diff --git a/Cryptography/Active Directory/AD Gaining Foothold.md b/Cryptography/Active Directory/AD Gaining Foothold.md index 50f9330..d1c5e9a 100644 --- a/Cryptography/Active Directory/AD Gaining Foothold.md +++ b/Cryptography/Active Directory/AD Gaining Foothold.md @@ -2,7 +2,6 @@ * Methods of aquiring the first set of credentials - ## Aquire credentials ### OSINT @@ -12,9 +11,13 @@ * Credentials set in (github) repos * Past breaches, [haveIbeenpwned](https://haveibeenpwned.com/), [DeHashed](https://www.dehashed.com/) -### Phishing +### Phishing -* Gain credentials via eMail +[Create files for using Greenwolf's NTLM theft](https://github.com/Greenwolf/ntlm_theft). + +>ntlm_theft is an Open Source Python3 Tool that generates 21 different types of hash theft documents. These can be used for phishing when either the target allows smb traffic outside their network, or if you are already inside the internal network. + +Gain credentials via eMail, smb write permissions and so on. ## NTLM Authenticated Services @@ -26,7 +29,7 @@ * Web applications using something like SSO via AD * Use these applications to either brute force / spraying passwords to found IDs or to verify previously aquired IDs and their passwords - + ## LDAP Bind Credentials * LDAP may be integrated into an AD Forest. An application may verify an LDAP account with the help of AD credentials at the DC. 
@@ -40,29 +43,37 @@ * After gaining access to a device's config including LDAP parameters, reroute its IP to your own IP. This may be done via web UIs. * Use an LDAP server to catch the credentials. Only PLAIN and LOGIN authentication must be allowed in order to gain the credentials. * OpenLDAP + ```sh dpkg-reconfigure -p low slapd ``` - * Skip reconfiguration -> No - * Insert DNS domain and organisation - * Provide password - * Select `MDB` as database - * No removal when db is purged - * Move old database when creating a new one - * Downgrade authentication via `*.ldif` file + +* Skip reconfiguration -> No +* Insert DNS domain and organisation +* Provide password +* Select `MDB` as database +* No removal when db is purged +* Move old database when creating a new one +* Downgrade authentication via `*.ldif` file + ```sh dn: cn=config replace: olcSaslSecProps olcSaslSecProps: noanonymous,minssf=0,passcred ``` - * Patch and reload ldap + +Patch and reload ldap + ```sh sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart ``` - * Check via + +Check via + ```sh ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms ``` + * Make pcap via tcdump ## Authentication Relay @@ -77,10 +88,13 @@ ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms ### Capture via responder * Run responder on LAN via + ```sh sudo responder -I ``` + * Use `hashcat` to crack the hashes + ```sh hashcat -m 5600 hash.txt rockyout.txt --force ``` @@ -109,7 +123,6 @@ hashcat -m 5600 hash.txt rockyout.txt --force * Use `PowerPXE.ps1` to extract `*.bcd` files - ## Configuration Files * Configurations of services and applications as well as registry keys
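Review bot: the heading `## Aquire credentials` and the bullet `* Methods of aquiring the first set of credentials`, kept as context in the first hunk, are misspelled; since this hunk already edits that region, correct them to `## Acquire credentials` and `acquiring` (the same typo, `aquired`, recurs in the `## NTLM Authenticated Services` context of the third hunk).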
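Review bot: the blockquote added under `### Phishing` (`>ntlm_theft is an Open Source Python3 Tool ...`) reproduces the description from the linked Greenwolf repository without saying so; label it as a quote from that README and put a space after `>` so it renders as a blockquote everywhere. The link text `Create files for using Greenwolf's NTLM theft` reads awkwardly and `smb` / `eMail` should be `SMB` / `email`. The quoted sentence also carries the defensive point worth stating in the bullet itself: these documents only disclose a hash when the victim host can reach the SMB listener, so outbound SMB being blocked at the perimeter is what decides whether the external phishing variant works at all.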
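Review bot: the second fenced block in the LDAP hunk (`dn: cn=config` ... `olcSaslSecProps: noanonymous,minssf=0,passcred`) is LDIF, not shell, so tag the fence `ldif` (or `text`) instead of `sh`, and name the file it is saved as next to it, since the following command assumes `./olcSaslSecProps.ldif`. Promoting the sub-steps to top-level bullets loses the fact that they are steps of the `* OpenLDAP` item: `Patch and reload ldap` and `Check via` are now bare prose lines sitting between bullets. Either keep the steps indented under `* OpenLDAP` (fenced blocks render inside a list item when indented to the item's text) or give the OpenLDAP setup its own `###` heading. Add a sentence explaining why `minssf=0` is needed: it lets the server accept SASL mechanisms with no integrity protection, so the capture only works against clients that bind without LDAPS or a protected mechanism, which is the client-side setting that defeats it. Finally, `tcdump` in the trailing context line should be `tcpdump`.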
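Review bot: `sudo responder -I` in the Authentication Relay hunk is incomplete, since Responder's `-I` option takes an interface name; write `sudo responder -I <interface>`. In the hashcat line, `rockyout.txt` is a typo for `rockyou.txt`, and `--force` only silences hashcat's warnings (typically about an unsupported OpenCL/CUDA device), so it should not appear as a default in these notes; drop it or say why it is needed. Since `-m 5600` is the NetNTLMv2 mode, state that beside the command so the reader knows which captured hash format it expects.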