Breaching Active Directory

Active Directory (AD) is used by approximately 90% of the Global Fortune 1000 companies. If an organisation’s estate uses Microsoft Windows, you are almost guaranteed to find AD. Microsoft AD is the dominant suite used to manage Windows domain networks. However, since AD is used for Identity and Access Management of the entire estate, it holds the keys to the kingdom, making it a very likely target for attackers.

This room covers:

  • NTLM Authenticated Services
  • LDAP Bind Credentials
  • Authentication Relays
  • Microsoft Deployment Toolkit
  • Configuration Files


NTLM is the suite of security protocols used to authenticate users' identities in AD.

It can be used for authentication through a challenge-response scheme called NetNTLM.

NetNTLM allows applications to play the role of a middleman between the client and AD.


Brute Forcing

Most AD environments will have an account lockout policy, which rules out repeated guesses against a single account. This means that we typically have to go the password spraying route.

In this lab, we are going to navigate to This presents us with a login page.

Using a password spraying tool, such as the one here, we can attempt to access using generic weak passwords.
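From the defender's side, the lockout policy that pushes an attacker toward spraying leaves a recognisable pattern: one source failing against many accounts while each account stays below the lockout threshold. The detection sketch below is an added example, not part of the room or the original notes; the record layout, thresholds and sample values are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon records: (timestamp, source IP, username).
SAMPLE_FAILURES = [
    ("2024-03-01T09:00:00", "10.0.5.20", "j.smith"),
    ("2024-03-01T09:00:02", "10.0.5.20", "a.jones"),
    ("2024-03-01T09:00:04", "10.0.5.20", "m.brown"),
    ("2024-03-01T09:00:06", "10.0.5.20", "k.patel"),
    ("2024-03-01T09:00:08", "10.0.5.20", "l.chen"),
    # One user mistyping repeatedly: lockout territory, not a spray.
    ("2024-03-01T09:10:00", "10.0.7.31", "j.smith"),
    ("2024-03-01T09:10:10", "10.0.7.31", "j.smith"),
    ("2024-03-01T09:10:20", "10.0.7.31", "j.smith"),
    ("2024-03-01T09:10:30", "10.0.7.31", "j.smith"),
    ("2024-03-01T09:10:40", "10.0.7.31", "j.smith"),
    ("2024-03-01T09:10:50", "10.0.7.31", "j.smith"),
    ("2024-03-01T09:20:00", "10.0.9.44", "a.jones"),
]

def detect_spray(failures, lockout_threshold=5, min_users=4,
                 window=timedelta(minutes=30)):
    """Map source IP -> accounts it failed against, for sources that hit
    at least min_users accounts inside one window while keeping every
    account below lockout_threshold failures."""
    by_source = defaultdict(list)
    for ts, src, user in failures:
        by_source[src].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for src, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= window.
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if (len(per_user) >= min_users
                    and max(per_user.values()) < lockout_threshold
                    and len(per_user) > len(flagged.get(src, []))):
                flagged[src] = sorted(per_user)
    return flagged

if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_FAILURES).items():
        print(f"possible spray from {src}: {len(users)} accounts")
```

A spray paced slower than the window is not flagged, so the window and `min_users` need tuning against the environment's real lockout observation period.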


LDAP is the Lightweight Directory Access Protocol. LDAP authentication is similar to NTLM authentication, except that the application directly verifies the user's credentials instead of using a challenge-response exchange.


LDAP Pass-back attacks

These attacks become possible when you gain access to a device's configuration web page, for example by testing possible default credentials. This doesn't allow us to view the stored credentials, but it may allow us to alter the configuration.

The configuration change we can make is to update the IP or hostname of the LDAP server.

If we change the IP to our own, the device will send its LDAP authentication credentials to our IP.


Hosting a Rogue LDAP server


Capture LDAP Credentials

sudo tcpdump -SX -i breachad tcp port 389