🪟
Active Directory (AD)

Active Directory (AD) is a system that allows to manage a set of computers and users connected in the same network from a central server.
____ __
o | | |==|
/|\ |____| <--------. .-----> | |
/ \ /::::/ | | |__|
v v
.---.
/ /|
.---. |
| | '
| |/
'---'
____ ^ ^ ____
o | | | | | | \o/
/|\ |____| <-------' '-----> |____| |
/ \ /::::/ /::::/ / \
The above diagram is known as a domain. A domain is a set of connected computers that shares an Active Directory database, which is managed by the central servers of a domain, that are called domain controllers.

A domain controller is a server with the AD DS (Active Directory data store) server role installed that has specifically been promoted to a domain controller. It can:
  • host a copy of the AD DS
  • provide authentication and authorization services (Kerberos)
  • replicate updates to other domain controllers in the domain and forest
  • allow administrative access to manage user accounts and network resources

The AD DS contains the database files and processes that store and manage directory information for users, services, and applications. It:
  • consists of the Ntds.dit file
  • is stored by default in the %SystemRoot%\NTDS folder on all domain controllers
  • is accessible only through the domain controller processes and protocols

The AD DS schema:
  • defines every type of object that can be stored in the directory
  • enforces rules regarding object creation and configuration.
For example:
Objects Types
Function
Examples
Class Object
What objects can be created in the directory
User, Computer
Attribute Object
Information that can be attached to an object
Display name

Domains are used to group and manage objects in an organization. It is:
  • an administrative boundary for applying policies to groups of objects
  • A replication boundary for replicating data between domain controllers
  • An authentication and authorization boundary that provides a way to limit the scope of access to resources

A tree is a hierarchy of domains in AD DS. All domains in the tree:
  • share a contiguous namespace with the parent domain
  • can have additional child domains
  • by default create a two-way transitive trust with other domains

A forest is a collection of one or more domain trees. Forests:
  • share a common schema
  • share a common configuration partition
  • share a common global catalog to enable searching
  • enable trusts between all domains in the forest
  • share the Enterprise Admins and Schema Admins groups

OUs are AD containers that can contain users, groups, computers, and other OUs. OUs are used to:
  • represent your organization hierarchically and logically
  • manage a collection of objects in a consistent way
  • delegate permissions to administer groups of objects
  • apply policies

Trusts provide a mechanism for users to gain access to resources in another domain. Types of trusts:
Types of Trusts
  • All domains in a forest trust all other domains in the forest
  • Trusts can extend outside the forest

Objects

NTLM (NT LAN Manager) authentication is used when a client authenticates to a server by IP address (instead of by hostname), or if the user attempts to authenticate to a hostname that is not registered on the AD integrated DNS server. Likewise, third-party applications may choose to use NTLM authentication instead of Kerberos authentication.
The NTLM authentication is composed by 3 messages/phases: NEGOTIATE, CHALLENGE and AUTHENTICATE:
Client Server
| |
AcquireCredentialsHandle | |
| | |
v | |
InitializeSecurityContext | |
| | NEGOTIATE |
'-------------> | -----------------> | ----------.
| - flags | |
| | v
| | AcceptSecurityContext
| | |
| | challenge
| CHALLENGE | |
.-------------- | <----------------- | <---------'
| | - flags |
challenge | - challenge |
| | - server info |
v | |
InitializeSecurityContext | |
| | | |
session response | |
key | | AUTHENTICATE |
'-------'---------> | -----------------> | ------.--------.
| - response | | |
| - session key | | |
| (encrypted) | response session
| - attributes | | key
| + client info | | |
| + flags | v v
| - MIC | AcceptSecurityContext
| | |
| | v
| | OK
| |

While NTLM authentication works through a principle of challenge-response, Windows-based Kerberos authentication uses a ticket system. Kerberos focuses on the use of tokens called "tickets" that allows an user to be authenticated against a principal. At a high level, Kerberos client authentication to a service in AD involves the user of a domain controller in the role of a key distribution center (KDC).

Attacking Active Directory: 0 to 0.9 | zer1t0
Attacking Active Directory: 0 to 0.9 - zer1t0
Copy link
On this page
What is Active Directory?
Physical AD Components
Domain Controller
AD DS
Logical AD Components
AD Schema
Domains
Trees
Forests
Organizational Units (OUs)
Trusts
Objects
NTLM Authentication
Kerberos Authentication
Reference