
Thursday, January 2, 2014

001 - Active Directory Partitions

Active Directory



From Wikipedia,

Active Directory (AD) is a directory service implemented by Microsoft for Windows domain networks. It is included in most Windows Server operating systems.
An AD domain controller authenticates and authorizes all users and computers in a Windows domain type network—assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or normal user.[1]
Active Directory makes use of Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS.

End



Introduction


Active Directory contains four partitions, each managed from its own console:

Partition name           Console
Domain Partition         Active Directory Users and Computers
Configuration Partition  Active Directory Sites and Services
Schema Partition         mmc, Active Directory Schema snap-in (after regsvr32 schmmgmt.dll)
Application Partition    DNS console

To install these four partitions you need an NTFS partition with a minimum of 250 MB of free space.

Before we start our tour, keep in mind that every operation related to a partition can basically be configured and managed from the console attached to that partition.

Domain Partition


Contains all the objects inside my domain controller (users, OUs, computers, groups, contacts …); any time you touch one of these objects, you are interacting with the domain partition.

Other objects (printers, shared folders, …) must be published into Active Directory before you can manipulate them as part of the domain partition, because a shared folder, for example, can live on a file server and have no relation at all to the domain controller.

Configuration Partition


Before we get to the notion of this partition, let’s first discuss the philosophy Microsoft servers use to let a user access particular data:




Now that you understand how the authentication method works, let’s take another concept.

Let’s assume that we have two sites and a newly hired user, as described in the following scheme:




OK, how does the domain controller know about the new user, and how does it decide to give him access to the data?

Global Catalogue


It is like a center containing information about all the resources in the forest; to keep track of these resources it does something called replication, which means replicating information between authorized domain controllers.
This is how the additional domain controller knew about the resources on site 1, and this is how the new user gains access to the resources he has permissions on.

All of that requires configuration, and all of it happens inside the configuration partition.

Schema Partition


Contains two parts: classes and attributes (the properties of the classes). Its role is to define what information is written about users and computers.
For example, when you install Exchange Server you execute the prepare command; for what?

Of course, to extend the schema, which means adding extra properties to classes such as users and computers. All of that will become clear soon, don’t worry :)

Application Partition


This is the DNS, and it is optional: if the zone type is an Active Directory-integrated zone, then you have 4 partitions; otherwise, if it’s a standard primary zone, you only have 3 partitions.

Inheritance


An additional domain controller takes whatever partitions are available on the primary domain controller.
A child domain or a new tree takes only the schema and the configuration partition: configuration because it needs to reach the resources defined by the global catalogue we saw before, and schema because, as we will see later with Exchange, it is installed once for the whole forest.

The domain partition is not inherited because it is unique; every domain has its own set of objects. The application partition is optional, which means you decide by the type of zone you choose.

Installation


I said before that the application partition is optional, but in reality it is not; it’s the most important component. Why?
Because it contains the DNS, and the DNS must be installed with Active Directory, not later but together with the installation of Active Directory, or your domain will suffer a horrible life until you reformat it again, and you don’t want to do that.
Now, let’s start the fun part :)

Start with a clean Server 2008: no installation, no configuration, just as clean as a virgin :)

Setting IP Address


We need to tell our domain controller that it is the DNS server, and we do that by specifying the same IP address in both fields, as you see here:



In other words: “the server containing Active Directory needs to be one with the DNS”.
Of course, if you want, you can install a secondary DNS on a completely different server, a DHCP server for example, or even a workgroup machine.
Another experiment, to better understand this concept: when you finish the installation, change the zone type to a primary zone, then go and check ‘System32\DNS’ and you will find the database. Now change the zone type to an integrated zone, then go back to the previous location. What do you see? Where is the database?

Now the database is in ‘\NTDS’; take a look (DNS_database.avi).
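As an added example (not part of the original post), this PowerShell snippet reads the naming contexts a domain controller publishes through RootDSE and labels each one with the partition and console from the table above; the DomainDnsZones/ForestDnsZones contexts only appear when the zone is AD-integrated, which is the “fourth partition” this experiment is about. It assumes a domain-joined machine that can reach a DC over LDAP.

```powershell
# Added example, not from the original post. Maps the naming contexts published
# by RootDSE onto the four partitions (assumes a domain-joined machine with LDAP
# access to a domain controller).
$rootDse = [ADSI]"LDAP://RootDSE"

# The three partitions every DC holds are advertised as dedicated attributes.
$known = @{
    ([string]$rootDse.defaultNamingContext)       = 'Domain Partition        -> Active Directory Users and Computers'
    ([string]$rootDse.configurationNamingContext) = 'Configuration Partition -> Active Directory Sites and Services'
    ([string]$rootDse.schemaNamingContext)        = 'Schema Partition        -> Active Directory Schema snap-in'
}

foreach ($nc in $rootDse.namingContexts) {
    $nc = [string]$nc
    if ($known.ContainsKey($nc)) {
        "{0,-55} {1}" -f $nc, $known[$nc]
    }
    elseif ($nc -like 'DC=DomainDnsZones,*' -or $nc -like 'DC=ForestDnsZones,*') {
        # Only present when the DNS zone is AD-integrated: the zone data then lives
        # in NTDS instead of System32\DNS, which is what the experiment above shows.
        "{0,-55} Application Partition   -> DNS console" -f $nc
    }
    else {
        "{0,-55} Other application partition" -f $nc
    }
}
```

Run it once with a standard primary zone and once after switching to an integrated zone: the DnsZones lines appear only in the second run.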





Run dcpromo, choose the advanced features option, and hit next; make sure you are here:




Keep in mind when you take this option that the first forest takes the name of the first domain as its name.

Hit next




Enter the domain name and hit next. The forest name in this case will also be ‘hun7r.local’, because, as I said before, the first forest takes the name of the first domain within it.
Accept the default NetBIOS name and hit next.
Before I continue, I want to mention that the NetBIOS name is used for broadcast, whereas the FQDN is used with DNS.
Choose the forest functional level; every level opens new features, so read the details section to review them. For now I’ll just stick with 2000; do as I do if you follow my tutorials, and I’ll explain why later, when we reach the advanced stuff.
For now, you can assume that the forest functional level decides what kind of servers this forest can have.
Accept the default and hit next; make sure DNS is checked, otherwise you will suffer, then continue.


We discussed NTDS and the log file before, in the introduction; SYSVOL is for the policies, and by default it is shared and follows the users everywhere.
And that’s it, a couple more nexts. Before I forget, you may want to export the settings you just set, in case ..

This is where the wizard starts creating all the partitions we discussed earlier, one by one:



Wait until the installation ends, restart your computer, and happy new domain controller :)

Note

There are a couple of things I want to mention here:
  • There is no such thing as a SAM file anymore: all the users, even the local users that existed before installing the domain controller, are now inside Active Directory, and they cannot access this computer unless you enable local access to the domain controller; you can check that from (Computer, Manage).



  • Open (Active Directory Users and Computers): any new thing you add or modification you make from this console means you are playing on the domain partition’s ground.
  • For the story I told before about the published folder, you may want to take a look at this demo (publish_folder.avi):




  • In this demo, the moment I set the folder to be published is the moment LDAP can reach it from the Users and Computers console; this means it is now one of the components you can play with within the domain partition.

Consoles

Active Directory Sites and Services

From this console you can manage the configuration partition, but first there are a couple of notes I want to mention:

  • Sites: a site is the physical location where you find the servers. By default Windows creates (Default-First-Site-Name), which contains all the available servers, but you can create multiple sites according to how many locations you have.


  • Subnets: now we have created the sites, but how is Windows going to tell that this server or child domain belongs to this site? Every site has its own subnet, so from this console we tell the server the subnet used by each site, and when we create a server with a particular subnet, the configuration partition will magically put that server into the preferred site.


Then you add the subnet, select a site and hit the OK button:



We will delve into this in more detail in a later tutorial :)

Active Directory Schema


This is where you manage the schema partition. To run this console you first need to register the schmmgmt.dll file using the command regsvr32 schmmgmt.dll, then run it from mmc; the video (run_schema_console.avi) explains how to do that in more detail :)




ADSI Edit


Allows you to manage all Active Directory partitions from one place. It is installed by default on Server 2008, but on Server 2003 you need to install it.
You can take a look at (install_adsiEdit_2003.avi).




That’s it.
Feel at home and be my guest

Dr_Hun74

Wednesday, January 1, 2014

001 - BUILD, RUN and DEBUG DRIVERs


Prerequisites
Do you know how to code in C?
Download the WDK and install it, and get your hands on any text editor you like.
I will introduce you later to a more advanced way to develop kernel drivers using Visual Studio, but if you’re a beginner you must learn the hard way first, to better understand the rules, then break them ;)

Build Your First Driver
Create a new folder on your ‘C:\’ drive and call it ‘my_driver’. Inside this folder create a new file named ‘HelloDriver.c’, then copy and paste the following code:

/*
 *+++++++++++++++++++++++++++++++++++++++++++++++++++
 * Author  : Dr_Hun74
 * Module  : HelloDriver.c
 *
 * Implements a very basic driver to describe how to
 * use the WDK to build the driver, load it, and debug
 * it using the WinDbg (kd.exe) debugger.
 *+++++++++++++++++++++++++++++++++++++++++++++++++++
 */
#include <ntddk.h>

//
// NOTE: You don't have to use these macros; you can simply use
//       DbgPrint () as you would printf ().
//       FUNCTION is redefined before each routine, so it is
//       #undef'd first: the WDK build treats the macro
//       redefinition warning as an error.
//
#define FUNCTION    ""
#define TRACE(msg_Trace)  DbgPrint("fnct__%s: %s\n", FUNCTION, msg_Trace)

//
// Role-type declarations, so the compiler checks our prototypes
// against what the kernel expects.
//
DRIVER_INITIALIZE DriverEntry;
DRIVER_UNLOAD     DriverUnload;


/*++

Routine Description:
 This routine is the driver unload routine.

Arguments:
        pDriverObject - Pointer to driver object created by the system.

Return Value:
    None.

--*/
#undef  FUNCTION
#define FUNCTION "DriverUnload"
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
 UNREFERENCED_PARAMETER(pDriverObject);

 TRACE("Unloading the driver");

 return;
}


/*++

Routine Description:
    This is the EntryPoint of the driver.

Arguments:
    pDriverObject - Pointer to driver object created by system.
    pus_RegPath   - Pointer to the Unicode name of the registry path
                    for this driver.

Return Value:
    The function value is the final status from the initialization operation.

--*/
#undef  FUNCTION
#define FUNCTION "DriverEntry"
NTSTATUS DriverEntry( PDRIVER_OBJECT pDriverObject,
      PUNICODE_STRING pus_RegPath
      )
{
 UNREFERENCED_PARAMETER(pus_RegPath);

 TRACE("Loading the driver");

 //
 // This tells the I/O manager where our Unload routine is;
 // without it the driver cannot be stopped with "sc stop".
 // Don't worry about it for now, I'll get to it in another
 // tutorial.
 //
 pDriverObject->DriverUnload = DriverUnload;

 return STATUS_SUCCESS;
}

Now create another file, ‘SOURCES’, and copy the following into it:

TARGETNAME   = HelloDriver
TARGETPATH   = obj
TARGETTYPE   = DRIVER

INCLUDES     = %BUILD%\inc
LIBS         = %BUILD%\lib

SOURCES       = HelloDriver.c

One more file, named ‘makefile’ (no extension, since build.exe runs nmake against it); it only pulls in the WDK’s makefile.def. I promise this is the last one:

!INCLUDE $(NTMAKEENV)\makefile.def

Your ‘C:\my_driver’ folder should look like this:


After you’ve done that, go to your Start menu and select the build environment you want to target; for me I’ll choose Windows 7.

Another thing I want to tell you:

Checked : debug build
Free    : release build


Now execute the following commands; don’t forget to navigate to where you put the source files:

cd \my_driver
build


If the build was successful you should see a new ‘.sys’ driver created inside your folder, meaning that you’re ready to go to the next step.


Load/UnLoad the Driver

To load our driver we use SCM, the Service Control Manager provided by Microsoft; we are also going to use a tool from Sysinternals, DbgView.exe, to catch the messages from our driver.
From an elevated command prompt, execute the following commands.

Load/Run the driver:
sc create Hello binpath= C:\my_driver\objchk_win7_x86\i386\HelloDriver.sys type= kernel
sc start Hello

Unload/Stop the driver:
sc stop Hello


Now, let’s take a look at DbgView and see what it caught for us, but before that:


And here we go:


Debug Driver

I will assume that you already know the basics of using the WinDbg debugger; if you don’t, there are some really good resources that give you a quick start :)
Look at the folder ‘UsefulRessources’ provided with this document, or at the link below if you are reading this from my blog ‘hun7r.blogspot.com’.
Run your target machine with kernel-mode debugging enabled, then attach WinDbg to it; if you don’t know how to do this, refer to the files I mentioned before.
After you do that, set an unresolved breakpoint (bu, see http://msdn.microsoft.com/enus/library/windows/hardware/ff560012(v=vs.85).aspx) on the DriverEntry () function.

By default, DbgPrint messages do not appear in WinDbg when the driver runs on Windows Vista/7, because they are filtered. You can clear this filtering with this simple command:
kd> ed nt!kd_DEFAULT_MASK 0x8


Now start the driver as we saw before (sc start HelloDriver bin …), and do not forget to run DbgView.exe on the target machine.

Take a look at your WinDbg; you’ll notice that it magically loads the source code and breaks on the DriverEntry () routine.
Hit F10 twice to execute the DbgPrint () call, and keep watching the debug window in WinDbg:




Now hit the Go button, or just type g.
Set another unresolved breakpoint on Hello!DriverUnload, hit Go, stop the driver from the target machine, get back to WinDbg and repeat the same experiment.
Now stop the driver from an elevated command prompt as we saw before.

Did it show the unload driver trace message?

Debug Driver at Boot Time
This is just another experiment, nothing special, except for two things:
  1. You need to copy your driver to ‘%SYSTEMROOT%\System32\Drivers\’
  2. Update some registry keys
And that’s it.


For step 2, use the following C code: compile it and pass it the name of the driver you want to run at boot time as the first argument.
/*
 * Author  : Dr_Hun74
 * Builds a straightforward .reg file that registers a driver to start at boot time.
 *
 * You are free to develop this .c program as you wish ;)
 *
 */

#include <stdio.h>

int main (int argc, char *argv [])
{
 FILE *fptr;
 const char *pDriverName;

 if (argc != 2)
 {
  printf ("\n> Dr_Hun74:\n");
  printf ("Usage: %s <DriverName>\n", argv [0]);
  getchar ();
  return 0;
 }
 pDriverName = argv [1];

 printf ("\n> Dr_Hun74!_GenRegBootDriver:\n");
 printf (" >>> Generating registry values, to start driver at boot time ...\n");
 printf (" >>> Happy Coding, zirek %c\n\n", 0x2);

 /* Write the .reg file in the current directory; bail out if it cannot be created */
 fptr = fopen ("BootRegDriver.reg", "w");
 if (fptr == NULL)
 {
  perror ("fopen BootRegDriver.reg");
  return 1;
 }

 /* Service key values: Type 1 = kernel driver, Start 0 = boot start,
  * ErrorControl 1 = normal (log the error and continue booting)      */
 fprintf (fptr, "Windows Registry Editor Version 5.00\n\n");
 fprintf (fptr, "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\%s]\n", pDriverName);
 fprintf (fptr, "\"Type\"=dword:00000001\n");
 fprintf (fptr, "\"Start\"=dword:00000000\n");
 fprintf (fptr, "\"ErrorControl\"=dword:00000001\n");
 fprintf (fptr, "\"Group\"=\"Base\"\n");
 fprintf (fptr, "\"ImagePath\"=\"\\SystemRoot\\System32\\Drivers\\%s.sys\"\n", pDriverName);
 fprintf (fptr, "\"Description\"=\"Dr_Hun7r - Rootkit Driver, be careful\"\n");
 fprintf (fptr, "\"DisplayName\"=\"%s\"\n", pDriverName);

 fclose (fptr);
 printf (".done\n");

 return 0;
}

Assuming you compiled the code under the name ‘GenRegBootDriver.exe’, open your elevated command prompt and execute it as follows:
GenRegBootDriver HelloDriver (without ‘.sys’), and also make sure you copied the driver to the location I mentioned in the first step.
After you generate the .reg file, run it and restart your system; if the machine is attached to WinDbg it will break before Windows starts any driver, so repeat the same experiment we used before to debug the driver.
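As an added example (not the post’s code), here is a defender-side PowerShell check for the registry setup the generator above produces: it lists every service registered as a boot-start kernel driver (Type 1, Start 0), resolves its ImagePath the way the kernel would, and reports whether the image exists on disk and carries a valid signature. It assumes an elevated session on the machine you are inspecting.

```powershell
# Added example, not from the original post. Enumerates boot-start kernel drivers
# (the Type=1 / Start=0 combination the .reg generator writes) and checks each
# image on disk. Assumes an elevated PowerShell session on the inspected machine.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-DriverImagePath([string]$ImagePath, [string]$ServiceName) {
    # A missing ImagePath means the kernel looks for System32\Drivers\<service>.sys
    if (-not $ImagePath) { $ImagePath = "System32\Drivers\$ServiceName.sys" }
    # Registry values are NT paths: strip the \??\ prefix and expand \SystemRoot
    $ImagePath = $ImagePath -replace '^\\\?\?\\', ''
    $ImagePath = $ImagePath -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($ImagePath -notmatch '^[A-Za-z]:\\') { $ImagePath = Join-Path $env:SystemRoot $ImagePath }
    return $ImagePath
}

Get-ChildItem $servicesKey | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    if ($p.Type -ne 1 -or $p.Start -ne 0) { return }   # keep only boot-start kernel drivers

    $image  = Resolve-DriverImagePath ([string]$p.ImagePath) $_.PSChildName
    $status = if (Test-Path -LiteralPath $image) {
        (Get-AuthenticodeSignature -FilePath $image).Status
    } else { 'FileMissing' }

    [pscustomobject]@{
        Service   = $_.PSChildName
        Start     = $p.Start
        ImagePath = $image
        Signature = $status   # anything other than Valid deserves a closer look
    }
} | Sort-Object Signature, Service | Format-Table -AutoSize
```

Run it after importing BootRegDriver.reg and the Hello service shows up with Signature NotSigned, which is exactly how a boot-start test driver looks to anyone auditing the box.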


Feel at home
and be my guest,

Best
Dr_Hun74