
AD Basics

We will cover Active Directory basics, some important terminology and the major authentication mechanisms (Kerberos, NTLM and LDAP).


What is Active Directory

Active Directory is a directory service developed by Microsoft that provides centralized management for network resources. It is primarily used for managing users, computers, devices, and other resources within a Windows-based domain. Active Directory is essential for authentication, authorization, and network management in many corporate environments.


Key Components of Active Directory:

Domain Controller (DC): A server that authenticates and authorizes users and computers in the AD domain. It also holds a writable copy of the AD database (ntds.dit) and runs the Kerberos KDC.

Domain : A logical grouping of network resources (e.g., users, computers) that share a common database, policies, and security settings.

Organizational Unit (OU): A container within a domain used to organize objects like users, groups, and computers for easier management.

Group: A collection of users that can be managed as a single unit, often used to define permissions and access control.

Trusts: Relationships between different domains or forests in AD to allow access between resources across domains.

TGT: Ticket Granting Ticket, issued by the KDC once the user has authenticated and presented back to the KDC to obtain service tickets (a KDC-issued "passport")

SPN: Service Principal Name, the identifier of a service instance that a client requests a ticket for (ex: HTTP/webserver.domain.com); each SPN is registered on the account that runs the service

KDC: Key Distribution Center, the Kerberos authentication service (AS) and ticket-granting service (TGS); runs on every Domain Controller

krbtgt: Special account whose password-derived key encrypts and signs every TGT in the domain; whoever holds that key can forge TGTs


Kerberos

Why Kerberos is used

Kerberos provides secure authentication in distributed environments using:

Ticket-based authentication (no password transmission)
Mutual authentication (both client and server verify identities)
Session keys for encrypted communication
Time-limited tickets to prevent replay attacks
Centralized management through KDC

Sequence Diagram for Kerberos Authentication

Explanation of the Flow:

  1. Authentication Service Request (AS-REQ)

Client encrypts the current timestamp with a key derived from the user's password (the NT hash for RC4-HMAC, a PBKDF2-derived key for AES); this is Kerberos pre-authentication
Sends username + encrypted timestamp to the KDC

  2. Authentication Service Reply (AS-REP)

KDC decrypts the timestamp using its stored copy of the user's key; if it decrypts correctly and is within the allowed clock skew (5 minutes by default), the KDC creates:
TGT: Contains user info, timestamp, validity period and the TGS session key, encrypted with the krbtgt account's key (the client cannot read it)
TGS session key: Encrypted with the user's key
Both sent to the client

  3. Ticket Granting Service Request (TGS-REQ)

Client decrypts the TGS session key using the user's key
Creates an authenticator (user info + timestamp) encrypted with the TGS session key
Sends to the KDC: service SPN + TGT + encrypted authenticator

  4. Ticket Granting Service Reply (TGS-REP)

KDC decrypts the TGT using the krbtgt key and recovers the TGS session key
Uses the TGS session key to decrypt the authenticator and checks that it matches the TGT
Creates:
Service Ticket: Contains user info, group membership (the PAC) and the service session key, encrypted with the service account's key
Service session key: Encrypted with the TGS session key
Both sent to the client

  5. Application Request (AP-REQ)
    Client sends to the Application Server:

Service Ticket (still encrypted; the client cannot read or alter it)
New authenticator (timestamp + user info) encrypted with the service session key

  6. Application Verification
    App Server:

a) Decrypts the Service Ticket using the service account's key
b) Extracts the service session key
c) Decrypts the authenticator using the service session key
d) Compares the user info from the ticket and the authenticator, and checks that the timestamp is within the allowed skew

If valid:
Optionally sends an AP-REP (the authenticator timestamp encrypted with the session key) for mutual authentication
Grants access with permissions based on the group membership carried in the ticket

The application server never contacts the KDC in step 6: possession of the service account's key is the only thing that decides whether a ticket is accepted, which is what makes forged service tickets possible.
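The six steps above as a runnable simulation, added here as an example and not taken from the page or from any Kerberos implementation. The cipher (`seal`/`unseal`, a SHA-256 keystream with an HMAC tag) and the key derivation (`derive_key`) are toy stand-ins for real Kerberos encryption types, and the user, password, realm and SPN are constructed lab data; the message structure (who encrypts what with which key, and what each party can and cannot read) follows the flow described above.

```python
import hashlib
import hmac
import json
import os
import time

SKEW = 300  # maximum accepted clock skew in seconds (AD default: 5 minutes)


def derive_key(password: str, salt: str) -> bytes:
    """Stand-in for the Kerberos string-to-key function (assumption: real AD
    uses the NT hash for RC4-HMAC or PBKDF2 for AES, not SHA-256)."""
    return hashlib.sha256((salt + password).encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption standing in for a Kerberos etype.
    Returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication Service + Ticket Granting Service, as run on a DC."""

    def __init__(self, user_keys: dict, service_keys: dict):
        self.user_keys = user_keys          # account -> long-term key (what AD stores)
        self.service_keys = service_keys    # SPN -> key of the account owning the SPN
        self.krbtgt_key = os.urandom(32)    # krbtgt key: never leaves the KDC

    def as_exchange(self, user: str, enc_timestamp: bytes):
        """AS-REQ -> AS-REP: pre-authentication check, then TGT + TGS session key."""
        ts = unseal(self.user_keys[user], enc_timestamp)["ts"]   # ValueError on wrong key
        if abs(time.time() - ts) > SKEW:
            raise ValueError("KRB_AP_ERR_SKEW")
        session = os.urandom(32).hex()
        tgt = seal(self.krbtgt_key, {"user": user, "session": session, "exp": time.time() + 36000})
        return tgt, seal(self.user_keys[user], {"session": session})

    def tgs_exchange(self, spn: str, tgt: bytes, authenticator: bytes):
        """TGS-REQ -> TGS-REP: open the TGT with the krbtgt key, check the
        authenticator, issue a service ticket under the service account's key."""
        t = unseal(self.krbtgt_key, tgt)
        if time.time() > t["exp"]:
            raise ValueError("KRB_AP_ERR_TKT_EXPIRED")
        tgs_session = bytes.fromhex(t["session"])
        auth = unseal(tgs_session, authenticator)
        if auth["user"] != t["user"] or abs(time.time() - auth["ts"]) > SKEW:
            raise ValueError("KRB_AP_ERR_BADMATCH")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.service_keys[spn], {"user": t["user"], "spn": spn,
                                               "groups": ["Domain Users"], "session": svc_session})
        return ticket, seal(tgs_session, {"session": svc_session})


def service_verify(service_key: bytes, ticket: bytes, authenticator: bytes) -> dict:
    """AP-REQ handling on the application server: no call back to the KDC,
    the service account's key alone decides whether the ticket is accepted."""
    t = unseal(service_key, ticket)
    auth = unseal(bytes.fromhex(t["session"]), authenticator)
    if auth["user"] != t["user"] or abs(time.time() - auth["ts"]) > SKEW:
        raise ValueError("KRB_AP_ERR_BADMATCH")
    return {"user": t["user"], "groups": t["groups"]}


def run_demo(stored_password: str = "Summer2024!", typed_password: str = None) -> dict:
    """Full flow for constructed user alice against HTTP/webserver.corp.local."""
    user, spn = "alice", "HTTP/webserver.corp.local"
    svc_key = derive_key("svc-web-account-password", "CORP.LOCAL" + "svc_web")
    kdc = KDC({user: derive_key(stored_password, "CORP.LOCAL" + user)}, {spn: svc_key})
    client_key = derive_key(typed_password or stored_password, "CORP.LOCAL" + user)
    # steps 1-2: AS-REQ / AS-REP
    tgt, enc_sess = kdc.as_exchange(user, seal(client_key, {"ts": time.time()}))
    tgs_session = bytes.fromhex(unseal(client_key, enc_sess)["session"])
    # steps 3-4: TGS-REQ / TGS-REP
    ticket, enc_svc = kdc.tgs_exchange(spn, tgt, seal(tgs_session, {"user": user, "ts": time.time()}))
    svc_session = bytes.fromhex(unseal(tgs_session, enc_svc)["session"])
    # steps 5-6: AP-REQ / verification on the web server
    return service_verify(svc_key, ticket, seal(svc_session, {"user": user, "ts": time.time()}))


def preauth_rejected(typed_password: str) -> bool:
    """True when the KDC refuses the AS-REQ because the timestamp was
    encrypted with the wrong key (the user typed the wrong password)."""
    try:
        run_demo(typed_password=typed_password)
        return False
    except ValueError:
        return True
```

`run_demo()` returns the identity and groups the web server extracted from the ticket; `preauth_rejected("wrong-pw")` shows the pre-authentication failure a wrong password produces at step 2. Note that the client only ever sees two session keys and two opaque blobs: it can hand the service ticket to the server but cannot read the groups inside it, and the web server accepts it purely because `svc_key` decrypts it.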

Kerberos Attacks

Kerberoasting: Any domain user can request a service ticket (TGS-REP) for an SPN that is registered on a user account; the ticket is encrypted with that service account's key, so it can be cracked offline to recover the account's password. Service accounts with weak passwords and RC4 enabled are the usual targets.

Golden Ticket Attack: Attackers who obtain the krbtgt account's key forge their own TGTs with arbitrary user and group claims, giving domain-wide access that survives until the krbtgt password has been changed twice.

Silver Ticket Attack: Similar to a Golden Ticket but limited to one service: with the service account's key the attacker forges a service ticket, which the application server accepts without ever contacting the KDC.

Pass-the-Ticket: Attackers steal Kerberos tickets (TGTs or service tickets) from the memory of a compromised host and reuse them to authenticate to services without knowing the user's password.


NTLM Authentication

When is NTLM Authentication Used?

NTLM (NT LAN Manager) authentication is typically employed in the following scenarios:

  1. IP-based authentication: When a client authenticates to a server using an IP address rather than a hostname.
  2. Unregistered hostnames: When attempting to authenticate to a hostname not registered in Active Directory-integrated DNS.
  3. Legacy/third-party systems: When applications explicitly choose NTLM over Kerberos due to compatibility or configuration requirements.

NTLM (NT LAN Manager) is a challenge-response authentication protocol that predates Kerberos. It is still present in current Windows versions as the fallback used when Kerberos cannot be, which is why the cases above matter: each of them prevents the client from obtaining a Kerberos ticket for the target.

Sequence Diagram For NTLM authentication Mechanism

Explanation of the flow

  1. Password Hash Preparation: The client derives the NT hash (MD4 of the UTF-16LE password) from the user's password. The hash itself is never sent over the network.

  2. Username Transmission: The client sends the username (and domain) to the application server to initiate authentication.

  3. Challenge Generation: The server generates a random 8-byte value, the "nonce" or "server challenge", and sends it to the client.

  4. Response Computation: The client computes a response over the server's challenge, keyed with the NT hash: DES in NTLMv1, HMAC-MD5 in NTLMv2 (where the key is itself an HMAC-MD5 of the NT hash over the upper-cased username and domain, and a client challenge and timestamp are mixed in).

  5. Response Submission: The client sends the response back to the server.

  6. Verification Request: The server forwards three items to the Domain Controller over its Netlogon secure channel:
    The client's response
    The original challenge
    The client's username (and domain)

  7. Authentication Validation: The Domain Controller:
    a) Retrieves the user's stored NT hash from Active Directory
    b) Recomputes the expected response from the challenge using that hash
    c) Compares the recomputed value with the response the client sent (nothing is decrypted; the response is a keyed hash, not an encrypted challenge)
    d) Notifies the server whether authentication succeeded or failed

  8. Access Decision: Based on the Domain Controller's verdict, the server either grants or denies access to the client.

Because the NT hash alone is enough to compute a valid response, anyone who obtains the hash can authenticate as the user without knowing the password (pass-the-hash).
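The NTLMv2 variant of the exchange above, added here as an example (not code from the page or from Windows). The `NTOWFv2`, `temp` blob and `NTProofStr` constructions follow the published MS-NLMP layout; the domain, username, AV_PAIR list and the 16-byte value standing in for the user's NT hash are constructed for the example (MD4, needed to compute a real NT hash, is not available in every `hashlib` build, so the hash is supplied rather than derived from a password).

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed stand-in for the user's NT hash (normally MD4 of the UTF-16LE password).
STORED_NT_HASH = bytes.fromhex("58a478135a93ac3bf058a5ea0e8fdafc")
DOMAIN, USER = "CORP", "alice"


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) || domain (UTF-16LE)."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def av_pair(av_id: int, value: bytes) -> bytes:
    return struct.pack("<HH", av_id, len(value)) + value


def ntlmv2_temp(client_challenge: bytes, target_info: bytes, now: float) -> bytes:
    """The NTLMv2_CLIENT_CHALLENGE ('blob') that is hashed with the server challenge:
    RespType, HiRespType, reserved, FILETIME, ClientChallenge, reserved, AvPairs, reserved."""
    filetime = int((now + 11644473600) * 10_000_000)     # 100 ns ticks since 1601-01-01
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def nt_proof_str(ntowf2: bytes, server_challenge: bytes, temp: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp): the 'response' of step 5."""
    return hmac.new(ntowf2, server_challenge + temp, hashlib.md5).digest()


class AppServer:
    def __init__(self):
        # constructed target info: the AV_PAIR list the server puts in its CHALLENGE message
        self.target_info = av_pair(2, DOMAIN.encode("utf-16-le")) + av_pair(0, b"")

    def challenge(self) -> bytes:
        self.server_challenge = os.urandom(8)   # ServerChallenge is 8 bytes, fresh per handshake
        return self.server_challenge


class DomainController:
    def __init__(self, accounts: dict):
        self.accounts = accounts                # sAMAccountName -> NT hash stored in AD

    def validate(self, domain: str, user: str, server_challenge: bytes,
                 proof: bytes, temp: bytes) -> bool:
        """Step 7: recompute the expected proof from the stored hash and compare.
        Nothing is decrypted; a wrong or missing hash simply fails the comparison."""
        nt_hash = self.accounts.get(user)
        if nt_hash is None:
            return False
        expected = nt_proof_str(ntowf_v2(nt_hash, user, domain), server_challenge, temp)
        return hmac.compare_digest(expected, proof)


def client_respond(nt_hash: bytes, server_challenge: bytes, target_info: bytes):
    """Steps 1, 4 and 5 on the client: only the hash is needed, never the password."""
    temp = ntlmv2_temp(os.urandom(8), target_info, time.time())
    proof = nt_proof_str(ntowf_v2(nt_hash, USER, DOMAIN), server_challenge, temp)
    return proof, temp


def authenticate(client_nt_hash: bytes) -> bool:
    """One full exchange: challenge, response, pass-through validation at the DC."""
    server, dc = AppServer(), DomainController({USER: STORED_NT_HASH})
    chal = server.challenge()                                               # step 3
    proof, temp = client_respond(client_nt_hash, chal, server.target_info)  # steps 4-5
    return dc.validate(DOMAIN, USER, chal, proof, temp)                     # steps 6-8


def replay_rejected() -> bool:
    """A captured (proof, temp) pair is useless against a later handshake: the
    server challenge has changed, so the DC's recomputed proof no longer matches."""
    server, dc = AppServer(), DomainController({USER: STORED_NT_HASH})
    proof, temp = client_respond(STORED_NT_HASH, server.challenge(), server.target_info)
    return not dc.validate(DOMAIN, USER, server.challenge(), proof, temp)
```

`authenticate(STORED_NT_HASH)` succeeds and `authenticate(os.urandom(16))` fails, which is the whole of pass-the-hash in two calls: the client side never needs the password, only the hash. `replay_rejected()` shows why the per-handshake server challenge matters; what it does not prevent is a live relay, where an attacker forwards the challenge and response between a victim and a target in real time.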


LDAP Authentication

LDAP (Lightweight Directory Access Protocol) is the protocol used to query and modify the directory (TCP 389, or 636 for LDAPS). It is also used for authentication through the bind operation: a simple bind sends the username and password to the DC, so it must be protected by TLS (LDAPS or StartTLS), while a SASL bind with GSSAPI authenticates with a Kerberos ticket and never exposes the password.


SSO (LDAP + Kerberos)


Cached AD credentials

Cached credentials are copies of a user's domain credentials that Windows stores locally on a device (typically a laptop) after a successful domain logon, so the user can still log on when no domain controller is reachable. They are kept in the SECURITY registry hive as salted MS-Cache v2 (DCC2) hashes rather than as the NT hash, so they can be cracked offline but cannot be replayed with pass-the-hash. The number of logons kept is set by the CachedLogonsCount policy (default 10).