killchain-compendium/Cryptography/Active Directory/AD Gaining Foothold.md


Active Directory - Gain Foothold

  • Methods of acquiring the first set of credentials

Acquire credentials

OSINT

  • Discover info about the target via

Phishing

Create documents with Greenwolf's ntlm_theft.

ntlm_theft is an open-source Python 3 tool that generates 21 different types of hash-theft documents. These can be used for phishing when either the target allows SMB traffic to leave their network, or when you are already inside the internal network.

Deliver the documents via e-mail, shares with SMB write permissions and so on to capture credentials.

NTLM Authenticated Services

  • NetNTLM is a challenge-response protocol: the application server issues a challenge, the client answers with a response derived from the user's password hash, and the application forwards both to the DC for validation on the user's behalf

  • Such services may be exposed to the Internet, for example

    • Mail exchange (OWA webmail)
    • RDP
    • VPN endpoints
    • Web applications using SSO via AD
  • Use these applications either to brute force / password spray against discovered user IDs, or to verify previously acquired IDs and their passwords

LDAP Bind Credentials

  • LDAP may be integrated into an AD forest: an application verifies a user by binding to the DC over LDAP with AD credentials.
  • Third-party programs that may use LDAP this way include
    • CUPS
    • VPNs
    • GitLab

LDAP Pass-Back

  • After gaining access to a device's configuration including its LDAP parameters (often via a web UI), change the configured LDAP server address to an IP you control.
  • Run an LDAP server on that IP to catch the credentials. It must advertise only the PLAIN and LOGIN mechanisms, otherwise the device will not send the password in clear text.
    • OpenLDAP: reconfigure slapd via
      dpkg-reconfigure -p low slapd
      • Skip reconfiguration -> No
      • Insert DNS domain and organisation
      • Provide password
      • Select MDB as database
      • No removal when db is purged
      • Move old database when creating a new one
    • Downgrade authentication via a *.ldif file (e.g. olcSaslSecProps.ldif):
      dn: cn=config
      changetype: modify
      replace: olcSaslSecProps
      olcSaslSecProps: noanonymous,minssf=0,passcred

Apply the change and restart slapd

sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart

Check which mechanisms the server now advertises via

ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
  • Capture the incoming bind as a pcap via tcpdump
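The same ldapsearch check is useful from the other side: an administrator can confirm that no LDAP server in the environment advertises clear-text mechanisms. As an added example (not part of these notes), a small Python audit that parses the rootDSE output of the ldapsearch command above, handling LDIF line folding, and flags PLAIN/LOGIN; the two sample dumps are constructed.

```python
import re

# Constructed sample of what `ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms`
# prints on a slapd whose olcSaslSecProps were downgraded to minssf=0 without noplain
# (PLAIN and LOGIN become advertised). Not captured output.
DOWNGRADED_ROOTDSE = """\
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: NTLM
"""

# Constructed sample for a server with the default "noplain,noanonymous" properties;
# one value is folded across two lines, as LDIF output may be.
HARDENED_ROOTDSE = """\
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: SCRAM-SHA-
 256
supportedSASLMechanisms: GSSAPI
"""

# Mechanisms that transmit the bind password in clear text over a non-TLS connection
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def unfold_ldif(text: str) -> list[str]:
    """Join LDIF continuation lines: a line beginning with a space continues the previous one."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def supported_sasl_mechanisms(ldif: str) -> list[str]:
    """Extract every advertised SASL mechanism from a rootDSE LDIF dump."""
    mechs = []
    for line in unfold_ldif(ldif):
        m = re.match(r"supportedSASLMechanisms:\s*(\S+)", line, re.IGNORECASE)
        if m:
            mechs.append(m.group(1).upper())
    return mechs


def cleartext_mechanisms(ldif: str) -> list[str]:
    """Return the advertised mechanisms that expose the bind password in clear text."""
    return [m for m in supported_sasl_mechanisms(ldif) if m in CLEARTEXT_MECHS]


if __name__ == "__main__":
    for name, dump in (("downgraded", DOWNGRADED_ROOTDSE), ("hardened", HARDENED_ROOTDSE)):
        weak = cleartext_mechanisms(dump)
        print(f"{name}: {'WEAK ' + ','.join(weak) if weak else 'ok'}")
```

Against a live server, feed the real ldapsearch output to cleartext_mechanisms(); a non-empty result on a production directory means a device configured with LDAP pass-back would hand over its bind password in clear text.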

Authentication Relay

  • Services inside the network authenticate to each other as they communicate
  • Intercept the NetNTLM responses sent, for example, during SMB authentication, or perform a MITM
  • Responder poisons name-resolution requests from
    • Link-Local Multicast Name Resolution (LLMNR)
    • NetBIOS Name Server (NBT-NS), sent before LLMNR
    • Web Proxy Auto-Discovery (WPAD), which finds proxies for future HTTP connections

Capture via responder

  • Run Responder on the LAN via
    sudo responder -I <interface>
  • Use hashcat to crack the captured NetNTLMv2 hashes (mode 5600)
    hashcat -m 5600 hash.txt rockyou.txt --force

Relay via responder

  • SMB signing must not be required on the target; "enabled but not required" and "disabled" both allow relaying
  • Done after some initial enumeration, with the aim of gaining administrative accounts

Microsoft Deployment Toolkit (MDT)

  • Deploys and patches software remotely
  • Used in conjunction with Microsoft's System Center Configuration Manager (SCCM)

Preboot Execution Environment (PXE)

  • Loads and installs an OS over the network
  • MDT provisions the PXE boot images
  • The client first obtains an IP via DHCP; the DHCP/PXE response then points it at the MDT server, which delivers the boot image
  • Retrieve/enumerate the images via TFTP
  • Create an admin account after the OS installation
  • Scrape the image for the AD credentials used during OS installation
  • Use PowerPXE.ps1 to parse the retrieved *.bcd files and locate the boot images

Configuration Files

  • Configuration files of services and applications, as well as registry keys, may contain credentials
  • Use enumeration scripts such as winPEAS or Seatbelt to find them