Who wants a video explaining AD / LDAP basics?

edited February 19 in Video Tutorials

I keep seeing people on here saying Active Directory is their weakness or that they're not very comfortable with AD. For me personally though, I've got quite a lot of experience with it from working as a Windows network admin for several years, then writing tools that report on AD objects and permissions.

So would there be much interest in me making a video explaining some fundamental AD concepts?

It wouldn't really be a tutorial on how to attack AD. More of just a tutorial about how AD works in general so that you've got a good grasp of the fundamentals. Some example things I'd probably cover:

  • Permissions
  • LDAP queries
  • How to structure AD object paths
  • Commonly used LDAP attributes
  • Group Policy (both AD and Sysvol sides)
  • DC replication
  • Kerberos authentication (just a brief summary)

This would take a fair amount of time for me to plan out and record, so yeah just trying to gauge the level of interest in something like this.

If you want to see whether I'm actually any good at explaining things in a video before deciding if you'd watch something like this, you can take a look at the two videos I've already done on one of the retired HTB boxes: https://www.youtube.com/channel/UCpoyhjwNIWZmsiKNKpsMAQQ

Oh and if there's a particular AD related topic you'd like me to cover please mention it here.


Comments

  • edited February 19

    I'm interested in AD (group policy and AD analysis)

    peek

  • Yes! Please make videos about AD.
  • so much YES.

  • Yes please!

  • Yes, please, this would be amazing. I'd owe you at least a coffee :)
  • Yes, please :)

  • Would love to see those, too. Maybe I will then understand why certain things worked with one user, but didn't work with another even though they seemingly had the same privileges (according to net user and net user /domain)


    Hack The Box
    GREM | OSCE | GASF | eJPT

  • edited February 26
    Thanks for the replies so far.

    Any areas in particular you guys would like to see covered? Either in this video or in a more in depth video about a particular part of AD in the future.

    EDIT: The video is now up (can't edit the original post to include it as it's over a week old)

  • @HomeSen said:
    Would love to see those, too. Maybe I will then understand why certain things worked with one user, but didn't work with another even though they seemingly had the same privileges (according to net user and net user /domain)

    Yeah I don't ever rely on Net User, in fact I can't remember the last time I even used that command. So yeah there's definitely alternatives to that if you want to enumerate user accounts and group membership, which I'll cover.

  • yes please!! would be nice to have something to point me in the right direction of workflow..

    Hack The Box

  • @VbScrub Back in the days when I had to deal with/administrate AD there were mostly only GUI tools, the net tools and building custom VB scripts utilizing WMI. And it's tough getting rid of old habits :lol:


    Hack The Box
    GREM | OSCE | GASF | eJPT

  • Haha yeah net is definitely an old school way of doing it. I want to say it's a leftover thing from NT4 before Active Directory was even a thing but I might be wrong. But yeah these days there are plenty of alternatives so in the video I'll demonstrate a few of those.

    One thing that has just convinced me to definitely do this video is seeing in one of the recent Windows machine threads that about 60% of the recent posts were people struggling to get Bloodhound to run, or running it successfully but then not knowing what to do with the information it gave them. It's a useful tool don't get me wrong, but I've never needed to use it for any of the machines on here so it's not like it's absolutely necessary. Seems like it would be good if people didn't have to rely on it so much, as at the end of the day all it's doing is enumerating group membership and permissions as far as I can see. Two things you can do yourself with various other methods.
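    The "do it yourself" enumeration mentioned above, as an added example that is not code from this thread or the video: the plain LDAP building blocks an admin uses to answer "which groups is this user in, including nested ones". It constructs distinguished names with correct RDN escaping, escapes filter values, builds the AD nested-membership filter, and resolves membership transitively over a constructed in-memory directory; the domain, OUs, users and groups are all made-up sample data.

```python
import re
# Added example (not the thread's or the video's code): DN construction, filter
# escaping and nested group resolution, over a constructed sample directory.
def escape_rdn_value(value: str) -> str:
    """RFC 4514 escaping for one RDN value, e.g. a CN containing a comma."""
    out = re.sub(r'(["+,;<>\\])', r"\\\1", value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def build_dn(cn: str, ous: list, domain: str) -> str:
    """CN first, then OUs innermost-first, then one DC component per DNS label."""
    parts = [f"CN={escape_rdn_value(cn)}"] + [f"OU={escape_rdn_value(o)}" for o in ous]
    return ",".join(parts + [f"DC={label}" for label in domain.split(".")])

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so untrusted input cannot change the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def nested_membership_filter(user_dn: str) -> str:
    """Every group the user is in, directly or transitively: OID
    1.2.840.113556.1.4.1941 is AD's LDAP_MATCHING_RULE_IN_CHAIN."""
    return ("(&(objectClass=group)(member:1.2.840.113556.1.4.1941:="
            f"{escape_filter_value(user_dn)}))")

def expand_group_membership(directory: dict, dn: str, seen=None) -> set:
    """Client-side equivalent of that filter: find groups whose 'member' lists
    dn, then recurse into each group; 'seen' also guards against cycles."""
    seen = set() if seen is None else seen
    for group_dn, attrs in directory.items():
        if "group" in attrs["objectClass"] and dn in attrs.get("member", []):
            if group_dn not in seen:
                seen.add(group_dn)
                expand_group_membership(directory, group_dn, seen)
    return seen

# Constructed sample directory (DN -> attributes): Jane is in Sales Staff,
# which is nested in Helpdesk, which is nested in Printer Admins.
DOMAIN = "corp.example"
JANE_DN = build_dn("Doe, Jane", ["Users", "Sales"], DOMAIN)
SALES_DN = build_dn("Sales Staff", ["Groups"], DOMAIN)
HELPDESK_DN = build_dn("Helpdesk", ["Groups"], DOMAIN)
PRINT_DN = build_dn("Printer Admins", ["Groups"], DOMAIN)
SAMPLE_DIRECTORY = {
    JANE_DN: {"objectClass": ["user"], "sAMAccountName": "jdoe"},
    SALES_DN: {"objectClass": ["group"], "member": [JANE_DN]},
    HELPDESK_DN: {"objectClass": ["group"], "member": [SALES_DN]},
    PRINT_DN: {"objectClass": ["group"], "member": [HELPDESK_DN]},
}
```

    Note that the comma in Jane's CN is escaped once for the DN (`Doe\, Jane`) and that backslash is escaped again (`\5c`) when the DN is placed inside a filter; getting either layer wrong is why hand-built LDAP queries silently return nothing.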

  • Well, IMHO, the biggest advantage of bloodhound is the graphical representation of the (sometimes huge amount of) data. Giving you the ability to map out your path to Domain Admin in complex directory structures.


    Hack The Box
    GREM | OSCE | GASF | eJPT

  • edited February 20

    Absolutely - in the real world it's very useful. But in these HTB machines, where there's usually like 2 or 3 interesting groups at most... it's painful to see people spend hours struggling to get Bloodhound working when they could have just manually looked at the groups' permissions.

    I guess it does make for better training for real world scenarios, but I feel like a lot of people here are just doing HTB machines for fun/challenge and aren't actually going to pentest a real environment. So for those people who just want to complete the boxes, it's just causing them extra problems most of the time. Again though there's no problem with people using it if they actually understand the fundamentals behind it and understand the output. But it seems a lot of the time that is not the case.

  • yeah, I'd love to see such a video

  • Will start working on the video in the next couple of days. Thanks for the replies everyone.

    One quick video that I'm going to make today is about how and why the Impacket GetNPUsers.py script works, as I see a lot of people using it and not really understanding it. Will post a link when it's done.

  • I am interested :)

  • I would be interested in this. Not that AD is a complete weakness for me, but I could use some insight with it. Not to mention Windows SMB and Linux... (your recent box is escaping me right now...Nest) but I'm still plugging away at it.

    Available to help when I can and know how to help. However do not expect responses right away on these days. Sunday - Wednesday between 7am-8pm EST (USA, Orlando, Fl) as I work those days from 7a-7p and then the ride home. Just a forewarning is all :) Other than that I'll answer ASAP, or when I get home from work.

    CompTIA A+ | Network+ | Security+ | CySA+ (pending beta Results) | PenTest+ (In Progress) | C|EH (in Progress)
  • edited February 20

    @SnarkyWolf said:
    Not to mention Windows SMB and Linux... (your recent box is escaping me right now...Nest) but I'm still plugging away at it.

    I honestly don't mean this to sound like a smart arse or anything but what's hard about Windows SMB? Like there's not really much to get wrong. Connect to a share path and view the files and folders inside.

    On Windows that's literally as simple as typing the path in to the start menu and pressing enter... then double clicking on files you see that you want to open. I guess from a Linux box it's a bit more complicated than that but if that's actually causing problems, there's yet another reason not to use Linux when attacking Windows machines :blush: lol bet everyone's sick of seeing me say that

  • Yes!


    Check out my blog
    Always happy to help! but please consider dropping some respect. ^^

  • @VbScrub said:

    Haha yeah net is definitely an old school way of doing it. I want to say it's a leftover thing from NT4 before Active Directory was even a thing but I might be wrong. But yeah these days there are plenty of alternatives so in the video I'll demonstrate a few of those.

    One thing that has just convinced me to definitely do this video is seeing in one of the recent Windows machine threads that about 60% of the recent posts were people struggling to get Bloodhound to run, or running it successfully but then not knowing what to do with the information it gave them. It's a useful tool don't get me wrong, but I've never needed to use it for any of the machines on here so it's not like it's absolutely necessary. Seems like it would be good if people didn't have to rely on it so much, as at the end of the day all it's doing is enumerating group membership and permissions as far as I can see. Two things you can do yourself with various other methods.

    Personally I'd love to learn about these enumeration methods you speak of, especially methods that don't rely on something like bloodhound. I've been able to get user on most of the easy/med windows boxes so far, but after that I struggle with identifying what and where to enumerate in order to identify potential routes toward privilege escalation. Could very well be that I just lack basic windows knowledge, but it seems like I'm not the only one struggling with this. Thx!

  • Yes, I'd love a long talk about AD enumeration. :D

    publicist

  • Yes i am interested too

  • AD video will be coming next week but for now I've just finished up this video explaining how the Impacket GetNPUsers script works, which involves some AD related stuff that might be of interest to the people in this thread:

  • Just watched your vid on GetNPUsers.py and kerb pre auth, very good!
    A video on AD would be really helpful for me personally, but also for the whole HTB community I think, since as you said, a lot of people state that AD / Windows is their weakness.
    What I would personally like to see in this video is:

    What is LDAP and how it works
    What is RPC and how it works
    What is SMB and how it works
    more kerberos stuff
    Active directory objects etc
    forests (?)
    maybe you could also state what the best practice is for AD in general, what to look out for and maybe even how to look out for attacks.
    In any case thanks for making your videos, pretty nice :)

    Hack The Box

  • Video is now up :) There will be plenty more coming soon with more specific topics covered, but I just wanted to get this fundamental stuff out there first so that there's something to build from even for people who know nothing at all about AD.



    The topics I covered in this first video (along with timestamps) are:

    AD/LDAP/DS definition: 2:33
    Installing AD: 4:02
    Forests: 5:30
    Global Catalog: 6:05
    Domain functional levels: 6:48
    Local account migration: 8:08
    Viewing the contents of a domain: 8:58
    FSMO roles: 11:06
    Creating a new user: 12:51
    Viewing user account properties: 13:29
    Constructing distinguished names: 15:35
    Computer accounts: 21:03
    Groups: 24:17
    SIDs and RIDs: 27:55
    LDAP queries: 30:05
    LDAP attributes: 34:07
    Group policy: 35:39
    AD permissions: 44:17
  • Yes please!!

  • @Pilgrim23 scroll up :) the video just went live

  • thanks dude, if I may, could you speak a bit slower and don't move the mouse too much?

    peek
