THM-Breaching Active Directory-Writeup
This network covers techniques and tools that can be used to acquire that first set of AD credentials that can then be used to enumerate AD.
Find This Room: Breaching Active Directory
Introduction:
Active Directory (AD) is used by approximately 90% of the Global Fortune 1000 companies. If an organization’s estate uses Microsoft Windows, you are almost guaranteed to find AD. Before we can exploit AD misconfigurations for privilege escalation, lateral movement, and goal execution, we need initial access first: an initial set of valid AD credentials. Due to the number of AD services and features, there are many different ways to gain AD credentials. In this room, we will discuss several avenues for obtaining AD credentials.
OSINT and Phishing:
Two popular methods for gaining access to that first set of AD credentials are Open Source Intelligence (OSINT) and phishing. OSINT is used to discover information that has been publicly disclosed; by using OSINT techniques, it may be possible to recover publicly disclosed credentials. Phishing is another excellent method to breach AD. Phishing usually entices users either to provide their credentials on a malicious web page or to run a specific application that installs a Remote Access Trojan (RAT) in the background.
NTLM Authenticated Services:
New Technology LAN Manager (NTLM) is the suite of security protocols used to authenticate users’ identities in AD. NTLM can be used for authentication by using a challenge-response-based scheme called NetNTLM. This authentication mechanism is heavily used by the services on a network. However, services that use NetNTLM can also be exposed to the internet. Some examples are…
- Internally-hosted Exchange (Mail) servers that expose an Outlook Web App (OWA) login portal.
- Remote Desktop Protocol (RDP) service of a server being exposed to the internet.
- Exposed VPN endpoints that were integrated with AD.
- Web applications that are internet-facing and make use of NetNTLM.
These exposed services provide an excellent location to test credentials discovered using other means. However, these services can also be used directly in an attempt to recover an initial set of valid AD credentials.
To begin, I first spun up the room, which contained an environment with Active Directory already configured. I then configured my DNS to point at the domain controller of the AD environment.
After configuring DNS, I noticed there was a web app hosted at http://ntlmauth.za.tryhackme.com. After visiting the site, you can see it is asking for Windows authentication credentials.
After finding this info I downloaded a password sprayer script along with a username txt file and ran the script.
As you can see, I was able to find 4 passwords with a simple password spray attack. Now, to confirm that a password is correct, we need to log in to the web app.
The login was successful and we got a little message to show our login was valid.
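A password spray is easy to see from the defender's side once failed logons are grouped by source rather than by account: one host touching many accounts once or twice each in a short window is the inverse of a brute force against a single user. The following is an added example, not code from the write-up or from TryHackMe; it runs over constructed records shaped like Event ID 4625 exports (timestamp, event id, target user, source IP), and that column layout is an assumption rather than any product's real schema.

```python
"""Password-spray detection over constructed Windows logon-failure records.

Added example, not part of the original write-up. A spray touches many
accounts a few times each from one source, so grouping failed logons by
source and counting distinct target users in a sliding window separates
it from an ordinary brute force against a single account. The records
below are constructed samples shaped like Event ID 4625 exports
(timestamp, event id, target user, source IP); that layout is an
assumption, not a real product's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_SOURCE = "10.50.1.20"  # constructed address of the spraying host

# Constructed sample: 12 accounts tried once each from one host, then a
# three-attempt brute force against a single account from another host,
# then one successful logon (4624) that must be ignored.
SAMPLE_LOG = "\n".join(
    f"2023-04-01T09:00:{i:02d}Z 4625 za\\user{i:02d} {SPRAY_SOURCE}" for i in range(12)
) + """
2023-04-01T09:05:00Z 4625 za\\bob 10.50.2.7
2023-04-01T09:05:10Z 4625 za\\bob 10.50.2.7
2023-04-01T09:05:20Z 4625 za\\bob 10.50.2.7
2023-04-01T09:06:00Z 4624 za\\alice 10.50.3.3
"""


def parse_events(text):
    """Return (timestamp, user, source_ip) for every failed logon (4625)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, src = line.split()
        if event_id != "4625":
            continue  # successful logons (4624) are not part of the signal
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user.lower(), src))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Map source IP -> sorted target users for sources whose failures hit at
    least `min_users` distinct accounts with no more than `max_per_user`
    attempts each inside any `window`-long span."""
    by_source = defaultdict(list)
    for ts, user, src in events:
        by_source[src].append((ts, user))
    findings = {}
    for src, attempts in by_source.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            counts = defaultdict(int)
            for ts, user in attempts[i:]:
                if ts - start > window:
                    break
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                findings[src] = sorted(counts)
                break
    return findings


if __name__ == "__main__":
    for src, users in detect_spray(parse_events(SAMPLE_LOG)).items():
        print(f"possible password spray from {src}: {len(users)} accounts targeted")
```

The thresholds are deliberately loose: a spray that stays under the lockout policy will, by design, never trip a per-account counter, so the per-source distinct-user count is the signal worth alerting on, and it applies equally to OWA, RDP and VPN logon failures as long as the source address survives into the event.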
LDAP Bind Credentials:
Another method of AD authentication that applications can use is Lightweight Directory Access Protocol (LDAP) authentication. LDAP authentication is similar to NTLM authentication. However, with LDAP authentication, the application directly verifies the user’s credentials. The application has a pair of AD credentials that it can use first to query LDAP and then verify the AD user’s credentials. LDAP authentication is a popular mechanism with third-party applications that integrate with AD. These include applications and systems such as:
- Gitlab
- Jenkins
- Custom-developed web applications
- Printers
- VPNs
However, one other very interesting attack can be performed against LDAP authentication mechanisms, called an LDAP Pass-back attack. This is a common attack against network devices, such as printers, when you have gained initial access to the internal network, such as plugging in a rogue device in a boardroom. For the next example we will be performing an LDAP Pass-back attack.
The network has a printer on it and it is being hosted on http://printer.za.tryhackme.com/settings.aspx.
So we have the username, but not the password. However, when we press test settings, we can see that an authentication request is made to the domain controller to test the LDAP credentials. We can’t just use normal Netcat to harvest the credentials due to the security of the authentication. We will need to create a rogue LDAP server and configure it insecurely to ensure the credentials are sent in plaintext. There are several ways to host a rogue LDAP server, but we will use OpenLDAP for this example.
After going through the prompts and creating our server, we need to make it vulnerable by downgrading the supported authentication mechanisms. We want to ensure that our LDAP server only supports the PLAIN and LOGIN authentication methods. To do this, we need to create a new ldif file:
After that we can patch our server using the following command:
After that is completed, it’s time to do some network sniffing on the standard LDAP port, 389. After I started tcpdump, I went ahead and tested the settings on the printer that is located on the server. Doing this, I was able to see the credentials being transferred in cleartext.
We can see the password is tryhackmeldappass1@ and the user is svcLDAP.
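The reason the password is readable in the capture is the bind type, not a weakness in tcpdump or the printer: an LDAP simple bind carries the password as a plain OCTET STRING, and the SASL PLAIN and LOGIN mechanisms carry it inside the SASL credentials, so once a server offers only those mechanisms the secret crosses port 389 unprotected. The following is an added example, not code from the write-up, TryHackMe or OpenLDAP: a small BER decoder that walks a stream of LDAP BindRequests and flags the ones that expose a credential, which is the check a network sensor or a firewall team would run to find devices still binding in the clear. The byte stream is constructed with the encoder in the same file, and the DN and password are invented values.

```python
"""Flag LDAP binds that would expose a credential on an unencrypted connection.

Added example, not part of the original write-up and not OpenLDAP code.
An LDAP BindRequest is BER-encoded; a simple bind carries the password as
a plain OCTET STRING and the SASL PLAIN and LOGIN mechanisms carry it
inside the SASL credentials, which is why tcpdump on port 389 shows the
service-account password once the server only offers those mechanisms.
GSSAPI or DIGEST-MD5 binds, or any bind inside LDAPS/StartTLS, do not
leak it. The byte stream below is constructed with the encoder in this
file; the DN and password are invented values.
"""


def _tlv(tag, payload):
    """Encode one BER tag/length/value (definite lengths only)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + payload


def _read_tlv(buf, pos):
    """Return (tag, payload, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_bind_request(msgid, name, simple_password=None, sasl_mechanism=None, sasl_credentials=b""):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] }; msgid must be < 128."""
    if simple_password is not None:
        auth = _tlv(0x80, simple_password.encode())               # authentication.simple [0]
    else:
        auth = _tlv(0xA3, _tlv(0x04, sasl_mechanism.encode())     # authentication.sasl [3]
                    + _tlv(0x04, sasl_credentials))
    bind = _tlv(0x60, _tlv(0x02, b"\x03") + _tlv(0x04, name.encode()) + auth)
    return _tlv(0x30, _tlv(0x02, bytes([msgid])) + bind)


def parse_bind_requests(stream):
    """Walk a stream of LDAPMessages and describe every BindRequest in it."""
    out, pos = [], 0
    while pos < len(stream):
        tag, msg, pos = _read_tlv(stream, pos)
        if tag != 0x30:
            continue
        _, msgid, p = _read_tlv(msg, 0)
        op_tag, op, _ = _read_tlv(msg, p)
        if op_tag != 0x60:
            continue  # some other protocolOp (search, modify, ...)
        _, version, p = _read_tlv(op, 0)
        _, name, p = _read_tlv(op, p)
        auth_tag, auth, _ = _read_tlv(op, p)
        entry = {"msgid": int.from_bytes(msgid, "big"), "version": version[0],
                 "name": name.decode(), "method": "unknown", "secret": ""}
        if auth_tag == 0x80:
            entry.update(method="simple", secret=auth.decode())
        elif auth_tag == 0xA3:
            _, mech, q = _read_tlv(auth, 0)
            creds = b""
            if q < len(auth):
                _, creds, _ = _read_tlv(auth, q)
            entry.update(method="sasl", mechanism=mech.decode(), secret=creds.decode(errors="replace"))
        out.append(entry)
    return out


CLEARTEXT_SASL = {"PLAIN", "LOGIN"}


def cleartext_credential_findings(stream, tls=False):
    """(msgid, name, reason) for binds whose secret crosses the wire readable.
    `tls` models a connection already protected by LDAPS or StartTLS."""
    if tls:
        return []
    findings = []
    for b in parse_bind_requests(stream):
        if b["method"] == "simple" and b["secret"]:
            findings.append((b["msgid"], b["name"], "simple bind sends the password in the clear"))
        elif b["method"] == "sasl" and b["mechanism"].upper() in CLEARTEXT_SASL:
            findings.append((b["msgid"], b["name"], f"SASL {b['mechanism']} sends the password in the clear"))
    return findings


# Constructed capture: four binds as they would appear on TCP/389.
SAMPLE_STREAM = b"".join([
    build_bind_request(1, "cn=svc-printer,dc=example,dc=com", simple_password="ConstructedPass1"),
    build_bind_request(2, "", sasl_mechanism="PLAIN", sasl_credentials=b"\x00svc-printer\x00ConstructedPass1"),
    build_bind_request(3, "", sasl_mechanism="GSSAPI", sasl_credentials=b"\x60\x06\x06\x04\x01\x02\x03\x04"),
    build_bind_request(4, "", simple_password=""),  # anonymous bind, nothing to leak
])

if __name__ == "__main__":
    for msgid, name, reason in cleartext_credential_findings(SAMPLE_STREAM):
        print(f"message {msgid} bind as {name!r}: {reason}")
```

The mitigation follows directly from the check: a device whose LDAP client accepts whatever mechanism the server offers will happily fall back to PLAIN, so the device should be pinned to LDAPS (port 636) or StartTLS, and the domain controllers should require LDAP signing and channel binding so that an unprotected simple bind is refused rather than answered.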
Authentication Relays:
For this task, we will focus on NetNTLM authentication used by SMB. The Server Message Block (SMB) protocol allows clients to communicate with a server. In networks that use Microsoft AD, SMB governs everything from inter-network file-sharing to remote administration. However, the security of earlier versions of the SMB protocol was deemed insufficient. Several vulnerabilities and exploits were discovered that could be leveraged to recover credentials or even gain code execution on devices. In this task, we will take a look at the authentication that occurs during the use of SMB. We will use Responder to attempt to intercept the NetNTLM challenge to crack it.
I first started responder and set the network interface to the local network:
After that I had to wait for an SMBv2 connection, which Responder can use to entice and extract an NTLMv2-SSP response. After a few minutes I got what I was looking for.
After getting the response I saw that it was still in a hashed form. Our next step is to take the hash and create a file for it.
After creating the file, I used hashcat to crack the hash using a password word list. The following command is hashcat -m 5600 <hash file> <password file> --force, where 5600 is the hashcat hash type that corresponds to NTLMv2-SSP. After typing the command I was able to crack the hash.
The cracked password is FPassword1!
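The line Responder prints is more than an opaque hash: its format is USER::DOMAIN:server_challenge:NTProofStr:blob, and the blob is the NTLMv2 client-challenge structure from MS-NLMP, carrying a FILETIME, the client's 8-byte nonce and the AV_PAIR list that the server placed in its CHALLENGE message. Those AV pairs name the machine that issued the challenge, which is why a defender who captures these responses (from a network sensor, not a cracking rig) can tell a challenge answered to a real domain controller from one answered to a rogue listener. The following is an added example, not code from the write-up, TryHackMe, Responder or hashcat; the sample lines are constructed with the builder in the same file, the NTProofStr value is a placeholder rather than a real HMAC-MD5, and the usernames and host names are invented.

```python
"""Decode a NetNTLMv2 (hashcat mode 5600) line into its fields.

Added example, not part of the original write-up. The line Responder
prints is USER::DOMAIN:server_challenge:NTProofStr:blob. Everything after
the NTProofStr is the NTLMv2_CLIENT_CHALLENGE blob from MS-NLMP: a
FILETIME, the 8-byte client nonce and the AV_PAIR list the server put in
its CHALLENGE message. The sample lines are constructed; the NTProofStr
value is a placeholder, not a real HMAC-MD5.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
            9: "TargetName", 10: "ChannelBindings"}
UTF16_AV_IDS = {1, 2, 3, 4, 5, 9}


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def build_blob(when, client_challenge, av_pairs):
    """Assemble an NTLMv2 blob (used here only to construct sample input)."""
    av = b"".join(struct.pack("<HH", av_id, len(v)) + v for av_id, v in av_pairs)
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", datetime_to_filetime(when))
            + client_challenge + b"\x00" * 4 + av + struct.pack("<HH", 0, 0) + b"\x00" * 4)


def parse_netntlmv2_line(line):
    """Split a mode-5600 line and decode the blob's timestamp, nonce and AV pairs."""
    user, _, rest = line.partition("::")
    domain, server_challenge, nt_proof, blob_hex = rest.split(":", 3)
    blob = bytes.fromhex(blob_hex)
    if blob[:2] != b"\x01\x01":
        raise ValueError("not an NTLMv2 response blob")
    (filetime,) = struct.unpack_from("<Q", blob, 8)
    av, pos = {}, 28  # AV pairs start after the 4 reserved bytes that follow the nonce
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == 0:  # MsvAvEOL
            break
        value = blob[pos:pos + av_len]
        pos += av_len
        name = AV_NAMES.get(av_id, f"Unknown{av_id}")
        if av_id in UTF16_AV_IDS:
            av[name] = value.decode("utf-16-le")
        elif av_id == 7:
            av[name] = filetime_to_datetime(struct.unpack("<Q", value)[0])
        elif av_id == 6:
            av[name] = struct.unpack("<I", value)[0]
        else:
            av[name] = value.hex()
    return {"user": user, "domain": domain, "server_challenge": server_challenge.lower(),
            "nt_proof": nt_proof.lower(), "timestamp": filetime_to_datetime(filetime),
            "client_challenge": blob[16:24].hex(), "av_pairs": av}


def challenge_from_untrusted_server(parsed, trusted_dns_domains):
    """True when the AV pairs name a DNS domain outside the trusted set,
    i.e. the challenge was issued by something other than a known DC."""
    trusted = {d.lower() for d in trusted_dns_domains}
    return parsed["av_pairs"].get("DnsDomainName", "").lower() not in trusted


def _utf16(s):
    return s.encode("utf-16-le")


SAMPLE_TIME = datetime(2022, 1, 1, tzinfo=timezone.utc)
_PLACEHOLDER_PROOF = "00" * 16  # constructed, not a real NTProofStr

# Constructed: response to a challenge issued by a legitimate DC (DC01 is invented).
LEGIT_LINE = "svc.example::ZA:1122334455667788:" + _PLACEHOLDER_PROOF + ":" + build_blob(
    SAMPLE_TIME, bytes(range(8)),
    [(2, _utf16("ZA")), (1, _utf16("DC01")), (4, _utf16("za.tryhackme.com")),
     (7, struct.pack("<Q", datetime_to_filetime(SAMPLE_TIME)))]).hex()

# Constructed: the same client answering a challenge from a rogue listener.
ROGUE_LINE = "svc.example::ZA:8877665544332211:" + _PLACEHOLDER_PROOF + ":" + build_blob(
    SAMPLE_TIME, bytes(range(8, 16)),
    [(2, _utf16("ROGUE")), (1, _utf16("ROGUEHOST")), (4, _utf16("rogue.invalid"))]).hex()

if __name__ == "__main__":
    for line in (LEGIT_LINE, ROGUE_LINE):
        p = parse_netntlmv2_line(line)
        print(p["user"], p["timestamp"].isoformat(), p["av_pairs"].get("DnsDomainName"),
              "UNTRUSTED" if challenge_from_untrusted_server(p, {"za.tryhackme.com"}) else "ok")
```

Two things in the decoded structure matter for the defence: the AV pairs come from the server side of the exchange, so a client that authenticated to a rogue listener carries that listener's names in its response; and the NTProofStr is an HMAC over the server challenge plus this blob with a key derived from the user's NT hash, which is exactly why a captured response can be attacked offline with a wordlist and why SMB signing and a strong password policy for service accounts are the controls that blunt it.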
Microsoft Deployment Toolkit:
Large organizations need tools to deploy and manage the infrastructure of the estate. Microsoft Deployment Toolkit (MDT) is a Microsoft service that assists with automating the deployment of Microsoft Operating Systems (OS). Large organizations use services such as MDT to help deploy new images in their estate more efficiently since the base images can be maintained and updated in a central location. Large organizations also like to use PXE boot to allow new devices that are connected to the network to load and install the OS directly over a network connection. MDT can be used to create, manage, and host PXE boot images.
Using the network diagram, I was able to find where the PXE boot files are hosted, along with the BCD files. I went to the following URL: http://pxeboot.za.tryhackme.com
The file we are going to focus on is the one for the x64 architecture. Now we can enumerate and retrieve the PXE boot image. We will be using an SSH connection and the password retrieved in the previous steps. The first step we need to perform is using TFTP to download our BCD file so we can read the configuration of the MDT server. In order to use the TFTP command, I had to use nslookup to see where the files were being stored.
10.200.32.202 is the IP we need to reach.
After getting the IP I initiated a connection to get the BCD file.
With the BCD file now recovered, we will be using powerpxe to read its contents. Powerpxe is a PowerShell script that automatically performs this type of attack. We will use the Get-WimFile function of powerpxe to recover the locations of the PXE Boot images from the BCD file:
I was able to find the boot image folder
After finding the following information I was able to download the image.
Took a few minutes…
Now that we have recovered the PXE Boot image, we can exfiltrate stored credentials. Again we will use powerpxe to recover the credentials, but you could also do this step manually by extracting the image and looking for the bootstrap.ini file.
Found the user id along with the password!
Configuration Files:
The last enumeration avenue we will explore in this network is configuration files. We will focus on recovering credentials from a centrally deployed application in this task. Usually, these applications need a method to authenticate to the domain during both the installation and execution phases. An example of such an application is McAfee Enterprise Endpoint Security. McAfee embeds the credentials used during installation to connect back to the orchestrator in a file called ma.db.
First I connected back to the network via ssh. I then went into the McAfee directory and found the ma.db file.
After that I used scp to download the file to my local machine:
After downloading the file, I used a tool called sqlitebrowser to view the file in a table format.
The 2nd row seemed interesting.
This Auth Passwd field might be the one, but it looks encrypted.
I was able to find the password but sadly it is encrypted. Luckily, McAfee encrypts this field with a known key and I can use a script to do the heavy lifting for me.
Found the password :)
Once again I was able to find the username along with the associated password!
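Both of the last two findings come down to the same control failure: a deployment artifact (the bootstrap.ini inside the PXE image, and the ma.db the agent leaves on every endpoint) ships with a domain credential that anyone who can read the file can recover, in the McAfee case because the field is encrypted with a key that is fixed and known. The following is an added example, not code from the write-up, TryHackMe, Microsoft or McAfee, covering both the MDT passage and the McAfee passage above: an audit that parses a Bootstrap.ini for the credential properties and queries an ma.db-style SQLite database for repositories that store a password. The Bootstrap.ini body is constructed (UserID, UserDomain and UserPassword are real MDT property names; the server and share names are invented), the database is built in memory, and its table name AGENT_REPOSITORIES and columns AUTH_USER/AUTH_PASSWD are assumptions about the real file rather than something the write-up confirms.

```python
"""Audit deployment artifacts for embedded domain credentials.

Added example, not part of the original write-up and not a McAfee or MDT
tool. It covers both artifacts the write-up recovers: an MDT Bootstrap.ini
(UserID, UserDomain and UserPassword are real MDT property names; the
file body is constructed) and a McAfee agent ma.db, modelled here as an
in-memory SQLite table. The table name AGENT_REPOSITORIES and the column
names AUTH_USER/AUTH_PASSWD are assumptions about that database, and the
stored ciphertext is a constructed string, not real McAfee output.
"""
import configparser
import sqlite3

# Constructed Bootstrap.ini; MDTSERVER and the share name are invented.
BOOTSTRAP_INI = """\
[Settings]
Priority=Default

[Default]
DeployRoot=\\\\MDTSERVER\\DeploymentShare$
UserID=svcMDT
UserDomain=ZA
UserPassword=ConstructedMdtPass
SkipBDDWelcome=YES
"""

CREDENTIAL_KEYS = {"userid", "userdomain", "userpassword"}


def mask(secret):
    """Keep the first character so a finding is recognisable without echoing the secret."""
    return secret[:1] + "*" * (len(secret) - 1)


def audit_bootstrap_ini(text):
    """Return (section, key, value) for credential properties; the password is masked."""
    cp = configparser.ConfigParser(interpolation=None)  # no '%' interpolation on paths
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):  # configparser lowercases keys
            if key in CREDENTIAL_KEYS and value:
                findings.append((section, key, mask(value) if key == "userpassword" else value))
    return findings


def build_sample_ma_db():
    """Constructed stand-in for ma.db; the schema is an assumption (see docstring)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE AGENT_REPOSITORIES (REPO_NAME TEXT, AUTH_USER TEXT, AUTH_PASSWD TEXT)")
    conn.executemany("INSERT INTO AGENT_REPOSITORIES VALUES (?, ?, ?)", [
        ("ePO-local", "", ""),
        ("ePO-remote", "svcAV", "Y29uc3RydWN0ZWQtY2lwaGVydGV4dA=="),  # constructed, not real
    ])
    return conn


def audit_ma_db(conn):
    """Return (repository, user) for every repository that stores a credential.
    The field is reversible (static key), so its presence alone is the finding."""
    rows = conn.execute(
        "SELECT REPO_NAME, AUTH_USER FROM AGENT_REPOSITORIES WHERE AUTH_PASSWD <> ''").fetchall()
    return [(repo, user) for repo, user in rows]


if __name__ == "__main__":
    for section, key, value in audit_bootstrap_ini(BOOTSTRAP_INI):
        print(f"bootstrap.ini [{section}] {key} = {value}")
    for repo, user in audit_ma_db(build_sample_ma_db()):
        print(f"ma.db repository {repo!r} stores a credential for {user!r}")
```

The audit is only useful together with the least-privilege point in the conclusion: the accounts it turns up (the MDT deployment-share user, the agent's repository user) should be able to read their share or repository and nothing else, so that the inevitable disclosure of one of these files does not hand over a foothold in the domain.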
Conclusion:
A significant number of attack avenues can be followed to breach AD. In terms of mitigations, there are some steps that organizations can take:
- User awareness and training — The weakest link in the cybersecurity chain is almost always users. Training users and making them aware that they should be careful about disclosing sensitive information such as credentials and not trust suspicious emails reduces this attack surface.
- Limit the exposure of AD services and applications online — Not all applications must be accessible from the internet, especially those that support NTLM and LDAP authentication. Instead, these applications should be placed in an intranet that can be accessed through a VPN. The VPN can then support multi-factor authentication for added security.
- Enforce Network Access Control (NAC) — NAC can prevent attackers from connecting rogue devices to the network. However, it will require quite a bit of effort since legitimate devices will have to be allow-listed.
- Enforce SMB Signing — By enforcing SMB signing, SMB relay attacks are not possible.
- Follow the principle of least privilege — In most cases, an attacker will be able to recover a set of AD credentials. By following the principle of least privilege, especially for credentials used by services, the risk associated with these credentials being compromised can be significantly reduced.