Recently, I started to learn some basic knowledge in the field of information, including Nmap scan principles, OWASP TOP 10 vulnerable classification and this topic Active Directory jot.
目錄
Active Directory Domain Service Objects
Users
People: like employees.
Services: like IIS or MSSQL.
Machines
The machine accounts themselves are local administrators on the assigned computer, they are generally not supposed to be accessed by anyone except the computer itself, but as with any other account, if you have the password, you can use it to log in.
Note: Machine Account passwords are automatically rotated out and are generally comprised of 120 random characters.
The machine account name is the computer’s name followed by a dollar sign. For example, a machine named DC01
will have a machine account called DC01$
.
Other Objects
Groups
Printers
Shares
Organizational Units (OUs)
Mainly used to define sets of users with similar policing requirements.
User can only be a part of a single OU at a time.
Default Organizational Units
Builtin | Contains default groups available to any Windows host. |
Computers | All the machines that join a domain (except for the DCs). |
Domain Controllers | Default that contains the DCs in your network. |
Users | Default users and groups that apply to a domain-wide context. |
Managed Service Accounts | Holds accounts used by services in your Windows domain. |
Security Groups
Used to grant permissions over resources.
Default Groups
Domain Admins | Users of this group have administrative privileges over the entire domain. By default, they can administer any computer on the domain, including the DCs. |
Server Operators | Users in this group can administer Domain Controllers. They cannot change any administrative group memberships. |
Backup Operators | They are used to perform backups of data on computers. Users in this group are allowed to access any file, ignoring their permissions. |
Account Operators | Users in this group can create or modify other accounts in the domain. |
Domain Users | Includes all existing user accounts in the domain. |
Domain Computers | Includes all existing computers in the domain. |
Domain Controllers | Includes all existing DCs on the domain. |
Group Policy Objects (GPO)
GPOs can contain policies aimed at either users or computers, allowing you to set a baseline on specific machines and identities.
GPOs are distributed to the network via a network share called SYSVOL
, which is stored in the DC, The SYSVOL share points by default to the C:\Windows\SYSVOL\sysvol\
directory on each of the DCs in our network.
Authentication Methods
Kerberos
Used by any recent version of Windows. This is the default protocol in any recent domain.
Authentication
Refer tryhackme.com remake
NetNTLM
Legacy authentication protocol kept for compatibility purposes.
LM
299BD128C1101FD6
NTHash (NTLM)
B4B9B02E6F09A9BD760F388B67351E2B
NTLMv1 (Net-NTLMv1)
u4-netntlm::kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c
NTLMv2 (Net-NTLMv2)
admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c7830310000000000000b45c67103d07d7b95acd12ffa11230e0000000052920b85f78d013c31cdb3b92f5d765c783030
Authentication
Refer tryhackme.com remake
Trees, Forests and Trusts
Trees
Root Domain: mks.local
(DC-ROOT)
Subdomains: tw.mks.local
(DC-TW), jp.mks.local
(DC-JP), share the same namespace mks.local
)
Forests
The domains you manage can also be configured in different namespaces.
Root Domains: mks.local
, yee.local
Subdomains: tw.mks.local
(DC-TW), jp.mks.local
(DC-JP), share the same namespace mks.local
)
Subdomains: us.yee.local
(DC-US), uk.yee.local
(DC-UA), share the same namespace yee.local
)
Trust Relationships
In simple terms, having a trust relationship between domains allows you to authorise a user from domain mks
to access resources from domain yee
.