General Information

Introduction

While Active Directory itself is a service, it also acts as a management layer. AD contains critical information about the environment, storing information about users, groups, and computers, each referred to as objects. Permissions set on each object dictate the privileges that object has within the domain.

The first step in configuring an instance of AD is to create a domain name such as corp.com, where corp is the name of the organization itself. Within this domain, administrators can add the various types of objects associated with the organization, such as computer, user, and group objects.

Organizational Units

To ease the management of the many objects in a domain, system administrators will often organize them into Organizational Units (OUs).

OUs are comparable to file system folders in that they are containers used to store objects within the domain. Computer objects represent actual servers and workstations that are domain-joined (part of the domain), and user objects represent accounts that can be used to log in to those domain-joined computers. In addition, all AD objects carry attributes, which vary depending on the type of object. For example, a user object may include attributes such as first name, last name, username, phone number, etc.

Domain Controller

AD relies on several components and communication services. For example, when a user attempts to log in to the domain, a request is sent to a Domain Controller (DC), which checks whether or not the user is allowed to log in to the domain. One or more DCs act as the hub and core of the domain, storing all OUs, objects, and their attributes. Since the DC is such a central domain component, we'll pay close attention to it as we enumerate AD.

Domain Admins

Objects can be assigned to AD groups so that the administrators can manage those objects as a single unit. For example, users in a group could be given access to a file server share or given administrative access to various clients on the domain. Attackers often target high-privileged groups.

Members of Domain Admins are among the most privileged objects in the domain. If an attacker compromises a member of this group (often referred to as domain administrators), they essentially gain complete control over the domain.

Domain Trees and Forests

This attack vector could extend beyond a single domain since an AD instance can host more than one domain in a domain tree or multiple domain trees in a domain forest. While there is a Domain Admins group for each domain in the forest, members of the Enterprise Admins group are granted full control over all domains in the forest and have Administrator privilege on all DCs. This is obviously a high-value target for an attacker.

LDAP

The Lightweight Directory Access Protocol (LDAP) is the service we will rely on for the majority of our enumeration.

Active Directory Naming Convention

In order for LDAP to function, objects in AD (or other directory services) must be formatted according to a specific naming standard.
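The notes above lean on LDAP for enumeration and refer to the AD naming standard without spelling it out. The Python below is an added example, not part of the original notes or of any tool they describe; it shows the two pieces any LDAP enumeration or auditing script needs: building and parsing distinguished names in the RFC 4514 form that AD uses (the corp.com domain from the notes becomes the base DN DC=corp,DC=com; the OU and account names are constructed sample data), and escaping values per RFC 4515 before they are placed in a search filter, so that a username taken from input cannot alter the filter's logic (LDAP injection). The function names are my own.

```python
"""Build and parse Active Directory LDAP names (added example).

Distinguished names follow RFC 4514; search-filter escaping follows
RFC 4515. The domain corp.com comes from the notes; every OU, group and
account name below is constructed sample data.
"""
import re

# Characters that must be escaped inside an LDAP search-filter value
# (RFC 4515). Escaping input values keeps a caller from injecting extra
# filter clauses such as ")(objectClass=*".
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def domain_to_base_dn(domain: str) -> str:
    """Map a DNS domain such as corp.com to the AD base DN DC=corp,DC=com."""
    labels = [label for label in domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("domain must contain at least one label")
    return ",".join(f"DC={label}" for label in labels)


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out.startswith((" ", "#")):        # leading space or '#' must be escaped
        out = "\\" + out
    if out.endswith(" "):                 # trailing space must be escaped
        out = out[:-1] + "\\ "
    return out


def build_dn(rdns, base_dn: str) -> str:
    """Join (attribute, value) pairs, most specific first, onto a base DN.

    build_dn([("CN", "Jane Doe"), ("OU", "Staff")], "DC=corp,DC=com")
    gives "CN=Jane Doe,OU=Staff,DC=corp,DC=com".
    """
    parts = [f"{attr}={escape_rdn_value(value)}" for attr, value in rdns]
    return ",".join(parts + [base_dn])


def _split_unescaped(text: str, sep: str):
    """Split text on sep, ignoring separators preceded by a backslash."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def _unescape_rdn_value(value: str) -> str:
    """Undo RFC 4514 escapes: \\XX hex pairs and backslash-escaped characters."""
    def repl(match):
        token = match.group(1)
        if len(token) == 2:
            return chr(int(token, 16))
        return token
    return re.sub(r"\\([0-9a-fA-F]{2}|.)", repl, value)


def parse_dn(dn: str):
    """Split a DN into (attribute, value) pairs, most specific first."""
    pairs = []
    for rdn in _split_unescaped(dn, ","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip(), _unescape_rdn_value(value)))
    return pairs


def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(sam_account_name: str) -> str:
    """Filter for one user by logon name; the name is escaped, not trusted."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(sam_account_name)}))"


def group_members_filter(group_dn: str) -> str:
    """Filter for users that are direct members of the given group DN."""
    return f"(&(objectClass=user)(memberOf={escape_filter_value(group_dn)}))"


if __name__ == "__main__":
    base = domain_to_base_dn("corp.com")
    admins = build_dn([("CN", "Domain Admins"), ("CN", "Users")], base)
    print(admins)
    print(parse_dn(build_dn([("CN", "Doe, Jane"), ("OU", "Staff")], base)))
    print(group_members_filter(admins))
    # An injected value is neutralised rather than rewriting the filter.
    print(user_lookup_filter("*)(objectClass=*"))
```

The same escaping applies whether the tool is an attacker's enumeration script or a defender's audit job that reviews Domain Admins membership on a schedule: any value that originates outside the script (a username, a group name, a DN read back from the directory) goes through escape_filter_value before it is interpolated into a filter, and DNs are assembled with build_dn rather than string concatenation so that commas and other special characters in names such as "Doe, Jane" cannot shift the object into a different container.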
