NTLM & NetNTLM
Web NetNTLM Server: http://ntlmauth.za.tryhackme.com/
The web server uses NTLM challenge-response authentication and relays each authentication attempt to the domain controller, so valid domain credentials are accepted by the site. The provided script imports the NTLM auth handler for the Requests module:
from requests_ntlm import HttpNtlmAuth
and authenticates with the call:
requests.get(url, auth=HttpNtlmAuth(self.fqdn + "\\" + user, password))
Password Spraying
Using the already built script to authenticate to the web NetNTLM:
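Seen from the other side of the wire, a spray against an NTLM-protected web endpoint is one source producing failed logins for many distinct usernames inside a short window. The detector below is an added example (not the TryHackMe script and not part of the original notes); the log format, the field names and the sample lines are constructed, so adapt the regex to whatever the web server actually writes.

```python
"""Detect password spraying against an NTLM-protected web endpoint.

Added example (not from the TryHackMe room or its script): a spray is one
source trying one password against many different usernames, so the signal
is 'many distinct users failing from one source within a short window'.
The log format and the sample lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format (assumption): ISO timestamp, client IP, DOMAIN\user, HTTP status.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) status=(?P<status>\d{3})$"
)


def parse_line(line):
    """Return (timestamp, src_ip, user_lower, status) or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["user"].lower(), int(m["status"])


def detect_spray(lines, window_seconds=60, min_distinct_users=5):
    """Return {src_ip: peak_distinct_users_in_window} for sources over the threshold.

    Only failed authentications (HTTP 401) are counted: a proxy that legitimately
    fronts many users produces mostly 200s, a spray produces mostly 401s.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, user, status = parsed
        if status == 401:
            events[src].append((ts, user))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        window = deque()            # events inside the sliding window
        counts = defaultdict(int)   # user -> occurrences inside the window
        peak = 0
        for ts, user in evs:
            window.append((ts, user))
            counts[user] += 1
            while (ts - window[0][0]).total_seconds() > window_seconds:
                _, old_user = window.popleft()
                counts[old_user] -= 1
                if counts[old_user] == 0:
                    del counts[old_user]
            peak = max(peak, len(counts))
        if peak >= min_distinct_users:
            flagged[src] = peak
    return flagged


# Constructed sample: 10.10.10.5 tries seven accounts in ~30 s (six fail),
# 10.10.20.7 is a single user mistyping their own password.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z src=10.10.10.5 user=CORP\\alice status=401
2024-05-01T09:00:06Z src=10.10.10.5 user=CORP\\bob status=401
2024-05-01T09:00:11Z src=10.10.10.5 user=CORP\\carol status=401
2024-05-01T09:00:16Z src=10.10.10.5 user=CORP\\dave status=401
2024-05-01T09:00:21Z src=10.10.10.5 user=CORP\\erin status=200
2024-05-01T09:00:26Z src=10.10.10.5 user=CORP\\frank status=401
2024-05-01T09:00:31Z src=10.10.10.5 user=CORP\\grace status=401
2024-05-01T09:00:02Z src=10.10.20.7 user=CORP\\heidi status=401
2024-05-01T09:00:40Z src=10.10.20.7 user=CORP\\heidi status=401
2024-05-01T09:01:05Z src=10.10.20.7 user=CORP\\heidi status=200
""".splitlines()

if __name__ == "__main__":
    for src, n in detect_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: {n} distinct users failed within 60 s")
```

The threshold pair (window length, distinct users) is what separates a spray from a shared NAT address with a few users who forgot their password; tune it against a baseline of the real logs before alerting on it.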
LDAP Bind Credentials
Lightweight Directory Access Protocol → Used by third-party (non-MS) systems such as Jenkins, Git servers, web apps, printers and VPNs to authenticate against the domain.
Attack Path: Since the third-party system authenticates to the DC with its own credentials, that user/password MUST be stored on the middleman (printer, web app, etc.), typically in a configuration file, where it may sit in plaintext.
LDAP Pass-back Attacks (Rogue LDAP server)
Third-party systems use a stored credential to authenticate to the LDAP server, but that credential is often stored securely. Instead of reading it, we set up a rogue LDAP server and make the compromised system send its authentication attempt to us (we must be able to modify its LDAP configuration so it points at our attack box instead of the original DC).
- Using slapd & ldap-utils (Debian)
- slapd will be the rogue LDAP server; it requires configuration and enabling via systemctl:
sudo dpkg-reconfigure -p low slapd
- To downgrade the connection so the client sends a plaintext password, relax the SASL security properties (no minimum security strength factor, credentials passed through):
# $ vim olcSaslSecProps.ldif
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart
- Check that the server now advertises PLAIN and LOGIN:
ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
# (Response):
# dn:
# supportedSASLMechanisms: PLAIN
# supportedSASLMechanisms: LOGIN
- Note: This ONLY worked with slapd version 2.4.45 (Ubuntu):
root:~# apt list --installed | grep slapd
slapd/now 2.4.45+dfsg-1ubuntu1.10 amd64 [installed,upgradable to: 2.4.45+dfsg-1ubuntu1.11]
- Not in 2.5.12 (Kali):
Kali$ apt list --installed | grep slapd
slapd/kali-rolling,now 2.5.12+dfsg-2 amd64 [installed]
- Now the client will authenticate to our server in plaintext, and we capture the credentials with a network analysis tool (tcpdump).
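What tcpdump actually captures at that point is an LDAP BindRequest whose credentials are readable without any key, and that is equally what a defender looks for in LDAP traffic that is not wrapped in TLS. The decoder below is an added example, not part of the original notes and not from any room script: a minimal BER decoder for BindRequest (RFC 4511) that reports whether the bind put the password on the wire. The sample packets are constructed with the two builder functions; the DN, account name and password in them are made up.

```python
"""Spot plaintext LDAP bind credentials on the wire.

Added example, not from the original notes: a minimal BER decoder for the LDAP
BindRequest (RFC 4511). A simple bind carries the password as an OCTET STRING,
and the SASL PLAIN and LOGIN mechanisms carry it inside the SASL credentials,
so all three are recoverable from the bytes alone unless TLS wraps the session.
Sample packets are constructed by the build_* helpers below.
"""


def _read_tlv(buf, pos):
    """Decode one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag, value):
    """Encode one BER TLV (used only to build the constructed sample packets)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def inspect_bind(packet):
    """Return a dict describing an LDAP BindRequest, or None if the packet is not one.

    'plaintext' is True when the password is recoverable from the bytes alone:
    simple bind, or SASL with the PLAIN or LOGIN mechanism.
    """
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:                         # LDAPMessage is a SEQUENCE
        return None
    _, msg_id, pos = _read_tlv(msg, 0)      # messageID INTEGER
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != 0x60:                      # [APPLICATION 0] constructed = BindRequest
        return None
    _, version, pos = _read_tlv(op, 0)      # version INTEGER
    _, name, pos = _read_tlv(op, pos)       # name LDAPDN (OCTET STRING)
    auth_tag, auth, _ = _read_tlv(op, pos)  # authentication CHOICE
    info = {"message_id": int.from_bytes(msg_id, "big"),
            "version": int.from_bytes(version, "big"),
            "name": name.decode("utf-8", "replace")}
    if auth_tag == 0x80:                    # simple [0] OCTET STRING: the password itself
        info.update(method="simple", plaintext=True,
                    password=auth.decode("utf-8", "replace"))
    elif auth_tag == 0xA3:                  # sasl [3] SaslCredentials SEQUENCE
        _, mech, pos = _read_tlv(auth, 0)   # mechanism LDAPString
        creds = b""
        if pos < len(auth):                 # credentials OCTET STRING OPTIONAL
            _, creds, _ = _read_tlv(auth, pos)
        mech = mech.decode()
        info.update(method=f"sasl/{mech}", plaintext=mech in ("PLAIN", "LOGIN"))
        if mech == "PLAIN":                 # RFC 4616: authzid NUL authcid NUL passwd
            parts = creds.split(b"\x00")
            if len(parts) == 3:
                info["password"] = parts[2].decode("utf-8", "replace")
    else:
        info.update(method=f"unknown(0x{auth_tag:02x})", plaintext=False)
    return info


def build_simple_bind(msg_id, dn, password):
    """Constructed sample: BindRequest (LDAPv3) with simple authentication."""
    op = _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, op))


def build_sasl_bind(msg_id, mechanism, credentials=b""):
    """Constructed sample: BindRequest (LDAPv3) with SASL authentication."""
    sasl = _tlv(0x04, mechanism.encode())
    if credentials:
        sasl += _tlv(0x04, credentials)
    op = _tlv(0x02, b"\x03") + _tlv(0x04, b"") + _tlv(0xA3, sasl)
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, op))


if __name__ == "__main__":
    # Constructed samples: a service-account simple bind, the same account over
    # SASL PLAIN, and a GSSAPI bind whose token content is irrelevant here.
    samples = [
        build_simple_bind(1, "cn=svc-printer,dc=corp,dc=local", "Summer2024!"),
        build_sasl_bind(2, "PLAIN", b"\x00svc-printer\x00Summer2024!"),
        build_sasl_bind(3, "GSSAPI", b"\x60\x00"),
    ]
    for pkt in samples:
        print(inspect_bind(pkt))
```

The mitigation follows directly from what the decoder flags: a device pointed at an LDAP server should be configured for LDAPS or StartTLS (or a SASL mechanism that does not ship the password, such as GSSAPI), and the server side should refuse PLAIN/LOGIN and simple binds on unencrypted connections, which is exactly the opposite of the olcSaslSecProps downgrade performed above.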
Authentication Relay: Intercepting NetNTLM Challenge
Responder.py
Using Responder we can poison LLMNR, NBT-NS or WPAD traffic inside the LAN. Clients send these name-resolution requests as broadcasts/multicasts, so we can see them; normally a request for an unknown name is simply dropped, but Responder answers it with a poisoned response so the client authenticates to us instead.
(Responder needs to be run as root, preferably inside a venv.) Pre-installed in Kali/Parrot.
From here we just need to use Hashcat to crack the NTLMv2 hash.
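The behaviour Responder depends on is also its detection signature: a legitimate host only answers LLMNR queries for its own name, so one source that answers queries for many different names is a poisoner. The code below is an added example, not part of the original notes and not Responder's code: it parses LLMNR messages (RFC 4795, DNS wire format over UDP 5355) and flags the answering sources. The packets and IP addresses are constructed with the builder functions.

```python
"""Detect LLMNR poisoning, the behaviour Responder relies on.

Added example, not part of the original notes. LLMNR (RFC 4795) reuses the DNS
message format over UDP 5355 to 224.0.0.252. A legitimate host answers only
queries for its own name, so one source answering queries for many different
names is the signature of a poisoner. All packets below are constructed.
"""
import struct
from collections import defaultdict


def _encode_name(name):
    """DNS wire encoding: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def _decode_name(buf, pos):
    """Return (name, next_pos). LLMNR does not use DNS compression pointers."""
    labels = []
    while True:
        n = buf[pos]
        pos += 1
        if n == 0:
            return ".".join(labels), pos
        labels.append(buf[pos:pos + n].decode("ascii", "replace"))
        pos += n


def parse_llmnr(payload):
    """Parse an LLMNR query or response; return {id, is_response, qname, qtype} or None."""
    if len(payload) < 12:
        return None
    msg_id, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount != 1:                        # every LLMNR message carries exactly one question
        return None
    qname, pos = _decode_name(payload, 12)
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {"id": msg_id, "is_response": bool(flags & 0x8000),
            "qname": qname.lower(), "qtype": qtype}


def build_query(msg_id, name):
    """Constructed LLMNR A query for name."""
    return (struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
            + _encode_name(name) + struct.pack("!HH", 1, 1))


def build_response(msg_id, name, ip):
    """Constructed LLMNR response: echoes the question and adds one A record for ip."""
    header = struct.pack("!HHHHHH", msg_id, 0x8000, 1, 1, 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answer = (_encode_name(name) + struct.pack("!HHIH", 1, 1, 30, 4)
              + bytes(int(octet) for octet in ip.split(".")))
    return header + question + answer


def find_poisoners(packets, min_distinct_names=3):
    """packets: iterable of (src_ip, udp_payload).

    Return {src_ip: sorted list of names answered} for every source that sent
    LLMNR responses for at least min_distinct_names different names.
    """
    answered = defaultdict(set)
    for src, payload in packets:
        msg = parse_llmnr(payload)
        if msg and msg["is_response"]:
            answered[src].add(msg["qname"])
    return {src: sorted(names) for src, names in answered.items()
            if len(names) >= min_distinct_names}


# Constructed capture: 10.10.1.20 answers only for itself, 10.10.1.99 answers everything.
SAMPLE_PACKETS = [
    ("10.10.1.5", build_query(1, "fileserver01")),
    ("10.10.1.20", build_response(1, "fileserver01", "10.10.1.20")),
    ("10.10.1.99", build_response(1, "fileserver01", "10.10.1.99")),
    ("10.10.1.6", build_query(2, "printsrv")),
    ("10.10.1.99", build_response(2, "printsrv", "10.10.1.99")),
    ("10.10.1.7", build_query(3, "wpad")),
    ("10.10.1.99", build_response(3, "wpad", "10.10.1.99")),
]

if __name__ == "__main__":
    for src, names in find_poisoners(SAMPLE_PACKETS).items():
        print(f"{src} answered LLMNR queries for {len(names)} names: {', '.join(names)}")
```

A common way to turn this into a standing control is to have a monitoring host periodically query LLMNR for a name that does not exist on the network; any answer at all is a poisoner. Disabling LLMNR and NBT-NS through Group Policy removes the attack surface entirely, and the detector then serves to catch hosts that missed the policy.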