
OUR TEAM

The awesome people behind our brand ... and their life motto.

  • Kumar Atul Jaiswal

    Ethical Hacker

    Hacking is a Speed of Innovation And Technology with Romance.

  • Kumar Atul Jaiswal

    CEO Of Hacking Truth

    Loopholes are every major Security,Just need to Understand it well.

  • Kumar Atul Jaiswal

    Web Developer

    Techonology is the best way to Change Everything, like Mindset Goal.

Showing posts with label Active Directory.
  • CVE-2022-26923 A AD Certificate Services


    A certificate signing request (CSR) is one of the first steps towards getting your own SSL/TLS certificate. Generated on the same server you plan to install the certificate on, the CSR contains information (e.g. common name, organization, country) the Certificate Authority (CA) will use to create your certificate.



    This post explores CVE-2022-26923, a vulnerability in Microsoft's Active Directory Certificate Services (AD CS) that allows any AD user to escalate their privileges to Domain Admin in a single hop!



    A brief look at certificate templates


    Windows Active Directory (AD) is not just for identity and access management but provides a significant amount of services to help you run and manage your organisation. Many of these services are less commonly known or used, meaning they are often overlooked when security hardening is performed. One of these services is the Active Directory Certificate Services (AD CS).

    When talking about certificates, we usually only think about the most common ones, such as those used to upgrade website traffic to HTTPS. But these are generally only used for applications that the organisation exposes to the internet. What about all those applications running on the internal network? Do we now have to give them internet access to allow them to request a certificate from a trusted Certificate Authority (CA)? Well, not really. Cue AD CS.

    AD CS is Microsoft's Public Key Infrastructure (PKI) implementation. Since AD provides a level of trust in an organisation, it can be used as a CA to prove and delegate trust. AD CS is used for several things, such as encrypting file systems, creating and verifying digital signatures, and even user authentication, making it a promising avenue for attackers. What makes it an even more dangerous attack vector is that certificates can survive credential rotation, meaning even if a compromised account's password is reset, that will do nothing to invalidate the maliciously generated certificate, providing persistent credential theft for up to 10 years! The diagram below shows what the flow for certificate requests and generation looks like.

    [Diagram: AD CS certificate request and issuance flow]


    Since AD CS is such a privileged function, it normally runs on selected domain controllers, meaning normal users can't really interact with the service directly. On the other hand, organisations tend to be too large to have an administrator create and distribute each certificate manually. This is where certificate templates come in. Administrators of AD CS can create several templates that allow any user with the relevant permissions to request a certificate themselves. These templates have parameters that say which user can request the certificate and what is required. What SpecterOps found was that specific combinations of these parameters can be incredibly toxic and be abused for privilege escalation and persistent access!



    Before we dive deeper into certificate abuse, some terminology:


    • PKI - Public Key Infrastructure is a system that manages certificates and public key encryption
    • AD CS - Active Directory Certificate Services is Microsoft's PKI implementation which usually runs on domain controllers
    • CA - Certificate Authority is a PKI that issues certificates
    • Certificate Template - a collection of settings and policies that defines how and when a certificate may be issued by a CA
    • CSR - Certificate Signing Request is a message sent to a CA to request a signed certificate
    • EKU - Extended/Enhanced Key Usage are object identifiers that define how a generated certificate may be used





    1) What does the user create to ask the CA for a certificate?

    Ans :- Certificate Signing Request



    2) What is the name of Microsoft's PKI implementation?

    Ans :- Active Directory Certificate Services




    Client Authentication


    As discussed in the overview of Certificate Templates, they are convenient to allow users and systems to enrol for certificates. Certificates have many use cases in the network. For CVE-2022-26923 and the template misconfigurations discovered by SpecterOps, the primary focus is on the Client Authentication use case.


    Client Authentication allows the owner of the certificate to use it to verify their own identity in AD for authentication purposes. For example, a client certificate is used to authenticate against a web application. The authentication process occurs through Kerberos. If we have a valid certificate that has the Client Authentication EKU, we can interface with AD CS and the Key Distribution Centre to request a Kerberos TGT that can then be used for further authentication.


    As an attacker, we can leverage this to generate a TGT to impersonate another user or system, should we have a valid certificate for them. In essence, we want to be able to modify the Subject Alternative Name (SAN) attribute of the certificate request to point to someone or something else, that has more permissions to perform privilege escalation.




    Default Certificate Templates


    By default, when AD CS is installed in an environment, two certificate templates are made available for requests that support Client Authentication:


    User Certificate Template - This certificate template can be requested by any user that belongs to the Domain Users group.

    Machine Certificate Template - This certificate template can be requested by any host that belongs to the Domain Computers group.



    The User Template is not vulnerable by default. When we request a certificate based on the User template, the User Principal Name (UPN) of the user account will be embedded in the SAN so that it can be used for identification. Since UPNs must be unique, and we usually do not have the ability to modify our UPN, we cannot leverage this template. Furthermore, since we don't have the ability to alter the SAN value in the certificate signing request, we cannot impersonate another user by specifying their UPN.


    However, computer accounts do not have a UPN. Instead of using a UPN for authentication, the Machine template uses the DNS Name of the machine for identification and authentication. When a certificate is requested for a machine through the Machine template, AD CS embeds the machine's DNS Name into the SAN, which is then used for authentication.




    Default Domain User Privileges


    By default, any user who is a member of the Authenticated Users group (literally all AD accounts) can enrol up to 10 new machines on the domain. This is often used in organisations to allow users to bring their own device (BYOD) and enrol it for use on the domain. This in itself is not really a vulnerability, but it has led to some interesting privilege escalation vectors in the past, which is exactly what we will be exploiting for this CVE.


    When we enrol a new host in AD, we are assigned as the owner of that host. This provides us with certain permissions over the AD Object associated with that host. Two permissions in particular cause an issue here:


    Validated write to DNS hostname - This permission allows us to update the DNS hostname of the AD Object associated with the host.

    Validated write to Service Principal Name (SPN) - This permission allows us to update the SPN of the AD Object associated with the host.


    SPNs are used by Kerberos authentication to associate a service instance with a service logon account. By default, the Computer AD Object receives SPNs associated with their name to allow for Kerberos authentication, which the host requires to perform specific requests against AD. SPNs must be unique, meaning two AD Objects are not allowed to have the same SPN.


    You would think it would be as simple as changing the DNS hostname to another hostname, maybe the hostname of a Domain Controller for privilege escalation? However, if you change the DNS hostname, Microsoft automatically updates the SPN attribute. Since those must be unique, we will get an error if we try to impersonate another host through the DNS hostname attribute. But since we have the ability also to change the SPN, we can bypass this restriction.


    The pieces of the puzzle should now start to come together. If we only had one of the two permissions, we would not have a vulnerability. However, the combination of having those two permissions allows us to perform privilege escalation.




    Putting it all Together


    Using these configurations, the default AD CS Machine certificate template, the default ability to enrol a new machine, and the default permissions assigned on the created Computer AD Object, we have a privilege escalation vector on our hands. What makes it worse is that this privilege escalation vector requires minimal effort, meaning the attacker's skill level to exploit this issue is quite low. The basic steps are the following:



    1. Compromise the credentials of a low-privileged AD user.
    2. Use those credentials to enrol a new host on the domain.
    3. Alter the DNS hostname attribute of the Computer AD Object to that of a privileged host, such as a Domain Controller.
    4. Remove the SPN attribute to bypass the unique SPN conflict issue.
    5. Request a Machine certificate using the default template.
    6. Perform Kerberos authentication with the received certificate, now as the privileged machine account instead of our fake machine account.

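    A defender-side check for the traces that steps 3 and 4 leave behind, as an added example (not code from the original post): it audits exported computer objects for a dNSHostName that does not match the account name, for missing HOST/ SPNs, and for a dNSHostName claimed by more than one account, and records whether the object was created through the machine account quota. The record layout, the domain corp.example and the sample objects are constructed for this example.

```python
"""Audit exported AD computer objects for traces of CVE-2022-26923 abuse.

Added example; not part of the original post. Input is a list of dicts keyed
by LDAP attribute name, as an LDAP export would give them. The domain name
and the sample objects below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

DOMAIN_DNS = "corp.example"  # constructed domain, not a real environment

# Constructed sample export: a real DC, a BYOD workstation created through the
# machine account quota, and an object that claims the DC's DNS name.
SAMPLE_COMPUTERS = [
    {"sAMAccountName": "DC01$", "dNSHostName": "dc01.corp.example",
     "servicePrincipalName": ["HOST/dc01.corp.example", "HOST/DC01",
                              "ldap/dc01.corp.example"]},
    {"sAMAccountName": "WS-ALICE$", "dNSHostName": "ws-alice.corp.example",
     "servicePrincipalName": ["HOST/ws-alice.corp.example", "HOST/WS-ALICE"],
     "mS-DS-CreatorSID": "S-1-5-21-1111-2222-3333-1105"},
    {"sAMAccountName": "FAKEPC$", "dNSHostName": "dc01.corp.example",
     "servicePrincipalName": [],
     "mS-DS-CreatorSID": "S-1-5-21-1111-2222-3333-1105"},
]


@dataclass
class Finding:
    sam: str                         # sAMAccountName of the computer object
    reasons: list = field(default_factory=list)
    created_by_quota: bool = False   # mS-DS-CreatorSID is only set on objects
                                     # a non-admin created through the quota


def expected_dns_host(sam_account_name, domain_dns):
    """A joined host NAME$ normally carries dNSHostName name.<domain>."""
    return f"{sam_account_name.rstrip('$')}.{domain_dns}".lower()


def audit_computer(obj, domain_dns):
    """Check one object for the two attribute changes the technique relies on."""
    sam = obj.get("sAMAccountName", "")
    dns = (obj.get("dNSHostName") or "").lower()
    spns = [s.lower() for s in obj.get("servicePrincipalName", [])]
    finding = Finding(sam, created_by_quota=bool(obj.get("mS-DS-CreatorSID")))

    expected = expected_dns_host(sam, domain_dns)
    if dns and dns != expected:
        finding.reasons.append(
            f"dNSHostName {dns!r} does not match account name (expected {expected!r})")
    # A joined host keeps HOST/<name> and HOST/<fqdn> SPNs; clearing them is how
    # the uniqueness check on SPNs is sidestepped.
    if not any(s.startswith("host/") for s in spns):
        finding.reasons.append("no HOST/ service principal names")
    return finding


def audit(objects, domain_dns=DOMAIN_DNS):
    """Return findings for every object that shows at least one warning sign."""
    findings = {o["sAMAccountName"]: audit_computer(o, domain_dns) for o in objects}

    # Two objects claiming the same dNSHostName is the direct symptom of step 3.
    by_dns = defaultdict(list)
    for o in objects:
        dns = (o.get("dNSHostName") or "").lower()
        if dns:
            by_dns[dns].append(o["sAMAccountName"])
    for dns, sams in by_dns.items():
        if len(sams) > 1:
            for sam in sams:
                others = ", ".join(s for s in sams if s != sam)
                findings[sam].reasons.append(f"dNSHostName {dns!r} also claimed by {others}")

    return [f for f in findings.values() if f.reasons]


def machine_account_quota_ok(quota):
    """ms-DS-MachineAccountQuota on the domain object: 0 removes the enrolment
    step the technique depends on (the default is 10)."""
    return quota == 0


if __name__ == "__main__":
    for f in audit(SAMPLE_COMPUTERS):
        tag = " (created via quota)" if f.created_by_quota else ""
        print(f"{f.sam}{tag}")
        for r in f.reasons:
            print(f"  - {r}")
```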



    1) Which EKU allows us to use the generated certificate for Kerberos authentication?

    Ans :- Client Authentication



    2) What AD group can request a certificate using the Machine Certificate Template?

    Ans :- Domain Controller



    3) What value in the Machine Certificate is used for identification and authentication?

    Ans :- DNS Hostname



    To be continued... Exploitation soon.





    Disclaimer

     

    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. They do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.


  • Critical samba bug lurking in your system

    Critical samba bug lurking in your system CVE-2021-44141 and CVE-2022-0336


    Understanding SMB


    SMB - Server Message Block Protocol - is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network.

    Servers make file systems and other resources (printers, named pipes, APIs) available to clients on the network. Client computers may have their own hard disks, but they also want access to the shared file systems and printers on the servers. The SMB protocol is known as a request-response protocol, meaning that it transmits multiple messages between the client and server to establish a connection. Clients connect to servers using TCP/IP (actually NetBIOS over TCP/IP as specified in RFC1001 and RFC1002), NetBEUI or IPX/SPX.

    How does SMB work?

    Once they have established a connection, clients can then send commands (SMBs) to the server that allow them to access shares, open files, read and write files, and generally do all the sort of things that you want to do with a file system. However, in the case of SMB, these things are done over the network.


     

    Also read- All about SMB and enum4linux with Questions/Answer

     

    Also read- Samba and exploitation too



    Samba Active Directory


    The Samba AD DC includes checks when adding service principal names (SPNs) to an account to ensure that SPNs do not alias with those already in the database. Some of these checks are able to be bypassed if an account modification re-adds an SPN that was previously present on that account, such as one added when a computer is joined to a domain. An attacker who has the ability to write to an account can exploit this to perform a denial-of-service attack by adding an SPN that matches an existing service. Additionally, an attacker who can intercept traffic can impersonate existing services, resulting in a loss of confidentiality and integrity.




    According to the CERT Coordination Center (CERT/CC), the flaw also affects widely used Linux distributions such as Red Hat, SUSE Linux, and Ubuntu.

    The vulnerability, rated 9.9 on the CVSS scale, has been credited to security researcher Orange Tsai from DEVCORE, who last year disclosed the widely-exploited flaws in Microsoft Exchange Server. Additionally, the fix has been issued in Samba versions 4.14.12 and 4.15.5.



    Samba administrators are advised to upgrade to the latest releases (4.13.17, 4.14.12, and 4.15.5) or apply a patch as soon as possible. Mitigation short of patching would involve changing Samba configuration files so that the vulnerable vfs_fruit module doesn’t run. “The specific flaw exists within the parsing of EA metadata when opening files in SMBD,” an advisory on the flaw from developers of Samba explains.

    Write access to extended file attributes is needed in order to exploit the flaw, but such permissions are granted to guest or unauthenticated users.




    Also addressed by Samba are two additional flaws:


    • CVE-2021-44141 (CVSS score: 4.2) - Information leak via symlinks of existence of files or directories outside of the exported share (Fixed in Samba version 4.15.5)


    • CVE-2022-0336 (CVSS score: 3.1) - Samba AD users with permission to write to an account can impersonate arbitrary services (Fixed in Samba versions 4.13.17, 4.14.12, and 4.15.4)



    Samba administrators are recommended to upgrade to these releases or apply the patch as soon as possible to mitigate the defect and thwart any potential attacks exploiting the vulnerability.




  • Intro to windows - active directory and Azure active directory

    Windows history


    On November 20, 1985, Microsoft announced its operating system named Windows, a graphical operating system shell created as a response to the growing use of GUIs (graphical user interfaces). At the moment Windows dominates the world of computers with around 90% market share, having overtaken Apple (Mac OS), which was introduced in 1984.



    Windows versions:

    •     Windows 1
    •     Windows 2
    •     Windows 2.x
    •     Windows 3.x
    •     Windows 95
    •     Windows 98
    •     Windows NT
    •     Windows XP
    •     Windows Vista
    •     Windows 7
    •     Windows 8.x
    •     Windows 10



    Windows server versions:



    •     Windows Server 2003
    •     Windows Server 2008
    •     Windows Server 2012 / 2012 R2
    •     Windows Server 2016
    •     Windows Server 2019


    Read a little about Windows history and versions.

    1) When was Windows announced?

    Ans :- November 20 1985



    2) Which is the latest version of Windows?

    Ans :- windows 10



    3) Which is the latest version of Windows Server?


    Ans :- windows server 2019




    Task 2 Windows file system and permissions explained


    What is the file system?



    It is the method and data structure that an operating system uses to keep track of files on a disk or partition. Without a file system, the information saved in a storage media would be one large body of data with no way to tell where the information begins and ends.



    Windows file system structure is:


    • Logical drives (Ex: Local Disk C)
    • Folders (these are the folders that come by default. Ex: Documents, Downloads, Music)
    • Files




    Something that might also interest you would be the folders located on the C drive and their role. These folders are:



    •     PerfLogs
    •     Program Files
    •     Program Files (x86)
    •     Users
    •     Windows




    Let me break them down and explain each of them:


    • PerfLogs - Stores the system issues and other reports regarding performance
    • Program Files and Program Files (x86) - Is the location where programs install unless you change their path (Ex: Choosing to install software on D drive)
    • Users - In this folder are stored the users created. It also stores users generated data (Ex: Saving a file on your Desktop)
    • Windows - It's the folder which basically contains the code to run the operating system and some utility tools (we'll talk about them later)


    File permissions


    File permissions can be set by an administrator or a privileged account. These permissions can be applied to:

    •     Users
    •     Groups

       

    Permissions that can be set are:


    •     Full control
    •     Modify
    •     Read & execute
    •     List folders content
    •     Read
    •     Write
    •     Special permissions

       
       

    • Full control - allows the user/users/group/groups to set the ownership of the folder, set permissions for others, modify, read, write, and execute files.
    • Modify - allows the user/users/group/groups to modify, read, write, and execute files.
    • Read & execute - allows the user/users/group/groups to read and execute files.
    • List folder contents - allows the user/users/group/groups to list the contents (files, subfolders, etc.) of a folder.
    • Read - only allows the user/users/group/groups to read files.
    • Write - allows the user/users/group/groups to write data to the specified folder (automatically set when the "Modify" right is checked).

     


    Note: You can allow or deny permissions for users or groups.

    To set permissions for a file or folder, right-click on the file and select "Properties". Go to the "Security" tab and click on the "Edit" button.

    [Screenshot: Security tab of the folder Properties dialog]

    As you can see, Users can only read, execute, and list the folder contents. However, we want to allow them to be able to store, edit, or delete files inside that folder. To do that, check the "Modify" box (you will see that by checking the Modify box the Write box will be automatically checked too).

    [Screenshot: permission entry with Modify and Write checked]

    To apply the changes click on the "Apply" button.



    The reason we do not set the full control permission on the folder is that users could set permissions and take ownership of the folder themselves (without the action of an administrator/privileged user).

    A tool you can use to check the file or folder permissions is "icacls".

    [Screenshot: icacls output for the folder]

    Let's explain what those letters in parentheses mean as right now you might be confused.

    • I - permission inherited from the parent container
    • F - full access (full control)
    • M - Modify right/access
    • OI - object inherit
    • IO - inherit only
    • CI - container inherit
    • RX - read and execute
    • AD - append data (add subdirectories)
    • WD - write data and add files




    You can use icacls to check permissions, set ownership of the folder, set, remove or deny permissions. An example would be setting the ownership of the folder to Users.
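    To make those codes concrete, here is an added example (not code from the original post) that parses icacls output into readable entries and then answers which identities can write to the folder, skipping inherit-only entries and honouring deny entries. The sample output, the folder path C:\Share and the helper names are constructed for this example.

```python
"""Decode icacls output into readable ACEs and answer "who can write here?".

Added example; not from the original post. The sample output is constructed
to mirror what `icacls C:\\Share` prints for a folder; the decode tables are
the documented icacls flag codes (the ones listed above plus the rest).
"""
import re
from dataclasses import dataclass

INHERITANCE = {"I": "inherited", "OI": "object inherit", "CI": "container inherit",
               "IO": "inherit only", "NP": "no propagate inherit"}
SIMPLE_RIGHTS = {"N": "no access", "F": "full control", "M": "modify",
                 "RX": "read & execute", "R": "read", "W": "write", "D": "delete"}
SPECIFIC_RIGHTS = {"AD": "append data / add subdirectory", "WD": "write data / add file",
                   "RD": "read data / list directory", "X": "execute / traverse",
                   "DC": "delete child", "DE": "delete", "RA": "read attributes",
                   "WA": "write attributes", "REA": "read extended attributes",
                   "WEA": "write extended attributes", "WO": "write owner",
                   "WDAC": "write DAC", "RC": "read control", "S": "synchronize",
                   "GR": "generic read", "GW": "generic write",
                   "GE": "generic execute", "GA": "generic all"}
# Any of these lets the holder add or change content in the folder.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "GW", "GA"}

# Constructed sample, shaped like `icacls C:\Share` output.
SAMPLE_ICACLS = r"""C:\Share BUILTIN\Administrators:(I)(OI)(CI)(F)
         NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
         BUILTIN\Users:(I)(OI)(CI)(RX)
         BUILTIN\Users:(I)(CI)(AD)
         BUILTIN\Users:(I)(CI)(WD)
         CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""


@dataclass
class Ace:
    identity: str
    deny: bool
    flags: list          # codes in printed order, e.g. ["I", "OI", "CI", "F"]

    @property
    def inherit_only(self):
        return "IO" in self.flags

    def describe(self):
        rights = ", ".join(SIMPLE_RIGHTS.get(c) or SPECIFIC_RIGHTS.get(c) or c
                           for c in self.flags if c not in INHERITANCE)
        inh = ", ".join(INHERITANCE[c] for c in self.flags if c in INHERITANCE)
        text = f"{self.identity}: {'deny' if self.deny else 'allow'} {rights}"
        return f"{text} [{inh}]" if inh else text


def parse_icacls(output, path):
    """Parse icacls text for `path`; returns the ACEs in the order printed."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):           # the first line carries the path
            line = line[len(path):].strip()
        who, sep, flags = line.rpartition(":")
        if not sep or not flags.startswith("("):
            continue                        # blank line or the summary line
        codes = []
        for group in re.findall(r"\(([^)]*)\)", flags):
            codes.extend(c.strip() for c in group.split(",") if c.strip())
        deny = "DENY" in codes
        aces.append(Ace(who.strip(), deny, [c for c in codes if c != "DENY"]))
    return aces


def writable_by(aces):
    """Identities able to write to the folder itself. Inherit-only ACEs apply
    to children, not the folder, so they are skipped; a deny ACE wins."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace.inherit_only:
            continue
        if WRITE_RIGHTS & set(ace.flags):
            (denied if ace.deny else allowed).add(ace.identity)
    return sorted(allowed - denied)


def full_control(aces):
    """Identities holding (F), the right the text advises against giving to
    Users because it lets them take ownership of the folder."""
    return sorted({a.identity for a in aces if "F" in a.flags and not a.deny})


if __name__ == "__main__":
    acl = parse_icacls(SAMPLE_ICACLS, r"C:\Share")
    for ace in acl:
        print(ace.describe())
    print("writable by:", writable_by(acl))
    print("full control:", full_control(acl))
```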


    To check if that applied you can right-click on the folder and select "Properties", go to the "Security" tab, and click on "Advanced". There you should be able to see that the owner is "Users".

    [Screenshot: Advanced Security Settings showing the owner]

    Read the above.

    In which folder are users profiles stored?


    Ans :- users

     

     

    Task 3 Understanding the authentication process



    What is authentication?


    Authentication is a process for verifying the identity of a person (or an object or a service). When you authenticate a person, the goal is to verify that the person is not an imposter.


    Local authentication


    Local authentication is done using the Local Security Authority (LSA). LSA is a protected subsystem that keeps track of the security policies and the accounts that are on a computer system. It also maintains information about all aspects of local security on a computer.



    Types of Active Directory

    There are two types of Active Directory:

    • On-Premise Active Directory (AD)
    • Azure Active Directory (AAD)




    Authentication on On-Premise Active Directory

    [Diagram: on-premise Active Directory authentication]

    On-premise Active Directory has a record of all users, PCs and Servers and authenticates the users signing in (the network logon). Once signed in, Active Directory also governs what the users are, and are not, allowed to do or access (authorization).


    In an on-premise Active Directory environment the authentication can be made by using the following protocols:


    •     NTLM
    •     LDAP / LDAPS
    •     KERBEROS




    NTLM / NTLM 2

    _______________

    NTLM uses a challenge-response sequence of messages between a client and a server system. NTLM provides authentication based on a challenge-response authentication scheme. It does not provide data integrity or data confidentiality protection for the authenticated network connection.

    [Diagram: NTLM challenge-response exchange]


    LDAP / LDAPS

    _______________

    The main difference between LDAP and LDAPS is that LDAPS supports encryption, and therefore the credentials are not sent in plain text across the network.

    Another thing to keep in mind is that the Domain Controller (DC) can be considered a database of users, groups, computers and so on (it contains information about objects). Using LDAP/LDAPS, the user's workstation sends the credentials using an API to the Domain Controller in order to validate them and be able to log in.

    The procedure is similar to the image below:

    [Diagram: LDAP authentication against the Domain Controller]


    KERBEROS

    _______________

    Another way to authenticate is using Kerberos. Kerberos uses symmetric-key cryptography and requires trusted third-party authorization to verify user identities. The authentication process is similar to the one below:

    [Diagram: Kerberos authentication exchange]


    Authentication on Azure Active Directory



    Azure Active Directory is a secure online authentication store, which can contain users and groups. Users have a username and a password which are used when you sign in to an application that uses Azure Active Directory for authentication. So, for example, all of the Microsoft Cloud services use Azure Active Directory for authentication: Office 365, Dynamics 365 and Azure.

    [Diagram: Azure Active Directory authentication]


    Azure Active Directory supports the following authentication methods:

    •     SAML (Security Assertion Markup Language)
    •     OAUTH 2.0
    •     OpenID Connect




    SAML (Security Assertion Markup Language)

    _______________

    Security Assertion Markup Language (SAML) is a type of Single Sign-On (SSO) standard. It defines a set of rules/protocols that allow users to access web applications with a single login. This is possible because those applications (referred to as “Service Providers”) all trust the systems that verify users’ identities (referred to as “Identity Providers”).

    • Service Providers - These are the systems and applications that users access throughout the day.


    • Identity Providers - This would be the system that performs user authentication.




    OAUTH 2.0


    _______________

    OAuth 2.0 is a standard that apps use to provide client applications with access.

    OAuth 2.0 spec has four important roles:



    • The authorization server, which is the server that issues the access token.
    • The resource owner, normally your application's end-user, that grants permission to access the resource server with an access token.
    • The client, which is the application that requests the access token, and then passes it to the resource server.
    • The resource server, which accepts the access token and must verify that it is valid. In this case, this is your application.




    OpenID Connect

    _______________

    OpenID Connect is an authentication standard built on top of OAuth 2.0. It adds an additional token called an ID token.

    For that, it uses simple JSON Web Tokens (JWT). While OAuth 2.0 is about resource access and sharing, OIDC is all about user authentication.

     

    1) Which Active Directory is cloud based?

    Ans :- Azure Active Directory


    2) Which authentication method does not provide data integrity?

    Ans :- NTLM


    3) Authentication method that assigns a ticket in order for a user to log in?

    Ans :- kerberos


    4) Which authentication method allows users to access applications with a single login (short name)?

    Ans :- SAML


    5) Authentication method that uses JSON Web Tokens?

    Ans :- openID connect



     



    Task 4 Utility tools


    Built-in utility tools

    Windows comes with a variety of utility tools. Some of them are:

    •     Computer Management
    •     Local Security Policy
    •     Disk Cleanup
    •     Registry Editor
    •     Command-line tools


    Let's break each of them down and see their usage and why they are important.


    Computer Management


    Computer Management contains more tools such as:

    •     Task Scheduler
    •     Event Viewer
    •     Shared Folders
    •     Local users & computers
    •     Performance Monitor
    •     Disk Management
    •     Services & Applications


     

    Task Scheduler - This is a tool that allows predefined actions to be automatically executed whenever a certain set of conditions is met (Ex: You can set up a date and time for a piece of software to be installed, or a script to run).

    Event Viewer - Probably one of the most important tools that come with Windows. The Event Viewer logs events that happen across the device (Ex: successful and failed login attempts, system errors, etc.). The reason Event Viewer is important is that it can be used to forward the events to a SIEM (Security Information and Event Management system), which helps the IT team of a company determine possible malicious activities.

    Shared Folders - A directory or folder that can be shared across the network and accessed by multiple users.

    Local users and computers - Using local users and computers we can create users, add them to different built-in groups, and give them different levels of access (Ex: User A can connect through RDP to a machine but user B can't).

    Performance Monitor - Performance Monitor monitors the different activities across the device such as CPU usage, memory usage, etc.

    Disk Management - Using Disk Management you can shrink, expand, create new partitions (drives) and format the partitions.

    Services & Applications - It is possible to check the running services on the system, and you have the ability to start, stop or restart them.


     

    Local Security Policy


    Local Security Policy is a group of settings you can configure to strengthen the computer's security. Even though most policy settings in Windows are fine, there are a few that need adjusting for enhanced security. You can set the minimum password length, the password complexity level, you can disable guest & local administrator accounts, and many more.

    Note: If the computer is not integrated into an Active Directory environment disabling local administrator account is a bad idea.


    Disk Cleanup

    Another useful utility is Disk Cleanup. Using Disk Cleanup we can delete files that are no longer needed by the system and are just taking up disk space. Running Disk Cleanup as administrator, we can also clean system files (Ex: sometimes, after getting updates, some files remain on disk but are no longer needed).

    To access Disk Cleanup right-click on Local Disk C and click Properties. You should see a button in the General tab named "Disk Cleanup".


    [Screenshot: Disk Cleanup dialog]

    You just need to tick the box/files you want to clean and press OK.


    Registry Editor


    The Windows registry database stores many important operating system settings. For example, it contains entries with information about what should happen when double-clicking a particular file type or how wide the taskbar should be. Built-in and inserted hardware also stores information in the registry when the driver is installed; this driver is called up every time the system is booted up.

    To access the Registry Editor you can either search it or use Windows Key + R and type RegEdit.


    Command-line tools


    Windows comes equipped with two command-line tools:


    •     CMD
    •     Powershell
    •     Windows Terminal


    CMD is the command-line interpreter for Microsoft Windows operating systems used to automate various system-related tasks using scripts and batch files. Users can interact with the OS directly using text-based commands. It emulates most of the command line abilities available in MS-DOS through a command-line interface.


    PowerShell is mainly used by sysadmins to manage the network and domain they handle, as well as the computers and other devices that are part of it. PowerShell is both a shell and a scripting language: it can interpret batch commands as well as PowerShell commands, whereas the command prompt can only interpret batch commands.


    Both CMD and Powershell are powerful command-line tools used to automate system administration tasks by writing a script/batch file. However, CMD has limited administration capabilities as compared to Powershell, which, on the other hand, is a more advanced and modern shell implementation with additional features and enhancements (Ex: cmdlets).


    Windows Terminal can be used instead of Powershell and CMD and can be installed from the Microsoft Store. The application includes multiple tab support, alongside themes and customization for developers who want to tweak the Terminal.

    Registry Editor


    The registry can be considered a database that contains low-level settings for Microsoft Windows and its applications. It is organised into the following root keys:

    •     HKEY_CLASSES_ROOT
    •     HKEY_CURRENT_USER
    •     HKEY_LOCAL_MACHINE
    •     HKEY_USERS
    •     HKEY_CURRENT_CONFIG




    A feature of PowerShell is that you can browse the registry like a file system. You can do that by typing "cd <REG DB>" (Example: cd HKLM:\).

     


     


    Windows also has a built-in tool named "reg" which can be used from the command line to add, remove, query, import, export, etc. registry keys.



    A GUI is also available. You can search for "Regedit" or type it in the command line.


    There is no need to memorise the registry paths of particular settings; you can look them up on the internet.
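    As an added example (not from the original post), here is how the two command-line routes to the registry can be turned into a small hardening check of the kind mentioned earlier in the hardening section. The key paths and value names are standard Windows locations, and the "expected" values are the usual hardened settings.

```powershell
# Added example, not part of the original post: read a few security-relevant
# registry values with the PowerShell registry provider and with reg.exe.
# Assumes an elevated PowerShell on a Windows host. The paths and value names are
# standard Windows locations; the expected values are the usual hardened settings.

# The hives are mounted as drives (HKLM:, HKCU:), so file-system cmdlets work on them.
Set-Location 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Get-ChildItem -Path .          # subkeys, if any
Get-ItemProperty -Path .       # values stored under this key (EnableLUA among them)

# Values worth checking on a freshly built server, with the value a hardened host should carry.
$checks = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'EnableLUA';            Expected = 1; Meaning = 'User Account Control is on' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'RunAsPPL';             Expected = 1; Meaning = 'LSA runs as a protected process' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LmCompatibilityLevel'; Expected = 5; Meaning = 'NTLMv2 only; LM and NTLMv1 refused' }
)

function Get-RegistryCheckResult {
    param([hashtable] $Check)
    # Get-ItemProperty errors out if the value is absent; a missing value is a finding of its own.
    $item   = Get-ItemProperty -Path $Check.Key -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Check.Name) } else { 'missing' }
    [pscustomobject]@{
        Value    = $Check.Name
        Actual   = $actual
        Expected = $Check.Expected
        Status   = if ($actual -eq $Check.Expected) { 'OK' } else { 'REVIEW' }
        Meaning  = $Check.Meaning
    }
}

$checks | ForEach-Object { Get-RegistryCheckResult $_ } | Format-Table -AutoSize

# The same value read with the built-in reg.exe tool, which works from CMD as well.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA

# reg export writes a key to a .reg file, a convenient baseline to diff after hardening.
reg export "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" "$env:TEMP\lsa-baseline.reg" /y
```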





    Task 5 Types of servers

    What is a server?

    A server is a piece of hardware or software that provides functionality for other software or devices.




    Types of servers

    Servers can be used for a variety of actions or things. The most common ones are:

    •     Domain Controller
    •     File server
    •     Web server
    •     FTP Server
    •     Mail Server
    •     Database Server
    •     Proxy Server
    •     Application Server



    Domain Controller - Might be the most important server, because in an AD or AAD infrastructure it lets us control users and groups, restrict actions, improve security, and manage many more aspects of the other computers and servers.

    File Server - File servers provide a convenient way to share files across devices on a network.

    Web Server - Serves static or dynamic content to a web browser by loading a file from disk and sending it across the network to the user's browser.

    FTP Server - Makes it possible to move one or more files securely between computers while providing file security and organisation as well as transfer control.

    Mail Server - Mail servers move and store mail over corporate networks (via LANs and WANs) and across the Internet.

    Database Server - A database server is a computer system that provides other computers with services for accessing and retrieving data from one or more databases.

    Proxy Server - This server usually sits between a client program and an external server to filter requests, improve performance, and share connections.

    Application Server - Usually used to connect the database servers and the users.
     

    Read the above.
     

    1) Which can be considered the most important server?

    Ans :- Domain Controller


    2) Which server can store emails?

    Ans :- Mail Server






    Task 6 Users and Groups Management


    Users and Groups Management in Active Directory

    In Active Directory, user management is done using Active Directory Users and Computers (ADUC). To access it go to Tools > Active Directory Users and Computers.



    Before anything else, let's enable Advanced Features, which shows additional tabs when looking at an object's properties. To do that go to View > Advanced Features.



    By double-clicking on thm.lab we are presented with the Active Directory tree.




    Let's create an Organizational Unit (OU) where to store the users. To do that right-click on the domain name (thm.lab) and go to New > Organizational Unit. I named it LAB and clicked OK to create it.




    Let's create two more OUs inside the newly created OU (they will appear nested). In one OU we'll store users and in the second one we'll store groups. To create the OUs we can repeat the steps above (right-click on the LAB OU > New > Organizational Unit).

    Time to create some users and groups! To do so right-click on the Users OU and go to New > User and fill in the information required.




    Click Next and set a password for the user.




    The reason I checked only "Password never expires" is that I do not want the password to expire after a period of time (the default period in AD is 42 days). In a production environment you would probably check "User must change password at next logon" so the user can set a password of their own after you have created the AD account.

    Since the password can be set to expire after a period of time, it would be a bad idea to check "User cannot change password", because the user would not be able to reset the password and you would have to intervene manually.

    As for the last box, "Disable account", it is obvious what it does: it disables the user account. You might want to disable a user account when the user is on leave (say, 6 months) and you do not want them, any other colleague, or a malicious entity to use the account.

    Click on Next and you will be shown the account information and click Finish to finish the account creation.

    Note: The username that is going to be used by the user in order to authenticate is the one you set in the User Logon Name.

    You've successfully created your first AD user. Now, create two more users and name them as you wish.

    We should have three users in the AD:





    Let's move to the Groups OU. Right click on the OU > New > Group.

    I named the group Admins and clicked OK to create it.




    Then I created another group named RDP Access.



    And finally using the same method create one more group named No RDP Access.

    We should have the following groups in AD:



    To assign a user to a group you can do it in two ways:

    1. Right-clicking a user > Add to a group

    2. Double-clicking a group > click on Members tab > Add




    Using the first method, let's add Albert Einstein to the Admins group. A window will prompt you to search for an object in the AD. Type the name of the group you created (in my case Admins) in the "Enter the object names to select" field, click Check Names, then OK to add the user to the specified group.




    Proceed to add one of the created users to the RDP Access group and the other to the No RDP Access group.

    Another thing to keep in mind is that an object can be a member of another object (Ex: A group can be a member of another group).

    We added Albert Einstein to a group named Admins. Let's add the Admins group to the Domain Admins group. To do that we can right-click on Admins group > Add to a group and search for Domain Admins and press OK.




    As we've done with Albert Einstein's account, add both the RDP Access and No RDP Access groups to the Remote Desktop Users group.

    Note: Even though the No RDP Access group is added to the Remote Desktop Users group, the No RDP Access group can still be blocked using a GPO. This will be done in the next task (Creating your first GPO).
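    The same OU, user and group structure built with the ActiveDirectory PowerShell module instead of the ADUC GUI, as an added example that is not part of the original post. It assumes the thm.lab domain from the post and that the module is available on the domain controller; the logon names are made up for the example (the post itself only names Albert Einstein and Jim Carrey).

```powershell
# Added example, not from the original post: the Task 6 OU/user/group layout built with
# the ActiveDirectory module on the thm.lab domain controller. User logon names are made
# up for this example; the post only shows Albert Einstein and Jim Carrey.
Import-Module ActiveDirectory

$domainDN = 'DC=thm,DC=lab'

# 1. LAB OU with nested Users and Groups OUs.
New-ADOrganizationalUnit -Name 'LAB'    -Path $domainDN
New-ADOrganizationalUnit -Name 'Users'  -Path "OU=LAB,$domainDN"
New-ADOrganizationalUnit -Name 'Groups' -Path "OU=LAB,$domainDN"
$usersOU  = "OU=Users,OU=LAB,$domainDN"
$groupsOU = "OU=Groups,OU=LAB,$domainDN"

# 2. Three users. The initial password is read interactively so it never sits in a script.
$initialPassword = Read-Host -Prompt 'Initial password for the lab users' -AsSecureString
$people = @(
    @{ Given = 'Albert'; Surname = 'Einstein'; Sam = 'aeinstein' },
    @{ Given = 'Jim';    Surname = 'Carrey';   Sam = 'jcarrey'   },
    @{ Given = 'Marie';  Surname = 'Curie';    Sam = 'mcurie'    }   # third user, made up here
)
foreach ($p in $people) {
    $userParams = @{
        Name                  = "$($p.Given) $($p.Surname)"
        GivenName             = $p.Given
        Surname               = $p.Surname
        SamAccountName        = $p.Sam          # the User Logon Name used to authenticate
        UserPrincipalName     = "$($p.Sam)@thm.lab"
        Path                  = $usersOU
        AccountPassword       = $initialPassword
        ChangePasswordAtLogon = $true           # the production choice: the user picks their own password
        Enabled               = $true
    }
    New-ADUser @userParams
}

# 3. Security groups in the Groups OU.
foreach ($g in 'Admins', 'RDP Access', 'No RDP Access') {
    New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $groupsOU
}

# 4. Direct memberships, then group-in-group nesting exactly as done in the GUI.
Add-ADGroupMember -Identity 'Admins'        -Members 'aeinstein'
Add-ADGroupMember -Identity 'RDP Access'    -Members 'jcarrey'
Add-ADGroupMember -Identity 'No RDP Access' -Members 'mcurie'

Add-ADGroupMember -Identity 'Domain Admins'        -Members 'Admins'
Add-ADGroupMember -Identity 'Remote Desktop Users' -Members 'RDP Access', 'No RDP Access'

# 5. Verify the effect of nesting: -Recursive expands groups that are members of groups,
#    so aeinstein shows up as a Domain Admin even though only the Admins group was added.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Select-Object Name, SamAccountName
```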



    Task 7 Creating your first GPO


    What are Group Policy Objects?

    A GPO, or Group Policy Object, is a feature of Active Directory that adds additional controls to user accounts and computers.

    Group Policy settings include local settings, site-wide settings, domain-level settings and settings applied to organizational units.

    Creating our first GPO


    To create a GPO we need to go to Tools > Group Policy Management inside the Server Manager.


     


    Right-click on "Group Policy Objects" and create a new object. I will name mine "Groups GPO".
    To edit the GPO right-click on it > Edit.

     



    For the purpose of this demo, we will set different permissions for the groups recently created.

    First, let's allow users to authenticate using RDP. To do so, go to Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment and double-click on Allow log on through Remote Desktop Services.

     

     

     


    Select Define these policy settings > Add user or group > Browse

     



    Search for Admins and RDP Access groups and click OK > OK to add them.


     

     


    To block a user or a group from logging in using RDP, double-click Deny log on through Remote Desktop Services and add the No RDP Access group there.



    We can close the editor and go back to our Group Policy Management console. In order for the policy to apply, we have to link the GPO to the root of the domain (thm.lab). To do that, right-click on the Domain Controllers OU > Link an existing GPO, select the GPO you created (Groups GPO in my case) and press OK.



     


    To apply the GPO open a CMD as an administrator (right-click on it > Run as administrator) and type the following: gpupdate /force and wait for the policy to apply.



    Testing the GPO


    Let's try to RDP into the machine using each user and see the different levels of access each has.

    The first user I'm going to log in as is Albert Einstein, who has Domain Admin rights. The logon is successful. Open a CMD as admin and type "whoami".



     


    As noticed, we were able to start an elevated CMD.


    Sign out and log in using the account added to the RDP Access group (in my case Jim Carrey).

    Try opening an elevated CMD (right-click on CMD > Run as administrator). You will notice that UAC (User Account Control) asks for admin credentials. If you try entering the credentials (username and password) of the account you are currently logged in with, you will notice that the CMD prompt does not appear. This happens because you are a standard user on the machine, not an administrator.


     


    Note: You can spawn the shell if you use an administrator credential (in my case Albert Einstein).


    Lastly, try logging in with the account added to the No RDP Access group. You will get the following error:



    This happens because, even though the No RDP Access group has been added to the Remote Desktop Users group, the GPO created earlier blocks RDP access for the users in that group.
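    As an added example (not from the original post), the following script checks the outcome described above without logging in as each user: it exports the effective user-rights assignment with secedit after gpupdate and resolves, per account, whether the deny right overrides the allow right. It assumes an elevated PowerShell on the thm.lab domain controller where the GPO is linked, and uses made-up logon names for the three Task 6 users.

```powershell
# Added example, not from the original post: after "gpupdate /force", export the effective
# user-rights assignment with secedit and work out, per account, whether RDP logon is
# allowed. The deny right always overrides the allow right, which is the reason the
# No RDP Access user is rejected although the group also sits in Remote Desktop Users.
# Assumes an elevated PowerShell on the thm.lab domain controller with the GPO applied;
# the logon names at the bottom are made-up placeholders for the three lab users.
Import-Module ActiveDirectory

$cfg = Join-Path $env:TEMP 'user-rights.inf'
# secedit writes the local security policy as an INI-style file; /areas USER_RIGHTS keeps
# only the [Privilege Rights] section, where each line reads "SeXxxRight = *SID,*SID,...".
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

function Convert-ToSid {
    param([string] $Entry)
    # Entries are usually "*S-1-5-..." but may also be plain account names.
    $e = $Entry.Trim().TrimStart('*')
    if ($e -like 'S-1-*') { return $e }
    try { (New-Object System.Security.Principal.NTAccount($e)).Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $e }
}

function Convert-ToName {
    param([string] $Sid)
    try { (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }   # orphaned SID of a deleted principal stays as-is
}

function Get-LogonRightSids {
    param([string] $Right)
    $line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" }
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Split(',') | ForEach-Object { Convert-ToSid $_ }
}

$allowed = @(Get-LogonRightSids 'SeRemoteInteractiveLogonRight')
$denied  = @(Get-LogonRightSids 'SeDenyRemoteInteractiveLogonRight')
"Allowed through RDP: " + (($allowed | ForEach-Object { Convert-ToName $_ }) -join ', ')
"Denied through RDP:  " + (($denied  | ForEach-Object { Convert-ToName $_ }) -join ', ')

function Test-RdpLogon {
    param([string] $SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName
    # Every group the user belongs to, directly or through nesting (LDAP_MATCHING_RULE_IN_CHAIN).
    # The primary group (Domain Users) is not in the member attribute and is not covered here.
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    $sids = @($user.SID.Value) + @($groups | ForEach-Object { $_.SID.Value })
    if ($sids | Where-Object { $denied -contains $_ })  { return "$SamAccountName : DENIED (deny right wins)" }
    if ($sids | Where-Object { $allowed -contains $_ }) { return "$SamAccountName : allowed" }
    return "$SamAccountName : no RDP logon right"
}

'aeinstein', 'jcarrey', 'mcurie' | ForEach-Object { Test-RdpLogon $_ }
```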




  • Active Directory Basics TryHackMe Walkthrough






    Active Directory is the directory service for Windows Domain Networks. It is used by many of today's top companies and is a vital skill to comprehend when attacking Windows.


    It is recommended to have knowledge of basic network services, Windows, networking, and Powershell.


    The detail of specific uses and objects will be limited as this is only a general overview of Active Directory. For more information on a specific topic look for the corresponding room or do your own research on the topic.
     




    What is Active Directory? -



    Active Directory is a collection of machines and servers connected inside of domains, that are a collective part of a bigger forest of domains, that make up the Active Directory network. Active Directory contains many functioning bits and pieces, a majority of which we will be covering in the upcoming tasks. To outline what we'll be covering take a look over this list of Active Directory components and become familiar with the various pieces of Active Directory:



    •     Domain Controllers
    •     Forests, Trees, Domains
    •     Users + Groups
    •     Trusts
    •     Policies
    •     Domain Services


    All of these parts of Active Directory come together to make a big network of machines and servers. Now that we know what Active Directory is, let's talk about the why.


    Why use Active Directory? -



    The majority of large companies use Active Directory because it allows for the control and monitoring of their user's computers through a single domain controller. It allows a single user to sign in to any computer on the active directory network and have access to his or her stored files and folders in the server, as well as the local storage on that machine. This allows for any user in the company to use any machine that the company owns, without having to set up multiple users on a machine. Active Directory does it all for you.



    [Task 2] Physical Active Directory



    The physical Active Directory is the servers and machines on-premise, these can be anything from domain controllers and storage servers to domain user machines; everything needed for an Active Directory environment besides the software.





    Domain Controllers -


    A domain controller is a Windows server that has Active Directory Domain Services (AD DS) installed and has been promoted to a domain controller in the forest. Domain controllers are the center of Active Directory -- they control the rest of the domain. I will outline the tasks of a domain controller below:



    •     holds the AD DS data store
    •     handles authentication and authorization services
    •     replicates updates from other domain controllers in the forest
    •     allows admin access to manage domain resources




    AD DS Data Store -


    The Active Directory Data Store holds the databases and processes needed to store and manage directory information such as users, groups, and services. Below is an outline of some of the contents and characteristics of the AD DS Data Store:


    •     Contains the NTDS.dit - a database that contains all of the information of an Active Directory domain controller as well as password hashes for domain users
    •     Stored by default in %SystemRoot%\NTDS
    •     Accessible only by the domain controller



    That is everything that you need to know in terms of physical and on-premise Active Directory. Now move on to learn about the software and infrastructure behind the network.




    #1 What database does the AD DS contain?


    Ans :- NTDS.dit



    #2 Where is the NTDS.dit stored?


    Ans :- %SystemRoot%\NTDS





    #3 What type of machine can be a domain controller?

    Ans :- %SystemRoot%\NTDS





    [Task 3] The Forest



    The forest is what defines everything; it is the container that holds all of the other bits and pieces of the network together -- without the forest all of the other trees and domains would not be able to interact. The one thing to note when thinking of the forest is to not think of it too literally -- it is a physical thing just as much as it is a figurative thing. When we say "forest", it is only a way of describing the connection created between these trees and domains by the network.





    Forest Overview -

    A forest is a collection of one or more domain trees inside of an Active Directory network. It is what categorizes the parts of the network as a whole.

    The forest consists of these parts, which we will go into in further detail later:

    •     Trees - A hierarchy of domains in Active Directory Domain Services
    •     Domains - Used to group and manage objects
    •     Organizational Units (OUs) - Containers for groups, computers, users, printers and other OUs
    •     Trusts - Allows users to access resources in other domains
    •     Objects - users, groups, printers, computers, shares
    •     Domain Services - DNS Server, LLMNR, IPv6
    •     Domain Schema - Rules for object creation



    #1 What is the term for a hierarchy of domains in a network?


    Ans :- Trees



    #2 What is the term for the rules for object creation?

    Ans :- Domain Schema



    #3 What is the term for containers for groups, computers, users, printers, and other OUs?


    Ans :- Organizational Units

     

    [Task 4] Users + Groups



    The users and groups that are inside of an Active Directory are up to you; when you create a domain controller it comes with default groups and two default users: Administrator and guest. It is up to you to create new users and create new groups to add users to.







    Users Overview -


    Users are the core to Active Directory; without users why have Active Directory in the first place? There are four main types of users you'll find in an Active Directory network; however, there can be more depending on how a company manages the permissions of its users. The four types of users are: 


    •     Domain Admins - This is the big boss: they control the domains and are the only ones with access to the domain controller.
    •     Service Accounts (Can be Domain Admins) - These are for the most part never used except for service maintenance; they are required by Windows for services such as SQL to pair a service with a service account.
    •     Local Administrators - These users can make changes to local machines as an administrator and may even be able to control other normal users, but they cannot access the domain controller.
    •     Domain Users - These are your everyday users. They can log in on the machines they have the authorization to access and may have local administrator rights to machines depending on the organization.





    Groups Overview -

    Groups make it easier to give permissions to users and objects by organizing them into groups with specified permissions. There are two overarching types of Active Directory groups:

    •     Security Groups - These groups are used to specify permissions for a large number of users
    •     Distribution Groups - These groups are used to specify email distribution lists. As an attacker these groups are less beneficial to us but can still be beneficial in enumeration



     
    Default Security Groups -

    There are a lot of default security groups, so I won't be going into too much detail on each beyond a brief description of the permissions they offer to the assigned group. Here is a brief outline of the security groups:


    •     Domain Controllers - All domain controllers in the domain
    •     Domain Guests - All domain guests
    •     Domain Users - All domain users
    •     Domain Computers - All workstations and servers joined to the domain
    •     Domain Admins - Designated administrators of the domain
    •     Enterprise Admins - Designated administrators of the enterprise
    •     Schema Admins - Designated administrators of the schema
    •     DNS Admins - DNS Administrators Group
    •     DNS Update Proxy - DNS clients who are permitted to perform dynamic updates on behalf of some other clients (such as DHCP servers).
    •     Allowed RODC Password Replication Group - Members in this group can have their passwords replicated to all read-only domain controllers in the domain
    •     Group Policy Creator Owners - Members in this group can modify group policy for the domain
    •     Denied RODC Password Replication Group - Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain
    •     Protected Users - Members of this group are afforded additional protections against authentication security threats. See http://go.microsoft.com/fwlink/?LinkId=298939 for more information.
    •     Cert Publishers - Members of this group are permitted to publish certificates to the directory
    •     Read-Only Domain Controllers - Members of this group are Read-Only Domain Controllers in the domain
    •     Enterprise Read-Only Domain Controllers - Members of this group are Read-Only Domain Controllers in the enterprise
    •     Key Admins - Members of this group can perform administrative actions on key objects within the domain.
    •     Enterprise Key Admins - Members of this group can perform administrative actions on key objects within the forest.
    •     Cloneable Domain Controllers - Members of this group that are domain controllers may be cloned.
    •     RAS and IAS Servers - Servers in this group can access remote access properties of users


    #1 Which type of groups specify user permissions?

    Ans :- Security Groups



    #2 Which group contains all workstations and servers joined to the domain?

    Ans :- Domain Computers



    #3 Which group can publish certificates to the directory?


     Ans :- Cert publishers




    #4 Which user can make changes to a local machine but not to a domain controller?

    Ans :- Local Administrators




    #5 Which group has their passwords replicated to read-only domain controllers?


    Ans :- Allowed RODC Password Replication Group



     



     

    [Task 5] Trusts + Policies




    Trusts and policies go hand in hand to help the domain and trees communicate with each other and maintain "security" inside of the network. They put the rules in place of how the domains inside of a forest can interact with each other, how an external forest can interact with the forest, and the overall domain rules or policies that a domain must follow.



    Domain Trusts Overview -


    Trusts are a mechanism in place for users in the network to gain access to other resources in the domain. For the most part, trusts outline the way that the domains inside of a forest communicate to each other, in some environments trusts can be extended out to external domains and even forests in some cases.




    There are two types of trusts that determine how the domains communicate. I'll outline the two types of trusts below:

    •     Directional - The direction of the trust flows from a trusting domain to a trusted domain
    •     Transitive - The trust relationship expands beyond just two domains to include other trusted domains


    The type of trusts put in place determines how the domains and trees in a forest are able to communicate and send data to and from each other. When attacking an Active Directory environment you can sometimes abuse these trusts in order to move laterally throughout the network.



    Domain Policies Overview -



    Policies are a very big part of Active Directory: they dictate how the server operates and what rules it will and will not follow. You can think of domain policies like domain groups, except that instead of permissions they contain rules, and instead of applying only to a group of users, the policies apply to a domain as a whole. They simply act as a rulebook for Active Directory that a domain admin can modify and alter as they deem necessary to keep the network running smoothly and securely. Along with the very long list of default domain policies, domain admins can add their own policies not already on the domain controller; for example, if you wanted to disable Windows Defender across all machines on the domain you could create a new Group Policy Object to do so. The options for domain policies are almost endless and are a big factor for attackers when enumerating an Active Directory network. I'll outline just a few of the many policies that exist by default or that you can create in an Active Directory environment:



    •     Disable Windows Defender - Disables Windows Defender across all machines on the domain
    •     Digitally Sign Communication (Always) - Can disable or enable SMB signing on the domain controller




    #1 What type of trust flows from a trusting domain to a trusted domain?

    Ans :- Directional




    #2 What type of trusts expands to include other trusted domains?

    Ans :- Transitive


    [Task 6] Active Directory Domain Services + Authentication




    The Active Directory domain services are the core functions of an Active Directory network; they allow for management of the domain, security certificates, LDAPs, and much more. This is how the domain controller decides what it wants to do and what services it wants to provide for the domain.





    Domain Services Overview -


    Domain Services are exactly what they sound like. They are services that the domain controller provides to the rest of the domain or tree. There is a wide range of various services that can be added to a domain controller; however, in this room we'll only be going over the default services that come when you set up a Windows server as a domain controller. Outlined below are the default domain services:


    •     LDAP - Lightweight Directory Access Protocol; provides communication between applications and directory services
    •     Certificate Services - allows the domain controller to create, validate, and revoke public key certificates
    •     DNS, LLMNR, NBT-NS - name resolution services that map hostnames to IP addresses



    Domain Authentication Overview -



    The most important part of Active Directory -- as well as the most vulnerable part of Active Directory -- is the authentication protocols set in place. There are two main types of authentication in place for Active Directory: NTLM and Kerberos. Since these will be covered in more depth in later rooms we will not be covering past the very basics needed to understand how they apply to Active Directory as a whole.



    •     Kerberos - The default authentication service for Active Directory uses ticket-granting tickets and service tickets to authenticate users and give users access to other resources across the domain.
    •     NTLM - the default Windows authentication protocol; uses an encrypted challenge/response exchange


    The Active Directory domain services are the main access point for attackers and contain some of the most vulnerable protocols for Active Directory, this will not be the last time you see them mentioned in terms of Active Directory security.





    #1 What type of authentication uses tickets?

    Ans :- Kerberos


    #2 What domain service can create, validate, and revoke public key certificates?


    Ans :- Certificate Services



    [Task 7] AD in the Cloud



    Recently there has been a shift in Active Directory deployments, pushing companies towards cloud networks. The most notable AD cloud provider is Azure AD. Its default settings are much more secure than those of an on-premise physical Active Directory network; however, the cloud AD may still have vulnerabilities.





    Azure AD Overview -


    Azure acts as the middle man between your physical Active Directory and your users' sign on. This allows for a more secure transaction between domains, making a lot of Active Directory attacks ineffective.




    Cloud Security Overview -


    The best way to show you how the cloud takes security precautions past what is already provided with a physical network is to show you a comparison with a cloud Active Directory environment:


    Windows Server AD       Azure AD
    -----------------       --------
    LDAP                    Rest APIs
    NTLM                    OAuth/SAML
    Kerberos                OpenID
    OU Tree                 Flat Structure
    Domains and Forests     Tenants
    Trusts                  Guests




    This is only an overview of Active Directory in the cloud so we will not be going into detail of any of these protocols; however, I encourage you to go out and do your own research into these cloud protocols and how they are more secure than their physical counterparts, and if they themselves come with vulnerabilities.






    #1 What is the Azure AD equivalent of LDAP?


    Ans :- Rest APIs



    #2 What is the Azure AD equivalent of Domains and Forests?

    Ans :- Tenants




    #3 What is the Windows Server AD equivalent of Guests?


    Ans :- Trusts

     

    [Task 8] Hands-On Lab



    Lab Setup - 


    1.) Deploy the Machine

    2.) SSH or RDP into the machine


    user: Administrator

    pass: P@$$W0rd



    domain: CONTROLLER.local


    PowerView Setup -

    1.) cd Downloads - navigate to the directory PowerView is in

    2.) powershell -ep bypass - load a powershell shell with execution policy bypassed

    3.) . .\PowerView.ps1 - import the PowerView module






    Lab Overview -


    I will help you with a few commands the rest is up to you. Use the following cheatsheet here to find what you need. You should have enough knowledge of Active Directory now to investigate the machine's internals on your own.



    Example Commands:


    Get-NetComputer -fulldata | select operatingsystem - gets a list of all operating systems on the domain








    Get-NetUser | select cn - gets a list of all users on the domain








    #2 What is the name of the windows 10 operating system?


    Ans :- Windows 10 Enterprise Evaluation




    #3 What is the second "Admin" name?


    Ans :- Admin2






    #4 Which group has a capital "V" in the group name?


    Ans :- Hyper-V Administrators




    #5 When was the password last set for the SQLService user?

    Ans :- 5/13/2020  8:26:58 PM







    Video Tutorial :- 




        

     

     

     

    Disclaimer


    This was written for educational purposes and pentesting only.
    The author will not be responsible for any damage!
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal!


    All videos and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in are only for those who are interested in learning about Ethical Hacking, Security, Penetration Testing and malware analysis. These hacking tutorials are against misuse of the information and we strongly advise against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources; they do not contain any illegal activity. We do not promote, encourage, support or incite any illegal activity or hacking without written permission. We want to raise security awareness and inform our readers on how to prevent themselves from becoming a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal



    I hope you liked this post, then you should not forget to share this post at all.
    Thank you so much :-)



