Active Directory Pentesting Lab

This is my Active Directory pentesting lab. I already have a simple AD lab that I used to learn how Active Directory works, but this one I will use to attack, trying to exploit some vulnerabilities and misconfigurations.

I started by installing Windows Server 2022 as well as a Windows 10 VM.

This Windows Server 2022 machine will act as my domain controller, which is the server that runs the Active Directory services.

The first thing I did was change the name of my Windows Server machine to something I would remember. In this case, it is named ROOT-DC.

I then went to Manage and chose "Add Roles and Features".

I made sure to add Active Directory Domain Services, which is also known as the Active Directory data store.

After installing everything, I promoted the server to a domain controller. I had to add a new forest because I do not have an existing domain or an existing forest.


I named it Root_Lab.local.


Here is the NTDS database; this file is very important.

NTDS.dit stands for New Technology Directory Services Directory Information Tree. This file stores all of the data in Active Directory, including the password hashes, users, computers, groups and security descriptors.

GPOs, which are Group Policy Objects, are distributed to the network via a network share called SYSVOL. As can be seen, this share is stored on the domain controller.

Now that everything was set up properly, I can log in with the admin account for this domain.
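
As an added example (not part of the original post), here is the same domain controller build done from an elevated PowerShell prompt on the new server instead of through the wizard, followed by checks that the two files discussed above, NTDS.dit and the SYSVOL share, are where they should be. The DSRM password prompt and the NetBIOS name ROOT_LAB are assumptions; the computer name and domain name are the ones used in the post.

```powershell
# Added example: build ROOT-DC and promote it into a new forest.
# Assumptions: run elevated on the fresh Windows Server 2022 VM;
# the NetBIOS name ROOT_LAB is a placeholder chosen here.

# 1. Rename the server to ROOT-DC and reboot so the name takes effect.
Rename-Computer -NewName "ROOT-DC" -Restart

# --- after the reboot ---

# 2. Add the AD DS role (the "Active Directory Domain Services" box in
#    Add Roles and Features) together with the RSAT management tools.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 3. Promote to a domain controller in a brand-new forest, Root_Lab.local.
#    -InstallDns also makes this DC the DNS server the clients will point at.
#    The underscore in the domain name is non-standard for DNS; the
#    prerequisite check may warn about it but the name is kept as in the post.
$dsrm = Read-Host -AsSecureString -Prompt "Directory Services Restore Mode password"
Install-ADDSForest `
    -DomainName "Root_Lab.local" `
    -DomainNetbiosName "ROOT_LAB" `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Force
# The server reboots on its own at the end of promotion.

# --- after the second reboot, log in as ROOT_LAB\Administrator ---

# 4. Where the directory database (NTDS.dit) lives. This is the path that
#    backups and file-access auditing need to cover, because it holds the
#    password hashes.
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" |
    Select-Object -ExpandProperty "DSA Database file"

# 5. The SYSVOL share that distributes Group Policy must be published by the DC.
Get-SmbShare -Name SYSVOL, NETLOGON | Select-Object Name, Path
```

The registry value in step 4 is the authoritative location of the database; the default is C:\Windows\NTDS\ntds.dit, but reading it from the NTDS service parameters is the check that still works when the database was moved at promotion time.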

The next step is to set up certificate services, because I want to attack this machine later and this will be required.

This is done the same way I added AD DS, but in this case I add Active Directory Certificate Services instead of the data store.

Certificate services are used to verify identities in a domain. Put simply, it is extra security that is usually turned on in most businesses. It lets me use LDAP and also secure LDAPS. LDAP is on port 389 and LDAPS is on port 636, which is LDAP over SSL.

There are quite a few attacks related to Active Directory Certificate Services, and I would like to try them in order to learn from them.
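
As an added example (not the post's own steps), the certificate services role installed from PowerShell as an enterprise root CA, followed by the check that matters for the LDAP/LDAPS point above: after the domain controller enrolls for its certificate, port 636 starts answering alongside 389. The CA name Root_Lab-ROOT-DC-CA and the key parameters are assumptions.

```powershell
# Added example: AD CS as an Enterprise Root CA on ROOT-DC.
# Assumptions: run elevated on ROOT-DC after promotion; the CA common name
# and key/validity settings below are placeholders chosen for the lab.

# Install the AD CS role and its management tools.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Configure an Enterprise Root CA. An enterprise CA is integrated with AD,
# so the domain controller auto-enrolls for a "Domain Controller" certificate;
# that certificate is what turns LDAPS (TCP 636) on.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName "Root_Lab-ROOT-DC-CA" `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 5 `
    -Force

# Trigger certificate autoenrollment now instead of waiting for the timer.
certutil -pulse

# Verify: plain LDAP (389) and LDAPS (636) should both accept a connection.
Test-NetConnection -ComputerName "ROOT-DC" -Port 389 |
    Select-Object RemotePort, TcpTestSucceeded
Test-NetConnection -ComputerName "ROOT-DC" -Port 636 |
    Select-Object RemotePort, TcpTestSucceeded

# The certificate the DC presents on 636 should come from the new CA.
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, Issuer, NotAfter
```

If 636 still refuses connections right after the CA is configured, the DC has not enrolled yet; a `gpupdate /force` on the DC followed by a reboot is usually enough, and the last command shows whether a certificate issued by the CA has appeared in the machine store.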

After this, I set up two Windows machines with different names.

These machines were joined to the domain, and I also renamed them so I could better identify which machine is which.

Now I will start to manage the users and computers. I will also add them to different OUs so that I can apply policies to them more precisely.


I made a new organizational unit to keep the users separate.

At this point, the only accounts in Users are the Administrator account and the Guest account, which is disabled.

Now I will create some more accounts.


I purposely made two accounts that should not exist. One is another Administrator account, and the second is a SQL service account that, instead of having only the privileges it needs, I am giving admin privileges. I also gave it a password that meets the usual complexity standards (uppercase, lowercase, numbers and symbols, and more than 8 characters) but that can still be easily broken.

I also put this in the description, because as far as I know it is something domain admins commonly do.


Here I made some other low-level accounts that are part of the Users group.

I am purposely keeping the admin users alongside the normal users, because this is a common misconfiguration that is often seen and I want to try to exploit it.

My next step is to make a file share that I can use later to hack into the system.

I made a new share called hackme, which I will use later to hack into the system. Most likely I will be trying LLMNR poisoning.

Here I added an SPN to my SQL service. An SPN (Service Principal Name) is a unique identifier for a service in Active Directory.


After querying the system for the service, it can be seen that SQL.Service is there.
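
As an added example (not the post's own commands), the user, OU, share and SPN steps above done from PowerShell on ROOT-DC, followed by an audit section that finds each deliberate weakness the way a reviewer of this domain would: privileged accounts that carry an SPN, credentials hinted in account descriptions, admin accounts mixed into the ordinary users' OU, and a share that grants Everyone write access. The OU name "Lab Users", the user names alice, bob and admin2, the SPN host SQLSRV01 and the description text are assumptions; SQL.Service and hackme are the names from the post, and the passwords are read from the console rather than written here.

```powershell
# Added example: populate the lab domain and then audit it.
# Assumptions: run elevated on ROOT-DC; "Lab Users", alice, bob, admin2 and
# SQLSRV01 are placeholders; passwords are prompted, not stored in the script.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName          # DC=Root_Lab,DC=local

# Organizational unit that keeps lab users apart from the default Users container.
New-ADOrganizationalUnit -Name "Lab Users" -Path $domainDN
$ou = "OU=Lab Users,$domainDN"

$pw = Read-Host -AsSecureString -Prompt "Password for the lab accounts"

# Ordinary, low-privilege users.
foreach ($name in "alice", "bob") {
    New-ADUser -Name $name -SamAccountName $name -Path $ou `
        -AccountPassword $pw -Enabled $true
}

# Deliberate misconfiguration 1: a second administrator-level account
# created in the same OU as the normal users.
New-ADUser -Name "admin2" -SamAccountName "admin2" -Path $ou `
    -AccountPassword $pw -Enabled $true
Add-ADGroupMember -Identity "Domain Admins" -Members "admin2"

# Deliberate misconfiguration 2: a SQL service account that is a domain admin,
# carries an SPN, and has a password hint in its description.
New-ADUser -Name "SQL.Service" -SamAccountName "SQL.Service" -Path $ou `
    -AccountPassword $pw -Enabled $true `
    -Description "password: <placeholder, see lab notes>"   # placeholder text
Add-ADGroupMember -Identity "Domain Admins" -Members "SQL.Service"
Set-ADUser -Identity "SQL.Service" `
    -ServicePrincipalNames @{Add = "MSSQLSvc/SQLSRV01.Root_Lab.local:1433"}

# The hackme share, opened to Everyone as in the post.
New-Item -Path "C:\Shares\hackme" -ItemType Directory -Force | Out-Null
New-SmbShare -Name "hackme" -Path "C:\Shares\hackme" -FullAccess "Everyone"

# Query every SPN registered in the domain; SQL.Service should be listed.
setspn -T Root_Lab.local -Q */*

# --- Audit: find the weaknesses introduced above ---

# (a) Privileged accounts that also carry an SPN. Any domain user can request
#     a service ticket for such an account, so its password strength is all
#     that protects a domain-admin credential.
Get-ADGroupMember -Identity "Domain Admins" -Recursive |
    Get-ADUser -Properties ServicePrincipalName |
    Where-Object { $_.ServicePrincipalName } |
    Select-Object SamAccountName, ServicePrincipalName

# (b) Descriptions that look like they hold a credential.
Get-ADUser -Filter 'Description -like "*pass*"' -Properties Description |
    Select-Object SamAccountName, Description

# (c) Domain Admins members that live in the ordinary users' OU.
Get-ADGroupMember -Identity "Domain Admins" |
    Where-Object { $_.distinguishedName -like "*$ou" } |
    Select-Object SamAccountName, distinguishedName

# (d) Shares that grant Everyone more than read access.
Get-SmbShare | Get-SmbShareAccess |
    Where-Object { $_.AccountName -eq "Everyone" -and $_.AccessRight -ne "Read" } |
    Select-Object Name, AccountName, AccessRight
```

Each audit query is independent of the setup half, so the four of them can be run as-is against any domain to check for the same four conditions; in this lab all four are expected to return hits.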

Now the final thing I need to do is set up a group policy.

I will push this group policy to the entire domain.

This GPO will disable Windows Defender so that I can easily run the attacks without worrying about them being stopped.
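
As an added example (not the post's own GPO), the same domain-wide policy created from PowerShell, with the registry values Defender reads for its policy settings and a client-side check of whether the policy actually took. The GPO name is an assumption.

```powershell
# Added example: a domain-linked GPO that turns Windows Defender off for the lab.
# Assumptions: run on ROOT-DC with the GroupPolicy module (installed with the
# AD DS management tools); the GPO display name is a placeholder.
Import-Module GroupPolicy

$gpo = New-GPO -Name "Lab - Disable Defender" `
               -Comment "Lab only: disables Defender so test tooling is not blocked"

# Policy-backed registry values under HKLM\SOFTWARE\Policies, which is where
# Defender looks for administratively enforced settings.
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" `
    -ValueName "DisableAntiSpyware" -Type DWord -Value 1
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" `
    -ValueName "DisableRealtimeMonitoring" -Type DWord -Value 1

# Link at the domain root so every computer in Root_Lab.local receives it.
New-GPLink -Name $gpo.DisplayName `
    -Target (Get-ADDomain).DistinguishedName -LinkEnabled Yes

# Report the result for the record.
Get-GPO -Name $gpo.DisplayName | Select-Object DisplayName, GpoStatus, CreationTime

# On a joined client, after "gpupdate /force" and a reboot, confirm it applied:
#   Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled
```

One caveat a practitioner should expect: current Windows 10 builds with Tamper Protection switched on ignore the DisableAntiSpyware policy value, so the GPO only has an effect once Tamper Protection has been turned off in the Windows Security app on each client. That is why the Get-MpComputerStatus check at the end is worth running rather than assuming the policy worked.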

Now I set up my IP as static because I didn't want it to change.

Lastly, I need to add the machines to the domain. The first thing I did was go to the network settings and set the domain controller's IP as the DNS server.

I did this for both machines.

I then went and connected to the domain.

Now the computers have fully joined the domain.

By going into my domain controller, then Tools and "Active Directory Users and Computers", I can check the Computers OU to see whether the computers are really there. Every time a computer joins the domain, it goes into that OU by default.
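
As an added example (not the post's own steps), the static address, DNS setting and domain join for one of the Windows 10 VMs done from PowerShell, with a DNS check before the join and the same Computers-container check from the domain controller afterwards. The interface name "Ethernet" and the 192.0.2.x addresses are placeholders; substitute the lab's real addresses.

```powershell
# Added example: prepare a Windows 10 VM and join it to Root_Lab.local.
# Assumptions: run elevated on the client; "Ethernet" is the NIC name;
# 192.0.2.10 stands in for ROOT-DC's address, 192.0.2.20 for this client and
# 192.0.2.1 for the gateway (all placeholders).
$nic  = "Ethernet"
$dcIp = "192.0.2.10"
$myIp = "192.0.2.20"

# Static address so the client's IP does not change between lab sessions.
New-NetIPAddress -InterfaceAlias $nic -IPAddress $myIp -PrefixLength 24 `
                 -DefaultGateway "192.0.2.1"

# Point DNS at the domain controller. The join locates a DC through the
# _ldap._tcp SRV records for Root_Lab.local, which only the DC's DNS serves;
# with any other resolver the join fails with "domain could not be contacted".
Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses $dcIp

# Check the lookup works before attempting the join.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.Root_Lab.local" -Type SRV |
    Select-Object Name, NameTarget, Port

# Join the domain. This prompts for ROOT_LAB\Administrator's password and
# reboots the client; the domain's NetBIOS name ROOT_LAB is an assumption.
Add-Computer -DomainName "Root_Lab.local" `
             -Credential "ROOT_LAB\Administrator" -Restart

# Afterwards, on ROOT-DC: newly joined machines land in the default
# Computers container, which is where the post checks for them.
#   Get-ADComputer -Filter * -SearchBase "CN=Computers,DC=Root_Lab,DC=local" |
#       Select-Object Name, DNSHostName, Enabled
```

The same New-NetIPAddress and Set-DnsClientServerAddress commands, with ROOT-DC's own address in both places, are what make the domain controller's IP static; a DC whose address changes breaks every client's DNS setting at once, which is why the post fixes it before joining anything.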


Now I log back into the machines to change a few settings that I will need for my attacks later.

The first is in "Edit local users and groups".

I enabled this account.

As a best practice you would want this account disabled, but in this case I want it enabled so that I can attack the Active Directory.

This is also often enabled at most places. It shouldn't be, but it is a common thing.

I checked whether network discovery was on. Since it wasn't, I turned it on.

Lastly, I configured it so that my network share could be accessed with another account, which was the Administrator account.
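
As an added example (not the post's own steps), the three client-side changes above from PowerShell, each followed by the command that shows the resulting state. It assumes the account enabled in "Edit local users and groups" is the built-in local Administrator and that the share is \\ROOT-DC\hackme from the earlier step.

```powershell
# Added example: client settings for the lab, with a check after each one.
# Assumptions: run elevated on a joined Windows 10 VM; the enabled account is
# the built-in local Administrator; the share path is \\ROOT-DC\hackme.

# 1. Enable the built-in local Administrator, which Windows 10 ships disabled.
Enable-LocalUser -Name "Administrator"
Get-LocalUser -Name "Administrator" |
    Select-Object Name, Enabled, PasswordLastSet, LastLogon

# 2. Network discovery. The Control Panel switch enables this group of inbound
#    firewall rules (SSDP, NetBIOS name service, LLMNR, WSD and related).
Set-NetFirewallRule -DisplayGroup "Network Discovery" -Enabled True
Get-NetFirewallRule -DisplayGroup "Network Discovery" |
    Select-Object DisplayName, Enabled, Profile

# 3. Connect to the hackme share as the domain Administrator rather than as
#    the logged-on user; "*" makes net use prompt for the password.
net use \\ROOT-DC\hackme /user:ROOT_LAB\Administrator *

# What a reviewer of this client would now see: an enabled local admin, the
# discovery listeners open, and a privileged SMB session from a workstation.
Get-LocalGroupMember -Group "Administrators"
Get-SmbConnection | Select-Object ServerName, ShareName, UserName, Dialect
```

The Get-NetFirewallRule output lists LLMNR (UDP 5355) among the rules just enabled, which is the listener the post's planned LLMNR poisoning depends on; the corresponding hardening, outside this lab, is leaving those rules off and disabling multicast name resolution through the "Turn off multicast name resolution" policy.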
