Primer on Active Directory for OSCP/OSEP/CRTP/CRTE

Hey Squad,

Today we're going to learn about AD basics. This will help you during your cert journey. I hope you like it. Please follow me for more fun stuff.


Let’s start…


Active Directory is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was used only for centralized domain management. [1]

What is LDAP?

Active Directory is based on the Lightweight Directory Access Protocol (LDAP). This protocol provides a common language for clients and servers to speak to one another.

LDAP is a lightweight version of the Directory Access Protocol (DAP). DAP is an X.500 protocol: its clients and servers communicate over the Open Systems Interconnection (OSI) protocol stack rather than TCP/IP, and deploying it requires a large investment. Hence, LDAP was proposed as a lighter version of DAP that retains DAP's core functionality. LDAP is much easier on an organization's wallet, and it runs over TCP/IP.

Active Directory Domain Services (AD DS) provides the methods for storing directory data and making this data available to network users and administrators.

AD DS and its related services form the foundation for enterprise networks that run Windows operating systems. The AD DS database is the central store of all the domain objects, such as user accounts, computer accounts, and groups. AD DS provides a searchable, hierarchical directory and a method for applying configuration and security settings to objects in an enterprise. [2]

In addition, you can use AD DS options to perform actions such as:

  • Installing, configuring, and updating apps.
  • Managing the security infrastructure.
  • Enabling Remote Access Service and DirectAccess.
  • Issuing and managing digital certificates.

AD DS has two types of components: logical components, which are the structures you use to implement an AD DS design, and physical components, which are the tangible objects in an AD DS deployment.

Logical Components

  • Partition: A partition, or naming context, is a portion of the AD DS database. Although the database consists of one file named Ntds.dit, different partitions contain different data. For example, the schema partition contains a copy of the Active Directory schema.
  • Schema: A schema is the set of definitions of the object types and attributes that you use to define the objects created in AD DS.
  • Domain: A domain is a logical administrative container for objects such as users and computers.
  • Domain tree: A domain tree is a hierarchical collection of domains that share a common root domain.
  • Forest: A forest is a collection of one or more domains that have a common AD DS root, a common schema, and a common global catalog.
  • OU: An OU is a container object for users, groups, and computers that provides a framework for delegating administrative rights and administration by linking Group Policy Objects (GPOs).
  • Container: A container is an object that provides an organizational framework for use in AD DS.

Physical Components

  • Domain controller: A domain controller contains a copy of the AD DS database.
  • Data store: A copy of the data store exists on each domain controller.
  • Global catalog server: A global catalog server is a domain controller that hosts the global catalog, which is a partial, read-only copy of all the objects in a multiple-domain forest.
  • Site: A site is a container for AD DS objects, such as computers and services that are specific to a physical location.
  • Subnet: A subnet is a portion of the network IP addresses of an organization assigned to computers in a site.

AD DS forest

A forest is a top-level container in AD DS. Each forest is a collection of one or more domain trees that share a common directory schema and a global catalog. A domain tree is a collection of one or more domains that share a contiguous namespace. The forest root domain is the first domain that you create in the forest.

The following objects exist in the forest root domain:

  • The schema master role.
  • The domain naming master role.
  • The Enterprise Admins group. [Useful in Red teaming]
  • The Schema Admins group. [Useful in Red teaming]

The following objects exist in each domain (including the forest root):

  • The RID master role.
  • The Infrastructure master role.
  • The PDC emulator master role.
  • The Domain Admins group. [Useful in Red teaming]

AD DS domain

An AD DS domain is a logical container for managing user, computer, group, and other objects. The AD DS database stores all domain objects, and each domain controller stores a copy of the database.

Taken from Microsoft

User accounts

User accounts contain information about users, including the information required to authenticate a user during the sign-in process and build the user’s access token.

Computer accounts

Each domain-joined computer has an account in AD DS. You can use computer accounts for domain-joined computers in the same way that you use user accounts for users.

Groups

Groups organize users or computers to simplify the management of permissions and Group Policy Objects in the domain.

The AD DS domain contains an Administrator account and a Domain Admins group. By default, the Administrator account is a member of the Domain Admins group, and the Domain Admins group is a member of every local Administrators group of domain-joined computers. Also, by default, the Domain Admins group members have full control over every object in the domain. [Important]


Trust Relationships

AD DS trusts enable access to resources in a complex AD DS environment. When you deploy a single domain, you can easily grant access to resources within the domain to users and groups from the domain. When you implement multiple domains or forests, you should ensure that the appropriate trusts are in place to enable the same access to resources.

The types of trust in Active Directory are [3]:

  • Parent-child Trust.
  • Tree-Root Trust.
  • Forest Trust.
  • Shortcut Trust.
  • Realm Trust.
  • External Trust.

Parent-child Trust

Parent-child trust is implicitly established. It is a two-way transitive trust. Parent-child trust is automatically generated when a child domain is added to a parent domain. When a new child domain is added, the trust path flows upward through the domain hierarchy.

Tree-Root Trust

Tree-root trust is also a two-way transitive trust, similar to parent-child trust. When a new domain tree is created within a forest, a tree-root trust is automatically created between the new domain tree and all existing tree domains.

Forest Trust

Forest trusts are transitive trusts, and they can be either one-way or two-way. A forest trust is an explicitly created trust between the root domains of two forests. Forest trusts are created manually, as one-way or two-way transitive trusts, and allow you to provide access to resources across multiple forests. They require DNS name resolution to be established between the forests.

A forest trust cannot be extended to other forests. For example, if Forest1.com trusts Forest2.com, and another forest trust is created between Forest2.com and Forest3.com, Forest1.com does not gain an implied trust with Forest3.com. If such a trust is required, it must be created manually.

Shortcut Trust

Shortcut trusts are manually created, one-way, transitive trusts. They can only exist within a forest. They are created to optimize the authentication process by shortening the trust path. These trusts are created when one domain needs to trust another domain directly, bypassing the hierarchy of parent-child and tree-root trusts.

External Trust

An External trust is a one-way non-transitive trust. These trusts are manually established. An external trust is established with an external domain outside the forest of the trusting domain.

Realm Trust

A realm trust is a trust between an AD DS domain or forest and a domain or realm that is not based on Windows Active Directory. A realm trust can be established to provide resource access and cross-platform interoperability between an AD DS domain and a non-Windows Kerberos v5 realm.
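The reachability rules described above (transitive trusts inside a forest, forest trusts that do not chain through a third forest, non-transitive external trusts) as an added example that is not part of the original post. The domain names, forest layout and trust list are constructed for illustration; realm and shortcut trusts are not modelled, since a shortcut trust changes only the path length, not reachability.

```python
# Constructed example forests: domain name -> forest it belongs to.
DOMAINS = {
    "forest1.com": "Forest1",
    "corp.forest1.com": "Forest1",
    "forest2.com": "Forest2",
    "forest3.com": "Forest3",
    "eu.forest3.com": "Forest3",
}

# Manually created trusts: (trusting domain, trusted domain, kind, two_way).
# The trusting side holds the resources; users from the trusted side are accepted.
# Parent-child and tree-root trusts are implicit (two-way, transitive) and not listed.
TRUSTS = [
    ("forest1.com", "forest2.com", "forest", True),            # two-way forest trust
    ("forest2.com", "forest3.com", "forest", False),           # one-way: Forest2 trusts Forest3
    ("corp.forest1.com", "eu.forest3.com", "external", True),  # non-transitive, domain to domain
]


def forest_of(domain):
    return DOMAINS[domain]


def can_access(user_domain, resource_domain):
    """True if a user from user_domain can be authenticated to a resource in resource_domain."""
    if forest_of(user_domain) == forest_of(resource_domain):
        # parent-child and tree-root trusts make every domain in a forest reachable
        return True
    for trusting, trusted, kind, two_way in TRUSTS:
        directions = [(trusting, trusted)] + ([(trusted, trusting)] if two_way else [])
        for res_side, user_side in directions:
            if kind == "forest":
                # a forest trust covers every domain of both forests, but it never
                # chains through a middle forest to reach a third one
                if (forest_of(resource_domain) == forest_of(res_side)
                        and forest_of(user_domain) == forest_of(user_side)):
                    return True
            elif kind == "external":
                # external trusts are non-transitive: exactly the two named domains
                if resource_domain == res_side and user_domain == user_side:
                    return True
    return False
```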


GPO

Since early versions of Windows Server, the Group Policy feature of Windows operating systems has provided an infrastructure with which administrators can define settings centrally and then deploy them to computers across their organizations.

Group Policy is a framework in Windows operating systems with components that reside in AD DS, on domain controllers, and on each Windows Server and client. By using these components, you can manage configuration in an AD DS domain. You define Group Policy settings within a GPO. A GPO is an object that contains one or more policy settings that apply to one or more configuration settings for a user or a computer.

Group Policy is a powerful administrative tool. You can use GPOs to push various settings to a large number of users and computers. Primarily, you use Group Policy to configure settings that you do not want users to configure.

Scope a GPO

You can use several methods to manage the scope of domain-based GPOs. The first is the GPO link. In AD DS, you can link GPOs to:

  • Sites
  • Domains
  • OUs

GPO processing order

The GPOs that apply to a user, computer, or both don’t apply all at once. GPOs apply in a particular order. Conflicting settings that process later might overwrite settings that process first.

Group Policy follows the following hierarchical processing order:

  1. Local GPOs.
  2. Site-linked GPOs.
  3. Domain-linked GPOs.
  4. OU-linked GPOs.
  5. Child OU-linked GPOs.

Access Control Lists (ACLs) and Access Control Entries (ACEs)

In Active Directory, access control lists are tables, or simple lists, that define the trustees who have access to the object in question, and also what type of access they have. A trustee may be any security principal such as a user account, group, or login session. Each access control list has a set of access control entries, and each ACE defines the trustee and the type of access the trustee has. So, an object can be accessed by multiple trustees since there can be multiple ACEs. Access control lists are also used for auditing purposes, such as recording the number of access attempts to a securable object, and the type of access. A securable object is any named object in Active Directory that contains a security descriptor, which has the security information about the object, which includes ACLs. [4]

Types of Access Control Lists

  • Discretionary Access Control List (DACL): This ACL defines the access rights of a trustee to the securable object in question. DACLs contain ACEs that are either access allowed ACEs or access denied ACEs. The system checks the DACL to know the level of access authorized to the object when a trustee attempts to access the object. If a securable object does not have any DACL associated with it, then the system will grant full access to all trustees that are trying to access the object. If the DACL is defined for an object, but there are no ACEs inside the DACL, then the system will deny all trustees access to the object.
  • System Access Control List (SACL): This ACL generates audit logs that specify whether a trustee was attempting to gain access to an object. It also specifies whether access was granted or denied, and if granted, what type of access was given to the trustee. SACLs contain system audit ACEs.
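The DACL rules just listed (no DACL grants everyone full access, an empty DACL denies everyone, and ACEs are evaluated in order) as an added example, not code from the article. The SIDs and the three-bit rights mask are constructed placeholders; the walk stops at the first deny that covers a still-needed right, which is why ACE ordering matters.

```python
from dataclasses import dataclass

# Constructed rights mask for the example (real Windows masks are richer).
READ, WRITE, DELETE = 0x1, 0x2, 0x4
FULL = READ | WRITE | DELETE


@dataclass
class ACE:
    kind: str     # "allow" or "deny"
    trustee: str  # SID of the user or group the entry applies to
    mask: int     # rights this entry grants or denies


def access_check(dacl, token_sids, desired):
    """Return True if a token holding token_sids is granted every bit in desired.

    dacl is None (object has no DACL), [] (empty DACL) or a list of ACEs in
    the order the system evaluates them.
    """
    if dacl is None:
        return True              # no DACL at all: everyone gets full access
    granted = 0
    remaining = desired
    for ace in dacl:
        if ace.trustee not in token_sids:
            continue             # entry is for a trustee not in this token
        if ace.kind == "deny" and ace.mask & remaining:
            return False         # a deny on any still-needed right ends the check
        if ace.kind == "allow":
            granted |= ace.mask & desired
            remaining = desired & ~granted
            if remaining == 0:
                return True      # everything requested has been allowed
    return False                 # empty DACL or never fully granted: access denied


# Constructed placeholder SIDs for a user and a group it belongs to.
USER = "S-1-5-21-1-2-3-1001"
GROUP = "S-1-5-21-1-2-3-513"
TOKEN = {USER, GROUP}

# Canonical order: deny entries first, so the explicit WRITE deny beats the later FULL allow.
CANONICAL = [ACE("deny", USER, WRITE), ACE("allow", GROUP, READ), ACE("allow", USER, FULL)]
# Non-canonical order: the allow is reached first, so the deny is never consulted.
NON_CANONICAL = [ACE("allow", USER, FULL), ACE("deny", USER, WRITE)]
```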

NTLM authentication and Kerberos Authentication Protocols

A network needs security processes in place to avoid the misuse of its resources. An authentication process goes a long way in identifying whether a person is who they say they are, or an impostor. Active Directory employed the NTLM authentication protocol to securely authenticate its users; it was later succeeded by the Kerberos authentication protocol. [5]

How NTLM authentication works

Let’s say that John needs access to a server in a domain of the AD network. Here’s how a user’s password is used to authenticate and gain access to the domain using NTLM authentication:

  • John provides his username, password, and the name of the domain he wants to access on the interactive logon screen of his system which is the client machine.
  • The client computes a hash from John's password and discards the actual password.
  • The client machine then sends John’s username in plain text to the server that John wants to access.
  • The server sends a challenge to the client. This challenge is a 16-byte random number.
  • The client uses the hash generated from John's password to encrypt the challenge sent by the server, and then it sends the encrypted challenge back to the server as its response.
  • The server then sends the challenge, response, and John’s username to the domain controller (DC), or it may verify the authentication process itself.
  • If the server sends the response to the DC, the DC retrieves the hash of the user’s password from its database, and then encrypts the challenge using the hash.
  • The DC then compares the encrypted challenge it has computed to the response sent by the client. If John has entered the right password, then these two will match, and John will be authenticated and granted access to the server.

NTLMv2: A better NTLM authentication process

NTLMv2 is a more secure version of the NTLM protocol discussed above, which is also known as NTLMv1. The main differences from its predecessor are as follows:

  • NTLMv2 provides a variable length challenge instead of the 16-byte random number challenge used by NTLMv1.
  • In NTLMv2, the client adds additional parameters to the server’s challenge such as the timestamp and the username.
  • NTLMv2 also uses the stronger HMAC-MD5 algorithm to compute the response from the server's challenge, keyed with the hash generated from the user's password. NTLMv1 used the relatively weaker DES algorithm.

NTLMv2 gives a better defense against attacks such as replay attacks. However, it is still vulnerable to a man-in-the-middle (MITM) attack, apart from other vulnerabilities. Kerberos was thus implemented as it is an even more secure authentication protocol because of its use of encrypted tickets.
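The NTLMv2 response construction described above (HMAC-MD5 keyed with the password hash, with the user name, domain and a timestamp mixed in), as an added example that is not code from the article. It follows the MS-NLMP layout: the NT hash is taken as a constructed constant rather than derived from a password, the server challenge is 8 bytes as in MS-NLMP, and the timestamp skew check on the verifying side illustrates the replay defence the article mentions rather than any specific Windows policy.

```python
import hmac
import hashlib
import struct
import time

# Constructed placeholder for the NT hash (MD4 of the UTF-16LE password); not a real hash.
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")


def hmac_md5(key, data):
    return hmac.new(key, data, hashlib.md5).digest()


def ntlmv2_hash(nt_hash, user, domain):
    # NTLMv2 binds the password hash to the upper-cased user name and the domain/target name
    return hmac_md5(nt_hash, (user.upper() + domain).encode("utf-16-le"))


def filetime_now():
    # Windows FILETIME: 100-nanosecond intervals since 1601-01-01
    return int((time.time() + 11644473600) * 10_000_000)


def build_blob(timestamp, client_nonce, target_info=b""):
    # NTLMv2_CLIENT_CHALLENGE: version, reserved, timestamp, 8-byte client nonce,
    # reserved, target info (AV pairs), reserved
    return (b"\x01\x01\x00\x00" + b"\x00" * 4 + struct.pack("<Q", timestamp)
            + client_nonce + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(nt_hash, user, domain, server_challenge, blob):
    # client side: NtProofStr = HMAC-MD5(NTLMv2 hash, server challenge || blob), then the blob itself
    proof = hmac_md5(ntlmv2_hash(nt_hash, user, domain), server_challenge + blob)
    return proof + blob


def verify_ntlmv2(stored_nt_hash, user, domain, server_challenge, response,
                  max_skew_s=300, now=None):
    """DC-side check: recompute the proof from the stored hash and reject stale timestamps."""
    proof, blob = response[:16], response[16:]
    expected = hmac_md5(ntlmv2_hash(stored_nt_hash, user, domain), server_challenge + blob)
    if not hmac.compare_digest(proof, expected):
        return False
    timestamp = struct.unpack("<Q", blob[8:16])[0]   # FILETIME sits right after version + reserved
    now = filetime_now() if now is None else now
    return abs(now - timestamp) <= max_skew_s * 10_000_000
```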

How Kerberos authentication works

Let’s say that John is a client who wants access to server A. Here’s how the three components of Kerberos authentication function to provide AD authentication:

  • Initially, when John joins the network, a secret key is generated from the password that John created, and it is shared between John's system (the client) and the KDC.
  • When John enters his user ID and password for authentication, his system generates a secret key using the password entered.
  • His system then sends a plain text message with his user ID and an authentication request to the KDC. The authentication request is time stamped, which reduces the chance of a replay attack. A replay attack is when an attacker captures the plain text message and sends it to the KDC masquerading as the user. However, this takes more time than a request that was not replayed. So, if the request is time stamped, the KDC can detect the delay in receiving the request, and it will deny it if the delay is beyond the set threshold.
  • The AS part of the KDC checks whether John is present in the KDC database. If he is not present, the KDC denies the request. If he is present, the AS sends back a Ticket Granting Ticket (TGT), which is also time stamped and encrypted using the secret key that was generated from John's password.
  • Once the TGT is obtained, John's system decrypts the TGT using the secret key generated from the password. If John entered the right password, the secret key generated by John's system will match the secret key that the KDC used to encrypt the TGT. Thus, the TGT can be decrypted. If the TGT session time lapses, John's system sends another request for a TGT.
  • Once the TGT is decrypted, John's system sends the TGT and a Service Principal Name (SPN) of the required service on server A to the KDC.
  • This time, the TGS part of the KDC verifies the TGT with the database and then sends back an encrypted session key to access server A back to John’s system.

John’s system then sends the Session key to Server A, which verifies the key. Once the session key is validated, John is granted permission to access the service from Server A, thus completing the AD authentication process using the Kerberos protocol.


FAQ

  1. OU vs Container: The primary difference between OUs and containers is the management capabilities. Containers have limited management capabilities. For example, you can’t apply a GPO directly to a container.
  2. Will the domain controller host the global catalog? This option is selected by default when deploying. The global catalog is stored on domain controllers that have been designated as global catalog servers.
  3. Where will the database, log files and SYSVOL folders be created? By default, the database and log files folder is located at C:\Windows\NTDS. By default, the SYSVOL folder is located at C:\Windows\SYSVOL.
  4. Why is NTLM bad? NTLM Relay is an attack that exploits the inability to provide mutual authentication. In an NTLM relay attack, the attacker can intercept the server-client connection and run a man-in-the-middle attack.
  5. What is the Sysvol folder? Why is it used? The Sysvol folder is used to store the server’s copy of the domain’s public files and deliver the policy and logon scripts to domain members. It replicates all the group policies from one domain to other domain controllers in a particular domain.
  6. What is Active Directory Schema? Active Directory Schema is the blueprint of an Active Directory network. All the objects created in an Active Directory network reference the Active Directory Schema for their object type.
  7. What do you understand by RID Master? RID master stands for Relative Identifier Master. It is used to assign unique IDs to the objects created in Active Directory.
  8. What is the full form of SID? Why is it used? SID stands for Security Identifier. It is a unique, variable-length identifier used to identify a trustee or security principal.

Yay!!!

You have learnt about AD 😊. Please give a clap if you found it useful, and follow me for more awesome content.


References

  1. https://en.wikipedia.org/wiki/Active_Directory
  2. https://learn.microsoft.com/en-us/training/modules/introduction-to-ad-ds/2-define-ad-ds
  3. https://zindagitech.com/different-types-of-trusts-in-an-active-directory/
  4. https://www.windows-active-directory.com/access-control-list.html
  5. https://www.windows-active-directory.com/ntlm-and-kerberos-authetication-protocols.html
  6. https://www.javatpoint.com/active-directory-interview-questions