This room explains the basics of Active Directory, a directory service for Windows Domain Networks.
What is Active Directory?
Active Directory is a collection of machines and servers inside a Windows network that help control users and devices on the larger "forest" of domains. Big corporations use Active Directory so that any of their users can login to any PC on the network and access their files, and also to allow the admins to easily control and monitoring of their user’s computer via a single domain controller.
Task 2 – Physical Active Directory
The physical Active Directory is the servers hosted on-site, these can be anything from domain controllers and storage servers to domain user machines; basically everything needed for an Active Directory environment besides the software.
Domain Controllers
A domain controller is a Windows server that has Active Directory Domain Services (AD DS) installed and has been promoted to a domain controller in the forest. Domain controllers are the centre of an Active Directory network, they control the rest of the domain.
The main tasks of a Domain Controller is:
- holds the AD DS data store
- handles authentication and authorization services
- replicate updates from other domain controllers in the forest
- allows admin access to manage domain resources
AD DS
The Active Directory Data Store hols the databases and processes needed to store and manage directory information, such as users, groups and services.
Here is an outline of the contents and characteristics of the AD DS:
- contains the
NTDS.dit
– a database that contains all the information of an Active Directory domain controller as well as password hashes for domain users - stored by default in
%SystemRoot%\NTDS
- accessible only by the domain controller
What database does the AD DS contain?
Where is the NTDS.dit stored?
What type of machine can be a domain controller?
Task 3 – The Forest
The "forest" is what defines everything in an Active Directory network. It is the container that holds all the network pieces together, without it the other trees and domains would not be able to interact.
Forest Overview
A forest is a collection of one or more domain trees inside of an Active Directory network. It is what catagorizes the parts of an AD network as a whole.
The forest consists of these parts:
- Trees – A hierarchy of domains in the Active Directory Domain Services
- Domains – Used to group and manage objects
- Organizational Units (OUs) – Containers for groups, computers, users, printers and other OUs
- Trusts – Allows users to access resources in other domains
- Objects – users, groups, printers, computers, shares
- Domain Services – DNS Server, LLMNR, IPv6
- Domain Schema – Rules for object creation
What is the term for a hierarchy of domains in a network?
What is the term for the rules for object creation?
What is the term for containers for groups, computers, users, printers, and other OUs?
Task 4 – Users + Groups
Users
Users are the core to Active Directory, without them there would be no point having an Active Directory in the first place. There are 4 main types of users you’ll find in an Active Directory network, however that depends on how a company manages the permissions of its users.
The four types of users are:
- Domain Admins – The big boss, they control the domains and the only one with access to the domain controller
- Service Accounts (can be Domain Admins) – These are mainly for network services such as SQL to pair a service with a service account.
- Local Administrators – These users can make changes to local machines as an administrator and may even be able to control other normal users, but they can’t access the domain controller.
- Domain Users – These are the everyday users. They can log in on the machines they are authorized to access and may have local admin rights to certain machines (depending on the organization).
Groups
Groups make it easier to give permissions to users and objects by organizing them into groups with specific permissions. There are two overarching types of Active Directory groups:
- Security Groups – These groups are used to specify permissions for a large number of users.
- Distribution Groups – These groups are used to specifcy email distribution lists. As an attacker these groups can be beneficial in enumeration.
Default Security Groups
There are a lot of default security groups, but here is a brief outline:
- Domain Controllers – All domain controllers in the domain
- Domain Guests – All domain guests
- Domain Users – All domain users
- Domain Computers – All workstations and servers joined to the domain
- Domain Admins – Designated administrators of the domain
- Enterprise Admins – Designated administrators of the enterprise
- Schema Admins – Designated administrators of the schema
- DNS Admins – DNS Administrators Group
- DNS Update Proxy – DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).
- Allowed RODC Password Replication Group – Members in this group can have their passwords replicated to all read-only domain controllers in the domain
- Group Policy Creator Owners – Members in this group can modify group policy for the domain
- Denied RODC Password Replication Group – Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
- Protected Users – Members of this group are afforded additional protections against authentication security threats. See http://go.microsoft.com/fwlink/?LinkId=298939 for more information.
- Cert Publishers – Members of this group are permitted to publish certificates to the directory
- Read-Only Domain Controllers – Members of this group are Read-Only Domain Controllers in the domain
- Enterprise Read-Only Domain Controllers – Members of this group are Read-Only Domain Controllers in the enterprise
- Key Admins – Members of this group can perform administrative actions on key objects within the domain.
- Enterprise Key Admins – Members of this group can perform administrative actions on key objects within the forest.
- Cloneable Domain Controllers – Members of this group that are domain controllers may be cloned.
- RAS and IAS Servers – Servers in this group can access remote access properties of users
Which type of groups specify user permissions?
Which group contains all workstations and servers joined to the domain?
Which group can publish certificates to the directory?
Which user can make changes to a local machine but not to a domain controller?
Which group has their passwords replicated to read-only domain controllers?
Task 5 – Trusts + Policies
Trusts and policies go hand in hand to help the domain and tress communicate with each other and maintain "security" inside the network. They put the rules in place of how the domains inside of a forest can interact with each other, how an external forest can interact with the forest and the overall domain rules or policies that a domain must follow.
Domain Trusts
Trusts are a mechanism in place for users in the network to gain access to other resources in the domain. This means basically that the trusts outline the way that the domains interact inside of a forest communicate with each other. In some environments trusts can be extended out to external domains and even forests in some cases.
There are two types of trusts that determine how the domains communicate, they are:
- Directional – The direction of the trust flows from a trusting domain to a trusted domain.
- Transitive – The trust relationship expands beyond just two domains to include other trusted domains.
The type of trusts put in place determines how the domains and trees in a forest are able to communicate and send data to and from each other when attacking an Active Directory environment, you can sometimes abuse these trusts in order to move laterally throughout the network.
Domain Policies
Policies are a very big part of Active Directory – they dictate how the server operates and what rules it needs to follow. You can think of domain policies like domain groups, except instead of permissions they contain rules, and instead of only applying to a group of users, the policies apply to a domain as a whole. Domain policies act as a rulebook for Active Directory that a domain admin can modify and alter as they deem necessary to keep the network running smoothly and securely.
Along with the very long list of default domain policies, domain admins can choose to add their own policies not already on the domain controller. For example: if you wanted to disable Windows Defender across all machines on the domain you could create a new group policy object to disable Windows Defender.
The options for domain policies are almost endless and are a big factor for attackers when enumerating an Active Directory network.
Here is a few examples of domain policies:
- Disable Windows Defender – Disables Windows Defender across all machine on the domain.
- Digital Sign Communications (Always) – Can disable or enable SMB signing on the domain controller.
What type of trust flows from a trusting domain to a trusted domain?
What type of trusts expands to include other trusted domains?
Task 6 – Active Directory Domain Services + Authentication
The Active Directory domain services are the core fuctions of an Active Directory network; they allow for management of the domain, security certificates, LDAPs and much more. This is how a domain controller decides what it wants to do and what services it wants to provide for the domain.
Domain Services
Domain Services are exactly what they sound like; they are services that the domain controller provides to the rest of the domain or tree. There is a wide range of various services that can be added to a domain controller.
Outlined below are the default domain services:
- LDAP (Lightweight Directory Access Protocol) – provides communication between applications and directory services.
- Certificate Services – allows the domain controll to create, validate and revoke publlic key certificates.
- DNS, LLMNR, NBT-NS – Domain Name Services for indentifying IP hostnames.
Domain Authentication
The most important and most vulnerable part of Active Directory – is the authentication protocols set in place. There are two main types of authentication in place for Active Directory: NTLM and Kerberos. This room only covers the basics of these authentication protocols (as they will be covered in further rooms).
For more information on NTLM and Kerberos check out the "Attacking Kerberos" room: https://tryhackme.com/room/attackingkerberos
- Kerberos – The default authentication service for Active Directory uses ticket-granting tickets and service tickets to authenticate users and give users access to other resources across the domain.
- NTLM – default Windows authentication protocol uses an encrypted challenge/response protocol
What type of authentication uses tickets?
What domain service can create, validate, and revoke public key certificates?
Task 7 – AD in the Cloud
Recently there has been a shift in Active Directory pushing the companies to cloud networks for their companies. The most noteable AD cloud provider is Azure AD. It’s default settings are much more secure than an on-premise physical Active Directory network; however, the cloud AD may still have vulnerabilities in it.
Azure AD
Azure acts as the middle man between your physical Active Directory and your user’s sign on. This allows for a more secure transaction between domains, making a lot of Active Directory attacks ineffective.
Cloud Security
The best way to show you how the cloud takes security precautions past what is already provided with a physical network is to show a comparison with a cloud Active Directory environment:
Windows Server AD | Azure AD |
---|---|
LDAP | Rest APIs |
NTLM | OAuth/SAML |
Kerberos | OpenID |
OU Tree | Flat Structure |
Domains and Forests | Tenants |
Trusts | Guests |
What is the Azure AD equivalent of LDAP?
What is the Azure AD equivalent of Domains and Forests?
What is the Windows Server AD equivalent of Guests?
Task 8 – Hands-On Lab
Playing with PowerView in PowerShell on an AD domain controller… let’s go!
PowerView Setup
powershell -ep bypass
– load a powershell shell with execution policy bypassed – you can either do this inside powershell, cmd, or directly from the run box (Win+R
)
cd Downloads
– navigate to the directory PowerView is in. .\PowerView.ps1
– import the PowerView module
What is the name of the Windows 10 operating system?
- Command –
Get-NetComputer -fulldata | select operatingsystem
What is the second 'Admin' name?
- Command –
Get-NetUser | select cn
Which group has a capital 'V' in the group name?
- Command –
Get-NetGroup
When was the password last set for the SQLService user?
- Command –
Get-NetUser SQLService | select pwdlastset