Active Directory (AD) is a directory service for Windows-based network environments. It provides a distributed, hierarchical structure that facilitates centralized management of organizational resources, including users, computers, groups, network devices, file shares, group policies, and trusts.
AD delivers authentication and authorization within a Windows domain and is integral to enterprise infrastructure. However, it is inherently backward-compatible, which often results in configurations that are not secure by default. This, combined with its complexity, makes AD environments highly susceptible to misconfiguration and exploitation.
One of AD's core vulnerabilities is its accessibility. By default, standard domain user accounts—with no elevated privileges—can read a significant portion of the directory. This read access includes critical data such as user objects, group memberships, and domain trust relationships. As a result, adversaries can perform reconnaissance and identify attack paths using minimal access.
A properly secured Active Directory implementation is crucial. Misconfigurations, excessive privileges, and poor segmentation allow attackers to move laterally and vertically within the domain. A defense-in-depth strategy, least privilege access control, and segmentation are essential to mitigate risk.
One example of an AD-related vulnerability is the noPac attack, disclosed in December 2021. This exploit chain demonstrated how a standard user could escalate privileges using a combination of misconfigurations and flaws in the AD environment.
Active Directory is highly scalable, capable of supporting millions of objects per domain. Organizations can create additional domains to support growth and organizational segmentation. Due to its flexibility and manageability, AD remains the dominant directory service globally.
Approximately 95% of Fortune 500 companies use Active Directory. This prevalence makes AD a prime target for adversaries, particularly those deploying ransomware or other large-scale attack campaigns.
Such attacks demonstrate the critical need for security professionals to understand AD's structure and behavior. Even standard user accounts can be exploited to gain domain-wide control if proper safeguards are not in place.
LDAP, the foundation of Active Directory, was first introduced in RFCs as early as 1971. Active Directory was predated by the X.500 organizational unit concept, which was the earliest version of all directory systems created by Novell and Lotus and released in 1993 as Novell Directory Services.
Active Directory was first introduced in the mid-1990s but did not become part of the Windows operating system until the release of Windows Server 2000. Microsoft first attempted to provide directory services in 1990 with the release of Windows NT 3.0. This operating system combined features of the LAN Manager protocol and the OS/2 operating systems, which Microsoft initially created in collaboration with IBM, led by Ed Iacobucci—who also led the design of IBM DOS and later co-founded Citrix Systems.
The NT operating system evolved throughout the 1990s, adapting protocols such as LDAP and Kerberos alongside Microsoft's proprietary elements. The first beta release of Active Directory was made available in 1997.
The release of Windows Server 2003 introduced extended functionality, improved administration capabilities, and added the Forest feature. This allowed system administrators to create "containers" for separate domains, users, computers, and other objects, grouped under a common structure for better management and segmentation.
Active Directory Federation Services (ADFS) was introduced in Windows Server 2008 to enable Single Sign-On (SSO) capabilities across systems and applications. ADFS streamlined user access by allowing authentication across different applications without requiring separate logins, even outside the local area network (LAN).
ADFS uses a claims-based Access Control Authorization model. In this model, user identity is represented by a set of claims, which are packaged into a security token by the identity provider. This approach enhances security and interoperability across organizational boundaries.
With the release of Windows Server 2016, additional improvements were introduced, such as the capability to migrate Active Directory environments to the cloud and enhanced security mechanisms. Notable among these were features like Group Managed Service Accounts (gMSA), which provide a secure way to run automated tasks, applications, and services.
gMSA is often recommended as a mitigation against the Kerberoasting attack, a technique frequently used by attackers to extract service account credentials from AD environments.
In 2016, Microsoft further emphasized cloud integration with the release of Azure AD Connect. This tool facilitates synchronization between on-premises Active Directory and Microsoft Office 365, offering a unified Single Sign-On experience for hybrid environments.
Despite these advancements, Active Directory continues to suffer from misconfigurations. From its introduction in 2000 through the present, new vulnerabilities are regularly discovered—not only within AD itself, but also in interconnected technologies like Microsoft Exchange.
As security researchers uncover flaws, organizations must prioritize patching and configuration management. Penetration testers are often tasked with identifying these weaknesses before adversaries can exploit them.
As previously mentioned, 95% of Fortune 500 companies run Active Directory. Microsoft holds a near-monopoly in the directory services market. While cloud and hybrid deployments are becoming more common, on-premises AD is still deeply entrenched in most enterprises.
In network penetration testing engagements, encountering Active Directory in some capacity is virtually guaranteed. Therefore, developing a robust understanding of its architecture and attack surface is essential for successful engagements and meaningful remediation guidance.
Active Directory has been a major area of focus for security researchers for the past decade. Beginning around 2014, a significant surge in tools and academic research began to shape the current understanding of AD security. This period led to the discovery of numerous common attack techniques, many of which remain widely used and relevant to this day.
The timeline presented below outlines some of the most impactful attacks and vulnerabilities uncovered by leading security researchers, as well as the release of essential tools that have become staples in the penetration testing field. Despite the age of many of these methods, Active Directory—along with its cloud-based counterpart Azure AD—continues to present a large and complex attack surface.
The PrintNightmare RCE vulnerability in the Windows Print Spooler emerged. Shadow Credentials allowed low-privileged users to impersonate accounts. noPac attack released, enabling domain takeover under certain conditions.
ZeroLogon exploit released, enabling impersonation of domain controllers via a critical flaw in the Netlogon protocol.
harmj0y revisited Kerberoasting at DerbyCon. Elad Shamir published RBCD abuse techniques. BC Security launched Empire 3.0 in Python.
Lee Christensen discovered the "Printer Bug". harmj0y released Rubeus and a blog on forest trust attacks. DCShadow and Ping Castle tools released.
ASREPRoast technique introduced. Black Hat talk on ACL attacks. Blog on domain trust attacks published.
BloodHound debuted at DEF CON 24, revolutionizing AD attack path visualization.
Major year: PowerShell Empire, PowerView 2.0, DCSync (Mimikatz), CrackMapExec, Impacket, and talks on Kerberos delegation by Sean Metcalf.
Veil-PowerView released. Tim Medin introduced Kerberoasting at SANS Hackfest.
Responder tool by Laurent Gaffie released. Used to poison LLMNR, NBT-NS, and MDNS to capture hashes and perform relay attacks.
Active Directory (AD) is a directory service for Windows network environments. It is a distributed, hierarchical structure that allows for centralized management of an organization's resources, including users, computers, groups, network devices and file shares, group policies, servers and workstations, and trusts.
AD provides authentication and authorization functions within a Windows domain environment. A directory service such as Active Directory Domain Services (AD DS) enables organizations to store directory data and make it available to both standard users and administrators across the network.
AD DS stores essential identity information such as usernames and passwords and enforces access control by managing the rights and permissions required by users to access these resources. First released with Windows Server 2000, Active Directory has since become a core component of enterprise infrastructure but is increasingly targeted due to its complexity and frequent misconfigurations.
Active Directory is designed with backward compatibility in mind, meaning that many features are not secure by default. In large environments, AD is difficult to configure and manage securely, increasing the risk of vulnerabilities.
Flaws and misconfigurations in AD are frequently exploited to gain initial access, move laterally and vertically across a network, and escalate privileges. Once compromised, AD can provide unauthorized access to protected resources, including databases, shared files, source code repositories, and more.
AD functions as a large directory database accessible by all users within the domain, regardless of their privilege level. A standard user account, even without administrative privileges, can enumerate a wide range of objects within the AD structure.
The following information is commonly accessible to unauthenticated or minimally privileged users in an AD environment:
| Domain Computers | Domain Users |
| Domain Group Information | Organizational Units (OUs) |
| Default Domain Policy | Functional Domain Levels |
| Password Policy | Group Policy Objects (GPOs) |
| Domain Trusts | Access Control Lists (ACLs) |
Active Directory is organized into a hierarchical tree structure. At the top of the hierarchy is the forest, which acts as a security boundary and contains one or more domains. Each domain may, in turn, contain child domains, forming a nested structure.
A forest represents the outermost boundary of security and administrative authority. It contains all the domains and defines the scope within which trust relationships and policy enforcement exist.
A domain is a logical grouping of AD objects, such as users, groups, and computers. Domains enforce policies and access permissions for their contained objects.
Domains include built-in Organizational Units (OUs) like Users, Computers, and Domain Controllers. Administrators can create custom OUs as needed. OUs can contain both AD objects and additional sub-OUs, enabling granular assignment of group policies and delegation of administrative tasks.
At a high level, an Active Directory (AD) structure can be visualized hierarchically. The following example illustrates a simplified tree structure of a fictional AD environment:
INLANEFREIGHT.LOCAL/
├── ADMIN.INLANEFREIGHT.LOCAL
│ ├── GPOs
│ └── OU
│ └── EMPLOYEES
│ ├── COMPUTERS
│ │ └── FILE01
│ ├── GROUPS
│ │ └── HQ Staff
│ └── USERS
│ └── barbara.jones
├── CORP.INLANEFREIGHT.LOCAL
└── DEV.INLANEFREIGHT.LOCAL
In this example, INLANEFREIGHT.LOCAL represents the root domain. It contains multiple child
domains such as ADMIN.INLANEFREIGHT.LOCAL, CORP.INLANEFREIGHT.LOCAL, and
DEV.INLANEFREIGHT.LOCAL. These subdomains may represent different organizational units,
departments, or geographic locations. Each domain manages its own objects including users, groups,
organizational units (OUs), and Group Policy Objects (GPOs).
Creating distinct domains within a forest is common practice in larger organizations. For enterprises that grow through mergers or acquisitions, it is often more efficient to establish a trust relationship with another domain or forest than to recreate all user accounts and objects within a single domain. However, this practice introduces potential security risks if the trust relationships are not configured and managed properly.
In environments with multiple forests, such as INLANEFREIGHT.LOCAL and
FREIGHTLOGISTICS.LOCAL, bidirectional trust relationships can be established to allow
cross-forest authentication and resource access. This setup enables users in one forest to access resources
in the other, provided that permissions and trust paths are properly defined.
It is important to understand that even though a bidirectional trust exists between the root domains, this
does not imply that all subdomains automatically trust one another. For example, a user in
admin.dev.freightlogistics.local would not, by default, be able to authenticate to machines
within the wh.corp.inlanefreight.local domain. A separate trust relationship would need to be
explicitly configured to permit such access.
Improperly scoped or overly permissive trust relationships can become significant attack vectors. Attackers who compromise a user or machine in one domain may attempt to pivot into a trusted domain or forest, especially in cases where misconfigured or excessive trust settings allow for such traversal.
Before exploring advanced concepts, it is essential to understand the core terminology used in Active Directory environments. This section outlines foundational terms that will be referenced throughout this and related modules.
| Term | Description |
|---|---|
| Object | Any resource within Active Directory (e.g., users, OUs, printers). |
| Attributes | Properties assigned to each object (e.g., hostname, displayName). |
| Schema | Defines object classes and their attributes; blueprint of the AD database. |
| Domain | Logical grouping of AD objects; may have trust relationships. |
| Forest | Top-level container that holds domains, users, groups, etc. |
| Tree | Collection of domains under a common namespace in a forest. |
| Container (Cntnr.) | Holds other objects in the directory hierarchy. |
| Leaf | Object that does not contain other objects. |
| GUID (Globally Unique Identifier) | Unique 128-bit identifier for any AD object. |
| Security Principal (SP) | Any entity that can be authenticated (users, computers, services). |
| SID (Security Identifier) | Unique per user/group for access control. |
| Distinguished Name (DN) | Full AD path of an object (e.g., cn=user,ou=OU,dc=domain). |
| Relative Distinguished Name (RDN) | Unique object name at its hierarchy level. |
| sAMAccountName | Legacy logon name (max 20 characters). |
| userPrincipalName (UPN) | Modern user login in email format (e.g., user@domain). |
| FSMO Roles (Flexible Single Master Operations) | Five roles that control specific AD operations and prevent conflicts. |
| Global Catalog (GC) | Domain controller with forest-wide object visibility. |
| RODC (Read-only Domain Controller) | Read-only Domain Controller; does not replicate changes. |
| Replication | Synchronization of AD data between domain controllers. |
| SPN (Service Principal Name) | Service Principal Name uniquely identifies a service instance. Used by Kerberos to map service to an account. |
| GPO (Group Policy Object) | Settings applied to users/computers. |
| ACL (Access Control List) | List of permissions assigned to an object. |
| ACE (Access Control Entry) | Single permission entry in an ACL. |
| DACL (Discretionary Access Control List) | Defines who has access or is denied access to an object. |
| SACL (System Access Control List) | Logs access attempts for auditing. |
| FQDN (Fully Qualified Domain Name) | Complete domain name (e.g., dc01.inlanefreight.local). |
| Tombstone | Deleted object placeholder retained for a set period. |
| AD Recycle Bin | Feature allowing restoration of deleted AD objects. |
| SYSVOL | Shared directory for domain-wide public files and GPOs. |
| AdminSDHolder | Controls permissions for privileged accounts. |
| dsHeuristics | Forest-wide settings string for config management. |
| adminCount | Marks if a user is protected by AdminSDHolder. |
| ADUC (Active Directory Users and Computers) | GUI for managing AD users and objects. |
| ADSI Edit | Advanced AD object editor tool. |
| sIDHistory | Stores previous SIDs for migrated users/groups. |
| NTDS.DIT | Main AD database storing all domain data and password hashes. |
| MSBROWSE | Legacy browsing protocol for LAN resource discovery. |
In Active Directory (AD), the term "object" refers to any resource present within the AD environment. This includes organizational units (OUs), users, computers, printers, groups, domain controllers, and more.
User objects represent individual users within the organization's AD environment. These are leaf objects, meaning they cannot contain any other objects. Similar to mailboxes in Microsoft Exchange, user objects are security principals and therefore possess both a Security Identifier (SID) and a Globally Unique Identifier (GUID). They contain numerous attributes, such as display name, last login time, password last set date, email address, account description, manager, address, among others. An AD environment can theoretically support over 800 different attributes per user, although only a subset is typically populated. Due to the privileges user accounts may provide, even low-privileged user accounts can be a critical target for attackers aiming to enumerate the entire domain or forest.
Contact objects are used to represent external users. These are informational-only, non-security principal objects and do not have a SID—only a GUID. Typical attributes include first name, last name, email address, and telephone number. Contacts are used in scenarios such as representing third-party vendors or customers.
Printer objects represent printers accessible within the AD network. Like contacts, printers are leaf objects and not security principals, having only a GUID. Attributes of printer objects include printer name, driver details, port number, and other relevant metadata.
Computer objects represent workstations or servers joined to the AD network. They are leaf objects but are also considered security principals, and thus have both a SID and a GUID. Computer accounts are valuable targets for attackers, especially if they can escalate to NT AUTHORITY\SYSTEM, which has privileges similar to or greater than a standard domain user. These accounts can perform many domain enumeration tasks.
Shared folder objects reference shared directories located on specific systems within the AD environment. These are not security principals and only have a GUID. Access control to shared folders can vary significantly—from being publicly accessible to strictly restricted. Common attributes include the folder name, physical path, and access control settings.
Group objects serve as containers for other objects such as users, computers, and other groups. Groups are security principals with both a SID and a GUID. They are primarily used to manage access to AD resources efficiently. Instead of assigning permissions individually, users can inherit permissions through group membership. AD also supports nested groups, where a group is a member of another group. This configuration can lead to complex permission inheritance chains, which tools like BloodHound can help to audit and visualize. Common group attributes include group name, description, membership list, and parent group associations.
OUs are containers used by administrators to logically organize AD objects. They enable administrative delegation and policy management without requiring full domain administrative rights. For example, an OU structure could allow Help Desk staff to reset passwords within a specific department but not company-wide. Group Policy Objects (GPOs) can be linked to OUs to enforce specific configurations like password policies. OU attributes include its name, linked policies, security permissions, and the objects it contains.
A domain is the foundational structure of an Active Directory network. It contains all AD objects and governs them using domain-level policies and a separate database. Default domain policies (such as password policy) can be customized, and additional policies can be created to enforce restrictions like command-line access or drive mapping. Domains encapsulate all authentication and policy enforcement within a boundary.
Domain Controllers (DCs) are the central authority within an AD domain. They manage authentication requests, validate credentials, enforce security policies, and store directory information for all objects. DCs are critical to the functionality and security of the entire AD infrastructure.
Sites in Active Directory represent collections of IP subnets connected by high-speed links. Their primary purpose is to optimize replication traffic between domain controllers, ensuring efficient data synchronization across geographically distributed environments.
The Built-in container holds default security groups that are automatically created when an AD domain is initialized. These groups are predefined and serve common administrative roles and functions within the domain.
Foreign Security Principals are objects created to represent users, computers, or groups from trusted
external forests. They are automatically generated when a foreign object is added to a local group. Each FSP
acts as a placeholder that holds the foreign object's SID, allowing the domain to recognize and resolve it
through the established trust relationship. These objects reside within the
ForeignSecurityPrincipals container and have distinguished names like
cn=ForeignSecurityPrincipals,dc=domain,dc=local.
Active Directory includes five Flexible Single Master Operation (FSMO) roles, each responsible for specific critical tasks that ensure consistency and proper functioning across the AD environment. These roles may be assigned to designated domain controllers (DCs) and are essential for authentication, authorization, and directory integrity.
| Role | Description |
|---|---|
| Schema Master | This role manages the read/write copy of the AD schema, which defines all attributes that can apply to an object in AD. |
| Domain Naming Master | Manages domain names and ensures that two domains of the same name are not created in the same forest. |
| Relative ID (RID) Master | Assigns blocks of RIDs to other DCs within the domain that can be used for new objects. The RID Master helps ensure that multiple objects are not assigned the same SID. Domain object SIDs are the domain SID combined with the RID number assigned to the object to make the unique SID. |
| PDC Emulator | The host with this role would be the authoritative DC in the domain and respond to authentication requests, password changes, and manage Group Policy Objects (GPOs). The PDC Emulator also maintains time within the domain. |
| Infrastructure Master | This role translates GUIDs, SIDs, and DNs between domains. This role is used in organizations with multiple domains in a single forest. The Infrastructure Master helps them to communicate. If this role is not functioning properly, Access Control Lists (ACLs) will show SIDs instead of fully resolved names. |
Misconfiguration or failure of FSMO roles may lead to authentication and authorization problems throughout the domain.
Functional levels in Active Directory determine which features are available within a domain or forest, and which versions of Windows Server can operate as domain controllers. Raising the functional level enables new capabilities but requires all DCs to be running compatible versions of Windows Server.
| Domain Functional Level | Features Available | Supported DC OS |
|---|---|---|
| Windows 2000 native | Universal groups, group nesting, SID history, group type conversion. | Windows Server 2000/2003/2008/2008 R2 |
| Windows Server 2003 | Netdom.exe, lastLogonTimestamp, constrained delegation, selective authentication. | Windows Server 2003 to 2012 R2 |
| Windows Server 2008 | DFS-R support, AES encryption for Kerberos, fine-grained password policies. | Windows Server 2008 to 2012 R2 |
| Windows Server 2008 R2 | Authentication mechanism assurance, Managed Service Accounts. | Windows Server 2008 R2 to 2012 R2 |
| Windows Server 2012 | KDC support for claims, compound authentication, Kerberos armoring. | Windows Server 2012, 2012 R2 |
| Windows Server 2012 R2 | Authentication Policies, Protected Users, Authentication Policy Silos. | Windows Server 2012 R2 |
| Windows Server 2016 | Smart card enforcement for interactive logon, enhanced Kerberos and credential protections. | Windows Server 2016, 2019 |
No new functional level was introduced with Windows Server 2019. However, Windows Server 2008 functional level is the minimum required to integrate Server 2019 domain controllers. Additionally, DFS Replication (DFS-R) must be used for SYSVOL replication in such environments.
| Version | Capabilities |
|---|---|
| Windows Server 2003 | Forest trusts, domain renaming, Read-Only Domain Controllers (RODC). |
| Windows Server 2008 | Default domain functional level set to 2008 for new domains. No new features. |
| Windows Server 2008 R2 | Active Directory Recycle Bin. |
| Windows Server 2012 | Default to Server 2012 domain level. No new forest-level features. |
| Windows Server 2012 R2 | No additional forest-level features introduced. |
| Windows Server 2016 | Privileged Access Management (PAM) using Microsoft Identity Manager (MIM). |
A trust allows user authentication and resource access across domains or forests. It links authentication systems and can be either transitive or non-transitive, and one-way or two-way, depending on access requirements and administrative intent.
| Trust Type | Description |
|---|---|
| Parent-child | Occurs between domains in the same forest. Automatically established two-way transitive trust. |
| Cross-link | Established between child domains to optimize authentication routing. |
| External | Non-transitive trust between domains in different forests, used when a forest trust is not in place. Implements SID filtering. |
| Tree-root | Two-way transitive trust between root domains of different domain trees within a single forest. |
| Forest | Transitive trust between forest root domains, facilitating cross-forest authentication. |
Trust relationships can be transitive, allowing access through nested trusts, or non-transitive, restricting access to only the directly trusted domain. Trusts may also be one-way or bidirectional. In a one-way trust, only the trusted domain's users can access the trusting domain's resources. Improperly configured trusts can introduce serious security risks, particularly when established hastily during mergers and acquisitions. It is not uncommon to exploit misconfigured trusts for attacks such as Kerberoasting to gain privileged access across domains.
While Windows operating systems use a variety of protocols to communicate, Active Directory specifically requires the Lightweight Directory Access Protocol (LDAP), Microsoft's version of Kerberos, DNS for authentication and communication, and MSRPC, which is the Microsoft implementation of Remote Procedure Call (RPC), an interprocess communication technique used for client-server model-based applications.
Kerberos has been the default authentication protocol for domain accounts since Windows 2000. Kerberos is an open standard and allows for interoperability with other systems using the same standard. When a user logs into their PC, Kerberos is used to authenticate them via mutual authentication, where both the user and the server verify their identity. Kerberos is a stateless authentication protocol based on tickets instead of transmitting user passwords over the network.
As part of Active Directory Domain Services (AD DS), Domain Controllers include a Kerberos Key Distribution Center (KDC) that issues tickets. When a user initiates a login request to a system, the client requests a ticket from the KDC, encrypting the request with the user's password. If the KDC can decrypt the request (AS-REQ) using the user's password, it creates a Ticket Granting Ticket (TGT) and transmits it to the client.
The client then presents its TGT to a Domain Controller to request a Ticket Granting Service (TGS) ticket, which is encrypted using the service's NTLM password hash. Finally, the client requests access to the desired service by presenting the TGS to the target application or service, which decrypts it with its own password hash. If all steps are completed successfully, the user is granted access to the resource.
Kerberos authentication effectively decouples users' credentials from their requests to consumable resources, ensuring that passwords are not transmitted over the network (e.g., accessing an internal SharePoint intranet site). The Kerberos Key Distribution Center (KDC) does not retain previous transactions. Instead, the Ticket Granting Service (TGS) relies on the validity of the TGT. If a user holds a valid TGT, it is assumed they have already been authenticated.
The Kerberos protocol uses port 88 (TCP and UDP). When enumerating an Active Directory
environment, Domain Controllers can often be identified by scanning for open port 88 using tools such as
nmap.
Active Directory Domain Services (AD DS) uses DNS to allow clients—such as workstations, servers, and other systems communicating with the domain—to locate Domain Controllers. DNS is also used for communication between Domain Controllers hosting directory services.
DNS resolves hostnames to IP addresses and is used across both internal networks and the internet. Private internal networks leverage Active Directory DNS namespaces to facilitate communication between servers, clients, and peers. AD maintains a DNS-based database of services in the form of Service (SRV) records, which allow clients to locate needed services like file servers, printers, or Domain Controllers.
Dynamic DNS (DDNS) automatically updates entries in the DNS database when a system's IP address changes. This automation prevents the need for manual entry, which can be time-consuming and error-prone. If DNS records are incorrect or missing, clients may be unable to locate and communicate with target hosts.
When a client joins the network, it queries DNS to locate a Domain Controller. The client retrieves the SRV record from the DNS database and uses the Domain Controller's hostname to resolve its IP address. DNS uses both UDP and TCP port 53. By default, UDP is used; however, if the communication fails or the DNS message exceeds 512 bytes, DNS will fall back to TCP.
A forward DNS lookup allows us to resolve the IP address of a given domain. For example, we can retrieve the
IP address of the Domain Controller for INLANEFREIGHT.LOCAL using nslookup:
PS C:\htb> nslookup INLANEFREIGHT.LOCAL
Server: 172.16.6.5
Address: 172.16.6.5
Name: INLANEFREIGHT.LOCAL
Address: 172.16.6.5
A reverse DNS lookup allows us to resolve the DNS name of a host given its IP address:
PS C:\htb> nslookup 172.16.6.5
Server: 172.16.6.5
Address: 172.16.6.5
Name: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
Address: 172.16.6.5We can also resolve a host's IP address using its name (with or without its Fully Qualified Domain Name):
PS C:\htb> nslookup ACADEMY-EA-DC01
Server: 172.16.6.5
Address: 172.16.6.5
Name: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
Address: 172.16.6.5Active Directory supports the Lightweight Directory Access Protocol (LDAP) for directory lookups. LDAP is an open-source, cross-platform protocol used to authenticate against various directory services, including AD. The latest version of LDAP is LDAPv3, defined in RFC 4511.
LDAP uses TCP port 389, while LDAP over SSL (LDAPS) uses TCP port 636. A firm understanding of LDAP in AD environments is essential for both attackers and defenders.
AD stores user credentials and security data, such as passwords, and shares this information with other devices across the network. LDAP acts as the query language that applications use to retrieve data from directory services. In simple terms, LDAP is how systems in the environment "speak" to AD.
An LDAP session begins with a connection to an LDAP server, also referred to as a Directory System Agent. In AD environments, Domain Controllers listen for incoming LDAP requests, including those related to authentication.
The relationship between AD and LDAP is similar to that of Apache and HTTP: just as Apache is a web server using the HTTP protocol, Active Directory is a directory server using the LDAP protocol.
While uncommon, some organizations may use LDAP without Active Directory, typically employing alternatives such as OpenLDAP servers.
LDAP authentication in AD is based on a BIND operation, which sets the authentication state for an LDAP session. There are two main types of LDAP authentication:
Important: By default, LDAP messages are transmitted in cleartext. This means credentials and queries can be intercepted by attackers monitoring internal traffic. It is recommended to use TLS encryption (LDAPS) or other secure transport methods to protect LDAP communications.
MSRPC (Microsoft Remote Procedure Call) is Microsoft’s implementation of the Remote Procedure Call (RPC) protocol, which enables interprocess communication across a network. It is widely used in Windows systems for enabling client-server communication. Within Active Directory environments, MSRPC provides access to key services via four major RPC interfaces.
| Interface Name | Description |
|---|---|
| lsarpc |
Provides a set of RPC calls to the Local Security Authority (LSA), which manages
local security policies, audit controls, and interactive authentication. lsarpc is used
for managing domain security policies.
|
| netlogon | Netlogon is a background Windows service responsible for authenticating users and other services within a domain. It plays a central role in domain authentication workflows. |
| samr |
Security Account Manager Remote (samr) provides remote access to the SAM database,
allowing management of users, groups, and computers. It enables CRUD operations on security
principals. Tools like BloodHound can use samr for domain reconnaissance to map
attack paths. To prevent this, administrators can configure the Windows registry to restrict
samr queries to privileged users, as by default, any authenticated user can perform them.
|
| drsuapi |
The Directory Replication Service (DRS) Remote Protocol is implemented via the
drsuapi interface. It handles replication between Domain Controllers. Attackers can
exploit this interface to extract a copy of the NTDS.dit database, which contains
password hashes for all domain accounts. These hashes can be used in Pass-the-Hash attacks or
cracked offline using tools like Hashcat to obtain plaintext credentials. The
attacker can then authenticate using protocols like RDP or WinRM.
|
In addition to Kerberos and LDAP, Active Directory supports other authentication protocols, including LM, NTLM, NTLMv1, and NTLMv2. LM and NTLM refer to password hashing formats, while NTLMv1 and NTLMv2 are authentication protocols that utilize those hashes. Understanding the distinction between hash types and authentication protocols is critical in assessing security exposure.
| Hash/Protocol | Cryptographic Technique | Mutual Authentication | Message Type | Trusted Third Party |
|---|---|---|---|---|
| NTLM | Symmetric key cryptography | No | Random number | Domain Controller |
| NTLMv1 | Symmetric key cryptography | No | MD4 hash, random number | Domain Controller |
| NTLMv2 | Symmetric key cryptography | No | MD4 hash, random number | Domain Controller |
| Kerberos | Symmetric & asymmetric cryptography | Yes | Encrypted ticket (DES, MD5) | Domain Controller / KDC |
LM (LAN Manager) Hash were introduced in 1987 and are now deprecated due to weak encryption. Passwords are limited to 14 uppercase characters and split into two 7-character chunks before being hashed using DES. The resulting LM hash is vulnerable to brute-force attacks using tools like Hashcat. LM hashes are stored in the SAM or NTDS.dit databases. They can be disabled via Group Policy. An LM hash looks like:
299bd128c1101fd6
NTLM is a challenge-response protocol. It uses three message types: NEGOTIATE_MESSAGE,
CHALLENGE_MESSAGE, and AUTHENTICATE_MESSAGE. The NT hash is computed using MD4 on
the UTF-16LE encoded password:
MD4(UTF-16-LE(password))NTLM hashes are vulnerable to brute-force attacks and pass-the-hash attacks. An NT hash example:
b4b9b02e6f09a9bd760f388b67351e2bRachel:500:aad3c435b514a4eeaad3b935b51304fe:e46b9e548fa0d122de7f59fb6d48eaa2:::crackmapexec smb 10.129.41.19 -u rachel -H e46b9e548fa0d122de7f59fb6d48eaa2NTLMv1 uses challenge-response with LM/NT hashes. It's vulnerable to relay attacks and offline cracking. Notably, these hashes cannot be used in pass-the-hash attacks.
C = 8-byte challenge
response = DES(K1, C) | DES(K2, C) | DES(K3, C)NTLMv1 hash example:
u4-netntlm::kNS:338d08f8e26de9330000000000000000:9526fb8c23a90751cdd619b6cea56474:cb8086049ec4736cIntroduced in Windows NT 4.0 SP4, NTLMv2 enhances security by using HMAC-MD5 and includes server and client challenges, timestamps, and domain data.
SC = server challenge, CC = client challenge
LMv2 = HMAC-MD5(v2-Hash, SC, CC)
NTv2 = HMAC-MD5(v2-Hash, SC, CC*)NTLMv2 hash example:
admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958dac6:5c7830315c783031...When a domain-joined host cannot contact a Domain Controller, it uses Domain Cached Credentials (DCC). These credentials are stored in the Windows registry:
HKEY_LOCAL_MACHINE\SECURITY\CacheDCC hashes cannot be used in pass-the-hash attacks and are difficult to crack even with high-performance cracking rigs. Example MSCache2 hash:
$DCC2$10240#bjones#e4e938d12fe5974dc42a90120bd9c90fUser accounts are created on both local systems (not joined to AD) and in Active Directory to allow a person or a service to log on and access resources based on their assigned rights. When a user logs in, the system verifies the password and creates an access token containing the user’s identity and group memberships. This token is used whenever the user interacts with a process or requests access to a resource.
Users can be added to groups, which simplify access control management by allowing administrators to assign permissions to a group rather than to individual users. Group membership makes it easier to grant, audit, and revoke access in a scalable way.
Every user in an AD environment typically has at least one user account. Admins, Help Desk staff, or service
users may have multiple accounts based on role. In large organizations, it is common to see hundreds of
deactivated accounts (former employees, contractors, interns). These are often stored in dedicated OUs like
FORMER EMPLOYEES and are kept for auditing purposes.
Local accounts exist only on a specific host and can only access resources on that host. Their rights are managed individually or through local group membership. These are the default local accounts on a Windows system:
| Account | Description |
|---|---|
| Administrator | SID: S-1-5-domain-500. Full control over the system. Cannot be deleted or locked.
Disabled by default in modern systems (Windows 10/Server 2016+). |
| Guest | Disabled by default. Allows limited login access. Security risk if enabled with blank password. |
| SYSTEM | Internal account used by Windows to run critical services. Highest privilege level on a Windows host. |
| Network Service | Minimal-privilege account used to run services that need access to remote resources. |
| Local Service | Another low-privilege account for services that do not require elevated or network access. |
Domain users are granted permissions through Active Directory to access resources such as file shares, printers, and applications. These accounts can log in to any domain-joined system, and their access is governed by Group Policy and AD configurations.
One special account is the KRBTGT account, used by the Kerberos Key Distribution Center (KDC). If compromised, it can be abused for attacks like Golden Ticket, granting persistent and unrestricted access to the domain.
| Attribute | Description |
|---|---|
| UserPrincipalName (UPN) | Primary logon name, usually in email format. |
| ObjectGUID | Globally unique identifier for the user. Remains unchanged even if the user is deleted. |
| SAMAccountName | Legacy logon name used by older systems. |
| objectSID | The user’s Security Identifier (SID), used to enforce permissions and access control. |
| sIDHistory | Stores previous SIDs from domain migrations to preserve access permissions. |
PS C:\htb> Get-ADUser -Identity htb-student
DistinguishedName : CN=htb student,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
Enabled : True
GivenName : htb
Name : htb student
ObjectClass : user
ObjectGUID : aa799587-c641-4c23-a2f7-75850b4dd7e3
SamAccountName : htb-student
SID : S-1-5-21-3842939050-3880317879-2865463114-1111
Surname : student
UserPrincipalName : htb-student@INLANEFREIGHT.LOCALDomain-joined hosts are centrally managed via Active Directory. Group Policies apply automatically, and users can access resources across the domain. This is the standard in enterprise environments.
These hosts operate in standalone or workgroup configurations. Users and policies are local to the host. This setup is typical for home or small office systems and lacks centralized control.
SYSTEM-level access on a domain-joined host provides capabilities equivalent to a standard domain user. Attackers who gain SYSTEM privileges on a domain host can access a wide range of domain resources and enumerate AD without needing valid credentials. This access is often underestimated but is a powerful pivot point in domain attacks.
After user accounts, groups are a fundamental object class in Active Directory. They simplify the assignment of access rights to multiple users and are a common target for attackers due to their potential to grant excessive or misconfigured privileges. Groups can be used to organize users by role or function and manage access to resources more efficiently. Organizations often create both built-in and custom groups, which may grow in complexity and size over time, necessitating regular auditing.
Groups are primarily used to assign permissions to access resources, whereas Organizational Units (OUs) are used to apply Group Policy Objects (GPOs) and delegate administrative control. While OUs help in structural organization, groups help in access control and resource assignment.
Groups can contain users, computers, and other groups. They simplify permission assignments. For instance, instead of assigning access to 50 individual users, a group can be created to manage permissions centrally.
When creating a group, administrators must define its type and scope. The two group types are:
Group scope determines how and where the group can be used within the AD forest:
PS C:\htb> Get-ADGroup -Filter * | select samaccountname, groupscope
samaccountname groupscope
-------------- ----------
Administrators DomainLocal
Users DomainLocal
Guests DomainLocal
Print Operators DomainLocal
Backup Operators DomainLocal
Replicator DomainLocal
Remote Desktop Users DomainLocal
Network Configuration Operators DomainLocal
Distributed COM Users DomainLocal
IIS_IUSRS DomainLocal
Cryptographic Operators DomainLocal
Event Log Readers DomainLocal
Certificate Service DCOM Access DomainLocal
RDS Remote Access Servers DomainLocal
RDS Endpoint Servers DomainLocal
RDS Management Servers DomainLocal
Hyper-V Administrators DomainLocal
Access Control Assistance Operators DomainLocal
Remote Management Users DomainLocal
Storage Replica Administrators DomainLocal
Domain Computers Global
Domain Controllers Global
Schema Admins Universal
Enterprise Admins Universal
Cert Publishers DomainLocal
Domain Admins Global
Domain Users Global
Domain Guests Global
AD includes many built-in security groups with a Domain Local scope. These groups typically cannot be nested and are used for administrative purposes (e.g., Domain Admins, Administrators). Organizations often create additional custom groups for managing access to specific resources or roles.
Groups can be nested within one another. This allows a user to inherit permissions indirectly. While convenient, it can result in unintended privilege escalation. Tools like BloodHound are useful for analyzing nested relationships and identifying hidden access paths.
| Attribute | Description |
|---|---|
| cn | Common Name of the group in AD. |
| member | Lists the users, groups, or contacts that are members of the group. |
| memberOf | Shows which groups this group is a member of (used for nesting). |
| groupType | Indicates the group’s type and scope as an integer value. |
| objectSid | Unique security identifier used for access control. |
Understanding group configuration and scope is critical for system administrators and penetration testers alike. Misconfigured group memberships and excessive privileges are common attack vectors during assessments. Regular auditing and visualization tools (like BloodHound) help mitigate these risks and improve domain security posture.
Rights and privileges form the core of Active Directory security. Rights typically relate to object access (e.g., read a file), while privileges refer to system-level actions (e.g., shut down a machine). In AD, both can be granted directly or via group membership. Mismanagement often leads to abuse and privilege escalation.
Active Directory includes numerous default security groups that provide predefined privileges. Misconfigured or excessively permissive group membership is a common vector for escalation.
| Group Name | Description |
|---|---|
| Account Operators | Can create/modify accounts except admin-related ones. Can log in locally to DCs. |
| Administrators | Full control over systems/domain if assigned on a DC. |
| Backup Operators | Can back up/restore any file, log in locally. Critical for privilege escalation. |
| DnsAdmins | Access to network DNS config. Created with DNS role. |
| Domain Admins | Full domain control. Members are local admins on all machines. |
| Enterprise Admins | Forest-wide configuration access. Exists in root domain only. |
| Schema Admins | Can modify AD schema. Powerful and should be tightly controlled. |
| Print Operators | Can manage printers on DCs. Could be leveraged for privilege escalation. |
| Remote Desktop Users | Allows RDP access to hosts. Cannot be renamed or deleted. |
| Hyper-V Administrators | Full Hyper-V rights. If DCs are VMs, equivalent to Domain Admins. |
PS C:\htb> Get-ADGroup -Identity "Server Operators" -Properties *Windows uses User Rights Assignment to define privileges. These are managed via GPOs and can be exploited for privilege escalation. Example: assigning SeDebugPrivilege allows credential dumping.
| Privilege | Description |
|---|---|
| SeRemoteInteractiveLogonRight | Allows RDP logon. |
| SeBackupPrivilege | Allows backup of protected files (e.g., SAM, NTDS.dit). |
| SeDebugPrivilege | Debug processes (e.g., read LSASS memory). |
| SeImpersonatePrivilege | Impersonate another user's token. |
| SeTakeOwnershipPrivilege | Take ownership of files/objects. |
PS C:\htb> whoami /priv
Use whoami /priv to view the privileges available in the current session. Rights differ between
standard and elevated sessions due to User Account Control (UAC). Only elevated sessions expose all
privileges.
Active Directory is designed around centralized management and wide-scale resource accessibility, which inherently prioritizes Availability and, to a degree, Confidentiality. However, this makes AD insecure by design if deployed without proper hardening. Many security measures are not enabled by default and require explicit configuration. This section outlines general hardening recommendations to reduce risk and improve AD security posture, aligned with the principles of the CIA Triad: Confidentiality, Integrity, and Availability.
LAPS randomizes and rotates local administrator passwords on Windows hosts, mitigating lateral movement risks. Passwords can be set to rotate on fixed intervals (e.g., every 12 or 24 hours). LAPS integrates with AD and stores passwords securely as attributes. While effective, it should be combined with broader hardening strategies.
Effective monitoring is essential to detect anomalies and potential attacks. Organizations should configure auditing to log critical events such as object creation/modification, password changes, unauthorized access attempts, and suspicious authentication behavior (e.g., password spraying or Kerberos ticket abuse).
Group Policy Objects (GPOs) allow administrators to apply security policies to users and computers at the OU level. Common policies include:
Timely patching is critical. Windows Server Update Services (WSUS) can automate patch deployment. System Center Configuration Manager (SCCM) extends WSUS with enhanced visibility and control. Manual patching is error-prone and slow, increasing the risk of unpatched vulnerabilities in the environment.
gMSAs are domain-managed accounts designed for services and scheduled tasks. They provide automatically rotating 120-character passwords and eliminate the need for password knowledge or manual management. gMSAs are suitable for multi-host services and improve credential hygiene.
Security groups simplify access control management by assigning permissions collectively. Default groups such as Domain Admins, Account Operators, and Backup Operators are created during AD setup. Proper use of groups ensures scalable and maintainable access policies.
Administrators should use separate accounts for administrative and non-administrative tasks. For example,
sjones for daily use and sjones_adm for privileged operations. This limits
exposure in case of endpoint compromise and prevents unnecessary exposure of privileged credentials.
Enforcing long passphrases or random complex passwords mitigates cracking risks. Complexity requirements alone are insufficient. Password filters should disallow weak patterns (e.g., "Welcome1", month names). Minimum length should be 12+ characters, especially for privileged accounts. Multi-factor authentication (MFA), particularly for RDP access, is highly recommended to prevent lateral movement.
Domain Admin accounts must only be used on Domain Controllers. Using them on endpoints, jump hosts, or application servers increases credential theft risk. Limiting their usage reduces attack surface and memory exposure of sensitive credentials.
Inactive accounts, especially privileged ones, pose significant risk. Organizations must periodically audit and disable/remove unused user, computer, or service accounts, particularly those with weak legacy configurations or passwords.
Regular reviews of group memberships, file share access, and administrative rights are essential. Excessive Domain Admins or Enterprise Admins increase risk. Audits should identify and reduce overprivileged users and misconfigured access controls.
Robust auditing is required for visibility into AD operations. Organizations should use Microsoft’s Audit Policy Recommendations to detect anomalous activity like Kerberoasting, enumeration, or brute force attempts. Logging is key to post-incident investigation and active threat detection.
Restricted Groups allow enforcement of specific group memberships. For example, local Administrators can be limited to Domain Admins and the built-in Administrator account. This prevents privilege escalation through unauthorized group additions.
Critical systems like Domain Controllers must not host unnecessary roles (e.g., IIS, Exchange, web applications). Role separation limits the impact of exploitation and ensures proper compartmentalization of services across infrastructure.
Local administrator access must be tightly controlled. The use of Domain Users as local admins is a severe misconfiguration. Attackers can escalate privileges or access sensitive data by compromising low-privileged accounts with local admin rights. Similarly, RDP access must be restricted to essential users only.
Group Policy is a powerful feature in Windows that allows administrators to configure and enforce a wide range of settings across user and computer accounts in a domain environment. It supports centralized management of operating system configurations, application behavior, and security posture across an enterprise network. While highly effective for defensive measures, Group Policy can also be leveraged by attackers to escalate privileges and maintain persistence.
A Group Policy Object (GPO) is a virtual collection of policy settings that can be applied to users, computers, or groups via linkage to domains, sites, or organizational units (OUs). GPOs are uniquely identified by a GUID and can include hundreds of configurable settings. Examples include screen lock timeouts, application restrictions, password policy enforcement, logon banners, audit configurations, and remote access management. GPOs are critical for standardizing and securing system configurations at scale.
In a default Windows Server 2008 AD installation, the password policy enforces:
GPOs are processed in the following order, where the last applied policy takes precedence and may override previous settings:
| Level | Description |
|---|---|
| Local Group Policy | Applies only to the individual host. Easily overridden by domain-linked policies. |
| Site Policy | Policies linked to the AD site level, often used to configure location-specific settings. |
| Domain Policy | Applies across the entire domain, including password policies and default login messages. |
| Organizational Unit (OU) | Role-specific or departmental GPOs applied to users and computers within an OU. |
| Nested OUs | Child OUs inherit policies from parent OUs unless overridden. Fine-grained control is possible at this level. |
The Default Domain Policy and Default Domain Controllers Policy are created automatically during AD setup. They are used to enforce baseline domain-wide and DC-specific security settings. A GPO marked as Enforced will not be overridden by lower-level policies. Block Inheritance can be set on an OU to prevent higher-level GPOs from applying. However, Enforced GPOs will override this block.
When multiple GPOs are linked to a single OU, the link order determines processing precedence. The GPO with the lowest link order number (e.g., 1) is applied last and therefore has the highest precedence. This allows fine-tuning of policy application and helps manage potential conflicts.
By default, GPOs are refreshed every 90 minutes on user and computer accounts with a random offset of up to
±30 minutes. Domain controllers refresh every 5 minutes. Settings can be forced using
gpupdate /force or configured via Group Policy settings:
Computer Configuration → Policies → Administrative Templates → System → Group Policy.
GPOs can be abused by attackers with write permissions to inject malicious settings, escalate privileges, and maintain persistence. Common abuse scenarios include:
BloodHound is a powerful tool for identifying GPO attack paths. It can reveal misconfigurations where standard users can modify GPOs due to excessive permissions inherited through nested group membership. This is a critical security risk and a common target during privilege escalation in AD environments.