Introduction to Active Directory

This matters if you want to be a penetration tester: Active Directory is used by roughly four in five large organisations and around 90% of Fortune 500 companies, and those are exactly the clients with sprawling infrastructures who need people like you to try to break in and show them where the weaknesses are.

A directory is a hierarchical structure that stores information about objects and their sub-objects, so that related pieces of information can be chained together. Active Directory is Microsoft's directory service for Windows networks. It is not itself LDAP, but it exposes its data over the Lightweight Directory Access Protocol (LDAP), which is how directory information is queried and shared by other computers on the network. Every object in the directory carries its own security descriptor, which records who owns it, who may read or modify it and which of its attributes they may touch (an object can be owned by an administrator and still grant ordinary users read access to some attributes, for example). Note that this is access control on directory objects, not on folders in a file system, even though the two are easy to confuse.

Objects are the fundamental things AD collects, manages and stores data on. They fall into two broad kinds: resources, such as printers, shared folders and servers, and security principals, meaning user, group and computer accounts. A security principal is the kind of object that can be granted permissions; each one is identified by a Security Identifier (SID) and, for users and computers, has credential material (password hashes and the Kerberos keys derived from them) stored in the directory.

So the directory has to manage two different but tightly interlinked kinds of entity: every user who logs in and requests a resource must belong to the right groups and satisfy whatever other conditions the resource demands, such as only being reachable at particular times of day or from particular hosts. Authentication itself is delegated to Kerberos: the Key Distribution Center (KDC) runs on every domain controller, checks the user's credentials and either issues a ticket or returns an error, and the access decision is then made from the identity and group memberships that the ticket carries.

To help companies manage all these machines, users and the data they produce, AD comes with a set of services that streamline the process, including:

  • Active Directory Domain Services (AD DS) is the core service: it is where the domain administrators set authentication policy (Kerberos and NTLM settings, password and lockout policy), define the schema (which attributes each kind of object can have), store the objects themselves and link Group Policy. The servers that run AD DS are the domain controllers; they run a Windows Server operating system with the AD DS role installed, and it is promoting the first server to a domain controller that brings a domain into existence. Do not confuse the domain controller with the administrator account that manages it: the domain controller is a machine, while Domain Admins is a group of security principals. An organisation that wants a separate domain, per department or per region, stands up another domain controller for it, and most domains run several domain controllers for redundancy. Domain controllers therefore exist at every level of the hierarchy, from the forest root domain down to locally scoped domains such as a single country's department. There is also Active Directory Lightweight Directory Services (AD LDS), a cut-down, standalone directory for applications that does not require domains or domain controllers.
  • Active Directory Certificate Services (AD CS) is the domain's public key infrastructure: it issues, renews, revokes and publishes certificates. A certificate binds a public key to an identity (a user, computer or service) under the signature of the domain's certification authority, so other parties can encrypt to that key or verify signatures made with it without having to exchange keys in advance.
  • Active Directory Federation Services (AD FS) provides single sign-on beyond the domain itself: the user authenticates once against AD, and AD FS then issues security tokens (SAML or OAuth/OpenID Connect) that partner organisations and cloud applications accept, so the user is not prompted for credentials again at each resource.
  • Active Directory Rights Management Services (AD RMS) enforces information rights on documents and mail: which users may open, edit, print or forward a file. The content is encrypted, so the policy travels with the file rather than depending on the permissions of the share it happens to sit on.

A domain is a collection of objects that share one directory database, one set of security policies and one DNS namespace (corp.example.com, say); its members do not have to be on the same physical network. Because the domain has its own DNS zone, a resource can be requested by name rather than by IP. A tree is one or more domains with a contiguous namespace: a child domain (emea.corp.example.com) is created beneath its parent, and the two are automatically joined by a two-way transitive trust, so no separate trust has to be negotiated. Transitive means that trust chains: if the parent trusts the child and the child trusts a grandchild, the parent also trusts the grandchild, so an account from the bottom of the tree can be granted access to resources at the top. A forest is a collection of one or more trees that share a single schema, a single configuration partition and a global catalog; the trees in a forest need not share a namespace, and their root domains are linked by transitive tree-root trusts. So for each conceptual layer we go up, the more abstract it gets, and the more shared information is needed to form the connecting backbone. The global catalog servers hold a partial replica of every object in the forest, so a search can find any object regardless of which domain holds it. Microsoft treats the forest, not the domain, as Active Directory's security boundary: every domain in a forest trusts every other, so once one domain is compromised the rest of the forest cannot be considered trustworthy. Trusts to domains in other forests (external trusts and forest trusts) have to be created explicitly, and an external trust is non-transitive.

An Organisational Unit (OU) is a container within a domain for users, groups and computers; a domain can hold any number of OUs, nested as deeply as you like, and OUs are the level at which Group Policy is linked and administration is delegated. Two objects in the same container cannot share a name, and account names (sAMAccountName) must be unique across the whole domain, which may constrain how you design the OU layout.

Containers (such as the default Users and Computers containers) are similar to OUs in that they hold objects, but Group Policy Objects (GPOs) cannot be linked to them, so objects left in a default container only receive the policy linked at the site and domain levels.
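
As an added example (my own, not from the original notes), the following walks an object's distinguished name back up through its containers to work out which GPOs apply and in what order, and refuses to link a GPO to a plain container. The domain corp.local, the OU names and the GPO names are made up; site-linked GPOs, Block Inheritance and Enforced links are not modelled, and OU names are assumed to contain no commas.

```python
"""Which GPOs apply to an object, derived from its DN (added example, not from the notes).

Rules modelled: GPOs link to the domain and to OUs, they are inherited down
the OU chain with the closest OU processed last (so it wins on conflicts),
and they cannot be linked to a plain container such as CN=Users.
Assumptions: names here are invented; no site-level policy, no Block
Inheritance or Enforced flags; container names contain no commas.
"""


def parse_dn(dn):
    """Split a DN into (type, value) pairs, most specific RDN first.
    Backslash-escaped commas inside a value (e.g. 'CN=Smith\\, John') are kept."""
    parts, cur, esc = [], "", False
    for ch in dn:
        if esc:
            cur += ch
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    rdns = []
    for p in parts:
        typ, _, val = p.strip().partition("=")
        rdns.append((typ.upper(), val))
    return rdns


def container_dns(object_dn):
    """DNs of the containers an object sits in, outermost (the domain) first."""
    rdns = parse_dn(object_dn)[1:]  # drop the object's own RDN
    first_dc = next(i for i, (t, _) in enumerate(rdns) if t == "DC")
    chain = [",".join(f"{t}={v}" for t, v in rdns[first_dc:])]  # the domain itself
    for i in range(first_dc - 1, -1, -1):                        # then each OU inward
        chain.append(",".join(f"{t}={v}" for t, v in rdns[i:]))
    return chain


def can_link_gpo(container_dn):
    """GPOs may be linked to the domain (DC=...) or an OU, never to a CN= container."""
    return not container_dn.upper().startswith("CN=")


def link_gpo(links, container_dn, gpo_name):
    if not can_link_gpo(container_dn):
        raise ValueError(f"GPOs cannot be linked to container {container_dn}")
    links.setdefault(container_dn, []).append(gpo_name)
    return links


def applicable_gpos(links, object_dn):
    """GPOs in processing order: domain first, then each OU from the top down.
    Later entries override earlier ones on conflicting settings."""
    result = []
    for container in container_dns(object_dn):
        result.extend(links.get(container, []))
    return result


def example_links():
    """Constructed GPO links for the made-up domain corp.local."""
    links = {}
    link_gpo(links, "DC=corp,DC=local", "Default Domain Policy")
    link_gpo(links, "OU=EMEA,DC=corp,DC=local", "EMEA Screen Lock")
    link_gpo(links, "OU=Sales,OU=EMEA,DC=corp,DC=local", "Sales Drive Maps")
    return links


if __name__ == "__main__":
    links = example_links()
    for dn in ["CN=Smith\\, John,OU=Sales,OU=EMEA,DC=corp,DC=local",
               "CN=bob,CN=Users,DC=corp,DC=local"]:
        print(dn, "->", applicable_gpos(links, dn))
```

The second object in the demo sits in the default Users container, so it only picks up the domain-level policy; that is the practical consequence of the rule that GPOs cannot be linked to containers, and it is why a freshly created account that nobody moved into an OU can quietly miss the hardening everybody assumes applies.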

Information Gathering on an AD Domain

As I'll be taking the role of an attacker, we presumably won't have the Server Manager GUI, since our connection will be a shell rather than RDP; a shell is more than enough, though. We shall be using modules from the PowerSploit framework, whose name deliberately echoes Metasploit, the tool we have been using for quite a while, and whose purpose is similar: it is a collection of PowerShell modules aimed at privilege escalation, exploitation, enumeration and persistence on Windows systems, and its PowerView module in particular is what we want for enumerating Active Directory. There are many more functions than we will touch here; see the full PowerSploit documentation for the rest.

We will need to transfer the module over to the target, though for the Active Directory Basics room it is already in the Downloads folder:

Writeup : Attack Active Directory

This box tests our ability to work with NetBIOS, SMB, Active Directory and Kerberos together, which is a realistic combination in a business network, though it is quite a lot to tackle at once...

The first thing we want to do to support our enumeration is to install the Impacket library, a collection of Python classes that implement network protocols (SMB, MSRPC, LDAP, Kerberos and others) from the packet level upwards. It lets us build, send and parse the nested protocol messages these services exchange, and it ships with ready-made example scripts for the common attacks against them.

To install it for use later, we can do the following (the project has since moved to https://github.com/fortra/impacket and the old address redirects there; installing with pip into a virtual environment is the current recommendation, but these steps still work):

git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket

pip3 install -r /opt/impacket/requirements.txt

cd /opt/impacket/ && python3 ./setup.py install