Active Directory (AD) is used by approximately 90% of the Global Fortune 1000 companies. If an organisation’s estate uses Microsoft Windows, you are almost guaranteed to find AD. Microsoft AD is the dominant suite used to manage Windows domain networks. However, since AD is used for Identity and Access Management of the entire estate, it holds the keys to the kingdom, making it a very likely target for attackers.
This room covers:
- NTLM Authenticated Services
- LDAP Bind Credentials
- Authentication Relays
- Microsoft Deployment Toolkit
- Configuration Files
NTLM
This is the suite of security protocols used to authenticate users identities in AD.
It can be used for authentication with a challenge-reponse system that is called NetNTLM
NETNTLM allows applications to play the role of a middle man between the client and AD
Brute Forcing
Most AD environments will have a lockout policy. This means that we typically have to go the password spraying route.
In this lab, we are going to naviate to ntlmauth.za.tryhackme.com. This presents us with a login page
Using a password spraying tool, such as the one here https://github.com/Nater-aide/Password-Spraying/blob/main/README.md, we can attempt to access using generic weak passwords.
LDAP
LDAP is lightweight Directory Access Protocol. It is similar to NTLM except that the application directly verifies users credentials instead of the challenge-response.
LDAP Pass-back attacks
These attacks occur when you get access to a webpage to a device and testing with possible default credentials. This doesn’t allow us to view credentials but may allow us to alter the configuration
This configuration change we can make is to update the IP or hostname of the LDAP server.
If we modify the IP to our IP, then the LDAP authentication credentials will forward to our IP
Hosting a Rogue LDAP server
Capture LDAP Credentials
Sudo tcpdump -SX -i breachad tcp port 389