Users

Users

User Identification

SamAccountName: Username of the user
SID: domain +
DistinguishedName: used in LDAP to identify objects in an Active Directory.

User Secrets

NTLM

NTHash

NTHash = MD4(UTF-16-LE(password))
# UTF-16-LE: Little endian format of the UTF-16 charset

Can be used to perform Pass-The-Hash or Overpass-The-Hash attacks.

LMHash

Old and discontinued from Vista/Server2008

padded_password = PAD-14(password.to_upper())
padded_password = password1[0:7] + password2[8:14]
LMHash = DES("KGS!@#$%",password1) + DES("KGS!@#$%",password2)

Dumping password on modern system will show aad3b435b51404eeaad3b435b51404ee (LMHash of empty string)

Kerberos Keys

Kerberos keys are derived from the user's password.

Algorithms

AES 256 Key: Used by AES256-CTS-HMAC-SHA1-96 algorithm (Most Used).
AES 128 Key: Used by AES128-CTS-HMAC-SHA1-96 algorithm.
DES Key: Used by DES-CBC-MD5 algorithm.
RC4 Key: NTHash of the user used by RC4-HMAC algorithm.

User Account Control

A property of a User Class in AD. This property has certain flags:
ACCOUNTDISABLE: Account is disabled and cannot be used.
DONT_REQUIRE_PREAUTH: The account doesn't require Kerberos pre-authentication.
NOT_DELEGATED: This account cannot be delegated through Kerberos delegation.

User Properties

Description
AdminCount
MemberOf: Groups of which the user is a member of
PrimaryGroupID: Primary group of the user. Does not appear in MemberOf.
ServicePrincipalName

Computer Accounts

Each computer in the domain has it's own user. Users are stored in the User class. Computers are stored in the Computer class which a subclass of the User class. It is stored as Hostname$.

Trust Account

When trust is established with a domain, a trust user account is created which also ends with a $ symbol. The username of this account is the net-bios name of the domain. This user stores the trust key, as the NThash or kerberos keys.

Last updated 6 months ago