Creating an Active Directory Lab Environment

Aug 11, 2021 · Networking · Windows

When I bought, set up, and upgraded my desktop PC, the goal was to have a pretty powerful machine that I can use to power a home lab that could handle running multiple virtual machine instances with ease. Since I’ve recently upgraded my RAM up to 24GB and had some free time, I thought I would get on that and write a post about it.

We will be setting up a simple Active Directory lab. The network would consist of probably 3-4 machines with one Domain Controller. We’ll set it up, and then we can use this AD network to practise AD hardening concepts, as well as simulate attacks, enumeration and other AD-related security tasks.


Active Directory is typically used in corporate environments. It provides centralized authentication and authorization for all users and computers, controls access to shared resources, and allows common settings to be applied across an office.


A Windows Active Directory deployment consists of the following elements:
• Objects, each of which represents a single entity (a printer, a computer, a user, a group of users) and its attributes. An object has a unique name.
• Domains are a collection of objects that are all stored on the same Active Directory database. Domains have their own policies (password policy, user accounts, machines, update schedule, etc.)
• Trees are a collection of domains
• A forest is a collection of trees


Domains are managed by a special Windows server known as the Domain Controller. It is the centralized server that other resources rely on for authentication into the network and access to the directory service. Due to the centralized nature of Active Directory, most corporate networks have more than one Domain Controller to provide failover redundancy in case of failure of the primary Domain Controller. Larger networks also have more Domain Controllers to scale up performance. The Domain Controller then can be thought of as the central brain of an Active Directory network. It is the machine that handles authentication and authorizes machines/users onto the network and for resource access.


The machines:
I downloaded a bunch of Windows Operating Systems from Microsoft’s ‘Windows Evaluation Centre’. We’ll set up an Active Directory environment using the following systems:
• Windows Server 2019
• 2 Windows 10 Enterprise Systems
• Windows 7 Professional


I’m using VirtualBox as my hypervisor of choice to set up these virtual machines. This post will not go in-depth into the steps to install a Windows Virtual Machine (VM). There are many guides online such as this.

Our 4 VMs are installed and online



The Windows Server 2019 VM will be our sole domain controller on this AD network. We rename the PC to ‘CYDONIA-DC’, and install Active Directory Domain Services through the Server Manager on this server.

CYDONIA-DC; our soon-to-be Domain Controller. Click on ‘Add Roles and Features’ under the ‘Manage’ tab



Click next



Have ‘Role-based or feature-based installation’ selected and hit Next



Have our server, CYDONIA-DC selected and click Next



Have ‘Active Directory Domain Services’ selected and click Next



Keep the rest of the options as defaults and confirm the installation to install Active Directory Domain Services.



Installation can take a few minutes. Once this is done installing, we need to promote this server to a Domain Controller. We’ll need to create a new forest and give our root domain a name.

Select ‘Promote this server to a domain controller’



We’ll add a new forest and set our domain name to ‘SANCTUARY.local’



We’ll also need to create a password

The NetBIOS domain name is ‘SANCTUARY’



We’ll keep most of the rest of the settings as default.



Select ‘Install’



Once the server finishes installation and restarts, we’ll see that our login screen now shows that we are logging into the SANCTUARY domain as the domain user Administrator.

Logging in as ‘Administrator’ on the ‘SANCTUARY’ domain
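
The same domain controller build can be scripted, which makes the lab easy to tear down and recreate after a hardening or attack-simulation exercise. The following is an added example, not part of the original walkthrough; it uses the names from this post (CYDONIA-DC, SANCTUARY.local, SANCTUARY) and assumes the DNS role is installed on the DC along with AD DS, as the later steps rely on.

```powershell
# Added example: scripted equivalent of the Server Manager wizard steps.
# Run each phase in an elevated PowerShell session on the Windows Server 2019 VM.

# --- Phase 1: rename the server (reboots immediately) ---
Rename-Computer -NewName 'CYDONIA-DC' -Restart

# --- Phase 2: after logging back in, install the AD DS role and its tools ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Promote to the first domain controller of a new forest.
# The password the wizard asks for is the Directory Services Restore Mode
# (DSRM) password; prompt for it rather than hard-coding it in a script.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password'
Install-ADDSForest `
    -DomainName 'SANCTUARY.local' `
    -DomainNetbiosName 'SANCTUARY' `
    -SafeModeAdministratorPassword $dsrm `
    -InstallDns `
    -Force    # suppress confirmation prompts; the server reboots when done

# --- Phase 3: after the reboot, log in as SANCTUARY\Administrator and verify ---
Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode
Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, IsGlobalCatalog

# The services a domain controller depends on should all be running
Get-Service -Name NTDS, DNS, Netlogon, Kdc | Select-Object Name, Status

# Clients locate the DC through this SRV record; it must resolve before
# any workstation can join the domain
Resolve-DnsName -Type SRV -Name '_ldap._tcp.dc._msdcs.SANCTUARY.local'
```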



The next step is to configure Users, Groups, and Policies objects. We’ll add a bunch of new users.

Select ‘Active Directory Users and Computers’ under the ‘Tools’ tab



Select ‘Users’ in the left hand expandable menu, and right click and select ‘New -> User’ to create a new Domain User.



Enter the user details and hit ‘Next’



Create a password for our user and hit ‘Next’ and then ‘Finish’



We should then see our newly created users



We’ll also set up a file share on our Domain Controller.

Under the ‘File and Storage Services’ on the left most menu, select ‘Shares’. Then under the ‘TASKS’ dropdown menu, select ‘New Share’



We’ll use the ‘SMB Share – Quick’ option and hit ‘Next’



We’ll have this share on our CYDONIA-DC domain controller



We’ll name this share ‘corporate’, click ‘Next’ and finish the installation



We will also set up a SQL service account. For this we have to set up a Service Principal Name (SPN), an identifier that clients use to identify a service instance (in this case, our SQL service instance) and that lets authentication associate the service instance with a service logon account. This will be important for some of the attacks we will be conducting in the future on our Active Directory (AD) lab.

We’ll create a new User and name it SQL Service



Setting up SPN via the command line



Confirming SPN was set via the command line
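
The user, share and SPN steps above can also be done from PowerShell on the DC, followed by an inventory of every user account that carries an SPN, which is the list worth reviewing when hardening service accounts. This is an added example, not the commands from the original screenshots: the logon name SQLService, the SPN string, the share path and the share permission are assumptions to be replaced with your lab's values.

```powershell
# Added example; run on CYDONIA-DC as SANCTUARY\Administrator.
Import-Module ActiveDirectory

# Domain user (the GUI 'New -> User' step); e.tonra is the user seen in this post
$userPw = Read-Host -AsSecureString -Prompt 'Password for e.tonra'
New-ADUser -Name 'e.tonra' -SamAccountName 'e.tonra' `
    -UserPrincipalName 'e.tonra@SANCTUARY.local' `
    -AccountPassword $userPw -Enabled $true

# 'corporate' share. Path and read-only permission are assumptions.
$sharePath = 'C:\Shares\corporate'
New-Item -ItemType Directory -Path $sharePath -Force | Out-Null
New-SmbShare -Name 'corporate' -Path $sharePath `
    -ReadAccess 'SANCTUARY\Domain Users'

# Service account. 'SQLService' is an assumed logon name for the
# 'SQL Service' user created in the GUI.
$svcPw = Read-Host -AsSecureString -Prompt 'Password for SQLService'
New-ADUser -Name 'SQL Service' -SamAccountName 'SQLService' `
    -AccountPassword $svcPw -Enabled $true

# Register the SPN. The value is a constructed placeholder in the usual
# serviceclass/host:port form, not the one from the original screenshot.
$spn = 'MSSQLSvc/CYDONIA-DC.SANCTUARY.local:1433'
setspn -S $spn 'SANCTUARY\SQLService'    # -S refuses to add a duplicate SPN

# Confirm the registration, per account and domain-wide
setspn -L 'SANCTUARY\SQLService'
setspn -T SANCTUARY.local -Q 'MSSQLSvc/*'

# Inventory: every user account with an SPN, its password age and its groups.
# The built-in krbtgt account is expected to appear in this list.
Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
    -Properties servicePrincipalName, PasswordLastSet, MemberOf |
    Select-Object SamAccountName, Enabled, PasswordLastSet,
        @{ n = 'SPNs';   e = { $_.servicePrincipalName -join '; ' } },
        @{ n = 'Groups'; e = { $_.MemberOf -join '; ' } }
```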



Our Domain Controller is now up and running. We will return in the future to modify and edit this server but for now, we can move on to setting up the host machines.

We will boot up our host machines, rename them, and create a new share in our C: drive

Create a new folder under the C: Drive, right click and access its properties and navigate to the ‘Sharing’ tab and click ‘Share’



Click ‘share’



We then need to change our Network Adapter settings to perform DNS through our Domain Controller.

We can note from running ‘ipconfig’ on a command line on our Domain Controller that its IP address is 192.168.33.111. This is the IP address we need to set as the DNS server on each of our host machines.

Getting the IP address of our Domain Controller



In the ‘Network Connections’ section of the control panel, right click on our Ethernet connection and select ‘Properties’



Add the IP address of the Domain Controller as the Preferred DNS server of our host machines.



Finally, we will connect our host machine to the domain.

Select ‘Access work or school’ from our start menu



On the ‘Settings’ menu that pops up, select ‘Connect’



Select ‘Join this device to a local Active Directory domain’



Type in the name of the domain we want to connect to



Authenticate into the domain as one of our domain users



Our host machine will then prompt us to restart, and when we do, we can note that we are now prompted to log into our domain

Upon reboot, we can now log in as e.tonra on the SANCTUARY domain



We can then perform the same steps to set up the other hosts and connect them to the domain.
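
For the Windows 10 hosts, the DNS change and domain join can be scripted with a pre-join check that the DC is actually discoverable, which is the usual reason a join fails. This is an added example, not part of the original walkthrough; the share name and folder are placeholders, the adapter alias 'Ethernet' is taken from the step above, and the Windows 7 VM does not ship these cmdlets, so it still needs the GUI steps.

```powershell
# Added example; run in an elevated PowerShell session on a Windows 10 host.
$dcIp   = '192.168.33.111'    # CYDONIA-DC, from ipconfig on the DC
$domain = 'SANCTUARY.local'

# Rename first if desired (host names are not given in this post):
#   Rename-Computer -NewName '<HOSTNAME>' -Restart

# Local share on C: ('share' is a placeholder folder and share name)
New-Item -ItemType Directory -Path 'C:\share' -Force | Out-Null
New-SmbShare -Name 'share' -Path 'C:\share'

# Point the adapter's DNS at the domain controller
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $dcIp

# Pre-join checks: the DC locator SRV record must resolve through the DC,
# and LDAP on the DC must be reachable.
$srv = Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$domain" `
    -Server $dcIp -ErrorAction Stop
$srv | Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port

if (-not (Test-NetConnection -ComputerName $dcIp -Port 389).TcpTestSucceeded) {
    throw "LDAP (389/tcp) on $dcIp is not reachable; fix networking before joining."
}

# Join the domain; prompts for a domain user's credentials, then reboots
Add-Computer -DomainName $domain `
    -Credential (Get-Credential -Message 'Domain user') -Restart

# After the reboot: confirm membership and the machine's secure channel
Get-CimInstance Win32_ComputerSystem | Select-Object Name, Domain, PartOfDomain
Test-ComputerSecureChannel -Verbose

# On CYDONIA-DC (not the workstation): an ordinary domain user could join
# this machine because the default machine account quota is 10 per user.
# Review it when hardening the lab:
#   Get-ADObject -Identity (Get-ADDomain).DistinguishedName `
#       -Properties 'ms-DS-MachineAccountQuota'
```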

Our fully operational AD lab with 4 VMs



I booted up another 5th VM running an instance of Parrot Security and conducted a quick nmap scan on the network

Running an nmap connect scan on our AD lab environment



# Nmap 7.91 scan initiated Tue Aug 10 23:54:34 2021 as: nmap -n -sT -sC -oA nmap-generic 192.168.33.0/24
Nmap scan report for 192.168.33.1
Host is up (0.0067s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
| ssh-hostkey: 
|   1024 52:9d:3b:c8:e6:69:02:00:db:52:8f:3d:b2:4b:af:94 (DSA)
|_  1039 51:59:7f:80:47:b3:18:f0:73:b8:e5:18:01:3c:ea:3d (RSA)
23/tcp   open  telnet
80/tcp   open  http
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
1900/tcp open  upnp
MAC Address: 7C:8B:CA:C3:D0:94 (Tp-link Technologies)

Nmap scan report for 192.168.33.111
Host is up (0.0022s latency).
Not shown: 989 filtered ports
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
MAC Address: 08:00:27:A6:C1:72 (Oracle VirtualBox virtual NIC)

Host script results:
|_nbstat: NetBIOS name: CYDONIA-DC, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:a6:c1:72 (Oracle VirtualBox virtual NIC)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-08-11T03:55:23
|_  start_date: N/A

Nmap scan report for 192.168.33.112
Host is up (0.0014s latency).
Not shown: 999 filtered ports
PORT    STATE SERVICE
135/tcp open  msrpc
MAC Address: 08:00:27:B5:A5:BA (Oracle VirtualBox virtual NIC)

Nmap scan report for 192.168.33.113
Host is up (0.0015s latency).
Not shown: 999 filtered ports
PORT    STATE SERVICE
135/tcp open  msrpc
MAC Address: 08:00:27:9F:F0:4B (Oracle VirtualBox virtual NIC)

Nmap scan report for 192.168.33.115
Host is up (0.0016s latency).
Not shown: 999 filtered ports
PORT    STATE SERVICE
135/tcp open  msrpc
MAC Address: 08:00:27:D0:AC:7D (Oracle VirtualBox virtual NIC)

Nmap scan report for 192.168.33.137
Host is up (0.051s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
902/tcp open  iss-realsecure
MAC Address: 44:33:4C:49:F7:BF (Shenzhen Bilian electronic)

Nmap scan report for 192.168.33.118
Host is up (0.048s latency).
All 1000 scanned ports on 192.168.33.118 are closed

# Nmap done at Tue Aug 10 23:56:03 2021 -- 256 IP addresses (7 hosts up) scanned in 89.78 seconds



We can see from this initial scan that the Domain Controller has a number of services running on it. We can thus determine that the network layout of our lab looks like the following.

Network Diagram of the network



With this AD homelab set up, we now have an entry point to experiment with Windows Active Directory and test out some Active Directory-specific attacks and exploits as well as practise hardening the network and other blue team activities!