In the previous article, a comprehensive discussion of Active Directory concepts was done. In this, we will be going through each and every step of AD Lab Setup For Exploitation. Later on, we will use this lab environment for attacking purposes.
This article and series is inspired from TCM PEH course.
AD Lab Requirements
The lab environment will consist of
- 1 Windows Server 2019 machine
- 2 Windows 10 Enterprise machines
- Virtualization Software (I use VMWare Workstation)
Hardware requirements are as follows for a smooth experience
- 60GB Disk Space
- 16 GB RAM
You can download the ISOs from the following links
Make sure you download ISO (64-bit) and not any other format.
AD Lab Setup
First of all, we need to create virtual machines using ISO files
Setting Up Domain Controller
Open VMWare Workstation and create a new machine. Choose server ISO and you will see the
New Virtual Machine Wizard. Make sure to select
Windows Server Standard Core as the version and leave everything else at default.
Upon not entering the windows product key, it will show a warning prompt but continue it
Next, you need to name the Virtual Machine and choose the place where the VM files will be stored
For the space allocations, you can leave the default 60GB and
Split virtual disk into multiple files as below
Once these settings are done, you will see a summary. Make sure you uncheck
Power on this virtual machine after creation box
The reason for not turning on the VM after creation is that while attaching the ISO, it includes a Floppy Disc using file autoinst.flp which will ask for an activation key while installation.
To come around this issue, when the machine is created, click on
Edit Virtual Machine Settings button and from there remove the Floppy as below
Following that, for a smooth experience, we need to increase the RAM and for this, increase it to 4GB. You can increase as per your available resources.
Also, make sure that the
Network Adapter is set to NAT by default. If not, then change to NAT.
Installing Windows Server 2019
After allocating the resources, we are ready to install the Windows Server. Power on the virtual machine and you will see a black screen asking for a key press for installation to begin.
Press any key and you will see the
Operating System Selection wizard. In that, you need to choose
Windows Server 2019 Standard Evaluation (Desktop Experience) as below
Following that, choose
custom install option
There you will see a drive with unallocated space as below
Create a new partition by clicking on New and then Apply. This will create some partitions and you need to select the one with the maximum free space to install the server to and click Next.
This will start installing the
Windows Server. Wait till it finishes and you will see a password prompt screen to set a password for the Administrator account. Type the password and let the setup finish.
I set the password for Administrator as P@$$w0rd
After the installation and logging into the account, you will see a Server Manager. This will open every time you turn on and login into the Server machine.
For a better experience of fullscreen, you might need to install VMWare Tools. For that, on the VMWare top navigation buttons, click on
VM --> Install VMWare Tools and you will see a setup prompt on the server
Choose the complete installation package and wait for the installation to finish
After the installation, it will ask for a reboot but cancel it. Go to
Settings --> About and change the PC name to resemble a Domain Controller (I’m using HYDRA-DC)
After this, reboot the machine
Installing Domain Controller
Server Manager, click on
Manage --> Add Roles and Features
This will bring up the wizard as follows
Installation Type make sure
Role-based or feature-based installation is selected
Server Selection you will be able to see the PC name
And finally in the
Server Roles, you will see
Active Directory Domain Services in the roles section
Check that box and a follow through the wizard and click
For the next steps of the wizard, choose the default options and keep going next till the Active Directory Domain Service is completely installed. Following images will help you show the exact screens
Promoting to Domain Controller
After the Domain Service is installed, you will be able to see an alert notification to promote the server to a DC
Click on the blue link and a configuration wizard will popup. In the deployment configuration, make sure to select
Add a new forest and write the domain name (I’m using MARVEL.local)
Next, it will ask for Directory Services Restore Mode password, type in the password (I’m using P@$$w0rd)
Keep clicking next and you will reach
Install and the server will become a DC after installation is complete. The machine will reboot and now the login screen will show the username along with the domain name as below
This indicates that we are now logging into the domain as administrator.
Setting Up User Machines
Now that we have setup the server, we will now setup user machines. For this, similar to server installation, choose ISO in VMWare Workstation and make sure to choose
Windows 10 Enterprise in the version dropdown
Installation process is similar as that of the server installation till you reach the following sign in screen
In the bottom, there’s a
Domain join instead button which will enable to join this machine to the domain. Clicking on the button, the usual user prompt will ask for the username (I’m using Frank Castle)
Following that, enter the password (I’m using P@$$w0rd1)
Also set some security questions and for privacy you can deselect all options (totally up to you)
Let the setup to finish. Now similar to the previous machine, install VMWare Tools and change the PC name (I’m using THEPUNISHER)
The machine will reboot.
Similar to this machine, create another machine.
I’m using the following information to setup the second machine
PC Name: SPIDERMAN Username: Peter Parker Password: P@$$w0rd2
Setting Up Users, Groups, and Policies
Having main things setup, we are ready to set the configurations and settings. Navigate to Server machine and in the Server Manager, click on
Tools --> Active Directory Users and Computers
There you will see the domain MARVEL. Right click on it and create a new OU
Name that OU as Groups to put all groups into it and proceed
Now, from the left navigation bar, click on Users and then select and drag all groups to the Group OU in the navigation bar
You will see a warning popup but click yes and proceed
This will leave the Users clean
Now we need to add some more users. For this, right click and create new user
In the wizard, put the details. I’m using the details as of the machine users I created before. Also for the logon name I’m using first name initial and last name convention.
Next, enter the password for the domain user (I’m using the same password as of the machines). Make sure to uncheck all boxes except
Password never expires
Upon next, you will see a summary of the user config
Click finish and the new user will be created.
To add one more normal user account, right click on the created user and click copy. Then enter the details similarly.
We also need 2 admin accounts. So copy the default Administrator account and create 2 accounts.
For your ease, following are the credentials I’m using for the setup.
User1 Name: Frank Castle Logon: fcastle Password: P@$$w0rd1 User2 Name: Peter Parker Logon: pparker Password: P@$$w0rd2 Admin User1 Name: Tony Stark Logon: tstark Password: P@$$w0rdadmin123! Admin User2 Name: SQL Service Logon: SQLService Password: MYpassword123#
We created SQLService account to have a service account running as administrator (as a vulnerability). Also for this user, we put a description for the password (assuming the network admin would put something in description for later remembrance)
Following is the final list of users
We will setup a SPN (Service Principal Name) as an attack vector for kerberoasting. As we have a SQLService, we will setup SPN for this service. For this, open cmd as admin and type in the following command (you can pick any port instead of 60111)
setspn -a HYDRA-DC/SQLService.MARVEL.local:60111 MARVEL\SQLService
To ensure that SPN is created, use the following command
setspn -T MARVEL.local -Q */*
In the end, you can see the SPN is created for SQLService.
For this, from the server manager, click on
File and Storage Services
Next click on
Shares and from dropdown, create a new task
Make sure to choose
SMB Share - Quick profile
Leave the settings to be on default
Next set a name for the share (I’m using hackme)
Finally, you will be able to see the share in the list
Now we need to set the policy for every machine that will be connected to the domain. For this, open
Group Policy Manager from start. There you will see the domain. Right click on it and create a GPO
Name that GPO as
Disable Windows Defender since we want all machines that connect to domain to have antivirus turned off.
Next edit the created GPO to disable AV
In the wizard, go to
Computer Configuration --> Policies --> Administrative Templates --> Windows Components --> Windows Defender Antivirus. There will be an option for
Turn off Windows Defender Antivirus
Double click on it and choose Enable and then apply.
Also, from the GPO settings, make sure to choose
Enforced as follows
Join Machines to Domain
Setting Up Share
Navigate to one of the Enterprise machines and create a folder (named Share) to share in the C drive and share it
Upon sharing, it will ask for network discovery. Turn it on and click yes
Setting Up DNS
Since we are connecting to the domain, we want to use domain as our DNS. For this, check the IP address of the Domain Server as follows
Next, go to adapter options and go to the properties of the connection
From the options double click IPv4 and just change the DNS radio button and enter the IP of Domain Server
Connecting to Domain
Finally, go to
Access work or School from the start search menu and click Connect
You will see a prompt to enter the account but at the bottom there is an option for connecting the device to local AD domain.
Next you will be asked to enter the domain name. Enter the domain name that was set previously and click next
Next it will prompt to enter the admin credentials. Make sure to enter the domain admin credentials to connect to the domain.
In the end it will prompt for the user of machine, just skip it and the machine will reboot
When the machine will reboot, you can login into the domain as the domain user as below
Giving Local Admin Privileges
Now we will give the local admin privileges to the user over the machine. For this, signout of the current user from the machine and login again with the domain admin
After that, right click on start button and choose
From there, go to
Local Users and Groups --> Groups
Double click on Administrators and you can see the default accounts
Add an entry and in the object name, you can just enter the logon name
Check Names and it will auto complete to the full domain name
Click on OK and then apply. The final list will be as follows
Repeat the same process for the other Enterprise machine to share a folder and giving local admin privileges but add fcastle as well in the list as administrator. So with this, we will have a user (fcastle) having admin privileges on 2 machines.
AD Lab Setup Complete
Finally, navigate back to the Server machine and open
Active Directory Users and Computers. From there, expand the domain and click Computers. You will see the both machines connected to the domain.