THM – Active Directory Basics – Part 18

This is a continued series where I document my path through different tryhackme courses. I recommend everyone that wants to learn cyber security to subscribe to tryhackme.com and take the courses there.

Introduction

Active Directory is the directory service for Windows Domain Networks.

What is Active Directory?

It’s a collection of machines and servers connected inside domains, which are part of a bigger forest of domains, that together make up the Active Directory network. AD contains many functions:

  • Domain Controllers
  • Forest, Trees, Domains
  • Users + Groups
  • Trusts
  • Policies
  • Domain Services

Why use Active Directory

It allows for the control and monitoring of users' computers through a single domain controller. It allows a single user to sign in to any computer on the Active Directory network and have access to files and folders stored on the server, as well as the local storage on that machine. It allows any user in the company to use any machine that the company owns, without having to set up multiple users on each machine.

Physical Active Directory

Domain Controllers

A domain controller is a Windows server that has Active Directory Domain Services (AD DS) installed and has been promoted to a domain controller in the forest. Domain controllers are the center of Active Directory; they control the rest of the domain. Tasks of the domain controller:

  • Holds the AD DS data store
  • Handles authentication and authorization services
  • Replicate updates from other domain controllers in the forest
  • Allows admin access to manage domain resources

AD DS Data Store

The Active Directory Data Store holds the databases and processes needed to store and manage directory information such as users, groups and services. Content and characteristics of the AD DS Data Store:

  • Contains the NTDS.dit, a database that holds all of the information of an Active Directory domain controller as well as password hashes for domain users.
  • Stored by default in %SystemRoot%\NTDS
  • Accessible only by the domain controller

The Forest

The forest is what defines everything; it is the container that holds all the other bits and pieces of the network together. Without the forest, the trees and domains would not be able to interact.

Forest Overview

A forest is a collection of one or more domain trees inside of an Active Directory network. It categorizes the parts of the network as a whole.

A forest consists of these parts:

  • Trees – a hierarchy of domains in Active Directory Domain Services
  • Domains – used to group and manage objects
  • Organizational Units (OUs) – containers for groups, computers, users, printers and other OUs
  • Trusts – allow users to access resources in other domains
  • Objects – users, groups, printers, computers, shares
  • Domain services – DNS server, LLMNR, IPv6
  • Domain Schema – rules for object creation

Users + Groups

Users Overview

Users are the core of AD: no users, no need for AD. There are four main types of users in an AD network; there can be more depending on how a company manages the permissions of its users. The four types of users:

  • Domain Admins – they control the domains and are the only ones with access to the domain controller.
  • Service Accounts (can be Domain Admins) – these are for the most part never used except for service maintenance; they are required by Windows for services such as SQL to pair a service with a service account.
  • Local Administrators – these users can make changes to local machines as an administrator and may even be able to control other normal users, but they cannot access the domain controller.
  • Domain Users – these are your everyday users. They can log in on the machines they have the authorization to access and may have local administrator rights to machines depending on the organization.

Groups overview

Groups make it easier to give permissions to users and objects by organizing them into groups with specified permissions. Two types of AD groups:

  • Security Groups – these groups are used to specify permissions for a large number of users.
  • Distribution Groups – these groups are used to specify email distribution lists. As an attacker these groups are less beneficial to us, but they can still be useful in enumeration.
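Security groups can be nested inside other security groups, so the rights a user actually holds are only visible once nesting is resolved. The following Python script is an added example (not from the TryHackMe room or this post) that walks a small constructed group hierarchy to list the effective members of a group and the security groups that grant a user rights; the group and user names are made up, and distribution groups are skipped because they carry no permissions.

```python
# Added example: resolve nested AD group membership to find who effectively
# holds the rights of a security group. All groups and users below are
# constructed sample data, not taken from a real domain.
from collections import deque

# Constructed sample: group -> direct members (users or other groups).
GROUP_MEMBERS = {
    "Domain Admins": ["alice", "Tier0-Operators"],
    "Tier0-Operators": ["bob", "Helpdesk-Escalation"],
    "Helpdesk-Escalation": ["carol", "Tier0-Operators"],  # circular nesting
    "Sales-Distribution": ["dave", "erin"],
}

# Constructed sample: which groups are security groups and which are
# distribution lists (distribution lists grant no permissions).
GROUP_TYPE = {
    "Domain Admins": "Security",
    "Tier0-Operators": "Security",
    "Helpdesk-Escalation": "Security",
    "Sales-Distribution": "Distribution",
}


def effective_members(group, members=GROUP_MEMBERS):
    """Return the set of users that are direct or nested members of `group`.

    A breadth-first walk with a visited set terminates even when groups
    are nested in a loop (Tier0-Operators <-> Helpdesk-Escalation above).
    """
    users = set()
    seen = {group}
    queue = deque([group])
    while queue:
        current = queue.popleft()
        for member in members.get(current, []):
            if member in members:  # the member is itself a group
                if member not in seen:
                    seen.add(member)
                    queue.append(member)
            else:
                users.add(member)
    return users


def groups_granting(user, members=GROUP_MEMBERS, types=GROUP_TYPE):
    """Return the security groups that grant `user` rights, directly or
    through nesting. Distribution groups are ignored."""
    return sorted(
        g for g in members
        if types.get(g) == "Security" and user in effective_members(g, members)
    )


if __name__ == "__main__":
    print("Effective Domain Admins:", sorted(effective_members("Domain Admins")))
    print("Security groups granting carol rights:", groups_granting("carol"))
    print("Security groups granting dave rights:", groups_granting("dave"))
```

On a real domain the same walk is what tools such as Get-ADGroupMember with -Recursive perform; the point of the example is that carol, who appears nowhere in Domain Admins directly, is an effective Domain Admin through two levels of nesting.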

Trusts + Policies

Trusts and policies help the domains and trees communicate with each other and maintain security inside the network.

Domain Trust Overview

Trusts are a mechanism in place for users in the network to gain access to other resources in the domain. A trust outlines the way that the domains inside a forest communicate with each other. Trusts can in some environments extend out to external domains and, in some cases, even to other forests.

Two types of trusts that determine how the domains communicate:

  • Directional – The direction of the trust flows from a trusting domain to a trusted domain
  • Transitive – The trust relationship expands beyond just two domains to include other trusted domains
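The two properties above interact: the direction of a trust decides which way access flows (a trusting domain admits users from the trusted domain), and transitivity decides whether that access chains through a third domain. The Python script below is an added example, not part of the original post, that models a small constructed set of trusts and answers the question a defender asks when reviewing trust exposure: which domains' users can reach resources in a given domain, and which resources a given domain's users can reach. The domain names and trusts are made up.

```python
# Added example: compute which domains can reach which resources across a
# constructed set of AD trusts. Domain names and trusts are sample data.
from typing import NamedTuple


class Trust(NamedTuple):
    trusting: str      # domain that holds the resources
    trusted: str       # domain whose users are admitted
    transitive: bool   # whether the trust extends through further trusts


# Constructed sample forest plus one external trust. A two-way trust is
# written as two one-way Trust entries.
TRUSTS = [
    Trust("corp.example", "eu.corp.example", True),     # parent <-> child
    Trust("eu.corp.example", "corp.example", True),
    Trust("corp.example", "partner.example", False),    # one-way external
    Trust("partner.example", "vendor.example", True),
]


def domains_with_access_to(resource_domain, trusts=TRUSTS):
    """Return the domains whose users can access resources in `resource_domain`.

    Access flows against the trust arrow: `resource_domain` admits users
    from every domain it trusts. A chain continues only while every hop is
    transitive; a non-transitive trust reaches exactly one domain.
    """
    reachable = set()
    expand = {resource_domain}   # domains whose outgoing trusts we follow next
    done = set()
    first_hop = True
    while expand:
        next_round = set()
        for trusting in expand:
            done.add(trusting)
            for t in trusts:
                if t.trusting != trusting:
                    continue
                if not (t.transitive or first_hop):
                    continue     # non-transitive trusts do not chain
                reachable.add(t.trusted)
                if t.transitive and t.trusted not in done:
                    next_round.add(t.trusted)
        expand = next_round - done
        first_hop = False
    reachable.discard(resource_domain)
    return reachable


def resources_accessible_from(user_domain, trusts=TRUSTS):
    """Return the domains whose resources users of `user_domain` can reach.

    Reversing every trust arrow turns this into the question answered by
    domains_with_access_to, so the same walk is reused.
    """
    flipped = [Trust(t.trusted, t.trusting, t.transitive) for t in trusts]
    return domains_with_access_to(user_domain, flipped)


if __name__ == "__main__":
    for d in ("corp.example", "eu.corp.example", "partner.example"):
        print(f"{d}: admits users from {sorted(domains_with_access_to(d))}")
        print(f"{d}: its users can reach {sorted(resources_accessible_from(d))}")
```

Running it shows that users of partner.example reach corp.example but not eu.corp.example, because the external trust is non-transitive, while vendor.example never reaches corp.example at all even though partner.example trusts it transitively.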

Domain Policies Overview

Domain policies dictate how the server operates and what rules it will and will not follow. They act as a rulebook for AD that a domain admin can modify and alter as necessary.

Active Directory Domain Services + Authentication

AD DS are the core functions of an Active Directory network; they allow for management of the domain, security certificates, LDAPs and much more.

Domain services are services that the domain controller provides to the rest of the domain or tree. Default domain services:

  • LDAP – Lightweight Directory Access Protocol; provides communication between applications and directory services
  • Certificate Services – allow the domain controller to create, validate, and revoke public key certificates
  • DNS, LLMNR, NBT-NS – name resolution services that map hostnames to IP addresses

Domain Authentication Overview

The most important part of AD, and the most vulnerable part, is the authentication protocols. Two main types of authentication are in place for AD: NTLM and Kerberos.

  • Kerberos – the default authentication service for Active Directory; uses ticket-granting tickets and service tickets to authenticate users and give them access to other resources across the domain.
  • NTLM – the default Windows authentication protocol; uses an encrypted challenge/response exchange.
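Because both protocols are in use side by side, a defender usually wants to know where NTLM is still being used and where authentication is failing. The domain controller records NTLM credential validation as event ID 4776 and Kerberos ticket requests as event IDs 4768 (TGT) and 4769 (service ticket). The Python script below is an added example, not from the original post, that runs that classification over a handful of constructed, simplified log lines (a key=value form, not a real Windows export); the accounts, hosts and addresses are made up, while the event IDs and the result codes 0xC000006A (wrong password) and 0x18 (Kerberos pre-authentication failed) are the real ones.

```python
# Added example: classify domain controller authentication events by
# protocol and flag failures. The log lines are constructed, simplified
# records, not real Windows Security log exports.
import re
from collections import Counter

SAMPLE_EVENTS = """
EventID=4768 Account=alice Client=10.0.0.21 Result=0x0
EventID=4769 Account=alice Service=cifs/fs01 Client=10.0.0.21 Result=0x0
EventID=4776 Account=svc_sql Workstation=SQL01 Result=0x0
EventID=4776 Account=bob Workstation=LEGACY-APP Result=0xC000006A
EventID=4776 Account=bob Workstation=LEGACY-APP Result=0xC000006A
EventID=4768 Account=carol Client=10.0.0.33 Result=0x18
EventID=4776 Account=alice Workstation=WS07 Result=0x0
""".strip().splitlines()

KERBEROS_EVENTS = {"4768", "4769"}   # TGT request, service ticket request
NTLM_EVENTS = {"4776"}               # NTLM credential validation on the DC


def parse_event(line):
    """Turn one 'key=value key=value' record into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def summarize_auth(lines):
    """Return (protocol_counts, ntlm_sources, failures) for the given lines.

    protocol_counts: Counter of 'kerberos' and 'ntlm' events.
    ntlm_sources:    workstation -> set of accounts that used NTLM from it,
                     which is the list to work through when retiring NTLM.
    failures:        (account, event_id, result) for every non-zero result.
    """
    protocol_counts = Counter()
    ntlm_sources = {}
    failures = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid in KERBEROS_EVENTS:
            protocol_counts["kerberos"] += 1
        elif eid in NTLM_EVENTS:
            protocol_counts["ntlm"] += 1
            ntlm_sources.setdefault(ev["Workstation"], set()).add(ev["Account"])
        else:
            continue  # not an authentication event we classify
        if ev.get("Result", "0x0") != "0x0":
            failures.append((ev["Account"], eid, ev["Result"]))
    return protocol_counts, ntlm_sources, failures


def repeated_failures(failures, threshold=2):
    """Accounts with at least `threshold` failed authentications, sorted."""
    per_account = Counter(account for account, _, _ in failures)
    return sorted(a for a, n in per_account.items() if n >= threshold)


if __name__ == "__main__":
    counts, sources, fails = summarize_auth(SAMPLE_EVENTS)
    print("Protocol counts:", dict(counts))
    print("NTLM by workstation:", {k: sorted(v) for k, v in sources.items()})
    print("Failures:", fails)
    print("Accounts with repeated failures:", repeated_failures(fails))
```

On real data the same logic would be fed from the Security log of each domain controller; the constructed sample is enough to show that LEGACY-APP is the host to look at both for NTLM use and for repeated bad-password attempts against bob.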

AD in the cloud

Windows Server AD        Azure AD
LDAP                     REST APIs
NTLM                     OAuth/SAML
Kerberos                 OpenID
OU Tree                  Flat Structure
Domains and Forests      Tenants
Trusts                   Guests
