
Active Directory

AD is the crown jewels
Compromising Active Directory means controlling the entire enterprise: every authentication, every authorization and every Group Policy decision flows through the Domain Controllers running AD DS, the directory service that manages identities, computers and permissions across the organization.

Core Components

  • Domain Controller (DC) - Server hosting AD DS (the brain)
  • Domain - Administrative boundary holding security principals (users, groups, computers)
  • Forest - Collection of domains sharing one schema and linked by automatic two-way transitive trusts; the forest, not the domain, is the real security boundary
  • OU (Organizational Unit) - Container for objects (GPO target)
  • GPO (Group Policy Object) - Configuration enforcement mechanism

Authentication Protocols

Kerberos - Default authentication protocol since Windows 2000. Ticket-based: the client proves knowledge of its long-term key (derived from the password) by decrypting what the KDC sends back, so neither the password nor its hash is ever sent across the network.

Client -> AS-REQ -> KDC (Authentication Service)
KDC -> AS-REP -> Client (TGT received)
Client -> TGS-REQ -> KDC (Ticket Granting Service)
KDC -> TGS-REP -> Client (Service Ticket)
Client -> AP-REQ -> Target Server

NTLM - Legacy challenge-response protocol, still enabled in most environments and weaker than Kerberos. Because the NT hash itself is the key used to answer the challenge, a stolen hash is as good as the password; this is what makes pass-the-hash possible.
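
The exchange above can be watched from any domain-joined Windows host. The following is an added example, not code from the original page: it empties the ticket cache, forces an AS-REQ and a TGS-REQ by asking for a token to a service, and then lists what the KDC handed back. `cifs/dc01.corp.local` is a placeholder SPN; it needs Windows PowerShell 5.1, because `System.IdentityModel` is a .NET Framework assembly.

```powershell
# Added example: observe the AS-REQ/AS-REP and TGS-REQ/TGS-REP steps of the Kerberos flow.
# 'cifs/dc01.corp.local' is a placeholder SPN; substitute one that exists in your domain.
# Windows PowerShell 5.1 only (System.IdentityModel is not available in PowerShell 7).
Add-Type -AssemblyName System.IdentityModel

# Start from an empty ticket cache so every ticket listed below was obtained by this script.
klist purge | Out-Null
'--- cache after purge ---'
klist

# Requesting a token for a service makes the client (1) obtain a TGT from the Authentication
# Service if it has none (AS-REQ/AS-REP) and (2) present that TGT to the Ticket Granting Service
# for a service ticket (TGS-REQ/TGS-REP). GetRequest() returns the AP-REQ (GSS-API token) that
# would go to the target server; Kerberoast tools pull the encrypted service ticket out of
# exactly this structure.
$spn   = 'cifs/dc01.corp.local'
$token = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $spn
$apReq = $token.GetRequest()
'AP-REQ for {0}: {1} bytes' -f $spn, $apReq.Length

# The cache now holds two tickets: krbtgt/<REALM> (the TGT from the AS-REP) and the service
# ticket from the TGS-REP. The encryption type line is what matters for Kerberoasting:
# RC4-HMAC (etype 23) tickets crack far faster offline than AES ones.
'--- cache after request ---'
klist | Select-String -Pattern 'Server:|Encryption Type'
```

If the service ticket comes back as RC4-HMAC while the TGT is AES, the service account has no AES encryption types set in `msDS-SupportedEncryptionTypes`, which is the condition Kerberoasting exploits.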

Key Attacks

  • Pass-the-Hash - Authenticate over NTLM with a stolen NT hash; the plaintext password is never needed
  • Kerberoasting - Request TGS service tickets for user accounts that have an SPN and crack the service account's password offline (RC4-encrypted tickets crack far faster than AES)
  • AS-REP Roasting - Request AS-REPs for accounts with Kerberos pre-authentication disabled and crack the encrypted part offline
  • DCSync - Abuse replication rights (DS-Replication-Get-Changes and -Get-Changes-All) to pull password hashes from a DC as if you were another DC
  • Golden Ticket - Forge a TGT with the KRBTGT account's key to impersonate any principal in the domain
  • Silver Ticket - Forge a service ticket with a service account's key; valid for that service only and presented straight to the service, so the KDC never sees a request
  • NTLM/SMB Relay - Relay a captured NTLM authentication to another host; works wherever SMB signing (or the equivalent channel binding on LDAP/HTTP) is not enforced
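
Three of the attacks above leave distinct traces in the Security log of the Domain Controller. The script below is an added example, not part of the original page: it reads 4768, 4769 and 4662 events from a DC and flags RC4 service-ticket requests for user SPNs (Kerberoasting), TGTs issued without pre-authentication (AS-REP roasting) and replication rights exercised by a non-computer account (DCSync). `dc01.corp.local` is a placeholder. 4662 only appears if "Audit Directory Service Access" is enabled and the domain object carries a SACL for the replication rights; the three GUIDs are the well-known schema GUIDs of those control-access rights.

```powershell
# Added example: hunt for Kerberoasting, AS-REP roasting and DCSync indicators in a DC's
# Security log. Needs read access to that log; -ComputerName is a placeholder.
param(
    [string]$ComputerName = 'dc01.corp.local',
    [int]$Hours = 24
)
$since = (Get-Date).AddHours(-$Hours)

# Pull the named EventData fields of an event into a hashtable keyed by field name.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

# Control-access rights abused by DCSync (well-known AD schema GUIDs).
$dcsyncGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)

$filter = @{ LogName = 'Security'; Id = 4768, 4769, 4662; StartTime = $since }
Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_            # inside 'switch', $_ becomes the value being tested, so keep a copy
        $f   = Get-EventFields $evt
        switch ($evt.Id) {
            # Kerberoasting: RC4-HMAC (0x17) service ticket for a user SPN. Computer accounts end
            # in '$' and krbtgt is the TGT itself, so both are excluded.
            4769 {
                if ($f.TicketEncryptionType -eq '0x17' -and $f.Status -eq '0x0' -and
                    $f.ServiceName -notmatch '\$$' -and $f.ServiceName -ne 'krbtgt') {
                    [pscustomobject]@{
                        Time      = $evt.TimeCreated
                        Indicator = 'Kerberoast (RC4 TGS)'
                        Actor     = $f.TargetUserName
                        Target    = $f.ServiceName
                        Source    = $f.IpAddress
                    }
                }
            }
            # AS-REP roasting: TGT issued successfully with PreAuthType 0 (no pre-authentication).
            4768 {
                if ($f.PreAuthType -eq '0' -and $f.Status -eq '0x0') {
                    [pscustomobject]@{
                        Time      = $evt.TimeCreated
                        Indicator = 'AS-REP roast (no preauth)'
                        Actor     = $f.TargetUserName
                        Target    = $f.ServiceName
                        Source    = $f.IpAddress
                    }
                }
            }
            # DCSync: a replication right exercised by something other than a computer account
            # (legitimate replication comes from DC computer accounts, which end in '$').
            4662 {
                $hit = $dcsyncGuids | Where-Object { $f.Properties -match $_ }
                if ($hit -and $f.SubjectUserName -notmatch '\$$') {
                    [pscustomobject]@{
                        Time      = $evt.TimeCreated
                        Indicator = 'DCSync (replication right)'
                        Actor     = $f.SubjectUserName
                        Target    = $f.ObjectName
                        Source    = 'n/a'
                    }
                }
            }
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

Expect noise from the 4769 rule in domains where RC4 is still the default for service accounts: a single user requesting tickets for many distinct SPNs in a short window is the pattern worth alerting on, not any one RC4 ticket.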

Enumeration Essentials

# Requires the RSAT ActiveDirectory module
Import-Module ActiveDirectory

# Users in domain (all attributes; slow on a large domain, narrow -Properties when you can)
Get-ADUser -Filter * -Properties *

# Domain admins, including members of nested groups
Get-ADGroupMember -Identity "Domain Admins" -Recursive

# Service accounts (Kerberoast targets): user accounts with an SPN set
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

# Computers in domain
Get-ADComputer -Filter *

# OU structure
Get-ADOrganizationalUnit -Filter *
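
The one-liners above list roastable accounts but say nothing about which ones matter. The script below is an added example, not code from the original page: it finds Kerberoast targets (enabled users with an SPN) and AS-REP roast targets (enabled users with DONT_REQ_PREAUTH) with LDAP filters, then ranks them by privilege, encryption types and password age. The bit values (2 = ACCOUNTDISABLE, 0x400000 = DONT_REQ_PREAUTH) and the `msDS-SupportedEncryptionTypes` flags are the documented userAccountControl and encryption-type constants; `1.2.840.113556.1.4.803` is the LDAP bitwise-AND matching rule.

```powershell
# Added example: rank Kerberoast and AS-REP roast targets by attacker value.
# Requires the RSAT ActiveDirectory module; run from a domain-joined host.
Import-Module ActiveDirectory

# Decode msDS-SupportedEncryptionTypes. Unset/0 on a user account means the KDC falls back
# to RC4 for that account's tickets, which is exactly what a Kerberoaster hopes for.
function Get-EncTypes([int]$Value) {
    if (-not $Value) { return 'RC4 (default, attribute unset)' }
    $names = @()
    if ($Value -band 0x3)  { $names += 'DES' }
    if ($Value -band 0x4)  { $names += 'RC4' }
    if ($Value -band 0x8)  { $names += 'AES128' }
    if ($Value -band 0x10) { $names += 'AES256' }
    $names -join ','
}

$props = 'ServicePrincipalName', 'msDS-SupportedEncryptionTypes', 'PasswordLastSet',
         'AdminCount', 'MemberOf', 'DoesNotRequirePreAuth'

# Kerberoast targets: enabled user accounts with an SPN, excluding krbtgt.
$roastable = Get-ADUser -Properties $props -LDAPFilter `
    '(&(servicePrincipalName=*)(!(samAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# AS-REP roast targets: enabled accounts with DONT_REQ_PREAUTH (0x400000 = 4194304) set.
$noPreauth = Get-ADUser -Properties $props -LDAPFilter `
    '(&(userAccountControl:1.2.840.113556.1.4.803:=4194304)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# An account can be in both lists; merge on SamAccountName so it is reported once.
$users = @($roastable) + @($noPreauth) | Sort-Object SamAccountName -Unique

$report = foreach ($u in $users) {
    $reasons = @()
    if ($u.ServicePrincipalName)  { $reasons += 'Kerberoast' }
    if ($u.DoesNotRequirePreAuth) { $reasons += 'AS-REP roast' }
    [pscustomobject]@{
        Account     = $u.SamAccountName
        Exposure    = $reasons -join '+'
        EncTypes    = Get-EncTypes $u.'msDS-SupportedEncryptionTypes'
        Privileged  = [bool](($u.AdminCount -eq 1) -or ($u.MemberOf -match 'CN=(Domain|Enterprise) Admins,'))
        # Days since the password was set; -1 when it was never set.
        PasswordAge = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet).Days } else { -1 }
        SPNs        = (@($u.ServicePrincipalName) | Select-Object -First 3) -join ' '
    }
}

# Privileged accounts with RC4-only tickets and old passwords go to the top. Fix those first:
# long random password or a gMSA, AES-only via msDS-SupportedEncryptionTypes, pre-auth re-enabled.
$report |
    Sort-Object -Property @{Expression = 'Privileged'; Descending = $true},
                          @{Expression = 'PasswordAge'; Descending = $true} |
    Format-Table -AutoSize
```

Any row showing `Privileged = True` together with an RC4-only encryption type is a Domain Admin whose password can be attacked offline by any authenticated user, which is the highest-value finding this page's enumeration can produce.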

Tooling

  • BloodHound - Maps AD relationships (sessions, group membership, ACLs, delegation) as a graph to find attack paths to Domain Admins
  • PowerView - PowerShell recon toolkit (part of PowerSploit) for domain, ACL and trust enumeration
  • Mimikatz - Extracts credentials from LSASS memory; also performs DCSync, pass-the-hash and Golden/Silver Ticket forgery
  • Impacket - Python library and example scripts (secretsdump, GetUserSPNs, GetNPUsers, ntlmrelayx) that speak Kerberos, NTLM, SMB, LDAP and MS-RPC from Linux
  • CrackMapExec - Swiss army knife for AD assessment, built on Impacket, for spraying credentials and executing across many hosts