Active Directory Basics Room


The link for this lab is located here: https://tryhackme.com/room/activedirectorybasics


In this room, we will give an introduction to Active Directory - a staple in modern networks and widely used in large corporate networks.



Task 1 - Introduction

Active Directory is the directory service for Windows Domain Networks used by many top companies and is vital to understand when attacking Windows. It is recommended to have knowledge of basic network services, Windows, networking and PowerShell.

Active Directory is a collection of machines and servers connected inside of domains that are a collective part of a bigger forest of domains that make up the AD network. AD contains many functioning bits and pieces:

  • Domain Controllers

  • Forests, Trees, Domains

  • Users + Groups

  • Trusts

  • Policies

  • Domain Services

The majority of large companies use AD because it allows for the control of their users' computers through a single domain controller. It allows a single user to sign in to any computer on the AD network and have access to their files and folders as well as local storage on that machine.

This allows for any user in the company to use any machine that the company owns, without having to set up multiple users on a machine.



Task 2 - Physical Active Directory

The physical AD is the servers and machines on-premise - anything from domain controllers and storage servers to domain user machines; in short, everything needed for an AD environment besides the software.

A domain controller is a Windows server that has AD Domain Services (AD DS) installed and has been promoted to a domain controller in the forest. Domain controllers are the center of AD - they control the rest of the domain and much more, such as:

  • holding the AD DS data store

  • handling authentication and authorization services

  • replicating updates from other domain controllers in the forest

  • allowing admin access to manage domain resources

The AD DS holds the databases and processes needed to store and manage directory information such as users, groups and services. Below is an outline of some of the contents and characteristics of the AD DS Data Store:

  • Contains the NTDS.dit - database that contains ALL information of an AD domain controller as well as password hashes for domain users

  • Stored by default in %SystemRoot%\NTDS

  • Accessible only by the domain controller

Questions

Q1: What database does the AD DS contain? A: NTDS.dit

Q2: Where is the NTDS.dit stored? A: %SystemRoot%\NTDS.dit

Q3: What type of machine can be a domain controller? A: Windows Server


Task 3 - The Forest

The forest is what defines everything - it is the container that holds all of the other bits and pieces of the network together. Without the forest, all of the other trees and domains would NOT be able to interact.

A forest is a collection of one or more domain trees inside of an AD network. It is what categorizes the parts of the network as a whole. The forest consists of these parts:

  • Trees - a hierarchy of domains in AD DS

  • Domains - used to group and manage objects

  • Organizational Units (OU) - containers for groups, computers, users, printers, and other OUs

  • Trusts - allows users to access resources in other domains

  • Objects - users, groups, printers, computers, shares

  • Domain Services - DNS Server, LLMNR, IPv6

  • Domain Schema - Rules for object creation

Questions

Q1: What is the term for a hierarchy of domains in a network? A: Tree

Q2: What is the term for the rules for object creation? A: Domain Schema

Q3: What is the term for containers for groups, computers, users, printers, and other OUs? A: Organizational Units


Task 4 - Users + Groups

The users and groups that are inside of an AD are up to you; when you create a domain controller, it comes with default groups and two default users (Administrator and Guest).

Users are the core to AD. There are four main types of users you will find in AD networks; however, there can be more depending on how a company manages the permissions of users:

  • Domain Admins - they control the domains and are the only ones with access to the domain controller

  • Service Accounts (can be domain admins) - these are never used except for service maintenance; they are required by Windows for services such as SQL to pair a service with a service account

  • Local Administrators - can make changes to local machines as an admin and may control other normal users, but cannot access the domain controller

  • Domain Users - everyday users; they can log in to machines they have authorization to access and may have local admin rights to machines depending on the organization

Groups make it easier to give permissions to users and objects by organizing them into groups with specific permissions. There are two overarching types of AD groups:

  • Security Groups - used to specify permissions for a large number of users

  • Distribution Groups - used to specify email distribution lists

There are a lot of default security groups:

  • Domain Controllers - All domain controllers in the domain

  • Domain Guests - All domain guests

  • Domain Users - All domain users

  • Domain Computers - All workstations and servers joined to the domain

  • Domain Admins - Designated administrators of the domain

  • Enterprise Admins - Designated administrators of the enterprise

  • Schema Admins - Designated administrators of the schema

  • DNS Admins - DNS Administrators Group

  • DNS Update Proxy - DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).

  • Allowed RODC Password Replication Group - Members in this group can have their passwords replicated to all read-only domain controllers in the domain

  • Group Policy Creator Owners - Members in this group can modify group policy for the domain

  • Denied RODC Password Replication Group - Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain

  • Protected Users - Members of this group are afforded additional protections against authentication security threats. See http://go.microsoft.com/fwlink/?LinkId=298939 for more information.

  • Cert Publishers - Members of this group are permitted to publish certificates to the directory

  • Read-Only Domain Controllers - Members of this group are Read-Only Domain Controllers in the domain

  • Enterprise Read-Only Domain Controllers - Members of this group are Read-Only Domain Controllers in the enterprise

  • Key Admins - Members of this group can perform administrative actions on key objects within the domain.

  • Enterprise Key Admins - Members of this group can perform administrative actions on key objects within the forest.

  • Cloneable Domain Controllers - Members of this group that are domain controllers may be cloned.

  • RAS and IAS Servers - Servers in this group can access remote access properties of users

Questions

Q1: Which type of groups specify user permissions? A: Security Groups

Q2: Which group contains all workstations and servers joined to the domain? A: Domain Computers

Q3: Which group can publish certificates to the directory? A: Cert Publishers

Q4: Which user can make changes to a local machine but not to a domain controller? A: Local Administrator

Q5: Which group has their passwords replicated to read-only domain controllers? A: Allowed RODC Password Replication Group


Task 5 - Trusts + Policies

Trusts and policies go hand in hand to help the domain and trees communicate with each other and maintain security inside of the network. They put the rules in place of how the domains inside of a forest can interact with each other, how an external forest can interact with the forest and the overall domain rules or policies that a domain MUST follow.

Trusts are a mechanism in place for users in the network to gain access to other resources in the domain. For the most part, trusts outline the way that the domains inside of a forest communicate to each other. In some environments, trusts can be extended out to external domains and even forests.

There are two types of trusts that determine how the domains communicate:

  • Directional - The direction of the trust flows from a trusting domain to a trusted domain

  • Transitive - the trust relationship expands beyond just two domains to include other trusted domains

The type of trusts determines how the domains and trees in a forest are able to communicate and send data to and from each other. When attacking an AD environment, you can sometimes abuse these trusts in order to move laterally throughout the network.

Policies dictate how the server operates and what rules it will and will NOT follow. They act as a rulebook for AD that a domain admin can modify and alter as they deem necessary to keep the network running smoothly and securely. Along with the long list of default domain policies, domain admins can choose to add in their own policies not already on the DC.

The options for domain policies are endless and are a big factor for attackers when enumerating AD networks.

Questions

Q1: What type of trust flows from a trusting domain to a trusted domain? A: Directional

Q2: What type of trusts expands to include other trusted domains? A: Transitive


Task 6 - Active Directory Domain Services + Authentication

The AD DS are the core functions of an AD network - they allow for management of the domain, security certificates, LDAPs and more. This is how the domain controller decides what it wants to do and what services it wants to provide for the domain.

Domain Services are services that the DC provides to the rest of the domain or tree. There is a wide range of various services that can be added to a domain controller. Some default domain services are:

  • LDAP - provides communication between apps and directory services

  • Certificate Services - allows domain controller to create, validate, and revoke public key certificates

  • DNS, LLMNR, NBT-NS - Domain Name Services for identifying IP hostnames

The most important part of AD is the authentication protocols set in place. There are two main types of authentication in place for AD - NTLM and Kerberos:

  • Kerberos - the default authentication service for AD; it uses ticket-granting tickets and service tickets to authenticate users and give users access to other resources across the domain

  • NTLM - the default Windows authentication protocol, which uses an encrypted challenge/response exchange

The AD DS are the main access point for attackers and contain some of the most vulnerable protocols for AD.

Questions

Q1: What type of authentication uses tickets? A: Kerberos

Q2: What domain service can create, validate and revoke public key certificates? A: Certificate Services


Task 7 - AD in the Cloud

The most notable AD cloud provider is Azure AD. Its default settings are much more secure than an on-premise physical AD network, but it still has vulnerabilities.

Azure acts as the middle man between your physical AD and your users' sign-on. This allows for a more secure transaction between domains, making a lot of AD attacks ineffective.

The best way to show how the cloud takes security precautions past what is already provided with a physical network is to show a comparison with a cloud AD environment:

(The comparison table is an image in the original; it maps Windows Server AD concepts to their Azure AD equivalents.)

Questions

Q1: What is the Azure AD equivalent of LDAP? A: REST APIs

Q2: What is the Azure AD equivalent of Domains and Forests? A: Tenants

Q3: What is the Windows Server AD equivalent of Guests? A: Trusts


Task 8 - Hands-On Lab

We can take a look at the internals of AD by using PowerShell commands to view machines, computers, users and groups. First, set up PowerView by running the following:

(The PowerView setup command is shown as a screenshot in the original.)

Some example commands are:

Get-NetComputer -FullData | select operatingsystem (gets a list of all operating systems on the domain)

(First screenshot: output of the Get-NetComputer command above.)

Get-NetUser | select cn (gets a list of all users on the domain)

(Second screenshot: output of the Get-NetUser command above.)

Questions

Q2: What is the name of the Windows 10 operating system? A: Looking at the first screenshot above, we can see it is Windows 10 Enterprise Evaluation

Q3: What is the second "Admin" name? A: Looking at the second screenshot, we can see it is Admin2

Q4: Which group has a capital "V" in the group name? A: Using the command "Get-NetGroup" reveals the groups and the answer

Get-NetGroup

Q5: When was the password last set for the SQLService user? A: Using the command "Get-NetUser -Username SQLService | select pwdlastset", we can see it was last set on 5/13/2020 8:26:58 PM

Get-NetUser -Username SQLService | select pwdlastset
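The same enumeration can be done from a defender's side with the RSAT ActiveDirectory module instead of PowerView. This is an added audit script, not part of the TryHackMe room, and it assumes a domain-joined host with RSAT installed, an account that can read the directory, and a one-year threshold (my choice) for what counts as a stale password. It covers the checks from this task (operating systems, password age) together with the privileged groups and trust properties described in Tasks 4 and 5.

```powershell
# Added example (not from the room). Assumes the RSAT ActiveDirectory module is
# available and the current user can read the directory.
Import-Module ActiveDirectory

$StaleDays  = 365   # assumption: passwords older than a year are worth reviewing
$Privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                'Group Policy Creator Owners')   # groups named in Task 4

# 1. Operating systems present in the domain (same idea as
#    Get-NetComputer -FullData | select operatingsystem)
Get-ADComputer -Filter * -Properties OperatingSystem |
    Group-Object OperatingSystem |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 2. Enabled users whose password is older than $StaleDays or never expires
#    (same idea as the pwdlastset check for SQLService). A null PasswordLastSet
#    means "must change at next logon" and is also listed.
$Cutoff = (Get-Date).AddDays(-$StaleDays)
Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object { $_.PasswordLastSet -lt $Cutoff -or $_.PasswordNeverExpires } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires

# 3. Members of privileged groups, expanded through nested groups, and whether
#    each one is also in Protected Users (Task 4). Protected Users only exists
#    at a 2012 R2 or later functional level, hence the error suppression.
$ProtectedUsers = Get-ADGroupMember 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty SamAccountName
foreach ($g in $Privileged) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            [pscustomobject]@{
                Group         = $g
                Member        = $_.SamAccountName
                ProtectedUser = $ProtectedUsers -contains $_.SamAccountName
            }
        }
}

# 4. Trust relationships (Task 5): direction, forest transitivity and the
#    SID-filtering / selective-authentication settings that limit their reach.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, IntraForest,
                  SelectiveAuthentication, SIDFilteringQuarantined
```

Run it in an elevated PowerShell on a domain-joined admin workstation; each section prints its own table, and the second and third are the ones worth keeping as a periodic report.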


Task 9 - Conclusion

That is all the basics of AD that you need to know to understand how it interacts inside of the network. Now that you know the basics, go and find the vulnerabilities inside these networks and see what makes AD such a big deal.
