Active Directory Breaching

NTML Authenticated Services

uses challenge-response-based scheme called NetNTLM
heavily used by services on a network, can also be exposed to internet
- internally hosted exchange, mail, exposing outlook web app login portal
- remote desktop protocol
- exposed vpn endpoints
- internal facing web applications

application directly verifies users credentials
integrates with other popular services and applications
if able to get access to application services, can possibly read ad credentials directly from files

common against network devices like printersm after gaining access to network using rogue device
on printers credentials are usually default ones
wont be able to directly extract ldap credentials since password usually hidden
can alter LDAP configuration, like IP or hostname of LDAP server
possible attack
- find printer
- find admin page without credentials or default ones
- has username and hidden password in form for testing/setting up LDAP
- listen on 389 default port for ldap on attacker
or setup rogue LADP server on rogue machine to capture traffic

responder tries to win race condition by poisoning connection
to ensure you intercept the connection
responder usually limited to poisoning authentication challenge on local network
https://github.com/lgandx/Responder

MDT and SCCM
- service that assists with automating deployment of systems
- integrated with microsoft system center configuration
PXE Boot
- Preboot Execution Environment
- install os directly over network connection
- client will use tftp connection to download pxe boot image
- possible vectors
  - inject privilege escalation vector like local administrator account to gain admin access once pxe boot is done
  - perform password scraping attacks to recover active directory credentials during install
PXE boot image retrieval
- download boot images
- recover credentials or inject vector