This is my attempt to create a walkthrough of TryHackMe’s Active Directory room.

[Task 1] Introduction

Active Directory is the directory service for Windows Domain Networks. It is used by many of today’s top companies and is a vital skill to comprehend when attacking Windows.

#1 I understand what Active Directory is and why it is used.
ANSWER: No answer needed

99% of corporate networks run off of AD. But can you exploit a vulnerable Domain Controller?

Learning objectives:
  • Impacket
  • Kerbrute
  • AD Enumeration
  • Kerberos
  • Cracking Hashes
  • Hashcat
  • Privilege Escalation
[Task 2] Physical Active Directory

#1 What database does the AD DS contain?
The AD DS contains NTDS.dit, a database that holds all of the information of an Active Directory domain controller as well as the password hashes for domain users.
ANSWER: NTDS.dit

#2 Where is the NTDS.dit stored?
It is stored by default in %SystemRoot%\NTDS.
ANSWER: %SystemRoot%\NTDS

#3 What type of machine can be a domain controller?
A domain controller is a Windows server that has Active Directory Domain Services (AD DS) installed and has been promoted to a domain controller in the forest.
ANSWER: Windows Server

[Task 3] The Forest

#1 What is the term for a hierarchy of domains in a network?
Trees: a hierarchy of domains in Active Directory Domain Services.
ANSWER: Tree

#2 What is the term for the rules for object creation?
Domain Schema: rules for object creation.
ANSWER: Domain Schema

#3 What is the term for containers for groups, computers, users, printers, and other OUs?
Organizational Units: containers for groups, computers, users, printers and other OUs.
ANSWER: Organizational Units

[Task 4] User + Groups

#1 Which type of groups specify user permissions?
Security Groups: these groups are used to specify permissions for a large number of users.
ANSWER: SecurityGroups

#2 Which group contains all workstations and servers joined to the domain?
Domain Computers: all workstations and servers joined to the domain.
ANSWER: DomainComputers

#3 Which group can publish certificates to the directory?
Cert Publishers: members of this group are permitted to publish certificates to the directory.
ANSWER: CertPublishers

#4 Which user can make changes to a local machine but not to a domain controller?
Local Administrators: these users can make changes to local machines as an administrator and may even be able to control other normal users, but they cannot access the domain controller.
ANSWER: LocalAdministrators

#5 Which group has their passwords replicated to read only domain controllers?
Allowed RODC Password Replication Group: members of this group can have their passwords replicated to all read-only domain controllers in the domain.
ANSWER: Allowed RODC Password Replication Group

[Task 5] User + Groups

#1 What type of trust flows from a trusting domain to a trusted domain?
Directional: the direction of the trust flows from a trusting domain to a trusted domain.
ANSWER: Directional

#2 What type of trusts expands to include other trusted domains?
Transitive: the trust relationship expands beyond just two domains to include other trusted domains.
ANSWER: Transitive

[Task 6] Active Directory Domain Services + Authentication

#1 What type of authentication uses tickets?
Kerberos: the default authentication service for Active Directory uses ticket granting tickets and service tickets to authenticate users and give users access to other resources across the domain.
ANSWER: Kerberos

#2 What domain service can create, validate, and revoke public key certificates?
Certificate Services: allows the domain controller to create, validate, and revoke public key certificates.
ANSWER: Certificate Services

[Task 7] AD in the Cloud

#1 What is the Azure AD equivalent of LDAP?
ANSWER: Rest APIs

#2 What is the Azure AD equivalent of Domains and Forests?
ANSWER: Tenants

#3 What is the Windows Server AD equivalent of Guests?
ANSWER: Trusts

[Task 8] Hands-On Lab

I connected to the machine over SSH after failing to connect with RDP.

#1: Deploy the Machine: No answer needed

#2: What is the name of the Windows 10 operating system? I used this command:
Get-NetComputer -fulldata | select operatingsystem
Answer: Windows 10 Enterprise Evaluation

#3: What is the second “Admin” name?
Get-NetUser | select cn
Answer: Admin2

#4: Which group has a capital “V” in the group name?
net localgroup
Answer: Hyper-V Administrators

#5: What was the password last set for the SQLService user?
Get-ADUser -identity SQLService -properties *
Answer: 5/13/2020 8:26:58 PM

#9 Conclusion: No answer required
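The same four lab checks, rewritten here as an added audit script that is not part of the room or this walkthrough; it goes a step beyond the lab by converting the raw pwdLastSet FILETIME and checking whether the "Admin" accounts are actually in Domain Admins. It assumes the RSAT ActiveDirectory module on a domain-joined Windows host, reuses the lab's SQLService account name, and the 90-day threshold is an arbitrary value.

```powershell
# Added example, not code from the TryHackMe room or the walkthrough author.
# Assumes: RSAT ActiveDirectory module, domain-joined host, PowerShell 5.1+.
Import-Module ActiveDirectory

# 1. Inventory operating systems across the domain (the Get-NetComputer question above).
function Get-OsInventory {
    Get-ADComputer -Filter * -Properties OperatingSystem |
        Group-Object OperatingSystem |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# 2. Accounts with "Admin" in the name, annotated with whether they are really in Domain Admins.
function Get-AdminNamedAccounts {
    $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object -ExpandProperty SamAccountName
    Get-ADUser -Filter 'Name -like "*Admin*"' |
        Select-Object SamAccountName, Enabled,
            @{ n = 'InDomainAdmins'; e = { $domainAdmins -contains $_.SamAccountName } }
}

# 3. Local groups on this host whose name contains a capital V (-cmatch is case-sensitive).
function Get-LocalGroupsWithCapitalV {
    Get-LocalGroup | Where-Object { $_.Name -cmatch 'V' } | Select-Object Name
}

# 4. Password age for one account. pwdLastSet is a Windows FILETIME (100ns ticks since 1601);
#    a value of 0 means "must change password at next logon", so it is reported, not converted.
function Get-PasswordAge {
    param([string]$SamAccountName, [int]$MaxAgeDays = 90)   # 90 days is an arbitrary threshold
    $u = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, PasswordNeverExpires
    if ($u.pwdLastSet -eq 0) {
        return [pscustomobject]@{ Account = $u.SamAccountName; LastSet = $null; AgeDays = $null
                                  NeverExpires = $u.PasswordNeverExpires; Stale = $true }
    }
    $lastSet = [DateTime]::FromFileTime($u.pwdLastSet)     # same value as PasswordLastSet
    $ageDays = [int]((Get-Date) - $lastSet).TotalDays
    [pscustomobject]@{
        Account      = $u.SamAccountName
        LastSet      = $lastSet
        AgeDays      = $ageDays
        NeverExpires = $u.PasswordNeverExpires
        Stale        = ($ageDays -gt $MaxAgeDays)
    }
}

Get-OsInventory
Get-AdminNamedAccounts
Get-LocalGroupsWithCapitalV
Get-PasswordAge -SamAccountName 'SQLService'   # account name taken from the lab above
```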