Active Directory Penetration Testing | TryHackMe Breaching Active Directory

In this post, we will cover the answers of TryHackMe Breaching Active Directory room in addition to demonstrating the concepts of Active Directory Penetration Testing.

We also covered the answers for TryHackMe Enumerating Active Directory , TryHackMe Lateral Movement and Pivoting ,TryHackMe Exploiting Active Directory and TryHackMe Active Directory Credential Harvesting rooms.

Complete room answers can be found here.

Active Directory Credential Harvesting Methods

Before we can exploit AD misconfigurations for privilege escalation, lateral movement, and goal execution, you need initial access first. You need to acquire an initial set of valid AD credentials. Due to the number of AD services and features, the attack surface for gaining an initial set of AD credentials is usually significant.

When looking for that first set of credentials, we don’t focus on the permissions associated with the account; thus, even a low-privileged account would be sufficient. We are just looking for a way to authenticate to AD, allowing us to do further enumeration on AD itself.

The following techniques to recover AD credentials in a network:

• NTLM Authenticated Services
• LDAP Bind Credentials
• Authentication Relays
• Microsoft Deployment Toolkit
• Configuration Files

Understanding NTLM andNetNTLM

The set of security protocols called New Technology LAN Manager (NTLM) is what allows users to validate their identities in Active Directory. NetNTLM is a challenge-response-based method that leverages NTLM for authentication. The services on a network make extensive use of this authentication technique. NetNTLM-using services, however, may also be open to the internet. Listed below are a few well-known examples:

• Exchange (Mail) servers hosted internally that provide an Outlook Web App (OWA) login page.
• A server’s Remote Desktop Protocol (RDP) service that is available over the internet.
• VPN endpoints that were connected to AD were made public.
• Web apps that use NetNTLM and are accessible over the internet.

NetNTLM, also often referred to as Windows Authentication or just NTLM Authentication, allows the application to play the role of a middle man between the client and AD. When a challenge is successfully performed, all authentication material is sent to a Domain Controller, and the application will authenticate the user.

This means that the application is authenticating on behalf of the user and not authenticating the user directly on the application itself. This prevents the application from storing AD credentials, which should only be stored on a Domain Controller.

Credentials Brute Force Attacks on Active Directory

These exposed services offer a great place to test credentials that have been found in other ways. To retrieve a first set of legitimate AD credentials, these services can also be accessed directly. If during our first red team recon we were able to recover information like working email addresses, we might try using these for brute force attacks.

We won’t be able to conduct a full brute-force attack because account lockout is implemented in the majority of AD environments. Rather, we must execute a password-spraying attack. Rather than trying a number of different passwords, which could set off the account lockout mechanism, we select one password, utilize it, and try to authenticate with every username we have collected. It should be mentioned, though, that because of how many unsuccessful authentication attempts these attacks will produce, they can be identified and detected.

Task Description

You have been provided with a list of usernames discovered during a red team OSINT exercise. The OSINT exercise also indicated the organisation’s initial onboarding password, which seems to be “Changeme123”. Although users should always change their initial password, we know that users often forget. We will be using a custom-developed script to stage a password spraying against the web application hosted at this URL: https://ntlmauth.za.tryhackme.com.

If you are using the AttackBox, the password spraying script and usernames textfile is provided under the /root/Rooms/BreachingAD/task3/ directory. We can run the script using the following command:

python ntlm_passwordspray.py -u <userfile> -f <fqdn> -p <password> -a <attackurl>        

We provide the following values for each of the parameters:

• <userfile> — Textfile containing our usernames — “usernames.txt”
• <fqdn> — Fully qualified domain name associated with the organisation that we are attacking — “za.tryhackme.com”
• <password> — The password we want to use for our spraying attack — “Changeme123”
• <attackurl> — The URL of the application that supports Windows Authentication — “https://ntlmauth.za.tryhackme.com”

LDAP Pass-back Attack

NTLM authentication and LDAP authentication are comparable. On the other hand, the program authenticates the user’s credentials directly while using LDAP authentication. The program can query LDAP using its pair of AD credentials before confirming the credentials of the AD user.

Below services are example of services that use LDAP authentication

• Gitlab
• Jenkins
• Custom-developed web applications
• Printers
• VPNs

If you could gain a foothold on the correct host, such as a Gitlab server, it might be as simple as reading the configuration files to recover these AD credentials. These credentials are often stored in plain text in configuration files since the security model relies on keeping the location and storage configuration file secure rather than its contents.

LDAP Pass-back attacks can be performed when we gain access to a device’s configuration where the LDAP parameters are specified. This can be, for example, the web interface of a network printer. Usually, the credentials for these interfaces are kept to the default ones, such as admin:admin or admin:password.

Here, we won’t be able to directly extract the LDAP credentials since the password is usually hidden. However, we can alter the LDAP configuration, such as the IP or hostname of the LDAP server.

In an LDAP Pass-back attack, we can modify this IP to our IP and then test the LDAP configuration, which will force the device to attempt LDAP authentication to our rogue device. We can intercept this authentication attempt to recover the LDAP credentials.

Task Description

There is a network printer in this network where the administration website does not even require credentials. Navigate to https://printer.za.tryhackme.com/settings.aspx to find the settings page of the printer.

You can follow through with the room to execute this task’s commands and get the answers shown below.

Understanding Server Message Block (SMB)

Clients (like workstations) and servers (like file shares) can communicate with each other over the Server Message Block (SMB) protocol. SMB controls everything in networks that make use of Microsoft AD, including remote administration and file sharing across networks. The SMB protocol is even responsible for the “out of paper” notification that appears on your computer when you attempt to print a document.

Nevertheless, it was determined that earlier iterations of the SMB protocol lacked adequate security. Numerous flaws and exploits that might be used to obtain code execution on devices or even retrieve credentials were found. Despite the fact that some of these vulnerabilities have been fixed in more recent protocol versions, organizations frequently do not mandate the use of these versions because outdated systems do not support them. We’ll examine two distinct attacks for SMB-based NetNTLM authentication:

• Since the NTLM Challenges can be intercepted, we can use offline cracking techniques to recover the password associated with the NTLM Challenge. However, this cracking process is significantly slower than cracking NTLM hashes directly.
• We can use our rogue device to stage a man in the middle attack, relaying the SMB authentication between the client and server, which will provide us with an active authenticated session and access to the target server.

Attacking Microsoft Deployment Toolkit

One Microsoft service that helps with automating the deployment of Microsoft Operating Systems (OS) is Microsoft Deployment Toolkit (MDT). Since base images can be updated and maintained centrally, large organizations employ services like MDT to help deploy new images in their estate more efficiently.

The System Center Configuration Manager (SCCM) from Microsoft, which controls all updates for all Microsoft services, operating systems, and apps, is typically connected with MDT. For fresh deployments, MDT is employed. In essence, it enables boot image preconfiguration and management for the IT staff. As a result, all users have to do to configure a new system is plug in a network wire; the rest happens on its own. They have the ability to modify the boot image in a number of ways, including pre-installing Office 365 and the preferred antivirus program for the company. Additionally, it may guarantee that the first installation to run uses the upgraded build.

One may consider SCCM to be MDT’s older brother and practically an extension of it. After the software is installed, what happens to it? In any case, SCCM handles this kind of patching. It enables all software installed throughout the estate to have its available upgrades reviewed by the IT team. Prior to centrally delivering these changes to every machine that has joined the domain, the team can additionally test them in a sandbox setting to make sure they are reliable. The IT team’s life is much made easier by it.

On the other hand, attackers may target anything that offers central management of infrastructure, such MDT and SCCM, in an effort to seize control of significant amounts of vital tasks within the estate. While there are other ways to setup MDT, for the sake of this job, we will only be focusing on a configuration known as Preboot Execution Environment (PXE) boot.

PXE boot is used by large organizations to enable new devices connected to the network to load and install the operating system directly over a network connection. PXE boot images can be created, managed, and hosted using MDT. Since PXE boot is typically integrated with DHCP, the host is permitted to request the PXE boot image and begin the network operating system installation procedure if DHCP grants an IP lease.

After the procedure is finished, the client will download the PXE boot image over a TFTP connection. The PXE boot image can be used for two distinct purposes:

After the PXE boot is finished, inject a privilege escalation vector, like a Local Administrator account, to obtain Administrative access to the OS. Use password scraping techniques to obtain the AD credentials that were used for the installation.

Task Description

The first piece of information regarding the PXE Boot preconfigure you would have received via DHCP is the IP of the MDT server. In our case, you can recover that information from the TryHackMe network diagram.

The second piece of information you would have received was the names of the BCD files. These files store the information relevant to PXE Boots for the different types of architecture. To retrieve this information, you will need to connect to this website: https://pxeboot.za.tryhackme.com. It will list various BCD files:

Usually, you would use TFTP to request each of these BCD files and enumerate the configuration for all of them. However, in the interest of time, we will focus on the BCD file of the x64 architecture. Copy and store the full name of this file. For the rest of this exercise, we will be using this name placeholder x64{7B...B3}.bcd since the files and their names are regenerated by MDT every day. Each time you see this placeholder, remember to replace it with your specific BCD filename. Note as well that if the network has just started, these file names will only update after 10 mintes of the network being active.

With this initial information now recovered from DHCP (wink wink), we can enumerate and retrieve the PXE Boot image. We will be using our SSH connection on THMJMP1 for the next couple of steps, so please authenticate to this SSH session using the following:

ssh [email protected]

and the password of Password1@.

Follow along with the room’s instructions so that you get the answers shown below

Harvesting Active Directory Credentials from Config Files

Suppose you were lucky enough to cause a breach that gave you access to a host on the organisation’s network. In that case, configuration files are an excellent avenue to explore in an attempt to recover AD credentials. Below configuration files usually contain many AD credentials.

• Web application config files
• Service configuration files
• Registry keys
• Centrally deployed applications

For example, McAfee embeds the credentials used during installation to connect back to the orchestrator in a file called ma.db. This database file can be retrieved and read with local access to the host to recover the associated AD service account and with below command we can open the database file

Understanding Active Directory Lateral Movement

Simply put, lateral movement is the group of techniques used by attackers to move around a network. Once an attacker has gained access to the first machine of a network, moving is essential for many reasons, including the following: – Reaching our goals as attackers – Bypassing network restrictions in place – Establishing additional points of entry to the network – Creating confusion and avoid detection.

While many cyber kill chains reference lateral movement as an additional step on a linear process, it is actually part of a cycle. During this cycle, we use any available credentials to perform lateral movement, giving us access to new machines where we elevate privileges and extract credentials if possible. With the newfound credentials, the cycle starts again.

Room Answers

Complete room answers can be found here.

Free Active Directory Penetration Testing Training Playlist