Overview
This room focuses on the stage before authenticated AD enumeration: getting the first valid domain credential pair. It covers common initial access avenues in Active Directory environments, including NTLM-exposed services, LDAP bind credentials, relays, deployment tooling, and credential leakage through configuration.
Core idea: you do not need high privileges to start attacking AD. The real objective at this stage is simply to obtain one valid credential pair that can authenticate to the domain.
1) Why Breaching AD Matters
Before you can abuse domain misconfigurations for escalation or lateral movement, you need initial access into the domain environment.
- Even low-privileged credentials are enough to unlock a lot of authenticated AD enumeration.
- The AD attack surface is large because many services and integrations depend on domain authentication.
- The first valid credential pair is often the tipping point between perimeter access and internal domain compromise.
2) DNS and Network Setup
This room again reinforces a core AD reality: if DNS is wrong, everything feels broken.
- Kerberos depends on hostnames, so domain DNS must work correctly.
- AttackBox or VPN users need to point DNS at the domain controller.
- If tooling fails, verify network reachability, then verify DC name resolution.
Practical habit: whenever an AD technique fails unexpectedly, check DNS before assuming the tool or exploit path is wrong.
3) OSINT and Phishing
The room starts with two common real-world ways to obtain domain credentials before any internal exploitation.
- OSINT: leaked credentials in public repos, forums, breaches, or reused work accounts.
- Phishing: credential capture or malware/RAT delivery in a user context.
These are not deep technical exploits, but they remain among the most realistic AD entry points.
4) NTLM-Authenticated Services
Externally or internally exposed services that rely on NetNTLM can become password-spraying targets.
- Outlook Web App and other Exchange portals
- RDP services
- VPN portals integrated with AD
- Web apps using Windows authentication
The room demonstrates password spraying against an NTLM-authenticated web application using a custom script and an onboarding password like Changeme123.
Key distinction: because AD often has account lockout policies, spraying one password across many users is safer than brute-forcing many passwords against one user.
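The lockout distinction above is also what a defender keys on: a spray shows up as one source touching many accounts a few times each, while brute force is one account hit many times. Added example (not from the room): a small classifier over constructed Windows Security 4625 failed-logon records; the IPs, users and thresholds are made up for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of 4625 (failed logon) events as a SIEM would parse them; not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:01", "user": "alice", "src_ip": "10.0.0.50"},
    {"time": "2024-05-01T09:00:04", "user": "bob", "src_ip": "10.0.0.50"},
    {"time": "2024-05-01T09:00:07", "user": "carol", "src_ip": "10.0.0.50"},
    {"time": "2024-05-01T09:00:10", "user": "dave", "src_ip": "10.0.0.50"},
    {"time": "2024-05-01T09:00:13", "user": "erin", "src_ip": "10.0.0.50"},
    {"time": "2024-05-01T09:00:16", "user": "frank", "src_ip": "10.0.0.50"},
    # Second source hammering a single account: brute force, which trips lockout.
    *[{"time": f"2024-05-01T09:01:{s:02d}", "user": "alice", "src_ip": "10.0.0.77"}
      for s in range(0, 30, 3)],
    # One typo from a normal workstation: benign.
    {"time": "2024-05-01T09:05:00", "user": "grace", "src_ip": "10.0.0.12"},
]


def classify_sources(events, window=timedelta(minutes=30),
                     min_users=5, max_per_user=2, brute_min=8):
    """Label each source IP 'spray', 'brute_force' or 'benign'.

    spray:       >= min_users distinct accounts, each failing <= max_per_user
                 times inside one window (stays under a typical lockout threshold).
    brute_force: one account failing >= brute_min times inside one window.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    verdicts = {}
    for src, items in by_src.items():
        items.sort()
        verdict = "benign"
        for i, (start, _) in enumerate(items):       # sliding window per source
            per_user = Counter(u for t, u in items[i:] if t - start <= window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                verdict = "spray"
                break
            if max(per_user.values()) >= brute_min:
                verdict = "brute_force"
                break
        verdicts[src] = verdict
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_EVENTS).items():
        print(f"{src:<12} {verdict}")
```

The same grouping works on 4776 (NTLM validation on the DC) or on web-server access logs for OWA, which is where the room's spray would actually land.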
5) LDAP Bind Credentials
Some third-party applications authenticate users directly against LDAP and therefore need their own stored AD service credentials.
- GitLab
- Jenkins
- Custom web applications
- Printers and VPNs
If you can access the application host or its settings, those LDAP bind credentials may be recoverable from configuration or traffic.
6) LDAP Pass-Back Attack
The room’s main practical LDAP attack is the pass-back technique against a network printer.
- Gain access to the device’s LDAP settings page.
- Change the configured LDAP server to your attacker IP.
- Trigger a test of the configuration.
- Force the device to authenticate to your rogue LDAP service.
- Capture the service credentials.
This works because the device is willing to send its own LDAP bind credentials when validating its config.
7) Hosting a Rogue LDAP Server
Plain Netcat is not enough for this attack because the printer first negotiates supported authentication mechanisms.
- OpenLDAP can be reconfigured to support weak mechanisms such as PLAIN and LOGIN.
- That downgrade helps force cleartext credential transmission during the test request.
tcpdump can then capture the resulting LDAP bind attempt and reveal the username/password pair.
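What tcpdump sees in sections 6 and 7 is an LDAP BindRequest whose simple-auth field is a plain OCTET STRING, so the password is readable by anyone on the path. Added example (not the room's tooling): a minimal BER parser for that message that flags cleartext binds and binds to a server that is not an approved DC, which is exactly the signal a pass-back produces. The encoder only exists to build a constructed fixture; the account name, password and IPs are invented.

```python
# Minimal LDAP v3 BindRequest decoder (RFC 4511 structure), written for this note.

def _tlv(data, pos):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form definite length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def parse_bind_request(packet):
    """Return a dict for an LDAP BindRequest, or None if the message is something else."""
    tag, msg, _ = _tlv(packet, 0)
    if tag != 0x30:                                     # LDAPMessage SEQUENCE
        return None
    _, msg_id, pos = _tlv(msg, 0)
    op_tag, op, _ = _tlv(msg, pos)
    if op_tag != 0x60:                                  # [APPLICATION 0] BindRequest
        return None
    _, version, pos = _tlv(op, 0)
    _, name, pos = _tlv(op, pos)
    auth_tag, auth, _ = _tlv(op, pos)
    info = {"message_id": int.from_bytes(msg_id, "big"),
            "version": int.from_bytes(version, "big"),
            "name": name.decode(), "cleartext": False}
    if auth_tag == 0x80:                                # [0] simple: password as-is
        info["cleartext"], info["secret_len"] = True, len(auth)
    elif auth_tag == 0xA3:                              # [3] sasl: {mechanism, credentials}
        _, mech, _ = _tlv(auth, 0)
        info["mechanism"] = mech.decode()
        info["cleartext"] = info["mechanism"] in ("PLAIN", "LOGIN")   # unless wrapped in TLS
    return info


def build_simple_bind(name, password, msg_id=1):
    """Encode a v3 simple bind as a test fixture (short-form lengths only, < 128 bytes)."""
    def enc(tag, body):
        return bytes([tag, len(body)]) + body
    op = enc(0x02, b"\x03") + enc(0x04, name.encode()) + enc(0x80, password.encode())
    return enc(0x30, enc(0x02, bytes([msg_id])) + enc(0x60, op))


def review_bind(packet, dst_ip, approved_servers):
    """Findings for one captured bind: cleartext credentials and/or an unapproved destination."""
    bind = parse_bind_request(packet)
    findings = []
    if bind is None:
        return findings
    if bind["cleartext"]:
        findings.append(f"cleartext bind as {bind['name']} to {dst_ip}")
    if dst_ip not in approved_servers:
        findings.append(f"bind to unapproved LDAP server {dst_ip} (possible pass-back)")
    return findings
```

Feeding captured 389/tcp payloads through review_bind with the real DC list gives an alert on the printer's test request the moment its LDAP server setting is pointed somewhere else; the durable fix is LDAPS or a SASL mechanism that never puts the secret on the wire.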
8) Authentication Relays and Broader Breach Paths
The room also frames authentication relays as another important initial-access class in Windows environments.
- Windows services constantly authenticate to each other across the network.
- If an attacker can coerce and relay one of those authentications, that trust can sometimes be abused.
- SMB and NTLM-based flows are especially important to understand for later relay attacks.
9) Practical Breach Mindset
This room is about identifying any route that gets you one usable domain account.
- Check public exposure and leaked credentials.
- Identify NTLM-backed services and weak onboarding passwords.
- Look for LDAP-integrated devices and applications.
- Abuse settings pages and misconfigurations that cause credentials to come back to you.
- Treat any recovered low-priv account as the start of the real AD attack path.
Exam Notes (PT1)
- The first goal in AD breaching is not admin, but any valid domain credential pair.
- NTLM-authenticated services are common password-spraying targets.
- LDAP-integrated applications and devices often store service credentials and can expose them through config or pass-back attacks.
- Password spraying is safer than brute force in AD because it reduces lockout risk.
- DNS troubleshooting is a constant requirement in AD work because Kerberos depends on correct name resolution.