Active Directory Lab Setup - 101
A step-by-step guide for building your very own Cybersecurity Home Lab using VMware Workstation
For the Active Directory (AD) Lab we are going to configure three VMs. The first VM will be the Domain Controller (DC) of the environment. We will use Windows Server 2022 for this machine. The other two VMs will be the clients that use this environment. For the client VMs, we will use Windows 11 Pro.
After setting up the lab we will create snapshots for the VMs. The snapshots can also be used to roll back to the start of the evaluation period once it expires.
We can create an Active Directory Lab using a single client as well, but certain AD attacks require two clients to perform. Depending on your use case, you may skip the setup of the second client.
Context
Windows 11 Pro (for Workstation)
Windows Server 2022 Core (created as a CMD server so I can control it from the Management Client & Client workstation)
Creating our Server + Workstation Virtual Environment
Go to the following URL: Windows Server 2022 | Microsoft Evaluation Center
For an installation walkthrough, InfoSec Pat has a video about it. In that installation video I chose Windows Server 2022 Standard Evaluation (No Desktop GUI).
NOTE:
If you face a TPM error during the installation process, this URL will help you bypass the TPM check during installation.
After the installation, make a snapshot of each VM. I renamed mine to BaseFiles in VMware.
I set up a robust environment to practice and hone my skills. Here’s a quick overview:
Workstation Setup: Installed Windows 11 as the primary workstation.
Command Server: Configured Windows Server 2022 as the command server.
Cloning: Took snapshots of both systems to easily clone new machines as needed for various testing scenarios.
Now, create a folder in VMware called XYZ DC, then clone Base Win11 Workstation > Management Client and clone the Base CMD server > XYZ DC1.
Let's start our journey by clicking Power on the virtual machine.
Joining a HOME LAB Domain
Before we start, let's install VMware Tools for better performance. You can find the installation file on the D: drive.
Install & work with Active Directory
First of all, let's install Active Directory on our DC1 (Windows Server 2022 Core). This link has a detailed explanation of how to install Active Directory via PowerShell: How to Install Active Directory Windows Server Core 2022
Use 'sconfig' to:
Change the hostname: DC1
Change our IP address to static: 10.10.0.100
Change the DNS server to our own IP: 10.10.0.100
Then follow the guide to install with PowerShell.
After installing Active Directory, our DNS server is changed automatically to the loopback address, so don't forget to change it back.
You can change it via PowerShell too: HOW TO REPLACE AN EXISTING STATIC IP ADDRESS WITH POWERSHELL
Let's add our DC1 (10.10.0.100) to our workstation. Enable-PSRemoting is a built-in Windows command that enables PowerShell remoting.
Then we have to add our DC1 to TrustedHosts so we can use WinRM easily from the workstation. This is the resource that I found: How to Add a Computer to the TrustedHosts List.
It is very useful to install choco on our workstation. Choco is an apt alternative for Windows: if you type choco install github, it will install it on its own. It's really useful.
Command to install choco
After installing choco, we can install any tool or app with it.
Let's create a client workstation just for DC01. We can clone a new workstation from our Base Win11 workstation and name it WS01.
After opening WS01, the important thing is to make sure its DNS server is set correctly. You can do it with the command that I showed you earlier: HOW TO REPLACE AN EXISTING STATIC IP ADDRESS WITH POWERSHELL
Now we can add WS01 to our DC01 (XYZ Domain). We can do it via PowerShell.
Don't forget to take a snapshot of DC01 and make sure DC01 is powered on, so we can request to join the domain from WS01 with DC01's creds. After joining the domain, WS01 is going to restart.
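The join step above as an added example (not code from the original guide). The DC address 10.10.0.100 is from this page; the domain name xyz.example is a placeholder, because the page does not give the domain's FQDN.

```powershell
# Added example. Run in an elevated PowerShell on WS01.
$dcIp   = '10.10.0.100'   # DC01, from the page
$domain = 'xyz.example'   # placeholder: replace with the lab domain's real FQDN

# Pick the adapter that sits on the lab subnet and point its DNS at DC01.
$lab = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object IPAddress -like '10.10.0.*' |
    Select-Object -First 1
if (-not $lab) { throw 'No adapter with a 10.10.0.x address found on WS01.' }
Set-DnsClientServerAddress -InterfaceIndex $lab.InterfaceIndex -ServerAddresses $dcIp

# A domain join locates the DC through this SRV record. If it does not
# resolve, the join fails, so check it before asking for credentials.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV `
    -Server $dcIp -ErrorAction Stop | Out-Null

# Prompts for the domain administrator account, joins, then reboots WS01.
$cred = Get-Credential
Add-Computer -DomainName $domain -Credential $cred -Restart
```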
Automating DOMAIN USERS
This GitHub repository of mine was created for this Active Directory home lab. From now on, all the code I talk about is saved in my repository. Please download it.
For the next part we will work only with the ad_schema.json & gen_ad.ps1 files.
At first, our goal is to create some users in our DC01. Until now we have worked with DC01/Administrator. It's time to flesh out our DC01. There is a PowerShell script that has a prebuilt set of users and an AD environment to play with Active Directory. All you have to do is run the script and it will take care of everything. We are not going to do it like that. We will create our own based on it. There is a JSON file in my Git repository that maps out every user. Download this file onto our Management Workstation.
Let's connect to our DC01 from our Management Workstation first.
Transfer our ad_schema.json file from our Management Workstation to our DC01 and connect to DC01.
If you have done it, great. This is how easy it is to control everything from our Management Workstation. Just like ad_schema.json, we can send as many files as we want and manage everything from the Management Workstation.
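The remoting setup and file transfer described above, as an added example (not code from the original guide or its repository). The DC address and file name are from this page; the destination folder C:\Windows\Tasks is an assumption.

```powershell
# Added example. Run in an elevated PowerShell on the Management Client.
$dc   = '10.10.0.100'                       # DC1, from the page
$file = '.\ad_schema.json'                  # from the page
$dest = 'C:\Windows\Tasks\ad_schema.json'   # assumed destination on DC1

# Starts WinRM locally; the network profile check is skipped for lab VMs.
Enable-PSRemoting -SkipNetworkProfileCheck -Force

# Hosts in TrustedHosts are not authenticated by the client, so add only
# DC1's address rather than '*', and append instead of overwriting.
$trusted = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value -split ','
if ($trusted -notcontains $dc) {
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value $dc -Concatenate -Force
}

# Fail early if the WinRM listener on DC1 does not answer.
Test-WSMan -ComputerName $dc -ErrorAction Stop | Out-Null

# Prompts for the DC1 administrator account.
$session = New-PSSession -ComputerName $dc -Credential (Get-Credential)

# Copy over the existing session, then confirm the copy matches the original.
Copy-Item -Path $file -Destination $dest -ToSession $session
$localHash  = (Get-FileHash -Path $file -Algorithm SHA256).Hash
$remoteHash = Invoke-Command -Session $session -ScriptBlock {
    (Get-FileHash -Path $using:dest -Algorithm SHA256).Hash
}
if ($localHash -ne $remoteHash) { throw 'ad_schema.json differs on DC1.' }

# Interactive shell on DC1; type exit to return to the Management Client.
Enter-PSSession -Session $session
```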
Let's write the PowerShell script gen_ad.ps1 to create our domain users.
I installed VS Code via choco install vscode (Management Workstation).
If PowerShell blocks you from running scripts, run this command to get past it:
Set-ExecutionPolicy RemoteSigned
After that you will be able to run PowerShell scripts.
When you run gen_ad.ps1 via VS Code, you will find detailed explanations there, as much as possible. You can view the JSON for an easier overview: for example, we have a group called Employee and three employee users called Alice, Bob and Charlie. You can also see WS02, but WS02 hasn't been created yet. Don't worry, we can sort that out later. Just run the script; of course you will get an error, but look at the output to check whether our Employee group and the users were created.
Finally, go to WS01 and try to log in as alice or charlie. If you look at the JSON file, you can see that charlie and alice are part of WS01.
POWERSHELL: Random Users & Weak Passwords
Many of the groups and users we have seen so far are not useful. We need more random users and weak passwords to be able to play with Active Directory.
Let's look at our GitHub repository and map it out.
Look at the files in the Data directory. The Data directory contains the following files: first_names.txt, group_names.txt, last_names.txt, and passwords.txt. These files will be used to create our random users and weak passwords.
Our goal will be accomplished with the help of the random_domain.ps1 file. This script takes the first_names.txt, group_names.txt, and last_names.txt files to create users, assigns each user to a group, and provides a password from passwords.txt. Just modify the random_domain.ps1 file slightly as I did.
So, the default is set to 5, but we will create 100 users with 12 groups, making our DC01 larger. With this setup, we can perform more Active Directory attacks, such as Kerberoasting, Pass-the-Hash, and DCSync attacks.
From our Management Client, run the random_domain.ps1 script; it generates the data and saves it to out.json.
Then send out.json to our DC01 and log in to our DC01 via PSSession.
gen_ad.ps1 now takes the out.json file and creates the users and groups for us.
Now let's see whether our users and passwords work. Let's try logging in to WS01 as a user with credentials from out.json.
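What a gen_ad.ps1-style script does with ad_schema.json or out.json, as an added example (not the repository's script): it reads groups and users from JSON and creates them on DC01. The JSON layout, the domain name xyz.example, the account-name convention and the sample password are all assumptions.

```powershell
# Added example, not the repository's gen_ad.ps1. Run on DC01.
# The JSON layout is an assumption; the real ad_schema.json / out.json may differ.
Import-Module ActiveDirectory

# Constructed sample input (hypothetical domain name and password).
$schema = @'
{
  "domain": "xyz.example",
  "groups": [ { "name": "Employee" } ],
  "users": [
    { "name": "Alice Example", "password": "Constructed-Pass-2024!", "groups": ["Employee"] },
    { "name": "Bob Example",   "password": "Constructed-Pass-2024!", "groups": ["Employee"] }
  ]
}
'@ | ConvertFrom-Json

foreach ($group in $schema.groups) {
    # Skip groups that already exist so the script can be re-run safely.
    if (-not (Get-ADGroup -Filter "Name -eq '$($group.name)'")) {
        New-ADGroup -Name $group.name -GroupScope Global
    }
}

foreach ($user in $schema.users) {
    $first, $last = $user.name -split ' ', 2
    # Assumed convention: first initial + last name, lower case.
    $sam = ($first.Substring(0, 1) + $last).ToLower()
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") { continue }
    try {
        New-ADUser -Name $user.name -GivenName $first -Surname $last `
            -SamAccountName $sam -UserPrincipalName "$sam@$($schema.domain)" `
            -AccountPassword (ConvertTo-SecureString $user.password -AsPlainText -Force) `
            -Enabled $true -ErrorAction Stop
        foreach ($name in $user.groups) {
            Add-ADGroupMember -Identity $name -Members $sam -ErrorAction Stop
        }
    } catch {
        # A password the domain policy rejects, or a group missing from the
        # schema, surfaces here; report it and continue with the next user.
        Write-Warning "Problem with $($user.name): $($_.Exception.Message)"
    }
}

# Show which accounts ended up in each group from the schema.
$schema.groups | ForEach-Object { Get-ADGroupMember -Identity $_.name } |
    Select-Object SamAccountName, distinguishedName
```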
Name | IP |
---|---|
Management Clients | 10.10.0.21 |
XYZ DC01 | 10.10.0.100 |
XYZ WS01 | 10.10.0.100 [DC01] |