General · May 7, 2021

Setting Up Personal Active Directory Red Team Lab

Active Directory is challenging to learn because you hardly encounter AD outside corporate environments. My approach to learning anything is to set up a lab from scratch yourself, so that you know which misconfigurations can happen and where each configuration lives. So let's do our own lab setup.

The architecture looks like this-

  1. Windows Server 2016 (DC)
  2. Windows 7 system joined to the DC, hosting a vulnerable web application; let's take DVWA.
  3. Windows 10 system joined to the DC and running a few services (MSSQL); this one is for the Kerberoasting demo.

Scenario: as a red teamer, you get command execution on win7 (DVWA), then a reverse shell, and then a backdoor. Next, enumerate the services; here you find MSSQL. Using Kerberoasting, get a service ticket. From the service ticket, we get hold of the DC and then, due to a misconfiguration, escalate privileges and get a Golden Ticket.

Download links for the VMs and the server are provided in the reference section below.

  • Create a host-only network interface with the below config
  • Go to the DHCP server tab and configure as shown in the below screenshot

  • Once you have installed Windows Server 2016 in VirtualBox, attach the host-only adapter to the VM.

  • Now let's start the Windows server and go to the Ethernet properties.
  • Assign a static IP as below

  • Now go back to Server Manager to install Active Directory.

  • Click on "Add roles and features," which leads you to the page below. Then select the first option.
  • In the server selection, click Next.
  • The next step is important: in "Server Roles," check "Active Directory Domain Services."

  • Now it will install AD features.

  • The next important step is to click on "Promote this server to a domain controller."

  • Now you will be taken to the screen below. Here you can specify the forest name; for example, I have "evilcorp.com."

  • Now on the next page, add a restore mode password.

  • Next, check on “Create DNS delegation.”

  • Set the paths (database, log files, SYSVOL) as below.

  • Now you know why a pentester looks for credentials in SYSVOL and NTDS.dit. The AD database is stored in C:\Windows\NTDS\NTDS.DIT. The SYSVOL folder stores the server copy of the domain's public files, which must be shared for common access and replication throughout the domain. When a domain administrator pushed out a local administrator account via Group Policy Preferences, the encrypted credentials were stored in the SYSVOL share on the domain controller.
  • Click Next, and don't worry about the warnings shown on the prerequisites check.

  • Once the installation is done, you should see a login screen like this-
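The role installation and forest promotion just walked through, as an added PowerShell example that is not part of the original post; it assumes the forest name evilcorp.com from the post, while the NetBIOS name, the paths and the DSRM password prompt are this example's own choices.

```powershell
# Added example, not from the original post: the Server Manager steps above
# (add the AD DS role, promote to a forest root DC named evilcorp.com) done from
# an elevated PowerShell prompt on the Windows Server 2016 VM.
# Assumptions: the forest name comes from the post; the NetBIOS name, paths and
# the DSRM password prompt are this example's choices.

# Step 1: add the role (same as checking "Active Directory Domain Services").
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 2: promote to a new forest. -InstallDns makes this DC the domain's DNS
# server, -SafeModeAdministratorPassword is the restore mode password from the
# wizard, and the two paths are the NTDS.dit and SYSVOL locations the post names.
$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password'
Install-ADDSForest `
    -DomainName 'evilcorp.com' `
    -DomainNetbiosName 'EVILCORP' `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -DatabasePath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -Force          # skip the confirmation prompt; the server reboots when done

# Run after the reboot, as the domain admin: confirm the promotion worked and
# audit SYSVOL for the Group Policy Preferences credentials the post mentions.
function Test-LabDomainController {
    $dc = Get-ADDomainController
    [pscustomobject]@{
        Name      = $dc.HostName
        Domain    = $dc.Domain
        IsDnsHost = (Get-Service -Name DNS).Status -eq 'Running'
    }
}

function Find-GppCpassword {
    # GPP XML files that can carry a cpassword attribute; any hit is the
    # SYSVOL misconfiguration to audit for and remove in a real domain.
    $files = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
             'DataSources.xml', 'Printers.xml', 'Drives.xml'
    Get-ChildItem -Path '\\evilcorp.com\SYSVOL\evilcorp.com\Policies' -Recurse -Include $files |
        Select-String -Pattern 'cpassword=' -SimpleMatch |
        Select-Object Path, LineNumber
}
```

A fresh forest has no GPP files, so Find-GppCpassword returns nothing until you deliberately push a local account via Group Policy Preferences for the lab scenario.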

DOMAIN JOINING

As per the architecture, we will be adding the win7 and win10 systems to AD.

Adding users

  • From the Server Manager GUI on the DC, go to Tools and select "Active Directory Users and Computers."
  • Click on the Users container of the domain, as below.

  • Right-click on Users and add a user as below.
  • Once the user is created, right-click the user, open Properties, select the "Member Of" tab, and assign the group membership you want to give.
  • Now let's start the Windows 7 system (dev machine) with the same host-only network interface.

  • Now go to the adapter properties and set the preferred DNS server to the IP address of the DC.

  • Finally, join it to the domain. Go to System Properties and follow the steps below.

  • Now it will prompt you to restart. After that, you will see a domain login screen like this-

Similarly, let's create a service account to perform Kerberoasting against.

We will talk in detail about Kerberoasting in my next blog post. This one turned out to be longer than I anticipated. Stay tuned!
