
Active Directory Lab Setup - 101

A step-by-step guide for building your very own Cybersecurity Home Lab using VMware Workstation


Last updated 9 months ago

For the Active Directory (AD) Lab we are going to configure three VMs. The first VM will be the Domain Controller (DC) of the environment. We will use Windows Server 2022 for this machine. The other two VMs will be the clients that use this environment. For the client VMs, we will use Windows 11 Pro.

After setting up the lab we will create snapshots for the VMs. The snapshots can also be used to roll back to the start of the evaluation period once it expires.

We can create an Active Directory lab with a single client as well, but certain AD attacks require two clients. Depending on your use case, you may skip the setup of the second client.

Context

  • Windows 11 Pro (for the workstation)

  • Windows Server 2022 Core (created as a CMD server so I can control it from the Management Client & client workstation)

Creating our Server + Workstation Virtual Environment

Downloading Windows ISO Files

Go to the following URL: Windows Server 2022 | Microsoft Evaluation Center

For an installation walkthrough, InfoSec Pat has a video about it. In that installation video I chose Windows Server 2022 Standard Evaluation (no desktop GUI).

Go to the following URL: Windows 11

For an installation walkthrough, John Hammond has a video about it. In that installation video I chose Windows 11 Pro for VMware Workstation.

NOTE: If you face a TPM error during the installation process, this URL will help you bypass the TPM check during installation.

After the installation, make a snapshot of each VM. I renamed them BaseFiles in VMware.

I set up a robust environment to practice and hone my skills. Here’s a quick overview:

  • Workstation Setup: Installed Windows 11 as the primary workstation.

  • Command Server: Configured Windows Server 2022 as the command server.

  • Cloning: Took snapshots of both systems to easily clone new machines as needed for various testing scenarios.

Now create a folder in VMware called XYZ DC, then clone Base Win11 Workstation > Management Client and clone Base CMD server > XYZ DC1.

Let's start our journey by clicking "Power on" for the virtual machine.


Joining a HOME LAB Domain

CONFIGS Map

Name                  IP
Management Clients    10.10.0.21
XYZ DC01              10.10.0.100
XYZ WS01              10.10.0.100 [DC01]

Before we start, let's install VMware Tools for better performance. You can find the installation file on the D: drive.

cd D:\
.\setup64.exe

Install & work with Active Directory

Use 'Sconfig' to:

  • Change the hostname: DC1

  • Change our IP address to static: 10.10.0.100

  • Change the DNS server to our own IP: 10.10.0.100

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment
Install-ADDSForest

After Active Directory is installed, our DNS server is automatically changed to the loopback address, so don't forget to change it back.

# Show the DNS settings per interface to find the one we have to change
Get-DnsClientServerAddress

# Point that interface at the DNS server again (replace [IP] with its address)
Set-DnsClientServerAddress -InterfaceIndex 12 -ServerAddresses [IP]

Add our DC1 to Management workstation with WinRM

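XYZDC1 > Enable-PSRemoting
XYZDC1 > Start-Service WinRM

# On the Management Workstation: show the current TrustedHosts list
ls WSMan:\localhost\Client\TrustedHosts

# Add DC01 to the TrustedHosts list
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "10.10.0.100"

# Create a session; enter the credentials when prompted
New-PSSession -ComputerName 10.10.0.100 -Credential (Get-Credential)

# Try to connect to the session we just created
Enter-PSSession -Id 1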
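
A TrustedHosts entry tells the WinRM client to skip server authentication for that host, so the list should stay as narrow as possible. The following is an added example, not part of the original walkthrough: the helper name Add-LabTrustedHost is hypothetical, and it appends DC01's address instead of overwriting the list and rejects wildcards.

```powershell
# Added example. 10.10.0.100 is the DC01 address from the CONFIGS map above.
$DcAddress = '10.10.0.100'

function Add-LabTrustedHost {
    # Hypothetical helper name, run from an elevated prompt on the Management Workstation.
    param([Parameter(Mandatory)] [string] $Address)

    # Refuse wildcards: '*' would skip server authentication for every host.
    if ($Address -match '\*') {
        throw "Wildcard TrustedHosts entries are not allowed: $Address"
    }

    $path    = 'WSMan:\localhost\Client\TrustedHosts'
    $current = (Get-Item $path).Value -split ',' | Where-Object { $_ }

    if ($current -notcontains $Address) {
        # -Concatenate appends to the list instead of replacing what is already there.
        Set-Item $path -Value $Address -Concatenate -Force
    }

    # Return the resulting list so it can be reviewed.
    (Get-Item $path).Value -split ','
}

Add-LabTrustedHost -Address $DcAddress

# Answers only if the WinRM listener on DC01 is reachable.
Test-WSMan -ComputerName $DcAddress

# When the lab session is over, empty the list again:
# Clear-Item WSMan:\localhost\Client\TrustedHosts -Force
```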

It is very useful to install choco on your workstation. Choco is an apt alternative for Windows: if you type choco install github, it installs the package on its own. It is really useful.

Command to install choco:

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))

After installing choco, we can install any tool or app with it.

Create a Client workstation for DC01

Let's create a client workstation just for DC01. We can clone a new workstation from our Base Win11 workstation and name it WS01.

Let's add our DC01 to our WS01.

# Show the DNS settings per interface to find the one we have to change
Get-DnsClientServerAddress

# Point that interface at DC01 (replace [IP] with its address)
Set-DnsClientServerAddress -InterfaceIndex 12 -ServerAddresses [IP]
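
The DNS step is needed twice, on DC01 after the AD installation and on WS01 before the domain join, and InterfaceIndex 12 will differ from machine to machine. Added example (not from the original page or its repository): the hypothetical helper Set-LabDns looks the adapter up instead of hard-coding the index, then checks that the domain controller SRV record for xyz.com resolves through 10.10.0.100.

```powershell
# Added example. Assumptions: DC01 is 10.10.0.100 and the domain is xyz.com,
# as used elsewhere on this page. Run from an elevated PowerShell prompt.
function Set-LabDns {
    # Hypothetical helper name.
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $Domain
    )

    # Pick every adapter that is up instead of relying on a fixed InterfaceIndex.
    $adapters = Get-NetAdapter | Where-Object Status -eq 'Up'

    foreach ($adapter in $adapters) {
        $dns = Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4

        # Only touch adapters that do not already point at the lab DNS server
        # (this also catches the loopback address set by the AD installation).
        if (($dns.ServerAddresses -join ',') -ne $Server) {
            Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $Server
        }
    }

    # A domain join needs this SRV record; if it does not resolve, fix DNS first.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Server -ErrorAction Stop
}

Set-LabDns -Server '10.10.0.100' -Domain 'xyz.com'
```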

Now we can add WS01 to our DC01 (XYZ domain). We can do it via PowerShell.

Add-Computer -DomainName xyz.com -Credential xyz\Administrator -Force -Restart

Don't forget to take a snapshot of DC01 and keep DC01 powered on, so we can request to join the domain from WS01 with DC01's credentials. After joining the domain, WS01 will restart.

Automating DOMAIN USERS

This GitHub repository of mine was created for this home lab Active Directory. From now on, all the code I talk about is saved in my repository. Please download it.

For the next part we will work only with the ad_schema.json & gen_ad.ps1 files.

git clone https://github.com/akuma-log/Active-Directory.git

Let's connect to our DC01 from our Management Workstation first.

# Open an interactive session on DC01.
Enter-PSSession 10.10.0.100 -Credential (Get-Credential)

# Create a new PSSession for us and keep it in $dc so we can reuse it.
$dc = New-PSSession 10.10.0.100 -Credential (Get-Credential)

# To save time, store the credential once in a variable called $creds. Every time we
# want to sign in to DC01 we give $creds to New-PSSession or Enter-PSSession, so we
# don't have to type the credential again and again.
$creds = (Get-Credential)

# Confirm our session.
echo $dc

# Create the session again, this time with the saved credentials ($creds).
$dc = New-PSSession 10.10.0.100 -Credential $creds

Transfer our ad_schema.json file from our Management Workstation to our DC01 and connect to DC01.

Copy-Item .\ad_schema.json -ToSession $dc -Destination C:\Windows\Tasks

Enter-PSSession $dc

cd C:\Windows\Tasks\

If you got this far, great. This is how easy it is to control everything from our Management Workstation. Just like ad_schema.json, we can send as many files as we want and manage everything from the Management Workstation.

Let's write the PowerShell script gen_ad.ps1 that creates our domain users.

DC01 >code .\gen_ad.ps1

DC01 >.\gen_ad.ps1             # run gen_ad.ps1 and give it the JSON file name

VS Code was installed via choco install vscode (Management Workstation).

If you are blocked when running PowerShell scripts, run Set-ExecutionPolicy RemoteSigned to get past it; after that you will be able to run PowerShell scripts.

Explaining gen_ad.ps1

When you open gen_ad.ps1 in VS Code, you will see it is explained in as much detail as possible. Viewing the JSON makes it easier to follow: for example, we have a group called Employee and three employee users called Alice, Bob and Charlie. You will also see WS02, but WS02 hasn't been created yet; don't worry, we can sort that out later. Just run the script. You will of course get an error, but check in the output whether our employee group and users were created.

# Easily view the users and the groups

net user

net groups

Finally, go to WS01 and try to log in as alice or charlie. If you look at the JSON file, you can see that charlie and alice are part of WS01.

POWERSHELL: Random Users & Weak Passwords

Many of the groups and users we have seen so far are not very useful. We need more random users and weak passwords to be able to play with Active Directory.

Look at the files in the Data directory. The Data directory contains the following files: first_names.txt, group_names.txt, last_names.txt, and passwords.txt. These files will be used to create our random users and weak passwords.

Our goal will be accomplished with the help of the random_domain.ps1 file. This script takes the first_names.txt, group_names.txt, and last_names.txt files to create users, assigns each user to a group, and provides a password from passwords.txt. Just modify the random_domain.ps1 file slightly as I did.

# UserCount falls back to 100 when not set (the original default was 5)
if ( $UserCount -eq 0 ){
    $UserCount = 100
}
# GroupCount falls back to 12 when not set (the original default was 5)
if ( $GroupCount -eq 0 ){
    $GroupCount = 12
}
So, the default is set to 5, but we will create 100 users with 12 groups, making our DC01 larger. With this setup, we can perform more Active Directory attacks, such as Kerberoasting, Pass-the-Hash, and DCSync attacks.

  • From our Management Client, run the random_domain.ps1 script. It generates the data and saves it to out.json.

  • Then send out.json to our DC01 and log in to DC01 via PSSession.

gen_ad.ps1 now takes the out.json file and creates the users and groups for us.

Now let's see whether our users and passwords work. Let's try a user's credentials from out.json on our WS01.

Credentials sample from out.json:
"groups":  "Employees",
"name":  "Yvonne James",
"password":  "loveme"

Username: yjames (only the first letter of the first name, followed by the last name)
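
With 100 random names, the username rule above can map two people to the same logon name, and the second account then cannot be created with that sAMAccountName. Added example, not the repository's gen_ad.ps1: it assumes out.json has a top-level users array with name and password fields, uses constructed sample data, and the function name Get-LabUserPlan is hypothetical.

```powershell
# Added example: constructed sample data in the assumed out.json layout.
$json = @'
{
  "users": [
    { "name": "Yvonne James",   "password": "loveme" },
    { "name": "Yusuf James",    "password": "qwerty" },
    { "name": "Mary Ann Smith", "password": "123456" }
  ]
}
'@

function Get-LabUserPlan {
    # Hypothetical helper: derives the logon name each JSON entry would get.
    param([Parameter(Mandatory)] [string] $Json)

    foreach ($u in ($Json | ConvertFrom-Json).users) {
        # Rule from the page: first letter of the first name + last name.
        # Everything after the first space is treated as the last name.
        $first, $last = $u.name -split ' ', 2
        $sam = (($first.Substring(0, 1) + $last) -replace '\s', '').ToLower()

        [pscustomobject]@{
            Name           = $u.name
            SamAccountName = $sam
            # sAMAccountName is limited to 20 characters for user accounts.
            TooLong        = $sam.Length -gt 20
        }
    }
}

$plan = Get-LabUserPlan -Json $json
$plan | Format-Table

# Logon names claimed by more than one person: only the first can be created.
$plan | Group-Object SamAccountName | Where-Object Count -gt 1 |
    ForEach-Object { "Collision on '$($_.Name)': $($_.Group.Name -join ', ')" }
```

Run it against the real file with Get-LabUserPlan -Json (Get-Content .\out.json -Raw) before sending out.json to DC01.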

First of all, let's install Active Directory on our DC1 (Windows Server 2022 Core). This link has a detailed explanation of how to install Active Directory via PowerShell: How to Install Active Directory Windows Server Core 2022

Follow how to install with Powershell

You can also change it via PowerShell: HOW TO REPLACE AN EXISTING STATIC IP ADDRESS WITH POWERSHELL

Let's add our DC1 (10.10.0.100) to our workstation. Enable-PSRemoting is a Windows built-in command that enables access to PowerShell remoting.

Then we have to add our DC1 as a trusted host, so we can use WinRM easily from the workstation. This is the resource that I found: How to Add a Computer to the TrustedHosts List

After opening WS01, the important thing is to make sure the DNS server is set correctly. You can do it with the command that I showed you earlier: HOW TO REPLACE AN EXISTING STATIC IP ADDRESS WITH POWERSHELL

At first, our goal is to create some users in DC01. Until now we have worked with DC01/Administrator. It's time to make our DC01 more verbose. There is a Powershell Script that prebuilds a lot of users and an AD environment to play with Active Directory. All you have to do is run the script and it will take care of everything. We are not going to do it like that; we create our own based on it. There is a JSON file in my Github Repository that maps out every user. Download this file onto our Management Workstation.

Let's look at our Github Repository For this Home LAB. Let's map it out.