Understanding the Active Directory easiest way 1.0

kashish topiwala
4 min read · Jun 23, 2022

[Figure: Active Directory]

I’ve been researching Active Directory, but I haven’t been able to find material that takes me from scratch to an understanding of AD’s security posture. So I figured, why not collect everything I’ve learned from all the sources into a single series of blogs to aid anyone else who might be interested in learning it too? And so, here we are. I’ll be writing in parts, with all the references and links coming at the end of each blog.

What is Active Directory?

Active Directory is like a phonebook. It stores information about all the objects in the environment: computers, users, printers, etc. It is the most common identity and access management service in the world, and internal assessments are mostly about Active Directory.

We don’t need an unpatched, exploitable vulnerability: we take advantage of what Active Directory does by default. In short, we abuse features, trusts and components. Attacking Active Directory is like attacking from inside the house.

Physical Components of Active Directory

Domain Controller (The Big Cheese):

‣ Hosts a copy of the Active Directory Domain Services directory store (the phonebook). It has all the information on users, computers, which printers are in the network, etc.
‣ Provides authentication and authorization (Kerberos).
‣ Replicates updates to the other domain controllers in the domain and forest (an update made on one is applied across the board).
‣ Provides admin access to manage user accounts and network resources (this is where we add users, computers and policies).

Active Directory Data Store:

‣ It holds the file Ntds.dit. When a domain controller is compromised, this is the file an attacker wants to grab, because it contains everything stored in AD (users, groups, objects, etc.), including the password hashes for every user in that domain.
‣ It is stored in the %SystemRoot%\NTDS folder on every domain controller.

Logical Components of Active Directory

Active Directory Data Store Schema

‣ You can think of the schema as a rule book or blueprint.
‣ It contains the definition of every type of object that can be created in AD.
‣ It enforces rules about object creation.

Domains

‣ Domains are used to group and manage objects in an organization.
‣ Each domain is served by its own domain controller(s).
‣ When you see a name like example.com or example.org, think of it as a domain.

Trees

‣ A tree is a group of domains.
‣ Think of it as a parent node with child nodes.
‣ The domains in a tree trust each other.

[Figure: Trees]

Forests

‣ When you have multiple trees, you start building up forests.
‣ A forest is a collection of one or more domain trees.

[Figure: Forests]

Security perspective: mostly you deal with domains; sometimes, in more advanced AD environments, you deal with trees; it is rare to come up against forests, but it never hurts to learn about them.

Organizational Units (OUs)

OUs are AD containers that can contain users, groups, computers and other OUs.

Trusts

Trusts are how we get access to resources in another domain.
Types of trusts
1) Directional trusts: trust flows from the trusting domain to the trusted domain, in one direction only.

[Figure: Directional Trusts]

2) Transitive trusts: the trusting domain trusts the trusted domain, and it also trusts whatever the trusted domain trusts.

[Figure: Transitive Trusts]
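To make the two trust properties concrete, here is an added example (not part of the original post) that models a small, constructed forest and works out which domains a principal from a given home domain can be granted access to, following trust direction and stopping at non-transitive trusts. The domain names and the trust list are made up for the illustration.

```python
from collections import deque

# Constructed example, not a real environment. Each trust is
# (trusting_domain, trusted_domain, transitive): the trusting domain accepts
# principals from the trusted domain. A two-way trust is simply two entries.
TRUSTS = [
    ("example.com", "corp.example.com", True),   # parent <-> child tree trusts
    ("corp.example.com", "example.com", True),
    ("example.com", "eu.example.com", True),
    ("eu.example.com", "example.com", True),
    ("partner.org", "example.com", False),       # one-way external trust, non-transitive
    ("partner.org", "lab.partner.org", True),    # a second, unrelated tree
    ("lab.partner.org", "partner.org", True),
]


def reachable_domains(home, trusts=TRUSTS):
    """Domains whose resources a principal from `home` can be granted access to.

    Walks trusts against their direction (from trusted to trusting). The first
    hop may use any trust; a non-transitive trust ends the path there, while a
    transitive trust lets the walk continue through further transitive trusts.
    Returns {domain: path_of_domains_from_home}. Trusts only make access
    possible; actual access still depends on group membership and ACLs.
    """
    paths = {}
    queue = deque([(home, [home])])
    while queue:
        current, path = queue.popleft()
        first_hop = current == home
        for trusting, trusted, transitive in trusts:
            if trusted != current or trusting == home or trusting in paths:
                continue
            if not transitive and not first_hop:
                continue  # a non-transitive trust is never inherited via a third domain
            paths[trusting] = path + [trusting]
            if transitive:
                queue.append((trusting, paths[trusting]))
    return paths


if __name__ == "__main__":
    for home in ("corp.example.com", "example.com", "partner.org"):
        print(f"From {home}:")
        for domain, path in sorted(reachable_domains(home).items()):
            print("   ", " -> ".join(path))
```

Running it shows that a corp.example.com principal reaches eu.example.com through the transitive tree trusts but never partner.org, while a partner.org principal cannot reach example.com at all because that trust is one-way.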

Objects

‣ Objects are what goes inside OUs.
‣ Examples: users, contacts, groups, computers, printers, shared folders.

We will deep dive into “Attacking Active Directory” in the next blog.
