If you’re interested in how to set up a Windows Active Directory domain controller at home for ethical hacking practice, this is the right place. Would you rather learn about malware analysis? Read the tutorial here.
Active Directory domain controllers are central to Windows security. Setting one up with this guide lets you practice penetration testing in a domain-joined network that resembles a real enterprise network.
The steps outlined in this tutorial are going to do the following:
- Set up an Active Directory domain controller on Windows Server 2016.
- Set up a Windows 10 virtual machine that is joined to the pentestlab.com domain.
- Deliberately introduce a “DC Sync” vulnerability. This vulnerability allows tools such as Mimikatz to dump passwords for Windows Active Directory users.
- (Optional) Set up a Kali Linux virtual machine. With all the custom virtual networking used here, refer to this section if you have trouble using Kali.
Having Trouble? Troubleshoot
Common Issues
- When joining the Windows 10 VM to the DC I get the error “there is no <domain name> available”!
- Check the network adapter settings of the Windows 10 virtual machine: is the DNS server set manually to <IP address of domain controller vm> and 8.8.8.8?
- Check the network adapter settings of the domain controller virtual machine: is the DNS server set manually to <IP address of domain controller vm> and 8.8.8.8?
Here’s What You Need
You will need several Windows virtual machines. For our purposes we are using Microsoft Evaluation Center copies of Windows 10 and Windows Server 2016.
- Windows 10, get it here.
- Windows Server 2016, get it here.
- Create a host-only network adapter and connect each of these virtual machines to the same host-only network.
Step 1. Set Up VirtualBox
1. Create a virtual machine for each of the two Windows images.
Need help creating a new virtual machine? Read my tutorial here.
2. Networking in VirtualBox
Go to File > Host Network Manager
- Create a new network, VirtualBox names the first new network vboxnet0 by default.
- Make sure “DHCP Server Enable” is unchecked.
- Set the vboxnet0 IPv4 address to 198.168.0.10. This is the IP address of the host-only interface (the network itself); note it down in case you get lost later!
- Go to the Settings tab of the virtual machine, open Network and change Adapter 1 to vboxnet0. (Do this for each of the virtual machines we set up in the lab.)
- (Optional) If you want internet access, add a NAT network adapter in Adapter 1 or Adapter 2 in addition to vboxnet0. With host-only networking alone you won’t have connectivity to the internet.
Step 2. Windows 2016 Active Directory Domain Controller
A domain controller is a Windows server with Active Directory installed; it serves the AD service over the network to the resources that are joined to the domain.
Configure the DC Networking Settings
Directly on the DC
Test the new connection by pinging the domain controller over the network.
In VirtualBox
Go to the Settings tab of the virtual machine. Go to Network and change Adapter1 to vboxnet0.
Step 3. Windows 10
Configure Windows 10 Network Settings
Directly on the virtual machine
In VirtualBox
Go to the Settings tab of the virtual machine. Go to Network and change Adapter1 to vboxnet0.
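The adapter settings that Steps 2 and 3 leave to screenshots, as an added PowerShell example (not from the original tutorial). It is written for the Windows 10 VM; on the DC use the DC’s own address for both $MyIp and the first DNS entry, as the troubleshooting section describes. Assumptions: the vboxnet0 adapter is named “Ethernet” inside the guest, the subnet is 198.168.0.0/24, and 198.168.0.20 is a placeholder for the DC’s address.

```powershell
# Added example: static addressing for a lab VM on the host-only network.
# $IfAlias, $DcIp and the /24 prefix are assumptions; substitute your own values.
$IfAlias = "Ethernet"
$DcIp    = "198.168.0.20"      # placeholder: the address you gave the domain controller
$MyIp    = "198.168.0.23"      # the Windows 10 VM address used later in the tutorial
$Domain  = "pentestlab.com"

# Replace any DHCP/APIPA configuration with a fixed address on vboxnet0.
Set-NetIPInterface -InterfaceAlias $IfAlias -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $IfAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $IfAlias -IPAddress $MyIp -PrefixLength 24 | Out-Null

# A domain join only works if the client can resolve the domain's SRV records, so the
# DC must be the first DNS server; 8.8.8.8 is the fallback the troubleshooting section uses.
Set-DnsClientServerAddress -InterfaceAlias $IfAlias -ServerAddresses @($DcIp, "8.8.8.8")

# Check the two things that usually lie behind "there is no <domain name> available":
# the DC is reachable on LDAP, and the _ldap._tcp.dc._msdcs SRV record resolves via the DC.
function Test-LabDomainDns {
    param([string]$DomainName, [string]$DnsServer)
    $reach = Test-NetConnection -ComputerName $DnsServer -Port 389 -WarningAction SilentlyContinue
    $srv   = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
                             -Server $DnsServer -ErrorAction SilentlyContinue
    $srvRecords = @($srv | Where-Object { $_.Type -eq "SRV" })
    [pscustomobject]@{
        DcReachableOnLdap = $reach.TcpTestSucceeded
        SrvRecordFound    = $srvRecords.Count -gt 0
        DcFromSrv         = if ($srvRecords.Count -gt 0) { $srvRecords[0].NameTarget } else { $null }
    }
}
Test-LabDomainDns -DomainName $Domain -DnsServer $DcIp
```

If SrvRecordFound is false but the DC is reachable, the DNS server order on the adapter is the first thing to fix.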
Step 4: Setup Domain
On the domain controller
To be able to make a new domain you have to add the role of Active Directory Domain Services to the server via the Server Manager app. Once this is done you will see an option to “promote server to domain controller”, choose to do so. Finally go ahead with Deployment Configuration.
Go to Server Manager > AD DS > Deployment Configuration and choose “Add a new forest”. Call yours “pentestlab”.
Step 5: Join Win 10 to domain
On the Windows 10 virtual machine
Next we join the Windows 10 machine to the domain so that we can interact with it inside our custom domain-configured private network.
After clicking “OK”, you should see a message that says “Welcome to the pentestlab.com domain.” If you don’t, check that you have connectivity to all devices in the tutorial, as this is the usual root cause!
Step 6: Create a victim user
In this section we add two new users with otherwise similar properties. The only difference is that 1.) Bob’s account has “Store password using reversible encryption” enabled and 2.) Kirk’s does not. Both users are added to the Domain Admins group, however.
On the domain controller open Active Directory Users and Computers
Add Bob to Domain Admins
Bob’s system administrator has added him to Domain Admins as a requirement for one of Bob’s roles. The admin has forgotten to remove him from this group leaving him as our new target!
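The two accounts from this step created with PowerShell instead of the Active Directory Users and Computers GUI, as an added example (not from the original tutorial). It assumes it runs on the DC as a domain admin, that both users land in the default Users container, and it finishes with the check a defender would run to find accounts that still store reversibly encrypted passwords.

```powershell
# Added example: Bob (weak setting) beside Kirk (corrected setting), both in Domain Admins.
Import-Module ActiveDirectory

$pw = Read-Host "Password for the two lab users" -AsSecureString   # lab value, constructed

# Bob: AllowReversiblePasswordEncryption keeps a recoverable form of the password in the
# directory, which is what makes his plaintext password dumpable later in the lab.
New-ADUser -Name "Bob" -SamAccountName "bob" -UserPrincipalName "bob@pentestlab.com" `
           -AccountPassword $pw -Enabled $true -AllowReversiblePasswordEncryption $true

# Kirk: the same account otherwise, but without reversible encryption.
New-ADUser -Name "Kirk" -SamAccountName "kirk" -UserPrincipalName "kirk@pentestlab.com" `
           -AccountPassword $pw -Enabled $true -AllowReversiblePasswordEncryption $false

# Both end up in Domain Admins, mirroring the "forgotten" group membership in the story.
Add-ADGroupMember -Identity "Domain Admins" -Members "bob", "kirk"

# Defender's check: every account whose userAccountControl carries the
# ENCRYPTED_TEXT_PWD_ALLOWED bit (0x80). In a production domain this list should be empty.
function Get-ReversibleEncryptionUsers {
    Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=128)" `
               -Properties AllowReversiblePasswordEncryption, MemberOf |
        Select-Object SamAccountName, AllowReversiblePasswordEncryption,
                      @{ n = "DomainAdmin"; e = { [bool]($_.MemberOf -match "^CN=Domain Admins,") } }
}
Get-ReversibleEncryptionUsers
```

Only Bob should appear in the check's output, flagged as a Domain Admin; Kirk must not.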
Step 7: Create DC Sync Vulnerability
On the Windows 10 virtual machine
What is “DC Sync”? DCSync refers to a special (non-standard) permission granted to AD users or AD user groups. We are going to add this special permission to a privileged user.
This permission is the “Replicating Directory Changes” checkbox. I had to add this permission manually. After some PowerShell testing I found that by default, even though my victim account had been granted Domain Admin privilege, it did not have this permission granted.
For the final step of the procedure, if you don’t see the option to select “Replicating Directory Changes”, check the group you are delegating control to: it should be Domain Admins!
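A way to see who actually holds the replication rights on the domain object, as an added PowerShell example (not from the original tutorial). Run it on the DC before and after the delegation above; it assumes the ActiveDirectory module and its AD: drive are available, which they are on a domain controller.

```powershell
# Added example: audit the replication control-access rights on the domain naming context.
Import-Module ActiveDirectory

# Control-access-right GUIDs behind the "Replicating Directory Changes" family of permissions.
$ReplicationRights = @{
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" = "DS-Replication-Get-Changes"
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" = "DS-Replication-Get-Changes-All"
    "89e95b76-444d-4c62-991a-0facbeda640c" = "DS-Replication-Get-Changes-In-Filtered-Set"
}

function Get-ReplicationRightHolders {
    $domainDn = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$domainDn"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq "Allow" -and
            $ReplicationRights.ContainsKey($_.ObjectType.Guid)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value
                Right     = $ReplicationRights[$_.ObjectType.Guid]
                Inherited = $_.IsInherited
            }
        } |
        Sort-Object Identity, Right
}

# On an untouched domain the holders are typically the built-in Administrators group and the
# domain controller groups. A user or ordinary group appearing here is the finding to act on:
# it is exactly the state this lab step creates on purpose.
Get-ReplicationRightHolders | Format-Table -AutoSize
```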
Step 9: (Optional) Setup Kali Linux
In VirtualBox
Go to the Settings tab of the virtual machine. Go to Network and change Adapter1 to vboxnet0.
On the Kali Linux virtual machine
Go ahead and ping the Windows 10 virtual machine at 198.168.0.23 in order to check connectivity.
Step 10: Attack!
Carrying out the attack takes a few steps.
- Get Mimikatz onto the client (victim) VM.
- Call the dcsync module in mimikatz on the user and domain as specified in the command line arguments to mimikatz.
mimikatz # privilege::debug
mimikatz # lsadump::dcsync /pentestlab /user:kirk
This command returns the NTLM hash for the domain admin user account “kirk@pentestlab”.
What next?
From here we can carry out further attacks, escalating privileges and moving laterally with methods such as pass-the-hash (PTH) using the NTLM hash we have just discovered.
Updated: Use PowerShell for a Fast Installation
Adding the Active Directory Domain Services role is done through Server Manager in recent versions of Windows Server, including 2016, which this tutorial uses. The same role installation and forest creation can be scripted from PowerShell:
Step 1. Import Module Server Manager.
Import-Module ServerManager
Step 2. Install AD DS Role.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | fl
Step 3. Install a new AD Forest, Install the DNS Server Role, Set Other Domain Settings.
# install new forest
# set DSRM password as secure string (prompted, never stored in the script)
$recoverypw = Read-Host "password for dsrm:" -AsSecureString
# -NoRebootOnCompletion lets you inspect the result before the reboot that finishes promotion
Install-ADDSForest -DomainNetbiosName testlab -DomainName testlab.local -DomainMode "WinThreshold" -ForestMode "WinThreshold" -InstallDns -LogPath "C:\Windows\NTDS" -SysvolPath "C:\Windows\SYSVOL" -SafeModeAdministratorPassword $recoverypw -DatabasePath "C:\Windows\NTDS" -NoRebootOnCompletion
A successful installation will look similar to this below.
From here you can test that the new AD Forest and domain are installed.
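One way to run that test after the reboot, as an added PowerShell example (not from the original tutorial). It assumes the testlab.local names used by the Install-ADDSForest command above; pass your own domain name if you built pentestlab instead.

```powershell
# Added example: summarize whether the new forest, its DC and the pieces a client
# needs for a domain join (directory, DNS, Netlogon, the DC locator SRV record) are up.
Import-Module ActiveDirectory

function Test-LabForest {
    param([string]$DomainName = "testlab.local")   # assumed from the command above
    $forest = Get-ADForest -ErrorAction SilentlyContinue
    $domain = Get-ADDomain -ErrorAction SilentlyContinue
    $dc     = Get-ADDomainController -ErrorAction SilentlyContinue
    # Services the promotion must have left running.
    $svc    = Get-Service -Name NTDS, DNS, Netlogon -ErrorAction SilentlyContinue
    # Netlogon registers this SRV record; clients query it to locate a domain controller.
    $srv    = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
                              -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ForestName       = $forest.Name
        ForestMode       = $forest.ForestMode
        DomainMode       = $domain.DomainMode
        DomainController = $dc.HostName
        IsGlobalCatalog  = $dc.IsGlobalCatalog
        ServicesRunning  = (($svc | Where-Object Status -eq "Running").Name) -join ","
        SrvRecordOk      = [bool]($srv | Where-Object { $_.Type -eq "SRV" })
    }
}
Test-LabForest
```

ServicesRunning should list all three services and SrvRecordOk should be true before you try the Windows 10 join in Step 5.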