Simon Décosse
Penetration tester focusing on Active Directory. Challenge designer at @NorthSec_io CTF.

Sep 7, 2022, 11 tweets

I finished reading this Active Directory book. While the latest edition was released in 2013, it contains plenty of information still relevant to this day.

Below are described 10 tricks or fun facts from the book that you may find useful in infosec.

🧵 (0/10)

(1/10) Ambiguous Name Resolution

Are you looking for an object in the directory, but unsure which attribute contains your known value?

In your LDAP query, use the filter "(anr=value)". This would result in the following query for the value "Joe Richards":

(2/10) Read-Only Domain Controller (RODC) Password Caching

RODCs are designed so that their compromise does not impact the domain. As such, they do not store secrets unless configured to do so.

"msDS-RevealedList" on the RODC object lists principals whose passwords are currently cached.

(3/10) RODC Delegated Admins

The attribute "managedBy" on the RODC computer object lists principals that have been given local administration privileges on it. With these privileges, you can retrieve cached secrets from the NTDS database.

(4/10) Sites and Subnets

Subnets must be defined in sites as AD objects for various purposes, such as replication and locating the nearest DC.

These objects can be found at "CN=Subnets,CN=Sites,CN=Configuration,DC=contoso,DC=com", and may be useful for reconnaissance.

(5/10) Fine-Grained Password Policies

Users can have a different password policy applying to them than what is defined domain-wide.

"msDS-ResultantPSO" will tell you if this is the case, and should be kept in mind when Kerberoasting or spraying.

(6/10) SMTP Replication (ISM-SMTP)

Site links can be configured to use SMTP, meaning that a DC may replicate over SMTP across links. This was originally created in order to support links with poor connections. Note that secrets will not replicate over SMTP.

(7/10) Service Connection Point (SCP)

SCP objects advertise services hosted in an environment, for instance AD LDS instances. Typically, they are published under the computer objects that host them. You can query their attribute "serviceBindingInformation" to discover locations.

(8/10) Active Directory-Integrated DNS (ADI DNS)

ADI DNS zones are stored in AD. Therefore, principals can be delegated access over them.

Domain-wide zones location: "DC=DomainDnsZones,DC=contoso,DC=com".
Forest-wide zones location: "DC=ForestDnsZones,DC=contoso,DC=com".

(9/10) Implicit Service Principal Name (SPN)

In a ticket granting service request, the DC tries to explicitly match the service name to an SPN attribute in AD. If not found, it looks for an implicit match.

See "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration".

(10/10) In-Chain Matching Rule

You can find all nested members of a group, or all nested groups of a user with a raw LDAP query. Use the Object Identifier (OID) "1.2.840.113556.1.4.1941" like so:
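The raw filters behind (1/10) and (10/10), as an added example that is not from the thread: a small Python helper that assembles the ANR and in-chain filters with RFC 4515 escaping, so a value taken from user input cannot alter the filter's logic. The attribute names member/memberOf and the escaping table come from the LDAP standard, not from the thread; sending the filter to a DC (ldapsearch, ldap3) is left to the reader.

```python
"""Build LDAP filters for Ambiguous Name Resolution and the in-chain
matching rule. Added example; returns filter strings only."""

# OID quoted in the thread (LDAP_MATCHING_RULE_IN_CHAIN)
IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 section 3: characters that must be escaped inside a filter value,
# otherwise a caller-supplied value can change the meaning of the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def anr_filter(value: str) -> str:
    """(1/10): let the DC search its ANR attribute set for the value."""
    return f"(anr={escape_filter_value(value)})"


def nested_members_of_group(group_dn: str) -> str:
    """(10/10): objects that are transitively members of group_dn."""
    return f"(memberOf:{IN_CHAIN}:={escape_filter_value(group_dn)})"


def nested_groups_of_user(user_dn: str) -> str:
    """(10/10): groups that transitively contain user_dn."""
    return f"(member:{IN_CHAIN}:={escape_filter_value(user_dn)})"


def users_in_group(group_dn: str) -> str:
    """Same as nested_members_of_group but restricted to user objects."""
    return f"(&(objectClass=user){nested_members_of_group(group_dn)})"


if __name__ == "__main__":
    # Constructed sample DNs for a fictional contoso.com forest.
    print(anr_filter("Joe Richards"))
    print(nested_groups_of_user("CN=Joe Richards,OU=Users,DC=contoso,DC=com"))
    print(users_in_group("CN=Domain Admins,CN=Users,DC=contoso,DC=com"))
    # An injection attempt is neutralised by escaping:
    print(anr_filter("*)(objectClass=*"))
```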
