Pentest Everything
GitHubSupport Pentest Everything
  • ⚔️Pentest Everything
  • 🚩Writeups
    • CyberSecLabs
      • Active Directory
        • Dictionary
        • Spray (WIP)
      • Linux
        • Shock
        • Pie
      • Windows
        • Brute
        • Deployable
        • Glass
        • Monitor
        • Sam
        • Secret
        • Stack
        • Unattended
        • Weak
    • HackTheBox
      • Active Directory
        • Active
        • Blackfield
        • Cascade
        • Forest
        • Intelligence
        • Mantis
        • Monteverde
        • Resolute
        • Return
        • Sauna
        • Search
      • Linux
        • Antique
        • Armageddon
        • Backdoor
        • Bashed
        • Cap
        • Cronos
        • Curling
        • Knife
        • Lame
        • Help
        • Horizontall
        • OpenAdmin
        • Poison
        • SolidState
        • Traceback
        • Trick
      • Windows
        • Access
        • Artic
        • Bastard
        • Bastion
        • Bounty
        • Devel
        • Heist
        • Jeeves
        • Jerry
        • Legacy
        • Love
        • Optimum
        • Remote
        • SecNotes
        • Servmon
        • Timelapse
        • Querier
    • PG Play | Vulnhub
      • Linux
        • BBSCute
        • BTRSys2.1
        • Born2root
        • BossPlayersCTF
        • Covfefe
        • Dawn
        • DC5
        • Funbox
        • FunboxEasy
        • FunBoxEasyEnum
        • HackerFest2019
        • Geisha
        • JISCTF
        • My-CMSMS
        • NoName
        • OnSystemShellDredd
        • Photographer
        • Potato
        • PyExp
        • Samurai
        • SunsetDecoy
        • SunsetMidnight
        • SunsetTwilight
        • Wpwn
    • PG Practice
      • Linux
        • ClamAV
        • Nibbles
        • Payday
        • Pelican
        • Peppo
        • Postfish
        • Pwned1
        • Snookums
        • Sirol
        • Sorcerer
        • Quackerjack
        • WebCal
        • Walla
        • ZenPhoto
        • Zino
      • Windows
        • Algernon
        • Compromised
        • Kevin
        • Helpdesk
        • Hutch
        • Jacko
        • Meathead
        • Metallus
        • Shenzi
        • Slort
        • UT99
    • TryHackMe
      • Linux
        • All in One
        • Archangel
        • Anonforce
        • Biblioteca
        • Cat Pictures
        • Chill Hack
        • CMesS
        • ColddBox
        • ConvertMyVideo
        • CyberHeroes
        • Cyborg
        • Dav
        • Fusion Corp
        • GamingServer
        • Gallery
        • Internal
        • Jacobtheboss
        • Kiba
        • LazyAdmin
        • Library
        • Madness
        • Marketplace
        • Mustacchio
        • NerdHerd
        • Oh My WebServer
        • Olympus
        • Plotted-TMS
        • Skynet
        • Startup
        • Surfer
        • Team
        • Tech_Supp0rt: 1
        • Tomghost
        • VulnNet
        • Undiscovered
        • Year of the Owl
      • Windows
        • Blueprint
        • Enterprise
        • Flatline
        • Quotient
        • RazorBlack
        • Relevant
        • USTOUN
        • VulnNet: Roasted
    • To Do
      • AllSignsPoint2Pwnage (WIP)
      • Hunit (WIP)
      • Escape (WIP)
      • Banzai (WIP)
      • Billyboss (WIP)
      • Fish
      • Ra
      • Roquefort (WIP)
  • 💾GitHub
  • 🔵PsMapExec
    • Change Log
    • BloodHound
    • Using Credentials
    • Cross Domain Usage
    • Methods
      • Command Execution
      • DCSync
      • GenRelayList / SMB Signing
      • Inject
      • IPMI
      • Kerberoast
      • MSSQL
      • Session Hunter
      • Spray
    • Modules
      • Amnesiac
      • ConsoleHistory
      • Files
      • FileZilla
      • KerbDump
      • eKeys
      • LDAP / LDAPS
      • LogonPasswords
      • LSA
      • MDF
      • NTDS
      • Notepad
      • NTLM
      • SAM
      • SCCM
      • SessionExec
      • SessionRelay
      • SSH
      • TGTDeleg
      • VNC
      • Wi-Fi
      • WinSCP
    • Target Acquisition
  • Everything
    • Buffer Overflow Guide
    • Everything Active Directory and Windows
      • Active Directory Enumeration
      • ADCS
        • Enumeration - Certificate Authority
        • ESC1
        • ESC2
        • ESC3
        • ESC4
        • ESC6
        • ESC7
        • ESC8
        • ESC9 - WIP
        • ESC11
      • Access Token Manipultion
        • Token Impersonation
        • Create Process with Token
        • 🔨Make and Impersonate Token
        • Parent PID Spoofing
        • 🔨SID-History Injection
      • Adversary-in-the-Middle
        • 🔨LDAP Relay
        • 🔨LLMNR
        • 🔨RDP MiTM
        • 🔨SMB Relay
      • Credential Access
        • Brute Force
          • Password Spraying
        • Credential Dumping
          • LSASS Memory
          • Security Account Manager (SAM)
          • NTDS
          • LSA Secrets
          • Cached Domain Credentials
          • DCSync
            • 🔨DCSync Attack
        • Credentials from Password Stores
          • Credentials from Web Browsers
          • Windows Credential Manager
        • Unsecured Credentials
          • Credentials In Files
          • Credentials in Registry
          • Group Policy Preferences
            • 🔨GPP Passwords
        • 🔨Modify Authentication Process
          • Domain Controller Authentication: Skeleton Key
          • Reversible Encryption
        • Steal or Forge Kerberos Tickets
          • AS-REP Roasting
          • Golden Ticket
          • Kerberoasting
          • Silver Ticket
          • S4U2Self
          • Ticket Aquisition
          • Constrained Delegation
          • Unconstrained Delegation
      • Collection
        • Clipboard Data
        • Audio Capture
      • Defense Evasion
        • Disable and Bypass Defender
        • Impair Defenses
          • Disable Windows Event Logging
          • Impair Command History Logging
          • Disable or Modify System Firewall
        • Indicator Removal
          • Clear Windows Event Logs
          • Clear Command History
          • File Deletion
          • Network Share Connection Removal
          • Timestomp
      • Input Capture
        • Keylogging
      • Lateral Movement
        • PowerShell Remoting
        • Alternate Authentication Material
          • Pass The Hash
          • Pass the Ticket
          • Pass the Password
      • File Execution Methods
      • File Transfer Techniques
      • Forced Coercion
        • URL File Attack
      • LAPS
      • Network Sniffing
      • Persistence
        • AdminSDHolder
        • BITS Jobs
        • Create Account
          • Local Account
          • Domain Account
          • Cloud Account
        • Create or Modify System Process
          • Windows Service
        • Custom SSP
        • DSRM
        • 🔨Persistence Notes
        • Skeleton Key Attack
      • Privilege Escalation
        • Privilege Escalation Checklist
        • DnsAdmin
        • Registry
          • Always Install Elevated
          • AutoRuns
        • Service Exploits
          • Insecure Service Permissions
      • SCCM / MECM
        • Recon
        • CRED-1 - PXE Abuse
        • CRED-2 - Policy Request Credentials
        • CRED-3 - WMI Local Secrets
        • CRED-4 - CIM Repository
        • CRED-5 - MSSQL Database
        • ELEVATE-2 - Client Push
        • TAKEOVER-2
      • Timeroasting
      • Tools
        • BloodHound
    • Everything Linux
      • File Transfer Techniques
      • Linux Privilege Escalation Techniques
      • Privilege Escalation Checklist
      • Shell Upgrades
    • Everything OSINT
      • Discovering Email Addresses
      • Dork Tools
      • Image OSINT
      • Metadata OSINT
      • Password OSINT
      • Phone Number OSINT
      • Search Engine Operators
      • Social Media OSINT Tools
      • OSINT CTFs
      • OSINT VM
      • Username OSINT
    • Everything Web
      • Command Injection
      • Enumeration
      • File Upload
      • Sub Domain Enumeration
      • XSS
    • Host Discovery
    • Pivoting and Portforwarding
    • Ports
      • Nmap Commands for port discovery
      • Port 21 | FTP
      • Port 25 | SMTP
      • Port 53 | DNS
      • Port 88 | Kerberos
      • Ports 111 | 32771 | rpcbind
      • Port 123 | NTP
      • Ports 137 | 138 | 139 | NetBIOS
      • Ports 139 | 445 | SMB
      • Ports 161 | 162 | SNMP
      • Port 389 | LDAP
      • Ports 1099 | Java RMI
      • Ports 2049 | NFS
      • Port 3389 | RDP
      • Ports 8080 | 8180 | Apache Tomcat
    • PowerShell
      • Constrained Language Mode
      • Download and Execution Methods
      • Resources
      • Restricted Mode
  • Resources
    • Cheat Sheets
      • Default Passwords
      • Kerberoast
      • Mimikatz
      • Powerup
    • Hashcat Word lists and Rules
    • Metasploit Modules
    • Misc Snippets
    • GTFOBins
    • LOLBAS
    • WADCOMS
    • Reverse Shell Generator
    • OSINT Tools
    • Weakpass
  • Password Filter DLL
  • Dork Cheatsheet
Powered by GitBook
On this page
  • Description
  • Scenario #1 [ntlmrelayx]
  • Attacker-PC
  • Admin-PC
  • Attacker-PC
  • Scenario #2 [Intercept-ng]
  • Attacker-PC
  • Admin-PC
  • Attacker-PC
  • Domain Controller - DC01
  • Limitations
  • Mitigations
  • LDAP Channel Binding
  • LDAP Signing
  • Verifying changes: Confirming with a simple Bind
  • Verifying changes: Attack perspective
  • Resources:

Was this helpful?

  1. Everything
  2. Everything Active Directory and Windows
  3. Adversary-in-the-Middle

LDAP Relay

Last updated 2 years ago

Was this helpful?

Description

LDAP Relay attacks make use of NTLM authentication where an NTLM authentication request is performed and an attacker captures the credentials and relays them to a Domain Controller and leverages this against LDAP.

By default without LDAP signing and channel binding this attack is possible.

Scenario #1 [ntlmrelayx]

  • Domain Controller - 10.10.10.10 - Windows Server 2019

  • Admin-PC 10.10.10.7 - Windows 10 21H1

  • Attacker-PC 10.10.10.6 - Kali Linux

  • We already have credentials for the user Dave

This scenario also assumes we have valid credentials for a Domain user.

Attacker-PC

Firstly, ntlmrelayx.py it started on the attacking machine with the --escalate-user switch.

sudo python2 ntlmrelayx.py -t ldap://10.10.10.10 --escalate-user Dave

Admin-PC

Through means of phishing or placing a malicious file locally from some other method we are able to trick the Domain Administrator user who is currently logged into Admin-PC into browsing to http://10.10.10.6/.

Attacker-PC

Where credentials are requested and the Domain Administrator successfully submits them. ntlmrelayx.py receives the credentials and relays them to the Domain Controller on 10.10.10.10.

Successfully giving the user Dave DCSync rights which can be used to dump hashes for the Domain with secretsdump.py.

sudo python2 secretsdump.py security/Dave:'Password123!'@10.10.10.10

The hashes can then either be taken for password cracking or can be used for authentication. By default Domain Contollers run the WinRM service on port 5985. This can be used alongside Evil-WinRM to authenticate with hashes.

Below is a example of the dumped hashed for the Domain Administrator being used for access over WinRM to the Domain Controller DC01.

evil-winrm -i 10.10.10.10  -u 'Administrator' -H '0c564715b06bb035a87e91b9f71488a3'

Scenario #2 [Intercept-ng]

  • Domain Controller - 10.10.10.10

  • Admin-PC - 10.10.10.7

  • Attacker-PC 10.10.10.5

Attacker-PC

This first example shows the LDAP Relay attack using Intercept-ng on a Windows 10 host. Intercept-ng is started on the system Attacker-PC and an administrator PC 'Admin-PC' is quickly identified.

The system is then added to the target list on Intercept-ng. From here Expert mode is then used on Intercept-ng to enable LDAP relay and enter the Domain name as shown below.

Then under the MiTM options LDAP relay is checked and the Domain Controller and Gateway fields are populated with the expected information.

From here the MiTM attack is started and active sniffing begins. As shown below we are given the Inject URL which is http://Attacker-PC:62222/.

Admin-PC

Attacker-PC

Once this Domain Administrator on Admin-PC clicks the malicious link we see Intercept-ng relays the credentials to the Domain Controller and creates a new user called 'cepter'.

Domain Controller - DC01

Over on our Windows Server 2019 Domain Controller we now see the user 'cepter' exists and is a member of the Domain Admins Group.

Limitations

Unfortunately though this method Intercept-ng is unable to create the new user account with a password. One way which this can be leveraged however is through connecting to an RDP session to provide the opportunity for a password reset.

Changing the password from here will provide the new Domain Administrator account with a valid password we can use across the network. The limitation in this regard is that Remote Desktop Network Level Authentication needs to be disabled on the RDP host as shown below.

Mitigations

LDAP Channel Binding

[WIP]

LDAP Signing

LDAP signing is the digital signing of LDAP traffic by the source. The digital signing of LDAP traffic guarantees the authenticity and integrity of the contents of the LDAP traffic has not been altered in transit and allows the receiving party to verify the origin of the LDAP traffic. The LDAP signing configuration can be done by using specific group policies or by using registry keys. It is important to note that LDAP signing must be configured on both the domain controllers and clients:

How to set the server LDAP signing requirement Group Policy Object

  1. Select Default Domain Controller Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies, and then select Security Options.

  2. Right-click Domain controller: LDAP server signing requirements, and then select Properties.

  3. In the Domain controller: LDAP server signing requirements Properties dialog box, enable Define this policy setting, select Require signing in the Define this policy setting list, and then select OK.

  4. In the Confirm Setting Change dialog box, select Yes.

**How to set the client LDAP signing requirement by using local computer policy **

  1. Select Local Computer Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies, and then select Security Options.

  2. Right-click Network security: LDAP client signing requirements, and then select Properties.

  3. In the Network security: LDAP client signing requirements Properties dialog box, select Require signing in the list, and then select OK.

  4. In the Confirm Setting Change dialog box, select Yes.

How to set the client LDAP signing requirement by using a domain Group Policy Object

  1. Select Default Domain Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies, and then select Security Options.

  2. In the Network security: LDAP client signing requirements Properties dialog box, select Require signing in the list, and then select OK.

  3. In the Confirm Setting Change dialog box, select Yes.

Verifying changes: Confirming with a simple Bind

How to verify configuration changes

  1. Sign in to a computer that has the AD DS Admin Tools installed.

  2. Select Start > Run, type ldp.exe, and then select OK.

  3. Select Connection > Connect.

  4. In Server and in Port, type the server name and the non-SSL/TLS port of your directory server, and then select OK.

    Note

    For an Active Directory Domain Controller, the applicable port is 389.

  5. After a connection is established, select Connection > Bind.

  6. Under Bind type, select Simple bind.

  7. Type the user name and password, and then select OK.

    If you receive the following error message, you have successfully configured your directory server:

    Ldap_simple_bind_s() failed: Strong Authentication Required

Verifying changes: Attack perspective

Attempting the same attack again after the required Group Policy changes for LDAP signing have been made produces the following result on the attackers system.

Resources:

Through means of phishing or placing a malicious file locally from some other method we are able to trick the Domain Administrator user who is currently logged into Admin-PC into browsing to .

🔨
http://Attacker-PC:62222/
Escalating privileges with ACLs in Active DirectoryFox-IT International blog
Understanding LDAP Channel Binding and LDAP Signing RequirementsOxford Computer Group - North America
How to enable LDAP signing - Windows Serverdocsmsft
Use the LdapEnforceChannelBinding registry entry to make LDAP authentication over SSL/TLS more secure
Logo
Logo
Logo
Logo