay

* Communcating services inside the network verify authentication of each other
* Intercept NTLM hashes send for example via `SMB` auth, or do a MITM
* Use responder poisons requests gained from 
    * __Link-Local Multicast Name Resolution__ (LLMNR)
    * __NetBIOS Name Server__ (NBT-NS), send before LLMNR
    * __Web Proxy Auto-Discovery__ (WPAD), finds proxies for future HTTP connections

### Capture via responder

* Run responder on LAN via
```sh
sudo responder -I <interface>
```
* Use `hashcat` to crack the hashes
```sh
hashcat -m 5600 hash.txt rockyout.txt --force
```

### Relay via responder

* `SMB` signing must not be enforced, either on or off
* Done after some intial enumeration and to gain administrative accounts

## Microsoft Deployment Toolkit (MDT)

* Deploy and patch software remotely
* Used in conjuction with Microsoft's System Center Configuration Manager (SCCM)

### Preboot Execution Environment (PXE)

* [Read this](https://www.riskinsight-wavestone.com/en/2020/01/taking-over-windows-workstations-pxe-laps/)

* Load and install OS via network
* `MDT` provisions PXE boot images
* An IP gained via `DHCP` is the validation step, PXE will be delivered by `MDT`
* Retrieve/enumerate images via `TFTP`

* Create an admin account after OS installation
* Password scraping to recover AD creds used during OS installation

* Use `PowerPXE.ps1` to extract `*.bcd` files


## Configuration Files

* Configurations of services and applications as well as registry keys
* Use enumeration scripts like `winpeas.sh` or `seatbelt`
bump 2022-06-20 00:09:28 +02:00			`# Active Directory - Gain Foothold`

			`* Methods of aquiring the first set of credentials`


			`## Aquire credentials`

			`### OSINT`

			`* Discover info about the target via`
			`* Questions asked on Stack Overflow`
			`* Credentials set in (github) repos`
			`* Past breaches, [haveIbeenpwned](https://haveibeenpwned.com/), [DeHashed](https://www.dehashed.com/)`

			`### Phishing`

			`* Gain credentials via eMail`

			`## NTLM Authenticated Services`

			`* Windows Authentication on NetNTLM is a Challenge-Response protocol used to deliver a challenge and the result on behalf of a user -- through the application -- to the DC`
			`* These may be exposed to the Internet. For example`
			`* Mail exchange, OWA webmail`
			`* RDP`
			`* VPN endpoints`
			`* Web applications using something like SSO via AD`

			`* Use these applications to either brute force / spraying passwords to found IDs or to verify previously aquired IDs and their passwords`

			`## LDAP Bind Credentials`

			`* LDAP may be integrated into an AD Forest. An application may verify an LDAP account with the help of AD credentials at the DC.`
			`* Third party programs may use LDAP like`
			`* CUPS`
			`* VPNs`
			`* gitlab`

			`### LDAP Pass-Back`

			`* After gaining access to a device's config including LDAP parameters, reroute its IP to your own IP. This may be done via web UIs.`
			`* Use an LDAP server to catch the credentials. Only PLAIN and LOGIN authentication must be allowed in order to gain the credentials.`
			`* OpenLDAP`
			```sh
			`dpkg-reconfigure -p low slapd`
			```
			`* Skip reconfiguration -> No`
			`* Insert DNS domain and organisation`
			`* Provide password`
			* Select `MDB` as database
			`* No removal when db is purged`
			`* Move old database when creating a new one`
			* Downgrade authentication via `*.ldif` file
			```sh
			`dn: cn=config`
			`replace: olcSaslSecProps`
			`olcSaslSecProps: noanonymous,minssf=0,passcred`
			```
			`* Patch and reload ldap`
			```sh
			`sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart`
			```
			`* Check via`
			```sh
			`ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms`
			```
			`* Make pcap via tcdump`

			`## Authentication Relay`

			`* Communcating services inside the network verify authentication of each other`
			* Intercept NTLM hashes send for example via `SMB` auth, or do a MITM
			`* Use responder poisons requests gained from`
			`* __Link-Local Multicast Name Resolution__ (LLMNR)`
			`* __NetBIOS Name Server__ (NBT-NS), send before LLMNR`
			`* __Web Proxy Auto-Discovery__ (WPAD), finds proxies for future HTTP connections`

			`### Capture via responder`
bump 2022-09-11 22:12:05 +02:00
bump 2022-06-20 00:09:28 +02:00			`* Run responder on LAN via`
			```sh
			`sudo responder -I <interface>`
			```
			* Use `hashcat` to crack the hashes
			```sh
			`hashcat -m 5600 hash.txt rockyout.txt --force`
			```

			`### Relay via responder`

			* `SMB` signing must not be enforced, either on or off
			`* Done after some intial enumeration and to gain administrative accounts`

			`## Microsoft Deployment Toolkit (MDT)`

			`* Deploy and patch software remotely`
			`* Used in conjuction with Microsoft's System Center Configuration Manager (SCCM)`

			`### Preboot Execution Environment (PXE)`

			`* [Read this](https://www.riskinsight-wavestone.com/en/2020/01/taking-over-windows-workstations-pxe-laps/)`

			`* Load and install OS via network`
			* `MDT` provisions PXE boot images
			* An IP gained via `DHCP` is the validation step, PXE will be delivered by `MDT`
			* Retrieve/enumerate images via `TFTP`

			`* Create an admin account after OS installation`
			`* Password scraping to recover AD creds used during OS installation`

			* Use `PowerPXE.ps1` to extract `*.bcd` files


			`## Configuration Files`

			`* Configurations of services and applications as well as registry keys`
			* Use enumeration scripts like `winpeas.sh` or `seatbelt`