🗄️ Database

📍 Database Location

The physical location of the database is the C:\Windows\NTDS\ntds.dit file, located on the Domain Controllers. Each Domain Controller has its own NTDS file, and synchronization between Domain Controllers is required in order to keep the database up to date.

📋 Classes

The Active Directory database has a schema that defines different object classes. Each class has different properties and serves a different purpose. For example, there are the User class, the Computer class and the Group class.

Moreover, a class can be a subclass of a parent class, which allows it to inherit properties. For example, the Computer class is a subclass of the User class, therefore computer objects can have the same properties as user objects, like SAMAccountName, plus some additional properties of their own, like OperatingSystem.

All the classes are subclasses of the Top class, which defines essential properties like ObjectClass or ObjectGUID.

The ObjectClass property contains the list of classes of an object, that is, its own class and all of its parent classes.

On the other hand, the ObjectGUID property is a GUID (globally unique identifier) that identifies each object of the database. It must not be confused with the SID (or SecurityIdentifier) property, which is an identifier that only security principals, such as users or groups, have.

It is also important to note that classes can be attached to auxiliary classes in order to get their properties. These auxiliary classes won't appear in the ObjectClass property. For example, many of the most relevant classes when performing a pentest, like User and Group, are attached to the Security-Principal auxiliary class, the class that defines the SAMAccountName and SID properties.

PS C:\> . .\PowerView.ps1
PS C:\> Get-NetComputer dc01 -Properties objectclass | select -ExpandProperty objectclass
top
person
organizationalPerson
user
computer

🔍 Properties

As we have seen, each class can have several properties or attributes. Usually, a property stores a string value, like Name, or a number, like UserAccountControl.

Generally, any user of the domain can read the information of any object of the domain, with a few exceptions. The first exception is users' passwords, which cannot be retrieved.

The database defines the UserPassword and UnicodePwd properties, but these cannot be read, only written. When a password change is required, these properties are written in order to modify the user password.

Moreover, there are certain properties that contain sensitive data that should only be retrieved by authorized users. In order to achieve this, these properties are marked as confidential in the schema (by setting the 128 flag in the SearchFlags of the property definition). Thus, in order to read a confidential property, apart from read rights, a user requires the CONTROL_ACCESS right over that specific property.

PS C:\Users\Administrator> Get-ADObject -LDAPFilter "(searchflags:1.2.840.113556.1.4.803:=128)" -SearchBase "CN=Schema,CN=Configuration,DC=etherdrake,DC=local" | Select Name

Name
----
ms-TPM-Owner-Information-Temp
ms-Kds-KDF-AlgorithmID
ms-Kds-KDF-Param
ms-Kds-SecretAgreement-AlgorithmID
ms-Kds-SecretAgreement-Param
ms-Kds-PublicKey-Length
ms-Kds-PrivateKey-Length
ms-Kds-RootKeyData
ms-Kds-Version
ms-Kds-DomainID
ms-Kds-UseStartTime
ms-Kds-CreateTime
ms-FVE-RecoveryPassword
ms-FVE-KeyPackage
ms-TPM-OwnerInformation
ms-DS-Transformation-Rules-Compiled
ms-PKI-Credential-Roaming-Tokens
ms-DS-Issuer-Certificates
ms-PKI-RoamingTimeStamp
ms-PKI-DPAPIMasterKeys
ms-PKI-AccountCredentials
UnixUserPassword

Additionally, there are certain properties that require certain conditions to be met before they can be written. This is controlled with Validated Writes; for example, editing the services of an account.

Furthermore, in order to manage sets of related properties when granting permissions to a user, it is also possible to use property sets instead of having to manage the properties individually.

👤 Principals

One term that you should be familiar with is principal. In Active Directory, a principal is a security entity. The most common principals are users, groups and computers. This terminology is also used in other areas, like Kerberos.

🆔 SID

In order to identify principals, each one is assigned a SID (Security Identifier). In Active Directory you can find three kinds of SIDs.

The Domain SID is used to identify the domain, and it is also the base for the SIDs of the domain principals.

PS C:\> $(Get-ADDomain).DomainSID.Value
S-1-5-21-1372086773-2238746523-2939299801

The Principal SID is used to identify principals. It is composed of the domain SID and a principal RID (Relative Identifier).

PS C:\> $(Get-ADUser User).SID.Value
S-1-5-21-1372086773-2238746523-2939299801-1103

In this example you can see that the user SID is the domain SID plus the 1103 RID.

Finally, in Active Directory there are many Well-known SIDs that identify abstract entities for special situations. Here are the most common ones:

  • S-1-5-11 -> Authenticated Users. Users logged on to the system belong to this group.
  • S-1-5-10 -> Principal Self. Used in security descriptors to reference the object itself.

PS C:\> . .\PowerView.ps1
PS C:\> $(Get-DomainObjectAcl User)[41]

ObjectDN               : CN=User,CN=Users,DC=etherdrake,DC=local
ObjectSID              : S-1-5-21-1372086773-2238746523-2939299801-1103
ActiveDirectoryRights  : WriteProperty
ObjectAceFlags         : ObjectAceTypePresent, InheritedObjectAceTypePresent
ObjectAceType          : ea1b7b93-5e48-46d5-bc6c-4df4fda78a35
InheritedObjectAceType : bf967a86-0de6-11d0-a285-00aa003049e2
BinaryLength           : 56
AceQualifier           : AccessAllowed
IsCallback             : False
OpaqueLength           : 0
AccessMask             : 32
SecurityIdentifier     : S-1-5-10
AceType                : AccessAllowedObject
AceFlags               : ContainerInherit, InheritOnly, Inherited
IsInherited            : True
InheritanceFlags       : ContainerInherit
PropagationFlags       : InheritOnly
AuditFlags             : None

There are also some Well-known SIDs that follow a fixed pattern for the built-in principals of the domain/forest. For example:

  • Administrator -> S-1-5-21-domain-500
  • Domain Admins -> S-1-5-21-domain-512
  • Domain Users -> S-1-5-21-domain-513
  • Enterprise Admins -> S-1-5-21-root domain-519

PS C:\> $(Get-ADUser Administrator).SID.Value
S-1-5-21-1372086773-2238746523-2939299801-500
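As an added example (not code from the original page), the Python below decodes the binary SID layout that objectSid and ACEs carry, splits a principal SID into domain SID and RID as described above, and classifies it against the well-known SIDs and RIDs listed in this section; the lookup tables and sample values are taken from the text.

```python
import struct

# Well-known SIDs and RIDs listed in the text (constructed lookup tables, not exhaustive).
WELL_KNOWN_SIDS = {"S-1-5-10": "Principal Self", "S-1-5-11": "Authenticated Users"}
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins",
                   513: "Domain Users", 519: "Enterprise Admins"}

def sid_from_bytes(data: bytes) -> str:
    """Decode the binary SID layout stored in objectSid and in security descriptors."""
    if len(data) < 8 or data[0] != 1 or len(data) != 8 + 4 * data[1]:
        raise ValueError("malformed binary SID")
    revision, count = data[0], data[1]
    authority = int.from_bytes(data[2:8], "big")        # 48-bit identifier authority, big-endian
    subs = struct.unpack_from("<%dI" % count, data, 8)  # sub-authorities are little-endian uint32
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def sid_to_bytes(sid: str) -> bytes:
    """Encode a string SID (S-1-<authority>-<sub>...) back into its binary form."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("malformed SID string")
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def split_domain_sid(sid: str):
    """Return (domain SID, RID) for a domain principal SID, else None."""
    parts = sid.split("-")
    # Domain principals look like S-1-5-21-<three sub-authorities>-<RID>
    if len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]:
        return "-".join(parts[:7]), int(parts[7])
    return None

def describe_sid(sid: str) -> str:
    """Classify a SID the way the text does: well-known, domain SID, or domain principal."""
    if sid in WELL_KNOWN_SIDS:
        return "well-known SID: " + WELL_KNOWN_SIDS[sid]
    if len(sid.split("-")) == 7 and sid.startswith("S-1-5-21-"):
        return "domain SID"
    split = split_domain_sid(sid)
    if split is None:
        return "other SID"          # not a domain principal and not in the small table above
    domain, rid = split
    if rid in WELL_KNOWN_RIDS:
        kind = "built-in " + WELL_KNOWN_RIDS[rid]
    else:                           # RIDs below 1000 are reserved; new principals get >= 1000
        kind = "custom principal" if rid >= 1000 else "other built-in principal"
    return f"domain {domain}, RID {rid}: {kind}"

# Values taken from the outputs shown above.
DOMAIN_SID = "S-1-5-21-1372086773-2238746523-2939299801"
USER_SID = DOMAIN_SID + "-1103"
```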

🛣️ Distinguished Names

It is also important to understand the DistinguishedName property. The DistinguishedName is like a path that indicates the object's position in the database hierarchy (similar to a file path).

PS C:\> Get-ADComputer dc01 | select -ExpandProperty DistinguishedName
CN=DC01,OU=Domain Controllers,DC=etherdrake,DC=local

It is frequently used to identify objects in the database and to reference other objects in the database. For example, the members of a group are referenced by their DistinguishedName.

PS C:\> Get-ADGroup "Domain Admins" -Properties member | select -ExpandProperty Member
CN=leia,CN=Users,DC=etherdrake,DC=local
CN=Administrator,CN=Users,DC=etherdrake,DC=local

The Distinguished Name (DN) is composed of several parts, which can be:

  • Domain Component (DC): It usually identifies the domain part of the database. For example, for it.domain.com the DC part will be DC=it,DC=domain,DC=com.

  • Organizational Unit (OU): Identifies containers that are used to group several related objects. It is worth noting that, even if OUs are similar to groups, their purpose is different. The purpose of OUs is to organize objects in the database, whereas security groups are used to organize permissions in the domain/forest.

    Sometimes, organizations map OUs directly to security groups in an automated way. These groups are known as shadow groups.

    Organizing objects in OUs is useful since you can apply a GPO to the OU that affects all its objects. This is not possible for the members of a group.

  • Common Name (CN): The name that identifies the object. Sometimes you will see more than one CN in a path, because some objects also act as containers. For example, in CN=Administrator,CN=Users,DC=etherdrake,DC=local, the CN=Users identifies the Users container.
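Added example, not part of the original page: a small DN parser in Python that splits a DistinguishedName into its DC, OU and CN parts with RFC 4514 backslash escaping, derives the domain name from the DC components as explained above, and checks whether an object sits under a given OU (which is what decides whether an OU-linked GPO applies to it). The Skywalker DN is a constructed sample; the others come from the outputs above.

```python
# RFC 4514 characters that must be backslash-escaped inside an RDN value.
_SPECIAL = ',+"\\<>;'

def parse_dn(dn: str):
    """Split a DN into [(type, value), ...] from leaf to root, honouring '\\' escapes."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:                      # keep the escaped character literally
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":                  # an unescaped comma separates RDNs
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    if escaped:
        raise ValueError("DN ends with a dangling escape")
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        typ, sep, val = rdn.partition("=")
        if not sep or not typ.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((typ.strip().upper(), val.strip()))
    return pairs

def _escape(value: str) -> str:
    return "".join("\\" + c if c in _SPECIAL else c for c in value)

def dn_to_string(pairs) -> str:
    """Re-serialise a parsed DN so that it parses back unchanged."""
    return ",".join(f"{t}={_escape(v)}" for t, v in pairs)

def dn_name(pairs) -> str:           # leaf RDN value, e.g. the CN of a user or computer
    return pairs[0][1]

def dn_domain(pairs) -> str:         # DC=it,DC=domain,DC=com -> it.domain.com
    return ".".join(v for t, v in pairs if t == "DC")

def dn_ous(pairs):                   # OUs from innermost to outermost
    return [v for t, v in pairs if t == "OU"]

def dn_is_under(pairs, container_pairs) -> bool:
    """True if the object lies inside the container, i.e. the container DN is its suffix."""
    n = [(t, v.lower()) for t, v in pairs]            # values compare case-insensitively
    c = [(t, v.lower()) for t, v in container_pairs]
    return len(n) > len(c) and n[-len(c):] == c

# Samples: the first two are from this page, the third is constructed to show escaping.
DC01_DN = "CN=DC01,OU=Domain Controllers,DC=etherdrake,DC=local"
ADMIN_DN = "CN=Administrator,CN=Users,DC=etherdrake,DC=local"
ESCAPED_DN = "CN=Skywalker\\, Luke,OU=Jedi,OU=Rebels,DC=it,DC=domain,DC=com"
```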

📂 Partitions

Apart from OUs and containers, the database is also divided into partitions. Each database has the following partitions:

  • Domain: Stores the domain objects.
  • Configuration: Stores the configuration of the domain, such as the HOST service alias or the Well-known SIDs that we have seen before.
  • Schema: Stores the definition of the classes and properties used by the database.
  • Domain DNS Zones: Stores the DNS records of the domain and its subdomains.
  • Forest DNS Zones: Stores the DNS records of the rest of the forest, including parent domains.

PS C:\> Import-Module ActiveDirectory
PS C:\> cd AD:
PS AD:\> ls

Name                 ObjectClass          DistinguishedName
----                 -----------          -----------------
etherdrake           domainDNS            DC=etherdrake,DC=local
Configuration        configuration        CN=Configuration,DC=etherdrake,DC=local
Schema               dMD                  CN=Schema,CN=Configuration,DC=etherdrake,DC=local
DomainDnsZones       domainDNS            DC=DomainDnsZones,DC=etherdrake,DC=local
ForestDnsZones       domainDNS            DC=ForestDnsZones,DC=etherdrake,DC=local

You need to load the ActiveDirectory PowerShell module in order to access the AD: drive with PowerShell.

Usually you will only use the domain partition, but it is important to know how the database is organized in case you require other data that is not in the domain partition.

By default, a tool will search in the domain partition, so if you are searching for objects that are in another partition, you will need to specify the partition DistinguishedName as the search base.

PS C:\> Get-ADObject -LDAPFilter "(objectclass=site)" -SearchBase "CN=Configuration,$((Get-ADDomain).DistinguishedName)" | select name

name
----
Default-First-Site-Name
mysite

For example, tools like adidnsdump or dns-dump use the DNS Zones partitions in order to retrieve all the DNS information of the domain.

🌐 Global Catalog

The domain database contains all the objects of the current domain, but in order to speed up searches for objects in other domains of the forest, some Domain Controllers also contain a subset of the objects of other domains.

These Domain Controllers are called Global Catalogs and contain extra read-only partitions with the objects of other domains, for which only a subset of properties is stored, usually the most used ones. For example, if you only need to consult the name of a user in another domain, then the global catalog will allow you to retrieve it without requiring a query to the other domain's Domain Controller.

PS C:\> Get-ADForest |select -ExpandProperty GlobalCatalogs
dc01.poke.mon
itdc01.it.poke.mon

In case you want to consult the Global Catalog, you need to specify a different port for the connection, since the global catalog service listens on port 3268 (LDAP).

PS C:\> Get-ADUser -Server "poke.mon:3268" -Filter * | select DistinguishedName

DistinguishedName
-----------------
CN=Administrator,CN=Users,DC=poke,DC=mon
CN=Guest,CN=Users,DC=poke,DC=mon
CN=krbtgt,CN=Users,DC=poke,DC=mon
CN=ETHERDRAKE$,CN=Users,DC=poke,DC=mon
CN=pikachu,CN=Users,DC=poke,DC=mon
CN=ITPOKEMON$,CN=Users,DC=it,DC=poke,DC=mon
CN=Administrator,CN=Users,DC=it,DC=poke,DC=mon
CN=Guest,CN=Users,DC=it,DC=poke,DC=mon
CN=krbtgt,CN=Users,DC=it,DC=poke,DC=mon
CN=POKEMON$,CN=Users,DC=it,DC=poke,DC=mon
CN=porygon,CN=Users,DC=it,DC=poke,DC=mon

🔍 How to Query the Database?

In order to interact with the database data, the Domain Controllers give you several options, which translate into the different protocols/services they support.

🔐 LDAP

Probably the first one that should be mentioned is the LDAP (Lightweight Directory Access Protocol) protocol. With LDAP it is possible to access the domain database as well as the Global Catalog.

                      .-------------
                      |
                    .---
           .--TCP-->| 389 LDAP
           |        '---
           |          |
           |        .---
           |--SSL-->| 636 LDAPS
 .------.  |        '---
 | LDAP |--|          |
 '------'  |        .---
           |--TCP-->| 3268 LDAP Global Catalog
           |        '---
           |          |
           |        .---
           '--SSL-->| 3269 LDAPS Global Catalog 
                    '---
                      |
                      '-------------

LDAP defines a query syntax that allows you to filter the objects that you want to retrieve/edit from the database. You can filter objects based on their properties. For example, to retrieve the groups of the domain that have members you can use the following query: (&(objectclass=group)(member=*)).
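To make the filter syntax concrete, here is an added example in Python (not code from the page): a small LDAP filter parser and evaluator that runs both this section's group query and the confidential-attribute query from the Properties section (the searchflags bitwise-AND matching rule 1.2.840.113556.1.4.803) over in-memory entries. It supports &, |, !, presence (=*), * wildcards and that AD matching rule; the ENTRIES list is constructed sample data modelled on this page's objects.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"   # AD bitwise-AND matching rule from the searchflags query above
_ITEM = re.compile(r"^([A-Za-z][\w-]*)(?::([\d.]+):)?=(.*)$")   # attr[:rule:]=value

def _parse(s, i):
    """Recursive-descent parse of the filter starting at s[i]; returns (node, next offset)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":                  # AND / OR / NOT over nested filters
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"bad '{op}' filter at offset {i}")
        return (op, kids), i + 1
    end = s.index(")", i)                             # ValueError if parentheses are unbalanced
    m = _ITEM.match(s[i:end])
    if not m:
        raise ValueError(f"bad filter item {s[i:end]!r}")
    attr, rule, value = m.groups()
    return ("item", (attr.lower(), rule, value)), end + 1

def matches(node, entry) -> bool:
    """Evaluate a parsed filter against one entry (dict of attribute -> value or list)."""
    kind, payload = node
    if kind == "&": return all(matches(k, entry) for k in payload)
    if kind == "|": return any(matches(k, entry) for k in payload)
    if kind == "!": return not matches(payload[0], entry)
    attr, rule, value = payload
    raw = [v for k, v in entry.items() if k.lower() == attr]            # names are case-insensitive
    vals = [x for v in raw for x in (v if isinstance(v, list) else [v])]   # flatten multi-valued
    if rule == BIT_AND:                               # e.g. (searchflags:1.2.840.113556.1.4.803:=128)
        return any((int(v) & int(value)) == int(value) for v in vals)
    if rule is not None: raise ValueError(f"unsupported matching rule {rule}")
    if value == "*":                                  # presence test, e.g. (member=*)
        return bool(vals)
    pattern = ".*".join(re.escape(p) for p in value.split("*"))   # '*' wildcards -> regex
    return any(re.fullmatch(pattern, str(v), re.IGNORECASE) for v in vals)

def search(entries, filter_text, attribute="name"):
    """Parse the filter once and return the chosen attribute of every matching entry, in order."""
    node, end = _parse(filter_text.strip(), 0)
    if end != len(filter_text.strip()):
        raise ValueError("trailing data after filter")
    return [e[attribute] for e in entries if matches(node, e)]

# Constructed sample entries modelled on the objects shown in this page (not real data).
ENTRIES = [
    {"name": "Domain Admins", "objectClass": ["top", "group"], "member": ["CN=leia,CN=Users,DC=etherdrake,DC=local"]},
    {"name": "Empty Group", "objectClass": ["top", "group"]},
    {"name": "leia", "objectClass": ["top", "person", "organizationalPerson", "user"]},
    {"name": "ms-FVE-RecoveryPassword", "objectClass": ["top", "attributeSchema"], "searchFlags": 648},  # 512+128+8
    {"name": "sAMAccountName", "objectClass": ["top", "attributeSchema"], "searchFlags": 9},
]
```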

Apart from filters, LDAP also allows you to specify the properties you would like to retrieve for each object, for example the name. Be sure to check the LDAP wiki if you need examples of retrieving information from Active Directory.

~$ ldapsearch -H ldap://192.168.100.2 -x -LLL -W -D "User@etherdrake.local" -b "dc=etherdrake,dc=local" "(&(objectclass=group)(member=*))" "samaccountname"
Enter LDAP Password: 
dn: CN=Administrators,CN=Builtin,DC=etherdrake,DC=local
sAMAccountName: Administrators

dn: CN=Users,CN=Builtin,DC=etherdrake,DC=local
sAMAccountName: Users

dn: CN=Guests,CN=Builtin,DC=etherdrake,DC=local
sAMAccountName: Guests

dn: CN=Remote Desktop Users,CN=Builtin,DC=etherdrake,DC=local
sAMAccountName: Remote Desktop Users

dn: CN=IIS_IUSRS,CN=Builtin,DC=etherdrake,DC=local
sAMAccountName: IIS_IUSRS

dn: CN=Schema Admins,CN=Users,DC=etherdrake,DC=local
sAMAccountName: Schema Admins

dn: CN=Enterprise Admins,CN=Users,DC=etherdrake,DC=local
sAMAccountName: Enterprise Admins

dn: CN=Domain Admins,CN=Users,DC=etherdrake,DC=local
sAMAccountName: Domain Admins

dn: CN=Group Policy Creator Owners,CN=Users,DC=etherdrake,DC=local
sAMAccountName: Group Policy Creator Owners

dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=etherdrake,DC=local
sAMAccountName: Pre-Windows 2000 Compatible Access

dn: CN=Windows Authorization Access Group,CN=Builtin,DC=etherdrake,DC=local
sAMAccountName: Windows Authorization Access Group

dn: CN=Denied RODC Password Replication Group,CN=Users,DC=etherdrake,DC=local
sAMAccountName: Denied RODC Password Replication Group

# refldap://ForestDnsZones.etherdrake.local/DC=ForestDnsZones,DC=etherdrake,DC=local

# refldap://DomainDnsZones.etherdrake.local/DC=DomainDnsZones,DC=etherdrake,DC=local

# refldap://etherdrake.local/CN=Configuration,DC=etherdrake,DC=local

Almost any object and property of the Active Directory database can be retrieved by using LDAP. The exceptions are those attributes that are highly sensitive, such as user credentials.

LDAP is used by many Windows tools like PowerView or ADExplorer. In case you don't have tools, you can always use PowerShell to query LDAP by using .NET.

On the other hand, from Linux, you can use the ldapsearch and ldapmodify tools.

When you need to retrieve information from Active Directory, like enumerating users or something similar, LDAP should be the first thing to come to your mind. But remember that LDAP also allows you to modify objects, so if you need to add a user to a group or something along those lines, well... this is a way.

🌐 ADWS

As an alternative to LDAP, in Windows Server 2008 R2 Microsoft introduced ADWS (Active Directory Web Services), a protocol to query and manipulate domain objects based on SOAP messages.

It is compatible with LDAP filters, so it is possible to perform very specific queries and retrieve only the required properties. In fact, when ADWS is used, internally the DC performs LDAP requests to retrieve the results.

                              .---------------------------------------
                              |          Domain Controller
                            ,---
                            | 389 (Domain) <------------.
                            '---                        |    .------.
                              |                         |----| LDAP |
                            .---                        |    '------'
                            | 3268 (Global Catalog) <---'       |
                            '---                                ^
                              |                                 |
 .------.     .------.      .---                                |
 | ADWS |>--->| SOAP |>---->| 9389  >----------------->---------'
 '------'     '------'      '---
                              |
                              '---------------------------------------

ADWS is the protocol used by the ActiveDirectory PowerShell module.

PS C:\Users\Administrator> Get-ADUser -Filter * | select name

name
----
Administrator
Guest
krbtgt
User
Han
POKEMON$
leia
luke

🔄 Other Protocols

Apart from LDAP and ADWS, there are many other protocols that allow retrieving information from the database, although the rest of the protocols generally only work with a subset of the database.

  • The DNS protocol, used mostly to resolve the IP addresses of computers, also retrieves its information from the database.

  • The SAMR (Security Account Manager Remote) protocol allows querying and editing basic info of users and groups. It is the one used by commands such as net user /domain.

  • The DRSR (Directory Replication Service Remote) protocol is the one used by the Domain Controllers to synchronize the database. Through this protocol even the user credentials can be retrieved (if you have enough permissions), and it is the one used to perform the DCSync attack.

  • The Kerberos authentication protocol also uses the database to generate the required tickets based on the requested service. Additionally, the kpasswd service (port 464) is used by Kerberos to change user passwords.

  • The Netlogon protocol is used by computers in order to authenticate domain users. For example, it is used by NTLM authentication. This was also the protocol affected by the Zerologon vulnerability.

There are many other protocols that interact with the database, but this short list should give you the idea that there are many different ways to access the same data.