AD Overview & Lab Build

Active Directory Overview

  • What is Active Directory?

    • Directory service developed by Microsoft to manage Windows domain networks.

    • Stores information about objects such as computers, users, printers, etc.

    • Authenticates using Kerberos tickets. Non-Windows devices, such as Linux machines, firewalls, etc., can also authenticate to Active Directory via RADIUS or LDAP.

    • Active Directory is the most commonly used identity management service in the world.

    • Can be exploited without ever relying on a patchable vulnerability; instead, attackers abuse features, trusts, components and more.

    • Very important in internal assessments and attacks (for hackers).

Physical AD components:

  • Domain Controllers:

    • The domain controller (DC) is the box that holds the keys to the kingdom, Active Directory (AD). It is a server with the AD DS server role installed that has specifically been promoted to domain controller.

    • Creates user accounts or changes domain policy.

    • Hosts a copy of the AD DS directory store.

    • Provides authentication and authorization services.

    • Replicates updates to other domain controllers in the domain and forest.

    • Allows administrative access to manage user accounts and network resources.

    • A tool called "Active Directory Users and Computers" is used to manage users and computers; it acts as the directory service for resources on the network.

    • DC - Group Policy Management:

      • Used to manage all domain user and computer settings remotely.

      • Uses Group Policy Objects (GPOs) to manage client settings.

      • Targets specific users, computers, groups and OUs.

      • Installs software remotely.

      • Configures the desktop background and manages which websites users can visit; manages and configures security settings.

  • AD DS Data Store:

    • The AD DS data store contains the database files and processes that store and manage directory information for users, services and applications.

    • Consists of the Ntds.dit file, a very sensitive file that an attacker searches for in order to compromise the domain.

    • Is stored by default in the %SystemRoot%\NTDS folder on all domain controllers.

    • Is accessible only through DC processes and protocols.

    • If we have many DCs, one is the main one, and critical data is replicated between the DCs.

Logical Active Directory Components:

  • AD DS schema (rule book): contains the definition of every object that can be created in Active Directory.

  • Domains: used to group things together so that we can group objects within a single organization.

  • Trees: a group of domains (parent: contoso.com; children: emea.contoso.com, na.contoso.com).

  • Forest: a collection of trees (contoso with its children, and another tree with its children, linked together).

  • OUs: containers for your users, computers and groups (very useful for delegating administrative responsibility).

  • Trusts: how we have access to resources that might exist in another domain.

    • Directional: one domain trusts another domain.

    • Transitive: we have a trusting domain and a trusted domain, but the trusting domain also trusts everything the trusted domain trusts (forest example).

  • Objects: the individual entries (users, computers, printers, etc.) stored in the directory.
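The physical and logical components listed above can be inspected read-only with the RSAT ActiveDirectory module. The script below is an added example and is not part of the original notes. It assumes a domain-joined Windows host with RSAT installed and an ordinary domain account; nothing is created or modified, and the Ntds.dit path lookup only returns a value when the script is run on a domain controller.

```powershell
# Added example (not from the original notes): read-only enumeration of the AD
# components described above. Assumes a domain-joined host with RSAT installed.
Import-Module ActiveDirectory

# Forest and domain tree: root domain, every domain in the forest, and the schema master.
$forest = Get-ADForest
"Forest root: $($forest.RootDomain)"
"Domains in forest: $($forest.Domains -join ', ')"
"Schema master: $($forest.SchemaMaster)"

# The current domain and its place in the tree (parent / child domains).
$domain = Get-ADDomain
"Domain DN: $($domain.DistinguishedName)  NetBIOS: $($domain.NetBIOSName)"
"Parent domain: $($domain.ParentDomain)  Child domains: $($domain.ChildDomains -join ', ')"

# Domain controllers (the physical component). The NTDS parameters key exists only on a
# DC and records where Ntds.dit actually lives (default: %SystemRoot%\NTDS).
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntdsKey) {
    "Ntds.dit on this DC: $((Get-ItemProperty $ntdsKey).'DSA Database file')"
}

# Trusts: direction and transitivity for every trust relationship of this domain.
Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive, IntraForest

# OUs: the containers used to delegate administration and to target GPOs.
Get-ADOrganizationalUnit -Filter * | Select-Object Name, DistinguishedName

# Schema (the "rule book"): how many object classes are defined, and the classes
# behind the object types named in the notes.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$classes  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(objectClass=classSchema)' -Properties lDAPDisplayName
"Schema classes defined: $($classes.Count)"
$classes |
    Where-Object { $_.lDAPDisplayName -in 'user', 'computer', 'group', 'organizationalUnit', 'printQueue' } |
    Select-Object lDAPDisplayName
```

Every cmdlet here is a read; the output shows how the forest, trees, trusts, OUs and schema described above fit together in a live environment.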

Active Directory Lab Build

  • Setting up users, groups and policies:

    • Local domain.

  • Domain controller: Hydra.

  • Domain administrator: if you are a domain user, that means you can log in to the domain.

  • Note: users inherit settings from each other when you create them by copying.

  • A service account (SQL example) shouldn't be a domain administrator, and an administrator shouldn't put the password in the description.

  • Most domain controllers have a file share, so we want to open up ports 139 and 445 so that SMB is enabled on this domain controller.

  • Create an SPN (service principal name) to set up our Active Directory for attacks (setting up a Kerberoasting attack; this attack targets services, so we want to set up a SQL service).

  • Create a GPO for MARVEL.local (the domain name).

  • Our computers in the network should use the domain controller as their DNS server.

  • Joining our local domain.

  • In the end:

    • We have 2 machines with their usernames and passwords using our domain controller, and using our administrator privilege we create a local administrator on each of them (one local administrator for 2 different machines).

  • 2 machines joined to the domain.
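The lab build steps above, from creating users through registering the SPN, linking a GPO and joining the workstations, can be scripted. The functions below are an added example, not from the original notes or the course they summarise, and they also add an audit for the two mistakes the notes warn about (a service account in Domain Admins, and a password left in the description). MARVEL.local and the DC name Hydra come from the notes; the OU name, account names, SQL host name, DC IP address, adapter name and passwords are placeholders. The ActiveDirectory and GroupPolicy modules are present on the DC; the workstation functions need PowerShell 5.1 or later.

```powershell
# Added example (not from the original notes): the lab build as PowerShell functions,
# plus an audit. Placeholders: OU/account names, SQL host, DC IP, adapter, passwords.

function Initialize-LabDomain {
    # Run on the domain controller (Hydra) in a Domain Admin session.
    Import-Module ActiveDirectory
    Import-Module GroupPolicy

    $domainDN = (Get-ADDomain).DistinguishedName                                        # DC=MARVEL,DC=local
    $userPass = ConvertTo-SecureString 'Placeholder-User-Pass-1!' -AsPlainText -Force   # placeholder
    $svcPass  = ConvertTo-SecureString 'Placeholder-Svc-Pass-1!'  -AsPlainText -Force   # placeholder

    # An OU so GPOs and delegated administration can target just the lab accounts.
    New-ADOrganizationalUnit -Name 'LabUsers' -Path $domainDN
    $ou = "OU=LabUsers,$domainDN"

    # Regular domain users. labuser2 is created from labuser1 as a template (-Instance copies
    # the template's writable attributes, the "inherits when copying" behaviour noted above).
    New-ADUser -Name 'labuser1' -SamAccountName 'labuser1' -UserPrincipalName 'labuser1@MARVEL.local' `
        -Path $ou -Department 'Lab' -AccountPassword $userPass -Enabled $true
    $template = Get-ADUser -Identity 'labuser1' -Properties Department
    New-ADUser -Name 'labuser2' -SamAccountName 'labuser2' -UserPrincipalName 'labuser2@MARVEL.local' `
        -Path $ou -Instance $template -AccountPassword $userPass -Enabled $true

    # SQL service account: deliberately not a Domain Admin, and no password in the
    # description. Registering the SPN is what makes it a Kerberoasting target for the lab.
    New-ADUser -Name 'SQLService' -SamAccountName 'SQLService' -UserPrincipalName 'SQLService@MARVEL.local' `
        -Path $ou -Description 'SQL Server service account' -AccountPassword $svcPass -Enabled $true
    Set-ADUser -Identity 'SQLService' -ServicePrincipalNames @{ Add = 'MSSQLSvc/hydra-dc.MARVEL.local:1433' }
    # Equivalent setspn.exe form: setspn -a MSSQLSvc/hydra-dc.MARVEL.local:1433 MARVEL\SQLService

    # SMB on the DC: enable the built-in file-sharing rules (TCP 139/445) instead of
    # opening the ports by hand.
    Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'

    # Domain-wide GPO linked at the domain root, with one security setting as an example:
    # require SMB signing on the client side.
    $gpo = New-GPO -Name 'Lab Security Baseline'
    New-GPLink -Guid $gpo.Id -Target $domainDN -LinkEnabled Yes | Out-Null
    Set-GPRegistryValue -Name $gpo.DisplayName `
        -Key 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' `
        -ValueName 'RequireSecuritySignature' -Type DWord -Value 1 | Out-Null
}

function Join-LabWorkstation {
    # Run on each workstation as a local administrator. The DC is the DNS server.
    param([string]$DcAddress = '10.0.0.10', [string]$Adapter = 'Ethernet0')   # placeholders
    Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DcAddress
    Add-Computer -DomainName 'MARVEL.local' -Credential (Get-Credential 'MARVEL\Administrator') -Restart
}

function Add-LabLocalAdmin {
    # Run on each joined workstation after the reboot: the same domain account becomes
    # local administrator on every machine (one local administrator for 2 machines).
    param([string]$Account = 'MARVEL\labuser1')
    Add-LocalGroupMember -Group 'Administrators' -Member $Account
}

function Test-LabServiceAccounts {
    # Run on the DC: list every account that has an SPN and flag the two mistakes the
    # notes warn about. krbtgt always has an SPN and is excluded.
    Import-Module ActiveDirectory
    $domainAdmins = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SamAccountName
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, Description |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        ForEach-Object {
            [pscustomobject]@{
                Account               = $_.SamAccountName
                SPNs                  = ($_.ServicePrincipalName -join '; ')
                IsDomainAdmin         = $domainAdmins -contains $_.SamAccountName
                PasswordInDescription = [bool]($_.Description -match 'pass|pwd|credential')
            }
        }
}

# Usage: Initialize-LabDomain on Hydra; Join-LabWorkstation, then Add-LabLocalAdmin after
# the reboot, on each workstation; Test-LabServiceAccounts on Hydra afterwards.
```

For the lab built this way, Test-LabServiceAccounts should report SQLService with IsDomainAdmin and PasswordInDescription both False; if either comes back True for any account, that account is exactly the kind of Kerberoasting target the notes describe, and it is worth fixing before the lab is reused.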
