Understanding Active Directory attacks

Sumanth Dodda
4 min read · Oct 29, 2022


In this post we'll cover the background you need in order to understand Active Directory attacks and carry them out: we'll skim over the architecture and how it works here, and in the next posts of the series we'll look at the attacks and attack vectors that exist against Active Directory.

Active Directory is a very powerful and popular authentication and authorization service that is used in almost every enterprise network. Even though it is a Microsoft product, it works with non-Windows operating systems too. One more thing that fascinates me is how flexible it is: it supports on-premises, cloud and even hybrid environments.

If we add computers, users, groups, printers, etc. to Active Directory, we can use them anywhere in the enterprise network. The machine or device we are trying to log in to is already set up and connected to the central server that verifies who we are. Each such item is called an object.

Active Directory stores data in a hierarchy of containers and leaf nodes called the directory information tree (DIT). Leaf nodes are endpoints in the tree, while containers can store other containers and leaf nodes. In Active Directory, the two most common types of containers are organizational units (OUs) and container objects. Container objects are generic containers that have no special properties other than being able to contain objects. Organizational units, on the other hand, have some special properties, such as being able to be linked to a group policy.

For example, the root of this tree has two children, Finance and Sales; Sales has two children of its own, Pre-Sales and Post-Sales, and Pre-Sales holds user objects, group objects and computer objects. When you are potentially storing millions of objects in Active Directory, each object has to be uniquely locatable and identifiable. Every object has a Globally Unique Identifier (GUID), but another way to reference objects, the distinguished name (DN), is more commonly used.

A DN follows a fixed syntax and set of rules, so the DN for the root (sumo.com) from the figure is "dc=sumo, dc=com", and for a subdomain such as sales.sumo.com the DN is "dc=sales, dc=sumo, dc=com". There is one more identifier needed to uniquely refer to an object within its parent: the relative distinguished name (RDN), which is the leftmost component of the DN (for example, cn=Richard Lang below).

And if you wanted to specify a user named Richard Lang, a group called My Group, and a computer called Moose in the Pre-Sales OU, you would use the following:

cn=Richard Lang, ou=Pre-Sales, ou=Sales, dc=sumo, dc=com
cn=My Group, ou=Pre-Sales, ou=Sales, dc=sumo, dc=com
cn=Moose, ou=Pre-Sales, ou=Sales, dc=sumo, dc=com
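As an added example (not code from the original post), here is a small Python helper that parses DNs like the three above into their RDN components and answers the questions the text raises: what the RDN of an object is, which container holds it, and which domain it lives in. The function names are our own, and the escaping rules are simplified to backslash-escaping, which covers the common case of a comma inside a CN.

```python
"""Parse and reason about Active Directory distinguished names (DNs).

Added example, not from the original post. The DNs used below are the ones
shown in the post (sumo.com / Sales / Pre-Sales); the helper names are our
own. Escaping is simplified: a backslash escapes the next character.
"""
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs, leaf (RDN) first.

    'cn=Moose, ou=Pre-Sales, dc=sumo, dc=com'
        -> [('cn','Moose'), ('ou','Pre-Sales'), ('dc','sumo'), ('dc','com')]
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped char: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                         # unescaped comma ends an RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def _fmt(attr: str, value: str) -> str:
    """Render one RDN, re-escaping backslashes and commas in the value."""
    escaped = value.replace("\\", "\\\\").replace(",", "\\,")
    return f"{attr}={escaped}"


def normalize_dn(dn: str) -> str:
    """Canonical form: no spaces after commas, lowercase attribute types."""
    return ",".join(_fmt(a, v) for a, v in parse_dn(dn))


def rdn(dn: str) -> str:
    """The relative distinguished name: the leaf component only."""
    a, v = parse_dn(dn)[0]
    return _fmt(a, v)


def parent_dn(dn: str) -> str:
    """The container that holds this object (everything after the RDN)."""
    return ",".join(_fmt(a, v) for a, v in parse_dn(dn)[1:])


def domain_dn(dn: str) -> str:
    """Only the dc= components: the domain the object lives in."""
    return ",".join(_fmt(a, v) for a, v in parse_dn(dn) if a == "dc")


def dns_name(dn: str) -> str:
    """Turn dc=sales,dc=sumo,dc=com into sales.sumo.com."""
    return ".".join(v for a, v in parse_dn(dn) if a == "dc")


def is_under(dn: str, container: str) -> bool:
    """True if `dn` sits anywhere below `container` in the DIT (case-insensitive)."""
    obj = [(a, v.casefold()) for a, v in parse_dn(dn)]
    cont = [(a, v.casefold()) for a, v in parse_dn(container)]
    return len(obj) > len(cont) and obj[-len(cont):] == cont


if __name__ == "__main__":
    user = "cn=Richard Lang, ou=Pre-Sales, ou=Sales, dc=sumo, dc=com"
    print(rdn(user))        # cn=Richard Lang
    print(parent_dn(user))  # ou=Pre-Sales,ou=Sales,dc=sumo,dc=com
    print(dns_name(user))   # sumo.com
```

Reading the DN right to left walks down the tree from the domain to the object, which is why `parent_dn` is simply "everything after the first component" and `is_under` is a suffix comparison.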

Domains and Domain Trees:

sumo.com is a domain, and there can be multiple subdomains such as sales.sumo.com, finance.sumo.com, and so on; together they form a domain tree. Each domain can only contain one domain controller (DC), which is responsible for authoritative functions in the entire domain. Each domain tree is called by the name given to the root of the tree; hence, this domain tree is known as the sumo.com tree.

With a transitive trust, if Domain A trusts B and B trusts C, then Domain A trusts C. All the domains in a domain tree trust each other with transitive trusts. Put more simply, the administrator of sales.sumo.com can allow any user in the tree access to any of the resources in the sales domain that the administrator wishes; the user accessing the resource does not have to be in the same domain.

Forests:

A forest is a collection of one or more domain trees, all connected together through transitive trusts. As soon as you create a single domain, you have a forest. If you add domains to the initial domain tree or add new domain trees, you still have one forest. Forests are named after the first domain created when the forest is created, also known as the forest root domain. The forest root domain is important because it has special properties.

Suppose sumo.com has a subsidiary business called Gangu, and the DNS domain name allocated to and used by Gangu is gangu.com. In Gangu's case, all you need to do is create the root of the gangu.com tree as a member of the existing forest; gangu.com and sumo.com can then exist together and share resources. The forest containing the sumo.com and gangu.com domain trees is known as the sumo.com forest, in which sumo.com is the forest root domain.
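To make the trust relationships in the two sections above concrete, here is an added Python model (our own code, not from the post) of the sumo.com forest: parent and child domains in a tree trust each other two-way and transitively, and gangu.com joins the forest through a trust with the forest root. The `Forest` class and its method names are assumptions; the domain names are the ones the post uses. The model answers the question a resource owner should ask before granting access across domains: which domains does my domain end up trusting, and through which chain of trusts?

```python
"""Domain trees, forests and transitive trusts as a small graph model.

Added example, not from the original post. The domain names are the ones
the post uses (sumo.com, sales.sumo.com, finance.sumo.com, gangu.com); the
class and its methods are our own. It models what the post describes:
parent/child domains in a tree trust each other two-way and transitively,
and a new tree joins the forest through a trust with the forest root domain.
"""
from collections import deque
from typing import Dict, List, Optional, Set


class Forest:
    def __init__(self, forest_root: str) -> None:
        self.root = forest_root                      # first domain created
        self.parent: Dict[str, Optional[str]] = {forest_root: None}
        self.trusts: Dict[str, Set[str]] = {forest_root: set()}

    def _link(self, a: str, b: str) -> None:
        """Record a two-way trust between two domains."""
        self.trusts.setdefault(a, set()).add(b)
        self.trusts.setdefault(b, set()).add(a)

    def add_child_domain(self, child: str, parent: str) -> None:
        """Add a subdomain to an existing domain tree (parent-child trust)."""
        if parent not in self.trusts:
            raise ValueError(f"unknown parent domain {parent!r}")
        if child in self.trusts:
            raise ValueError(f"domain {child!r} already exists")
        self.parent[child] = parent
        self._link(child, parent)

    def add_domain_tree(self, tree_root: str) -> None:
        """Start a new tree in the same forest (tree-root trust with the forest root)."""
        if tree_root in self.trusts:
            raise ValueError(f"domain {tree_root!r} already exists")
        self.parent[tree_root] = None
        self._link(tree_root, self.root)

    def tree_root(self, domain: str) -> str:
        """Walk up parent links; the tree is named after the domain reached."""
        while self.parent[domain] is not None:
            domain = self.parent[domain]
        return domain

    def trust_path(self, src: str, dst: str) -> Optional[List[str]]:
        """Shortest chain of trusts from src to dst, or None if unreachable."""
        prev: Dict[str, Optional[str]] = {src: None}
        queue = deque([src])
        while queue:
            cur = queue.popleft()
            if cur == dst:
                path = []
                while cur is not None:          # rebuild the path backwards
                    path.append(cur)
                    cur = prev[cur]
                return path[::-1]
            for nxt in sorted(self.trusts.get(cur, ())):
                if nxt not in prev:
                    prev[nxt] = cur
                    queue.append(nxt)
        return None

    def trusted_domains(self, domain: str) -> Set[str]:
        """Every domain reachable over transitive trusts, excluding itself."""
        return {d for d in self.trusts
                if d != domain and self.trust_path(domain, d) is not None}


def build_example_forest() -> Forest:
    """The sumo.com forest from the post plus the gangu.com subsidiary tree."""
    forest = Forest("sumo.com")
    forest.add_child_domain("sales.sumo.com", "sumo.com")
    forest.add_child_domain("finance.sumo.com", "sumo.com")
    forest.add_domain_tree("gangu.com")
    return forest


if __name__ == "__main__":
    forest = build_example_forest()
    print(forest.trust_path("gangu.com", "sales.sumo.com"))
    print(sorted(forest.trusted_domains("sales.sumo.com")))
```

`trusted_domains` is the practical output: with one tree-root trust, every domain in the sumo.com tree implicitly trusts gangu.com and vice versa, so the administrator of sales.sumo.com who grants access to "any user in the tree" should be aware that the set of candidate users spans the whole forest.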

That's it :). See you in the next one.
