Active Directory

This page contains notes on Active Directory components, Active Directory enumeration techniques, and mitigations against that enumeration.

Active Directory Components

  • Domain Controllers:
    • Hold the AD DS data store
    • Handle authentication and authorization services
    • Replicate updates from other domain controllers in the forest
    • Provide admin access for managing domain resources
  • AD DS Data Store:
    • Contains NTDS.dit, the database that holds all AD DS information, including password hashes for domain users
    • Stored by default in %SystemRoot%\NTDS
    • Accessible only by the domain controller
  • Forest
    • Top-level container that holds all the pieces of an AD network
    • A forest is a collection of one or more domain trees
    • Forest consists of:
      • Trees - A hierarchy of domains in Active Directory Domain Services
      • Domains - Used to group and manage objects
      • Organizational Units (OUs) - Containers for groups, computers, users, printers and other OUs
      • Trusts - Allows users to access resources in other domains
      • Objects - users, groups, printers, computers, shares
      • Domain Services - DNS Server, LLMNR, IPv6
      • Domain Schema - Rules for object creation
  • Users
    • 4 primary types of user accounts:
      • Domain admins
      • Service accounts
      • Local administrators
      • Domain users
  • Groups
    • Distribution groups: specify email distribution lists
    • Security groups: specify permissions for large number of users, including the following default security groups:
      • Domain Controllers - All domain controllers in the domain
      • Domain Guests - All domain guests
      • Domain Users - All domain users
      • Domain Computers - All workstations and servers joined to the domain
      • Domain Admins - Designated administrators of the domain
      • Enterprise Admins - Designated administrators of the enterprise
      • Schema Admins - Designated administrators of the schema
      • DNS Admins - DNS Administrators Group
      • DNS Update Proxy - DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).
      • Allowed RODC Password Replication Group - Members in this group can have their passwords replicated to all read-only domain controllers in the domain
      • Group Policy Creator Owners - Members in this group can modify group policy for the domain
      • Denied RODC Password Replication Group - Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
      • Protected Users - Members of this group are afforded additional protections against authentication security threats. See http://go.microsoft.com/fwlink/?LinkId=298939 for more information.
      • Cert Publishers - Members of this group are permitted to publish certificates to the directory
      • Read-Only Domain Controllers - Members of this group are Read-Only Domain Controllers in the domain
      • Enterprise Read-Only Domain Controllers - Members of this group are Read-Only Domain Controllers in the enterprise
      • Key Admins - Members of this group can perform administrative actions on key objects within the domain.
      • Enterprise Key Admins - Members of this group can perform administrative actions on key objects within the forest.
      • Cloneable Domain Controllers - Members of this group that are domain controllers may be cloned.
      • RAS and IAS Servers - Servers in this group can access remote access properties of users
  • Domain Trusts
    • Put rules into place about domain interactions
    • Trusts allow users to gain access to other domain resources
    • Types of trusts:
      • Directional - The direction of the trust flows from a trusting domain to a trusted domain
      • Transitive - The trust relationship expands beyond just two domains to include other trusted domains
  • Domain Policies
    • Like domain groups, except instead of permissions they contain rules
  • Active Directory Domain Services
    • Services that a domain controller provides to the rest of the domain or tree
    • Default domain services:
      • LDAP - Lightweight Directory Access Protocol; provides communication between applications and directory services
      • Certificate Services - allows the domain controller to create, validate, and revoke public key certificates
      • DNS, LLMNR, NBT-NS - name resolution services that map hostnames to IP addresses
  • Domain Authentication
    • Kerberos: the default authentication service for Active Directory; it uses ticket-granting tickets and service tickets to authenticate users and grant them access to resources across the domain.
    • NTLM: the default Windows authentication protocol; it uses an encrypted challenge/response exchange.
  • Azure AD
    • Operates as a middle man between user sign-on and the on-premises Active Directory
    • Comparison between Windows Server AD and Azure AD:
      • LDAP in Windows Server = Rest APIs in Azure AD
      • NTLM in Windows Server = OAuth/SAML in Azure AD
      • Kerberos in Windows Server = OpenID in Azure AD
      • OU Trees in Windows Server = Flat Structure in Azure AD
      • Domains and Forests in Windows Server = Tenants in Azure AD
      • Trusts in Windows Server = Guests in Azure AD

Microsoft Management Console AD Enumeration

  • Windows Server roles and features can be managed remotely from a workstation by using Remote Server Administration Tools for Windows
  • To install RSAT on a Windows workstation:
    • Press Start
    • Search "Apps & Features" and press enter
    • Click Manage Optional Features
    • Click Add a feature
    • Search for "RSAT"
    • Select relevant RSAT tools and click Install
  • Once RSAT is installed on a workstation, MMC snap-ins can be used for administering AD:
    • To add the AD administration snap-ins to MMC:
      • Open MMC -> File -> Add/Remove Snap-in -> choose the first 3 AD snap-ins

Command Prompt AD Enumeration

PowerShell AD Enumeration

  • Common PowerShell cmdlets for enumerating AD:
    • Enumerate AD Users: Get-ADUser
      • Example: Get-ADUser -Identity gordon.stevens -Server za.tryhackme.com -Properties *
      • Example: Get-ADUser -Filter 'Name -like "*stevens"' -Server za.tryhackme.com | Format-Table Name,SamAccountName -A
    • Enumerate AD Groups: Get-ADGroup
      • Example: Get-ADGroup -Identity Administrators -Server za.tryhackme.com
    • Enumerate AD Group Members: Get-ADGroupMember
      • Example: Get-ADGroupMember -Identity Administrators -Server za.tryhackme.com
    • Enumerate AD Objects: Get-ADObject
      • Example: Get-ADObject -Filter 'badPwdCount -gt 0' -Server za.tryhackme.com
    • Get domain info: Get-ADDomain
      • Example: Get-ADDomain -Server za.tryhackme.com
    • Force password change: Set-ADAccountPassword
      • Example: Set-ADAccountPassword -Identity gordon.stevens -Server za.tryhackme.com -OldPassword (ConvertTo-SecureString -AsPlaintext "old" -force) -NewPassword (ConvertTo-SecureString -AsPlainText "new" -Force)
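The cmdlets above can be combined into a single audit of the privileged groups listed earlier on this page. This is an added example, not code from the original notes: it resolves group membership recursively and reports enabled accounts whose password is older than a limit. It assumes the RSAT ActiveDirectory module is installed and the session is domain-joined; the -Server value (reused from the examples above), the group list and the 180-day limit are assumptions to adjust.

```powershell
# Added example: audit privileged group membership with the cmdlets from these notes.
# Assumptions: RSAT ActiveDirectory module present, domain-joined session,
# -Server and the password-age limit chosen for this example.
param(
    [string]$Server = 'za.tryhackme.com',
    [int]$MaxPasswordAgeDays = 180
)
Import-Module ActiveDirectory

# Groups named in the "Groups" section above (Enterprise/Schema Admins exist only in
# the forest root domain, so lookups may fail elsewhere; those are skipped silently).
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Group Policy Creator Owners'

$findings = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups so indirect members are reported too
    $members = Get-ADGroupMember -Identity $group -Server $Server -Recursive -ErrorAction SilentlyContinue |
               Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName -Server $Server `
                        -Properties PasswordLastSet, LastLogonDate, Enabled, badPwdCount
        [pscustomobject]@{
            Group           = $group
            SamAccountName  = $u.SamAccountName
            Enabled         = $u.Enabled
            PasswordAgeDays = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
            LastLogonDate   = $u.LastLogonDate
            BadPwdCount     = $u.badPwdCount
        }
    }
}

# Report enabled privileged accounts whose password is stale or was never set
$findings |
    Where-Object { $_.Enabled -and ($null -eq $_.PasswordAgeDays -or $_.PasswordAgeDays -gt $MaxPasswordAgeDays) } |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table -AutoSize
```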

PowerView AD Enumeration

Sharphound AD Enumeration

  • Sharphound is the data collector for Bloodhound, the tool that visually displays the collected AD relationships.
  • Components of Sharphound:
    • Sharphound.ps1: Older PowerShell script for running Sharphound
    • Sharphound.exe: Windows executable version for running Sharphound
    • AzureHound.ps1: PowerShell script for running Sharphound for Azure
    • Bloodhound components can be downloaded here: https://github.com/BloodHoundAD/BloodHound
  • Bloodhound and Sharphound versions should match
  • The collected domain data is written to JSON files, which are then uploaded into Bloodhound for analysis
  • Sharphound.exe --CollectionMethods <Methods> --Domain za.tryhackme.com --ExcludeDCs
    • CollectionMethods: determines what kind of data Sharphound will collect
    • Domain: specifies the domain to enumerate
    • ExcludeDCs: instructs Sharphound not to query domain controllers, which reduces the chance of detection

Other AD Enumeration Techniques

AD Enumeration Mitigations

  • Look for accounts with an excessive number of logon events; PowerView in particular generates a large volume of logon events across many hosts
  • Write signature detection rules for specific enumeration techniques like SharpHound binaries and AD-RSAT tools
  • Monitor the use of command prompt and PowerShell
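The three mitigations above can be turned into a simple detection script. This is an added example, not part of the original notes: it counts network logons (event 4624, logon type 3) per account and source address in a time window, flags those above a threshold, and searches PowerShell script-block logs (event 4104) for the collector names mentioned on this page. It assumes it runs on a host that holds the relevant Security and PowerShell/Operational logs (a domain controller or a log collector) with rights to read them; the window, the threshold and the pattern list are assumptions to tune.

```powershell
# Added example: hunt for enumeration activity in Windows event logs.
# Assumptions: run where the Security and PowerShell/Operational logs live,
# with read access; $Hours, $Threshold and $patterns are example values.
param(
    [int]$Hours = 1,
    [int]$Threshold = 50
)
$since = (Get-Date).AddHours(-$Hours)

# Read EventData fields by name (not by positional index) so the lookup
# survives schema differences between Windows versions.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Excessive network logons per account and source address (PowerView-style sweeps)
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            User      = Get-EventField $_ 'TargetUserName'
            Source    = Get-EventField $_ 'IpAddress'
            LogonType = Get-EventField $_ 'LogonType'
        }
    } |
    Where-Object { $_.LogonType -eq '3' -and $_.User -notlike '*$' }   # network logons, skip machine accounts

$logons | Group-Object User, Source |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'User, Source'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# 2. Signature match on script-block logging for the collectors named in these notes
$patterns = 'SharpHound', 'Invoke-BloodHound', 'PowerView'
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $msg = $_.Message; $patterns | Where-Object { $msg -match $_ } } |
    Select-Object TimeCreated, Id, @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } } |
    Format-Table -AutoSize
```

Script-block logging (event 4104) must be enabled through Group Policy for the second check to return anything.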