DEV Community 👩‍💻👨‍💻

jmau111⭐
jmau111⭐

Posted on • Updated on • Originally published at blog.julien-maury.dev

Active Directory in CTFs

Corporate networks often rely on Windows systems, making Microsoft products very attractive for attackers.

Windows OSes (operating systems) are prone to attacks, and many public POCs are available on GitHub when a vulnerability is disclosed publicly.

CTFs invite players to attack LDAP (Lightweight Directory Access Protocol) and Active Directory (AD). It makes sense, because you can't skip Windows if you want to learn hacking.

However, it's sometimes a bit hard to understand for beginners.

DisclaimerZ

  1. I won't cover privilege escalation here, but tools like Winpeas can help you find a path to attack. Mimikatz is also a classic tool to perform lateral movements.
  2. CTFs usually let you download stuff from your attacker's machine to the victim's machine, so it does not matter if you can't download it directly.
  3. When I write things like {PASSWORD} or {DC_IP}, you have to replace it with your actual password or domain controller.

Active directory in short

The vast majority of Corporate networks rely on this service, so it can be rewarding for an attacker.

AD runs on a Windows Server and allows administrator(s) to manage users, groups, resources, devices, add access permissions. Pretty much everything is an object, and you can interact with these entities by typing specific commands or using more advanced scripts.

It would be too long to be 100% accurate here, so let's say it's a specific domain, and if you manage to take control of a DC (Domain Controller), it's often enough to open the gates. DC are servers that control user access.

In the context of a CTF, you will typically use techniques such as:

  • enumeration to perform attacks like password spraying and ultimately hack a vulnerable account
  • Kerberos* attacks (we'll see that later)
  • Pass the cache attacks (we'll see that later)
  • privilege escalations

* N.B.: Windows domains often use Kerberos authentication

LDAP in short

LDAP is the protocol that allows administrators and users to access to some resources and perform search queries, read and write documents, delete data, and many more. It's basically what is used behind the scene for most operations, including authentication.

Like any other protocol, it uses specific ports that hackers and pen-testers like to attack, for example, 389 and 636, which are the default ones.

It's precisely what you want to attack during a CTF to enumerate objects or inject commands.

If you like Python, you can use the ldap3 package to run LDAP commands:

pip3 install ldap3
Enter fullscreen mode Exit fullscreen mode

Tools to know

Crackmapexec

Attackers like to use crackmapexec to exploit Windows networks and machines. It can achieve various goals like enumerating users, cracking SMB shares, and injecting shellcode into memory.

I often use the following command to perform a password spraying attack during CTFs:

crackmapexec winrm {IP_VICTIM} -u users.txt -p {PASSWORD}
Enter fullscreen mode Exit fullscreen mode

The idea is to try a unique password on multiple accounts to avoid account lockouts. In the context of a CTF, you will likely get that password in previous steps. For example, a flawed application contains a hash you can quickly reverse, or even guess if the CTF is very easy (e.g., USER:USER).

If the password does not work, you may use it to run authenticated LDAP queries that can reveal the {PASSWORD} you are looking for (I'm describing the scenario of an existing CTF here...).

Kerbrute

Kerbrute allows multithreaded Kerberos attacks.

Use the bruteuser mode only if there's no lockout policy, which is pretty rare, even in CTFs. Fortunately, there's a passwordspray mode:

kerbrute passwordspray -d {DOMAIN} users.txt {PASSWORD}
Enter fullscreen mode Exit fullscreen mode

You can also enumerate users with the userenum mode.

Impacket

Impacket is a collection of Python classes for working with network protocols.

Attackers often use it to perform Kerberos attacks with GetNPUSers.py and impacket-getTGT. For example, you can request a TGT (Kerberos ticket) and save it as ccache (credential cache) with the following command:

impacket-getTGT {DOMAIN}/{USER}:{PASSWORD}
Enter fullscreen mode Exit fullscreen mode

Then, the generated ccache can be used like that:

export KRB5CCNAME={USER}.ccache
impacket-GetUserSPNs {DOMAIN}/{USER}:{PASSWORD} -dc-ip {DC_IP} -request -k -no-pass
Enter fullscreen mode Exit fullscreen mode

This attack is called a Pass the cache attack.

Evil-WinRM

Evil-WinRM exploits WinRM, a protocol used by system administrators on Windows servers.

It's handy to start a shell session on the victim's machine provided you have the correct credentials:

evil-winrm -i {IP_VICTIM} -u {USER} -p {PASSWORD}
Enter fullscreen mode Exit fullscreen mode

You have the k option that allows passing a private key.

BloodHound: the next-level mapper

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment.

It's a fantastic tool to identify attack paths in AD, as it will connect the dots, which is pretty hard if you stick with the terminal.

Many boring (but still essential) steps such as enumeration can be performed automatically. Besides, you don't need to combine different tools to map the target, which saves significant time.

It can have some inconveniences, though, as there are additional requirements, but it's extremely efficient.

Wrap up

Hopefully, you have now a better understanding of common techniques and tools that help solve Windows-based CTFs.

Top comments (0)

🌚 Browsing with dark mode makes you a better developer by a factor of exactly 40.

It's a scientific fact.