simondotsh
Sep 7, 11 tweets, 4 min read
I finished reading this Active Directory book. While the latest edition was released in 2013, it contains plenty of information still relevant to this day.

Below are 10 tricks or fun facts from the book that you may find useful in infosec.

🧵 (0/10)
(1/10) Ambiguous Name Resolution

Are you looking for an object in the directory, but unsure which attribute contains your known value?

In your LDAP query, use the filter "(anr=value)". This would result in the following query for the value "Joe Richards":
(2/10) Read-Only Domain Controller (RODC) Password Caching

RODCs are designed to be compromised without impacting a domain. As such, they do not store secrets, unless configured to do so.

"msDS-RevealedList" on the RODC object lists principals with passwords currently cached.
(3/10) RODC Delegated Admins

The attribute "managedBy" on the RODC computer object lists the principals that have been given local administration privileges on it. With these privileges, you can retrieve cached secrets in the NTDS database.
(4/10) Sites and Subnets

Subnets must be defined in sites as AD objects for various purposes, such as replication and locating the nearest DC.

These objects can be found at "CN=Subnets,CN=Sites,CN=Configuration,DC=contoso,DC=com", and may be useful for reconnaissance.
(5/10) Fine-Grained Password Policies

Users can have a different password policy applying to them than what is defined domain-wide.

"msDS-ResultantPso" will let you know if this is the case, and should be kept in mind when Kerberoasting or spraying.
(6/10) SMTP Replication (ISM-SMTP)

Site links can be configured to use SMTP, meaning that a DC may replicate over SMTP across links. This was originally created in order to support links with poor connections. Note that secrets will not replicate over SMTP.
(7/10) Service Connection Point (SCP)

SCP objects are for hosted services in an environment, for instance AD LDS instances. Typically, these will be published under computer objects that host them. You can query their attribute "serviceBindingInformation" to discover locations.
(8/10) Active Directory-Integrated DNS (ADI DNS)

ADI DNS zones are stored in AD. Therefore, principals can be delegated access over them.

Domain-wide zones location: "DC=DomainDnsZones,DC=contoso,DC=com".
Forest-wide zones location: "DC=ForestDnsZones,DC=contoso,DC=com".
(9/10) Implicit Service Principal Name (SPN)

In a ticket-granting service (TGS) request, the DC first tries to explicitly match the requested service name to an SPN attribute in AD. If none is found, it looks for an implicit match.

See "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration".
(10/10) In-Chain Matching Rule

You can find all nested members of a group, or all nested groups of a user with a raw LDAP query. Use the Object Identifier (OID) "1.2.840.113556.1.4.1941" like so:
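
As an added example (not from the thread), here is how the filters from (1/10) and (10/10) can be assembled in Python: the ANR filter and the two in-chain filters using the OID above, with the supplied value escaped per RFC 4515 so that a name or DN containing "(", ")", "*" or "\" cannot break or widen the query. Attribute and OID names are as quoted in the thread; the DNs in the comments are constructed samples.

```python
# Added example: build the LDAP filters discussed in the thread.
# The escaping step matters when the value comes from user input or from
# another directory lookup (DNs may legitimately contain "\," or "()").

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # OID quoted in the thread


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: each special character becomes \\XX (two hex digits)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def anr_filter(value: str) -> str:
    """(anr=value): Ambiguous Name Resolution across the ANR attribute set."""
    return "(anr=%s)" % escape_filter_value(value)


def nested_members_of_group(group_dn: str, users_only: bool = False) -> str:
    """All principals that are members of group_dn, directly or through nesting.

    users_only narrows the result to user objects, which is what you usually
    want when reviewing who effectively holds a privileged group's rights.
    """
    chain = "(memberOf:%s:=%s)" % (LDAP_MATCHING_RULE_IN_CHAIN,
                                   escape_filter_value(group_dn))
    if users_only:
        return "(&(objectCategory=person)(objectClass=user)%s)" % chain
    return chain


def nested_groups_of_user(user_dn: str) -> str:
    """All groups user_dn belongs to, directly or through nesting."""
    return "(member:%s:=%s)" % (LDAP_MATCHING_RULE_IN_CHAIN,
                                escape_filter_value(user_dn))


if __name__ == "__main__":
    # Constructed sample DNs; the second contains an escaped comma in its RDN.
    print(anr_filter("Joe Richards"))
    print(nested_members_of_group("CN=Domain Admins,CN=Users,DC=contoso,DC=com", True))
    print(nested_groups_of_user("CN=Richards\\, Joe,OU=Users,DC=contoso,DC=com"))
```

The returned strings are plain LDAP filters and can be passed unchanged to ldapsearch or to a library such as ldap3.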
