# Cracking the Basics of Active Directory

> ***If you’re aiming to red team Windows Networks, Active Directory (AD) isn’t just a topic — it’s the battleground.***

<figure><img src="https://cdn-images-1.medium.com/max/800/1*7v7F8GV3B81luKKjZ5QDzQ.png" alt=""><figcaption><p>Check it out</p></figcaption></figure>

## What is Active Directory?

Active Directory (AD) is Microsoft’s Directory service for Windows domain networks. Think of it as the digital master key to managing users, computers, and resources across an organization. It connects everything into a cohesive forest of domains, with each domain acting as a realm of control.

**Core Components of AD:**

* Domain Controllers
* Forests, Trees, and Domains
* Users & Groups
* Trusts & Policies
* Domain Services

### Why Do Companies Use Active Directory?

It centralizes control. With a single login, employees can access their files and workstations anywhere on the network. For admins, it means pushing policies, managing security, and monitoring users — all from one pane of glass.

AD is scalable, efficient, and secure (well, until you show up with a PowerView payload).

## Physical Active Directory: Hardware Meets Hierarchy

At its core, AD starts with **Domain Controllers (DCs)**. These are Windows Servers that host:

* The **AD DS Data Store** (`NTDS.dit`) contains all directory data and password hashes.
* **Authentication & Authorization services**
* Replication duties to sync with other DCs.

Every machine and user in an AD environment ultimately answers to a domain controller.

## Forests, Trees, and Domains: Organizing the Chaos

The Forest is the highest-level container — a collection of Trees (which are hierarchical domain structures).

* **Domains:** Logical groupings of objects like users and computers
* **OUs (Organizational Units):** Sub-containers used to organize objects and apply policies
* **Trusts:** Let users access resources across domains
* **Schema:** Blueprint for object creation rules

## Users & Groups: The Heartbeat of AD

**Users:**

* **Domain Admins** — The god tier users
* **Service Accounts** — For services like SQL
* **Local Admins** — Admins on local machines only
* **Domain Users** — Everyday employees

**Groups:**

* **Security Groups:** Control access to resources
* **Distribution Groups:** Email-based grouping (meh for attackers, but useful)

> *Fun fact*: Default groups like Domain Computers, Enterprise Admins, and Cert Publishers often reveal key attack paths.

## Trusts & Policies: The Social Contracts of AD

**Trusts** enable cross-domain access. Two types:

* **Directional:** One-way trust; access flows only in the trusted direction
* **Transitive:** Extends through the trusted domain to the domains it in turn trusts, like a social web

**Policies** dictate behavior:

* Disable Defender across all machines?
* Enforce SMB signing?

It’s all controlled via **Group Policy Objects (GPOs)**.
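To see a domain's trusts and the GPOs linked at the domain root the way the two lists above describe them, here is an added PowerShell example (not from the original post). It assumes a domain-joined host with the RSAT `ActiveDirectory` and `GroupPolicy` modules installed; the helper names `Get-TrustSummary` and `Get-DomainRootGpoLinks` are this example's own.

```powershell
# Added example (not from the original post): enumerate domain trusts and the
# GPOs linked at the domain root using the RSAT ActiveDirectory and GroupPolicy
# modules. Helper names are this example's own.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-TrustSummary {
    # Direction is Inbound, Outbound or BiDirectional; ForestTransitive says
    # whether the trust reaches past the directly trusted domain. SID filtering
    # (quarantine) is the control that limits what a trusted domain can assert.
    Get-ADTrust -Filter * | ForEach-Object {
        [pscustomobject]@{
            Partner        = $_.Name
            Direction      = $_.Direction
            Transitive     = $_.ForestTransitive
            IntraForest    = $_.IntraForest
            SIDFilteringOn = $_.SIDFilteringQuarantined
        }
    }
}

function Get-DomainRootGpoLinks {
    # GPOs linked at the domain root apply to every OU unless blocked,
    # so this is the first place to look for settings like SMB signing.
    $domainDn = (Get-ADDomain).DistinguishedName
    (Get-GPInheritance -Target $domainDn).GpoLinks | ForEach-Object {
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            Enabled     = $_.Enabled
            Enforced    = $_.Enforced
            Order       = $_.Order
        }
    }
}

Get-TrustSummary       | Format-Table -AutoSize
Get-DomainRootGpoLinks | Format-Table -AutoSize
```

A trust that is both outbound and transitive with SID filtering off is the kind of entry worth reviewing first, because it extends the reach of any compromise in the partner domain into yours.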

## AD Domain Services & Authentication

Key default services provided by AD:

* **LDAP:** Communication between apps & directory
* **Certificate Services:** Manage public key certs
* **DNS, LLMNR, NBT-NS:** Name resolution services

### Authentication Protocols:

* **Kerberos:** Uses ticket-based auth (TGT, STs)
* **NTLM:** Legacy, but still present. Challenge-response authentication based on the password hash.

These are juicy targets for lateral movement and privilege escalation.
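Because NTLM and unsigned SMB are what make those lateral-movement paths work, a defender's first question is whether a given host still allows them. The following is an added PowerShell example (not from the original post) that reads the three registry values Windows uses for this; the value names and thresholds are Microsoft's documented ones, while the function name `Get-LegacyAuthPosture` and the "Note" wording are this example's own. Run it as an administrator on the host you want to check.

```powershell
# Added example (not from the original post): report whether this host still
# accepts weak NTLM responses and whether it requires SMB signing. The registry
# paths/values are the documented Windows ones; function name is this example's.
function Get-LegacyAuthPosture {
    $checks = @(
        @{ Name    = 'LM compatibility level'
           Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
           Value   = 'LmCompatibilityLevel'
           # 5 = send NTLMv2 only and refuse LM and NTLMv1 responses
           Ok      = { param($v) $v -ge 5 }
           Finding = 'LM/NTLMv1 responses may still be sent or accepted' },
        @{ Name    = 'SMB server signing required'
           Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
           Value   = 'RequireSecuritySignature'
           Ok      = { param($v) $v -eq 1 }
           Finding = 'inbound SMB sessions can be unsigned (relay risk)' },
        @{ Name    = 'SMB client signing required'
           Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
           Value   = 'RequireSecuritySignature'
           Ok      = { param($v) $v -eq 1 }
           Finding = 'outbound SMB sessions can be unsigned (relay risk)' }
    )
    foreach ($c in $checks) {
        # A missing value means the OS default applies, which is not "required".
        $raw = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        $pass = ($null -ne $raw) -and (& $c.Ok $raw)
        [pscustomobject]@{
            Check   = $c.Name
            Current = if ($null -eq $raw) { 'not set (OS default)' } else { $raw }
            Status  = if ($pass) { 'OK' } else { 'REVIEW' }
            Note    = if ($pass) { '' } else { $c.Finding }
        }
    }
}

Get-LegacyAuthPosture | Format-Table -AutoSize
```

These values are normally pushed by GPO ("Network security: LAN Manager authentication level" and "Microsoft network server/client: Digitally sign communications (always)"), so a "REVIEW" result on a domain member usually points back to a missing or unenforced policy rather than to the host itself.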

## Active Directory in the Cloud

Welcome to Azure AD — the cloud-native, SaaS-backed cousin of on-prem AD. It brings better defaults for security, but introduces some new terminology and technologies. Here’s a quick comparison:

* **LDAP** in Windows AD is replaced with **REST APIs** in Azure AD
* **NTLM** becomes **OAuth/SAML**
* **Kerberos** shifts to **OpenID Connect**
* The concept of **Domain and Forests** changes to **Tenants**
* **Trusts** are replaced with **Guest access** mechanisms

Cloud ADs are more secure out of the box, but still vulnerable. Time to evolve your attacks, ninja-style.

## Hands-On Lab

> For this lab, I used TryHackMe's Active Directory Basics.

[TryHackMe: Active Directory Basics](https://tryhackme.com/room/winadbasics)

Now that we have talked about Active Directory and understand the theory of it, let’s take a hands-on look. I recommend having basic knowledge of PowerShell before trying this lab. We’ll be taking a look at the internals of Active Directory by using PowerShell commands to view computers, users, and groups.

**Lab Setup**

1. Deploy the machine and Attackerbox
2. SSH or RDP into the machine

**Credentials:**

**Username:** Administrator

**Password:** password123@

**Domain:** CONTROLLER.local

**PowerView Setup**

1. `cd Downloads` — navigate to the directory PowerView is in
2. `powershell -ep bypass` — load a PowerShell shell with execution policy bypassed.
3. `. .\PowerView.ps1` — dot-source the script so PowerView’s functions are loaded into the current session

**Lab Overview**

I will help you with a few commands; the rest is up to you. Use the [PowerView CheatSheet by HarmJ0Y](https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993) and explore the domain like a pro.

**Example Commands:**

```
Get-NetComputer -fulldata | select operatingsystem
Get-NetUser | select cn
```

**Remote Access (Optional):**

```
xfreerdp /u:Administrator /p:'password123@' /v:10.10.252.212 /size:90%
```

**Command Walkthrough:**

```
cd Downloads

powershell -ep bypass

. .\PowerView.ps1
```

**Check OS versions**:

```
Get-NetComputer -fulldata | select operatingsystem
```

Output will include:

* Windows Server 2019 Standard
* Windows 10 Enterprise Evaluation

Check user list:

```
Get-NetUser | select cn
```

Look for second Admin name: `Admin2`

Enumerate Groups:

```
Get-NetGroup -GroupName *
```

Spot the group with a capital “V”: `Hyper-V Administrators`

Alternative:

```
net localgroup
```

Find SPN users with elevated privileges:

```
Get-NetUser -SPN | ?{$_.memberof -match 'Domain Admins'}
```

You’ll discover the `SQL Service` user with the password in the description.

Finally, dive deep with full user data:

```
Get-ADUser -identity SQLService -properties *
```

Check the `PasswordLastSet` field: `5/13/2020 8:26:58 PM`
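The three things the walkthrough finds by hand (a service account with an SPN sitting in Domain Admins, a credential left in a description field, and a password that has not been rotated for years) are exactly what a periodic audit should catch. Here is an added PowerShell example, not from the TryHackMe room or the original post, that gathers them with the RSAT `ActiveDirectory` module. The function name `Find-RiskyServiceAccounts`, the 365-day threshold and the keyword list are this example's own choices; run it as a domain user with read access to the directory.

```powershell
# Added example (not from the original post or the TryHackMe room): audit every
# account that has an SPN for the three weaknesses the lab exposes. Function name,
# the 365-day threshold and the keyword list are this example's own choices.
Import-Module ActiveDirectory

function Find-RiskyServiceAccounts {
    param(
        [string[]]$PrivilegedGroups  = @('Domain Admins', 'Enterprise Admins', 'Administrators'),
        [int]     $MaxPasswordAgeDays = 365,
        [string[]]$SecretWords        = @('password', 'passwd', 'pwd', 'pass:')
    )
    # Resolve privileged membership once, following nested groups.
    $privileged = @{}
    foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $privileged[$_.DistinguishedName] = $g }
    }
    $cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
    $props  = 'ServicePrincipalName', 'Description', 'PasswordLastSet', 'Enabled'

    Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties $props | ForEach-Object {
        $reasons = @()
        if ($privileged.ContainsKey($_.DistinguishedName)) {
            $reasons += "SPN account is a member of $($privileged[$_.DistinguishedName])"
        }
        foreach ($w in $SecretWords) {
            # Description is free text; a match is a prompt to look, not proof.
            if ($_.Description -and $_.Description -match [regex]::Escape($w)) {
                $reasons += 'description looks like it contains a credential'
                break
            }
        }
        if ($_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff) {
            $reasons += "password last set $($_.PasswordLastSet.ToShortDateString())"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Account  = $_.SamAccountName
                Enabled  = $_.Enabled
                SPNs     = ($_.ServicePrincipalName -join '; ')
                Findings = ($reasons -join '; ')
            }
        }
    }
}

Find-RiskyServiceAccounts | Format-Table -AutoSize -Wrap
```

Against the lab domain this should list `SQLService` with all three findings; in a real environment the fix is the usual one: move the service to a group-managed service account or at least a long random password, strip it from privileged groups, and clear the description.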

Now you’re on your own — go explore, enumerate, and understand how attackers see the network.

## Conclusion

Active Directory is everywhere — from SMBs to Fortune 500s. If you’re serious about cybersecurity, mastering AD is non-negotiable.
