Setting up an AD Hacking Lab

Dell PowerEdge Server Running Windows Server 2022

HOME LAB

6/18/2024

4 min read

Why do I want to do this?

For starters, I think this provides a hands-on learning experience that goes beyond theoretical knowledge. I can read up on attacks or do as many courses as I can fit into my schedule, but without actually putting things into practice, it's hard to grasp. It also allows me to apply security concepts and techniques in a controlled environment, making it easier to understand how attacks are executed and how defences can be implemented. There's no way to try this sort of thing unless you have access to an active environment, and even then you wouldn't want to mess with anything (if you were even allowed).

I'm hoping to develop skills in AD security because almost everyone uses it, so I think it is crucial. An AD hacking lab allows me to practice and refine my skills in areas such as:

  • Network reconnaissance

  • Privilege escalation

  • Password attacks

  • Service exploitation

  • Post-exploitation techniques

By experimenting with these techniques, I can become better equipped to defend against them in a live environment.

From what I have encountered in my studies, this will help me to recognize signs of compromise, trace attack paths, and implement effective countermeasures. This experience is invaluable when dealing with real-life security breaches, as it will allow me to respond quickly and effectively.

Initial Setup

I began by creating a bootable USB drive with Windows Server 2022 Evaluation and set up the server with the password: Password1. Although I am setting this up to be rather weak from a security standpoint, I can then remediate all of these vulnerabilities once I have learned how they are exploited.

Once the server was up and running, I added the Active Directory Domain Services (AD DS) and installed the necessary certificates.

Creating User Accounts

I created multiple employee accounts with weak passwords to simulate a typical vulnerable environment. From what I have heard from real-life scenarios, this is not too uncommon. Additionally, I created an SQL service account to facilitate certain attacks.

Configuring Service Principal Names (SPNs)

According to Microsoft Learn:

"A service principal name (SPN) is a unique identifier of a service instance. Kerberos authentication uses SPNs to associate a service instance with a service sign-in account. Doing so allows a client application to request service authentication for an account even if the client doesn't have the account name."

In context, once the SPNs are successfully set up, it will allow me to perform a Kerberoasting attack.

To configure the SPNs for the SQL service account, I used the following commands:

C:\Users\Administrator>setspn -a HL-DC/SQLService.TheCompany.local:60111 TheCompany\SQLService

To verify the SPN setup, I ran:

C:\Users\Administrator>setspn -T TheCompany.local -Q */

This gave me the output below:

Checking domain DC=TheCompany,DC=local
CN=HL-DC,OU=Domain Controllers,DC=TheCompany,DC=local
        Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/HL-DC.TheCompany.local
        TERMSRV/HL-DC
        TERMSRV/HL-DC.TheCompany.local
        ldap/HL-DC.TheCompany.local/ForestDnsZones.TheCompany.local
        ldap/HL-DC.TheCompany.local/DomainDnsZones.TheCompany.local
        DNS/HL-DC.TheCompany.local
        GC/HL-DC.TheCompany.local/TheCompany.local
        RestrictedKrbHost/HL-DC.TheCompany.local
        RestrictedKrbHost/HL-DC
        RPC/04b851ed-3449-4045-b7d3-440f2bcd62e9._msdcs.TheCompany.local
        HOST/HL-DC/THECOMPANY
        HOST/HL-DC.TheCompany.local/THECOMPANY
        HOST/HL-DC
        HOST/HL-DC.TheCompany.local
        HOST/HL-DC.TheCompany.local/TheCompany.local
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/04b851ed-3449-4045-b7d3-440f2bcd62e9/TheCompany.local
        ldap/HL-DC/THECOMPANY
        ldap/04b851ed-3449-4045-b7d3-440f2bcd62e9._msdcs.TheCompany.local
        ldap/HL-DC.TheCompany.local/THECOMPANY
        ldap/HL-DC
        ldap/HL-DC.TheCompany.local
        ldap/HL-DC.TheCompany.local/TheCompany.local
CN=krbtgt,CN=Users,DC=TheCompany,DC=local
        kadmin/changepw
CN=SQL Service Account,CN=Users,DC=TheCompany,DC=local
        HL-DC/SQLService.TheCompany.local:60111

The SPNs were successfully set up.
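The same `setspn -Q */` listing doubles as a hardening checklist: any SPN attached to a user account (rather than a computer account or krbtgt) is one whose password strength alone decides whether its service tickets can be cracked offline, so those are the accounts to move to long random passwords or a gMSA once the Kerberoasting exercise is done. The script below is an added example, not part of the original post: it parses a constructed, trimmed copy of the output above and flags such accounts. The container-based classification (OU=Domain Controllers and CN=Computers are machine accounts) is an assumption for the default lab layout, not an LDAP attribute lookup.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the `setspn -T TheCompany.local -Q */`
# output shown above, with setspn's usual tab indent under each DN.
SAMPLE_OUTPUT = """\
Checking domain DC=TheCompany,DC=local
CN=HL-DC,OU=Domain Controllers,DC=TheCompany,DC=local
\tTERMSRV/HL-DC.TheCompany.local
\tldap/HL-DC.TheCompany.local
\tHOST/HL-DC.TheCompany.local
CN=krbtgt,CN=Users,DC=TheCompany,DC=local
\tkadmin/changepw
CN=SQL Service Account,CN=Users,DC=TheCompany,DC=local
\tHL-DC/SQLService.TheCompany.local:60111
"""

# A line that starts with CN= and carries a DC= component is an account DN;
# every other non-empty line belongs to the most recent DN.
DN_RE = re.compile(r"^CN=.*,DC=", re.IGNORECASE)

def parse_setspn(output):
    """Map each account DN to the list of SPNs setspn printed beneath it."""
    spns = defaultdict(list)
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("checking domain"):
            continue
        if DN_RE.match(line):
            current = line
            spns[current] = spns.get(current, [])  # register accounts with no SPNs too
        elif current is not None:
            spns[current].append(line)
    return dict(spns)

def kerberoastable(spns):
    """Return DNs of user accounts that carry at least one SPN.

    Assumption: DNs under OU=Domain Controllers or CN=Computers are machine
    accounts (random, auto-rotated passwords) and krbtgt is skipped; anything
    else with an SPN is a user account whose password needs hardening or
    replacing with a gMSA.
    """
    machine_containers = ("ou=domain controllers,", "cn=computers,")
    flagged = []
    for dn, entries in spns.items():
        lower = dn.lower()
        if not entries or lower.startswith("cn=krbtgt,"):
            continue
        if any(c in lower for c in machine_containers):
            continue
        flagged.append(dn)
    return flagged

if __name__ == "__main__":
    for dn in kerberoastable(parse_setspn(SAMPLE_OUTPUT)):
        print("harden password or move to gMSA:", dn)
```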

Configuring Hyper-V Guests

I set up the Hyper-V role on the server and got to work creating a Windows 10 VM.

Initially, after changing the DNS on the guest to the server's IP, I encountered issues connecting to the domain. At first I tried disabling IPv6, as IPv6 can sometimes cause domain connectivity problems.

When attempting to connect to the domain using the "Access Work or School" wizard, I still received an error stating the domain could not be found. However, joining the domain through the System Properties window was successful. Unfortunately, I was unable to find out why this was happening, even though I managed to resolve the issue.

Setting Up Additional Machines

I set up a second machine with slightly altered configurations to avoid duplicating the first setup. Although I couldn't install Windows 11 on the server due to hardware constraints, I plan to set up another PC on the network and add it to the domain to have a mix of operating systems. I will also try a Linux VM in the mix.

Logging In and Configuring User Roles

Logging into the first VM with the admin account posed a challenge. Typing "Administrator" in the login box switched the login context to the local machine. Prefacing the username with the domain, 'THECOMPANY\Administrator', resolved this issue. Once logged in as Administrator, I made each user the local admin of their respective machines. This is common practice in some environments, but it can also be a security issue.

Planned Attacks

With the environment set up, I plan to try the following attacks:

  • LLMNR / NBT-NS Poisoning

  • SMB Relay Attack

  • Pass the Password

  • Pass the Hash

  • Token Impersonation

  • Kerberoasting

  • Golden Ticket

  • BloodHound

  • Credential Dumping with Mimikatz

Conclusion

This lab setup provides a controlled environment to practice and refine various attack techniques, enhancing my understanding of Active Directory vulnerabilities and defences. I will follow this post up in the future with a breakdown of all of these attacks being used. I will also harden the system as I go. Once I have learned the attacks and what they do, I will implement stronger defences on the network to prevent them from being exploited.