Active Directory

SID: Security Identifier. Every security principal in AD gets assigned a SID. A security principal is a user or object that is set up to have security/permissions assigned to it for resource use.

RID: Relative ID. This is the last part of the SID and identifies the particular user or group account.

SID layout, field by field:

  • S: indicates it is a SID string.
  • 1: the version of the SID structure. Windows NT and later starts with 1.
  • 5: identifier authority. 5 = NT Authority.
  • Domain identifier.
  • RID: identifies the particular account or group.
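A small decoder for the SID layout above, added here as an example (it is not from the original notes): it parses both the textual S-1-5-... form and the binary form stored in the LDAP objectSid attribute, splits out the identifier authority, domain identifier and RID, and applies the RID conventions from these notes (RIDs below 1000 are reserved; 500 = Administrator, 512 = Domain Admins). The sample SID is constructed, not taken from a real domain.

```python
from dataclasses import dataclass

WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins"}  # RIDs called out in these notes
IDENTIFIER_AUTHORITIES = {5: "NT Authority"}

@dataclass
class Sid:
    revision: int          # version of the SID structure; 1 for Windows NT and later
    authority: int         # identifier authority; 5 = NT Authority
    sub_authorities: list  # domain identifier values followed by the RID

    @property
    def rid(self) -> int:
        # The RID is the last sub-authority; everything before it identifies the domain.
        return self.sub_authorities[-1]

    def describe(self) -> dict:
        return {
            "authority": IDENTIFIER_AUTHORITIES.get(self.authority, str(self.authority)),
            "domain": "-".join(str(s) for s in self.sub_authorities[:-1]),
            "rid": self.rid,
            "reserved": self.rid < 1000,  # RIDs below 1000 are reserved/special accounts
            "name": WELL_KNOWN_RIDS.get(self.rid),
        }

def parse_sid_string(text: str) -> Sid:
    """Parse the textual form S-<revision>-<authority>-<sub>...-<RID>."""
    parts = text.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    return Sid(revision, authority, [int(p) for p in parts[3:]])

def parse_sid_bytes(raw: bytes) -> Sid:
    """Parse the binary form (e.g. the LDAP objectSid attribute): revision (1 byte),
    sub-authority count (1 byte), 48-bit big-endian authority, 32-bit LE sub-authorities."""
    revision, count = raw[0], raw[1]
    if count < 1 or len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = [int.from_bytes(raw[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return Sid(revision, authority, subs)

if __name__ == "__main__":
    # Constructed sample SID, not taken from any real domain.
    print(parse_sid_string("S-1-5-21-1004336348-1177238915-682003330-500").describe())
```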

RIDs below 1000 are reserved/special accounts. Important RIDs: 500 (Administrator account), 512 (Domain Admins group).

Forests: clusters of domains that use "trusts" between them, so one security principal in domain A can request and access information from domain B. In a corporate environment there is a legitimate need for this. There can also be multi-forest setups that have trusts between them.

NTLM (Msv1_0.dll): dependent on the Net Logon service. Does client authentication and authorization. NTLM utilizes trusts and is used when Kerberos is not available.

Kerberos (Kerberos.dll): connects the KDC (Key Distribution Center) and Active Directory for the Ticket Granting Service (TGS). This is used only for cross-operating-system permission interactions, like between Windows and Linux.

Net Logon (Netlogon.dll): this is the AD authentication secure channel protocol. It is utilized when trusts are being set up or managed, during authentication, and for DC location:

  • Trust setup and management – Net Logon helps maintain trust passwords, gathers trust information and verifies trusts by interacting with the LSA process and the TDO. For forest trusts, the trust information includes the Forest Trust Information (FTInfo) record, which includes the set of namespaces that a trusted forest claims to manage, annotated with a field that indicates whether each claim is actually trusted by the trusting forest.
  • Authentication – supplies user credentials over a secured channel to a domain controller and returns the domain SIDs and user rights for the user.
  • Domain controller location – helps with finding or locating domain controllers in a domain or across domains.
  • Pass-through validation – credentials of users in other domains are processed by Net Logon. When a trusting domain needs to verify the identity of a user, it passes the user's credentials through Net Logon to the trusted domain for verification.
  • Privilege Attribute Certificate (PAC) verification – when a server using the Kerberos protocol for authentication needs to verify the PAC in a service ticket, it sends the PAC across the secure channel to its domain controller for verification.

LSA (Lsasrv.dll): Local Security Authority, which maintains local security policies and works in both kernel mode and user mode for validating user access to objects.

TDO (Trusted Domain Object): the container that is created for every trust that is established. The trust object contains different information depending on whether it is for a forest trust or a domain trust. The more of these are set up, the slower access will be. New DCs limit this to 2400 trusts. The trust link also cannot be longer than 10 trusts to get to the object.

  - 1-way vs 2-way: trusts can be bidirectional or single-direction relationships, where for a 1-way trust only A can request information from B but not the other way. All forests are 2-way but domains can have either.
  - Transitive vs non-transitive: a non-transitive trust is an explicit trust between domains that cannot be inherited.
  - pickup:
    http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10)?redirectedfrom=MSDN
    https://dirkjanm.io/active-directory-forest-trusts-part-one-how-does-sid-filtering-work/
    https://dirkjanm.io/page3/

Look into

- AD hacking assistance PS scripts: https://github.com/PowerShellMafia/PowerSploit/tree/dev
- PentestWS for notes
- Responder
- NTLMrelayx vs SMBrelay
- MITM6
- ldapdomaindump
- aclpwn.py

Attacks:
