Setting up an AD Hacking Lab
Dell Poweredge Server Running Windows Server 2022
HOME LAB


Why do I want to do this?
For starters, I think this provides a hands-on learning experience that goes beyond theoretical knowledge. I can read up on attacks or do as many courses as I can fit into my schedule, but without actually putting things into practice, it's hard to grasp. It also allows me to apply security concepts and techniques in a controlled environment, making it easier to understand how attacks are executed and how defences can be implemented. There's no way to try this sort of thing unless you have access to an active environment, and even then you wouldn't want to mess with anything (if you were even allowed).
I'm hoping to develop skills in AD security because, since almost everyone uses it, I think it is crucial. An AD hacking lab allows me to practice and refine my skills in areas such as:
Network reconnaissance
Privilege escalation
Password attacks
Service exploitation
Post-exploitation techniques
By experimenting with these techniques, I can become better equipped to defend against them in a live environment.
From what I have encountered in my studies, this will help me to recognize signs of compromise, trace attack paths, and implement effective countermeasures. This experience is invaluable when dealing with real-life security breaches, as it will allow me to respond quickly and effectively.
Initial Setup
I began by creating a bootable USB drive with Windows Server 2022 Evaluation and set up the server with the password: Password1. Although I am setting this up to be rather weak from a security standpoint, I can then remediate all of these vulnerabilities once I have learned how they are exploited.
Once the server was up and running, I added the Active Directory Domain Services (AD DS) and installed the necessary certificates.
Creating User Accounts
I created multiple employee accounts with weak passwords to simulate a typical vulnerable environment. From what I have heard from real-life scenarios, this is not too uncommon. Additionally, I created an SQL service account to facilitate certain attacks.
Configuring Service Principal Names (SPNs)
According to learn.windows
"A service principal name (SPN) is a unique identifier of a service instance. Kerberos authentication uses SPNs to associate a service instance with a service sign-in account. Doing so allows a client application to request service authentication for an account even if the client doesn't have the account name."
In this context, once an SPN is registered on the SQL service account, I will be able to perform a Kerberoasting attack against it: any domain user can request a service ticket for that SPN, and the ticket is encrypted with the service account's password hash, which can then be attacked offline.
To configure the SPNs for the SQL service account, I used the following commands:
C:\Users\Administrator>setspn -a HL-DC/SQLService.TheCompany.local:60111 TheCompany\SQLService
To verify the SPN setup, I ran:
C:\Users\Administrator>setspn -T TheCompany.local -Q */
This gave me the output below:
Checking domain DC=TheCompany,DC=local
CN=HL-DC,OU=Domain Controllers,DC=TheCompany,DC=local
Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/HL-DC.TheCompany.local
TERMSRV/HL-DC
TERMSRV/HL-DC.TheCompany.local
ldap/HL-DC.TheCompany.local/ForestDnsZones.TheCompany.local
ldap/HL-DC.TheCompany.local/DomainDnsZones.TheCompany.local
DNS/HL-DC.TheCompany.local
GC/HL-DC.TheCompany.local/TheCompany.local
RestrictedKrbHost/HL-DC.TheCompany.local
RestrictedKrbHost/HL-DC
RPC/04b851ed-3449-4045-b7d3-440f2bcd62e9._msdcs.TheCompany.local
HOST/HL-DC/THECOMPANY
HOST/HL-DC.TheCompany.local/THECOMPANY
HOST/HL-DC
HOST/HL-DC.TheCompany.local
HOST/HL-DC.TheCompany.local/TheCompany.local
E3514235-4B06-11D1-AB04-00C04FC2DCD2/04b851ed-3449-4045-b7d3-440f2bcd62e9/TheCompany.local
ldap/HL-DC/THECOMPANY
ldap/04b851ed-3449-4045-b7d3-440f2bcd62e9._msdcs.TheCompany.local
ldap/HL-DC.TheCompany.local/THECOMPANY
ldap/HL-DC
ldap/HL-DC.TheCompany.local
ldap/HL-DC.TheCompany.local/TheCompany.local
CN=krbtgt,CN=Users,DC=TheCompany,DC=local
kadmin/changepw
CN=SQL Service Account,CN=Users,DC=TheCompany,DC=local
HL-DC/SQLService.TheCompany.local:60111
The SPNs were successfully set up.
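Since the verification output above is what a Kerberoasting attempt would enumerate, the lab owner will want a quick way to see which accounts are exposed and why. The following PowerShell script is an added example, not from the original post: it lists user accounts that carry an SPN and flags the settings that make the service ticket easy to crack (no AES encryption types, an old password, a privileged account). It assumes the RSAT ActiveDirectory module is available on a domain-joined session with read access; the 365-day password-age threshold is an assumed lab value.

```powershell
# Added example (not from the original post): audit user accounts that carry an SPN,
# i.e. the accounts a Kerberoasting attempt would target, and flag weak settings.
# Assumes the RSAT ActiveDirectory module and a domain-joined session with read rights.
Import-Module ActiveDirectory

# Bit flags used in msDS-SupportedEncryptionTypes
$RC4    = 0x4
$AES128 = 0x8
$AES256 = 0x10

$maxPasswordAgeDays = 365   # assumed lab policy value

# krbtgt always has kadmin/changepw registered and is not a service account to fix here
$accounts = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, msDS-SupportedEncryptionTypes, AdminCount |
    Where-Object { $_.SamAccountName -ne 'krbtgt' }

foreach ($acct in $accounts) {
    $encTypes = $acct.'msDS-SupportedEncryptionTypes'
    $findings = @()

    # Unset or RC4-only means the service ticket is encrypted with the RC4 (NT hash) key,
    # which is the cheapest ticket type to crack offline
    if (-not $encTypes -or (($encTypes -band ($AES128 -bor $AES256)) -eq 0)) {
        $findings += 'no AES encryption types set'
    }
    # A password that never rotates gives an attacker unlimited time to crack the ticket
    if ($acct.PasswordLastSet -lt (Get-Date).AddDays(-$maxPasswordAgeDays)) {
        $findings += "password older than $maxPasswordAgeDays days"
    }
    # A cracked SPN password on a privileged account is an immediate domain compromise
    if ($acct.AdminCount -eq 1) {
        $findings += 'privileged (AdminCount=1) account with an SPN'
    }

    [PSCustomObject]@{
        Account  = $acct.SamAccountName
        SPNs     = ($acct.ServicePrincipalName -join '; ')
        Findings = if ($findings) { $findings -join '; ' } else { 'ok' }
    }
}
```

Run it on the DC after the `setspn` step; in this lab the SQLService account will show up with findings, which is the intended starting point. The usual remediation is a long random password (or a group managed service account) and restricting the account to AES by setting `msDS-SupportedEncryptionTypes`, so the script serves as the before-and-after check for the hardening pass mentioned in the conclusion.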
Configuring Hyper-V Guests
I set up the Hyper-V role on the server and got to work creating a Windows 10 VM.
Initially, after changing the DNS on the guest to the server's IP, I encountered issues connecting to the domain. At first I tried disabling IPv6, as IPv6 can sometimes cause domain connectivity problems.
When attempting to connect to the domain using the "Access Work or School" wizard, I still received an error stating the domain could not be found. However, joining the domain through the System Properties window was successful. Unfortunately, I was unable to find out why this was happening, even though I managed to resolve the issue.
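The "domain could not be found" error usually means the guest cannot find the DC locator records in DNS, which is what both join paths query first. The script below is an added example, not from the original post, that checks those prerequisites on the Windows 10 guest before attempting the join. It uses the lab values from the post (domain TheCompany.local, DC HL-DC); `$DcIp` is a placeholder for the server's address.

```powershell
# Added example (not from the original post): check the DNS prerequisites for a domain
# join from the Windows 10 guest, then join the domain the same way System Properties does.
# Lab values taken from the post; $DcIp is a placeholder to replace with the server's IP.
$Domain = 'TheCompany.local'
$DcIp   = '192.0.2.10'    # placeholder

# 1. The guest must resolve names through the DC, not the home router
$adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $DcIp

# 2. Domain join relies on the DC locator SRV record; if this lookup fails,
#    "domain could not be found" follows regardless of which wizard is used
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DcIp -ErrorAction Stop
$srv | Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port, Priority | Format-Table

# 3. Kerberos (88), LDAP (389) and SMB (445) must be reachable on the DC the record names
$dcHost = ($srv | Where-Object Type -eq 'SRV' | Select-Object -First 1).NameTarget
foreach ($port in 88, 389, 445) {
    $r = Test-NetConnection -ComputerName $dcHost -Port $port -WarningAction SilentlyContinue
    '{0}:{1} reachable={2}' -f $dcHost, $port, $r.TcpTestSucceeded
}

# 4. Join with domain-qualified credentials and reboot
Add-Computer -DomainName $Domain -Credential (Get-Credential "$Domain\Administrator") -Restart
```

If step 2 fails while the DC answers a plain `Resolve-DnsName HL-DC.TheCompany.local`, the DNS zone on the server is missing its `_msdcs` records and the DC's own netlogon registration needs checking; if the SRV lookup succeeds but step 3 fails, a firewall between guest and server is the more likely cause.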
Setting Up Additional Machines
I set up a second machine with slightly altered configurations to avoid duplicating the first setup. Although I couldn't install Windows 11 on the server due to hardware constraints, I plan to set up another PC on the network and add it to the domain to have a mix of operating systems. I will also try a Linux VM in the mix.
Logging In and Configuring User Roles
Logging into the first VM with the admin account posed a challenge. Typing "Administrator" in the login box switched the login context to the local machine. Prefacing the username with the domain, 'THECOMPANY\Administrator', resolved this issue. Once logged in as Administrator, I made each user the local admin of their respective machines. This is common practice in some environments, but it can also be a security issue.
Planned Attacks
With the environment set up, I plan to try the following attacks:
LLMNR / NBT-NS Poisoning
SMB Relay Attack
Pass the Password
Pass the Hash
Token Impersonation
Kerberoasting
Golden Ticket
BloodHound
Credential Dumping with Mimikatz
Conclusion
This lab setup provides a controlled environment to practice and refine various attack techniques, enhancing my understanding of Active Directory vulnerabilities and defences. I will follow this post up in the future with a breakdown of all of these attacks being used. I will also harden the system as I go. Once I have learned the attacks and what they do, I will implement stronger defences on the network to prevent them from being exploited.