ACTIVE DIRECTORY-HTB

It's always easier to "break" things if we already know how to build them

Active Directory Structure

Give the following a read!

Active Directory Domain Services (AD DS) gives an organization ways to store directory data and make it available to both standard users and administrators on the same network. AD DS stores information such as usernames and passwords and manages the rights needed for authorized users to access this information. It was first shipped with Windows Server 2000; it has come under increasing attack in recent years. It is designed to be backward-compatible, and many features are arguably not "secure by default." It is difficult to manage properly, especially in large environments where it can be easily misconfigured.

Attributes

Every object in Active Directory has an associated set of attributes used to define characteristics of the given object. A computer object contains attributes such as the hostname and DNS name. All attributes in AD have an associated LDAP name that can be used when performing LDAP queries, such as displayName for Full Name and givenName for First Name.

Forest >> Domain Controllers >> OU (Organizational Units) >> Objects (users, computers, groups)

It is a kind of service used in Windows. A company has many people, and Active Directory is there to provide each user with services automatically. I cannot go to each person manually and tell them to download this service and that; instead, the services are set up once in an automated way. When a new employee arrives, I just create their Active Directory account and they are good to go to use the services.

authentication && authorization

authentication --->> the user proves who they are

authorization ---->> decides how much access the user gets to services

Active Directory protocols

LDAP (Lightweight Directory Access Protocol); internally it uses Kerberos for secure login

RPC client, DNS, SMB

Group Policy Object

  • These are rules and settings that apply to all computers on the network

  • For example: password policy, software installation, security settings, etc.

Password complexity and so on.

LDAP

LDAP IS USED TO WORK WITH THE DIRECTORY'S INFORMATION

KERBEROS

SECURE AUTHENTICATION

SMB

FILE SHARING, INITIAL ACCESS >> USER CAN SEE THE FILES

DNS

USED TO RESOLVE AD OBJECTS, FOR EXAMPLE DC01.DOMAIN.LOCAL

Why DNS is essential in Active Directory:

  1. Locating Domain Controllers: When your computer wants to log in to the domain, it must know where the Domain Controller is. DNS is what tells it which IP address hosts the controller for the "xyz.com" domain.

  2. Service Location (SRV Records): DNS has special records called SRV records. These records tell which services (such as authentication, LDAP, Kerberos) are available where. Active Directory depends on these records.

  3. Name Resolution: When you want to access a computer or server by name (such as "server1.company.local"), DNS converts that name into an IP address and helps establish the connection.

  4. Replication: Multiple Domain Controllers need DNS to communicate with each other so that replication works properly.

Simple analogy: Think of Active Directory as a large office building. DNS is the directory board at the entrance that tells you which department is on which floor, which lifts are working, etc. Without the directory you would get lost!

DNS (Domain Name System) helps clients and services locate domain controllers and converts computer names into IP addresses, which is essential for Active Directory.

Remote Procedure Call

Used for remote tasks.

Important

So if an attacker extracts even a single set of company credentials through phishing, they can enumerate the whole Active Directory using BloodHound.

Once access to even one user is obtained, I can learn who the admin is, which machines are active and what they are connected to; I can see what is going on in the system.

Important concepts

From an attacker's perspective: weak credentials, open shares, open systems, privileged accounts, unpatched systems.

Zerologon

In this we get access to the domain controller without a password.

PrintNightmare

Privilege escalation through the printer.

noPac attack (2021)

From a normal user to full Domain Admin.

BloodHound

It basically shows the full map properly.

SharpHound

Collects the data and hands it over.

ldapsearch && LDAP dump

Used to pull data directly (information can be extracted).

PowerView

Used to enumerate AD objects.

Impacket tools, etc.


✅ ACTIVE DIRECTORY — SUPER CRISP NOTES (For HTB + Interviews + Exams)


🔹 Object

Any resource in AD is an Object. Example: User, Computer, OU, Printer, etc.


🔹 Attributes

Every object has information stored about it; these are its Attributes. Example: displayName, givenName, objectGUID, etc.


🔹 Schema

The blueprint of AD. Defines:

  • Which objects can exist (Classes)

  • Which attributes they have

Example: user class, computer class.


🔹 Domain

Logical grouping of AD objects under one namespace. Example: inlanefreight.local.


🔹 Forest

Top-level container of AD. Contains: Domains, users, computers, GPOs, etc.


🔹 Tree

Hierarchical group of domains inside a forest. Child → Parent relationship.


🔹 Container

Object that holds other objects. Example: OU.


🔹 Leaf

Object that cannot contain other objects. Example: User, Computer.


🔹 GUID

Object ka unique 128-bit identifier. Never changes, even if object moves.


🔹 Security Principals

Anything that can authenticate:

  • Users

  • Computers

  • Services


🔹 SID

Unique security identifier for each principal. Stored in tokens for access control.


🔹 DN (Distinguished Name)

Full path of AD object. Example: cn=bjones,ou=IT,ou=Employees,dc=inlanefreight,dc=local


🔹 RDN (Relative DN)

Only the object's own name. Example: cn=bjones


🔹 sAMAccountName

Legacy logon username. Example: bjones


🔹 UPN

Email-style username. Example: bjones@inlanefreight.local
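The DN, RDN, sAMAccountName and UPN notes above, worked through in code as an added example (not from the original notes): a small RFC 4514 DN parser that recovers the RDN, the OU path and the domain FQDN from the page's own DN, and builds the UPN from the sAMAccountName. The assumption that the UPN suffix equals the domain's DNS name is mine.

```python
"""Added example (not from the original notes): parse an LDAP Distinguished
Name into its RDNs, recover the object's RDN, OU path and domain FQDN, and
build the matching UPN. Handles RFC 4514 backslash-escaped commas such as
'cn=Jones\\, Bob'. The DN and account name are the page's own example."""

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, leaf first, domain root last."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: keep it literally
            cur += dn[i + 1]
            i += 2
            continue
        if ch == ",":                        # an unescaped comma ends the RDN
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    parts.append(cur)
    pairs = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def rdn(dn: str) -> str:
    """Relative DN: only the object's own name, e.g. 'cn=bjones'."""
    attr, value = parse_dn(dn)[0]
    return f"{attr}={value}"

def ou_path(dn: str) -> list[str]:
    """OU containers from the object's parent up to the domain root."""
    return [value for attr, value in parse_dn(dn) if attr == "ou"]

def domain_fqdn(dn: str) -> str:
    """Join the dc= components into the domain's DNS name."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "dc")

def upn(sam_account_name: str, dn: str) -> str:
    """UPN = logon name @ domain, assuming the default UPN suffix is in use."""
    return f"{sam_account_name}@{domain_fqdn(dn)}"

if __name__ == "__main__":
    dn = "cn=bjones,ou=IT,ou=Employees,dc=inlanefreight,dc=local"
    print(rdn(dn), ou_path(dn), domain_fqdn(dn), upn("bjones", dn))
```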


🔹 FSMO Roles (5 Total)

Forest-level:

  1. Schema Master

  2. Domain Naming Master

Domain-level:

  3. RID Master

  4. PDC Emulator

  5. Infrastructure Master


🔹 Global Catalog (GC)

Domain controller that stores:

  • Full copy of local domain

  • Partial copy of all other domains

Used for:

  • Authentication

  • Searching AD objects


🔹 Read Only Domain Controller (RODC)

A DC whose AD database is read-only. Passwords are usually not cached.


🔹 Replication

Mechanism for syncing changes across AD. Managed by the KCC service.


🔹 Service Principal Name (SPN)

Uniquely identifies a service instance. Used by Kerberos.


🔹 Group Policy Object (GPO)

Policies collection applied to:

  • Users

  • Computers


🔹 ACL / ACE / DACL / SACL

  • ACL → Contains ACEs

  • ACE → Allow/Deny/Audit entry

  • DACL → Access permissions

  • SACL → Logging/auditing rules


🔹 FQDN

Full hostname + domain. Example: DC01.inlanefreight.local


🔹 Tombstone

Deleted objects stored here (default 60–180 days).


🔹 AD Recycle Bin

Allows easy restoration of deleted objects WITH attributes.


🔹 SYSVOL

Stores:

  • Logon scripts

  • GPO settings

Replicated across DCs.


🔹 AdminSDHolder

Protects high-privileged group members from unauthorized ACL changes.


🔹 dsHeuristics

Used to exclude groups from protected list.


🔹 adminCount

If = 1 → Account is protected by AdminSDHolder.


🔹 ADSI Edit

Deep-level AD editor (Dangerous).


🔹 sIDHistory

Contains old SIDs of migrated users. Can be abused if not filtered.


🔹 NTDS.DIT

Main AD database → Contains:

  • User data

  • Groups

  • PASSWORD HASHES

1๏ธโƒฃ What is known as the โ€œBlueprintโ€ of an Active Directory environment?

โœ” Schema


2๏ธโƒฃ What uniquely identifies a Service instance? (full name, space-separated, not abbreviated)

โœ” Service Principal Name


3๏ธโƒฃ True or False: Group Policy objects can be applied to user and computer objects.

โœ” True


4๏ธโƒฃ What container in AD holds deleted objects?

โœ” Tombstone


5๏ธโƒฃ What file contains the hashes of passwords for all users in a domain?

โœ” NTDS.DIT



Active Directory Functionality — GitBook Notes

1. FSMO Roles (Flexible Single Master Operations)

AD has 5 special roles that ensure smooth operation. If these fail, authentication & authorization break.

1.1 Schema Master

  • Maintains read/write copy of AD Schema (defines all AD object attributes).

1.2 Domain Naming Master

  • Ensures unique domain names inside a forest

  • Prevents duplicate domains.

1.3 RID Master

  • Assigns blocks of RIDs to Domain Controllers.

  • Ensures unique SIDs for new objects (SID = Domain SID + RID).

1.4 PDC Emulator

  • Authoritative DC for authentication, password changes, and Group Policy.

  • Maintains time synchronization for the entire domain.

1.5 Infrastructure Master

  • Translates GUIDs, SIDs, and DNs between domains.

  • Important when multiple domains exist in the forest.

  • If broken → ACLs show raw SIDs, not names.

AD Trusts

Trusts allow cross-domain or cross-forest authentication.

Types of trusts:

3.1 Parent–Child Trust

  • Between parent domain and its child

  • Two-way, transitive

3.2 Cross-Link Trust

  • Between two sibling (child) domains

  • Improves authentication speed

  • Transitive

3.3 External Trust

  • Between domains in different forests

  • Non-transitive, uses SID filtering
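The SID filtering mentioned for external trusts, together with the SID = domain SID + RID composition from the RID Master notes and the sIDHistory abuse note above, as one added example that is not part of these notes: it keeps only SIDs issued by the trusted domain and quarantines anything else a token's sIDHistory might carry, and round-trips the binary SID layout. All domain SIDs, RIDs and the well-known-RID table entries shown are constructed or from general knowledge, not from the page.

```python
"""Added example (not from the original notes): a SID is domain SID + RID, so a
SID arriving over an external trust can be checked against the trusted domain
before it is honoured. Models that SID filtering step over the values a token's
sIDHistory might carry, and round-trips the binary SID layout. All domain SIDs
and RIDs below are constructed."""
import struct

# Well-known RIDs present in every domain (not exhaustive)
WELL_KNOWN_RIDS = {500: "Administrator", 502: "krbtgt",
                   512: "Domain Admins", 513: "Domain Users"}

def split_sid(sid: str) -> tuple[str, int]:
    """'S-1-5-21-a-b-c-1105' -> ('S-1-5-21-a-b-c', 1105)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def sid_to_bytes(sid: str) -> bytes:
    """Layout: revision, sub-authority count, 48-bit big-endian identifier
    authority, then little-endian 32-bit sub-authorities."""
    parts = sid.split("-")
    rev, auth, subs = int(parts[1]), int(parts[2]), [int(x) for x in parts[3:]]
    return (struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(raw: bytes) -> str:
    rev, count = raw[0], raw[1]
    auth = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d-%s" % (rev, auth, "-".join(str(s) for s in subs))

def describe(sid: str) -> str:
    domain, rid = split_sid(sid)
    return f"{WELL_KNOWN_RIDS.get(rid, f'RID {rid}')} of {domain}"

def filter_sids(trusted_domain_sid: str, sids: list[str]) -> tuple[list[str], list[str]]:
    """SID filtering on an external trust: keep only SIDs that belong to the
    trusted domain and quarantine the rest, e.g. a Domain Admins SID of our
    own domain smuggled in via sIDHistory. Returns (kept, dropped)."""
    kept, dropped = [], []
    for sid in sids:
        (kept if split_sid(sid)[0] == trusted_domain_sid else dropped).append(sid)
    return kept, dropped

if __name__ == "__main__":
    LOCAL = "S-1-5-21-111111111-222222222-333333333"     # constructed: our domain
    PARTNER = "S-1-5-21-444444444-555555555-666666666"   # constructed: trusted domain
    kept, dropped = filter_sids(PARTNER, [f"{PARTNER}-1105", f"{PARTNER}-513", f"{LOCAL}-512"])
    print("kept:", kept, "dropped:", [describe(s) for s in dropped])
    print(bytes_to_sid(sid_to_bytes(f"{LOCAL}-500")))
```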

3.4 Tree-Root Trust

  • Linking a new tree into the forest

  • Two-way, transitive

3.5 Forest Trust

  • Between root domains of two forests

  • Transitive

Trust Behavior

Transitive Trust

  • Trust extends to the entire chain

  • A → B → C means A trusts C

Non-Transitive Trust

  • Trust limited to just the two domains

One-Way Trust

  • Only trusted domain's users can access the trusting domain

  • Direction is opposite of access.

Two-Way Trust

  • Both domains trust each other

  • Users can access resources in both.
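The trust behaviour above (transitive vs. non-transitive, one-way vs. two-way, direction opposite to access) worked through as an added example that is not part of these notes: a small reachability computation over a constructed set of trusts. The child domain names and the partner domain are constructed; inlanefreight.local is the page's own example domain.

```python
"""Added example (not from the original notes): which domains' users can be
authenticated to which resources under the trust rules above. Each trust is
stored in the direction of access (trusted -> trusting): users of the trusted
domain may access the trusting domain. Transitive trusts chain onward; a
non-transitive trust admits only the trusted domain's own users. Domain names
are constructed."""
from collections import deque

Trust = tuple[str, str, bool]   # (trusted, trusting, transitive)

def two_way(a: str, b: str, transitive: bool = True) -> list[Trust]:
    """A two-way trust is simply a trust in each direction."""
    return [(a, b, transitive), (b, a, transitive)]

def reachable(trusts: list[Trust], user_domain: str) -> set[str]:
    """Set of domains a user from `user_domain` can be authenticated to."""
    out, queue = {user_domain}, deque([user_domain])
    while queue:
        here = queue.popleft()
        for trusted, trusting, transitive in trusts:
            if trusted != here or trusting in out:
                continue
            if not transitive and here != user_domain:
                continue             # non-transitive: no pass-through for other domains' users
            out.add(trusting)
            if transitive:           # only a transitive trust lets the chain continue
                queue.append(trusting)
    return out

def can_access(trusts: list[Trust], user_domain: str, resource_domain: str) -> bool:
    return resource_domain in reachable(trusts, user_domain)

def demo() -> dict[str, set[str]]:
    root, dev, corp = "inlanefreight.local", "dev.inlanefreight.local", "corp.inlanefreight.local"
    partner = "partner.example"
    trusts = (two_way(dev, root) + two_way(corp, root)   # parent-child: two-way, transitive
              + [(partner, corp, False)])                  # one-way external: partner users -> corp
    return {d: reachable(trusts, d) for d in (dev, corp, partner)}

if __name__ == "__main__":
    for domain, targets in demo().items():
        print(f"{domain} users can reach: {sorted(targets)}")
```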

| Trust Type | Description |
| --- | --- |
| Parent-child | Domains within the same forest. The child domain has a two-way transitive trust with the parent domain. |
| Cross-link | A trust between child domains to speed up authentication. |
| External | A non-transitive trust between two separate domains in separate forests which are not already joined by a forest trust. This type of trust utilizes SID filtering. |
| Tree-root | A two-way transitive trust between a forest root domain and a new tree root domain. They are created by design when you set up a new tree root domain within a forest. |
| Forest | A transitive trust between two forest root domains. |

Answer the question(s) below to complete this section:

  1. What role maintains time for a domain?

  2. What domain functional level introduced Managed Service Accounts?

  3. What type of trust is a link between two child domains in a forest?

  4. What role ensures that objects in a domain are not assigned the same SID? (full name)





Kerberos, DNS, LDAP, MSRPC

Kerberos Authentication Process

1. When a user logs in, their password is used to encrypt a timestamp, which is sent to the Key Distribution Center (KDC) to verify the integrity of the authentication by decrypting it. The KDC then issues a Ticket-Granting Ticket (TGT), encrypting it with the secret key of the krbtgt account. This TGT is used to request service tickets for accessing network resources, allowing authentication without repeatedly transmitting the user's credentials. This process decouples the user's credentials from requests to resources.

2. The KDC service on the DC checks the authentication service request (AS-REQ), verifies the user information, and creates a Ticket Granting Ticket (TGT), which is delivered to the user.

3. The user presents the TGT to the DC, requesting a Ticket Granting Service (TGS) ticket for a specific service. This is the TGS-REQ. If the TGT is successfully validated, its data is copied to create a TGS ticket.

4. The TGS is encrypted with the NTLM password hash of the service or computer account in whose context the service instance is running and is delivered to the user in the TGS-REP.

5. The user presents the TGS to the service, and if it is valid, the user is permitted to connect to the resource (AP-REQ).

Figure: Kerberos authentication process. The client requests a TGT from the KDC, receives the TGT, requests a TGS, receives the TGS, and accesses the database server; the figure also shows the user login and ticket encryption steps.
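The five steps above as a runnable model, added here as an example and not part of the original notes: pre-authentication with a sealed timestamp, a TGT that only the KDC (krbtgt key) can open, and a TGS that only the service account's key can open, so the user's password never leaves the client after the AS-REQ. Sealing with an HMAC tag stands in for the real ticket encryption; account names, passwords, the SPN and the clock values are constructed.

```python
"""Added example (not from the original notes): minimal model of the flow above.
Keys derive from passwords; the KDC seals the TGT under the krbtgt key and the
TGS under the service account's key, so each ticket opens only for its owner.
Sealing is an HMAC tag standing in for encryption; all names are constructed."""
import hashlib, hmac, json

def long_term_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()   # stand-in for the account key

def seal(key: bytes, payload: dict) -> dict:
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), "sha256").hexdigest()}

def unseal(key: bytes, ticket: dict) -> dict:
    """Raises ValueError unless the ticket was sealed under exactly this key."""
    tag = hmac.new(key, ticket["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(tag, ticket["tag"]):
        raise ValueError("ticket not sealed with this key")
    return json.loads(ticket["body"])

class KDC:
    SKEW = 300                                  # 5 minutes of allowed clock skew
    def __init__(self, passwords: dict[str, str], spn_owner: dict[str, str]):
        self.keys = {n: long_term_key(p) for n, p in passwords.items()}
        self.spn_owner = spn_owner              # SPN -> account running the service
    def as_req(self, user: str, preauth: dict, now: float) -> dict:
        ts = unseal(self.keys[user], preauth)["timestamp"]   # pre-authentication
        if abs(now - ts) > self.SKEW:
            raise ValueError("timestamp outside skew window (replayed or bad clock)")
        return seal(self.keys["krbtgt"], {"user": user, "exp": now + 36000})  # TGT
    def tgs_req(self, tgt: dict, spn: str, now: float) -> dict:
        claims = unseal(self.keys["krbtgt"], tgt)  # only the KDC holds this key
        if claims["exp"] < now:
            raise ValueError("TGT expired")
        svc_key = self.keys[self.spn_owner[spn]]   # TGS sealed for the service
        return seal(svc_key, {"user": claims["user"], "spn": spn, "exp": now + 36000})

def client_login(kdc: KDC, user: str, password: str, now: float) -> dict:
    """AS-REQ: the password only ever seals a timestamp; it is never sent."""
    return kdc.as_req(user, seal(long_term_key(password), {"timestamp": now}), now)

def service_accept(service_password: str, tgs: dict) -> str:
    """AP-REQ: the service opens the TGS with its own key and learns the user."""
    return unseal(long_term_key(service_password), tgs)["user"]

if __name__ == "__main__":
    kdc = KDC({"krbtgt": "k", "bjones": "p", "sqlsvc": "s"}, {"MSSQLSvc/db01.inlanefreight.local": "sqlsvc"})
    tgs = kdc.tgs_req(client_login(kdc, "bjones", "p", 1000.0), "MSSQLSvc/db01.inlanefreight.local", 1000.0)
    print(service_accept("s", tgs))   # bjones
```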
