I keep seeing people on here saying Active Directory is their weakness or that they’re not very comfortable with AD. For me personally though, I’ve got quite a lot of experience with it from working as a Windows network admin for several years, then writing tools that report on AD objects and permissions.
So would there be much interest in me making a video explaining some fundamental AD concepts?
It wouldn’t really be a tutorial on how to attack AD. More of just a tutorial about how AD works in general so that you’ve got a good grasp of the fundamentals. Some example things I’d probably cover:
Permissions
LDAP queries
How to structure AD object paths
Commonly used LDAP attributes
Group Policy (both AD and Sysvol sides)
DC replication
Kerberos authentication (just a brief summary)
This would take a fair amount of time for me to plan out and record, so yeah just trying to gauge the level of interest in something like this.
If you want to see whether I’m actually any good at explaining things in a video before deciding if you’d watch something like this, you can take a look at the two videos I’ve already done on one of the retired HTB boxes: https://www.youtube.com/channel/UCpoyhjwNIWZmsiKNKpsMAQQ
Oh and if there’s a particular AD related topic you’d like me to cover please mention it here.
Would love to see those, too. Maybe I will then understand why certain things worked with one user, but didn’t work with another even though they seemingly had the same privileges (according to net user and net user /domain)
Any areas in particular you guys would like to see covered? Either in this video or in a more in depth video about a particular part of AD in the future.
EDIT: The video is now up (can’t edit original post to include it as it’s over a week old)
@HomeSen said:
Would love to see those, too. Maybe I will then understand why certain things worked with one user, but didn’t work with another even though they seemingly had the same privileges (according to net user and net user /domain)
Yeah I don’t ever rely on Net User, in fact I can’t remember the last time I even used that command. So yeah there’s definitely alternatives to that if you want to enumerate user accounts and group membership, which I’ll cover.
@VbScrub Back in the days when I had to deal with/administrate AD there were mostly only GUI tools, the net tools and building custom VB scripts utilizing WMI. And it’s tough getting rid of old habits :lol:
Haha yeah net is definitely an old school way of doing it. I want to say it’s a leftover thing from NT4 before Active Directory was even a thing but I might be wrong. But yeah these days there are plenty of alternatives so in the video I’ll demonstrate a few of those.
One thing that has just convinced me to definitely do this video is seeing in one of the recent Windows machine threads about 60% of the recent posts were people struggling to get BloodHound to run, or running it successfully but then not knowing what to do with the information it gave them. It’s a useful tool don’t get me wrong, but I’ve never needed to use it for any of the machines on here so it’s not like it’s absolutely necessary. Seems like it would be good if people didn’t have to rely on it so much as at the end of the day all it’s doing is enumerating group membership and permissions as far as I can see. Two things you can do yourself with various other methods.
Well, IMHO, the biggest advantage of BloodHound is the graphical representation of the (sometimes huge amount of) data. Giving you the ability to map out your path to Domain Admin in complex directory structures.
Absolutely - in the real world it’s very useful. But in these HTB machines, where there’s usually like 2 or 3 interesting groups at most… it’s painful to see people spend hours struggling to get BloodHound working when they could have just manually looked at the groups’ permissions.
I guess it does make for better training for real world scenarios, but I feel like a lot of people here are just doing HTB machines for fun/challenge and aren’t actually going to pentest a real environment. So for those people who just want to complete the boxes, it’s just causing them extra problems most of the time. Again though there’s no problem with people using it if they actually understand the fundamentals behind it and understand the output. But it seems a lot of the time that is not the case.
Will start working on the video in the next couple of days. Thanks for the replies everyone.
One quick video that I’m going to make today is about how and why the Impacket GetNPUsers.py script works, as I see a lot of people using it and not really understanding it. Will post a link when it’s done.
I would be interested in this. Not that AD is a complete weakness for me, but I could use some insight with it. Not to mention Windows SMB and Linux… (your recent box is escaping me right now…Nest) but I’m still plugging away at it.
@SnarkyWolf said:
Not to mention Windows SMB and Linux… (your recent box is escaping me right now…Nest) but I’m still plugging away at it.
I honestly don’t mean this to sound like a smart ■■■■ or anything but what’s hard about Windows SMB? Like there’s not really much to get wrong. Connect to a share path and view the files and folders inside.
On Windows that’s literally as simple as typing the path in to the start menu and pressing enter… then double clicking on files you see that you want to open. I guess from a Linux box it’s a bit more complicated than that but if that’s actually causing problems, there’s yet another reason not to use Linux when attacking Windows machines lol. Bet everyone’s sick of seeing me say that.