TryHackMe: Active Directory Basics

Welcome to my writeup of TryHackMe's Active Directory Basics room! Let's dive into it.

Windows Domains

Content

Windows Domain - a group of users and computers under the administration of a given business.

Active Directory (AD) - a centralized repository of common components of a Windows computer network.

Domain Controller (DC) - the service that runs Active Directory.

Advantages of a configured Windows domain:

  • Centralised Identity Management: all users across the network can be configured from AD with minimum effort
  • Managing security policies: security policies can be configured in AD and applied to users and computers across the network as needed.

Questions

In a Windows domain, credentials are stored in a centralised repository called...

Active Directory

The server in charge of running the Active Directory services is called...

Domain Controller

Active Directory

Content

Active Directory Domain Service (AD DS) is the core of every Windows Domain. It is a catalogue that holds the information about all objects on the network.

Common objects in an AD environment:

Users

Users are one of the objects known as security principals, meaning they can be authenticated by the domain and assigned privileges to resources. A security principal is an object that can act upon resources in the network.

Users can be:

  • People: generally represent people in the organization that need network access.
  • Services: users that can be used by services. Services require users to run, but service users will only have the privileges needed to run their specific service.

Machines

Machines are another type of object within Active Directory; for every computer that joins the Active Directory domain, a machine object will be created. Machines are also considered "security principals" and are assigned an account just as any regular user. This account has somewhat limited rights within the domain itself.

The machine accounts themselves are local administrators on the assigned computer. They are generally not supposed to be accessed by anyone except the computer itself, but as with any other account, if you have the password, you can use it to log in.

Note: Machine Account passwords are automatically rotated out and are generally comprised of 120 random characters.

Identifying machine accounts is relatively easy. They follow a specific naming scheme. The machine account name is the computer's name followed by a dollar sign. For example, a machine named DC01 will have a machine account called DC01$.

Security Groups

Security groups are also considered security principals and, therefore, can have privileges over network resources.

Groups can have both users and machines as members. If needed, groups can include other groups as well.

Several groups are created by default in a domain that can be used to grant specific privileges to users.

As an example, here are some of the most important groups in a domain:

  • Domain Admins: Users of this group have administrative privileges over the entire domain. By default, they can administer any computer on the domain, including the DCs.
  • Server Operators: Users in this group can administer Domain Controllers. They cannot change any administrative group memberships.
  • Backup Operators: Users in this group are allowed to access any file, ignoring their permissions. They are used to perform backups of data on computers.
  • Account Operators: Users in this group can create or modify other accounts in the domain.
  • Domain Users: Includes all existing user accounts in the domain.
  • Domain Computers: Includes all existing computers in the domain.
  • Domain Controllers: Includes all existing DCs on the domain.

Organizational Units

Organizational Units (OUs) are container objects that allow you to classify users and machines. They are mainly used to define sets of users with similar policy requirements.

Security Groups vs OUs

You are probably wondering why we have both groups and OUs. While both are used to classify users and computers, their purposes are entirely different:

  • OUs are handy for applying policies to users and computers, which include specific configurations that pertain to sets of users depending on their particular role in the enterprise. Remember, a user can only be a member of a single OU at a time, as it wouldn't make sense to try to apply two different sets of policies to a single user.
  • Security Groups, on the other hand, are used to grant permissions over resources. For example, you will use groups if you want to allow some users to access a shared folder or network printer. A user can be part of multiple groups, which is necessary to grant access to various resources.

Questions

Which group normally administrates all computers and resources in a domain?

Domain Admins

What would be the name of the machine account associated with a machine named TOM-PC?

TOM-PC$

Suppose our company creates a new department for Quality Assurance. What type of containers should we use to group all Quality Assurance users so that policies can be applied consistently to them?

Organizational Units

Managing Users in AD

Content

Deleting extra OUs and users

  1. To delete an OU, enable Advanced Features in the View menu.
  2. Then, under "Object", deselect the "Protect object from accidental deletion" checkbox.
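The same two steps can be scripted instead of clicked. The following is an added example (not from the TryHackMe room) using the ActiveDirectory PowerShell module, which is assumed to be installed; the OU distinguished name is a constructed placeholder.

```powershell
# Added example, not the room's own code: delete a protected OU with the ActiveDirectory module.
# The OU path is a constructed placeholder; replace it with the OU you actually want to remove.
Import-Module ActiveDirectory

$ouPath = 'OU=Extra Department,DC=thehackerwitch,DC=com'   # constructed placeholder DN

# Step 1 equivalent: look at the attribute that "Advanced Features" exposes in the GUI.
Get-ADOrganizationalUnit -Identity $ouPath -Properties ProtectedFromAccidentalDeletion |
    Select-Object Name, DistinguishedName, ProtectedFromAccidentalDeletion

# Step 2 equivalent: untick "Protect object from accidental deletion" on the OU itself.
Set-ADOrganizationalUnit -Identity $ouPath -ProtectedFromAccidentalDeletion $false

# Child objects can carry their own protection flag; clear it on them too, otherwise
# the recursive delete below stops with an "access denied" style error.
Get-ADObject -SearchBase $ouPath -Filter * |
    Set-ADObject -ProtectedFromAccidentalDeletion $false

# Finally remove the OU together with whatever it still contains.
Remove-ADOrganizationalUnit -Identity $ouPath -Recursive -Confirm:$false
```

Run the first command on its own before the rest: the ProtectedFromAccidentalDeletion value it prints is exactly the checkbox state the GUI steps refer to.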

Delegation

Delegation is the process of granting users specific privileges to perform advanced tasks on OUs without needing a Domain Administrator's approval.

Questions

What was the flag found on Sophie's desktop?

THM{thanks_for_contacting_support}

The process of granting privilege to a user over some OU or another AD Object is called...

Delegation

Managing Computers in AD

Content

By default, all machines that join a domain (except for the DCs) will be put in the container called "Computers". All devices will be included in this list. A best practice is to divide devices into at least the three following categories:

  1. Workstations
  2. Servers
  3. Domain Controllers
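The categorisation above can be automated. The following is an added example (not from the room) that creates the Workstations and Servers OUs and moves machine accounts out of the default "Computers" container based on their operating system attribute; the domain DN is taken from the page's example domain and the module is assumed to be present.

```powershell
# Added example, not the room's own code: sort machine accounts into the recommended OUs.
# Assumes the ActiveDirectory module; the domain DN is a constructed example.
Import-Module ActiveDirectory

$domainDN = 'DC=thehackerwitch,DC=com'

# Domain Controllers already have a built-in OU, so only the other two need creating.
foreach ($name in 'Workstations', 'Servers') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$name'" -SearchBase $domainDN)) {
        New-ADOrganizationalUnit -Name $name -Path $domainDN
    }
}

# Everything that joined the domain (except DCs) starts in the "Computers" container.
$computers = Get-ADComputer -SearchBase "CN=Computers,$domainDN" -Filter * -Properties OperatingSystem

foreach ($c in $computers) {
    # Classify on the OS string the machine wrote into its own account when it joined.
    $target = if ($c.OperatingSystem -like '*Server*') { "OU=Servers,$domainDN" } else { "OU=Workstations,$domainDN" }
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $target
    '{0,-12} {1,-40} -> {2}' -f $c.Name, $c.OperatingSystem, $target
}

# Count the result instead of eyeballing the OU in the GUI.
(Get-ADComputer -SearchBase 'OU=Workstations,DC=thehackerwitch,DC=com' -Filter *).Count
```

Machines with an empty OperatingSystem attribute fall into Workstations by this rule; check that column in the printed list before trusting the split.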

Questions

After organising the available computers, how many ended up in the Workstations OU?

7

Is it recommendable to create separate OUs for Servers and Workstations? (yay/nay)

yay

Group Policies

Content

Group Policy Object (GPO) - a collection of settings that can be applied to OUs. A GPO can contain policies aimed at either users or computers.

GPOs are configured through the Group Policy Management tool.

Questions

What is the name of the network share used to distribute GPOs to domain machines?

SYSVOL

Can a GPO be used to apply settings to users and computers? (yay/nay)

yay

Authentication Methods

Content

When using Windows domains, all credentials are stored in the DCs. When a user attempts to authenticate to a service using domain credentials, the service asks the DC to verify if the credentials are correct.

Two protocols are used for network authentication in Windows domains:

  1. Kerberos: Used by recent versions of Windows. Default protocol in any recent domain.
  2. NetNTLM: Legacy authentication protocol kept for compatibility purposes.

Kerberos Authentication

Users who log into a service using Kerberos will be assigned tickets. Tickets are proof of a previous authentication.

Kerberos authentication process:

  1. The user sends their username and a timestamp encrypted using a key derived from their password to the Key Distribution Center (KDC). The KDC is a service usually installed on the DC and is in charge of creating Kerberos tickets on the network.
  2. The KDC will create and send back a Ticket Granting Ticket (TGT) which will allow the user to request additional tickets to access specified services. A Session Key is also given to the user, which they will need to generate the following requests.
     Note: The TGT is encrypted using the krbtgt account's password hash, and therefore the user can't access its contents. The KDC has no need to store the Session Key as it can recover a copy by decrypting the TGT.
  3. When a user wants to connect to a service, they will use their TGT to ask the KDC for a Ticket Granting Service (TGS). TGS are tickets that allow connection only to the specific service they were created for. To request a TGS, the user will send their username and a timestamp encrypted using the Session Key, along with the TGT and a Service Principal Name (SPN), which indicates the service and server name we intend to access.
  4. As a result, the KDC will send us a TGS along with a Service Session Key, which we will need to authenticate to the service we want to access. The TGS is encrypted using a key derived from the Service Owner Hash. The Service Owner is the user or machine account that the service runs under. The TGS contains a copy of the Service Session Key in its encrypted contents so that the Service Owner can access it by decrypting the TGS.
  5. The TGS can then be sent to the desired service to authenticate and establish a connection. The service will use its configured account's password hash to decrypt the TGS and validate the Service Session Key.
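To make the five steps concrete, here is an added example (not code from the room) that plays the whole exchange inside one PowerShell process, with each party only ever holding the keys the protocol hands it. "Encrypted with a password hash" is stood in for by AES-256-CBC under SHA-256 of the secret; the user, passwords, SPN and the thehackerwitch.com host name are constructed, lifetimes and replay checks are omitted, and nothing here is wire-compatible with real Kerberos.

```powershell
# Added example, not the room's own code: a toy Kerberos AS/TGS/AP exchange in one process.
function Get-KeyFromSecret([string]$Secret) {          # stand-in for "key derived from the password hash"
    [System.Security.Cryptography.SHA256]::Create().ComputeHash([Text.Encoding]::UTF8.GetBytes($Secret))
}
function New-RandomKey {
    $k = [byte[]]::new(32); [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($k); $k
}
function Protect-Blob([byte[]]$Key, [hashtable]$Object) {   # seal an object as IV + AES-CBC(JSON)
    $aes = [System.Security.Cryptography.Aes]::Create(); $aes.Key = $Key
    $pt  = [Text.Encoding]::UTF8.GetBytes(($Object | ConvertTo-Json -Compress))
    [byte[]]($aes.IV + $aes.CreateEncryptor().TransformFinalBlock($pt, 0, $pt.Length))
}
function Unprotect-Blob([byte[]]$Key, [byte[]]$Blob) {      # throws when the key is wrong
    $aes = [System.Security.Cryptography.Aes]::Create(); $aes.Key = $Key; $aes.IV = [byte[]]($Blob[0..15])
    $ct  = [byte[]]($Blob[16..($Blob.Length - 1)])
    [Text.Encoding]::UTF8.GetString($aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length)) | ConvertFrom-Json
}
function B64([byte[]]$b)   { [Convert]::ToBase64String($b) }
function UnB64([string]$s) { [Convert]::FromBase64String($s) }

# KDC database on the DC: the only place where every principal's key exists (all values constructed).
$kdcDb = @{
    'alice'  = Get-KeyFromSecret 'AlicePassw0rd!'          # user password
    'krbtgt' = Get-KeyFromSecret 'krbtgt-secret-value'     # never leaves the KDC
    'SRV01$' = Get-KeyFromSecret 'SRV01-machine-secret'    # machine account that owns the SPN
}
$spnOwner = @{ 'cifs/SRV01.thehackerwitch.com' = 'SRV01$' }

# Step 1: the client derives its key from the typed password and sends username + encrypted timestamp.
$userKey = Get-KeyFromSecret 'AlicePassw0rd!'
$asReq = @{ User = 'alice'; Auth = Protect-Blob $userKey @{ Timestamp = (Get-Date).ToString('o') } }

# Step 2: the KDC checks the timestamp with its own copy of the user key, then issues TGT + Session Key.
$null = Unprotect-Blob $kdcDb[$asReq.User] $asReq.Auth      # a wrong password throws here
$sessionKey = New-RandomKey
$asRep = @{
    TGT     = Protect-Blob $kdcDb['krbtgt'] @{ User = $asReq.User; SessionKey = (B64 $sessionKey) }
    EncPart = Protect-Blob $kdcDb[$asReq.User] @{ SessionKey = (B64 $sessionKey) }
}
$clientSessionKey = UnB64 (Unprotect-Blob $userKey $asRep.EncPart).SessionKey
try   { $null = Unprotect-Blob $userKey $asRep.TGT; 'unexpected: client decrypted the TGT' }
catch { 'client cannot read the TGT: it is sealed with the krbtgt key' }

# Step 3: the client asks for a TGS: username + timestamp under the Session Key, plus the TGT and SPN.
$tgsReq = @{
    TGT  = $asRep.TGT; SPN = 'cifs/SRV01.thehackerwitch.com'
    Auth = Protect-Blob $clientSessionKey @{ User = 'alice'; Timestamp = (Get-Date).ToString('o') }
}

# Step 4: the KDC recovers the Session Key by decrypting the TGT (it stored nothing), validates the
# authenticator, and seals a TGS with the service owner's key. The Service Session Key goes to both sides.
$tgtBody = Unprotect-Blob $kdcDb['krbtgt'] $tgsReq.TGT
$auth    = Unprotect-Blob (UnB64 $tgtBody.SessionKey) $tgsReq.Auth
if ($auth.User -ne $tgtBody.User) { throw 'authenticator user does not match the TGT' }
$serviceSessionKey = New-RandomKey
$owner  = $spnOwner[$tgsReq.SPN]
$tgsRep = @{
    TGS     = Protect-Blob $kdcDb[$owner] @{ User = $tgtBody.User; SPN = $tgsReq.SPN; ServiceSessionKey = (B64 $serviceSessionKey) }
    EncPart = Protect-Blob (UnB64 $tgtBody.SessionKey) @{ ServiceSessionKey = (B64 $serviceSessionKey) }
}

# Step 5: the client presents the TGS; the service opens it with its own account key, no KDC round trip.
$clientSvcKey = UnB64 (Unprotect-Blob $clientSessionKey $tgsRep.EncPart).ServiceSessionKey
$apReq = @{ TGS = $tgsRep.TGS; Auth = Protect-Blob $clientSvcKey @{ User = 'alice'; Timestamp = (Get-Date).ToString('o') } }

$serviceKey = Get-KeyFromSecret 'SRV01-machine-secret'      # what the service holds locally
$ticket = Unprotect-Blob $serviceKey $apReq.TGS
$proof  = Unprotect-Blob (UnB64 $ticket.ServiceSessionKey) $apReq.Auth
if ($proof.User -ne $ticket.User) { throw 'authenticator does not match the TGS' }
'Service {0} accepted {1}' -f $ticket.SPN, $proof.User
```

Two things the run makes visible that the prose only states: the try/catch in step 2 shows that the client carries a TGT it cannot open, and step 4 shows the KDC obtaining the Session Key purely by decrypting that TGT, which is why it has nothing to store between requests.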

NetNTLM Authentication

NetNTLM uses a challenge-response mechanism.

  1. The client sends an authentication request to the server they want to access.
  2. The server generates a random number and sends it as a challenge to the client.
  3. The client combines their NTLM password hash with the challenge (and other known data) to generate a response to the challenge and sends it back to the server for verification.
  4. The server forwards the challenge and the response to the Domain Controller for verification.
  5. The domain controller uses the challenge to recalculate the response and compares it to the original response sent by the client. If they both match, the client is authenticated; otherwise, access is denied. The authentication result is sent back to the server.
  6. The server forwards the authentication result to the client.

Note: The user's password (or hash) is never transmitted through the network.

Note: The described process applies when using a domain account. If a local account is used, the server can verify the response to the challenge itself without requiring interaction with the domain controller since it has the password hash stored locally on its SAM.
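The six steps and both notes above, as an added example that is not code from the room: a toy NetNTLM exchange run inside one process. The NT hash is stood in for by SHA-256 over the UTF-16LE password and the response by HMAC-SHA256, so this shows the shape of the exchange and is not wire-compatible with NTLM; real servers route domain versus local accounts by the domain name in the authenticate message rather than by the SAM lookup used here. Users, passwords and the challenge are constructed.

```powershell
# Added example, not the room's own code: toy NetNTLM challenge-response.
function Get-ToyNtHash([string]$Password) {
    [System.Security.Cryptography.SHA256]::Create().ComputeHash([Text.Encoding]::Unicode.GetBytes($Password))
}
function Get-ToyResponse([byte[]]$Hash, [byte[]]$Challenge, [string]$User) {
    # keyed MAC over the server challenge plus "other known data" (the upper-cased username here)
    $mac = [System.Security.Cryptography.HMACSHA256]::new($Hash)
    $mac.ComputeHash([byte[]]($Challenge + [Text.Encoding]::Unicode.GetBytes($User.ToUpper())))
}
function Test-ToyResponse([hashtable]$HashStore, [string]$User, [byte[]]$Challenge, [byte[]]$Response) {
    # Whoever holds the hash (DC for domain accounts, the server's SAM for local ones) recomputes it.
    if (-not $HashStore.ContainsKey($User)) { return $false }
    $expected = Get-ToyResponse $HashStore[$User] $Challenge $User
    [Convert]::ToBase64String($expected) -eq [Convert]::ToBase64String($Response)   # toy: not constant-time
}
function Invoke-ToyNetNtlm([string]$User, [string]$Password, [hashtable]$ServerSam, [hashtable]$DcStore) {
    $clientHash = Get-ToyNtHash $Password                         # step 1: client only holds its hash
    $challenge  = [byte[]]::new(8)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($challenge)   # step 2
    $response   = Get-ToyResponse $clientHash $challenge $User    # step 3: hash itself is never sent
    # On the wire so far: username, 8-byte challenge, MAC response. Neither password nor hash.
    if ($ServerSam.ContainsKey($User)) {                          # local account: server checks its own SAM
        $result = Test-ToyResponse $ServerSam $User $challenge $response; $verifier = 'server SAM'
    } else {                                                      # domain account: steps 4 and 5 on the DC
        $result = Test-ToyResponse $DcStore $User $challenge $response;   $verifier = 'domain controller'
    }
    [pscustomobject]@{ User = $User; VerifiedBy = $verifier; Authenticated = $result }   # step 6
}

$dcStore   = @{ 'alice'    = Get-ToyNtHash 'AlicePassw0rd!' }   # constructed domain account
$serverSam = @{ 'localsvc' = Get-ToyNtHash 'L0calOnly!' }       # constructed local account on the server

Invoke-ToyNetNtlm 'alice'    'AlicePassw0rd!' $serverSam $dcStore   # Authenticated True, verified by DC
Invoke-ToyNetNtlm 'alice'    'wrong-guess'    $serverSam $dcStore   # Authenticated False
Invoke-ToyNetNtlm 'localsvc' 'L0calOnly!'     $serverSam $dcStore   # verified by the server's SAM
```

The point to take from the three calls is where the hash store sits: the server never needs alice's hash to authenticate her, only the DC does, which is the property the first note above describes.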

Questions

Will a current version of Windows use NetNTLM as the preferred authentication protocol by default? (yay/nay)

nay

When referring to Kerberos, what type of ticket allows us to request further tickets known as TGS?

Ticket Granting Ticket

When using NetNTLM, is a user's password transmitted over the network at any point? (yay/nay)

nay

Trees, Forests, and Trusts

Content

As companies grow, so do their networks. Having a single domain for a company is good enough to start, but in time, some additional needs might push you into having more than one.

Trees

Two domains that share the same namespace can be joined into a Tree. For example, if thehackerwitch.com was split into two subdomains for the US and Swedish branches, we could build a tree with the root domain of thehackerwitch.com and have two subdomains called se.thehackerwitch.com and us.thehackerwitch.com, each with its own computers and users.

A new security group should be introduced when discussing trees and forests. The Enterprise Admins group grants a user administrative privileges across all of an enterprise's domains. Each domain retains its own Domain Admins with administrator privileges for that specific domain, while the Enterprise Admins can manage everything within the enterprise.

Forests

The domains you manage can also be configured in different namespaces. Suppose your company continues growing and eventually acquires another company called MHT Inc. When both companies merge, you will probably have different domain trees for each company, each managed by its own IT department. The union of several trees with different namespaces into the same network is known as a forest.

Trust Relationships

Having multiple domains organized in trees and forests allows you to have a nice compartmentalized network in terms of management and resources. But at a certain point, a user at thehackerwitch SE might need to access a shared file in one of MHT ASIA's servers. For this to happen, domains arranged in trees and forests are joined together by trust relationships.

In simple terms, having a trust relationship between domains allows you to authorize a user from domain thehackerwitch SE to access resources from domain MHT EU.

The simplest trust relationship that can be established is a one-way trust relationship. In a one-way trust, if Domain AAA trusts Domain BBB, this means that a user on BBB can be authorized to access resources on AAA.

The direction of the one-way trust relationship is contrary to that of the access direction.

Two-way trust relationships can also be established to enable mutual authorization between domains. By default, joining several domains under a tree or a forest will form a two-way trust relationship.

It is important to note that having a trust relationship between domains doesn't automatically grant access to all resources on other domains. Once a trust relationship is established, you have the chance to authorize users across different domains, but it's up to you what is actually authorized or not.
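Because the trust direction runs opposite to the access direction, it is worth checking what a domain actually has configured. The following is an added example (not from the room) that lists the current domain's trusts with the ActiveDirectory module, assumed installed, and translates each Direction value into who can be authorized where.

```powershell
# Added example, not the room's own code: audit trust direction from the queried domain's point of view.
Import-Module ActiveDirectory

function Get-TrustFlow {
    Get-ADTrust -Filter * | ForEach-Object {
        # Direction is reported relative to the domain you are querying.
        $meaning = switch ("$($_.Direction)") {
            'Outbound'      { "this domain trusts $($_.Target): its users can be authorized here" }
            'Inbound'       { "$($_.Target) trusts this domain: our users can be authorized there" }
            'BiDirectional' { 'two-way: users on either side can be authorized on the other' }
        }
        [pscustomobject]@{
            Trust                   = $_.Name
            Direction               = $_.Direction
            ForestTransitive        = $_.ForestTransitive
            SelectiveAuthentication = $_.SelectiveAuthentication
            Meaning                 = $meaning
        }
    }
}

Get-TrustFlow | Format-Table -AutoSize -Wrap
```

The SelectiveAuthentication column is the configuration-level counterpart of the last paragraph: when it is true, users from the trusted domain must additionally be granted "Allowed to Authenticate" on each computer before they can even authenticate there, rather than merely being eligible for authorization.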

Questions

What is a group of Windows domains that share the same namespace called?

Tree

What should be configured between two domains for a user in Domain A to access a resource in Domain B?

A Trust Relationship