As more users and devices are connected to an organization’s network, the need to implement centralized management arises. Imagine having to configure a new user account on each computer within your company each time a new employee is hired, or having to manually configure policies on each device to ensure users are restricted from performing administrative actions. Microsoft Windows Server allows IT professionals to install and configure the role of Active Directory Domain Services (AD DS), enabling IT professionals to centrally manage users, groups, policies, and devices within the domain.

In this chapter, you will gain an understanding of the role, function, and components of Active Directory within an organization. You will learn how to use various tools and techniques to enumerate sensitive information from a Windows domain that can be used to understand the attack path to compromise the domain and the domain controller. Finally...

To follow along with the exercises in this chapter, please ensure that you have met the following hardware and software requirements:

• Kali Linux: https://www.kali.org/get-kali/
• Windows Server 2019: https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2019
• Windows 10 Enterprise: https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise

As an organization grows by increasing the number of employees needed to support its daily business functions, the number of devices connected to the organization’s network increases as well. When an organization is small, there are very few users and computers on the network, and having a dedicated IT team is not always needed. Most importantly, since a small company has very few users, IT professionals can easily create a local user account on each system per employee. However, as the number of users and devices increases to make a medium-sized or large organization, creating local accounts for each user per device is not efficient.

For instance, imagine you need to change a user’s password on their user account and there are over 100 devices in the network – this can be very challenging. Within Microsoft Windows Server, you will find many roles and features that can be installed and configured to help IT professionals provide...

Enumerating will allow you to gather sensitive information about all the objects, users, devices, and policies within the entire Active Directory domain. Such information will provide you with insights into how the organization uses Active Directory to manage its domain. You will also be able to gain a clear idea of how to exploit the trust between domain clients, users, and the domain controller to compromise an organization’s Active Directory domain.

Furthermore, the enumeration of Active Directory provides penetration testers with insights and understanding of the structure, permissions, and policies in place, which are critical for both security assessments and malicious threat actors.

To recap, in Chapter 3, Setting Up for Advanced Penetration Testing Techniques, you learned how to assemble our Redteamlab which we will use in this chapter to help understand and exploit an Active Directory domain. The following diagram shows the topology...

While this chapter focuses on exploiting the trust of the Active Directory roles and services within a Windows environment, there are several types of attacks, such as pass-the-hash, that exploit the security vulnerabilities found within the protocols of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite. When we talk about TCP/IP, we are often referring to network-related technologies and devices. However, the protocols within TCP/IP can be found in the operating system and the applications running on a host device as well. As an aspiring penetration tester, it is important to discover as many techniques as possible and develop strategies to compromise your target.

In this section, you will learn how to discover and exploit security weaknesses found within the underlying network protocols of TCP/IP. These are used within an Active Directory domain to connect clients such as Windows 10 Enterprise systems to a domain controller...

In this chapter, you learned how Active Directory is used within organizations to help their IT teams centrally manage all the users and devices within their network. You have also gained some hands-on experience and the skills needed to extract sensitive information from Active Directory and identify the attack paths to use to compromise the domain. Furthermore, you know how to perform various network-based attacks that take advantage of the trust between domain clients and the domain controller within a network.

I trust that the knowledge presented in this chapter has provided you with valuable insights, supporting your path toward becoming an ethical hacker and penetration tester in the dynamic field of cybersecurity. May this newfound understanding empower you on your journey, allowing you to navigate the industry with confidence and make a significant impact. In the next chapter, Advanced Active Directory Attacks, you will learn how to perform advanced attacks on...

To learn more about the topics that were covered in this chapter, visit the following links:

• Security Account Manager: https://www.techtarget.com/searchenterprisedesktop/definition/Security-Accounts-Manager
• Active Directory Domain Services overview: https://www.techtarget.com/searchenterprisedesktop/definition/Security-Accounts-Manager
• PowerView command list: https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
• BloodHound documentation: https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
• LLMNR/NBT-NS poisoning and SMB relay: https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon

Join our community on Discord

Join our community’s Discord space for discussions with the author and other readers:

https://packt.link/SecNet