How To Set Up an AD Attack Lab Part One

Preparation

What you need for this lab:

  • At least 16GB of RAM; with less than that you may run into performance issues
  • VMware Workstation (Player should be fine but I used Pro 15.5)
  • Windows Server 2019 (Standard should be fine but I used Datacenter)
  • Windows 10 (2x) (Pro should be fine but I used Education)

Note: for the GPO (Group Policy Object) that disables Windows Defender to take effect, I strongly suggest using Windows 10 build 1809 or earlier, because the GPO cannot disable Windows Defender on newer builds. I ran into this while building the lab and had to switch from build 1909 to build 1809. You can find more information about this here.

I downloaded my ISO images from Azure Education, but if you do not have access to it, you can use the evaluation versions from the following addresses:

Windows Server 2019 Download

Windows 10 Download

Note: in this lab I use NAT with DHCP for the network, but you can choose the network type that suits your environment.

Install Windows 2019

In VMware Workstation, choose “File -> New Virtual Machine”.

Browse to the ISO file you downloaded and select it.

Keep the default setting for the next two pages.

Uncheck “Power on this virtual machine after creation”, then click Finish. Now you can start the machine, and the installation process will start automatically.

Once the installation has finished, log in and change the server name to whatever you want. Here, I named it “DC-2019”. Now take a snapshot and restart the machine.

Once logged in, go to “Manage”, then “Add Roles and Features”, and accept the default settings until the “Server Roles” page. Now check “Active Directory Domain Services” and click “Add Features”.

Accept the default settings on the remaining pages and wait for the installation to finish. Then restart the server.

Once the server has restarted, go to the “Post Server Configuration”.

Add a new forest and choose a domain name you prefer. Here, I chose “KUDOS.local” as my domain name.

Set a password for DSRM (Directory Services Restore Mode), accept the default configuration on the remaining pages, and click “Install” on the last page.

Once the server has restarted again, you will see it ask you to log in as the domain admin, which means Active Directory has been installed successfully on this server.

Install Windows 10

Browse to the location of your Windows 10 ISO and select it.

Accept the default settings on the remaining pages and install the image. Note: if you use the evaluation version, you do not need a product key.

What comes next depends on whether you use VMware Player or Pro. With Player, you have to repeat the same steps to install a second Windows 10 machine. With Pro, you can use the clone function to create an identical installation from the current one. Since I have Pro, I used the clone method.

Change the computer names of both Windows 10 machines and restart them.

Configuring the Active Directory on Server 2019

Log in to Server 2019, open “Active Directory Users and Computers”, and create a new OU (organizational unit) named “Groups” under the current domain.

Move the group objects into the newly created “Groups” OU.

Now, I created the following domain users. They exist for the purpose of our later attacks and follow poor practice. DO NOT DO this in a production environment!

  • First user: bwallis
  • Second user: calcock
  • Second admin: csherman
  • SQL service account running with administrative privileges: SQLService

Create the user bwallis:

Create the second admin csherman by copying the Administrator account:

Create the user calcock by copying the existing user bwallis:

Create the SQL service account by copying the Administrator account:

Now we can see the following users have been created:

I also left the password in the description field of the SQL service user for a later attack. This is a very BAD practice and should be avoided completely in a production environment:
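The same OU and user setup, scripted with the ActiveDirectory module, as an added example that is not part of the original post. It assumes you run it on DC-2019 as a domain admin, that the domain is KUDOS.local as in the post, and that `New-LabUser` is a helper defined here (not a built-in cmdlet). The password is read interactively, and `<LAB-PASSWORD>` in the description is a placeholder for it. The last query is the defender's counterpart of the deliberate mistake: it flags any account whose description looks like a stored credential.

```powershell
# Added example, not from the original post: builds the OU and users described above
# with the ActiveDirectory module on DC-2019. Domain and account names follow the post;
# the password is read interactively and <LAB-PASSWORD> below is a placeholder for it.
Import-Module ActiveDirectory

$domainDN    = (Get-ADDomain).DistinguishedName    # DC=KUDOS,DC=local in this lab
$upnSuffix   = (Get-ADDomain).DNSRoot              # KUDOS.local
$labPassword = Read-Host -AsSecureString 'Password for the lab users'

# "Groups" OU from the post, then move the group objects out of CN=Users into it.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'Groups'" -SearchBase $domainDN)) {
    New-ADOrganizationalUnit -Name 'Groups' -Path $domainDN
}
Get-ADGroup -Filter * -SearchBase "CN=Users,$domainDN" |
    Move-ADObject -TargetPath "OU=Groups,$domainDN"

# Helper (assumed, defined here): creates a user and copies group membership from a
# template account, which is what ADUC's "Copy" action does.
function New-LabUser {
    param([string]$Name, [string[]]$CopyGroupsFrom)
    New-ADUser -Name $Name -SamAccountName $Name -UserPrincipalName "$Name@$upnSuffix" `
        -AccountPassword $labPassword -Enabled $true -PasswordNeverExpires $true
    # Domain Users is skipped because it is already every user's primary group.
    foreach ($template in $CopyGroupsFrom) {
        Get-ADPrincipalGroupMembership -Identity $template |
            Where-Object { $_.Name -ne 'Domain Users' } |
            ForEach-Object { Add-ADGroupMember -Identity $_ -Members $Name }
    }
}

New-LabUser -Name 'bwallis'
New-LabUser -Name 'calcock'    -CopyGroupsFrom 'bwallis'        # copy of bwallis
New-LabUser -Name 'csherman'   -CopyGroupsFrom 'Administrator'  # copy of Administrator
New-LabUser -Name 'SQLService' -CopyGroupsFrom 'Administrator'  # service account as admin

# Deliberate weakness from the post, lab only: password stored in the description.
Set-ADUser -Identity 'SQLService' -Description 'Password: <LAB-PASSWORD>'

# The defender's side of the same mistake: list accounts whose description looks like
# a credential. On a real domain, every row this returns is a finding to fix.
Get-ADUser -Filter * -Properties Description |
    Where-Object { $_.Description -match 'pass(word|wd)?\s*[:=]' } |
    Select-Object SamAccountName, Description
```

The final query is the part worth keeping after the lab: run on a production domain it should return nothing, and anything it does return is a credential that every domain user can read.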

Now go to “Server Manager -> File and Storage Services” and choose “New Share” under Tasks, because we want to create a file share on the domain controller.

Choose the default “SMB Share — Quick”.

Give your share a name; I named it “Documents”. Then accept the default settings on the remaining pages and create the share.

Now open a command prompt as Administrator. We want to set the Service Principal Name (SPN) for our newly created SQL service account. The commands are listed at the end of this post; adjust them to your server and domain names.

In this lab we will examine various AD attacks against misconfigurations and AD default settings, so we will disable Windows Defender through a domain GPO for now. Note that the GPO only works on Windows 10 builds up to 1809; on build 1903 and newer, the GPO cannot disable Windows Defender. Go to “Server Manager -> Tools” and open “Group Policy Management”. Then select the domain and choose “Create a GPO in this domain”. Alternatively, open “Group Policy Management” directly as Administrator from the Start menu. We will name the GPO “Disable Windows Defender”.

Right-click the newly created policy and go to “Edit”. Under “Policies -> Administrative Templates -> Windows Components -> Windows Defender Antivirus”, enable the “Turn off Windows Defender Antivirus” setting: select “Enabled”, then click “Apply” and “OK”.

Now we can see the GPO is enabled. This ensures that Windows Defender Antivirus is disabled on any client that joins this domain.
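The same GPO created and linked from PowerShell, as an added example that is not part of the original post. It assumes the GroupPolicy and ActiveDirectory modules are available on DC-2019, and that the registry value `DisableAntiSpyware` under `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender` is what the “Turn off Windows Defender Antivirus” administrative template sets. The commented line at the end is the check to run on a joined client to see whether the policy took effect; the post reports that it does not on builds newer than 1809.

```powershell
# Added example, not from the original post: scripted version of the "Disable Windows
# Defender" GPO above. Run on DC-2019 (needs the GroupPolicy and ActiveDirectory
# modules). The registry value is the one the "Turn off Windows Defender Antivirus"
# administrative template writes. Lab use only.
Import-Module GroupPolicy, ActiveDirectory

$gpoName  = 'Disable Windows Defender'
$domainDN = (Get-ADDomain).DistinguishedName        # DC=KUDOS,DC=local
$defKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender'

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}

# Equivalent of setting the template to "Enabled" in the Group Policy editor.
Set-GPRegistryValue -Name $gpoName -Key $defKey `
    -ValueName 'DisableAntiSpyware' -Type DWord -Value 1 | Out-Null

# Link at the domain root so every joined client picks it up; skip if already linked.
$alreadyLinked = (Get-GPInheritance -Target $domainDN).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) { New-GPLink -Name $gpoName -Target $domainDN | Out-Null }

# Confirm the value is stored in the GPO.
Get-GPRegistryValue -Name $gpoName -Key $defKey

# On a joined Windows 10 client, after "gpupdate /force", check whether it took effect.
# The post notes the GPO stops working on builds after 1809; IsTamperProtected is the
# first property to look at when AntivirusEnabled is still True there.
# Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, IsTamperProtected
```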

Configuring the Windows 10 machines and joining them to the domain

Log in to the Windows 10 machine we created earlier, create a folder named “Share” on the C drive, and enable sharing on it.

Set the DNS server in the Windows 10 network settings to the IPv4 address of Server 2019, so the client can resolve the domain.

Go to “Access work or school” and click “Connect”. Select “Join this client to a local Active Directory Domain”. Type in the domain name, then the domain admin user name and password. Windows 10 should now be enrolled in the domain.

Log in to one of the Windows 10 machines. Go to “Computer Management” and add one of the domain users to the local Administrators group. Also create a new local user and make it a local administrator.

Repeat the same steps on the other Windows 10 machine, except that this time the domain user assigned to this machine does not get access to the other Windows 10 machine. Note that you will see the “bwallis” domain user on the second machine as well, because we want this user to have local admin rights on the second Windows 10 machine.

Last, enable Network Discovery and verify on Server 2019 that the two machines have joined the domain. Note that you also need to start the “Function Discovery Resource Publication” service in “Services” for the machines to be discoverable by others. See here for more info.
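The client-side steps of this section (DNS, domain join, local admin, network discovery) as one PowerShell run per machine, added here as an example that is not part of the original post. The DC address, the adapter name and the local account name `labadmin` are assumptions to adjust; `FDResPub` is the service name behind “Function Discovery Resource Publication”. Part 1 ends in a reboot, so Part 2 is run as a second session after the machine is back.

```powershell
# Added example, not from the original post: the client-side steps above, run in an
# elevated PowerShell on each Windows 10 machine. The DC address, adapter name and the
# local admin account name are lab assumptions; change them to match your setup.

# --- Part 1: before the join (ends with a reboot) ------------------------------
$dcAddress = '192.168.0.10'     # placeholder: IPv4 address of DC-2019
$adapter   = 'Ethernet0'        # see Get-NetAdapter for the real name
$domain    = 'KUDOS.local'

# The client must use the DC for DNS, otherwise it cannot locate the domain.
Set-DnsClientServerAddress -InterfaceAlias $adapter -ServerAddresses $dcAddress
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV   # should list DC-2019

# Join with the domain admin credentials, then reboot (same result as the
# "Access work or school" dialog in the post).
Add-Computer -DomainName $domain -Credential "$domain\Administrator" -Restart

# --- Part 2: new session after the reboot, logged in as an administrator -------
# Domain user that gets local admin on this client (bwallis on both machines in the post).
Add-LocalGroupMember -Group 'Administrators' -Member 'KUDOS\bwallis'

# Separate local administrator account, as in the post ("labadmin" is an assumed name).
$localPw = Read-Host -AsSecureString 'Password for the local admin account'
New-LocalUser -Name 'labadmin' -Password $localPw -PasswordNeverExpires | Out-Null
Add-LocalGroupMember -Group 'Administrators' -Member 'labadmin'

# Network Discovery firewall rules plus the Function Discovery Resource Publication
# service (FDResPub), so the machines can see each other.
Set-NetFirewallRule -DisplayGroup 'Network Discovery' -Enabled True
Set-Service -Name FDResPub -StartupType Automatic
Start-Service -Name FDResPub

# Review who ended up in the local Administrators group on this client.
Get-LocalGroupMember -Group 'Administrators'

# --- On DC-2019: confirm both clients joined -----------------------------------
# Get-ADComputer -Filter * | Select-Object Name, DNSHostName, Enabled
```

The `Get-LocalGroupMember` line is the one to keep in mind later: the whole point of bwallis being an administrator on both clients is that local admin membership decides how far a single compromised account can travel, so it is the first thing to review on any machine you did not build yourself.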

In this post, we learned how to set up the AD environment for our AD attack lab. In the following posts, I will discuss various ways to compromise AD. Thank you for reading :)

Commands for creating the SPN:

setspn -a DC-2019/SQLService.KUDOS.local:62111 KUDOS\SQLService

setspn -T KUDOS.local -Q */*
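A PowerShell wrapper around the SPN step, added as an example that is not part of the original post. It uses the SPN and account values from the post (adjust them to your names), checks for an existing registration before adding, and then lists every user account in the domain that carries an SPN, which is the review a defender would do after this step. It assumes the ActiveDirectory module is available on DC-2019.

```powershell
# Added example, not from the original post: registers the SPN from the post with
# setspn, refusing duplicates, and then lists every user account that carries an SPN.
# Run on DC-2019 as a domain admin; adjust the SPN and account to your names.
Import-Module ActiveDirectory

$spn     = 'DC-2019/SQLService.KUDOS.local:62111'   # value used in the post
$account = 'KUDOS\SQLService'

# A duplicate SPN breaks Kerberos authentication for both accounts, so query first.
$existing = setspn -Q $spn
if ($existing -match 'Existing SPN found') {
    Write-Warning ("SPN already registered:`n" + ($existing -join "`n"))
} else {
    # -S adds the SPN only after checking for duplicates (the post's -a does not check).
    setspn -S $spn $account
}

# Defender's view: user accounts with SPNs are service accounts, and this lab
# deliberately makes one of them an administrator with its password in the description.
# On a real domain, each row is worth reviewing for privilege and password age.
Get-ADUser -Filter { ServicePrincipalName -like '*' } `
    -Properties ServicePrincipalName, PasswordLastSet, AdminCount, Description |
    Select-Object SamAccountName, PasswordLastSet, AdminCount,
                  @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join '; ' } }
```

Expect krbtgt to appear in the list as well (it always holds an SPN); the row to pay attention to in this lab is SQLService, whose AdminCount becomes 1 once the protected-groups process has run.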
