Active Directory - Gain Foothold
- Methods of acquiring the first set of credentials

Acquire credentials

OSINT
- Discover info about the target via
  - Questions asked on Stack Overflow
  - Credentials committed to (GitHub) repos
  - Past breaches: haveibeenpwned, DeHashed

Phishing
- Gain credentials via e-mail
NTLM Authenticated Services
- Windows authentication with NetNTLM is a challenge-response protocol: the application passes the challenge and the user's response on to the DC on the user's behalf.
- Such services may be exposed to the Internet, for example
  - Mail exchange, OWA webmail
  - RDP
  - VPN endpoints
  - Web applications using something like SSO via AD
- Use these applications either to brute force / password spray against discovered IDs, or to verify previously acquired IDs and their passwords
LDAP Bind Credentials
- LDAP may be integrated into an AD Forest. An application may verify an LDAP account with the help of AD credentials at the DC.
- Third-party programs may use LDAP, e.g.
  - CUPS
  - VPNs
  - GitLab

LDAP Pass-Back
- After gaining access to a device's config including its LDAP parameters, point the configured LDAP server IP to your own IP. This can often be done via the device's web UI.
- Use an LDAP server to catch the credentials. The server must offer only PLAIN and LOGIN authentication, so that the device falls back to sending the credentials in a readable form.
- OpenLDAP
    dpkg-reconfigure -p low slapd
  * Skip reconfiguration -> No
  * Insert DNS domain and organisation
  * Provide password
  * Select `MDB` as database
  * No removal when db is purged
  * Move old database when creating a new one
  * Downgrade authentication via a `*.ldif` file (here `olcSaslSecProps.ldif`):
      dn: cn=config
      replace: olcSaslSecProps
      olcSaslSecProps: noanonymous,minssf=0,passcred
  * Patch and reload ldap
      sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart
  * Check via
      ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
- Make a pcap via tcpdump
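As an added example (not part of the original notes), a defender-side audit that parses the output of the `ldapsearch ... supportedSASLMechanisms` check above together with an `olcSaslSecProps` value, and reports the settings under which a device's LDAP bind hands its password to whatever server it is pointed at. The LDIF output is constructed sample data.

```python
"""Audit an OpenLDAP server for the SASL downgrade that makes an LDAP pass-back work.

Added example, not code from the original notes. Input is the -LLL output of
`ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms` plus the
server's olcSaslSecProps string.
"""
import re

# SASL mechanisms that transmit the password in a form a rogue server can read directly.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample: what the ldapsearch check returns from a server patched with
# 'noanonymous,minssf=0,passcred' (mechanism list and order vary by build).
SAMPLE_LDIF = """\
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
"""


def parse_sasl_mechanisms(ldif: str) -> set:
    """Collect every supportedSASLMechanisms value from -LLL output."""
    return set(re.findall(r"^supportedSASLMechanisms:\s*(\S+)\s*$", ldif, re.M))


def parse_sec_props(value: str) -> dict:
    """Turn 'noanonymous,minssf=0,passcred' into {'noanonymous': True, 'minssf': '0', ...}."""
    props = {}
    for item in filter(None, (p.strip() for p in value.split(","))):
        key, _, val = item.partition("=")
        props[key] = val if val else True
    return props


def audit(ldif: str, sec_props: str) -> list:
    """Return human-readable findings; an empty list means no pass-back exposure was found."""
    findings = []
    weak = parse_sasl_mechanisms(ldif) & CLEARTEXT_MECHS
    if weak:
        findings.append("server advertises cleartext SASL mechanisms: " + ", ".join(sorted(weak)))
    props = parse_sec_props(sec_props)
    if "noplain" not in props:
        findings.append("olcSaslSecProps is missing 'noplain' (OpenLDAP's default secprops include it)")
    if props.get("minssf", "0") == "0":  # OpenLDAP's default minssf is 0 when omitted
        findings.append("minssf=0 allows binds with no integrity or confidentiality protection")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_LDIF, "noanonymous,minssf=0,passcred"):
        print("FINDING:", line)
```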
Authentication Relay
- Communicating services inside the network verify each other's authentication
- Intercept NTLM hashes sent e.g. via SMB auth, or do a MITM
- Use Responder to poison requests coming from
  - Link-Local Multicast Name Resolution (LLMNR)
  - NetBIOS Name Service (NBT-NS), sent before LLMNR
  - Web Proxy Auto-Discovery (WPAD), finds proxies for future HTTP connections

Capture via Responder
- Run Responder on the LAN via
    sudo responder -I <interface>
- Use hashcat to crack the hashes (mode 5600 is NetNTLMv2)
    hashcat -m 5600 hash.txt rockyou.txt --force

Relay via Responder
- SMB signing must not be enforced (either on or off, as long as it is not required)
- Done after some initial enumeration, and used to gain administrative accounts
Microsoft Deployment Toolkit (MDT)
- Deploy and patch software remotely
- Used in conjunction with Microsoft's System Center Configuration Manager (SCCM)

Preboot Execution Environment (PXE)
- Load and install an OS via the network
- MDT provisions the PXE boot images
- An IP gained via DHCP is the validation step; the PXE image is then delivered by MDT
- Retrieve/enumerate images via TFTP
- Create an admin account after OS installation
- Password scraping to recover AD creds used during OS installation
- Use PowerPXE.ps1 to extract *.bcd files
Configuration Files
- Configurations of services and applications, as well as registry keys
- Use enumeration scripts like winpeas.sh or Seatbelt