Hackzzz - The Notebook
  • ⚡Welcome!
    • 👾Hackzzz
    • 📝Writeups
      • HackTheBox
        • 🐧Linux
          • Lame
          • Squashed
          • Faculty
        • 🪟Windows
          • Jeeves
          • Bart
          • Active
          • Tally
      • Portswigger
        • 📂File upload
          • Apprentice
            • Remote code execution via web shell upload
            • Web shell upload via Content-Type restriction bypass
        • 💉SQL Injection
          • Apprentice
            • SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
            • SQL injection vulnerability allowing login bypass
          • Practioner
            • SQL injection UNION attack, determining the number of columns returned by the query
            • SQL injection UNION attack, finding a column containing text
            • SQL injection UNION attack, retrieving data from other tables
            • SQL injection UNION attack, retrieving multiple values in a single column
            • SQL injection attack, querying the database type and version on Oracle
            • SQL injection attack, querying the database type and version on MySQL and Microsoft
            • SQL injection attack, listing the database contents on non-Oracle databases
            • SQL injection attack, listing the database contents on Oracle
            • Blind SQL injection with conditional responses
            • Blind SQL injection with time delays
            • Blind SQL injection with time delays and information retrieval
        • 📑Information Disclosure
          • Apprentice
            • Error Messages
            • Filtering a debug page
            • Backup Leakage
            • Authentication bypass via information disclosure
          • Practitioner
            • Information disclosure in version control history
        • 🪜Directory Traversal
          • Apprentice
            • File path traversal, simple case
          • Practioner
            • File path traversal, traversal sequences blocked with absolute path bypass
            • File path traversal, traversal sequences stripped non-recursively
            • File path traversal, traversal sequences stripped with superfluous URL-decode
            • File path traversal, validation of file extension with null byte bypass
        • 🧑‍💻OS Command Injection
          • Apprentice
            • OS command injection, simple case
          • Practioner
            • Blind OS command injection with time delays
            • Blind OS command injection with output redirection
        • 🧃Broken Authentication
          • Apprentice
            • Username enumeration via different responses
            • 2FA simple bypass
            • Password reset broken logic
        • 🗃️Access Control
          • Apprentice
            • Unprotected admin functionality
            • Unprotected admin functionality with unpredictable URL
            • User role controlled by request parameter
            • User role can be modified in user profile
            • User ID controlled by request parameter
            • User ID controlled by request parameter, with unpredictable user IDs
            • User ID controlled by request parameter with data leakage in redirect
            • User ID controlled by request parameter with password disclosure
            • Insecure Direct Object References (IDOR)
        • 📝External Entity Injection
          • Apprentice
      • TryHackme
        • 🐧Linux
        • 🪟Windows
          • Crocc Crew
          • Enterprise
    • 🔮Github
    • 📺YouTube Channel
  • Everything About and Notes
    • 🥷Five stages of Ethical Hacking
    • 🔍OSINT
      • 🕵️Information Gathering Methodologies
        • Information Gathering
        • OSINT Employee's
        • Automate OSINT techniques
          • Sherlock
          • PhoneInfoga
          • Osintgram
          • twint
          • Userrecon
      • Discovering Email Address
      • Breach Credentials
      • Reverse Image Searching
      • Hunting Usernames & Accounts
      • Searching People
      • Phone Numbers
      • Google Dorks
      • Search Engines
      • Default Passwords
      • Aircraft Tracking
      • Car OSINT
      • Wi-Fi OSINT
      • OSINT Virtual Machine
    • 👁️Network Pentesting
      • MITM Cheatsheet
      • Host Discovery
      • Scanning Hosts
      • Sniffing
      • Spoofing
      • DNS spoofing + apache2
      • Firewall/IDS Evasion
      • 🖨️Printer Hacking
      • 👁️‍🗨️IoT Pentesting
    • 🪟Windows and Active Directory
      • Windows Basic Commands
        • Network Command's
        • Tasks
        • Computer Slow Command's
        • Bypass Windows Admin Prompt
      • Active Directory
        • AD Enumeration
        • Man-In-The-Middle Attacks
          • SMB Relay
          • LLMNR Poisoning
        • Zerologon (2020-1472)
        • Password Cracking
        • Kerberoasting
          • Kerbrute
          • ASREP Roasting
        • Post-Compromise Enumeration
          • Powerview
          • Bloodhound
            • Installing & Setting Up
            • SharpHound
            • Using BloodHound
        • Post-Compromise attacks
          • Privilege Escalation
            • Token Impersonation
            • Print Nightmare (CVE-2021-1675)
          • Pass Attacks
            • Pass the Hash
            • Pass the Password
            • GPP cPassword Attack
          • Mimikatz
            • Golden Ticket Attack
          • Dumping hashes (secretsdump)
      • Windows Privilege Escalation
        • Unquoted Path Service
        • Abusing the Golden Privileges
        • Print Spoofer
        • Print-Nightmare
        • Rogue Potato
      • Active Directory Exploitation Cheat Sheet
      • Active Directory Attacks (PayloadAllTheThings)
    • 🧠Social Engineering
      • Windows Malware
        • Generating Undetectable backdoors
        • Bypassing Anti-Virus by modifying Hex Value
        • Creating Trojans
          • Embedding malicious files in Images or PDF
          • Changing Trojans Icon
          • Spoofing file extensions
          • Microsoft Office Trojans
            • Word Macros
      • OS X Malware
        • Using Msfvenom
      • Linux Malware
        • Simple Backdoors
        • Embedding Evil Code in a Legitimate Linux Package
        • Backdooring An APK
      • Spying Software
      • Delivery methods
        • Gophish
        • Spoofing Emails
          • Setting Your Own SMTP server
        • Creating Fake Login Website
        • Manipulating URL's
      • Make attacks outside the network
        • Ngrok
      • Social Engineering
      • Social Engineering by Cristopher hadnagy
    • 🕸️Web Pentesting
      • Web Basics
      • Information Gathering - Some One-liners
      • File Upload
      • Code Execution
      • Local File Inclusion
      • SQL Injection
      • XSS (Corss-site scripting)
      • CSRF (Cross-site requests forgery)
      • Discovering Vulnerabilities using OWASP ZAP
      • CMS
        • Wpscan
      • 🕷️OWASP Testing Guide
      • 📒Bug Bounty Checklist
    • 📡Wireless Pentesting
      • Wi-Fi Network Fundamentals
        • Basic Terminologies and Concepts
      • De-authentication
      • Disassociation Packets
      • Beacon Flooding
      • Authentication Denial-Of-Service
      • SSID Probing and Bruteforcing
      • EAPOL Start and Logoff Packet Injection
      • Attacks for IEEE 802.11s mesh networks
      • WIDS Confusion
      • WEP
        • Caffe-Latte
      • WPA/WPA2 - PSK
        • Handshake Capture
        • WPA Cracking
        • Resources
      • Evil Twin Attacks
        • WifiPumpkin3
          • Creating a fake access point
          • Using captive portal attack
          • Pulp scripts
      • WI-FI Pentesting Guide
      • Wifi Hacking Using Windows CMD
    • 🔥Binary Explotation
      • Assembly for Reverse Engineering
      • Reversing
    • 🏃‍♂️Pivoting & Port-forwarding
      • Chisel
      • SSH
      • Socat
      • plink
      • sshuttle
      • Pivoting Bash Scripts
    • 📱Mobile Application Pentesting
      • Android Hacking Methodology
      • Mobile Application CheatSheet
      • Android Penetration Testing
    • 🦾Arduino
    • 🌐External Pentesting
      • External Pentesting
  • Gadgets
    • 📇Proxmark3
      • Attacking MIFARE Classic 1KB
    • 📡SDR Hacking
      • Hardware
      • Using RTL-SDR
      • DragonOS
    • 🍍WI-FI Pineapple
      • Evil Portals
  • 🚩Resources
    • 🐙Extras
      • Drone Hacking
      • Password Cracking with Rules and Munging
      • Game Hacking
      • Carding
      • Personal Security Checklist
    • 🟦Metasploit
      • Metasploit Modules
    • rc Personal Config (.bashrc && .zshrc)
    • WADCOMS
    • GTFOBins
    • LOLBAS
    • Devhints
    • Weakpass
    • Revshells
    • 📑Pentesting Reports Repo
Powered by GitBook
On this page
  • What is active directory?
  • Why Active Directory?
  • Active Directory Physical Components
  • Domain Controller's
  • What the AD DS?
  • Domains
  • Trees
  • Forest
  • Organizational Units (OU's)
  • Domain Trust
  • Objects
  • Resources
  1. Everything About and Notes
  2. Windows and Active Directory

Active Directory

What is active directory?

  • Directory service developed by Microsoft to manage Windows Domain Networks.

  • Stores Information related to objects, such as Computers, users, Printers, etc.

  • Authenticates using kerberos tickets.

Why Active Directory?

Active Directory lets you create security groups, setting up which users can access which network assets, such as shared files and applications.

You can also organize your company’s network hierarchy. For example, it’s through AD that you determine which computers and printers belong on the network.

Active Directory is the most commonly used identity management service in the world.

Active Directory Physical Components

Domain Controller's

This is a server with AD DS server role installed that has specifically been promoted to a domain controller.

What it does?

  • Host a copy of the AD DS directory store

  • Provide authentication and authorization services

  • Replicate Updates to other Domain Controllers in the Domain Forest

  • Allow administrative access to manage user account and network resources

What the AD DS?

The Active Directory Data Store contains some database files, manage user information or even processes, services and application.

  • Consist of the database file Ntds.dit (aka: The Most Famous DB File in Active Directory)

  • Is store by default in the %Systemroot%\NTDS folder in the Domain Controllers

  • The Ntds.dit file include a lot of sensitive information like, users, passwords, objects, etc.

Domains

Contains all the information about the objects of the Active directory. Domains are used to group and manage objects in organization.

  • The objects of the directory are contained inside the domain. Inside a "forest" more than one domain can exist and each of them will have their own objects collection.

  • Is just one domain (Example: enterprise.com)

Trees

Group of domains with the same root. (Example: dom.local, email.dom.local, www.dom.local)

Forest

Is just a collection of Trees, it could be more than one.

  • Share a common configuration partition.

  • Enable trust between all domains in the forest.

  • Admins and Schema admin groups are shared.

Organizational Units (OU's)

Containers that can have, users, groups, computers etc.

  • Apply Policies, delegate permissions to admin group of objects and manage.

Domain Trust

Microsoft considers that the domain isn't a Security Boundary, the Forest is the security Boundary. This means that if you compromise a domain inside a Forest, you might be able to compromise the entire Forest.

Objects

There are 7 objects that you need to know.

Simplify connecting and locating printers

Network resource access

Simplify administrator control.

User can search for shared folders based on the properties.

Used to assign e-mail address to external users.

Compatibility with other directory services.

Management of resources like, authentication, auditing users, access and resources.

Resources

PreviousBypass Windows Admin PromptNextAD Enumeration

Last updated 1 year ago

Microsoft:

Hacktrickz Active Directory:

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-domain-services
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology
🪟
Page cover image