# Active Directory
###### `tryHackMe` `AD`
[TOC]
**It's important to understand the why behind certain flaws and misconfigurations.**
# Connecting to the Machine
Reference:
https://medium.com/@laupeiip/how-to-rdp-into-a-tryhackme-windows-machine-with-your-kali-vm-f637cf7422d1
RDP as `THM\Administrator` (THM domain)
Password: Password321
```sh
xfreerdp /u:"THM\Administrator" /p:"Password321" /v:10.10.122.128 /dynamic-resolution
```
VPN (helper script; it finishes in a root shell, so the VPN stays up for as long as that shell is open)
```sh
#!/bin/sh
# Cache the sudo credentials non-interactively (the password is hardcoded, as in the original script)
echo "kali" | sudo -S -v
if [ $? -eq 0 ]; then
    # Start the TryHackMe VPN in the background, then drop into a root shell
    sudo openvpn ./meowhecker.ovpn &
    sudo -s
else
    echo "Authentication Fail !!"
fi
```

## XRDP Server
An XRDP server lets a Linux machine accept connections from the Windows RDP client.
# Windows Domains

A Windows domain lets us manage many network components (users, computers, servers) centrally.
We place these components within the domain and use the Domain Controller to manage them.
Advantages:
- centralized identity management
- centralized management of security policy
The Domain Controller enforces the access control restrictions and policies that are deployed across the network.
# Active Directory
## AD DS (Active Directory Domain service)
Directory -> Management
Active Directory Domain Services (AD DS) is a directory service that functions like a directory, storing various objects within the domain.

### Users (object)
Users are security principals, which means they can be authenticated and granted access to resources in the network.
There are two types of entities:
- People
- Services
  - Services also need a user account to run under, but a service user is limited to running its specific service.
### Machines (object)
Machines are also considered security principals.
Whenever a computer joins Active Directory, a machine object is created for it.
The machine account is typically a local administrator on that computer.
The machine logs in to the domain with this account and its password.
> Note
> Machine account passwords are rotated automatically and are generally comprised of 120 random characters.

Identifying a machine account: a computer named meowhecker has the machine account meowhecker$ (machine account names end with `$`).
### Security Group (object)
Security Groups are also seen as security principals.
Anything added to a Security Group object automatically inherits all of the group's privileges.
Like a container, a group can include:
- users
- machines
- groups
#### Important Security Groups in AD

- Domain Admins: domain administrators with extensive privileges.
- Server Operators: responsible for managing Domain Controllers, but without the privilege to change or manage administrative group membership.
- Backup Operators: members are allowed to access any file for backup purposes, regardless of the file's permissions (!!!).
- Account Operators: can create, modify, or delete user accounts within the domain.
- Domain Users: includes all existing user accounts in the domain.
- Domain Computers: includes all existing computers in the domain.
- Domain Controllers: includes all existing DCs in the domain.
Documentation:
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups
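Added example (my own PowerShell, not from the TryHackMe room): an audit that lists the members of the sensitive groups above, including nested membership, and then flags machine accounts whose password has not rotated recently. It assumes the RSAT ActiveDirectory module is installed and that you run it as a domain user on a domain-joined host; the 30-day threshold is the default machine account password change interval, not a value from the page.

```powershell
Import-Module ActiveDirectory

# Groups from the list above; membership here is worth reviewing regularly
$sensitiveGroups = @('Domain Admins', 'Server Operators', 'Backup Operators', 'Account Operators')

foreach ($group in $sensitiveGroups) {
    # -Recursive expands nested groups so indirectly privileged accounts are not missed
    $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue)
    Write-Host ("{0}: {1} member(s)" -f $group, $members.Count)
    $members |
        Select-Object Name, objectClass, SamAccountName |
        Format-Table -AutoSize
}

# Machine accounts end with "$" (the computer "meowhecker" authenticates as "meowhecker$").
# Their passwords rotate automatically every 30 days by default, so an old PasswordLastSet
# usually means the machine has been offline or rotation was disabled on it.
$threshold = (Get-Date).AddDays(-30)   # assumption: default 30-day rotation interval
Get-ADComputer -Filter * -Properties PasswordLastSet, OperatingSystem |
    Where-Object { $_.PasswordLastSet -lt $threshold } |
    Select-Object Name, SamAccountName, Enabled, OperatingSystem, PasswordLastSet |
    Sort-Object PasswordLastSet |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell on the DC or on any host with RSAT; Get-ADGroupMember on a group with many thousands of nested members can be slow, so scope the group list to what you actually need.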
## Active Directory Users and Computers
Used to configure users, groups and machines in Active Directory.
An Organizational Unit (OU) is a container object that holds user, computer and group objects; additionally,
it is used to classify users and computers.

Objects with similar policy needs are placed within the same OU.
> Note
> A user can only belong to a single OU, but can still be subject to both the IT policy and the Sales policy;
> policies are not restrictive.

## OUs vs Security Groups
OUs make it easy to apply a specific policy and configuration to a particular role in the enterprise.
OUs are typically structured to resemble the company's departments, with each user or object belonging to a single departmental OU.
---
Security Groups: similar to being part of a department, but they provide users with particular privileges.
A user can belong to multiple security groups, each of which grants different access rights or permissions.
# Managing Users in AD
We are the new domain administrators, and we have edited and made some changes to match the following picture.

## Delete Users and OUs
Delete an OU
The Research and Development OU does not exist in the picture, so we have to delete it.
By default, OUs are protected from accidental deletion; we have to uncheck the "Protect object from accidental deletion" option.

Go to View -> Advanced Features.

Delete a user
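The same two deletions done from PowerShell, as an added example that is not part of the TryHackMe room. The distinguished names are assumptions based on the `OU=THM,DC=thm,DC=local` tree shown later on this page; the user DN is a constructed placeholder.

```powershell
Import-Module ActiveDirectory

# Assumed distinguished names; adjust to the lab's actual tree
$ouDn   = 'OU=Research and Development,OU=THM,DC=thm,DC=local'
$userDn = 'CN=Some User,OU=Sales,OU=THM,DC=thm,DC=local'

# Review what the OU contains before removing it: -Recursive deletes everything inside
Get-ADObject -SearchBase $ouDn -Filter * -SearchScope Subtree |
    Select-Object Name, ObjectClass, DistinguishedName |
    Format-Table -AutoSize

# OUs are protected from accidental deletion by default (the checkbox in ADUC);
# Remove-ADOrganizationalUnit fails until the flag is cleared on the OU and on
# any protected child OUs, so clear it on the whole subtree.
Get-ADOrganizationalUnit -SearchBase $ouDn -Filter * -SearchScope Subtree |
    Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $false

# Dry run first, then the real deletion
Remove-ADOrganizationalUnit -Identity $ouDn -Recursive -WhatIf
Remove-ADOrganizationalUnit -Identity $ouDn -Recursive -Confirm:$false

# Deleting a single user (identified by DN here; a SamAccountName works too)
Remove-ADUser -Identity $userDn -Confirm:$false
```

The `-WhatIf` pass prints every object that would be removed, which is the PowerShell equivalent of reading the confirmation dialog before clicking through it.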


## Delegation (assigning privileges to specific users)
Delegation means we can assign specific privileges to a specific object so it can perform tasks that require elevated privileges, without adding it to an administrator or security group.
Common case:
Granting IT Support the privilege to reset passwords.
Like this XD
```
sudo passwd
```
We can delegate control of resetting passwords over the Sales, Marketing and Management OUs to IT Support.
Operation:

Use "Check Names" to avoid mistyping the user's name.

### Reset the password
Now let's use Phillip's account to reset Sophie's password.
PowerShell (sophie -> username):
```powershell
Set-ADAccountPassword sophie -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose
```
Enforce a password change at next logon:
```powershell
Set-ADUser -ChangePasswordAtLogon $true -Identity sophie -Verbose
VERBOSE: Performing the operation "Set" on target "CN=Sophie,OU=Sales,OU=THM,DC=thm,DC=local".
```
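Added example (not from the TryHackMe room): the delegation step done with `dsacls.exe` instead of the ADUC wizard, followed by the reset itself. It assumes a security group called "IT Support" in the THM domain and the three departmental OUs under `OU=THM,DC=thm,DC=local`; the two ACEs written are the ones the "Reset user passwords and force password change at next logon" delegation task grants.

```powershell
Import-Module ActiveDirectory

# Assumptions: a security group "IT Support" exists, and these three departmental OUs
# hold the users whose passwords IT Support may reset.
$itGroup = 'THM\IT Support'
$ous = @(
    'OU=Sales,OU=THM,DC=thm,DC=local',
    'OU=Marketing,OU=THM,DC=thm,DC=local',
    'OU=Management,OU=THM,DC=thm,DC=local'
)

foreach ($ou in $ous) {
    # dsacls.exe edits the OU's ACL directly. /I:S applies the ACE to child objects only
    # (the user objects), not to the OU itself.
    dsacls.exe $ou /I:S /G "${itGroup}:CA;Reset Password;user"   # control access right
    dsacls.exe $ou /I:S /G "${itGroup}:RPWP;pwdLastSet;user"     # read/write pwdLastSet for "change at next logon"
}

# Verify the delegation landed on one of the OUs
dsacls.exe $ous[0] | Select-String 'IT Support'

# As a member of IT Support (e.g. Phillip), reset Sophie's password and force a change
# at next logon: the same two cmdlets shown above, prompting for the new password.
Set-ADAccountPassword -Identity sophie -Reset `
    -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose
Set-ADUser -Identity sophie -ChangePasswordAtLogon $true -Verbose
```

Scoping the ACEs to `user` objects means the delegated group cannot reset the passwords of computer accounts or of users placed outside those three OUs, which is the least-privilege point of delegating instead of adding IT Support to an administrative group.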
# Managing Computers in AD
By default, all newly added devices or computers are placed into the 'Computers' container in Active Directory.

We can categorize them based on their role:
- Workstations
- Servers
- Domain Controllers
This categorization makes it easier to apply different policies to these devices.
It's important to note that Domain Controllers are the most sensitive devices in the network.
To better manage these devices, we create new Organizational Units to separate the workstations and servers from the Computers container.
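Added example (my own script, not the room's): creating the Workstations and Servers OUs and moving every computer out of the default Computers container based on its operating system string. It assumes the `OU=THM` parent OU exists; Domain Controllers are never in the Computers container (they sit in their own "Domain Controllers" OU), so they are untouched.

```powershell
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName          # e.g. DC=thm,DC=local
$parentOu = "OU=THM,$domainDn"                         # assumption: THM OU already exists

# Create the two role OUs if they are missing
foreach ($name in 'Workstations', 'Servers') {
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$name'" -SearchBase $parentOu -SearchScope OneLevel
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $name -Path $parentOu
    }
}

# Only the default Computers container is touched. Domain Controllers live in their own
# "Domain Controllers" OU and are deliberately left where they are.
$pending = Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDn" -SearchScope OneLevel `
    -Properties OperatingSystem

foreach ($computer in $pending) {
    # Crude but effective role detection: Windows Server editions say "Server" in the OS name
    $role   = if ($computer.OperatingSystem -like '*Server*') { 'Servers' } else { 'Workstations' }
    $target = "OU=$role,$parentOu"
    Write-Host ("{0,-20} {1,-35} -> {2}" -f $computer.Name, $computer.OperatingSystem, $role)
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $target
}

# Check nothing is left behind in the container
Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDn" -SearchScope OneLevel | Measure-Object
```

Policies linked to the new OUs take effect on the moved computers at their next Group Policy refresh, so run `gpupdate /force` on a moved host if you want to see the change immediately.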


_LPT_ (line print terminal) is the usual designation for a parallel port connection to a printer or other device on a personal _computer_.
# Group Policy Management (GPM)
## Group Policy Objects (GPO)
Windows applies policies to specific OUs through Group Policy Objects (GPOs).
## Group Policy Management Tools

The Default Domain Policy and the RDP policy are linked to the THM domain.
The Domain Controllers OU is affected by the Default Domain Policy.
Sub-OUs within an OU are also affected by the policy linked to the parent OU.
### Default Domain Policy

#### Settings

Account/password policy

### Edit Policy (Default Domain Policy)

Minimum password length policy (path):
```
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy
```

If we are unfamiliar with a policy, we can review its "Explain" tab.
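The password policy edited via that GUI path is the domain's default password policy, which can be audited and changed from PowerShell as well. This is an added example, not part of the room; the baseline values in it are assumptions for illustration and the domain name `thm.local` is taken from the DN shown earlier on this page.

```powershell
Import-Module ActiveDirectory

$domain = 'thm.local'   # assumption: the lab domain from the DN shown earlier

# Assumed baseline for this example (not the room's values)
$baseline = @{
    MinPasswordLength    = 12
    ComplexityEnabled    = $true
    PasswordHistoryCount = 24
    LockoutThreshold     = 5       # 0 would mean "never lock out"
}

$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain

$findings = foreach ($setting in $baseline.Keys) {
    $actual   = $policy.$setting
    $expected = $baseline[$setting]
    $ok = switch ($setting) {
        'LockoutThreshold'  { $actual -gt 0 -and $actual -le $expected }   # lower is stricter, 0 is off
        'ComplexityEnabled' { $actual -eq $expected }
        default             { $actual -ge $expected }                       # higher is stricter
    }
    [pscustomobject]@{ Setting = $setting; Expected = $expected; Actual = $actual; Compliant = $ok }
}
$findings | Format-Table -AutoSize

# Raise only the minimum length if it failed; this writes the same setting the GUI path above edits
$minLen = $findings | Where-Object Setting -eq 'MinPasswordLength'
if (-not $minLen.Compliant) {
    Set-ADDefaultDomainPasswordPolicy -Identity $domain -MinPasswordLength $baseline.MinPasswordLength
}
```

Because the default domain policy is what every account falls back to, a weak value here is worth catching in an audit even when stricter fine-grained password policies exist for some groups.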
# GPO Distribution
Group Policy Objects are distributed through the `SYSVOL` share to apply policies across the entire network.
`SYSVOL` is stored on the Windows Domain Controller.
All users can access the GPOs via `C:\Windows\SYSVOL\sysvol\`.
Enforce an immediate update of all user policies with the following command:
```powershell
PS C:\> gpupdate /force
```
Goals
- Block non-IT users from accessing the Control Panel.
- Make workstations and servers lock their screen automatically after 5 minutes of user inactivity, to avoid people leaving their sessions exposed.
## Creating a GPO (Restrict Control Panel Access)
We have to create a new GPO called "Restrict Control Panel Access".

All users within the Organizational Units (OUs) covered by this policy will be prohibited from accessing the Control Panel and PC settings.

Now we have to link the policy to the Sales, Marketing and Management OUs in order to restrict their access to the Control Panel and PC settings.

## Creating a GPO (Auto Lock Screen)
This GPO is applied to the THM domain.
This means all users and computers in the domain receive the policy.

Applying the policy across the entire THM domain
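Both GPOs built above from the GUI, as an added PowerShell example that is not part of the room. It assumes the GroupPolicy module (installed with GPMC), the `OU=THM,DC=thm,DC=local` tree from this page, and the registry values that back the two Administrative Template settings: "Prohibit access to Control Panel and PC settings" and the three screen saver policies (enable, password protect, timeout).

```powershell
Import-Module GroupPolicy

$domainDn = 'DC=thm,DC=local'                  # assumption: lab domain

function Get-OrCreateGpo([string]$Name) {
    # Reuse an existing GPO of that name instead of creating a duplicate
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }
    return $gpo
}

function Set-GpLinkOnce([string]$Name, [string]$Target) {
    # New-GPLink throws if the link already exists, so check the target's links first
    $linked = (Get-GPInheritance -Target $Target).GpoLinks | Where-Object DisplayName -eq $Name
    if (-not $linked) { New-GPLink -Name $Name -Target $Target -LinkEnabled Yes | Out-Null }
}

# 1. "Restrict Control Panel Access": User Configuration > Administrative Templates >
#    Control Panel > "Prohibit access to Control Panel and PC settings" writes this value
$cp = Get-OrCreateGpo 'Restrict Control Panel Access'
Set-GPRegistryValue -Name $cp.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoControlPanel' -Type DWord -Value 1 | Out-Null
foreach ($ou in 'Sales', 'Marketing', 'Management') {
    Set-GpLinkOnce -Name $cp.DisplayName -Target "OU=$ou,OU=THM,$domainDn"
}

# 2. "Auto Lock Screen": the screen saver policies live under Control Panel\Desktop as
#    REG_SZ values; 300 seconds is the 5-minute timeout from the goal above
$lock = Get-OrCreateGpo 'Auto Lock Screen'
$desktopKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
@{ ScreenSaveActive = '1'; ScreenSaverIsSecure = '1'; ScreenSaveTimeOut = '300' }.GetEnumerator() |
    ForEach-Object {
        Set-GPRegistryValue -Name $lock.DisplayName -Key $desktopKey `
            -ValueName $_.Key -Type String -Value $_.Value | Out-Null
    }
# Linked at the domain root so every OU beneath it inherits the policy
Set-GpLinkOnce -Name $lock.DisplayName -Target $domainDn

# Show what was configured, then push it out without waiting for the refresh interval
Get-GPRegistryValue -Name $lock.DisplayName -Key $desktopKey | Format-Table ValueName, Value
gpupdate /force
```

Both settings are user-side (HKCU), so they follow the user to whichever machine they log on to; `gpresult /r` on a client shows which of the two GPOs were actually applied to the current user.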



# Authentication Methods
All user credentials are stored on the Domain Controller.
To verify a user's identity, two authentication protocols are in use.
## Kerberos (default protocol in AD)
It employs a client-server model and relies on tickets to authenticate identity, even on an insecure network.
The user presents a ticket to access a service.
Authentication flow:
### Step 1 (Request TGT)
The user sends their username and a timestamp encrypted with a key derived from their password to the KDC (Key Distribution Center), which runs on the Domain Controller. The KDC is responsible for creating the TGT (Ticket Granting Ticket).

### Step 2 (Response)
The KDC receives the TGT request, uses the user's hash to decrypt it, and sends the TGT (Ticket Granting Ticket) back to the client. The client then uses the TGT to request TGS tickets for the specific services it wants to access.
The benefit of this process is that the client never has to transmit its credentials for authentication.
Both the TGT and the Session Key are encrypted using the krbtgt account's password hash.

### Step 3 (Request TGS)
Once the client has the TGT, it can proceed to send a TGS (Ticket Granting Service) request.
In the TGS request, the client sends the username and a timestamp protected by the Session Key, along with the TGT and the SPN (Service Principal Name) that tells the KDC which service the client wishes to access.
The KDC then generates the Ticket Granting Service (TGS) ticket and encrypts it using the service owner's password hash.

### Step 4 (TGS response)
The KDC responds to the TGS request by sending the TGS and the Service Session Key back to the client. The Service Session Key is encrypted with the Session Key from step 2, so only the client can read it.
The client decrypts it to obtain the Service Session Key. Additionally, the TGS contains a copy of the Service Session Key for the service owner to use for authentication.

### Step 5 (Client accesses the service)
The client can now access the desired service:
it sends the TGS (encrypted with the service owner's hash) along with its username and a timestamp encrypted with the Service Session Key.
The service decrypts the TGS using its own account's password hash and validates the Service Session Key.

---
## NetNTLM Authentication (Old)
Challenge-response mechanism:

- The client sends an authentication request to the server it wants to access.
- The server generates a random number and sends it to the client as a challenge.
- The client combines its NTLM password hash with the challenge (and other known data) to generate a response to the challenge and sends it back to the server for verification.
- The server forwards the challenge and the response to the Domain Controller for verification.
- The Domain Controller uses the challenge to recalculate the response and compares it to the original response sent by the client. If they match, the client is authenticated; otherwise, access is denied. The authentication result is sent back to the server.
- The server forwards the authentication result to the client.

The process above applies when a domain account is used. If a local account is used, the server can verify the response to the challenge itself, without involving the Domain Controller, since it has the password hash stored locally in its SAM.
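Both flows leave distinct traces in the Domain Controller's Security log, which is the practical way to see them: the Kerberos steps above produce event 4768 (TGT requested, steps 1-2) and 4769 (service ticket requested, steps 3-4), while a NetNTLM validation forwarded to the DC produces event 4776. This added example (not from the room) pulls the last hour of those events apart by protocol; it assumes it runs on a DC with the default audit policy, which logs these events.

```powershell
# Run on a Domain Controller: the KDC and the NTLM validator both log here
$since = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4768, 4769, 4776     # TGT request, TGS request, NTLM credential validation
    StartTime = $since
} -ErrorAction SilentlyContinue

$summary = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    switch ($e.Id) {
        4768 {
            [pscustomobject]@{
                Time = $e.TimeCreated; Protocol = 'Kerberos TGT (steps 1-2)'
                Account = $data.TargetUserName; Source = $data.IpAddress
                Detail = "enc $($data.TicketEncryptionType) status $($data.Status)"
            }
        }
        4769 {
            [pscustomobject]@{
                Time = $e.TimeCreated; Protocol = 'Kerberos TGS (steps 3-4)'
                Account = $data.TargetUserName; Source = $data.IpAddress
                Detail = "SPN $($data.ServiceName)"
            }
        }
        4776 {
            [pscustomobject]@{
                Time = $e.TimeCreated; Protocol = 'NTLM (challenge-response)'
                Account = $data.TargetUserName; Source = $data.Workstation
                Detail = "status $($data.Status)"
            }
        }
    }
}

# How much of the last hour's authentication was Kerberos vs NTLM
$summary | Group-Object Protocol | Select-Object Name, Count | Format-Table -AutoSize

# NTLM should be the exception in a Kerberos domain; list who is still using it and from where
$summary | Where-Object Protocol -like 'NTLM*' | Sort-Object Time | Format-Table -AutoSize
```

The 4769 `ServiceName` field is the SPN from step 3, so grouping on it shows which services are being requested; a 4776 with a non-zero status is a failed NTLM validation, the DC-side counterpart of the "access is denied" branch in the list above.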
# Trees, Forests and Trusts
## Single Domain
In small companies, a single domain is typically sufficient.

## Tree
In Active Directory, a tree refers to domains that share the same namespace.
Active Directory supports integrating multiple domains into a tree structure. This structure is especially useful for managing subdomains.

The tree structure provides better control over who can access what within each domain:
DC-UK administrators can access uk.thm.local,
while DC-Root administrators can access the entire network.
## Forest
A forest in AD is designed to manage different namespaces.

When two different namespaces are integrated into the same network, we call it a forest.
A forest allows multiple namespaces to be managed together and is particularly useful when different entities or organizations come together in one network environment.
## Trust Relationships
### One-way trust relationship

If Domain AAA trusts Domain BBB, users from Domain BBB can access files in Domain AAA.
The direction of a one-way trust is the opposite of the direction of access.
### Two-way trust relationship (default)
A two-way trust relationship allows both domains to authenticate users from each other.
However, a trust relationship does not automatically grant access to resources; access must still be granted based on appropriate permissions and policies.