
Walkthrough is written by Lakshan Sameera
Special thanks to tryhackme, am03bam4n for providing the room. You can access this room using the following link.
For this TryHackMe room, I'm using my own Kali Linux machine, so I need to configure the network with the specific OpenVPN configuration file provided for "network" rooms. This configuration enables secure access to the network environment required for these exercises. I hope you are familiar with the configuration process. If you are using the AttackBox, you don't need to configure the network, but you still have to configure the DNS server on the host machine.
The room has a detailed walkthrough on how to configure the DNS server. However, if you are not familiar with this kind of configuration, you can follow the steps below.
Step 1: Download and Connect to the VPN


Step 2: Network Manager -> Advanced Network Configuration -> Your Connection -> IPv4 Settings


To keep internet access as well, add a DNS server such as 8.8.8.8 or 1.1.1.1, comma separated, in the additional DNS servers section. Save it, then go to your terminal and restart your network manager.
sudo systemctl restart NetworkManager
Wait for a few seconds then you can use the following command to check the DNS configuration.
nslookup thmdc.za.tryhackme.com

If the following error occurs, follow the instructions mentioned in this note (Click here). If the error persists, reset the network; hopefully it will work.

Two common methods for obtaining initial AD credentials are Open Source Intelligence (OSINT) and Phishing.
NTLM (New Technology LAN Manager) is a set of security protocols used to authenticate identities within Active Directory (AD). NTLM’s challenge-response scheme, called NetNTLM, allows network-based authentication by sending an authentication challenge from a service to the client. This scheme is commonly used for services like Exchange servers with an exposed Outlook Web App (OWA), Remote Desktop Protocol (RDP) over the internet, exposed VPN endpoints connected to AD, and other internet-facing applications utilizing NTLM authentication.
In NetNTLM, the application acts as an intermediary between the client and AD. When a user attempts to authenticate, the application forwards the challenge to a Domain Controller rather than directly verifying the user’s credentials. If the Domain Controller confirms the challenge response, the application grants access on behalf of the user. This setup ensures that AD credentials are stored only on the Domain Controller, maintaining security by preventing applications from directly handling or storing sensitive credentials.
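The pass-through flow described above, as an added example that is not part of the original walkthrough: the application issues the challenge and relays the answer, and only the Domain Controller holds key material. The account, password, domain label and class names are constructed, and a truncated SHA-256 stands in for the MD4-based NT hash so the block runs where MD4 is disabled; the two HMAC-MD5 steps follow the NTLMv2 shape.

```python
import hashlib, hmac, os

def key_from_password(password):
    # Stand-in for the NT hash. Real NTLM uses MD4 over the UTF-16LE password;
    # truncated SHA-256 is swapped in here (assumption) because MD4 is often disabled.
    return hashlib.sha256(password.encode("utf-16-le")).digest()[:16]

def ntlmv2_style_response(key, user, domain, challenge, blob):
    # NTLMv2 shape: per-user HMAC-MD5 key, then HMAC-MD5 over challenge + client data.
    user_key = hmac.new(key, (user.upper() + domain).encode("utf-16-le"), "md5").digest()
    return hmac.new(user_key, challenge + blob, "md5").digest()

class DomainController:
    """The only party that stores credential material."""
    def __init__(self, domain, accounts):
        self.domain = domain
        self._keys = {u.upper(): key_from_password(p) for u, p in accounts.items()}

    def verify(self, user, challenge, blob, response):
        key = self._keys.get(user.upper())
        if key is None:
            return False
        expected = ntlmv2_style_response(key, user, self.domain, challenge, blob)
        return hmac.compare_digest(expected, response)  # constant-time comparison

class Application:
    """Internet-facing service: issues the challenge, relays the answer to the DC."""
    def __init__(self, dc):
        self.dc, self.seen = dc, []  # seen: every value the application handles
    def login(self, user, answer_challenge):
        challenge = os.urandom(8)
        blob, response = answer_challenge(challenge)
        self.seen += [challenge, blob, response]
        return self.dc.verify(user, challenge, blob, response)

def client(user, domain, password):
    def answer(challenge):
        blob = os.urandom(16)  # client nonce
        key = key_from_password(password)
        return blob, ntlmv2_style_response(key, user, domain, challenge, blob)
    return answer

def demo():
    pw = "Constructed-Passw0rd!"  # constructed sample credential
    app = Application(DomainController("ZA", {"alice": pw}))
    ok = app.login("alice", client("alice", "ZA", pw))
    bad = app.login("alice", client("alice", "ZA", "wrong-guess"))
    secrets = [pw.encode(), pw.encode("utf-16-le"), key_from_password(pw)]
    return ok, bad, any(s in item for s in secrets for item in app.seen)
```

`demo()` returns whether the correct password authenticated, whether the wrong one did, and whether the password or its derived key ever appeared among the values the application handled.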