# Active Directory - Gain Foothold

* Methods of acquiring the first set of credentials


## Acquire credentials

### OSINT

* Discover information about the target via
    * Questions asked on Stack Overflow
    * Credentials committed to (GitHub) repos
    * Past breaches, [haveIbeenpwned](https://haveibeenpwned.com/), [DeHashed](https://www.dehashed.com/)

### Phishing

* Gain credentials via e-mail

## NTLM Authenticated Services

* Windows authentication via NetNTLM is a challenge-response protocol: the application relays the challenge and the user's response to the DC, which validates them on the user's behalf
* Such services may be exposed to the Internet, for example
    * Mail exchange, OWA webmail
    * RDP
    * VPN endpoints
    * Web applications using something like SSO via AD

* These services can be used to brute-force or password-spray discovered usernames, or to verify previously acquired usernames and passwords
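The defender's counterpart to the above is telling a spray (one source, many accounts, few attempts each) apart from a brute force (one source, one account, many attempts) in the failed-logon stream of exactly these services. The following is an added example, not part of the original notes: the feed format (`<ISO timestamp> <source_ip> <account>`, one failed logon per line) is a constructed simplification of what a SIEM would export from Windows 4625/4776 events or OWA/VPN auth logs, and the thresholds are assumptions to be tuned per environment.

```python
"""Detect password spraying and brute force against NTLM-authenticated services.

Added example (not from the original notes). Feed format and thresholds are
assumptions: one failed logon per line, <ISO timestamp> <source_ip> <account>.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample feed: three sources with three different behaviours.
SAMPLE_FAILED_LOGONS = """\
# spray: one source, six accounts, one attempt each, within two minutes
2024-03-01T09:00:01 203.0.113.7 j.smith
2024-03-01T09:00:14 203.0.113.7 a.jones
2024-03-01T09:00:29 203.0.113.7 m.lee
2024-03-01T09:00:41 203.0.113.7 p.khan
2024-03-01T09:01:02 203.0.113.7 s.oneil
2024-03-01T09:01:20 203.0.113.7 r.adams
# brute force: one source hammering one account
2024-03-01T09:05:00 198.51.100.9 admin
2024-03-01T09:05:05 198.51.100.9 admin
2024-03-01T09:05:10 198.51.100.9 admin
2024-03-01T09:05:15 198.51.100.9 admin
2024-03-01T09:05:20 198.51.100.9 admin
2024-03-01T09:05:25 198.51.100.9 admin
2024-03-01T09:05:30 198.51.100.9 admin
2024-03-01T09:05:35 198.51.100.9 admin
# benign: a user mistyping their own password twice
2024-03-01T09:10:00 192.0.2.5 j.smith
2024-03-01T09:10:20 192.0.2.5 j.smith
"""


def parse_failed_logons(text):
    """Parse the constructed feed into (timestamp, source_ip, account) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, account = line.split()
        events.append((datetime.fromisoformat(ts), src, account.lower()))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=3):
    """Flag sources that fail logons for many distinct accounts inside `window`
    while staying under `max_per_account` per account (the spray signature,
    which per-account lockout thresholds are designed to miss)."""
    by_src = defaultdict(list)
    for ts, src, acct in sorted(events):
        by_src[src].append((ts, acct))
    alerts = []
    for src, items in by_src.items():
        best_accounts, start = 0, 0
        for end in range(len(items)):                       # sliding time window
            while items[end][0] - items[start][0] > window:
                start += 1
            counts = Counter(acct for _, acct in items[start:end + 1])
            if max(counts.values()) <= max_per_account:
                best_accounts = max(best_accounts, len(counts))
        if best_accounts >= min_accounts:
            alerts.append({"source": src, "distinct_accounts": best_accounts})
    return alerts


def detect_brute_force(events, window=timedelta(minutes=10), min_failures=6):
    """Flag (source, account) pairs with many failures on one account inside `window`."""
    per_pair = defaultdict(list)
    for ts, src, acct in sorted(events):
        per_pair[(src, acct)].append(ts)
    alerts = []
    for (src, acct), stamps in per_pair.items():
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_failures:
            alerts.append((src, acct, best))
    return alerts


if __name__ == "__main__":
    evts = parse_failed_logons(SAMPLE_FAILED_LOGONS)
    print("spray:", detect_spray(evts))
    print("brute force:", detect_brute_force(evts))
```

The two detectors deliberately look at different dimensions: `detect_spray` ignores sources that pile attempts onto a single account, and `detect_brute_force` ignores sources that spread attempts thinly, so the benign user with two typos triggers neither.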
    
## LDAP Bind Credentials

* LDAP authentication can be integrated with an AD forest: an application verifies a user's AD credentials by binding to the DC over LDAP.
* Third-party programs that commonly use LDAP:
    * CUPS
    * VPNs
    * GitLab

### LDAP Pass-Back

* After gaining access to a device's configuration that includes its LDAP parameters, point the configured LDAP server address at your own IP. This is often possible through the device's web UI.
* Run an LDAP server that accepts the bind and records the credentials. Only PLAIN and LOGIN authentication may be offered, since those mechanisms send the password in the clear.
    * OpenLDAP:

      ```sh
      dpkg-reconfigure -p low slapd
      ```

    * Skip reconfiguration -> No
    * Insert DNS domain and organisation
    * Provide password
    * Select `MDB` as database
    * No removal when db is purged
    * Move old database when creating a new one
    * Downgrade authentication via an `*.ldif` file:

      ```ldif
      dn: cn=config
      replace: olcSaslSecProps
      olcSaslSecProps: noanonymous,minssf=0,passcred
      ```

    * Patch and reload LDAP:

      ```sh
      sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart
      ```

    * Check via:

      ```sh
      ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
      ```

* Capture the bind in a pcap via `tcpdump`
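The downgrade above works because OpenLDAP's shipped default for `olcSaslSecProps` is `noplain,noanonymous`, and replacing it with `noanonymous,minssf=0,passcred` drops `noplain`, so PLAIN and LOGIN appear in `supportedSASLMechanisms`. The same two artefacts let an administrator audit any LDAP endpoint a device is configured against. The following is an added example, not part of the original notes: it parses the `olcSaslSecProps` value and the LDIF output of the `ldapsearch` check shown above, and reports whether credentials could travel in the clear. Flag semantics follow Cyrus SASL security properties; the sample outputs are constructed.

```python
"""Audit OpenLDAP SASL settings for cleartext credential exposure.

Added example (not from the original notes). Inputs are the olcSaslSecProps
value from cn=config and the LDIF output of
    ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
Sample values below are constructed.
"""

# Mechanisms that put the password itself (PLAIN) or a trivially reversible
# form of it (LOGIN) on the wire when no transport encryption is in place.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

# WEAK_PROPS is the value the pass-back setup installs; DEFAULT_PROPS is
# OpenLDAP's shipped default for olcSaslSecProps.
WEAK_PROPS = "noanonymous,minssf=0,passcred"
DEFAULT_PROPS = "noplain,noanonymous"

# Constructed root-DSE output of the two server states.
WEAK_ROOT_DSE = """\
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
"""

HARDENED_ROOT_DSE = """\
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
"""


def parse_sec_props(value):
    """'noanonymous,minssf=0,passcred' -> ({'noanonymous','passcred'}, {'minssf': 0})"""
    flags, params = set(), {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if "=" in item:                      # numeric property such as minssf=0
            key, val = item.split("=", 1)
            params[key.strip()] = int(val)
        else:                                # boolean flag such as noplain
            flags.add(item)
    return flags, params


def parse_ldif_attr(ldif_text, attr):
    """Collect every value of `attr` from LDIF output, unfolding continuation lines."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:    # LDIF folds long values with a leading space
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    values = []
    for line in lines:
        if ":" in line:
            key, val = line.split(":", 1)
            if key.strip() == attr:
                values.append(val.strip())
    return values


def assess(sec_props, root_dse_ldif):
    """Return (severity, message) findings; an empty or info-only list means no cleartext path."""
    flags, params = parse_sec_props(sec_props)
    offered = set(parse_ldif_attr(root_dse_ldif, "supportedSASLMechanisms"))
    findings = []
    if "noplain" not in flags:
        findings.append(("high", "noplain missing: plaintext SASL mechanisms are permitted"))
    if params.get("minssf", 0) == 0:
        findings.append(("info", "minssf is 0: no security layer is required for binds; "
                                 "rely on noplain and TLS-only listeners"))
    leaky = sorted(offered & CLEARTEXT_MECHS)
    if leaky:
        findings.append(("high", "server advertises cleartext mechanisms: " + ", ".join(leaky)))
    return findings


if __name__ == "__main__":
    for label, props, dse in (("weak", WEAK_PROPS, WEAK_ROOT_DSE),
                              ("hardened", DEFAULT_PROPS, HARDENED_ROOT_DSE)):
        print(label, assess(props, dse))
```

On the device side the corresponding check is simpler: the LDAP URL it is configured with should use `ldaps://` or StartTLS, so that even a PLAIN bind is never visible to whoever controls the server address field.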

## Authentication Relay

* Services inside the network authenticate to each other, and that authentication traffic can be intercepted
* NTLM hashes sent during, for example, `SMB` authentication can be captured, or a MITM position can be used
* Responder poisons name-resolution requests from
    * __Link-Local Multicast Name Resolution__ (LLMNR)
    * __NetBIOS Name Server__ (NBT-NS), sent before LLMNR
    * __Web Proxy Auto-Discovery__ (WPAD), used to find proxies for future HTTP connections
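Because a poisoner answers LLMNR queries for names nobody owns, the cheapest detection is to ask the LAN for a name that cannot exist and treat any answer as suspicious (the approach the usual "Responder detection" canaries take). The following is an added example, not part of the original notes and not code from Responder: it builds the LLMNR query (the DNS wire format on UDP 5355 to 224.0.0.252, per RFC 4795), parses replies, and is exercised offline on a constructed reply of the shape a poisoner sends. The live probe only runs when the script is executed directly on a real network interface.

```python
"""Detect LLMNR poisoning by querying for a name that cannot exist.

Added example (not from the original notes). The reply used for testing is
constructed; the live probe needs a LAN and multicast routing.
"""
import os
import socket
import struct

LLMNR_GROUP = "224.0.0.252"   # IPv4 multicast group LLMNR queries are sent to
LLMNR_PORT = 5355


def encode_name(name):
    """Encode a hostname in DNS label format (LLMNR reuses the DNS wire format)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.strip(".").split("."))
    return out + b"\x00"


def build_llmnr_query(name, txid):
    """LLMNR A-record query: 12-byte header with QDCOUNT=1, then the question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) name starting at `off`."""
    while True:
        length = data[off]                 # IndexError on truncated input; caller handles it
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_llmnr_response(data, txid):
    """Return the IPv4 addresses in a reply that matches our transaction id, else []."""
    if len(data) < 12:
        return []
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not (flags & 0x8000) or ancount == 0:   # QR bit must be set
        return []
    ips = []
    try:
        off = 12
        for _ in range(qdcount):                   # skip the echoed question section
            off = _skip_name(data, off) + 4
        for _ in range(ancount):
            off = _skip_name(data, off)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10
            if rtype == 1 and (rclass & 0x7FFF) == 1 and rdlen == 4:   # A record, class IN
                ips.append(socket.inet_ntoa(data[off:off + 4]))
            off += rdlen
    except (IndexError, struct.error, OSError):    # malformed or truncated packet
        return []
    return ips


def constructed_poisoned_reply(txid, name, ip):
    """Constructed sample of a poisoner's reply: QR set, question echoed, and one
    A record whose name is a pointer (0xC00C) back to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton(ip)
    return header + question + answer


def probe(timeout=2.0):
    """Ask the LAN for a random name; any answer is a host claiming names it does not own."""
    name = "probe-" + os.urandom(3).hex()
    txid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    hits = []
    try:
        sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _) = sock.recvfrom(2048)
            ips = parse_llmnr_response(data, txid)
            if ips:
                hits.append((src, ips))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    for src, ips in probe():
        print(f"suspicious LLMNR answer from {src}: {ips}")
```

The transaction-id check matters: on a busy segment the socket also receives unrelated LLMNR traffic, and only a reply carrying our id and the QR bit is evidence that someone answered a name that does not exist. The durable fix is to disable LLMNR and NBT-NS via group policy and to require SMB signing, which removes both the poisoning vector and the relay target.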

### Capture via responder

* Run responder on LAN via
```sh
sudo responder -I <interface>
```
* Use `hashcat` to crack the captured NetNTLMv2 hashes (mode 5600)
```sh
hashcat -m 5600 hash.txt rockyou.txt --force
```

### Relay via responder

* `SMB` signing must not be required on the target: it may be enabled or disabled, but not enforced
* Usually done after some initial enumeration, with the aim of obtaining administrative accounts

## Microsoft Deployment Toolkit (MDT)

* Used to deploy and patch software remotely
* Used in conjunction with Microsoft's System Center Configuration Manager (SCCM)

### Preboot Execution Environment (PXE)

* [Read this](https://www.riskinsight-wavestone.com/en/2020/01/taking-over-windows-workstations-pxe-laps/)

* Loads and installs an OS over the network
* `MDT` provisions the PXE boot images
* Obtaining an IP via `DHCP` is the only validation step; the PXE image is then delivered by `MDT`
* Retrieve/enumerate images via `TFTP`

* Create an admin account after OS installation
* Password scraping to recover AD creds used during OS installation

* Use `PowerPXE.ps1` to extract `*.bcd` files


## Configuration Files

* Configuration files of services and applications, as well as registry keys, may store credentials
* Use enumeration scripts like `winPEAS` or `Seatbelt` to find them