VHL002 - Setting up the Domain Controller and Workstations

For the initial creation, I'm going to create 5 machines in total.

  • 1 Microsoft Windows Server 2016
  • 3 Windows 10 Enterprise Workstations
  • 1 Kali Linux Machine

To create the virtual machines for Windows Server and Windows 10 Enterprise, you will need the ISO files for these systems. These can be found at the following links. You may be required to fill out a form; nothing checks the information, so you can use completely fake details.

You might be wondering why I chose a 2016 server. In company networks, the most common servers you are going to come across are 2012 and 2016, with only a few 2019. Outside of those, it is rare to find other Active Directory server versions, so I chose the more recent of the two most common.

I will get into how to set up the Kali Linux machine in the next post, where I will cover the installation of the system and the tools that you will need for the attacks.

I apologize in advance for some of the screenshots around the setup of the domain controller; the video was lower quality than I thought.



Creating the Domain Controller

Once you have created the virtual machine, you are going to need to go through the server install setup.

 

Make sure to choose Desktop Experience.

 

Do the custom install.


It will show the storage format, click New > Apply > Ok, then next.

The setup will take a minute to install.


 

Once done, it will prompt you to set a password, keep this password written down.


Once logged in, I suggest installing the complete VMware tools into the system. 


If you installed the VMware tools, it will ask you to restart. Click No and go to the Windows Settings. Click search and type in "pc name". Click on “View your PC name”.


 

Click Rename PC and name it how you would like. I will be naming this machine "HWDC16" for Hogwarts Domain Controller 2016.

Now restart the machine when it is prompted.

Once this is restarted, we are going to set up a static IP address. To do so, do the following.


The default gateway that your network is using can be found in the command prompt by typing “ipconfig”.

You can also confirm that these settings have been completed with the same command.


Now we are going to set up the domain services.

Go into Server Manager, click on Manage and click Add Roles and Features.



A new window should open up. Click Next > Role Based, Next > Your DC Name, Next > Select Active Directory Domain Services, Add Features, Next



Next > Next > Install 

Once done installing, there will be a yellow warning at the top next to the flag. Click it.


  

Click on the “Promote this server to a domain controller”


 

This window will pop up. Type in the domain name you would like to set up. Click Next.


 

Make sure to keep the password you set here written down, along with any other information that you are creating. Click Next.


 

Click Next > Next > Next > Next > Install.


 

Once it is done, the server will restart.
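The same domain controller build, done from an elevated PowerShell prompt instead of the GUI, as an added example that is not from the original post. The host name HWDC16 and the domain HOGWARTS.local are the post's; the interface alias "Ethernet0" and the 192.168.56.0/24 addressing are assumptions you should adjust to your own virtual network.

```powershell
# Added example (not the post's own steps): Server 2016 DC from the command line.
# Assumed: interface alias "Ethernet0", DC address 192.168.56.10/24, gateway 192.168.56.1.
$Alias = "Ethernet0"

# Static IP. The DC points DNS at itself because AD DS will install its own DNS server.
New-NetIPAddress -InterfaceAlias $Alias -IPAddress 192.168.56.10 -PrefixLength 24 -DefaultGateway 192.168.56.1
Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses 127.0.0.1
Get-NetIPConfiguration -InterfaceAlias $Alias      # same check as "ipconfig" in the post

# Rename before promotion; the name cannot be changed once the box is a DC.
Rename-Computer -NewName "HWDC16" -Restart

# --- After the reboot, in a new elevated prompt ---
# Add Roles and Features > Active Directory Domain Services (with the management tools)
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# "Promote this server to a domain controller": first DC of a new forest.
# The DSRM password is read interactively so it never lands in the shell history.
Import-Module ADDSDeployment
Install-ADDSForest -DomainName "HOGWARTS.local" -DomainNetbiosName "HOGWARTS" `
    -InstallDns -Force `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password")
# The server restarts on its own when promotion finishes, as in the post.

# --- After the second reboot: confirm the forest and that the DC resolves in its own DNS ---
Get-ADDomain | Select-Object DNSRoot, NetBIOSName, PDCEmulator
Resolve-DnsName -Name "HWDC16.HOGWARTS.local" -Type A
```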

Again, sorry for these images. I tried to explain what you need to click in the descriptions if the image was poor.


Users, Groups, GPO, Kerberos, and Shares

Under the AD DS tab, right click on the domain controller. Click on Active Directory Users and Computers.


 

In the Users folder, add some users for the network. This just puts more information in the domain for us to try to enumerate and obtain later. I used the following naming convention.


 

I highly recommend making the password never expire and writing down each one for future reference.


 

You will also need to create the Kerberos service account. To make this a deliberate vulnerability, I created it as a copy of the Administrator account, so the service account is a domain administrator. I named mine “kerberking” and gave it an easy password for cracking.

I then also created the Professors security group for additional fun.


 

To set up the share, click File and Storage Services.

Click on Shares. 


Right click and click New Share...


Click Next



Click next > Create share name


Click Next > Customize Permissions



Click Select a principal. 


I'm adding the Professors group as the principal.


I'm giving them full control over this share. Click Ok. 



Apply > Ok. Then click Next.

Create and Close
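The users, the Professors group and the Professors share above, created from PowerShell on the DC, as an added example that is not the post's own code. The domain HOGWARTS.local, the group name and the Full Control share permission come from the post; the sample account names, the password and the share path are constructed for illustration (the post leaves its naming convention to a screenshot).

```powershell
# Added example: lab users, Professors group and share. Names/password/path are constructed.
Import-Module ActiveDirectory

$Domain   = "HOGWARTS.local"
$Password = ConvertTo-SecureString "Lab-Password-1!" -AsPlainText -Force   # constructed lab value

# Constructed sample accounts; Professor = $true puts them in the Professors group
$Users = @(
    @{ Sam = "aDumbledore"; Given = "Albus";   Surname = "Dumbledore"; Professor = $true  },
    @{ Sam = "sSnape";      Given = "Severus"; Surname = "Snape";      Professor = $true  },
    @{ Sam = "hPotter";     Given = "Harry";   Surname = "Potter";     Professor = $false }
)

New-ADGroup -Name "Professors" -GroupScope Global -GroupCategory Security

foreach ($u in $Users) {
    # PasswordNeverExpires mirrors the post's lab recommendation; in a real audit
    # this flag is exactly what makes an account stand out.
    New-ADUser -Name "$($u.Given) $($u.Surname)" -GivenName $u.Given -Surname $u.Surname `
        -SamAccountName $u.Sam -UserPrincipalName "$($u.Sam)@$Domain" `
        -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true
    if ($u.Professor) { Add-ADGroupMember -Identity "Professors" -Members $u.Sam }
}

# The share: a folder on the DC with Full Control for the Professors group, as in the post
$SharePath = "C:\Shares\Professors"   # constructed path
New-Item -Path $SharePath -ItemType Directory -Force | Out-Null
New-SmbShare -Name "Professors" -Path $SharePath -FullAccess "HOGWARTS\Professors"

# Check: who is in the group, and who has what on the share
Get-ADGroupMember -Identity "Professors" | Select-Object SamAccountName
Get-SmbShareAccess -Name "Professors"
```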


 

To do some of the attacks that we want for this lab, we will need to turn off some firewalls and protections on the machines. In the future, I want to turn these back on when I start to learn EDR evasion. But for now, we will keep them off.  

Open Group Policy Management. Right click on the domain. Click Create a GPO in this domain.



Click Edit...


Go to Computer Configuration > Policies > Administrative Templates > Windows Components > click Windows Defender. Right click on Turn off Windows Defender > Edit > Enable > apply.


 

Once done, close it out, then right click the GPO link > Enforced.



Go into a command prompt and type “gpupdate”.


 

Now register the SPN for the Kerberos service account by typing this command.

```
setspn -a HWDC16/kerberking.HOGWARTS.local:54321 HOGWARTS\kerberking
```


 

You can check that it worked with this command.


 

You can see the account there.
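The SPN registration above, done with the ActiveDirectory module, followed by the check a defender would run over the whole domain: every user account carrying an SPN, whether its password never expires, when it was last set, and whether it is a Domain Admin. This is an added example, not the post's code; the SPN string, account name and domain are the post's, and kerberking is expected to show up as the one privileged, non-expiring service account.

```powershell
# Added example: PowerShell equivalent of the post's setspn -a, then an SPN audit.
Import-Module ActiveDirectory

# Same SPN the post registers with setspn
Set-ADUser -Identity "kerberking" -ServicePrincipalNames @{ Add = "HWDC16/kerberking.HOGWARTS.local:54321" }

# Resolve Domain Admins membership once, including nested groups
$DomainAdmins = Get-ADGroupMember -Identity "Domain Admins" -Recursive |
    Select-Object -ExpandProperty SamAccountName

# Every user with an SPN is a service account whose password protects service tickets.
# The ones that are also privileged, with old or never-expiring passwords, are the
# findings a lab like this is built to demonstrate. Get-ADUser returns only user
# objects, so computer accounts (which always have SPNs) are left out; krbtgt will appear.
$Findings = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordNeverExpires, PasswordLastSet |
    ForEach-Object {
        [pscustomobject]@{
            Account              = $_.SamAccountName
            DomainAdmin          = $DomainAdmins -contains $_.SamAccountName
            PasswordNeverExpires = $_.PasswordNeverExpires
            PasswordLastSet      = $_.PasswordLastSet
            SPNs                 = ($_.ServicePrincipalName -join "; ")
        }
    }

# Privileged service accounts first; kerberking should be at the top
$Findings | Sort-Object DomainAdmin, PasswordNeverExpires -Descending | Format-Table -AutoSize
```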


 


Domain Workstations

This will get into how to create one Windows 10 workstation in the domain; if you want more, just repeat the steps. I set up three.

Choose your language and click Install now.


 

Accept the Terms and Conditions. Then click Custom.


 

Click New > Apply > Ok. You should see this now.


 

Wait for the installation to finish. It will restart when finished.


 

It will then start going through the Windows setup.


Add your language, region, and keyboard.

 

It will then ask you to sign in; click on "Domain join instead" at the bottom.


 

Type in the user.


 

Type in their password. Again, make sure to have a copy of this.


 

It will ask for security questions. These are not important; just put whatever you want and keep it all written down.


 

Turn off all the Privacy settings and say Not Now on the Cortana page.


 

Once it is done, I’m using VMware so I’ll be installing their VMware Tools. Once that is finished, we need to change the workstation name.

Type "PC name" into the search bar and click View your PC name.


 

Click Rename this PC.


 

Type in the name you want for the workstation. It will then ask you to restart for the change to take effect.


 

Once it has been restarted, put in the domain controller as the preferred DNS server in the network configuration. If you need a reminder on how to do this, there is a guide in the domain controller section.


 

Now we can join it to the domain. Type "domain" into the search bar. Click on "Access work or school".


 

Click on Connect.


 

Click on "Join this device to a local Active Directory domain".


 

Type in the domain.


 

It will ask for authentication. Put in the Domain Administrator’s credentials.


Type in the domain account that you want to use for this machine. Make sure to make them a local administrator.

It will ask you to restart now, go ahead and do so.


 

Once restarted, we need to clean up the users on the machine. Type “users” into the search bar and click on "Edit local users and groups".


 

Now go into the users, and you should see the following.


 

One of the attacks that I would like to simulate is Local Admin Password Reuse. Right click on Administrator and click "Set Password".



Click Proceed, then set the password for the local administrator.


 

Also make sure that you enable the local Administrator account.


 

Delete the original user we created when setting up the machine.


 

Make sure to sign into this account at some point to have it “set up” so that attacks on this account will work.
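The workstation steps from DNS through the local account clean-up, done from an elevated PowerShell prompt on the Windows 10 box, as an added example that is not the post's own. HOGWARTS.local is the post's; the interface alias "Ethernet0", the DC address 192.168.56.10, the workstation name HWWS01, the domain user hPotter and the setup-time local account "labsetup" are assumptions you should swap for your own values.

```powershell
# Added example: join a Windows 10 workstation to HOGWARTS.local and fix up its local accounts.
# Assumed: interface "Ethernet0", DC at 192.168.56.10, new name HWWS01, domain user hPotter,
# and "labsetup" as the local account created during Windows setup.
$Alias = "Ethernet0"

# 1. Preferred DNS server = the domain controller, so the domain name resolves
Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses 192.168.56.10
Resolve-DnsName -Name "HOGWARTS.local" -Type A     # should answer with the DC's address

# 2. Rename and join in one step (prompts for the Domain Administrator's credentials), then reboot
Add-Computer -DomainName "HOGWARTS.local" -NewName "HWWS01" `
    -Credential (Get-Credential -UserName "HOGWARTS\Administrator" -Message "Domain admin") -Restart

# --- After the reboot, signed in with a domain admin ---
# 3. The domain user who will use this machine becomes a local administrator
Add-LocalGroupMember -Group "Administrators" -Member "HOGWARTS\hPotter"

# 4. Enable the built-in local Administrator and set its password. The post sets this
#    on every workstation to exercise local admin password reuse later in the lab.
Enable-LocalUser -Name "Administrator"
Set-LocalUser -Name "Administrator" -Password (Read-Host -AsSecureString "Local Administrator password")

# 5. Remove the account created during Windows setup
Remove-LocalUser -Name "labsetup"

# Check: only Administrator and the defaults remain, and the domain user is a local admin
Get-LocalUser | Select-Object Name, Enabled
Get-LocalGroupMember -Group "Administrators"
```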


 

To do some of the attacks that we want for this lab, we will need to turn off some firewalls and protections on the machines. In the future, I want to turn these back on when I start to learn EDR evasion. But for now, we will keep them off.  


 

Turn off real-time protection.


 

Turn off the Windows Firewall.


We may need to turn off more defenses for some attacks. I will update this when I figure out exactly what needs to be off for the attacks I would like to do.

Once everything is in place, I found doing a restart helps everything work properly.


The next post will go into setting up the Kali Linux machine and installing the tools that we will need for the attacks.

