💎
kashz-jewels
  • kashz jewels
  • about kashz
  • oscp exam review
  • pnpt exam review
  • certification exam
  • c2 frameworks
  • kashz-kali
  • OS-LINUX
    • basic
    • linux-enumeration
      • enumeration auto
      • enumeration manual
    • linux-privilege-escalation
      • socat shells
      • sudo su styles
      • dirtyc0w
  • OS-WINDOWS
    • basic
    • windows-enumeration
      • enumeration auto
      • enumeration manual
      • enumeration tools
    • windows-privilege-escalation
      • privesc tools
      • steal NTLM creds
      • socat shells
      • beef browser exploitation
    • windows-post-exploitation
      • dump SAM SYSTEM
      • RDP tools
    • windows-bypass-uac
      • fodhelper
    • windows meterpreter
  • SHELLCODES
    • shells
    • windows shells
  • ACTIVE-DIRECTORY
    • active directory 101
    • kerberos 101
    • asrep roasting
    • kerberoasting
    • powerview.ps1
    • ad module
    • bloodhound
    • golden silver passing ticket
    • group policy management
    • dcsync
    • kerberos backdoor
    • mitm6
    • smb relay ntlmrelayx
    • responder
    • zero logon exploit
    • untested tools
  • OSINT
    • osint
  • BUFFER OVERFLOW GUIDE
    • exploit.py
    • fuzzer.py
    • methodology
  • HASH-n-CRACK
    • crackmapexec
    • hash identifier
    • hashcat
    • hydra
    • john the ripper
    • medusa
    • ncrack
    • rsa
  • TRICKS
    • .mdb file
    • 403 forbidden waf bypass
    • archive, unarchive
    • asp.net server
    • awscli
    • bash scripting
    • bypass bash restrictions
    • curl
    • ffuf wfuzz feroxbuster gobuster
    • file modification
    • git commands
    • git repo analysis
    • http request smuggling
    • json web token (jwt)
    • kali exploit compilation
    • kali multi-network adapters
    • local discovery
    • login bypass
    • magic bytes
    • nmap
    • office document analysis and exploitation
    • openvpn
    • pgp gpg cheatsheet
    • php wrappers, LFI
    • port forwarding
    • port knocking
    • post upload file
    • share files
    • ssh tunnel
    • subnet scan
    • ssh
    • wget
    • wifi
    • windows AppLocker bypass
    • wordlists
    • xss steal cookie
  • PROTOCOLS
    • dns :53
    • epmd :4369
    • ftp :21
    • ident :113
    • imap :143 :993
    • ipsec ike-vpn :500/udp
    • irc
    • ldap :389 :636 :3268 :3269
    • rpc
    • smb :135 :139 :445
    • smtp :25
    • subversion svn :3690
    • tftp :69
  • ATTACKS
    • .hta exploit
    • network scripts
    • print nightmare
    • ssrf
    • xml external entity XXE
  • CHEATSHEET
    • docker
    • drupal
    • gitlab rails
    • impacket guide
    • itemir/apache2fa
    • jenkins
    • jinja2 flask template injection
    • mimikatz
    • powershell
    • redis
    • sqli oracle odat
    • sqli basic
    • sqli influxql
    • sqli mongo
    • sqli ms-sql
    • sqli mysql
    • sqli oracle-sql
    • sqli postgres-sql
    • telnet
    • webdav
    • wordpress
  • SERVICES
    • achat
    • adminLTE
    • adminer.php
    • comment system
    • amanda
    • apache
    • apache exploits
    • apphp microblog
    • arj
    • azure cloud
    • b2evolution
    • bigtree cms
    • bludit cms
    • booked scheduler
    • cacti
    • centreon
    • chef knife
    • cloudMe
    • cms made simple
    • cmsmini
    • coldfusion
    • corehttp
    • cs cart
    • cse online bookstore
    • cuppa cms
    • cutenews cms
    • distccd (DistCC Daemon)
    • docker
    • dolphin2 cms
    • dosbox
    • drupal
    • elastic freepbx
    • elasticsearch kibana
    • epmd
    • exim
    • fail2ban
    • ftp exploits
    • fudforum
    • gitlab community edition
    • gunicorn
    • gym management system
    • h2 database
    • hp power manager
    • iis
    • james remote admin tool
    • jenkins exploits
    • katris
    • koken cms
    • ladon framework
    • laravel
    • lxd
    • magento
    • manage engine applications manager
    • manage engine service desk plus
    • mantis bugtracker
    • monstra cms
    • msfvenom apk
    • mysql exploit
    • nagios xi
    • network video monitoring system
    • nextcloud
    • nginx
    • nodebb
    • nostromo
    • nsclient
    • nsupdate
    • openNetAdmin ona
    • opendocman
    • openemr
    • opensmtpd
    • osclass
    • orient-db-server
    • otrs open ticket request system
    • ovidentia
    • pfsense
    • php file vault
    • php powerbrowse
    • php
    • phpliteadmin
    • phpmyadmin
    • phreebooks bizuno
    • plantronics hub
    • postfix smtp
    • postgres
    • python2 python3
    • quick cms
    • rabbitmq
    • raspAP
    • rconfig management
    • redis exploits
    • rejetto httpfileserver
    • remote-mouse
    • responsive filemanager
    • saltstack
    • sendmail
    • simple php photo gallery
    • small crm
    • smartermail
    • smartstore.net
    • smb exploits
    • sonatype nexus
    • splunk universal forwarder
    • ssh exploits
    • strapi cms
    • subrion cms
    • sudo
    • teamviewer
    • tmux
    • tomcat
    • umbraco
    • unifi video
    • unreal irc
    • usbcreator
    • vtiger crm
    • webcalendar
    • webmin :10000
    • werkzeug httpd
    • windows UsoSvc service
    • windows exploits
    • windows iot core
    • windows token exploits
    • wise care 365, wisebootassistant
    • wordpress plugin exploits
    • xampp
    • yaml
    • yum
    • zabbix
    • zenphoto cms
    • zookeeper exhibitor
Powered by GitBook
On this page
  • TLDR;
  • Long Explanation
  • Domain Controller
  • Forest
  • User + Groups
  • Trusts + Policies
  • AD Services
  • AD Auth
  • Reference

Was this helpful?

  1. ACTIVE-DIRECTORY

active directory 101

TLDR;

  1. Let's start with a domain; say (kashz.com)

  2. Hierarchy of domains forms a tree.

  • (kashz.com)

    • (writeups.kashz.com)

    • (jewels.kashz.com)

  1. Different trees together forms a forest.

Inside a domain:

  1. Organization Units (OUs) - collection of objects.

  2. Objects can be any of the following:

    1. User

    2. Contact

    3. Groups

    4. Computers

    5. Printers

    6. Shared Folders

Long Explanation

Active Directory consists of

  1. 1 or more Domain Controller (mainly for fault tolerance)

  2. 1 or more storage servers / user workstations

Domain Controller

  • has the AD domain services data store installed

  • promoted to a domain controller in the forest

  • center of Active Directory; controls the rest of the domain

  • handles authentication and authorization services

  • replicate updates from other domain controllers in the forest

  • allows admin access to manage domain resources

AD DS data store

  • Contains the NTDS.dit well as password hashes for domain users

  • Stored by default in %SystemRoot%\NTDS

  • accessible only by the domain controller

Default Paths

  • Database folder: C:\Windows\NTDS

  • Log files folder: C:\Windows\NTDS

  • SYSVOL folder: C:\Windows\SYSVOL

Forest

Collection of one or more domain trees inside an Active Directory network. It can contain:

  • Trees - A hierarchy of domains in Active Directory Domain Services (collection of domains)

  • Domains - Used to group and manage objects

  • Organizational Units (OUs) - Containers for groups, computers, users, printers and other OUs

  • Trusts - Allows users to access resources in other domains

  • Objects - users, groups, printers, computers, shares

  • Domain Services - DNS Server, LLMNR, IPv6

  • Domain Schema - Rules for object creation

User + Groups

Default DC comes with default groups and two default users: Administrator and guest.

Users

Four main types of users:

  • Domain Admins - control the domains and are the only ones with access to the DC

  • Service Accounts - for service maintenance

  • Local Administrators - can login to local machines as administrators; cannot access the DC

  • Domain Users - Normal users who can log in to machines they have the authorization to access.

Groups

Allows giving permissions to users and objects by organizing them into groups.

  • Security Groups - specify perms for a large number of users

  • Distribution Groups - specify email distribution lists.

Default Security Groups

  • Domain Controllers - All domain controllers in the domain

  • Domain Guests - All domain guests

  • Domain Users - All domain users

  • Domain Computers - All workstations and servers joined to the domain

  • Domain Admins - Designated administrators of the domain

  • Enterprise Admins - Designated administrators of the enterprise

  • Schema Admins - Designated administrators of the schema

  • DNS Admins - DNS Administrators Group

  • DNS Update Proxy - DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).

  • Allowed RODC Password Replication Group - Members in this group can have their passwords replicated to all read-only domain controllers in the domain

  • Group Policy Creator Owners - Members in this group can modify group policy for the domain

  • Denied RODC Password Replication Group - Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain

  • Protected Users - Members of this group are afforded additional protections against authentication security threats.

  • Cert Publishers - Members of this group are permitted to publish certificates to the directory

  • Read-Only Domain Controllers - Members of this group are Read-Only Domain Controllers in the domain

  • Enterprise Read-Only Domain Controllers - Members of this group are Read-Only Domain Controllers in the enterprise

  • Key Admins - Members of this group can perform administrative actions on key objects within the domain.

  • Enterprise Key Admins - Members of this group can perform administrative actions on key objects within the forest.

  • Cloneable Domain Controllers - Members of this group that are domain controllers may be cloned.

  • RAS and IAS Servers - Servers in this group can access remote access properties of users

Trusts + Policies

Trusts

Specify the way that the domains inside a forest communicate to each other.

  • Directional (A -> B)

  • Transitive (A -> B -> C so A -> C)

Policies

Dictates how the server operates and what rules it will and will not follow.

AD Services

Default domain services:

  • LDAP - provides communication between applications and directory services

  • Certificate Services - allows the domain controller to create, validate, and revoke public key certificates

  • DNS, LLMNR, NBT-NS - Domain Name Services for identifying IP hostnames

AD Auth

Windows

  • Kerberos - default auth service for AD; uses ticket-granting tickets and service tickets to authenticate users and give users access to other resources across the domain.

  • NTLM - default Windows auth protocol uses an encrypted challenge/response protocol

Linux

  • RADIUS Protocl

  • LDAP

Reference

Previouswindows shellsNextkerberos 101

Last updated 3 years ago

Was this helpful?

TryHackMe AD Room