AD Hacking Lab Setup
Cybermentor
Description: A beginner's guide to hacking Windows Active Directory. This is a follow-along guide and notes for Cyber Mentor's Udemy course https://www.udemy.com/course/practical-ethical-hacking/ It is highly recommended to sign up (for a small fee), as he always gives out discount coupons!
Credits to:
Heath Adams (CyberMentor) Pentesting Udemy course - https://www.udemy.com/course/practical-ethical-hacking/
Setting up lab
Using VMware Workstation 15 Player
1 x Win Server 2019 (Domain controller)
1 x Win 10 Enterprise - User machine 1
1 x Win 10 Enterprise - User machine 2
1 x Kali Linux - Attacker
(each machine gets about 2 GB RAM, 8 GB RAM in total)
Download the required ISOs from https://www.microsoft.com/en-us/evalcenter/
VM Setup
Remove floppy drives
Network: NAT
Windows Server installation:
Domain Controller (OS Installation)
(Setting up Domain Controller)
Settings > View Your PC Name > Rename this PC > eg. myDomainController and restart
Set any password eg. P@$$w0rd
Player > Manage > Install VMWare Tools
Server Manager > Dashboard > Manage > Add Roles and Features > Role-based or feature-based installation > [x] Active Directory Domain Services > Next > Install
Server Manager > Flag icon > 'Promote this server to a domain controller'
Add a new forest > Root domain name eg. ADHACKING.local > Next
Give DSRM a password eg. P@$$w0rd > Next for all > Install
User machine (OS Installation)
(Setting up User machine)
Player > Manage > Install VMWare Tools
Settings > View Your PC Name > Rename this PC > eg. Saul-PC and restart
Note: Complete these steps again for the 2nd machine
account name: walter white
pass: Password1
PC name: Walter-PC
Setting up AD, Groups and Policies
Log in to the Windows Server (domain controller)
Server Manager > Dashboard > Tools > Active Directory Users and Computers
Right click root domain eg. ADHACKING.local > New > Organizational Unit > Groups
Move all users (except Administrator and Guest) from the Users directory to Groups
Right click under the Users directory > create the following users
For all user creation do:
[uncheck] must change pass at next logon
[check] password never expires
Copy "administrator" (domain admin account)
logon: gus
pass: Password2020@!
Copy "administrator" (domain admin account)
logon: SQLService
pass: MYpassword123#
Description: Password is MYpassword123#
New > User (domain user account)
logon: saul
pass: Password123
New > User (domain user account)
logon: walter
pass: Password123
A no-no here is giving domain admin rights to service accounts like SQLService. Even though this is a fake account, in real life there are cases where domain admin rights are given to these kinds of services. Another is the description field, where administrators sometimes think it's a good idea to put their passwords, thinking no one else can see it.
Configuring File server (Opening SMB)
SMB file sharing is enabled so that ports 445 and 139 are open and we can hack them in the lab later.
Server Manager > Dashboard > (side menu) File and Storage Services > Shares
TASKS > New Share > SMB Share - Quick > Next
Share name: hackme > Next until > Create
Creating Service Principal Name (SPN)
Setting up for the Kerberoasting attack
Win > Command Prompt > Run as administrator
Set the SPN using
setspn -a myDomainController/SQLService.ADHACKING.local:60111 ADHACKING\SQLService
Check that the SPN is set
setspn -T ADHACKING.local -Q */*
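The weak account settings this lab creates on purpose (a domain admin service account with an SPN, a password in the description field, passwords that never expire) are also what a defender audits for. The PowerShell below is an added example, not part of the original guide or the course; Find-RiskyAccount is a hypothetical helper name and the sample objects are constructed to look like Get-ADUser output for the lab accounts.

```powershell
# Added example. Find-RiskyAccount is a hypothetical helper, not a built-in cmdlet.
function Find-RiskyAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Account,
        # Groups treated as privileged (assumption: extend for your domain).
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')
    )
    begin {
        $names = $PrivilegedGroups | ForEach-Object { [regex]::Escape($_) }
        $privPattern   = '^CN=(' + ($names -join '|') + '),'   # matches the group DN prefix
        $secretPattern = '\b(pass(word)?|pwd)\b'               # -match is case-insensitive
    }
    process {
        $isPrivileged = [bool](@($Account.MemberOf) -match $privPattern)
        $hasSpn = @($Account.ServicePrincipalName | Where-Object { $_ }).Count -gt 0
        $findings = @()
        if ($hasSpn -and $isPrivileged) {
            $findings += 'SPN on a privileged account (Kerberoasting exposure)'
        }
        if ($Account.Description -match $secretPattern) {
            $findings += 'Description field mentions a password'
        }
        if ($hasSpn -and $Account.PasswordNeverExpires) {
            $findings += 'SPN account password never expires'
        }
        # Emit one row per account that has at least one finding.
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Account  = $Account.SamAccountName
                Findings = $findings -join '; '
            }
        }
    }
}

# Constructed sample objects shaped like Get-ADUser output for this lab's accounts.
$da = 'CN=Domain Admins,OU=Groups,DC=ADHACKING,DC=local'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'SQLService'; MemberOf = @($da)
        ServicePrincipalName = @('myDomainController/SQLService.ADHACKING.local:60111')
        Description = 'Password is MYpassword123#'; PasswordNeverExpires = $true }
    [pscustomobject]@{ SamAccountName = 'gus'; MemberOf = @($da)
        ServicePrincipalName = @(); Description = $null; PasswordNeverExpires = $true }
    [pscustomobject]@{ SamAccountName = 'saul'; MemberOf = @()
        ServicePrincipalName = @(); Description = $null; PasswordNeverExpires = $true }
)
$sample | Find-RiskyAccount | Format-Table -AutoSize -Wrap
```

On the domain controller, pipe Get-ADUser -Filter * -Properties Description,ServicePrincipalName,MemberOf,PasswordNeverExpires into the function instead of $sample. MemberOf lists direct group memberships only, so privilege gained through nested groups is not flagged.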
Group Policy Configuration
Disabling Windows Defender for lab purposes (topics like AV bypass and evasion are not covered in this lab)
Win > Group Policy Management > Run as administrator
Expand Forest > Domains > ADHACKING.local > right click > Create a GPO in this domain > Disable Windows Defender
Expand Forest > Domains > ADHACKING.local > right click Disable Windows Defender > Edit
Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Antivirus
Double click 'Turn off Windows Defender Antivirus' > [check] Enabled
Connecting all machines
On both machines, create a folder and set up a network share.
On the first machine, give the first domain user local administrator rights.
On the second machine, give BOTH domain users local administrator rights.