AD Hacking Lab Setup

Cybermentor

Description: A beginner's guide to hacking Windows Active Directory. This is a follow-along guide and notes for Cyber Mentor's Udemy course https://www.udemy.com/course/practical-ethical-hacking/ Highly recommended to sign up (with a small fee) as he always gives out discount coupons!

Credits to:

Setting up lab

Using VMware Workstation 15 Player

  • 1 x Win Server 2019 (Domain controller)

  • 1 x Win 10 Enterprise - User machine 1

  • 1 x Win 10 Enterprise - User machine 2

  • 1 x Kali Linux - Attacker

    (all machines would be about 2 GB RAM each = 8 GB RAM total)

Download the required ISOs from https://www.microsoft.com/en-us/evalcenter/

VM Setup

  • Remove floppy drives

  • Network: NAT

Windows server installation:

Domain Controller (OS Installation)

(Setting up Domain Controller)

  • Settings > View Your PC Name > Rename this PC > eg. myDomainController and restart

  • Set any password eg. P@$$w0rd

  • Player > Manage > Install VMware Tools

  • Server Manager > Dashboard > Manage > Add Roles and Features > Role-based or feature-based installation > [x] Active Directory Domain Services > Next > Install

  • Server Manager > Flag icon > 'Promote this server to a domain controller'

  • Add a new forest > Root domain name eg. ADHACKING.local > Next

  • Give DSRM a password eg. P@$$w0rd > Next for all > Install

User machine (OS Installation)

(Setting up User machine)

  • Player > Manage > Install VMware Tools

  • Settings > View Your PC Name > Rename this PC > eg. Saul-PC and restart

Note: Complete these steps again for the 2nd machine (account name: walter white, pass: Password1, PC name: Walter-PC)

Setting up AD, Groups and Policies

  • Login to windows server (domain controller)

  • Server Manager > Dashboard > Tools > Active Directory Users and Computers

  • Right click root domain eg ADHACKING.local > New > Organizational Unit > Groups

  • Move all users (except Administrator and Guest) from Users directory to Groups

  • Right click under Users directory > create the following users

For all user creation do:

  • [uncheck] must change pass at next logon

  • [check] password never expires

  • Copy "Administrator" (domain admin account): logon: gus, pass: Password2020@!

  • Copy "Administrator" (domain admin account): logon: SQLService, pass: MYpassword123#, Description: Password is MYpassword123#

  • New > User (domain user account): logon: saul, pass: Password123

  • New > User (domain user account): logon: walter, pass: Password123

    A no-no here is giving domain admin rights to service accounts like SQLService. Even though this is a fake account, in real-life environments there are cases where domain admin rights are given to these kinds of service accounts. The same goes for the description field: administrators sometimes think it is a good idea to put passwords there, thinking no one else can see it.

Configuring File server (Opening SMB)

    SMB file sharing is enabled so that ports 445 and 139 are open and can be attacked in the lab later.

  • Server Manager > Dashboard > (side menu) File and Storage Services > Shares

  • TASKS > New Share > SMB Share - Quick > Next

  • Share name: hackme > Next until > Create

Creating Service Principal Name (SPN)

    This sets up the lab for the Kerberoasting attack.

  • Win > Command Prompt > Run as administrator

  • Set the SPN using: setspn -a myDomainController/SQLService.ADHACKING.local:60111 ADHACKING\SQLService

  • Check that the SPN is set: setspn -T ADHACKING.local -Q */*
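
The two misconfigurations planted above (a service account with an SPN that is also a domain admin, and a password left in the description field) are what a defender would audit a real domain for. The script below is an added example, not part of the course material; it assumes it is run on the domain controller in an elevated PowerShell session with the ActiveDirectory module that ships with AD DS.

```powershell
# Added audit example (not from the course): flag the weak account settings
# this lab creates on purpose. Read-only; it changes nothing in the directory.
Import-Module ActiveDirectory

# Distinguished names of every direct or nested member of Domain Admins.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty distinguishedName

# Pull every user once, with the attributes the checks need.
$users = Get-ADUser -Filter * -Properties ServicePrincipalName, Description, PasswordNeverExpires

$findings = foreach ($u in $users) {
    # krbtgt always carries an SPN and is not a regular service account.
    if ($u.SamAccountName -eq 'krbtgt') { continue }

    # Any account with an SPN can have a service ticket requested for it
    # by any authenticated domain user.
    $hasSpn = $u.ServicePrincipalName.Count -gt 0

    # Is the account a member of Domain Admins, directly or via nesting?
    $isDomainAdmin = $domainAdmins -contains $u.DistinguishedName

    # Description text that looks like it holds a credential.
    # -match is case-insensitive; a missing description evaluates to $false.
    $descHint = [bool]($u.Description -match 'pass|pwd')

    if (($hasSpn -and $isDomainAdmin) -or $descHint) {
        [pscustomobject]@{
            Account               = $u.SamAccountName
            HasSPN                = $hasSpn
            DomainAdmin           = $isDomainAdmin
            PasswordInDescription = $descHint
            PasswordNeverExpires  = $u.PasswordNeverExpires
        }
    }
}

# One row per account that needs attention.
$findings | Sort-Object Account | Format-Table -AutoSize
```

In the lab built above, the SQLService account should be reported on both counts.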

Group Policy Configuration

    Disabling Windows Defender for lab purposes (topics like AV bypass and evasion are not covered in this lab)
  • Win > Group Policy Management > Run as administrator

  • Expand Forest > Domains > ADHACKING.local > right click > Create a GPO in this domain > Disable Windows Defender

  • Expand Forest > Domains > ADHACKING.local > right click Disable Windows Defender > Edit

  • Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Defender Antivirus

  • Double click 'Turn off Windows Defender Antivirus' > [check] Enabled

Connecting all machines

    On both machines, create a folder and set up a network share.
    On the first machine, give the first domain user local administrator rights.
    On the second machine, give BOTH domain users local administrator rights.
