killchain-compendium/misc/active_directory/active_directory.md

# Active Directory Enumeration

* Consists of
    * Domain Controller 
    * Organizational Units
        * Users
        * Groups
    * Trusts
    * AD Domains
    * AD Forest
    * Policies

* Administrative accounts are
    * Domain Admin
    * Enterprise Admin
    * Schema Admin
    * Server Operator
    * Account Operator

## Domain Controller

* AD Domain Services data store
* Authentication and authorization
* Update replication / sync with other domain controllers in the forest
* Administration of domain resources

### AD DS Store

* Database of directory info such as users, groups and services
    * `ntdis.dit` contains the information, including password hashes
    * `SystemRoot%\NTDS`

### Forest

* __Trees__, hierarchy of domains in the AD Domain Services
* __Domains__, groups of objects
* __Organizational Units (OU)__, containers of objects such as groups, users, printers and other resources
* __Trusts__, allows users to access resources in a different domain
* __Objects__ users, groups, printers, computers or shares
* __Domain Services__, DNS, LLMNR, SMB
* __Domain Schema__, Rules for object creation

### Users

* __Domain Admin__, DC access
* __Server Accounts__, service maintenance, may have admin permissions
* __Local Admin__, administrative persmission on an object but not the DC
* __Domain Users__, average user account on a local machine which may have admin permissions


### Policies

* Rule sets
* Apply to a domain
* Enable or disables services on a domain basis, like antivirus and malware scanning
    * __Disable Windows Defender__
    * Communication signing, e.g. SMB

### Domain Services 

* __LDAP__
* __Certificates__ handling for services, CRL
* __DNS, LLMNR, NBT-NS__

### Authentication

* __NTLM__, ticket granting service 
* __Kerberos__, challenge/response via hashes

## Usage

* Cmdlets on Domain Controller
* Get some help, `Get-Help Get-Command -Examples`, `Get-Command Get-*`

* From `ActiveDirectory` module
```sh
Import-Module Active-Directory
Get-ADDomain | Select-Object NetBIOSName,DNSRoot,InfrastructureMaster
Get-ADForest | Select-Object Domains
Get-ADTrust -Filter * | Select-Object Direction,Source,Target
```

* `systeminfo | findstr Domain`
* `Get-ADUser -filter *`
* Use found CN and DC and specify
* `Get-ADUser -filter * -searchBase "CN=Users,DC=<foundDC>,DC=<domainEnding>"`

### Powerview Module

* [Powerview](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)
```sh
Import-Module .\PowerView.ps1
Get-NetDomain
Get-NetDomainController
Get-NetForest
Get-NetDomainTrust
```

### DNS
* Check ip via `ipconfig`
* `nslookup`, then `server <LocalIP>` and zone transfer via 
```sh
ls -d <Domain>
```
AD stuff 2022-03-24 00:45:15 +01:00			`# Active Directory Enumeration`

			`* Consists of`
			`* Domain Controller`
			`* Organizational Units`
			`* Users`
			`* Groups`
			`* Trusts`
			`* AD Domains`
			`* AD Forest`
			`* Policies`

			`* Administrative accounts are`
			`* Domain Admin`
			`* Enterprise Admin`
			`* Schema Admin`
			`* Server Operator`
			`* Account Operator`

			`## Domain Controller`

			`* AD Domain Services data store`
			`* Authentication and authorization`
			`* Update replication / sync with other domain controllers in the forest`
			`* Administration of domain resources`

			`### AD DS Store`

			`* Database of directory info such as users, groups and services`
			* `ntdis.dit` contains the information, including password hashes
			* `SystemRoot%\NTDS`

			`### Forest`

			`* __Trees__, hierarchy of domains in the AD Domain Services`
			`* __Domains__, groups of objects`
			`* __Organizational Units (OU)__, containers of objects such as groups, users, printers and other resources`
			`* __Trusts__, allows users to access resources in a different domain`
			`* __Objects__ users, groups, printers, computers or shares`
			`* __Domain Services__, DNS, LLMNR, SMB`
			`* __Domain Schema__, Rules for object creation`

			`### Users`

			`* __Domain Admin__, DC access`
			`* __Server Accounts__, service maintenance, may have admin permissions`
			`* __Local Admin__, administrative persmission on an object but not the DC`
			`* __Domain Users__, average user account on a local machine which may have admin permissions`


			`### Policies`

			`* Rule sets`
			`* Apply to a domain`
			`* Enable or disables services on a domain basis, like antivirus and malware scanning`
			`* __Disable Windows Defender__`
			`* Communication signing, e.g. SMB`

			`### Domain Services`

			`* __LDAP__`
			`* __Certificates__ handling for services, CRL`
			`* __DNS, LLMNR, NBT-NS__`

			`### Authentication`

			`* __NTLM__, ticket granting service`
			`* __Kerberos__, challenge/response via hashes`

			`## Usage`

			`* Cmdlets on Domain Controller`
			* Get some help, `Get-Help Get-Command -Examples`, `Get-Command Get-*`

			* From `ActiveDirectory` module
			```sh
			`Import-Module Active-Directory`
			`Get-ADDomain \| Select-Object NetBIOSName,DNSRoot,InfrastructureMaster`
			`Get-ADForest \| Select-Object Domains`
			`Get-ADTrust -Filter * \| Select-Object Direction,Source,Target`
			```

			* `systeminfo \| findstr Domain`
			* `Get-ADUser -filter *`
			`* Use found CN and DC and specify`
			* `Get-ADUser -filter * -searchBase "CN=Users,DC=<foundDC>,DC=<domainEnding>"`

			`### Powerview Module`

			`* [Powerview](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)`
			```sh
			`Import-Module .\PowerView.ps1`
			`Get-NetDomain`
			`Get-NetDomainController`
			`Get-NetForest`
			`Get-NetDomainTrust`
			```

			`### DNS`
			* Check ip via `ipconfig`
			* `nslookup`, then `server <LocalIP>` and zone transfer via
			```sh
			`ls -d <Domain>`
			```