Chapter 1 โ What is Active Directory?
Active Directory (AD) is Microsoft's directory service โ a centralised database of all network resources: users, computers, printers, groups, and policies. Over 90% of Fortune 500 companies run it. Understanding AD is mandatory for enterprise penetration testing.
| Component | Role |
|---|---|
| Domain | Administrative boundary, e.g. corp.local |
| Domain Controller (DC) | Server hosting AD, authenticates users |
| Forest | Collection of domains sharing schema |
| Organizational Unit (OU) | Container for organizing AD objects |
| Group Policy Object (GPO) | Applies settings to users/computers |
Chapter 2 โ AD Objects & Structure
Everything in AD is an object with attributes. Key object types: Users (people + service accounts), Computers (every domain-joined machine), Groups (security groups for permissions, distribution for email), OUs (containers for policy application), and Trusts (relationships between domains).
Chapter 3 โ Users, Groups & OUs
# Enumerate via PowerShell
Get-ADUser -Filter * | Select Name, SamAccountName
Get-ADGroup -Filter * | Select Name, GroupCategory
Get-ADGroupMember "Domain Admins"
# LDAP query filter examples
(objectClass=user)(objectCategory=person)
(memberOf=CN=Domain Admins,CN=Users,DC=corp,DC=local)
Chapter 4 โ Domain Controllers
The DC is the crown jewel. It holds the NTDS.dit (all password hashes), runs KDC (Kerberos), DNS, and LDAP. FSMO roles (PDC Emulator, RID Master, Schema Master) determine which DC is authoritative for specific functions. Owning the PDC Emulator means owning the domain.
Chapter 5 โ Kerberos Authentication
Kerberos is the default authentication protocol in AD. Understanding it is essential for attacks like Kerberoasting and Pass-the-Ticket.
| Step | Message | Purpose |
|---|---|---|
| 1 | AS-REQ | Client requests TGT from KDC |
| 2 | AS-REP | KDC returns TGT (encrypted with krbtgt hash) |
| 3 | TGS-REQ | Client requests service ticket using TGT |
| 4 | TGS-REP | KDC returns service ticket (encrypted with service account hash) |
| 5 | AP-REQ | Client presents ticket to service |
Chapter 6 โ NTLM Authentication
NTLM is the legacy authentication protocol still present everywhere. The NTLM hash (MD4 of the password) can be used directly in Pass-the-Hash attacks โ you do not need the cleartext password, just the hash.
# NTLM hash structure in SAM/NTDS.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
# RID LM hash (disabled) NT hash (MD4 of password)
Chapter 7 โ Group Policy (GPO)
GPOs can deploy software, set password policies, disable Windows Defender, create scheduled tasks, and map drives โ all from a single policy. If you can write to a GPO linked to Domain Controllers, it is game over for the domain.
Chapter 8 โ AD Trusts
Trusts allow authentication across domains. A one-way trust means Domain A trusts Domain B (users from B can access resources in A). Two-way trusts are bidirectional. SID History trusts are the most dangerous โ they allow privilege escalation across domain boundaries.
Chapter 9 โ DNS in Active Directory
AD-integrated DNS stores zone data in AD (replicated to all DCs). Every computer resolves via the DC. Misconfigured DNS (wildcard records, zone transfer enabled) leaks infrastructure. ADIDNS can sometimes be abused to inject records for man-in-the-middle attacks.
Chapter 10 โ AD Attack Surface
| Weakness | Attack | Impact |
|---|---|---|
| SPNs on user accounts | Kerberoasting | Offline password crack |
| No pre-auth required | ASREPRoasting | Offline password crack |
| NTLM hash possession | Pass-the-Hash | Lateral movement |
| Over-permissioned DACLs | ACL Abuse | Privilege escalation |
| Misconfigured ADCS | ESC1-ESC8 | Domain compromise |
| Unconstrained delegation | TGT theft | Domain compromise |