search

Active Directory (AD)

hashtag
What is Active Directory?

Active Directory (AD) is a system that allows to manage a set of computers and users connected in the same network from a central server.

       ____                         __ 
  o   |    |                       |==|
 /|\  |____| <--------.    .-----> |  |
 / \  /::::/          |    |       |__|
                      v    v
                       .---.
                      /   /|
                     .---. |
                     |   | '
                     |   |/ 
                     '---'  
       ____          ^    ^        ____ 
  o   |    |         |    |       |    |  \o/
 /|\  |____| <-------'    '-----> |____|   | 
 / \  /::::/                      /::::/  / \

The above diagram is known as a domain. A domain is a set of connected computers that shares an Active Directory database, which is managed by the central servers of a domain, that are called domain controllers.

hashtag
Physical AD Components

hashtag
Domain Controller

A domain controller is a server with the AD DS (Active Directory data store) server role installed that has specifically been promoted to a domain controller. It can:

  • host a copy of the AD DS

  • provide authentication and authorization services (Kerberos)

  • replicate updates to other domain controllers in the domain and forest

  • allow administrative access to manage user accounts and network resources

hashtag
AD DS

The AD DS contains the database files and processes that store and manage directory information for users, services, and applications. It:

  • consists of the Ntds.dit file

  • is stored by default in the %SystemRoot%\NTDS folder on all domain controllers

  • is accessible only through the domain controller processes and protocols

hashtag
Logical AD Components

hashtag
AD Schema

The AD DS schema:

  • defines every type of object that can be stored in the directory

  • enforces rules regarding object creation and configuration.

For example:

Objects Types
Function
Examples

Class Object

What objects can be created in the directory

User, Computer

Attribute Object

Information that can be attached to an object

Display name

hashtag
Domains

Domains are used to group and manage objects in an organization. It is:

  • an administrative boundary for applying policies to groups of objects

  • A replication boundary for replicating data between domain controllers

  • An authentication and authorization boundary that provides a way to limit the scope of access to resources

hashtag
Trees

A tree is a hierarchy of domains in AD DS. All domains in the tree:

  • share a contiguous namespace with the parent domain

  • can have additional child domains

  • by default create a two-way transitive trust with other domains

hashtag
Forests

A forest is a collection of one or more domain trees. Forests:

  • share a common schema

  • share a common configuration partition

  • share a common global catalog to enable searching

  • enable trusts between all domains in the forest

  • share the Enterprise Admins and Schema Admins groups

hashtag
Organizational Units (OUs)

OUs are AD containers that can contain users, groups, computers, and other OUs. OUs are used to:

  • represent your organization hierarchically and logically

  • manage a collection of objects in a consistent way

  • delegate permissions to administer groups of objects

  • apply policies

hashtag
Trusts

Trusts provide a mechanism for users to gain access to resources in another domain. Types of trusts:

Types of Trusts

  • All domains in a forest trust all other domains in the forest

  • Trusts can extend outside the forest

hashtag
Objects

Objects

hashtag
NTLM Authentication

NTLM (NT LAN Manager) authentication is used when a client authenticates to a server by IP address (instead of by hostname), or if the user attempts to authenticate to a hostname that is not registered on the AD integrated DNS server. Likewise, third-party applications may choose to use NTLM authentication instead of Kerberos authentication.

The NTLM authentication is composed by 3 messages/phases: NEGOTIATE, CHALLENGE and AUTHENTICATE:

hashtag
Kerberos Authentication

While NTLM authentication works through a principle of challenge-response, Windows-based Kerberos authentication uses a ticket system. Kerberos focuses on the use of tokens called "tickets" that allows an user to be authenticated against a principal. At a high level, Kerberos client authentication to a service in AD involves the user of a domain controller in the role of a key distribution center (KDC).

hashtag
Reference

LogoAttacking Active Directory: 0 to 0.9 | zer1t0zer1t0.gitlab.iochevron-right
Attacking Active Directory: 0 to 0.9 - zer1t0
PreviousLinux: sshuttleNextInitial Compromise

Last updated