Active Directory (AD) is Microsoft's directory service for Windows domain networks. It stores information about objects on the network and makes this information available to users and administrators. Understanding Active Directory structure and security is crucial for thorough penetration testing of Windows environments.
Core Active Directory Components
Domain Controllers
Domain Controllers (DCs) are servers that run AD DS (Active Directory Domain Services) and store the AD database. They:
Authenticate and authorize users
Enforce security policies
Replicate directory updates to other domain controllers
Maintain the SYSVOL folder (containing Group Policy templates and scripts)
Objects
Active Directory organizes network elements as objects, including:
Users: Accounts for people accessing the network
Computers: Workstations, servers, and other devices
Groups: Collections of users or computers for permission management
Organizational Units (OUs): Containers for organizing other objects
Group Policy Objects (GPOs): Sets of policies applied to users or computers
Forests, Domains, and Trust Relationships
Forest: Collection of one or more domains sharing a common schema and global catalog
Domain: Administrative boundary within a forest
Trust Relationships: Connections between domains allowing users from one domain to access resources in another
Active Directory Authentication Mechanisms
Kerberos
The primary authentication protocol in modern Active Directory environments:
Authentication Service (AS) Exchange: User requests a Ticket Granting Ticket (TGT)
Ticket Granting Service (TGS) Exchange: TGT is used to request service tickets
Client/Server Exchange: Service ticket used to access resources
NTLM
Legacy authentication protocol still found in many environments:
Negotiation: Client indicates it wants to authenticate
Challenge: Server sends a random challenge
Response: Client encrypts challenge with password hash and returns it
Key Active Directory Security Concepts
Authentication vs. Authorization
Authentication: Verifies identity (proving who you are)
Authorization: Determines access rights (what you can do)
Security Identifiers (SIDs)
Unique identifiers assigned to security principals (users, groups, computers):
Domain SID: Identifies the domain
RID: Relative identifier appended to domain SID for each object
Well-known SIDs: Predefined identifiers for common groups
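As an added example (not code from the original page), the following Python parser splits a string SID into the domain SID and RID described above and labels well-known and privileged principals; the domain SID values used in the docstring and tests are constructed.

```python
import re

# Lookup tables (documented Microsoft constants) for a few well-known SIDs and
# the privileged RIDs that exist in every domain.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
PRIVILEGED_RIDS = {500: "Administrator", 502: "krbtgt", 512: "Domain Admins",
                   516: "Domain Controllers", 518: "Schema Admins",
                   519: "Enterprise Admins"}
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def parse_sid(sid):
    """Split a string SID into its parts and label it if it is well known.

    Domain SIDs have the shape S-1-5-21-<a>-<b>-<c>; every object created in
    that domain appends one more subauthority, the RID.
    """
    m = SID_RE.match(sid)
    if not m or int(m.group(1)) != 1:      # only revision 1 SIDs exist
        raise ValueError(f"not a valid SID string: {sid!r}")
    authority = int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    info = {"sid": sid, "authority": authority, "subauthorities": subs,
            "domain_sid": None, "rid": None,
            "label": WELL_KNOWN_SIDS.get(sid),
            "privileged": sid == "S-1-5-32-544"}
    if authority == 5 and subs[0] == 21 and len(subs) in (4, 5):
        info["domain_sid"] = "S-1-5-21-" + "-".join(map(str, subs[1:4]))
        if len(subs) == 5:
            rid = subs[4]
            info["rid"] = rid
            if rid in PRIVILEGED_RIDS:
                info["label"] = PRIVILEGED_RIDS[rid]
                info["privileged"] = True
            elif rid < 1000:
                # RIDs below 1000 are reserved for built-in domain accounts/groups
                info["label"] = "reserved domain RID"
    return info


def privileged_sids(sids):
    """Return the SIDs from an iterable that map to privileged principals."""
    return [s for s in sids if parse_sid(s)["privileged"]]
```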
Access Control Lists (ACLs) and Access Control Entries (ACEs)
Control who can access objects and what they can do:
Discretionary Access Control Lists (DACLs): Define who has what access
System Access Control Lists (SACLs): Define what access is audited
ACEs: Individual permissions within an ACL
Common Active Directory Weaknesses
Kerberos-Related Issues
Kerberoasting: Exploiting service accounts with weak passwords
AS-REP Roasting: Targeting accounts with "Do not require Kerberos pre-authentication"
Golden/Silver Tickets: Forging Kerberos tickets using compromised keys
Privilege Escalation Paths
Weak GPO restrictions: Allowing command execution or software installation
Shadow Admins: Accounts with delegated privileges similar to administrators
ACL misconfigurations: Excessive permissions on AD objects
Misconfigured trusts: Allowing privilege escalation across domains
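Added example, not from the page: a small Python parser for a security descriptor in SDDL form that separates the DACL and SACL ACEs from the ACLs and ACEs section earlier, then flags DACL entries that hand control rights to broad groups, which is the ACL misconfiguration listed above. The SDDL sample is constructed, and the principal and rights tables cover only a few aliases.

```python
import re

ACE_RE = re.compile(r"\(([^)]*)\)")
SECTION_RE = re.compile(r"([OGDS]):")
# SDDL aliases for broad, non-administrative principals. An access-allowed ACE
# granting one of CONTROL_RIGHTS to one of them is an "excessive permission".
LOW_PRIV_PRINCIPALS = {"WD": "Everyone", "AU": "Authenticated Users",
                       "DU": "Domain Users", "BU": "BUILTIN\\Users"}
CONTROL_RIGHTS = {"GA": "GENERIC_ALL", "GW": "GENERIC_WRITE", "WD": "WRITE_DAC",
                  "WO": "WRITE_OWNER", "WP": "WRITE_PROPERTY"}
# Constructed descriptor: owner Domain Admins, DACL with four ACEs, SACL with one
SAMPLE_SDDL = ("O:DAG:DAD:PAI(A;;RPWPCCDCLCSWRCWDWOGA;;;DA)(A;;GA;;;AU)"
               "(A;;RPLCLORC;;;AU)(A;;WP;;;DU)S:(AU;SA;WDWO;;;WD)")


def parse_sddl(sddl):
    """Split an SDDL string into owner, group and the ACEs of its DACL and SACL."""
    parts = SECTION_RE.split(sddl)[1:]    # ['O', 'DA', 'G', 'DA', 'D', '(..)', ...]
    sections = dict(zip(parts[0::2], parts[1::2]))

    def aces(blob):
        out = []
        for body in ACE_RE.findall(blob or ""):
            # type;flags;rights;object_guid;inherit_object_guid;account_sid
            ace_type, flags, rights, obj, inh, sid = (body.split(";") + [""] * 6)[:6]
            # rights are a hex mask or a run of two-letter codes such as RPWP
            rset = ({rights} if rights.startswith("0x")
                    else {rights[i:i + 2] for i in range(0, len(rights), 2)})
            out.append({"type": ace_type, "flags": flags, "rights": rset,
                        "object": obj, "inherit": inh, "sid": sid})
        return out

    return {"owner": sections.get("O"), "group": sections.get("G"),
            "dacl": aces(sections.get("D")), "sacl": aces(sections.get("S"))}


def find_misconfigs(sddl):
    """(principal, [rights]) for plain access-allowed DACL ACEs that give broad
    groups control of the object. Object-specific ACEs (type OA) are scoped by
    GUID to single attributes and need per-attribute review, so they are skipped."""
    findings = []
    for ace in parse_sddl(sddl)["dacl"]:
        who = LOW_PRIV_PRINCIPALS.get(ace["sid"])
        if ace["type"] != "A" or who is None:
            continue
        bad = sorted(ace["rights"] & set(CONTROL_RIGHTS))
        if bad:
            findings.append((who, [CONTROL_RIGHTS[r] for r in bad]))
    return findings
```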
Lateral Movement Techniques
Pass-the-Hash: Reusing captured NTLM hashes without cracking
Overpass-the-Hash: Converting NTLM hash to Kerberos tickets
Credential caching: Finding credentials in memory or registry
Active Directory Enumeration Techniques
Domain Information
User Enumeration
Password Policy Retrieval
Group Enumeration
Active Directory Attack Methodologies
Initial Reconnaissance
Identify domain controllers
Enumerate domain users
Query naming contexts
Authentication Attacks
Password spraying
Kerberoasting
AS-REP Roasting
Post-Exploitation Enumeration
Active Directory module (PowerShell)
BloodHound data collection
Active Directory Defense in Depth
Understanding defensive measures helps test their effectiveness:
Privileged Access Management
Just-In-Time administration
Privileged Access Workstations (PAWs)
Administrative tiering
Enhanced Security Features
Protected Users group
Credential Guard
Device Guard
LAPS (Local Administrator Password Solution)
Monitoring and Detection
Advanced Threat Analytics
Security event monitoring
Honeytoken accounts
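Added example (not the page's own code) that ties the Kerberos issues listed earlier to the security event monitoring and honeytoken items here: simple detection logic run over constructed Windows Security events 4768 and 4769. The event dicts, host addresses, account names and the honeytoken account name are all assumptions.

```python
from collections import defaultdict

RC4_HMAC = "0x17"   # TicketEncryptionType value meaning RC4-HMAC in events 4768/4769
# Constructed sample events with the fields of Windows Security events 4768 (TGT
# requested) and 4769 (service ticket requested); not taken from a real log.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.25"},
    {"EventID": 4768, "TargetUserName": "legacy_app", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_decoy",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.25"},
]


def analyze(events, honeytokens, roast_threshold=3):
    """Return (rule, detail) alerts for the Kerberos weaknesses listed on this page."""
    alerts = []
    rc4_services = defaultdict(set)   # client IP -> user accounts requested with RC4
    for e in events:
        user = e.get("TargetUserName", "").split("@")[0]
        service = e.get("ServiceName", "")
        src = e.get("IpAddress", "?")
        if e["EventID"] == 4768:
            if user in honeytokens:
                alerts.append(("honeytoken", f"TGT requested for decoy {user} from {src}"))
            # PreAuthType 0: TGT issued to an account with pre-authentication disabled
            if e.get("PreAuthType") == "0":
                alerts.append(("asrep-roastable", f"no pre-auth for {user} from {src}"))
        elif e["EventID"] == 4769:
            if service in honeytokens:
                alerts.append(("honeytoken", f"ticket for decoy {service} from {src}"))
            # RC4 tickets for user (non-'$') service accounts are the Kerberoasting
            # trace; one may be legacy software, a batch from one host is suspicious
            if (e.get("TicketEncryptionType") == RC4_HMAC
                    and service != "krbtgt" and not service.endswith("$")):
                rc4_services[src].add(service)
    for src, services in rc4_services.items():
        if len(services) >= roast_threshold:
            alerts.append(("kerberoasting", f"{src} requested RC4 tickets for {sorted(services)}"))
    return alerts
```

The per-source threshold is the tunable part: a single RC4 service ticket is common where old software is still in use, while a burst of them for many different user service accounts from one host is the pattern worth paging on.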
Best Practices for Active Directory Testing
Understand the environment: Map out domains, trusts, and critical systems
Test systematically: Begin with passive techniques and progress to more invasive methods
Document assumptions: Record what you know about the environment before testing
Evaluate both technical and administrative controls: Policy weaknesses often enable technical exploits
Consider different attack paths: Approach from multiple angles (external, internal, domain user)
Validate findings: Confirm vulnerabilities before reporting to avoid false positives
Assess impact holistically: Consider how vulnerabilities chain together in real-world scenarios
Active Directory is a complex ecosystem with numerous potential security weaknesses. A methodical approach to testing, combined with a thorough understanding of AD concepts, allows for comprehensive security assessment of Windows domains.