
AD Basics

We will cover Active Directory basics, some important terminology, and the major authentication mechanisms.


What is Active Directory

Active Directory is a directory service developed by Microsoft that provides centralized management for network resources. It is primarily used for managing users, computers, devices, and other resources within a Windows-based domain. Active Directory is essential for authentication, authorization, and network management in many corporate environments.


Key Components of Active Directory:

Domain Controller (DC) : A server that authenticates and authorizes users and computers in the AD domain. It also manages the AD database.

Domain : A logical grouping of network resources (e.g., users, computers) that share a common database, policies, and security settings.

Organizational Unit (OU): A container within a domain used to organize objects like users, groups, and computers for easier management.

Group: A collection of users that can be managed as a single unit, often used to define permissions and access control.

Trusts: Relationships between different domains or forests in AD to allow access between resources across domains.


Kerberos

Kerberos is a network authentication protocol that uses symmetric key cryptography to authenticate users and services in a secure manner.

Explanation of the Flow:

  1. Client (C) requests a Ticket Granting Ticket (TGT) from the Key Distribution Center (KDC).
  2. KDC returns the TGT, encrypted with the KDC's own long-term key (the KRBTGT account key).
  3. Client (C) uses the TGT to request a Service Ticket from the Ticket Granting Service (TGS).
  4. TGS returns the Service Ticket, which is encrypted with the service's secret key.
  5. Client (C) sends the Service Ticket to the Service (S) to gain access.
  6. Service (S) decrypts the Service Ticket and grants access if the ticket is valid.

Kerberos Attacks

Kerberoasting: Attackers request service tickets (TGS) from AD for service accounts, and then attempt to crack the tickets offline.

Golden Ticket Attack: Attackers forge Kerberos Ticket Granting Tickets (TGT) using a compromised KRBTGT account hash, allowing for domain-wide access.

Silver Ticket Attack: Similar to Golden Tickets but limited to specific services. It involves creating a forged service ticket.

Pass-the-Ticket: Attackers steal and reuse Kerberos tickets to authenticate to services without needing the user's password.
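Kerberoasting leaves a trace on the domain controller: every service ticket request is logged as Security event 4769, and one account obtaining RC4-encrypted tickets for many distinct SPNs in a short window is the classic signal. The Python below is added here and is not part of the original notes; it runs that check over constructed sample records (the flattened one-line record format, threshold, and the account and host names are assumptions for the example).

```python
import re
from collections import defaultdict

# Constructed sample of Windows Security event 4769 (Kerberos service ticket
# requested) records, flattened to one line each for this example.
SAMPLE_4769_EVENTS = """\
EventID=4769 Account=alice@CORP.LOCAL Service=MSSQLSvc/db01.corp.local EncType=0x12 Status=0x0
EventID=4769 Account=bob@CORP.LOCAL Service=MSSQLSvc/db01.corp.local EncType=0x17 Status=0x0
EventID=4769 Account=bob@CORP.LOCAL Service=HTTP/web01.corp.local EncType=0x17 Status=0x0
EventID=4769 Account=bob@CORP.LOCAL Service=MSSQLSvc/db02.corp.local EncType=0x17 Status=0x0
EventID=4769 Account=bob@CORP.LOCAL Service=ldap/dc01.corp.local EncType=0x17 Status=0x0
EventID=4769 Account=bob@CORP.LOCAL Service=krbtgt EncType=0x17 Status=0x0
EventID=4769 Account=bob@CORP.LOCAL Service=WS01$ EncType=0x17 Status=0x0
EventID=4769 Account=carol@CORP.LOCAL Service=cifs/fs01.corp.local EncType=0x17 Status=0x0
EventID=4769 Account=dave@CORP.LOCAL Service=HTTP/web01.corp.local EncType=0x17 Status=0x7
"""

RC4_HMAC = 0x17  # ticket encryption type whose tickets are cheapest to crack offline
LINE_RE = re.compile(
    r"EventID=(?P<id>\d+) Account=(?P<account>\S+) Service=(?P<service>\S+) "
    r"EncType=(?P<enctype>0x[0-9a-fA-F]+) Status=(?P<status>0x[0-9a-fA-F]+)"
)

def parse_4769(line):
    """Return the fields of one flattened 4769 record, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m or m["id"] != "4769":
        return None
    return {"account": m["account"], "service": m["service"],
            "enctype": int(m["enctype"], 16), "status": int(m["status"], 16)}

def find_kerberoast_candidates(lines, min_distinct_spns=3):
    """Accounts that successfully obtained RC4 service tickets for many distinct SPNs."""
    # krbtgt (TGT traffic) and machine accounts (long random passwords, not
    # realistically crackable) are excluded to cut noise; failed requests too.
    spns_by_account = defaultdict(set)
    for line in lines:
        ev = parse_4769(line)
        if ev is None or ev["status"] != 0 or ev["enctype"] != RC4_HMAC:
            continue
        if ev["service"].lower() == "krbtgt" or ev["service"].endswith("$"):
            continue
        spns_by_account[ev["account"]].add(ev["service"])
    return {acct: sorted(spns) for acct, spns in spns_by_account.items()
            if len(spns) >= min_distinct_spns}

if __name__ == "__main__":
    for acct, spns in find_kerberoast_candidates(SAMPLE_4769_EVENTS.splitlines()).items():
        print(f"possible Kerberoasting by {acct}: {len(spns)} RC4 tickets -> {spns}")
```

Tune the threshold and window to the environment; service accounts configured for AES-only tickets drop out of this check entirely, which is the mitigation side of the same signal.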


NTLM Authentication

NTLM (NT LAN Manager) is a challenge-response authentication protocol used by older versions of Windows.

Explanation of the flow:

  1. Client (C) sends an NTLM Authentication Request to the Server (S).
  2. Server (S) sends an NTLM Challenge (a random challenge string) to the Client (C).
  3. Client (C) computes a response based on the NTLM Challenge and the Password Hash (stored locally or derived from the password) and sends this back as an NTLM Response.
  4. Server (S) forwards the NTLM Response to the Domain Controller (DC) to verify its validity.
  5. Domain Controller (DC) checks the response by comparing it with the stored password hash and responds with whether the response is valid.
  6. Server (S) informs the Client (C) whether authentication succeeded or failed, based on the validity response from the Domain Controller (DC).

LDAP Authentication

LDAP (Lightweight Directory Access Protocol) is used to query and modify data in AD, particularly for user authentication.


SSO (LDAP + Kerberos)


Cached AD credentials

Cached credentials are copies of a user’s credentials that are stored locally on a device (typically a laptop) when the user logs into the domain while connected to the network.