Theory
What is Active Directory
Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It ships with most Windows Server editions as a set of processes and services. Active Directory plays a crucial role in managing the identities and relationships that make up network environments, and attacking it is a very broad and complex topic.
Key Concepts of Active Directory
Domain: The basic unit of structure in an Active Directory network. A domain is a collection of objects such as users, groups, and computers that are managed centrally.
Forest: A collection of one or more domain trees. Forests enable global policies and trust relationships across multiple domains.
Tree: A hierarchy of domains in Active Directory that share a contiguous namespace.
Organizational Unit (OU): A container within a domain that can hold users, groups, computers, and other OUs. OUs allow the organization of objects within a domain and the application of policies at a granular level.
Global Catalog: A distributed data repository that contains a searchable, partial representation of every object in every domain within a forest. It is used to improve query performance and facilitate logon processes across domains.
Once a Windows system joins a domain, password checks for domain accounts are no longer answered by the local SAM database: they are sent to a Domain Controller instead. The local SAM does not disappear, though. It still holds the machine's local accounts, and you can authenticate against it explicitly by prefixing the username with the hostname of the device, for example WS01\nameofuser (or .\nameofuser, meaning "this machine").
PKI
PKI (Public Key Infrastructure) is a framework that provides for the creation, distribution and management of digital certificates. It enables secure communication over networks by authenticating users, devices and services through public and private key pairs.
ADCS
Active Directory Certificate Services (AD CS) is a Windows Server role for issuing and managing public key infrastructure (PKI) certificates used in secure communication and authentication protocols. In short, it is the implementation of PKI functionality in AD and Windows Server.
CA
Certificate Authority (CA) in Active Directory Certificate Services (ADCS) is a trusted entity responsible for issuing, managing, and validating digital certificates in an Active Directory environment. These digital certificates are used to verify identities, secure communications, and enable authentication across the network.
UPN
UPN (User Principal Name) in Active Directory (AD) is a unique identifier assigned to a user in the form user@domain, so it typically resembles an email address. It can be used to log on to the domain and can be considered a "user-friendly" form of a username that simplifies authentication in a network environment.
Kerberos
Kerberos has been the default authentication protocol for domain accounts since Windows 2000. The main difference from other authentication protocols is that Kerberos uses tickets instead of transmitting passwords (or password-derived challenge responses, as NTLM does) over the network. The image shows a simplified version of the Kerberos authentication process, and then I'll explain everything in parts. For a more detailed explanation I can recommend watching [THIS] video.
The whole ping-pong of tickets and requests is shown here:
Main Kerberos Terms
Key Distribution Center (KDC):
Core of Kerberos authentication: it holds the long-term secret keys of all principals (users, computers, services) and issues session keys and tickets to clients. It is divided into two main components: the Authentication Server (AS) and the Ticket Granting Server (TGS). In Active Directory the KDC runs on every Domain Controller.
Authentication Server (AS):
Part of the KDC that verifies the identity of the client. Upon successful authentication, it issues a Ticket Granting Ticket (TGT) to the client, which can be used to request service tickets from the TGS. The AS has access to the database of long-term keys derived from user passwords (in AD, this lives in NTDS.DIT on the Domain Controller).
Ticket Granting Server (TGS):
Part of the KDC that issues service tickets to clients that have a valid TGT. These service tickets allow the client to authenticate to various services without needing to re-enter their credentials. The TGS also has access to the long-term keys of service (and computer) accounts, which it uses to encrypt service tickets; the target service later decrypts its ticket with its own key.
Ticket Granting Ticket (TGT):
Ticket given by the AS to a client upon successful authentication. It carries the client's identity, a session key shared between client and KDC, and a lifetime, and is used to obtain service tickets from the TGS. The TGT is encrypted with the secret key of the krbtgt account (the key of the KDC/TGS itself), so the client cannot read or modify it; the client receives its own copy of the session key encrypted under its own key.
Service Ticket: This ticket allows a client to authenticate to a specific service. It is encrypted with the service's long-term key and contains information that verifies the client's identity together with a session key that the client and the service can use to communicate securely.
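To make the ticket ping-pong concrete, below is a toy end-to-end simulation of the three exchanges (AS, TGS and the final authentication to the service) written for this page. It is added example code, not Windows or MIT Kerberos code: it uses a simple HMAC-based stand-in for Kerberos encryption types, and the realm name, principals and passwords are constructed. It shows the properties the terms above describe: a wrong password fails at the AS step, the client holds the TGT but cannot read it (krbtgt key), and the service validates its ticket with its own key without ever contacting the KDC.

```python
import hashlib
import hmac
import json
import os
import time

REALM = "CORP.LOCAL"          # assumed realm name (constructed for this example)
TICKET_LIFETIME = 10 * 3600   # seconds; AD's default TGT lifetime is 10 hours
MAX_SKEW = 300                # Kerberos rejects authenticators older than 5 minutes


def derive_key(password, principal):
    """Long-term key from a password, salted with realm + principal (stand-in for string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)


def _keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def seal(key, message):
    """Encrypt-then-MAC a dict under a symmetric key: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    plaintext = json.dumps(message).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Inverse of seal(); raises ValueError on the wrong key or a modified blob."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ciphertext, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered data")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class KDC:
    """Authentication Server and Ticket Granting Server in one object, holding all long-term keys."""

    def __init__(self):
        self.keys = {}

    def add_principal(self, name, password):
        self.keys[name] = derive_key(password, name)

    def as_exchange(self, user, preauth):
        """AS-REQ -> AS-REP. preauth is a timestamp sealed with the user's key; only the real user can make it."""
        user_key = self.keys[user]
        if abs(time.time() - unseal(user_key, preauth)["timestamp"]) > MAX_SKEW:
            raise ValueError("pre-authentication timestamp outside allowed skew")
        session_key = os.urandom(32)
        expires = time.time() + TICKET_LIFETIME
        tgt = seal(self.keys["krbtgt"], {"user": user, "session_key": session_key.hex(), "expires": expires})
        return tgt, seal(user_key, {"session_key": session_key.hex(), "expires": expires})

    def tgs_exchange(self, tgt, authenticator, service):
        """TGS-REQ -> TGS-REP. Opens the TGT with the krbtgt key, checks the authenticator, issues a service ticket."""
        tgt_body = unseal(self.keys["krbtgt"], tgt)
        if time.time() > tgt_body["expires"]:
            raise ValueError("TGT expired")
        session_key = bytes.fromhex(tgt_body["session_key"])
        auth = unseal(session_key, authenticator)
        if auth["user"] != tgt_body["user"] or abs(time.time() - auth["timestamp"]) > MAX_SKEW:
            raise ValueError("authenticator does not match TGT")
        svc_session_key = os.urandom(32)
        ticket = seal(self.keys[service], {"user": tgt_body["user"], "service": service,
                                          "session_key": svc_session_key.hex()})
        return ticket, seal(session_key, {"service": service, "session_key": svc_session_key.hex()})


def client_login(kdc, user, password):
    """Client side of the AS exchange: returns (TGT, TGT session key). A wrong password raises ValueError."""
    user_key = derive_key(password, user)
    tgt, enc_part = kdc.as_exchange(user, seal(user_key, {"timestamp": time.time()}))
    return tgt, bytes.fromhex(unseal(user_key, enc_part)["session_key"])


def client_request_service_ticket(kdc, user, tgt, session_key, service):
    """Client side of the TGS exchange: proves possession of the session key, gets a ticket for the service."""
    authenticator = seal(session_key, {"user": user, "timestamp": time.time()})
    ticket, enc_part = kdc.tgs_exchange(tgt, authenticator, service)
    return ticket, bytes.fromhex(unseal(session_key, enc_part)["session_key"])


def service_accept(service_key, ticket, authenticator):
    """AP-REQ on the service side: the service opens the ticket with its own key, no call to the KDC needed."""
    body = unseal(service_key, ticket)
    auth = unseal(bytes.fromhex(body["session_key"]), authenticator)
    if auth["user"] != body["user"]:
        raise ValueError("authenticator does not match ticket")
    return body["user"]


def demo():
    """Full flow: alice logs in, gets a ticket for cifs/fs01 and authenticates to it. Returns the accepted user."""
    kdc = KDC()
    kdc.add_principal("krbtgt", "krbtgt-long-term-secret")        # constructed secrets, not real ones
    kdc.add_principal("alice", "Winter2024!")
    kdc.add_principal("cifs/fs01", "fs01-machine-account-secret")  # service key = the computer account's key
    tgt, session_key = client_login(kdc, "alice", "Winter2024!")
    ticket, svc_key = client_request_service_ticket(kdc, "alice", tgt, session_key, "cifs/fs01")
    return service_accept(kdc.keys["cifs/fs01"], ticket, seal(svc_key, {"user": "alice", "timestamp": time.time()}))


if __name__ == "__main__":
    print(demo())
```

Running demo() returns "alice". Note how everything hinges on the long-term keys held by the KDC and the service: the client only ever relays blobs it cannot open, and whoever holds the krbtgt key or a service key can mint tickets that the KDC or that service will accept.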
NTDS.DIT
NTDS.DIT stands for New Technology Directory Services Directory Information Tree. It is the main database file of Microsoft's Active Directory Domain Services (AD DS). NTDS.DIT stores and organizes all the information related to objects in the domain, including users, groups, computers and more. It acts as the backbone of Active Directory, housing critical data such as user account details, password hashes, group memberships and other object attributes. The hashes inside it are encrypted with the Password Encryption Key, which is itself protected by the boot key from the SYSTEM registry hive, so extracting credentials from a copy of the file offline requires both NTDS.DIT and the SYSTEM hive.
Important Files Location
%SystemRoot%\NTDS\ntds.dit - default location of the NTDS.DIT file on a Domain Controller. The path can be changed when the DC is promoted; the value actually in use is stored in the registry under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters (DSA Database file).