
If you’re interested in how to set up a Windows Active Directory domain controller at home to ethically hack, this is the right place. Would you rather learn about malware analysis? Read the tutorial here.

Active Directory domain controllers are essential to Windows security, so you will want to set one up using this guide in order to practice pen testing in an Active Directory domain network that resembles a real enterprise network.

The steps outlined in this tutorial are going to do the following:

  1. Set up an Active Directory domain controller on a Windows Server 2016 machine.
  2. Set up a Windows 10 virtual machine that is joined to the pentestlab.com domain.
  3. Introduce a “DCSync” vulnerability: a misconfigured permission that allows tools like Mimikatz to dump password hashes for Active Directory users.
  4. (Optional) Set up a Kali Linux virtual machine. With all the custom virtual networking in this lab, you may want to refer to this section if you have trouble getting Kali connected.

Having Trouble? Troubleshoot

Common Issues

  1. When joining the Windows 10 VM to the DC I get the error “there is no <domain name> available”!
  • In the network adapter settings for the Windows 10 virtual machine, is there a manual DNS server setting of <IP address of domain controller VM> and 8.8.8.8?
  • In the network adapter settings for the domain controller virtual machine, is there a manual DNS server setting of <IP address of domain controller VM> and 8.8.8.8?

Here’s What You Need

You will need several Windows virtual machines. For this tutorial we are using Microsoft Evaluation Center copies of Windows 10 and Windows Server 2016.

  • Windows 10, get it here.
  • Windows Server 2016, get it here.
  • Create a host-only network adapter and connect each of these virtual machines to the same host-only network.

Step 1. Set Up VirtualBox

1. Create a virtual machine for each of the two Windows images

Need help creating a new virtual machine? Read my tutorial here.

2. Networking in VirtualBox

Go to File > Host Network Manager

  • Create a new network. VirtualBox names the first new network vboxnet0 by default.
  • Make sure “DHCP Server Enable” is unchecked.
  • Set the vboxnet0 IPv4 address to 198.168.0.10. This is the address of the host-side interface on that network; remember it for later if you get lost!
  • Go to the Settings tab of the virtual machine. Go to Network and change Adapter 1 to vboxnet0. (Do this for each of the virtual machines we set up in the lab – set Adapter 1 to vboxnet0.)
  • (Optional) Add a NAT network adapter as Adapter 1 or Adapter 2 in addition to vboxnet0 if you want internet access. With host-only networking alone the virtual machines have no connectivity to the internet.

Step 2. Windows 2016 Active Directory Domain Controller

A domain controller is a Windows server with Active Directory installed. The server hosts the AD service for the machines and users that are joined to the domain over the network.

Configure the DC Networking Settings

Directly on the DC

By going to Network Connections > IPv4 > Properties you can configure the networking settings for the DC directly.

Set the IP address of the domain controller to 198.168.0.23. Set the DNS server addresses to 127.0.0.1 (the loopback address, so the DC uses its own DNS service) and 8.8.8.8 (Google’s public DNS server). The default gateway is the IP address of the vboxnet0 host-only network adapter we set earlier in the tutorial.

Go ahead and test the new connection by pinging the domain controller over the network.

We have a working connection to the Domain Controller, don’t forget to test your connection!

In VirtualBox

Go to the Settings tab of the virtual machine. Go to Network and change Adapter1 to vboxnet0.

Step 3. Windows 10

Configure Windows 10 Network Settings

Directly on the virtual machine

Assign the Windows 10 machine a static IP address of 198.168.0.15. Notice that the DNS server address is the IP address we statically assigned to the domain controller, 198.168.0.23.

In VirtualBox

Go to the Settings tab of the virtual machine. Go to Network and change Adapter1 to vboxnet0.

Step 4: Setup Domain

On the domain controller

To be able to create a new domain you have to add the Active Directory Domain Services role to the server via the Server Manager app. Once this is done you will see an option to “Promote this server to a domain controller”; choose it. Then continue with Deployment Configuration.

Go to Server Manager > AD DS > Deployment Configuration and choose “Add a new forest”. Ours is named “pentestlab” for this example.

The defaults are fine for the next step. Choose a DSRM (Directory Services Restore Mode) password that you will remember.

Step 5: Join Win 10 to domain

On the Windows 10 virtual machine

Go to Control Panel > System and Security > System and click on “Change settings” on the bottom right of the screen.

Next we add the Windows 10 machine to the domain so that we can interact with it inside our custom domain-configured private network.

Upon hitting “OK”, you should see a message that says “Welcome to the pentestlab.com domain.” If you don’t, check that you have connectivity to all devices in the tutorial, as this is the most likely root cause!

Step 6: Create a victim user

In this section we are going to add two new users with similar properties that differ in one setting: Bob has “Store password using reversible encryption” enabled, and Kirk does not. Both users will be added to the Domain Admins group.

On the domain controller open Active Directory Users and Computers

(Optional) Give Bob the user a password with reversible encryption. This will be useful if you would like to see later how unsafe this option is!

Add Bob to Domain Admins

Bob’s system administrator has added him to Domain Admins as a requirement for one of Bob’s roles. The admin has forgotten to remove him from this group leaving him as our new target!

Add Bob the user to the Domain Admins group. This is necessary for the next steps when we ethically hack him!
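The same two accounts can be created from PowerShell instead of the Active Directory Users and Computers GUI. This is an added example, not part of the original tutorial; it assumes the ActiveDirectory module (installed with the AD DS role) and the pentestlab.com domain from this guide, and it ends with the two checks a defender would run against such a setup.

```powershell
# Added example: create the Step 6 lab users (bob with reversible encryption, kirk without),
# make both Domain Admins, then audit the domain for the two resulting weaknesses.
# Assumes the ActiveDirectory module and the pentestlab.com domain used in this tutorial.
Import-Module ActiveDirectory

# Lab passwords are prompted for rather than hard-coded; they must satisfy the domain password policy.
$bobPw  = Read-Host 'Password for bob'  -AsSecureString
$kirkPw = Read-Host 'Password for kirk' -AsSecureString

# Bob: the deliberately weak account, password stored with reversible encryption.
New-ADUser -Name 'bob' -SamAccountName 'bob' -UserPrincipalName 'bob@pentestlab.com' `
    -AccountPassword $bobPw -Enabled $true -AllowReversiblePasswordEncryption $true
# The flag only covers passwords set while it is on, so reset once after creation to be sure
# the reversibly encrypted copy actually exists.
Set-ADAccountPassword -Identity 'bob' -Reset -NewPassword $bobPw

# Kirk: a normal account, password stored only as a hash.
New-ADUser -Name 'kirk' -SamAccountName 'kirk' -UserPrincipalName 'kirk@pentestlab.com' `
    -AccountPassword $kirkPw -Enabled $true

# Both are over-privileged, as in the tutorial's scenario.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'bob', 'kirk'

# Audit 1: accounts with ENCRYPTED_TEXT_PWD_ALLOWED (0x80) set in userAccountControl,
# i.e. passwords stored reversibly. Only bob should appear.
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' |
    Select-Object SamAccountName, DistinguishedName

# Audit 2: current Domain Admins membership. Every entry here is a target worth protecting.
Get-ADGroupMember -Identity 'Domain Admins' | Select-Object SamAccountName, objectClass
```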

Step 7: Create DC Sync Vulnerability

On the Windows 10 virtual machine

What is “DCSync”? DCSync is an attack in which an account that holds the directory replication permission asks the domain controller to replicate account data, including password hashes, the way another domain controller would. The permission is a special (non-standard) one for ordinary AD users or groups, and we are going to add it to a privileged user.

This permission is the Replicating Directory Changes checkbox. I had to manually add this permission. After some PowerShell testing I found that by default, even though my victim account had been granted Domain Admin privilege, it did not have this permission granted.

Create a “delegate control” for Bob the user.
Select Domain Admins and click “Add”.
Select “Create a custom task to delegate”.

For the final step of the procedure if you don’t see the option to select “Replicating Directory Changes”, check the user group you are adding a delegate control to, it should be Domain Admins!

Select “Replicating Directory Changes”.
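Rather than trusting the delegation wizard, you can read the result straight from the domain’s ACL. The script below is an added example, not from the original tutorial; it assumes the ActiveDirectory module on the DC, uses the well-known rightsGuid values of the replication extended rights, and `Get-ReplicationRightHolders` is a name chosen here.

```powershell
# Added example: list every principal holding a directory replication extended right on the
# domain head. This is the permission DCSync needs, so the output is a DCSync exposure report.
# Assumes the ActiveDirectory module; run on the DC or a host with RSAT.
Import-Module ActiveDirectory

# Fixed rightsGuid values of the replication extended rights, identical in every AD forest.
$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolders {
    # Hypothetical helper name. Reads the ACL of the domain naming context, e.g. DC=pentestlab,DC=com.
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        $isExtended = $ace.ActiveDirectoryRights.HasFlag(
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        $guid = $ace.ObjectType.ToString()
        if ($ace.AccessControlType -eq 'Allow' -and $isExtended -and $replicationRights.ContainsKey($guid)) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Right     = $replicationRights[$guid]
                Inherited = $ace.IsInherited
            }
        }
    }
}

# On a freshly built domain only BUILTIN\Administrators and the domain controller groups appear.
# After Step 7 the principal you delegated to (bob, or the Domain Admins group) shows up as well:
# that line is the misconfiguration, and it is what a defender should alert on.
# Caveat: a principal with GenericAll on the domain head holds these rights implicitly and is
# not caught by this GUID match.
Get-ReplicationRightHolders | Sort-Object Principal, Right | Format-Table -AutoSize
```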

Step 9: (Optional) Setup Kali Linux

In VirtualBox

Go to the Settings tab of the virtual machine. Go to Network and change Adapter1 to vboxnet0.

On the Kali Linux virtual machine

Here we give the Kali Linux virtual machine a static IP address so we don’t lose its IP later!

Go ahead and ping the Windows 10 virtual machine (198.168.0.15) and the domain controller (198.168.0.23) in order to check connectivity.

A ping should be successful. If it’s not check your network settings!

Step 10: Attack!

Carrying out the attack is done in a few steps.

  1. Get mimikatz onto the client (victim) VM.
  2. Call the dcsync module in mimikatz for the user and domain given as command line arguments.

mimikatz # privilege::debug

mimikatz # lsadump::dcsync /domain:pentestlab.com /user:kirk

[Screenshot] The result of running mimikatz against the privileged domain admin user Kirk. The password hash is not shown here 🙂

This command returns the NTLM hash for the domain admin user account “kirk@pentestlab”.

What next?

From here we can carry out further attacks, escalating privileges and moving laterally with methods such as pass-the-hash (PTH) using the NTLM hash we have just recovered.

Updated: Use PowerShell for a Fast Installation

Adding the Active Directory Domain Services role is normally done through Server Manager in recent versions of Windows Server, including 2016, which this tutorial uses. The same installation can be scripted in PowerShell as follows.

Step 1. Import Module Server Manager.

Import-Module ServerManager

Step 2. Install AD DS Role.

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | fl

Step 3. Install a new AD Forest, Install the DNS Server Role, Set Other Domain Settings.

# Install a new forest. Prompt for the DSRM (Directory Services Restore Mode) password as a secure string.
$recoverypw = Read-Host "password for dsrm:" -AsSecureString
# -InstallDns also adds the DNS Server role; -NoRebootOnCompletion means you reboot the server yourself afterwards.
Install-ADDSForest -DomainNetbiosName testlab -DomainName testlab.local -DomainMode "WinThreshold" -ForestMode "WinThreshold" `
    -InstallDns -LogPath "C:\Windows\NTDS" -SysvolPath "C:\Windows\SYSVOL" -DatabasePath "C:\Windows\NTDS" `
    -SafeModeAdministratorPassword $recoverypw -NoRebootOnCompletion

A successful installation will look similar to the screenshot below.

From here you can test that the new AD Forest and domain are installed.
