
Active Directory - Enumeration & Overview

Tags: Active Directory, Kerberos, PowerView, BloodHound, Windows

Overview

| Organization                | Description                                                                                              |
|-----------------------------|----------------------------------------------------------------------------------------------------------|
| OU (Organizational Unit)    | Container for users and computers; used to apply policy (GPOs) and delegated administration to them in bulk |
| Security Group              | Grants permissions on resources (files, shares, services) to every member of the group                   |

Security Groups

| Security Group     | Description                                                                                                                                                          |
|--------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Admins      | Members have administrative privileges over the entire domain. By default they can administer any computer in the domain, including the DCs.                          |
| Server Operators   | Members can administer Domain Controllers (log on to them, manage services and shares). They cannot change the membership of administrative groups.                   |
| Backup Operators   | Members can read any file regardless of its NTFS permissions, in order to back up data on domain computers, including the DCs.                                        |
| Account Operators  | Members can create and modify user, group and computer accounts in the domain, but not members of administrative groups.                                              |
| Domain Users       | Contains every user account in the domain.                                                                                                                           |
| Domain Computers   | Contains every computer account in the domain.                                                                                                                       |
| Domain Controllers | Contains every DC in the domain.                                                                                                                                     |

Server Operators, Backup Operators and Account Operators are not "admin" by name, but each gives a path to a DC or to other accounts, so their membership should be reviewed as carefully as Domain Admins.
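The following is an added example, not part of the original post, that enumerates the privileged groups from the table above and lists their effective (nested) members. It assumes the RSAT ActiveDirectory module on a domain-joined session; the group names are the built-in ones.

```powershell
# Added example (not from the original post): list effective members of the
# privileged groups in the table above. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Built-in groups that give direct or indirect control over the domain
$privilegedGroups = @(
    'Domain Admins',
    'Server Operators',
    'Backup Operators',
    'Account Operators'
)

$findings = foreach ($groupName in $privilegedGroups) {
    # -Recursive expands nested groups so indirect members are caught too
    Get-ADGroupMember -Identity $groupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $user = Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate, PasswordLastSet
            [pscustomobject]@{
                Group           = $groupName
                User            = $user.SamAccountName
                Enabled         = $user.Enabled
                LastLogonDate   = $user.LastLogonDate
                PasswordLastSet = $user.PasswordLastSet
            }
        }
}

# Enabled accounts in these groups are the high-value targets on the domain
$findings | Sort-Object Group, User | Format-Table -AutoSize

# An account sitting in more than one privileged group deserves a second look
$findings | Group-Object User | Where-Object Count -gt 1 |
    ForEach-Object { "{0} is a member of {1} privileged groups" -f $_.Name, $_.Count }
```

Run it as any domain user; group membership is readable by default, which is exactly why it is one of the first things enumerated during an assessment.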

Delegation

Control ---to--> User ---over---> OU

Specific users or groups can be granted specific rights over specific OUs (and the objects beneath them) without making them administrators. For example, the IT department can be delegated the right to reset passwords of low-privileged users in one OU, and nothing else.

[Figure: Delegation example]

PowerShell Commands

Reset Password:

Set-ADAccountPassword username -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose

Force Password Change at Logon:

Set-ADUser -ChangePasswordAtLogon $true -Identity username -Verbose
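Delegations like the password-reset right above live in the ACL of the OU, so enumerating them means reading that ACL. The following is an added example, not part of the original post, that lists the non-inherited permissions on an OU and names the password-related extended rights. It assumes the RSAT ActiveDirectory module; the OU distinguished name is a placeholder.

```powershell
# Added example (not from the original post): show who has been delegated
# rights over an OU. The OU DN below is an assumption; replace it with yours.
Import-Module ActiveDirectory

$ouDn = 'OU=Helpdesk Managed Users,DC=corp,DC=local'   # assumption

# Well-known GUIDs of the extended rights that control password changes
$extendedRights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'    # User-Force-Change-Password
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'   # User-Change-Password
}

# The AD: PSDrive exposes directory objects' security descriptors to Get-Acl
$acl = Get-Acl -Path ("AD:\" + $ouDn)

# Inherited ACEs come from the domain head and its defaults; explicit ACEs are
# the delegations someone added on this OU.
$delegations = $acl.Access |
    Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $guid = $_.ObjectType.ToString()
        $rightName = if ($extendedRights.ContainsKey($guid)) {
            $extendedRights[$guid]
        } elseif ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) {
            "ExtendedRight $guid"
        } else {
            $_.ActiveDirectoryRights.ToString()
        }
        [pscustomobject]@{
            Trustee   = $_.IdentityReference.Value
            Right     = $rightName
            AppliesTo = $_.InheritanceType    # Descendents = objects inside the OU
        }
    }

$delegations | Format-Table -AutoSize

# Delegations to very broad principals are almost always a mistake
$delegations |
    Where-Object { $_.Trustee -match 'Everyone|Authenticated Users|Domain Users' } |
    ForEach-Object { "Review: {0} has {1} on {2}" -f $_.Trustee, $_.Right, $ouDn }
```

The check at the end is the one a practitioner wants: a "Reset Password" or GenericAll entry for Domain Users on an OU means every domain account can take over the users inside it.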

Computer Types

| Type               | Naming prefix |
|--------------------|---------------|
| Workstations       | PC, LPT       |
| Servers            | SRV           |
| Domain Controllers | DC            |

It is recommended to keep servers and workstations in separate OUs so that different policies can be applied to each.

GPOs (Group Policy Objects)

GPOs are simply collections of settings that can be linked to OUs (as well as to the domain or a site). A GPO can contain policies aimed at users, at computers, or both, which lets you set a baseline configuration for specific machines and identities.

GPO Scope

Editing a GPO changes the settings for every object within its scope, so a GPO linked at the domain root effectively enacts a system-wide policy. For example, editing the Default Domain Policy to increase the minimum password length:

[Figure: GPO Password Policy]

Force GPO Update:

gpupdate /force

GPO Distribution

GPOs are distributed across the network through a share called SYSVOL:

  • SYSVOL lives on the DCs and is replicated between them, so every DC serves the same copy
  • Every domain user and computer needs read access to this share, because clients pull their GPOs from it periodically (every 90 minutes by default, plus at boot and logon)
  • The SYSVOL share points by default to the C:\Windows\SYSVOL\sysvol\ directory on each DC; each GPO is stored under Policies\{GPO-GUID} inside it
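The following is an added example, not part of the original post, that ties the pieces together: it reads the effective domain password policy (where the minimum-length change above ends up), maps every GPO to the SYSVOL folder clients fetch it from, and lists what is linked at the domain root. It assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined host.

```powershell
# Added example (not from the original post): GPO inventory and SYSVOL mapping.
# Assumes RSAT ActiveDirectory + GroupPolicy modules on a domain-joined host.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain

# 1. The effective domain password policy, as enforced by the Default Domain Policy
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, LockoutThreshold, MaxPasswordAge

# 2. Every GPO and its on-disk location under SYSVOL.
#    GPO folders are named by the GPO's GUID in braces, upper-case.
$sysvolRoot = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies"
Get-GPO -All | ForEach-Object {
    $path = Join-Path $sysvolRoot ("{" + $_.Id.ToString().ToUpper() + "}")
    [pscustomobject]@{
        DisplayName = $_.DisplayName
        Status      = $_.GpoStatus
        Modified    = $_.ModificationTime
        SysvolPath  = $path
        Readable    = Test-Path $path   # any domain user should be able to read this
    }
} | Format-Table -AutoSize

# 3. GPOs linked at the domain root apply to everything (unless blocked lower down)
Get-GPInheritance -Target $domain.DistinguishedName |
    Select-Object -ExpandProperty GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order
```

After running gpupdate /force on a client, gpresult /r shows which of these GPOs were actually applied to that machine and user.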

Authentication Protocols

  • Kerberos: Used by any recent version of Windows and the default protocol in any recent domain.
  • NetNTLM: Legacy challenge-response protocol kept for compatibility. Still used when Kerberos cannot be, for example when a server is addressed by IP instead of hostname, or when no SPN is registered for the service.

Kerberos Authentication

  1. AS-REQ: The client sends its username (in the clear) together with a timestamp encrypted with a key derived from the user's password (pre-authentication) to the KDC (Key Distribution Center), which runs on every DC.
  2. AS-REP: The KDC returns a TGT (Ticket Granting Ticket), encrypted with the krbtgt account's key so the client can neither read nor alter it, and a session key, encrypted with the user's key.
  3. TGS-REQ: To reach a service, the client sends the TGT, the SPN (Service Principal Name) of the service, and an authenticator (username and timestamp encrypted with the session key) to the KDC's Ticket Granting Service (TGS).
    • The SPN names the service class and the host, and so identifies the service and server the client wants to access
  4. TGS-REP: The KDC returns a service ticket (often loosely called "a TGS") and a Service Session Key.
    • The service ticket is encrypted with the key of the Service Owner, derived from that account's password hash; the KDC never contacts the service itself
    • Service Owner = the account the service runs under (a computer account for most Windows services, or a user account that has the SPN registered)
    • The service ticket contains the Service Session Key, so only the Service Owner can decrypt the ticket and recover that key; the client gets its own copy encrypted with the TGT session key
    • The KDC does not check whether the user is allowed to use the service: any authenticated user can obtain a service ticket for any registered SPN, and authorization happens at the service
  5. AP-REQ: The client presents the service ticket plus an authenticator encrypted with the Service Session Key to the service, which decrypts the ticket with its own key, validates the authenticator, and establishes the connection.

[Figure: Kerberos Auth Flow]
[Figure: Kerberos Auth Detailed]
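The following is an added example, not part of the original post, that walks the flow above from the client side: it shows the cached TGT, enumerates the service owners (accounts with SPNs) a client could request tickets for, requests one service ticket through SSPI, and shows it landing in the ticket cache. It assumes a domain-joined session that already holds a TGT and the RSAT ActiveDirectory module; which SPN gets requested is an assumption (the first one found).

```powershell
# Added example (not from the original post): observe the Kerberos flow from
# the client. Assumes a domain-joined session with a cached TGT and RSAT.
Import-Module ActiveDirectory

# Step 2 result: the TGT (krbtgt/<REALM>) obtained at logon sits in the cache
klist | Select-String -Pattern 'krbtgt'

# Service owners: accounts with SPNs registered. User accounts are listed here
# because their service tickets are protected by a user-chosen password.
$serviceAccounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet
$serviceAccounts |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ', ' } } |
    Format-Table -AutoSize

if ($serviceAccounts) {
    # Steps 3 and 4: TGS-REQ / TGS-REP for one SPN. SSPI does the exchange
    # using only the cached TGT; no password or hash is involved on the client.
    $spn = @($serviceAccounts[0].ServicePrincipalName)[0]   # assumption: first SPN found
    Add-Type -AssemblyName System.IdentityModel
    $null = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $spn

    # The service ticket is now cached next to the TGT. Its encryption type
    # tells you what key protects it: RC4-HMAC means the NT hash of the owner.
    klist | Select-String -Pattern ([regex]::Escape($spn)) -Context 0, 5
}
```

The point to take from the cache listing is step 4's caveat: the ticket was issued without the KDC asking whether this user may use that service, and it is encrypted with the service owner's key, so the strength of that account's password is what protects it.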

NetNTLM Authentication

  • Challenge-response mechanism: the client sends a negotiate message, the server replies with a random challenge, and the client returns a response computed from that challenge and the user's NT hash (HMAC-MD5 in NTLMv2)
  • The user's password and hash are never transmitted; for a domain account the server forwards the challenge and response to a DC, which recomputes the response from the stored hash and tells the server whether it matches
  • Because the response is tied to the challenge, an observer cannot reuse it, but the exchange carries no server authentication and no mutual key agreement, which is why it is considered legacy

[Figure: NetNTLM Auth Flow]