Active Directory is a Microsoft technology used to manage computers and other devices on a network. It’s like a directory service for a network, storing information about user accounts, computers, and other resources, and providing various services such as authentication and authorization.
Domains and Forests
An AD domain is a logical group of network objects (computers, users, devices) that share a common directory database. A forest is a collection of one or more AD domains that share a common schema, configuration, and global catalog, and are linked with trust relationships.
Get-ADDomain | select DNSRoot,NetBIOSName,DomainSID: This PowerShell command retrieves and displays the DNSRoot (fully qualified domain name), NetBIOSName, and DomainSID (security identifier) of the Active Directory domain.
Get-ADForest: This PowerShell command retrieves information about the Active Directory forest.
Functional Modes
Forest and domain functional levels determine the available Active Directory Domain Services (AD DS) domain or forest capabilities. They also determine which Windows Server operating systems you can run on domain controllers in the domain or forest.
(Get-ADForest).ForestMode: This PowerShell command retrieves the forest functional level of the Active Directory forest.
(Get-ADDomain).DomainMode: This command retrieves the domain functional level of the Active Directory domain.
Trusts
In an Active Directory context, a trust is a relationship established between domains that enables users in one domain to be authenticated by a domain controller in another domain.
nltest /domain_trusts: This command-line utility lists all the trusted domains on a system.
Transitive Trust
A transitive trust can extend beyond the two domains to other trusted domains in the forest.
Nontransitive Trust
A nontransitive trust is restricted to the two domains in the trust relationship and cannot be extended to a third domain.
Users
In Active Directory, user accounts are stored as objects in a centralized database. Each user account has a unique username (stored in the SamAccountName attribute), a Security Identifier (SID), and a DistinguishedName used by the Lightweight Directory Access Protocol (LDAP) API to identify objects.
The user’s password is not stored in plaintext. Instead, the NT hash (and LM hash for older accounts) and Kerberos keys, which are derived from the user’s password, are stored. These secrets are needed for user authentication and can only be retrieved by administrators or those with equivalent privileges.
Get-ADUser Anakin: This PowerShell command retrieves information about a specific Active Directory user (“Anakin” in this case).
DCSync Attack
This is a type of attack where the attacker pretends to be a domain controller and asks for user password data.
ntds.dit
This file is the heart of Active Directory, including the users' password secrets, and is located in the C:\Windows\NT
LM Hashes
The LM hash (Lan Manager hash) is an outdated method to store passwords and is generally considered to be insecure. It operates as follows:
upper_password = to_uppercase(password)
padded_password = pad_with_null_bytes_or_truncate_to_14_bytes(upper_password)
part1, part2 = split_into_two_7_byte_halves(padded_password)
# each 7-byte half is expanded to an 8-byte DES key (a parity bit is added per byte)
# and used to encrypt the fixed constant "KGS!@#$%"
hash1 = des_encrypt(key=expand_to_des_key(part1), data="KGS!@#$%")
hash2 = des_encrypt(key=expand_to_des_key(part2), data="KGS!@#$%")
lm_hash = hash1 + hash2
NT Hashes
The NT hash is a more secure way of storing passwords used by Windows NT and later systems.
nt_hash = md4(encode_in_utf_16le(password))
It’s important for a penetration tester to recognize NT hashes since, while they are not the user passwords, they are used for authentication in Windows machines and can be used to perform Pass-The-Hash or Overpass-the-Hash attacks to impersonate users on remote machines. You can also attempt to crack the LM and NT hashes with tools like hashcat to recover the original password.
Kerberos Keys
Kerberos keys can be used to request a Kerberos ticket that represents the user in Kerberos authentication. There are several different keys, each corresponding to one of the Kerberos encryption types the domain supports:
- AES 256 key: Used by the AES256-CTS-HMAC-SHA1-96 algorithm. This is the one commonly used by Kerberos, and the one a penetration tester should use in order to avoid triggering alarms.
- AES 128 key: Used by the AES128-CTS-HMAC-SHA1-96 algorithm.
- DES key: Used by the deprecated DES-CBC-MD5 algorithm.
- RC4 key: This is the NT hash of the user used by the RC4-HMAC algorithm.
The secretsdump.py tool can be used to dump these hashes:
secretsdump.py 'contoso.local/Administrator@192.168.100.2' -just-dc-user anakin
These keys can be used in a Pass-The-Key attack to retrieve a ticket for the impersonated user. Then you can use that Kerberos ticket to authenticate against different services of the domain on behalf of the user.
