
Active Directory

AD

To find the DC, run nslookup from a computer on the network. If there is more than one DC, they are named differently, for example dc1, dc2, etc...

The collection of all DCs is called a forest

cross forest attack

There are 2 kinds of relationship (TRUST): 1 - bidirectional relationship. 2 - unidirectional (one-way) relationship. If dc1 - dc2, it is unidirectional; if dc1 - dc2, it is bidirectional

A DC can also have children, for example dc1.1, DC1.2, etc... Their relationships are similar to the above, except that the child can access the main DC but the main DC has no access to the child; it always goes from top to bottom (PARENT_CHILD)

  • comp, users, groups = domain
  • comp, users, groups, domains = tree
  • comp, users, groups, domains, tree = forest

Everything contained in AD is called an Object.

Attribute - objects have attributes, for example: name, lastname, ip

Access control entries (ACE) -> show the rights of the computers, users and groups in AD.

Access control list (ACL) -> a collection of ACEs
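What "an ACL is a collection of ACEs" looks like in practice, as an added example that is not part of the original notes: Windows serializes a security descriptor as an SDDL string in which each parenthesised group is one ACE. The function names and the sample string are hypothetical and constructed for illustration; the check flags allow ACEs that give a domain-wide group write-class rights.

```python
import re

# Subset of SDDL rights codes that let a trustee modify an object.
WRITE_RIGHTS = {"GA": "GenericAll", "GW": "GenericWrite", "WD": "WriteDacl",
                "WO": "WriteOwner", "WP": "WriteProperty"}
# SDDL SID aliases that cover (almost) every account in the domain.
# Note: "WD" means WriteDacl in the rights field but Everyone in the trustee field.
BROAD_TRUSTEES = {"AU": "Authenticated Users", "WD": "Everyone", "DU": "Domain Users"}

# Constructed sample descriptor (owner/group = Domain Admins, five ACEs in the DACL).
SAMPLE_SDDL = ("O:DAG:DAD:AI(A;;RPLCRC;;;AU)(A;;GA;;;DA)"
               "(A;CI;WPWD;;;AU)(D;;WP;;;DU)(A;;RPWP;;;SY)")

def parse_dacl(sddl):
    """Return the ACEs of the DACL ("D:" part) of an SDDL string as dicts."""
    m = re.search(r"D:([^()]*)((?:\([^()]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        fields = body.split(";")
        if len(fields) < 6:
            continue  # malformed ACE, skip it
        # ACE layout: type;flags;rights;object_guid;inherit_object_guid;trustee
        ace_type, flags, rights, obj_guid, _inherit, trustee = fields[:6]
        # Rights are two-letter codes run together, or a single hex mask.
        codes = [rights] if rights.startswith("0x") else re.findall("..", rights)
        aces.append({"type": ace_type, "flags": flags, "rights": codes,
                     "object": obj_guid, "trustee": trustee})
    return aces

def risky_aces(sddl):
    """List (trustee, rights) for allow ACEs granting write rights to broad groups."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace["type"] not in ("A", "OA"):  # A = allow, OA = object-specific allow
            continue
        if ace["trustee"] not in BROAD_TRUSTEES:
            continue
        hits = [WRITE_RIGHTS[r] for r in ace["rights"] if r in WRITE_RIGHTS]
        if hits:
            findings.append((BROAD_TRUSTEES[ace["trustee"]], hits))
    return findings

if __name__ == "__main__":
    for trustee, rights in risky_aces(SAMPLE_SDDL):
        print(f"review: {trustee} is allowed {', '.join(rights)}")
```

Hex rights masks are kept as a single opaque value and are not decoded here, so an ACE written that way is never flagged.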

Fully qualified domain name (FQDN) -> dc1.chala.uz, kassa.chala.uz, dev.chala.uz, username.chala.uz. The full name of the computer, i.e. the host.

SAM Account name = the user's name

User Principal name = a.nosirov@chala.uz

Group Policy Object -> rules written for Groups

Any user CAN enumerate -> can view.

For example:

  • Users
  • Computers
  • Groups
  • GPO
  • ACL
  • Password policy
  • Domain trusts
  • Organizational units
  • Functional domain level