AD Overview & Lab Build
Active Directory Overview
What is Active Directory?
Directory service developed by Microsoft to manage Windows domain networks.
Stores information related to objects, such as computers, users, printers, etc.
Authenticates using Kerberos tickets. Non-Windows devices, such as Linux machines, firewalls, etc., can also authenticate to Active Directory via RADIUS or LDAP.
Active Directory is the most commonly used identity management service in the world.
Can be exploited without ever attacking a patchable exploit; instead, we abuse features, trusts, components and more.
Very important in internal assessments and attacks (for hackers).
Physical AD components:
Domain Controllers:
The domain controller (DC) is the box that holds the keys to the kingdom (Active Directory): a server with the AD DS server role installed that has specifically been promoted to domain controller.
Create user accounts or change the main policy.
Host a copy of the AD DS directory store.
Provide authentication and authorization services.
Replicate updates to other domain controllers in the domain and forest.
Allow administrative access to manage user accounts and network resources.
Use a tool called "Active Directory Users and Computers" to manage users and computers, and act as a directory service for resources on the network.
DC - Group Policy Management:
Used to manage all domain user and computer settings remotely.
Uses Group Policy Objects (GPOs) to manage client settings.
Target specific users, computers, groups, OUs.
Install software remotely.
Configure the desktop background and manage which websites can be visited - manage and configure security settings.
AD DS Data stores:
The AD DS data store contains the database files and processes that store and manage directory information for users, services and applications.
Consists of the Ntds.dit file; this is a very sensitive file, and it is the one you search for in a compromise.
Is stored by default in the %SystemRoot%\NTDS folder on all domain controllers.
Is accessible only through DC processes and protocols.
If we have many DCs, one is the main one and critical data is replicated between the DCs.
Logical Active Directory Components:
AD DS schema (rule book): contains the definition of every object that can be created in Active Directory.
Domains: used to group objects together in a single organization.
Trees: Group of domains (parent: contoso.com, children: emea.contoso.com, na.contoso.com).
Forest: Collection of trees (Contoso with its children and another tree with its children, linked together).
OUs: containers for your users, computers and groups (very useful in delegating administrative responsibility).
Trusts: How we get access to resources that might exist in another domain.
Directional: One domain trusts another domain.
Transitive: We have a trusting domain and a trusted domain, but the trusting domain also trusts everything the trusted domain trusts (forest example).
Objects:
Active Directory Lab Build
Setting Up Users, Groups, and Policies:
Local Domain:
Domain Controller - Hydra:
Administrator Domain - If you are a domain user, that means you can log in to the domain:
Note: Users inherit from each other when you create them by copying.
A service account (SQL example) shouldn't be a domain administrator - an administrator shouldn't put the password in the description.
Most domain controllers have a file share, and we want to open up ports 139 and 445 so that we have SMB enabled on this domain controller.
Create an SPN (Service Principal Name) - set up our Active Directory for attacks (setting up a Kerberoasting attack, which is an attack that targets services, so we want to set up a SQL service):
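As an added example (not part of the original notes or of any project's code), this PowerShell function flags the two service-account mistakes noted above: an account with an SPN that sits in a privileged group, and a password left in the description. The function name, the privileged-group list, the regex and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example: audit accounts shaped like Get-ADUser output.
# The function itself needs no AD module, so it also runs on the sample below.
function Test-ServiceAccountHygiene {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Account,
        # Assumption: groups whose membership counts as "privileged".
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators'),
        # Assumption: heuristic for a credential left in the Description field.
        [string]$SecretPattern = '\b(pass(word)?|pwd)\b'
    )
    process {
        $findings = @()
        $hasSpn = @($Account.ServicePrincipalName).Where({ $_ }).Count -gt 0

        # MemberOf holds distinguished names; compare on the leading CN= value.
        $groups = @($Account.MemberOf) | Where-Object { $_ } |
            ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }
        $privileged = @($groups | Where-Object { $PrivilegedGroups -contains $_ })

        if ($hasSpn -and $privileged.Count -gt 0) {
            $findings += "SPN account is in privileged group(s): $($privileged -join ', ')"
        }
        if ($Account.Description -match $SecretPattern) {
            $findings += 'Description looks like it contains a password'
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $Account.SamAccountName
                HasSpn         = $hasSpn
                Findings       = $findings -join '; '
            }
        }
    }
}

# Constructed sample accounts (not from the page), shaped like Get-ADUser output.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-sql-example'; ServicePrincipalName = @('MSSQLSvc/db01.lab.example:1433')
        Description = 'Password is <placeholder>'; MemberOf = @('CN=Domain Admins,CN=Users,DC=lab,DC=example') },
    [pscustomobject]@{ SamAccountName = 'user-example'; ServicePrincipalName = @()
        Description = 'Finance'; MemberOf = @('CN=Domain Users,CN=Users,DC=lab,DC=example') }
)
$sample | Test-ServiceAccountHygiene | Format-List
```

Against a live domain, pipe `Get-ADUser -Filter * -Properties ServicePrincipalName, Description, MemberOf` into the function. `MemberOf` lists direct group membership only, so nested privileged membership needs a separate recursive check.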
Create a GPO for MARVEL.local (domain name):
The computers in our network should have the DNS server set (the domain controller).
Joining our local domain:
In the end:
We have 2 machines, each with their username and password, using our domain controller, and using our administrator privilege we create a local administrator on each of them (one local administrator for 2 different machines).
2 machines joining the domain: