# Active Directory - Gain Foothold

* Methods of acquiring the first set of credentials

## Acquire credentials

### OSINT

* Discover info about the target via
  * Questions asked on Stack Overflow
  * Credentials set in (github) repos
  * Past breaches, [haveIbeenpwned](https://haveibeenpwned.com/), [DeHashed](https://www.dehashed.com/)

### Phishing

[Create files for using Greenwolf's NTLM theft](https://github.com/Greenwolf/ntlm_theft).

> ntlm_theft is an Open Source Python3 Tool that generates 21 different types of hash theft documents. These can be used for phishing when either the target allows smb traffic outside their network, or if you are already inside the internal network.

Gain credentials via eMail, smb write permissions and so on.

## NTLM Authenticated Services

* Windows authentication with NetNTLM is a challenge-response protocol: the application relays the challenge and the user's response on behalf of the user to the DC, which validates it
* These may be exposed to the Internet. For example
  * Mail exchange, OWA webmail
  * RDP
  * VPN endpoints
  * Web applications using something like SSO via AD
* Use these applications either to brute force / spray passwords against discovered IDs or to verify previously acquired IDs and their passwords

## LDAP Bind Credentials

* LDAP may be integrated into an AD Forest. An application may verify an LDAP account with the help of AD credentials at the DC.
* Third party programs may use LDAP, for example
  * CUPS
  * VPNs
  * gitlab

### LDAP Pass-Back

* After gaining access to a device's config including LDAP parameters, change the configured LDAP server address to your own IP. This may be done via web UIs.
* Use an LDAP server to catch the credentials. Only PLAIN and LOGIN authentication must be allowed in order to receive the credentials in cleartext.
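The "NTLM Authenticated Services" section notes that Internet-facing OWA, RDP, VPN and SSO portals are where password spraying lands. From the defender's side the same services produce the logs that reveal it: one source touching many accounts with one or two failures each, which per-account lockout thresholds never catch. The following is an added example and not code from the original notes; the log format, the source IPs and the thresholds are constructed assumptions for this example.

```python
"""Detect password spraying against an NTLM-authenticated service (OWA, VPN, SSO)
from authentication logs.

Added example for the 'NTLM Authenticated Services' section; not code from the
original page. The log format, IP addresses and thresholds are constructed
assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: ISO timestamp, source IP, user, outcome).
# 203.0.113.10 sprays five accounts once each and then logs in as frank;
# 198.51.100.7 hammers a single account, which is a different pattern.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.10 user=alice result=FAIL
2024-05-01T10:00:05Z src=203.0.113.10 user=bob result=FAIL
2024-05-01T10:00:09Z src=203.0.113.10 user=carol result=FAIL
2024-05-01T10:00:14Z src=203.0.113.10 user=dave result=FAIL
2024-05-01T10:00:20Z src=203.0.113.10 user=erin result=FAIL
2024-05-01T10:00:26Z src=203.0.113.10 user=frank result=SUCCESS
2024-05-01T10:01:00Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:01:03Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:01:07Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:01:12Z src=198.51.100.7 user=alice result=SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, source IP, user, result)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["src"], kv["user"], kv["result"]


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {src_ip: {...}} for sources whose failed logins within `window`
    touch at least `min_users` distinct accounts with at most `max_per_user`
    failures each (the low-and-slow spray pattern). A burst of failures against
    one account is not reported; that is brute force, not spraying.
    Accounts the same source later authenticated to are listed for reset."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))

    findings = {}
    for src, evs in by_src.items():
        fails = [(ts, u) for ts, u, r in evs if r == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until it spans at most `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, u in fails[start:end + 1]:
                per_user[u] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                successes = sorted({u for _, u, r in evs if r == "SUCCESS"})
                findings[src] = {"users_tried": sorted(per_user), "successes": successes}
                break
    return findings


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(f"spray from {src}: tried {info['users_tried']}, "
              f"later succeeded as {info['successes']}")
```

The window and thresholds are the tuning knobs: a real spray often waits longer than a lockout observation window between rounds, so run the detector over hours rather than minutes and key on the source IP or, behind a proxy, on the client fingerprint the service logs.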
* OpenLDAP

  ```sh
  dpkg-reconfigure -p low slapd
  ```

  * Skip reconfiguration -> No
  * Insert DNS domain and organisation
  * Provide password
  * Select `MDB` as database
  * No removal when db is purged
  * Move old database when creating a new one
* Downgrade authentication via an `*.ldif` file

  ```ldif
  dn: cn=config
  changetype: modify
  replace: olcSaslSecProps
  olcSaslSecProps: noanonymous,minssf=0,passcred
  ```

  Patch and reload ldap

  ```sh
  sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart
  ```

  Check via

  ```sh
  ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
  ```

* Make a pcap via tcpdump to capture the credentials

## Authentication Relay

* Communicating services inside the network verify each other's authentication
* Intercept NTLM hashes sent for example via `SMB` auth, or do a MITM
* Use responder to poison requests gained from
  * __Link-Local Multicast Name Resolution__ (LLMNR)
  * __NetBIOS Name Server__ (NBT-NS), sent before LLMNR
  * __Web Proxy Auto-Discovery__ (WPAD), finds proxies for future HTTP connections

### Capture via responder

* Run responder on LAN via

  ```sh
  sudo responder -I <interface>
  ```

* Use `hashcat` to crack the hashes

  ```sh
  hashcat -m 5600 hash.txt rockyou.txt --force
  ```

### Relay via responder

* `SMB` signing must not be enforced; it may be enabled or disabled, but not required
* Done after some initial enumeration and to gain administrative accounts

## Microsoft Deployment Toolkit (MDT)

* Deploy and patch software remotely
* Used in conjunction with Microsoft's System Center Configuration Manager (SCCM)

### Preboot Execution Environment (PXE)

* [Read this](https://www.riskinsight-wavestone.com/en/2020/01/taking-over-windows-workstations-pxe-laps/)
* Load and install OS via network
* `MDT` provisions PXE boot images
* An IP gained via `DHCP` is the validation step, PXE will be delivered by `MDT`
* Retrieve/enumerate images via `TFTP`
* Create an admin account after OS installation
* Password scraping to recover AD creds used during OS installation
* Use `PowerPXE.ps1` to extract `*.bcd` files

## Configuration Files

* Configurations of services and applications as well as registry keys
* Use enumeration scripts like `winpeas.sh` or `seatbelt`
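The "Relay via responder" section states the one condition an NTLM relay depends on: SMB signing that is enabled or disabled but not required. A defender verifies the opposite across the fleet, and the place the server declares this is the SecurityMode field of its SMB2 NEGOTIATE response. The following is an added example, not code from the original notes: it parses constructed NEGOTIATE responses (built by `build_negotiate_response`, an assumed helper for this example) and classifies the host. It sends no traffic; feeding it a real capture would only require the response bytes.

```python
"""Classify a host's NTLM-relay exposure from its SMB2 NEGOTIATE response.

Added example for the 'Relay via responder' section; not code from the page.
The responses are constructed byte strings, not captures; nothing is sent.
Field layout follows MS-SMB2: 64-byte header, then NEGOTIATE response body with
StructureSize (65), SecurityMode and DialectRevision as its first fields.
"""
import struct

SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED


def build_negotiate_response(security_mode, dialect=0x0302):
    """Construct a minimal NEGOTIATE response (header + first body fields) for
    exercising the parser; real responses carry more fields after the dialect."""
    header = b"\xfeSMB" + struct.pack(
        "<HHIHHIIQIIQ16s",
        64,                          # StructureSize
        0,                           # CreditCharge
        0,                           # Status
        SMB2_NEGOTIATE,              # Command
        1,                           # CreditResponse
        SMB2_FLAGS_SERVER_TO_REDIR,  # Flags: this is a response
        0,                           # NextCommand
        0,                           # MessageId
        0,                           # Reserved
        0,                           # TreeId
        0,                           # SessionId
        b"\x00" * 16,                # Signature
    )
    body = struct.pack("<HHH", 65, security_mode, dialect)
    return header + body


def parse_security_mode(packet):
    """Return (signing_enabled, signing_required) from an SMB2 NEGOTIATE response."""
    if len(packet) < SMB2_HEADER_LEN + 6 or packet[:4] != b"\xfeSMB":
        raise ValueError("not an SMB2 message")
    command, = struct.unpack_from("<H", packet, 12)
    flags, = struct.unpack_from("<I", packet, 16)
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    struct_size, security_mode, _dialect = struct.unpack_from("<HHH", packet, SMB2_HEADER_LEN)
    if struct_size != 65:
        raise ValueError("unexpected NEGOTIATE response structure size")
    return bool(security_mode & SIGNING_ENABLED), bool(security_mode & SIGNING_REQUIRED)


def relay_exposure(packet):
    """'protected' when signing is required; otherwise the host accepts unsigned
    sessions and a relayed authentication would be honoured."""
    enabled, required = parse_security_mode(packet)
    if required:
        return "protected"
    return "exposed-enabled" if enabled else "exposed-disabled"


if __name__ == "__main__":
    # Constructed cases: a DC-style host, a default member server, and signing off.
    for label, mode in [("dc", SIGNING_ENABLED | SIGNING_REQUIRED),
                        ("member", SIGNING_ENABLED),
                        ("legacy", 0)]:
        print(label, relay_exposure(build_negotiate_response(mode)))
```

Domain controllers require signing by default, which is why relays are usually aimed at member servers and workstations that only advertise SIGNING_ENABLED; the fix for an "exposed" result is the `RequireSecuritySignature` policy on those hosts, after which the parser reports "protected".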