{"id":2242,"date":"2024-09-25T14:05:58","date_gmt":"2024-09-25T14:05:58","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2242"},"modified":"2025-07-29T03:29:46","modified_gmt":"2025-07-29T03:29:46","slug":"active-directory-penetration-dojo-setup-of-ad-penetration-lab-part-1","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/active-directory-penetration-dojo-setup-of-ad-penetration-lab-part-1\/","title":{"rendered":"Active Directory Penetration Dojo \u2013 Setup of AD Penetration Lab (Part 1)"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1920\" height=\"1349\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/dojo.webp\" alt=\"Active Directory Penetration Dojo - Setup of AD Penetration Lab (Part 1)\" class=\"wp-image-2257\" srcset=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/dojo.webp 1920w, https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/dojo-1536x1079.webp 1536w\" sizes=\"(max-width: 1920px) 100vw, 1920px\" \/><figcaption class=\"wp-element-caption\">Active Directory Penetration Dojo &#8211; Setup of AD Penetration Lab (Part 1)<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>The Prologue<\/strong><\/h2>\n\n\n\n<p>Hello everyone, welcome to the series of Active Directory Penetration Dojo. This series is for people who\u2019ve used Windows but haven\u2019t worked on Active Directory. 
This blog will focus primarily on understanding the AD environment so that we can perform AD enumeration and simulate AD attacks as one would do during a <a href=\"https:\/\/lmntrix.com\/active-directory-security-assessment\/\">Red Team Assessment<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Attacker\u2019s Paradise, Administrator\u2019s Hell<\/strong><\/h2>\n\n\n\n<p>From these blog posts, you will start seeing AD from the view of Red Team members who perform different AD attacks and bypass its security policies. That motivated us to research further into using AD resources in an offensive manner. You will get to know AD from two different points of view: as an administrator who adds security policies to harden the environment, and as an attacker who tries to bypass them and uses those same policies to manipulate the environment. Many things can lead to the compromise of AD, such as misconfigured settings, poor maintenance procedures, and many other mistakes made by administrators. You can read what our <a href=\"https:\/\/lmntrix.com\/active-directory-security-assessment\/\">AD security assessment<\/a> includes to get a better idea of what we test for.<\/p>\n\n\n\n<p>This blog series may be a little lengthy, covering the AD DC setup and then the attacks, because to understand the concepts of Active Directory we must first understand the basics. It\u2019s going to be more interesting once you understand how things work and we set up a virtual lab to test out the different attacks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Hello Windows!<\/strong><\/h2>\n\n\n\n<p><strong>Active Directory<\/strong> is Microsoft\u2019s directory service. It acts as a centralised repository that holds all the data related to the users, computers, servers, resources etc. of an organisation, and it makes administration &amp; management much easier for system administrators. Using AD, workstations can be updated, configured and maintained remotely. 
It is a single management interface that is accessible from anywhere on the network.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"300\" height=\"300\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/1-39.webp\" alt=\"\" class=\"wp-image-2243\" srcset=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/1-39.webp 300w, https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/1-39-150x150.webp 150w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/figure>\n\n\n\n<p>This collection of objects falls under a domain. Domains represent logical partitions within Active Directory for security and directory replication. A domain is always referred to by its unique name and has a proper domain name structure (for example, scriptdotsh.com).<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"300\" height=\"246\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/2-38.webp\" alt=\"\" class=\"wp-image-2244\"\/><\/figure>\n\n\n\n<p>A group of AD domains that share a contiguous namespace is called an <strong>AD Tree<\/strong>. Objects in a tree always follow the hierarchy. (Example: if, in the AD forest scriptdotsh.com, computer1 is in its child domain <strong>europe<\/strong>, its FQDN (fully qualified domain name) would be <strong>computer1.europe.scriptdotsh.com<\/strong>.)<\/p>\n\n\n\n<p>A collection of domain trees is called <strong>a Forest<\/strong>. A domain is always part of a forest, even if there is just a single domain. A forest is composed of one or more trees. 
Unlike a tree, a forest can contain several non-contiguous namespaces.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Active Directory Domain Controller<\/strong><\/h3>\n\n\n\n<p>AD Domain Controllers host the service that authenticates user and computer accounts when they log on to the domain. All users and computers must connect to AD DS domain controllers when signing into the network, which is why AD DS is the primary means by which you configure and manage user and computer accounts on your network. In corporate environments with large infrastructure and many users, Microsoft Active Directory is very common.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"740\" height=\"457\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/3-37.webp\" alt=\"\" class=\"wp-image-2245\"\/><\/figure>\n\n\n\n<p><strong>Note<\/strong>: AD DS stands for \u201cActive Directory Domain Services\u201d.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>AD Database<\/strong><\/h3>\n\n\n\n<p>The information on user identities, computers, groups, services, resources etc. is stored in the Active Directory database, which is made up of a single file named <strong>ntds.dit<\/strong>. By default, it is stored in the <em>%SYSTEMROOT%\\NTDS<\/em> folder.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"708\" height=\"322\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/4-36.webp\" alt=\"\" class=\"wp-image-2246\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>LDAP<\/strong><\/h3>\n\n\n\n<p>LDAP stands for Lightweight Directory Access Protocol. This is the service that keeps track of what is on the network.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>AD integrated DNS<\/strong><\/h3>\n\n\n\n<p>DNS is essential for Active Directory to work. 
There are several DNS records that AD requires to determine what services are available on the domain and who provides them. These records are managed automatically when you configure DNS in AD.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Kerberos<\/strong><\/h3>\n\n\n\n<p>Kerberos is the service that allows you to use one username and password to log into multiple computers throughout the domain. It handles Single Sign-On throughout the domain.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Group Policies<\/strong><\/h3>\n\n\n\n<p>Group Policy is used to define user, security and networking policies at the machine level. Administrators can apply group policies from a centralized location to the whole domain or to a few computers\/users. There are still many security professionals who aren\u2019t very familiar with AD and its concepts, so I decided to discuss a few concepts of AD before explaining the setup. Let\u2019s get started with the setup.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Active Directory Domain Controller Lab Setup<\/strong><\/h2>\n\n\n\n<p>For this lab setup, I will set up a small environment because of limited resources, but this environment is enough to simulate AD attacks:<\/p>\n\n\n\n<p><strong><em>&#8211; Domain controller (Windows Server 2012 R2)<\/em><\/strong><\/p>\n\n\n\n<p>In a production environment, there are multiple domain controllers, such as an ADC (Additional Domain Controller), RODC (Read-Only Domain Controller) and CDC (Child Domain Controller).<\/p>\n\n\n\n<p><strong><em>&#8211; Client machines (Windows 7, Windows 10)<\/em><\/strong><\/p>\n\n\n\n<p>&#8211; Member servers like SQL Server, File Server, FTP Server, IIS Server, Proxy Server, Antivirus Server etc.<\/p>\n\n\n\n<p>We\u2019ll discuss two ways to set up the lab:<\/p>\n\n\n\n<p><em>&#8211; Graphical User Interface way<\/em><\/p>\n\n\n\n<p><em>&#8211; Command Line Interface way<\/em><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>The 
Administrator\u2019s Way<\/strong><\/h3>\n\n\n\n<p>Let\u2019s get started with the first one. Download Oracle VirtualBox from here. Download the Windows Server 2012 R2 ISO file from here; it is a 180-day evaluation version, which is good for testing.<\/p>\n\n\n\n<p><strong>Note<\/strong> \u2013 Always download the evaluation copies of server OS ISO files from Microsoft\u2019s website.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Creating a VM for Domain Controller<\/strong><\/h3>\n\n\n\n<p><strong><em>Hardware Requirements:<\/em><\/strong><\/p>\n\n\n\n<p>We will create the DC with the configuration below, which can be changed later:<\/p>\n\n\n\n<p>&#8211; 1 vCPU<\/p>\n\n\n\n<p>&#8211; 2 GB RAM<\/p>\n\n\n\n<p>&#8211; 25-30 GB storage<\/p>\n\n\n\n<p>In VirtualBox, select New Virtual Machine, enter the required details and click Create. Remember that your machines will be part of a host-only virtual network: they will be segregated from the real environment but able to communicate with each other. To set this up, follow these steps:<\/p>\n\n\n\n<p>&#8211; Right-click your newly created VM and select \u201cSettings\u201d.<\/p>\n\n\n\n<p>&#8211; Go to Network and select \u201cHost-Only network\u201d.<\/p>\n\n\n\n<p>We\u2019re setting up an internal network so that only the DC and the proxy server get access to the internet. Other clients will access the internet via the proxy server, so that we can gather logs as well.<\/p>\n\n\n<div class=\"wp-block-image wp-image-2415 size-medium\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"169\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/5-35.webp\" alt=\"\" class=\"wp-image-2247\"\/><\/figure>\n<\/div>\n\n\n<p>We will also set up another NAT adapter later for internet access. For now, let\u2019s configure only one adapter (Host-Only). Click to run the VM and browse to the ISO file. 
It\u2019ll boot into the normal Windows installation steps. Click \u201cInstall now\u201d, select a partition and begin the installation. Once the installation finishes, power on the machine and assign a static IP address to it. That will be the address of your AD domain controller and DNS server.<\/p>\n\n\n\n<p><strong>Assign an IP address:<\/strong><\/p>\n\n\n\n<p>Go to the network properties to assign an IP to the machine. Type ncpa.cpl in Run to open Network and Sharing Center. Assign a static IP address to the machine.<\/p>\n\n\n<div class=\"wp-block-image wp-image-2417 size-medium\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"215\" height=\"300\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/6-35.webp\" alt=\"\" class=\"wp-image-2248\"\/><\/figure>\n<\/div>\n\n\n<p><strong>Change the computer name:<\/strong><\/p>\n\n\n\n<p>A meaningful name is required so that it\u2019s easy to remember which server is the DC, File Server, DHCP server etc. Go to System Properties and change the computer name. 
Type sysdm.cpl in Run to open System Properties and change the computer name.<\/p>\n\n\n\n<p><strong>Note<\/strong>: Reboot the machine to apply the changes.<\/p>\n\n\n\n<p><strong>Installing the ADDS Role:<\/strong><\/p>\n\n\n\n<p>Go to Server Manager and click Add roles and features.<\/p>\n\n\n<div class=\"wp-block-image wp-image-2419 size-medium\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"215\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/7-34.webp\" alt=\"\" class=\"wp-image-2249\"\/><\/figure>\n<\/div>\n\n\n<p>Select the first option: Role-based or feature-based installation.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"148\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/8-30.webp\" alt=\"\" class=\"wp-image-2250\"\/><\/figure>\n<\/div>\n\n\n<p>Click Next until you reach the step to select roles. Select \u201cActive Directory Domain Services\u201d and click \u201cAdd Features\u201d in the window that pops up. Click Next.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"217\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/9-26.webp\" alt=\"\" class=\"wp-image-2251\"\/><\/figure>\n<\/div>\n\n\n<p>Keep clicking \u201cNext\u201d until it installs the roles and features. It takes some time to install the roles.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Promoting the Server to a Domain Controller<\/strong><\/h2>\n\n\n\n<p>After the roles and features are installed, Server Manager will show the notification below. 
Click it and select the option \u201cPromote this Server to Domain Controller\u201d.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Add a new forest<\/strong><\/h3>\n\n\n\n<p>Here, it shows an option to create a forest. Select \u201cAdd a New Forest\u201d and enter a domain name. I named the forest \u201cscriptdotsh.local\u201d.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"228\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/10-25.webp\" alt=\"\" class=\"wp-image-2252\"\/><\/figure>\n<\/div>\n\n\n<p>Click Next. On the next screen, leave the defaults as they are and create a recovery password.<\/p>\n\n\n\n<p>This is called the DSRM (Directory Services Restore Mode) password. It gives the administrator a kind of backdoor into the AD database in case there is an issue with the domain, or when you need to restore or recover the AD database.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"275\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/11-17.webp\" alt=\"\" class=\"wp-image-2253\"\/><\/figure>\n<\/div>\n\n\n<p>Just accept the defaults in the next series of prompts. It will check some prerequisites and show some warnings; that\u2019s okay. Click \u201cInstall\u201d.<\/p>\n\n\n\n<p>In the background, the installation and configuration of Active Directory and DNS will take place, and then the server will reboot. After the reboot, your domain controller is ready! A logon screen will appear. You can log in using the same Administrator account. Note that the account is now a Domain Administrator, as the computer is now a Domain Controller. 
Below is the format for login:<\/p>\n\n\n\n<p><strong>Username<\/strong> &#8211; scriptdotsh\\Administrator<\/p>\n\n\n\n<p><strong>Password<\/strong> &#8211; XXXXXXXXX<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>CommandLine-Fu<\/strong><\/h2>\n\n\n\n<p>In only four commands, you can set up the domain controller. In short, these four commands do the same things that were explained above in the GUI way. Run PowerShell as administrator and enter the commands below:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Installing AD DS Role<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">Install-WindowsFeature AD-Domain-Services<br><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"587\" height=\"70\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/12-13.webp\" alt=\"\" class=\"wp-image-2254\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Installing ADDS RSAT features<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">Add-WindowsFeature RSAT-ADDS<br><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"632\" height=\"153\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/13-10.webp\" alt=\"\" class=\"wp-image-2255\"\/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Promoting the Server to a Domain Controller<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">Import-Module ADDSDeployment<br><\/pre>\n\n\n\n<p><strong>Note<\/strong>: There will be no output for this command, as it only imports the module.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Add a new forest<\/strong><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">Install-ADDSForest<br><\/pre>\n\n\n\n<p>Enter the domain name and password and select \u201cYes\u201d to continue.<\/p>\n\n\n\n<p>The AD domain forest \u201cscriptdotsh.local\u201d is being installed:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" 
height=\"151\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/14-7.webp\" alt=\"\" class=\"wp-image-2256\"\/><\/figure>\n<\/div>\n\n\n<p>It takes a few minutes to complete the operation and then the server will reboot. After the reboot, your domain controller is ready! Log in the same way as shown in the GUI section above. Once you\u2019re in, you can explore the different AD tools.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Epilogue<\/strong><\/h2>\n\n\n\n<p>That&#8217;s it for the first blog post. In the next post, we will populate AD with DNS, a DHCP server, member servers, client machines, domain users etc. After that, we will start with recon, exploiting misconfigurations, and DC-based attacks and hunts. Do let us know if you have any questions or doubts :). You\u2019re welcome to suggest anything to add to this series. Stay tuned for the coming blogs \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Prologue Hello everyone, welcome to the series of Active Directory Penetration Dojo. This series is for people who&rsquo;ve used Windows but haven&rsquo;t worked on Active Directory. 
This blog will be focusing primarily on understanding AD environment so that we can perform AD enumeration and simulate AD attacks as one would do when doing a [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2257,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2242","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2242","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2242"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2242\/revisions"}],"predecessor-version":[{"id":4215,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2242\/revisions\/4215"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2257"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2242"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2242"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2242"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}