Chapter 1 โ€” What is Active Directory?

Active Directory (AD) is Microsoft's directory service โ€” a centralised database of all network resources: users, computers, printers, groups, and policies. Over 90% of Fortune 500 companies run it. Understanding AD is mandatory for enterprise penetration testing.

ComponentRole
DomainAdministrative boundary, e.g. corp.local
Domain Controller (DC)Server hosting AD, authenticates users
ForestCollection of domains sharing schema
Organizational Unit (OU)Container for organizing AD objects
Group Policy Object (GPO)Applies settings to users/computers

Chapter 2 โ€” AD Objects & Structure

Everything in AD is an object with attributes. Key object types: Users (people + service accounts), Computers (every domain-joined machine), Groups (security groups for permissions, distribution for email), OUs (containers for policy application), and Trusts (relationships between domains).

Chapter 3 โ€” Users, Groups & OUs

# Enumerate via PowerShell
Get-ADUser -Filter * | Select Name, SamAccountName
Get-ADGroup -Filter * | Select Name, GroupCategory
Get-ADGroupMember "Domain Admins"

# LDAP query filter examples
(objectClass=user)(objectCategory=person)
(memberOf=CN=Domain Admins,CN=Users,DC=corp,DC=local)

Chapter 4 โ€” Domain Controllers

The DC is the crown jewel. It holds the NTDS.dit (all password hashes), runs KDC (Kerberos), DNS, and LDAP. FSMO roles (PDC Emulator, RID Master, Schema Master) determine which DC is authoritative for specific functions. Owning the PDC Emulator means owning the domain.

Chapter 5 โ€” Kerberos Authentication

Kerberos is the default authentication protocol in AD. Understanding it is essential for attacks like Kerberoasting and Pass-the-Ticket.

StepMessagePurpose
1AS-REQClient requests TGT from KDC
2AS-REPKDC returns TGT (encrypted with krbtgt hash)
3TGS-REQClient requests service ticket using TGT
4TGS-REPKDC returns service ticket (encrypted with service account hash)
5AP-REQClient presents ticket to service

Chapter 6 โ€” NTLM Authentication

NTLM is the legacy authentication protocol still present everywhere. The NTLM hash (MD4 of the password) can be used directly in Pass-the-Hash attacks โ€” you do not need the cleartext password, just the hash.

# NTLM hash structure in SAM/NTDS.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
#              RID  LM hash (disabled)                NT hash (MD4 of password)

Chapter 7 โ€” Group Policy (GPO)

GPOs can deploy software, set password policies, disable Windows Defender, create scheduled tasks, and map drives โ€” all from a single policy. If you can write to a GPO linked to Domain Controllers, it is game over for the domain.

Chapter 8 โ€” AD Trusts

Trusts allow authentication across domains. A one-way trust means Domain A trusts Domain B (users from B can access resources in A). Two-way trusts are bidirectional. SID History trusts are the most dangerous โ€” they allow privilege escalation across domain boundaries.

Chapter 9 โ€” DNS in Active Directory

AD-integrated DNS stores zone data in AD (replicated to all DCs). Every computer resolves via the DC. Misconfigured DNS (wildcard records, zone transfer enabled) leaks infrastructure. ADIDNS can sometimes be abused to inject records for man-in-the-middle attacks.

Chapter 10 โ€” AD Attack Surface

WeaknessAttackImpact
SPNs on user accountsKerberoastingOffline password crack
No pre-auth requiredASREPRoastingOffline password crack
NTLM hash possessionPass-the-HashLateral movement
Over-permissioned DACLsACL AbusePrivilege escalation
Misconfigured ADCSESC1-ESC8Domain compromise
Unconstrained delegationTGT theftDomain compromise
โœ…
Workbook complete! You've covered all chapters. Mark it complete below and continue your learning path.
โ† All Workbooks
๐Ÿ“–
Sign in to track progress