Lab Building Guide - Virtual Active Directory - by Vartai Security - Vartai Security - Medium
Introduction
https://medium.com/vartai-security/lab-building-guide-virtual-active-directory-d900dc68dbed 1/41
5/13/2021 Lab Building Guide: Virtual Active Directory | by Vartai Security | Vartai Security | Medium
Fully test out and understand all of the capabilities of both built-in AD tools and
automated enumeration tools such as PowerView and Bloodhound.
The objective of this post is to help readers build a fully functional mini AD lab that can
be spun up to practice a wide variety of attacks. We will walk through creating the
following lab structure:
Two forests with a bidirectional forest trust and an intra-forest parent-child domain trust.
1 workstation (Forest B)
Initial Setup
Begin by building each host fully and installing VMWare Tools. For now do not worry
about applying any patches/updates. You can choose your own host names but for the
purposes of this exercise we will be using:
DC01(192.168.88.5)
DC02 (192.168.88.6)
DC03 (192.168.88.7)
MS01 (192.168.88.150)
WS01 (192.168.88.100)
WS02 (192.168.88.101)
Configure each with the same local administrator password for now — don’t forget it!
In order to create your lab you will need desktop virtualization software such as
VMWare Workstation/Fusion, VirtualBox or a separate hypervisor (server) running
ESXi or Proxmox. This guide will cover the basics of initial setup with VMWare
Workstation and VirtualBox. In-depth usage of each is out of the scope of this article.
The necessary software can be downloaded from the following URLs:
https://www.vmware.com/products/workstation-player/workstation-player-evaluation.html
https://www.virtualbox.org/wiki/Downloads
Choose Installer disc image file (iso) and select the appropriate ISO file on your local
system.
Enter a password for the administrator user. If you leave the license key blank, you will
have a 90-day trial period.
Choose a name for the VM based on the naming convention above. For better
VM management and to avoid any conflicts, create each VM in its own folder.
Select Store virtual disk as single file and give it a 40GB disk.
Click Finish on the next screen. The default 2 GB of RAM and 2 cores should be plenty for
lab purposes but can be adjusted later if issues arise.
After clicking Finish, the VM will boot. Hit Enter to boot from the ISO image. Choose
Windows Server 2016 Standard (Desktop Experience). If you are already comfortable
with creating VMs and managing AD, you can choose Windows Server 2016 Standard
(Server Core). Server Core has a smaller footprint on disk and uses fewer resources,
but it has no GUI, so all configuration must be done via PowerShell.
The installation process will start and takes a while, so we recommend creating each
VM in parallel to save time. Alternatively, you can create one VM image and then clone
and sysprep it, but we will not cover that in this post.
The process for building a VM in VirtualBox is similar. It can be downloaded from here:
https://www.virtualbox.org. VirtualBox is free to use and allows for multiple VMs to be
run simultaneously. It offers many enterprise-grade features and is cross-platform
(Windows, OSX, and Linux).
The defaults will work for the purposes of this lab. They can be adjusted based on your
available hardware and resources. The screenshot below shows the default options for
creating the virtual disk.
For the purpose of this lab, be sure to leave the default Dynamically allocated. This will
only consume hard drive space as the disk fills up and will save space on your host.
As with VMware Workstation, the VM will boot after clicking Finish; hit Enter to boot
from the ISO image.
Follow the same process to create a base image for each server/workstation VM. While
this entire process can be automated with Vagrant/Packer, Ansible, PowerCLI, etc., we
feel it is important to become comfortable manually performing each task, starting
from the basics, before moving towards automation.
Once the VMs are built, log in to the VM that will be your first Domain Controller.
Search for ‘Computer’ in the start menu or go to Control Panel → System and Security
→ Security and change the computer name to a host name such as DC01 and then
restart the server when prompted.
Change the network settings to set a static IP address and set the DNS server to localhost
(127.0.0.1). You can temporarily set DNS to 8.8.8.8 if you need to run updates or
download something, but it is preferable to keep your vulnerable lab local and not
internet facing the majority of the time.
Your first Domain Controller is necessary for getting everything up and running with
Active Directory. Log in to Server Manager and click on Add roles and features.
Add the Active Directory Domain Services role, which is necessary before promoting the
server to a domain controller. Leave all other roles unchecked and click Next.
Check the box next to Restart the destination server automatically if required and click
Yes to confirm automatic restarts.
Once the role is installed click on Promote this server to a domain controller.
On the next screen, choose Add a new forest and select a root domain name. Choose
something ending in .local or .ad.
Leave all of the defaults on the next screen and enter a DSRM password.
Click Next and either leave the suggested NETBIOS name or modify it if desired.
Click Next and leave all defaults, click Next again to go through prerequisite checks.
Note: If you have not set a password for the built-in administrator account yet, installation
will fail. Set a password for the administrator account and click on Rerun prerequisites
check.
Once rebooted, confirm the new DC by opening a PowerShell window and typing Get-ADDomain.
$ipaddress = "192.168.x.x"   # static address for this DC
$dnsaddress = "127.0.0.1"    # a DC points DNS at itself
# "Ethernet0" is a placeholder; check the adapter name with Get-NetAdapter
New-NetIPAddress -InterfaceAlias "Ethernet0" -IPAddress $ipaddress -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias "Ethernet0" -ServerAddresses $dnsaddress
Restart-Computer
Follow all of the prompts, set the DSRM password and allow the server to reboot.
Once rebooted, confirm the new DC.
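The same build of DC01 done entirely from PowerShell, as an added example that is not part of the original post. It assumes the adapter alias "Ethernet0", a lab gateway of 192.168.88.1, and the forest name octagon.local and host list used above; the variables at the top are the only things to change.

```powershell
# Added example: DC01 from static IP to verified forest root, no GUI.
# Run in order; the rename in step 2 reboots, so re-run from step 3 afterwards.
$Adapter     = "Ethernet0"       # assumption: check with Get-NetAdapter
$IPAddress   = "192.168.88.5"    # DC01 from the host list above
$Gateway     = "192.168.88.1"    # assumption: omit -DefaultGateway if the lab has none
$DomainName  = "octagon.local"   # forest root name used in the post
$NetbiosName = "OCTAGON"

# 1. Static address, and DNS pointed at itself: the DC will host its own zone.
Remove-NetIPAddress -InterfaceAlias $Adapter -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $IPAddress -PrefixLength 24 -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses "127.0.0.1"

# 2. Hostname (skip if already renamed through the System dialog above).
if ($env:COMPUTERNAME -ne "DC01") { Rename-Computer -NewName "DC01" -Restart }

# 3. AD DS role, the PowerShell equivalent of "Add roles and features".
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# 4. Promote to the first DC of a new forest. The DSRM password is the same one
#    the wizard asks for; -Force suppresses the confirmation and the server
#    reboots on completion.
Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetbiosName `
    -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password") `
    -Force

# 5. After the reboot: the domain object, the DC itself, and the SRV record
#    that clients will use to locate it. All three must succeed before building DC02.
Get-ADDomain | Select-Object DNSRoot, DomainMode, PDCEmulator
Get-ADDomainController | Select-Object HostName, IPv4Address, IsGlobalCatalog
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV
```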
Go into Network Connections and then adapter settings to change the DNS server to
point to the domain controller, and set a static IP within whatever range your DC is in.
Here the DC IP address would be 192.168.88.5.
Search for Computer in the start menu, right click and select Properties. Go down to
Computer name, domain, and workgroup settings and click Change settings.
Next to To rename this computer or change its domain or workgroup, click Change.
Change the domain name to match the one you set up on the DC and you will be
prompted for credentials to join the computer to the domain.
For this lab we will set up a child domain to set up an intra-forest trust as well as a
second forest in order to establish an external trust.
On the second Domain Controller go through the same process to create a DC, but this
time choose Add a new domain to an existing forest and select Child Domain from the
drop-down to create a child domain within the same forest.
Make sure the DNS server on DC02 is the IP address of the parent Domain Controller.
Disable Windows Firewall on both machines.
Type in the parent domain and click Select. When the popup appears, type in the
Administrator password for DC02 and select the parent domain from the list.
Choose a name for the child domain. This should be one word such as dev as it will be
prepended to the root domain name in the form of a subdomain (i.e. *.octagon.local).
Click on Select and put the Domain Admin credentials for the first domain into the
popup. You will then be prompted to select that domain within the forest. Follow all of
the prompts and leave the defaults.
Enter the child domain name, one word such as dev. Continue through the remaining
steps to finish creating the new DC.
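The child-domain promotion and the workstation join from the two sections above, as an added PowerShell example that is not part of the original post. It assumes the adapter alias "Ethernet0" and the host addresses listed earlier; octagon.local and the child name dev come from the post, and WS01 here joins the root domain via DC01 as the GUI walkthrough above does.

```powershell
# Added example: DC02 becomes the first DC of dev.octagon.local; WS01 joins octagon.local.
$Adapter   = "Ethernet0"        # assumption: check with Get-NetAdapter
$ParentDC  = "192.168.88.5"     # DC01; the child promotion must resolve the parent

# --- On DC02 ---
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress "192.168.88.6" -PrefixLength 24
# DNS at the parent DC only, exactly as the text requires before promotion.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $ParentDC
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Parent Domain Admin credential: the same prompt the wizard shows after "Select".
$ParentCred = Get-Credential -Message "Domain Admin of octagon.local (OCTAGON\Administrator)"
Install-ADDSDomain -DomainType ChildDomain `
    -ParentDomainName "octagon.local" -NewDomainName "dev" -NewDomainNetbiosName "DEV" `
    -InstallDns -CreateDnsDelegation -Credential $ParentCred `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password") `
    -Force      # reboots on completion

# After the reboot DC02 should resolve itself first and fall back to the parent,
# and the domain object must report octagon.local as its parent.
# Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses "127.0.0.1", $ParentDC
# Get-ADDomain -Identity "dev.octagon.local" | Select-Object DNSRoot, ParentDomain, NetBIOSName

# --- On WS01 ---
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress "192.168.88.100" -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $ParentDC
# Equivalent of the Computer Name > Change dialog; prompts for domain credentials.
Add-Computer -DomainName "octagon.local" -Credential (Get-Credential "OCTAGON\Administrator") -Restart
```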
The first step is setting up a new Conditional Forwarder under DNS Manager on both
DC01 and DC03 so the forests can communicate properly via DNS. Right click on
Conditional Forwarders and select New Conditional Forwarder.
On DC01 enter the domain name that you set on DC03 as well as the IP address of that
Domain Controller.
Click OK and check that the Conditional Forwarder appears in the list.
Next, open up Active Directory Domains and Trusts on DC01, right-click on the forest
root and select Properties. You’ll see the Child domain created prior.
Click on New Trust. Click Next and type in the domain name for DC03. Click Next and
select Forest trust.
Select Two-way to create a bidirectional trust, meaning that users in Forest A can
authenticate to Forest B and vice-versa.
To avoid having to repeat this process on DC03, select Both this domain and the
specified domain.
Type in the credentials for the Domain Admin in the other forest (DC03).
Click Yes, confirm the outgoing trust and Yes, confirm the incoming trust.
If everything went to plan you will get a confirmation message that the trust
relationship was successfully created.
Validate the trust relationship on both sides by running this command on both DC01
and DC03.
Note: Take snapshots of all VMs in a powered off state before continuing. This will preserve
the trusts in case you have to revert all of the images.
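The conditional forwarder and trust-validation steps from this section in PowerShell, as an added example that is not part of the original post. The post never names Forest B, so "forestb.local" with DC03 at 192.168.88.7 is an assumption; the checks read back the trust object the wizard created rather than creating one.

```powershell
# Added example: DNS forwarders between the forests, then validation of the forest trust.
$ForestA = "octagon.local"; $ForestA_DC = "192.168.88.5"   # DC01
$ForestB = "forestb.local"; $ForestB_DC = "192.168.88.7"   # DC03, assumed name

# --- On DC01: forward Forest B's zone to DC03 (DC03 does the mirror image for $ForestA) ---
Add-DnsServerConditionalForwarderZone -Name $ForestB -MasterServers $ForestB_DC -ReplicationScope Forest
Get-DnsServerZone | Where-Object ZoneType -eq "Forwarder" | Select-Object ZoneName, MasterServers

# The wizard cannot find the other forest until its DC locator record resolves here.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$ForestB" -Type SRV

# --- Run on each DC after the wizard: is the trust really two-way and forest-transitive? ---
function Test-LabForestTrust {
    param([Parameter(Mandatory)][string]$Partner)

    $trust = Get-ADTrust -Filter "Target -eq '$Partner'" -ErrorAction SilentlyContinue
    if (-not $trust) { Write-Warning "No trust object found for $Partner"; return $false }

    # SIDFilteringForestAware is the quarantine setting that keeps SID history from
    # the other forest out of tokens; leave it enabled unless an exercise needs otherwise.
    $trust | Select-Object Name, Direction, ForestTransitive,
                           SelectiveAuthentication, SIDFilteringForestAware | Format-List

    # nltest establishes and verifies the secure channel to the partner domain.
    nltest /sc_verify:$Partner | Out-Host

    return ($trust.Direction -eq "BiDirectional" -and $trust.ForestTransitive)
}

Test-LabForestTrust -Partner $ForestB     # on DC01; on DC03 run with -Partner $ForestA
```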
Now it is time to make a mess of these domains. You can add user/computer objects
manually or use BadBlood in each domain to add OUs, users, groups, computer objects
and ACLs.
Note: If you receive the error message “Could not create SSL/TLS secure channel” (PowerShell
defaults to TLS 1.0), enter the following command and re-try the wget request:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Open up the script to modify the number of users to speed things up. Change 1000..5000
to 100..500 or something smaller than the default.
Many flaws and misconfigurations can be added to the lab to practice common and
more advanced Active Directory enumeration and attacks:
Utilize BadBlood to add OUs, users and computers and set up many misconfigured
ACLs and groups. This can also be done manually.
Set up SPNs for Kerberoasting (set this up across the forest trust too!).
Simulated phishing.
Below are a few examples of misconfigurations that you can add to your lab.
Kerberos pre-authentication not required (ASREPRoast). There are a few ways to set
this up. The easiest way is opening Active Directory Users and Computers, right click on
a user and choose Properties, and then browse to the Account tab.
The attack can be tested out locally with Rubeus or remotely with the Impacket toolkit
GetNPUsers.py.
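Creating the two Kerberos misconfigurations just described on lab accounts, and then auditing the domain for them the way a defender would, as an added example that is not part of the original post. The account names svc_backup and jdoe and the SPN host ms01.octagon.local are constructed for the lab.

```powershell
# Added example: set up the Kerberoasting and AS-REP roasting targets, then find them.
Import-Module ActiveDirectory

# 1. Kerberoasting target: a user account (not a computer) carrying an SPN.
Set-ADUser -Identity "svc_backup" -ServicePrincipalNames @{Add = "MSSQLSvc/ms01.octagon.local:1433"}

# 2. AS-REP roasting target: the "Do not require Kerberos preauthentication"
#    checkbox on the Account tab sets userAccountControl bit 0x400000.
Set-ADAccountControl -Identity "jdoe" -DoesNotRequirePreAuth $true

# 3. Audit: the same two conditions an attacker's tooling looks for, so the lab
#    owner can confirm the exposure exists and later confirm it is gone.
function Get-LabKerberosExposure {
    $noPreauth = Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' -Properties DoesNotRequirePreAuth
    $spnUsers  = Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName |
                 Where-Object SamAccountName -ne "krbtgt"    # krbtgt always has one; not a finding

    [pscustomobject]@{
        NoPreauthUsers = @($noPreauth | ForEach-Object SamAccountName)
        SpnUsers       = @($spnUsers  | ForEach-Object { "$($_.SamAccountName): $($_.ServicePrincipalName -join ', ')" })
    }
}

Get-LabKerberosExposure | Format-List

# 4. Revert either change once the exercise is finished.
# Set-ADAccountControl -Identity "jdoe" -DoesNotRequirePreAuth $false
# Set-ADUser -Identity "svc_backup" -ServicePrincipalNames @{Remove = "MSSQLSvc/ms01.octagon.local:1433"}
```

On the DC, a successful AS-REP against jdoe shows up as a Kerberos TGT request (Event ID 4768) with Pre-Authentication Type 0, which is the signal to watch for when testing detections.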
Add some users with common/weak passwords. This can be done a number of ways
(cmd, PowerShell, etc.).
enum4linux -U -P 192.168.88.5
Make a user list from the output and attempt password spraying for a common
password that you set for multiple users on DC01. Password spraying can be performed
a variety of ways. One way is using rpcclient from Linux. A nice Bash script for
performing password spraying with rpcclient can be found here.