1
00:00:00,120 --> 00:00:05,370
So for this video and the next video we're going to talk about physical components of Active Directory

2
00:00:05,370 --> 00:00:09,690
and then we're going to talk about the logical components of Active Directory.

3
00:00:09,750 --> 00:00:17,030
So I'm only going to introduce concepts and ideas that pertain to this course. On the logical side,

4
00:00:17,040 --> 00:00:22,560
I am going to introduce some concepts and ideas that are out of scope for the course I think are still

5
00:00:22,560 --> 00:00:28,140
important, but for the physical side I'm going to limit to what's in scope as to not confuse you or make

6
00:00:28,140 --> 00:00:32,660
things any more complicated, because Active Directory can run really deep really fast.

7
00:00:32,700 --> 00:00:36,660
So we're going to give a high-level overview and then it'll make a lot more sense once we start building

8
00:00:36,660 --> 00:00:37,650
things out.

9
00:00:37,680 --> 00:00:42,060
So let's talk about two very important physical Active Directory components.

10
00:00:42,060 --> 00:00:49,510
So the very, very most important Active Directory component is what is called a domain controller.

11
00:00:49,530 --> 00:00:56,300
So if you've never heard of a domain controller, that is the head honcho of all the servers, right?

12
00:00:56,310 --> 00:01:01,560
When you set up Active Directory you have what is called a domain controller.

13
00:01:01,560 --> 00:01:09,960
Now the domain controller has a lot of features that it provides and does for the environment. It hosts

14
00:01:09,990 --> 00:01:16,140
what is called the Active Directory Domain Services, the directory store, meaning it hosts your phone

15
00:01:16,140 --> 00:01:16,380
book.

16
00:01:16,390 --> 00:01:18,590
Remember we talked about it being a phone book.

17
00:01:18,630 --> 00:01:25,020
It has all the information on the users, the computers, of what printers are in the network, etc.
It knows

18
00:01:25,080 --> 00:01:27,560
everything. On top of this,

19
00:01:27,660 --> 00:01:31,030
it's providing authentication and authorization.

20
00:01:31,140 --> 00:01:36,780
So going back to the last video and we talked about Kerberos, it's doing that at the domain controller

21
00:01:36,780 --> 00:01:45,270
level, and if we're in what's called a forest or in a domain where we have a parent-child situation, which

22
00:01:45,270 --> 00:01:49,560
we're going to talk about in the logical side of things, it does replication.

23
00:01:49,560 --> 00:01:56,220
So that way the other forest or other domains, we make an update to one item in one domain controller,

24
00:01:56,250 --> 00:01:58,300
it updates across the board.

25
00:01:58,320 --> 00:02:05,160
Now we'll talk about that here in just a second, but also we have administrative access with the domain

26
00:02:05,160 --> 00:02:05,790
controller.

27
00:02:05,790 --> 00:02:11,880
So that is to manage user accounts and network resources, as you're going to see when we build our domain

28
00:02:11,880 --> 00:02:12,830
controller.

29
00:02:12,900 --> 00:02:16,080
What we do is we go in there and this is where we can add users.

30
00:02:16,080 --> 00:02:21,060
This is where we can add our computers, where we can add policies, where we can do all different sorts

31
00:02:21,060 --> 00:02:21,570
of things.

32
00:02:21,570 --> 00:02:23,600
We do it at the domain controller level.

33
00:02:23,670 --> 00:02:28,140
So when we talk about domain controller, again, it's the head honcho, it's the top dog.

34
00:02:28,530 --> 00:02:32,090
When we attack an internal network, it's very, very bad

35
00:02:32,100 --> 00:02:38,000
if we can compromise your domain controller, because that means we can compromise the whole network, potentially.

36
00:02:38,100 --> 00:02:43,230
So depending on how big the network is, if it's just one domain and we compromise the domain controller,

37
00:02:43,560 --> 00:02:44,810
we've compromised everything.

38
00:02:45,000 --> 00:02:45,760
OK.

39
00:02:45,840 --> 00:02:51,120
So this is one of the top targets when you're doing an internal assessment, though it's not the only

40
00:02:51,120 --> 00:02:51,830
target.

41
00:02:51,930 --> 00:02:58,220
And I should note, do not get your eyes set on just doing domain controller compromise and that being

42
00:02:58,230 --> 00:02:58,650
it.

43
00:02:58,740 --> 00:03:04,140
When it comes to Active Directory pen testing or internal pen testing, there's other information that

44
00:03:04,140 --> 00:03:05,580
clients might want as well.

45
00:03:05,580 --> 00:03:12,060
Think about potentially PCI or personally identifiable information, especially if it's related to Social

46
00:03:12,060 --> 00:03:15,480
Security numbers or sensitive information about people.

47
00:03:15,660 --> 00:03:20,330
Think about any kind of credit card information that might be obtained.

48
00:03:20,340 --> 00:03:25,290
Think about any kind of proprietary information that you might be able to obtain as well.

49
00:03:25,350 --> 00:03:31,860
So don't just go for domain admin or compromising the domain controller.

50
00:03:31,860 --> 00:03:33,000
Think beyond that.

51
00:03:33,000 --> 00:03:34,920
Think what could you do as an attacker

52
00:03:34,920 --> 00:03:37,570
that would be really damaging to a client.

53
00:03:37,590 --> 00:03:42,960
Now from here let's also talk about Active Directory data stores.

54
00:03:42,960 --> 00:03:51,160
So the big takeaway from the Active Directory data store is that it holds this file called the

55
00:03:51,180 --> 00:03:56,680
NTDS.dit, OK, and this file is very, very sensitive.

56
00:03:56,680 --> 00:04:02,210
Now typically when you compromise a domain controller you want to grab this file.

57
00:04:02,250 --> 00:04:03,840
Why do we want to grab this file?

58
00:04:04,110 --> 00:04:09,150
Well, it contains everything that is stored in Active Directory data.

59
00:04:09,210 --> 00:04:14,450
That means all the users, the objects, the groups, etc.

60
00:04:14,490 --> 00:04:19,950
More importantly, it contains password hashes for all users in that domain.

61
00:04:19,950 --> 00:04:25,200
So when you compromise that domain controller and then you go get the NTDS.dit file,

62
00:04:25,350 --> 00:04:25,880
guess what?

63
00:04:25,890 --> 00:04:27,630
You've got all the password hashes.

64
00:04:27,630 --> 00:04:30,390
Doesn't mean you have all the passwords, but you have the hashes.

65
00:04:30,390 --> 00:04:32,270
You can take them offline, try to crack them.

66
00:04:32,310 --> 00:04:34,680
You can attempt pass-the-hash attacks.

67
00:04:34,680 --> 00:04:37,260
You can attempt golden ticket attacks with a hash.

68
00:04:37,260 --> 00:04:39,820
And I know you might not know what all these are right now.

69
00:04:39,900 --> 00:04:47,910
But we're going to see why compromising this NTDS file will lead to amazing things as an attacker

70
00:04:47,940 --> 00:04:48,720
for us.

71
00:04:48,740 --> 00:04:50,820
We'll get into the attacking side of things.

72
00:04:50,940 --> 00:04:53,070
So that's all I want you to take away from this.

73
00:04:53,070 --> 00:04:58,800
I want you to take away these two components, a domain controller and the data store, because the domain

74
00:04:58,800 --> 00:05:01,920
controller is one of our primary targets as an attacker.

75
00:05:01,920 --> 00:05:04,050
That is the big cheese, right?

76
00:05:04,050 --> 00:05:05,010
We want to attack it.

77
00:05:05,010 --> 00:05:08,080
We want to compromise it because that's where all the data is stored.

78
00:05:08,100 --> 00:05:10,400
That's what's doing our authentication.

79
00:05:10,470 --> 00:05:14,100
That is where everything about anything is there.

80
00:05:14,100 --> 00:05:18,350
And we're going to live inside the domain controller for a while when we're doing our lab build.

81
00:05:18,360 --> 00:05:23,220
We set everything up, we set up our policies, you're going to get a good feel for what exactly you can

82
00:05:23,220 --> 00:05:30,210
do on a domain controller, and then know the data store. The data store has this NTDS file and that

83
00:05:30,210 --> 00:05:35,460
file includes all information from Active Directory data, including password hashes.

84
00:05:35,460 --> 00:05:37,740
Big, big, big thing to remember.

85
00:05:37,770 --> 00:05:42,210
So that's it. From here we're going to talk quickly about logical items and then we're going to move on

86
00:05:42,210 --> 00:05:44,370
to building our lab, which is going to be super exciting.