BUILDING A BASIC ACTIVE DIRECTORY LAB


This blog post was written by Amarjit Labhuram.

Introduction

These days most enterprises run Microsoft Active Directory Services for building and managing their infrastructure. With the current rise of attacks against corporations, it is important for the security team to understand the sort of attacks that can be carried out on their infrastructure as well as develop defense and detection mechanisms to better secure them.

Having your own playground is essential to understand Tactics, Techniques, and Procedures (TTPs) used by cybercriminals. This post will take you through how to build your own Active Directory lab on-premise in which you can practice the attacks as well as find its detection mechanisms.

Active Directory is a directory service that centralizes the management of users, computers and other objects within a network. Its primary function is to authenticate and authorize users and computers in a Windows domain.

Prerequisites

I shall be using VirtualBox as my hypervisor to create the lab, but feel free to use any hypervisor of your choice; the concept is the same. You will need several Windows virtual machines. For our purposes, we are using Microsoft Evaluation Center copies of Windows 10 and Windows Server 2019.

I also assume that the reader is able to do base installations of the above operating systems in VirtualBox.

Lab Setup

The lab setup will comprise the following:

SERVER

  • Windows Server 2019: 1 instance

      Processor: 1

      RAM: 2GB

      HDD: 20GB

DESKTOP

  • Windows 10: 2 instances

      Processor: 1

      RAM: 2GB

      HDD: 20GB

 

Active Directory Domain Setup

Once the Windows Server base operating system is installed, I begin setting up the AD domain, which will be called telecorp.local. I start by setting up the network interface of the DC. Log in to the server and open Network and Sharing Center. Set up the IPv4 configuration to look like the following image:

 

If all is set up properly, you should be able to ping google.com from PowerShell on DC01.telecorp.local.

 

With the network interface of DC01 set up, I then install the Active Directory Domain Services role on the Windows Server 2019 machine, which prepares it to become a domain controller for the telecorp.local domain. Start the Add Roles and Features Wizard and leave everything at the default until you get to Server Roles.

 

With the rest of the settings left as default click on Next until you get to the Confirmation section. Ensure you tick the Restart the destination server automatically if required option and click on Yes.

 

Click on Install and let the roles get installed on the server.

 

Once installation is complete, you can close the window. In the Server Manager window, at the top right corner, there is a notification flag that lists the post-deployment tasks still to be done on the server. Start with Promote this server to a domain controller. As this is the first domain in the lab, I select the Add a new forest option and give it the root domain name telecorp.local.

 

Next, I set the Forest and Domain functional levels to Windows Server 2012 and I set the DSRM password.

 

You can leave the next items at their defaults and click Next until you get to Additional Options, where the NetBIOS name is populated; it should match the domain name.

 

Again, you can leave the rest of the settings at their defaults and click Next until the Prerequisites Check section. If all has gone well, you should get an "All prerequisite checks passed" notification, upon which I click Install to complete the process.

 

Once installation is complete, I get a message like this:

 

Once the device restarts, I have a ready domain environment waiting for me.
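The same domain controller build, scripted. This is an added example and not code from the original post: it runs the GUI steps above from an elevated PowerShell session on the Windows Server 2019 VM. The interface alias 'Ethernet', the address 10.0.0.10/24 and the gateway 10.0.0.1 are assumed values, since the post only shows the real ones in screenshots; the domain name, NetBIOS name, functional level and DSRM password prompt follow the post.

```powershell
# Added example (not from the original post): scripted equivalent of the DC01 GUI steps.
# Assumed lab values; adjust to your own network.
$Iface   = 'Ethernet'
$DcIp    = '10.0.0.10'
$Gateway = '10.0.0.1'
$Domain  = 'telecorp.local'

# Step 0 (once, then reboot): give the server the name the post uses, DC01.
# Rename-Computer -NewName 'DC01' -Restart

# 1. Static IPv4 configuration. DNS is pointed at the gateway for now so that the
#    "ping google.com" check in the post works before the DNS role exists.
New-NetIPAddress -InterfaceAlias $Iface -IPAddress $DcIp -PrefixLength 24 -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $Iface -ServerAddresses $Gateway
if (-not (Test-Connection -ComputerName 'google.com' -Count 2 -Quiet)) {
    throw 'No outbound connectivity; fix the IP/gateway/DNS settings before continuing.'
}

# 2. Install the AD DS role plus its management tools (the Add Roles and Features step).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 3. Promote to the first DC of a new forest (the wizard's "Add a new forest" path).
#    Functional levels are Windows Server 2012 as in the post. The DSRM password is
#    prompted for rather than stored in the script. The server reboots when this finishes.
$DsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM (Safe Mode Administrator) password'
Install-ADDSForest -DomainName $Domain -DomainNetbiosName 'TELECORP' `
    -ForestMode 'Win2012' -DomainMode 'Win2012' `
    -InstallDns -SafeModeAdministratorPassword $DsrmPassword -Force

# 4. After the reboot, in a new elevated session: confirm the forest and DC are up and
#    that the DC resolves its own name. The DC should now use itself (127.0.0.1) for DNS;
#    if Get-DnsClientServerAddress shows otherwise, repeat Set-DnsClientServerAddress.
# Get-ADDomain -Identity $Domain | Select-Object DNSRoot, NetBIOSName, DomainMode
# Get-ADDomainController | Select-Object HostName, IPv4Address, IsGlobalCatalog
# Get-DnsClientServerAddress -InterfaceAlias $Iface -AddressFamily IPv4
# Resolve-DnsName -Name "DC01.$Domain"
```

The commented lines in steps 0 and 4 are meant to be run on their own, before and after the reboots that the rename and the promotion require.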

 

Adding A PC to The Forest Domain

Next, I set up a PC that will play the victim in the lab and will be called PC01.telecorp.local. I start with the network interface of the PC. Log in to the PC and open Network and Sharing Center. Set up the IPv4 configuration to look like the following image:

 

Then ensure that I can ping DC01.telecorp.local from the PC.

 

With that the PC is ready to be added to the domain. Open File Explorer and right-click on This PC.

 

In the System window that opens, under Computer Name click on the Change Settings link.

 

In the System Properties window, select Change.

 

In the Computer Name/Domain Changes window ensure that the Computer Name is set to PC01 and Member of is set to telecorp.local.

 

Authenticate to the domain with the domain administrator account to complete adding the PC to the domain.

 

With that the PC is now added to the domain.

 

This can be verified as well on the Domain Controller.

 

You will be required to restart the PC to complete the domain join. Restart the PC and log in using domain credentials.

 

The PC is now part of the domain telecorp.local.
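The domain join above, scripted. This is an added example and not code from the original post: it mirrors the PC01 GUI steps from an elevated PowerShell session on the Windows 10 VM. The interface alias 'Ethernet', the PC address 10.0.0.20/24, the gateway 10.0.0.1 and the DC address 10.0.0.10 are assumed values; the post shows the real ones only in screenshots.

```powershell
# Added example (not from the original post): scripted equivalent of the PC01 GUI steps.
# Assumed lab values; adjust to your own network.
$Iface   = 'Ethernet'
$PcIp    = '10.0.0.20'
$Gateway = '10.0.0.1'
$DcIp    = '10.0.0.10'
$Domain  = 'telecorp.local'

# 1. Static IPv4 with DNS pointed at the DC. A domain join locates the DC through DNS
#    SRV records, so a DNS server that is not the DC is the usual reason a join fails.
New-NetIPAddress -InterfaceAlias $Iface -IPAddress $PcIp -PrefixLength 24 -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $Iface -ServerAddresses $DcIp

# 2. The check the post does by hand (ping DC01), plus the SRV lookup the join relies on.
if (-not (Test-Connection -ComputerName "DC01.$Domain" -Count 2 -Quiet)) {
    throw "DC01.$Domain is not reachable; check the IP and DNS settings first."
}
Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.$Domain" -Type SRV

# 3. Rename to PC01 and join telecorp.local in one step. Prompts for the domain admin
#    credential and reboots, as the Computer Name/Domain Changes dialog does.
$Cred = Get-Credential -UserName 'TELECORP\Administrator' -Message 'Domain admin credential'
Add-Computer -DomainName $Domain -NewName 'PC01' -Credential $Cred -Restart -Force

# 4. On DC01, confirm the computer object exists (the post's "verified on the Domain
#    Controller" step). Run this on the DC, not on the PC:
# Get-ADComputer -Identity 'PC01' | Select-Object Name, DNSHostName, Enabled, Created
```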

 

Building In a Vulnerability: AS-REP Roastable Account

By default, Kerberos requires pre-authentication before the KDC issues a ticket. However, for some strange reason (a dark one, though), it is possible to disable this pre-authentication requirement for user accounts. For example, in this article the author states that, in order to benefit from SSO for a database hosted on a Unix server, he has to disable pre-authentication for the user. So, to do this, I create a user account using the Active Directory Users & Computers management interface:

 

In the new window fill in the details of the new user being created:

 

Give the user a password that exists in the RockYou list so that we can use this for the word list in the attack phase. Disable the User must change password at next logon and enable the Password never expires option.

 

Once you click Next the user will be created. Click on Finish.

 

Right click on the newly created user and select Properties.

 

In the properties window for the user, select the Account tab, scroll to the bottom of the account options, tick the Do not require Kerberos preauthentication option, and click OK.

 

NOTE:

The Impacket GetNPUsers.py script can request a TGT for a user that has this setting enabled. Once in possession of the domain controller's KRB_AS_REP response, the attacker can try to recover the victim's clear-text password offline, by using John The Ripper with the krb5tgs mode, or with hashcat.
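The account creation above, scripted on DC01, followed by the two checks a defender would run against this lab: the list of accounts with pre-authentication disabled (the same set GetNPUsers.py would report) and the DC's own audit trail for ticket requests made without pre-authentication. This is an added example and not code from the original post. The username 'svc.unixdb' and the password placeholder are assumptions; the post only says to pick a password that appears in the RockYou list.

```powershell
# Added example (not from the original post): creating the AS-REP roastable user from
# PowerShell on DC01, then auditing for it. Username and password are assumed values.
Import-Module ActiveDirectory

$User     = 'svc.unixdb'
$Password = ConvertTo-SecureString 'REPLACE-WITH-A-ROCKYOU-WORD' -AsPlainText -Force

# 1. Same account options as the New Object - User wizard in the post: no forced password
#    change at next logon, password never expires, account enabled.
New-ADUser -Name $User -SamAccountName $User -UserPrincipalName "$User@telecorp.local" `
    -AccountPassword $Password -Enabled $true `
    -ChangePasswordAtLogon $false -PasswordNeverExpires $true

# 2. The "Do not require Kerberos preauthentication" checkbox sets the
#    DONT_REQ_PREAUTH bit (0x400000 = 4194304) in userAccountControl.
Set-ADAccountControl -Identity $User -DoesNotRequirePreAuth $true

# 3. Defender check A: every account in the domain with that bit set. The LDAP matching
#    rule 1.2.840.113556.1.4.803 is a bitwise AND on userAccountControl. In a real
#    environment this list should be empty or every entry justified (e.g. the Unix SSO case).
function Get-AsrepRoastableAccount {
    Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' `
        -Properties userAccountControl, LastLogonDate |
        Select-Object SamAccountName, Enabled, LastLogonDate,
            @{ n = 'UAC'; e = { '0x{0:X}' -f $_.userAccountControl } }
}
Get-AsrepRoastableAccount

# 4. Defender check B: each TGT request is logged on the DC as Security event 4768.
#    A request for an account with pre-authentication disabled carries
#    Pre-Authentication Type 0, which is what an AS-REP roast looks like in the log.
#    Requires the "Audit Kerberos Authentication Service" subcategory to be enabled.
function Get-NoPreauthTgtRequest {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768 } -MaxEvents 1000 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $preauth = ($data | Where-Object Name -eq 'PreAuthType').'#text'
            if ($preauth -eq '0') {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Account = ($data | Where-Object Name -eq 'TargetUserName').'#text'
                    Client  = ($data | Where-Object Name -eq 'IpAddress').'#text'
                }
            }
        }
}
Get-NoPreauthTgtRequest
```

Run step 3 before and after practising the attack phase; run step 4 afterwards and the client IP column should show PC01 (or whichever host the request came from), which is the detection side of the exercise the introduction sets out.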

What Next?

I highly suggest going through this site to learn about more AD vulnerabilities and attack vectors:

https://adsecurity.org/

Also, check out this presentation by Gabi (@_theVIVI) from AfricaHackon 2019:

https://thevivi.net/wp-content/uploads/2019/08/theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf

 

Disclaimer

The MacroSec blogs are solely for informational and educational purposes. Any actions and or activities related to the material contained within this website are solely your responsibility. The misuse of the information on this website can result in criminal charges brought against the persons in question. The authors and MacroSec will not be held responsible in the event any criminal charges be brought against any individuals misusing the information in this website to break the law.