Who wants a video explaining AD / LDAP basics?

Haha yeah net is definitely an old school way of doing it. I want to say it’s a leftover thing from NT4 before Active Directory was even a thing but I might be wrong. But yeah these days there are plenty of alternatives so in the video I’ll demonstrate a few of those.

One thing that has just convinced me to definitely do this video is seeing in one of the recent Windows machine threads about 60% of the recent posts were people struggling to get Bloodhound to run, or running it successfully but then not knowing what to do with the information it gave them. It’s a useful tool don’t get me wrong, but I’ve never needed to use it for any of the machines on here so it’s not like it’s absolutely necessary. Seems like it would be good if people didn’t have to rely on it so much as at the end of the day all it’s doing is enumerating group membership and permissions as far as I can see. Two things you can do yourself with various other methods.

Well, IMHO, the biggest advantage of Bloodhound is the graphical representation of the (sometimes huge amount of) data, giving you the ability to map out your path to Domain Admin in complex directory structures.

Absolutely - in the real world it’s very useful. But in these HTB machines, where there’s usually like 2 or 3 interesting groups at most… it’s painful to see people spend hours struggling to get Bloodhound working when they could have just manually looked at the groups’ permissions.

I guess it does make for better training for real world scenarios, but I feel like a lot of people here are just doing HTB machines for fun/challenge and aren’t actually going to pentest a real environment. So for those people who just want to complete the boxes, it’s just causing them extra problems most of the time. Again though there’s no problem with people using it if they actually understand the fundamentals behind it and understand the output. But it seems a lot of the time that is not the case.

yeah, I’d love to see such a video

Will start working on the video in the next couple of days. Thanks for the replies everyone.

One quick video that I’m going to make today is about how and why the Impacket GetNPUsers.py script works, as I see a lot of people using it and not really understanding it. Will post a link when it’s done.

I am interested :slight_smile:

I would be interested in this. Not that AD is a complete weakness for me, but I could use some insight with it. Not to mention Windows SMB and Linux… (your recent box is escaping me right now…Nest) but I’m still plugging away at it.

@SnarkyWolf said:
Not to mention Windows SMB and Linux… (your recent box is escaping me right now…Nest) but I’m still plugging away at it.

I honestly don’t mean this to sound like a smart ■■■■ or anything but what’s hard about Windows SMB? Like there’s not really much to get wrong. Connect to a share path and view the files and folders inside.

On Windows that’s literally as simple as typing the path into the start menu and pressing enter… then double clicking on files you see that you want to open. I guess from a Linux box it’s a bit more complicated than that but if that’s actually causing problems, there’s yet another reason not to use Linux when attacking Windows machines :blush: lol bet everyone’s sick of seeing me say that

Yes!

@VbScrub said:

Haha yeah net is definitely an old school way of doing it. I want to say it’s a leftover thing from NT4 before Active Directory was even a thing but I might be wrong. But yeah these days there are plenty of alternatives so in the video I’ll demonstrate a few of those.

One thing that has just convinced me to definitely do this video is seeing in one of the recent Windows machine threads about 60% of the recent posts were people struggling to get Bloodhound to run, or running it successfully but then not knowing what to do with the information it gave them. It’s a useful tool don’t get me wrong, but I’ve never needed to use it for any of the machines on here so it’s not like it’s absolutely necessary. Seems like it would be good if people didn’t have to rely on it so much as at the end of the day all it’s doing is enumerating group membership and permissions as far as I can see. Two things you can do yourself with various other methods.

Personally I’d love to learn about these enumeration methods you speak of, especially methods that don’t rely on something like Bloodhound. I’ve been able to get user on most of the easy/med Windows boxes so far, but after that I struggle with identifying what and where to enumerate in order to identify potential routes toward privilege escalation. Could very well be that I just lack basic Windows knowledge, but it seems like I’m not the only one struggling with this. Thx!

Yes, I’d love a long talk about AD enumeration. :smiley:

Yes, I am interested too

AD video will be coming next week but for now I’ve just finished up this video explaining how the Impacket GetNPUsers script works, which involves some AD related stuff that might be of interest to the people in this thread:

Subbed :slight_smile:

Just watched your vid on GetNPUsers.py and kerb pre auth, very good!
A video on AD would be really helpful for me personally but for the whole HTB community I think since as you said, a lot of people state that AD / Windows is their weakness.
What I would personally like to see in this video is:

What is LDAP and how it works
What is RPC and how it works
What is SMB and how it works
more Kerberos stuff
Active directory objects etc
forests (?)
maybe you could also state what the best practice is for AD in general, what to look out for and maybe even how to look out for attacks.
In any case thanks for making your videos, pretty nice :slight_smile:

Video is now up :slight_smile: There will be plenty more coming soon with more specific topics covered, but I just wanted to get this fundamental stuff out there first so that there’s something to build from even for people who know nothing at all about AD.

The topics I covered in this first video (along with timestamps) are:

AD/LDAP/DS definition: 2:33
Installing AD: 4:02
Forests: 5:30
Global Catalog: 6:05
Domain functional levels: 6:48
Local account migration: 8:08
Viewing the contents of a domain: 8:58
FSMO roles: 11:06
Creating a new user: 12:51
Viewing user account properties: 13:29
Constructing distinguished names: 15:35
Computer accounts: 21:03
Groups: 24:17
SIDs and RIDs: 27:55
LDAP queries: 30:05
LDAP attributes: 34:07
Group policy: 35:39
AD permissions: 44:17

Yes please!!

@Pilgrim23 scroll up :slight_smile: the video just went live

thanks dude, if I may, could you speak a bit slower and don’t move the mouse too much?

@peek said:

thanks dude, if I may, could you speak a bit slower and don’t move the mouse too much?

Yeah someone else mentioned I move the mouse too much lol made a conscious effort to do it less at the start of the video but think once I got going I forgot…