Building Active Directory Lab for Red Teaming
#whoami
👉 Chirag Savla
👉 Twitter – @chiragsavla94
👉 Interest area – Red Teaming, Application Security, Penetration Testing
👉 Blog – https://3xpl01tc0d3r.blogspot.com
“Prevention is ideal, detection is a must”
What is Active Directory?
▸ Active Directory is a directory service that centralizes the management of users, computers and other objects within a network. Its primary function is to authenticate and authorize users and computers in a Windows domain.
What is Forest?
[Diagram: a forest containing two domain trees. Tree 1: rtlabs.local with child domains sales.rtlabs.local and accounts.rtlabs.local. Tree 2: techno.local with child domains dev.techno.local and sec.techno.local. A trust relationship links the two trees. Legend: Domain, Organizational Unit, Groups, Users / Groups.]
Active Directory Components
▸ Forest
▸ Domain Trees
▸ Domains
▸ Schema
▸ Objects
▹ Organizational Units (OUs)
▹ Groups
▹ Users
▹ Computer
▸ Sites
▸ Global Catalog (GC)
▸ Group Policy
▸ Domain Trust
Forest
▸ An Active Directory forest (AD forest) is the topmost logical container in an Active Directory configuration; it contains domains, users, computers, and group policies.
Domain Tree
▸ When you add a child domain to a parent domain you create what is called a domain tree. A domain tree is just a series of domains connected together in a hierarchical fashion, all using the same DNS namespace.
Domain
▸ The domain is a logical structure of containers and objects within Active Directory. A domain contains the following components:
▹ A hierarchical structure for users, groups, computers and other objects
▹ Security services that provide authentication and authorization to resources in the domain and other domains
▹ Policies that are applied to users and computers
▹ A DNS name to identify the domain. When you log into a computer that is part of a domain you are logging into the DNS domain name.
Schema
▸ The Active Directory schema defines every object class that can be created and used in an Active Directory forest. It also defines every attribute that can exist in an object. In other words, it is a blueprint of how data can be stored in Active Directory.
Object
▸ Objects are defined as a group of attributes that represent a resource in the domain. Each object is assigned a unique security identifier (SID) that is used to grant or deny the object access to resources in the domain.
Organizational Units (OUs)
▸ An OU is a container object that can contain different objects from the same domain. You will use OUs to store and organize user accounts, contacts, computers, and groups. You will also link group policy objects to an OU.
Groups
▸ There are two types of groups: a security group and a distribution group. A security group is a grouping of user accounts that can be used to provide access to resources. Distribution groups are used for email distribution lists.
Users
▸ A domain user is one whose username and password are stored on a domain controller rather than on the computer the user is logging into.
▸ User accounts are used to gain access to the domain resources.
Computer
▸ Each domain-joined computer has an account in AD DS. Computer accounts are used in the same ways that user accounts are used for users. Each computer has a security identifier (SID) and attributes. When you create a domain, a Computers container is created.
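The object types on the preceding slides (OUs, security and distribution groups, users, computers, and the SID every object carries) can be built in the lab with the ActiveDirectory module. The script below is an added example and is not part of the original slides; the domain name rtlabs.local comes from the slides, while the OU names, group names, user alice and computer WS01 are constructed for the lab.

```powershell
# Added example (not from the original slides): builds a small object hierarchy
# in the rtlabs.local lab domain and shows the SID that AD assigns to each object.
# Run on the domain controller (or a host with RSAT) as a domain admin.
# OU, group, user and computer names below are constructed for the lab.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain -Identity 'rtlabs.local').DistinguishedName   # DC=rtlabs,DC=local

# Organizational Units: containers that group policy objects can later be linked to.
New-ADOrganizationalUnit -Name 'Lab' -Path $domainDN -ProtectedFromAccidentalDeletion $false
$labOU = "OU=Lab,$domainDN"
foreach ($ou in 'Users', 'Workstations', 'Groups') {
    New-ADOrganizationalUnit -Name $ou -Path $labOU -ProtectedFromAccidentalDeletion $false
}

# A security group (used to grant access) and a distribution group (mail lists only).
New-ADGroup -Name 'Lab-Helpdesk'    -GroupScope Global -GroupCategory Security     -Path "OU=Groups,$labOU"
New-ADGroup -Name 'Lab-Newsletter'  -GroupScope Global -GroupCategory Distribution -Path "OU=Groups,$labOU"

# A domain user: the credentials live on the DC, not on the workstation she logs into.
$password = Read-Host -AsSecureString -Prompt 'Password for lab user alice'
New-ADUser -Name 'alice' -SamAccountName 'alice' -UserPrincipalName 'alice@rtlabs.local' `
    -Path "OU=Users,$labOU" -AccountPassword $password -Enabled $true
Add-ADGroupMember -Identity 'Lab-Helpdesk' -Members 'alice'

# A computer account pre-staged in the Workstations OU; the real machine joins later
# and reuses this account instead of landing in the default Computers container.
New-ADComputer -Name 'WS01' -Path "OU=Workstations,$labOU" -Enabled $true

# Every object gets a unique SID; ACLs on resources reference the SID, not the name.
Get-ADObject -Filter 'Name -eq "alice" -or Name -eq "WS01" -or Name -eq "Lab-Helpdesk"' `
    -Properties objectSid, objectClass |
    Select-Object Name, objectClass, objectSid
```

The last command is the useful check: a user, a group and a computer from the same domain share the domain SID prefix and differ only in the trailing relative identifier, which is why group membership and computer accounts both show up as SIDs in an access token.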
Sites
▸ A site is a collection of subnets. Active Directory sites help define the replication flow and resource location for clients, such as which domain controller to use.
Global Catalog (GC)
▸ The global catalog server contains a full replica of all objects and is used to perform forest-wide searches. By default the first domain controller in a domain is designated as the GC server.
Group Policy
▸ Group policy allows you to centrally manage user and computer settings. You can use group policy to set password policies, auditing policies, lock screen, map drives, deploy software, OneDrive and Office 365 settings, and much more.
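Two of the uses named above, a password policy and a lock screen, can be pushed centrally with the GroupPolicy and ActiveDirectory modules. This is an added example, not code from the original slides: the domain rtlabs.local is from the slides, while the OU path OU=Workstations,OU=Lab,DC=rtlabs,DC=local, the GPO name and the policy values are constructed for the lab.

```powershell
# Added example (not from the original slides): uses Group Policy to push a
# password policy and a workstation baseline to the lab. Needs the GroupPolicy
# and ActiveDirectory RSAT modules on a DC or admin host. The OU path, GPO name
# and threshold values are constructed for the lab.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Domain password and lockout policy: applies to every account in rtlabs.local.
Set-ADDefaultDomainPasswordPolicy -Identity 'rtlabs.local' `
    -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00'

# A workstation baseline GPO, linked only to the OU that holds the clients.
$workstationOU = 'OU=Workstations,OU=Lab,DC=rtlabs,DC=local'
$gpo = New-GPO -Name 'Lab-Workstation-Baseline' -Comment 'Constructed lab baseline'
New-GPLink -Guid $gpo.Id -Target $workstationOU -LinkEnabled Yes

# Machine side: stop storing LM hashes when passwords are next changed.
Set-GPRegistryValue -Guid $gpo.Id -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'NoLMHash' -Type DWord -Value 1

# User side: lock the screen after 10 minutes of inactivity and require a password to resume.
$desktopKey = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Guid $gpo.Id -Key $desktopKey -ValueName 'ScreenSaveActive'    -Type String -Value '1'
Set-GPRegistryValue -Guid $gpo.Id -Key $desktopKey -ValueName 'ScreenSaverIsSecure'  -Type String -Value '1'
Set-GPRegistryValue -Guid $gpo.Id -Key $desktopKey -ValueName 'ScreenSaveTimeOut'    -Type String -Value '600'

# Review what was written and where it is linked. Clients apply it on the next
# refresh cycle or after running gpupdate /force.
Get-GPOReport -Guid $gpo.Id -ReportType Html -Path "$env:TEMP\Lab-Workstation-Baseline.html"
Get-GPInheritance -Target $workstationOU | Select-Object -ExpandProperty GpoLinks
```

The password and lockout settings go on the domain itself because the Default Domain Policy is the only place they take effect domain-wide; everything else is kept in a separate GPO linked to one OU, so it can be unlinked without touching the domain controllers.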
Domain Trust
▸ In an AD environment, a trust is a relationship between two domains or forests which allows users of one domain or forest to access resources in the other domain or forest.
▸ Trust can be automatic (parent-child, same forest etc.) or established (forest, external).
▸ Trusted Domain Objects (TDOs) represent the trust relationships in a domain.
Domain Trust
▸ Trust Direction
▹ One-way trust – Unidirectional. Users in the trusted domain can access resources in the trusting domain, but the reverse is not true.
▹ Two-way trust – Bi-directional. Users of both domains can access resources in the other domain.
Domain Trust
[Diagram: one-way trust between rtlabs.local and techno.local. The direction of trust runs one way and the direction of access runs the opposite way.]
Domain Trust
[Diagram: two-way trust between rtlabs.local and techno.local.]
Domain Trust
▸ Trust Transitivity
▹ Transitive – Can be extended to establish trust relationships with other domains. All the default intra-forest trust relationships (tree-root, parent-child) between domains within the same forest are transitive two-way trusts.
▹ Nontransitive – Cannot be extended to other domains in the forest. Can be two-way or one-way. This is the default trust (called an external trust) between two domains in different forests when the forests do not have a trust relationship.
Domain Trust
[Diagram: transitive trust between Domain A, Domain B and Domain C.]
Domain Trust
[Diagram: nontransitive trust between Domain A, Domain B and Domain C.]
Domain Trust
▸ Default/Automatic Trusts –
▹ Parent-child trust – Created automatically between the new domain and the domain that precedes it in the namespace hierarchy whenever a new domain is added to a tree. For example, sales.rtlabs.local is a child of rtlabs.local. This trust is always two-way transitive.
▹ Tree-root trust – Created automatically whenever a new domain tree is added to a forest root. This trust is always two-way transitive.
Domain Trust
[Diagram: parent-child trust. techno.local with child domains dev.techno.local and sec.techno.local.]
Domain Trust
[Diagram: tree-root trust. Tree 1: techno.local with child domains dev.techno.local and sec.techno.local. Tree 2: sec.rtcloud.local with child domain aws.sec.rtcloud.local.]
Domain Trust
▸ Shortcut Trusts – Used to reduce access times in complex trust scenarios. Can be one-way or two-way, and are transitive.
▸ External Trusts – Between two domains in different forests when the forests do not have a trust relationship. Can be one-way or two-way, and are nontransitive.
▸ Forest Trusts – Between forest root domains. Cannot be extended to a third forest (no implicit trust). Can be one-way or two-way, and transitive or nontransitive.
Domain Trust
[Diagram: shortcut trust within a forest made up of techno.local (dev.techno.local, sec.techno.local) and sec.rtcloud.local (aws.sec.rtcloud.local).]
Domain Trust
[Diagram: external trusts between the rtlabs.local forest (sales.rtlabs.local, accounts.rtlabs.local) and the techno.local forest (sec.techno.local): one two-way external trust and one one-way external trust.]
Domain Trust
[Diagram: forest trusts. rtlabs.local, techno.local and consult.local, with two forest trust links between them.]
Setup Active Directory
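The screenshots for this section are not in the extracted text, so the following is an added example, not the slides' own walkthrough, of an unattended build of the lab's forest root and a child domain. Domain names rtlabs.local and sales.rtlabs.local come from the slides; the server names DC01 and DC02, the 10.10.10.0/24 addressing and the interface alias Ethernet are assumptions.

```powershell
# Added example (not from the original slides): builds the forest root
# rtlabs.local on a fresh Windows Server, then a child domain sales.rtlabs.local
# on a second server. Host names, addresses and interface alias are assumptions.

# ---- Stage 1, on the first server as local Administrator: name and address ----
# A static address gives clients a stable DNS server to point at.
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress 10.10.10.10 -PrefixLength 24 -DefaultGateway 10.10.10.1
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 127.0.0.1
Rename-Computer -NewName 'DC01' -Force -Restart   # reboot before promotion so the DC keeps this name

# ---- Stage 2, after the reboot: install AD DS and promote to forest root ----
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
Install-ADDSForest -DomainName 'rtlabs.local' -DomainNetbiosName 'RTLABS' `
    -ForestMode 'WinThreshold' -DomainMode 'WinThreshold' `
    -InstallDns:$true -SafeModeAdministratorPassword $dsrm -Force
# The server reboots as the first DC of the forest and, by default, the global catalog.

# ---- Stage 3, on a second server (DC02) pointed at 10.10.10.10 for DNS: child domain ----
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 10.10.10.10
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password for the child domain DC'
Install-ADDSDomain -NewDomainName 'sales' -ParentDomainName 'rtlabs.local' -DomainType ChildDomain `
    -NewDomainNetbiosName 'SALES' -InstallDns:$true -CreateDnsDelegation:$true `
    -Credential (Get-Credential -UserName 'RTLABS\Administrator' -Message 'Forest root admin') `
    -SafeModeAdministratorPassword $dsrm -Force
# Adding the child creates the parent-child trust (two-way, transitive) automatically.

# ---- Verification, from DC01 once both servers are back up ----
Get-ADDomainController -Filter * | Select-Object HostName, Domain, Site, IsGlobalCatalog
Get-ADTrust -Filter * | Select-Object Name, Direction, IntraForest, ForestTransitive
```

The verification lines tie back to earlier slides: the first DC appears with IsGlobalCatalog set and in the default site, and the trust listing shows the parent-child relationship that was never configured by hand.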
Integrate Client Machine
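As with the previous section, the join steps survive only as a heading, so this is an added example rather than the slides' own procedure: joining a Windows client to rtlabs.local (name from the slides) and confirming the result. The DC address 10.10.10.10, the client name WS01 and the OU path are assumptions carried over from the lab build.

```powershell
# Added example (not from the original slides): joins a Windows client to the
# rtlabs.local lab domain and verifies the join. Run in an elevated PowerShell
# on the client. DC address, client name and OU path are assumptions.

# The client must resolve the domain through a DC; the SRV lookup proves that
# before Add-Computer is attempted.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 10.10.10.10
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.rtlabs.local' -Type SRV

# Join with an account that is allowed to join computers. If WS01 was pre-staged
# in AD, that account is reused; otherwise one is created in the Computers container.
$cred = Get-Credential -UserName 'RTLABS\Administrator' -Message 'Account allowed to join computers'
Add-Computer -DomainName 'rtlabs.local' -NewName 'WS01' -Credential $cred -Restart

# ---- After the reboot, logged on as a domain user (e.g. RTLABS\alice) ----
Test-ComputerSecureChannel -Verbose      # True: the machine account password is valid on the DC
nltest /dsgetdc:rtlabs.local             # which domain controller answered the locator request
whoami /groups | findstr /i 'RTLABS'     # the logon token now carries domain group SIDs

# From a host with RSAT, the computer object confirms the join from the directory side.
Get-ADComputer -Identity 'WS01' -Properties LastLogonDate, OperatingSystem |
    Select-Object Name, DistinguishedName, LastLogonDate, OperatingSystem
```

Test-ComputerSecureChannel is the check worth keeping around: it fails whenever the machine account password on the client and the DC drift apart, which is the usual reason a lab client stops authenticating after snapshots are rolled back.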
Credits
Thanks to @NullMumbai for granting me the privilege to present.
THANKS!
Any questions?
You can find me at @chiragsavla94
