This article documents a virtual Active Directory lab I built to learn some Active Directory attacks, network pivoting, and basic Command and Control (C2) using Metasploit.

The lab is designed to resemble a small enterprise Windows environment with requirements minimal enough to run on a mid-range machine.

Assumptions & Threat Model

This lab assumes:

  • An internal attacker with network access
  • Minimal internal monitoring
  • Default or weak Windows security configurations
  • Misconfigured behavior

Prerequisites

Knowledge

  • Virtualization (VirtualBox)
  • Windows and Windows Server installation
  • Basic Active Directory concepts (Domain, DNS, SPNs)
  • Basic networking and routing

Hardware

Recommended minimum (sorted by priority):

  • Storage: 256 GB SSD (or high-speed USB 3.x)
  • RAM: 8 GB minimum, 16 GB recommended
  • CPU:
    • Minimum: Intel i3 6th gen / Ryzen 3
    • Recommended: i5 / Ryzen 5 (H or K variants)

The lab was built and tested on an 8 GB system by aggressively disabling unused services after installation.

Software

Topology Overview

The environment consists of:

  • 1 Domain Controller
  • 2 Domain-joined Windows clients
  • 1 Attacker machine (Kali Linux)

Two network segments are used:

  • 192.168.1.0/24 – Internal domain network
  • 10.10.10.96/28 – Segmented network used for pivoting scenarios

Note: it’s NIC (Network Interface Card), not NC.

Network Segments

This lab intentionally uses two network segments to simulate an internal enterprise environment and to enable pivoting scenarios later on.

Segment  CIDR             Name              Purpose
1        192.168.1.0/24   windows_domain    Main internal network (initial setup & attacker access)
2        10.10.10.96/28   internal_windows  Restricted internal segment (pivoting target)

VirtualBox Setup

System Configuration

Initial installation:

  • Server: 2424 MB
  • Clients: 1280 MB each

Post-installation (after disabling unnecessary services):

  • Server: 1280 MB
  • Clients: 1024 MB
  • Attacker: 1024 MB

This configuration allows all VMs to run concurrently on an 8 GB host. For the initial setup, both clients can stay inside the 192.168.1.0/24 network.

Network Configuration

For each VM (initial setup):

  • Adapter 1
    • Type: Internal Network
    • Name: windows_domain
    • IP Range: 192.168.1.0/24

For the Domain Controller only:

  • Adapter 2
    • Name: internal_windows
    • IP Range: 10.10.10.96/28

This makes the Domain Controller act as a bridge between segments.

Active Directory Setup

Server

Initial Setup

  • Admin credentials: administrator:p@$$w0rd!
  • PC Name: server19-DC (restart afterwards)
  • Network (Static):
    • Adapter 1: 192.168.1.100/24
    • Adapter 2: 10.10.10.100/28

Promote Server to Domain Controller

  • Server Manager > Manage > Add Roles and Features.
  • Add Roles and Features Wizard:
    • Installation type: “Role-based or feature-based installation”
    • Server selection: server19-DC
    • Server roles: “Active Directory Domain Services” and check the “Include management tools”.
    • Features: Check the “Group Policy Management”
    • Confirmation: Check on “Restart destination server automatically if required”
    • Close after it’s done.
  • Server Manager > Notification flag > Click on “Promote this server to a domain controller”
  • Active Directory Domain Services Configuration Wizard:
    • Deployment configuration: “Add a new forest” and set “server19.local” as root domain name
    • Domain controller options: set “Windows Server 2016” as FFL (Forest Functional Level) and DFL (Domain Functional Level). Check “DNS server” and use the same admin password as the DSRM password.
    • Additional options: set NetBIOS domain name to SERVER19
    • Leave the remaining options at their defaults until the Installation section.
    • Restart after the installation completes.

Create Domain Accounts

  • John Smith
    • User logon name: jsmith@server19.local
    • Password: jsmith@123
  • Carl Smith
    • User logon name: cmisth@server19.local
    • Password: @csmith@

All passwords are set to never expire.

Create Fake Service Account

Fake SQL Service

  • User logon name: SQLService@server19.local
  • Password: Mysql@Password123

Set the service principal name:

setspn -a SERVER19-DC/SQLService.SERVER19.local:60111 SERVER19\SQLService
setspn -T SERVER19.local -Q */*

Configure File Sharing (SMB):

  • Server manager > File and Storage Services > Shares > Task > New Share.
  • New Share Wizard:
    • Profile: SMB Share Quick
    • Share Location: C:\Shares\DATA (Create the shares folder in C:)
    • Other Settings: Allow caching of share
    • Permission: Leave it default
    • Confirmation and create.
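The server-side steps above (promotion, domain accounts, the fake SQLService SPN and the DATA share) as one PowerShell script, added here as an example and not code from the original article; it runs in an elevated session on server19-DC, uses the article’s lab names and passwords, and ends with a check of which accounts actually carry an SPN.

```powershell
# Added example, not code from the original article: the server-side steps above as
# PowerShell run elevated on server19-DC. Names and passwords are the article's lab values.

# ---- Part A: run once on the fresh server; it reboots when promotion finishes ----
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
# The article reuses the administrator password for DSRM; prompt rather than hard-code it.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password'
Install-ADDSForest -DomainName 'server19.local' -DomainNetbiosName 'SERVER19' `
    -ForestMode 'WinThreshold' -DomainMode 'WinThreshold' -InstallDns `
    -SafeModeAdministratorPassword $dsrm -Force   # WinThreshold = Windows Server 2016 level

# ---- Part B: run after the reboot, logged on as SERVER19\administrator ----
Import-Module ActiveDirectory
$users = @(
    @{ Name = 'John Smith'; Sam = 'jsmith';     Pass = 'jsmith@123' },
    @{ Name = 'Carl Smith'; Sam = 'cmisth';     Pass = '@csmith@' },
    @{ Name = 'SQLService'; Sam = 'SQLService'; Pass = 'Mysql@Password123' }
)
foreach ($u in $users) {
    # All lab accounts are created enabled with "password never expires", as the article states.
    New-ADUser -Name $u.Name -SamAccountName $u.Sam `
        -UserPrincipalName "$($u.Sam)@server19.local" `
        -AccountPassword (ConvertTo-SecureString $u.Pass -AsPlainText -Force) `
        -Enabled $true -PasswordNeverExpires $true
}

# Register the fake SPN exactly as the article does, then list every SPN in the domain.
setspn -a SERVER19-DC/SQLService.SERVER19.local:60111 SERVER19\SQLService
setspn -T SERVER19.local -Q */*

# DATA share: equivalent of the "SMB Share - Quick" profile with caching allowed.
New-Item -ItemType Directory -Path 'C:\Shares\DATA' -Force | Out-Null
New-SmbShare -Name 'DATA' -Path 'C:\Shares\DATA' -CachingMode Manual

# Sanity check: user accounts carrying an SPN together with a non-expiring password are
# the ones the Kerberoasting scenario relies on. Apart from the built-in krbtgt, only
# SQLService should appear here; anything else means the lab has more exposure than intended.
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, PasswordNeverExpires |
    Select-Object SamAccountName, PasswordNeverExpires,
        @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join '; ' } }
```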

Clients

Initial Setup

  • Client 1:
    • IP: 192.168.1.101/24 (static)
    • PC name: NESCOFFEE
  • Client 2:
    • IP: 192.168.1.102/24 (static)
    • PC name: MILO

For pivoting

  • Client 2:
    • IP: 10.10.10.101/28 (static)

Create Local Accounts

Same as the domain accounts, but with an L appended to the username and password.

  • Username: cmisthL, password: jsmithL@123
  • Username: jsmithL, password: @csmith@

Joining Domain

Client 1:

  • Use Server’s IP as DNS server: 192.168.1.100
  • Hit Win+I, type “access”, click on Connect.
  • Microsoft account window:
    • Click on “Join this device to a local Active Directory domain” under the alternate actions.
    • Use the server administrator password to join.
    • Skip the Add an account section
    • Restart

Client 2 follows the same steps.

Create Local Admin

  • Set John Smith (jsmith@server19.local) as local administrator for NESCOFFEE.
  • Set Carl Smith (cmisth@server19.local) as local administrator for MILO.
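The per-client steps above (static IP, DNS pointing at the DC, rename plus domain join, local accounts, and the local administrator grant) as one PowerShell script, added here as an example and not code from the original article. It runs elevated on each client; the interface alias 'Ethernet' is an assumption for the default VirtualBox adapter, and the local account values are taken from the list above as written.

```powershell
# Added example, not code from the original article: the client-side steps above as
# PowerShell run elevated on each Windows client. Set $client to the machine being built.
# Assumption: the VirtualBox adapter shows up as 'Ethernet' inside the guest.

$client = 'NESCOFFEE'   # or 'MILO'
$cfg = @{
    NESCOFFEE = @{ IP = '192.168.1.101'; LocalAdmin = 'SERVER19\jsmith' }
    MILO      = @{ IP = '192.168.1.102'; LocalAdmin = 'SERVER19\cmisth' }
}[$client]
$nic = 'Ethernet'

# Static address on the windows_domain segment, DNS pointed at the domain controller
# (a client cannot locate the domain without it).
New-NetIPAddress -InterfaceAlias $nic -IPAddress $cfg.IP -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses '192.168.1.100'

# Local accounts as listed in the article (domain usernames/passwords with an L appended).
$locals = @(
    @{ Name = 'cmisthL'; Pass = 'jsmithL@123' },
    @{ Name = 'jsmithL'; Pass = '@csmith@' }
)
foreach ($l in $locals) {
    New-LocalUser -Name $l.Name -PasswordNeverExpires `
        -Password (ConvertTo-SecureString $l.Pass -AsPlainText -Force)
}

# Rename and join in one step; prompts for SERVER19\administrator and reboots, which is
# the "Join this device to a local Active Directory domain" flow from the Settings app.
Add-Computer -DomainName 'server19.local' -NewName $client `
    -Credential 'SERVER19\administrator' -Restart

# ---- After the reboot, logged on with the domain administrator account ----
# Domain principals can only be added to local groups once the join has completed.
# NESCOFFEE gets SERVER19\jsmith, MILO gets SERVER19\cmisth (the $cfg.LocalAdmin value).
Add-LocalGroupMember -Group 'Administrators' -Member 'SERVER19\jsmith'   # 'SERVER19\cmisth' on MILO
Get-LocalGroupMember -Group 'Administrators'   # verify exactly one extra domain user was added
```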

Attacker

Initial Setup

  • Put it on the same network
  • Set static IP: 192.168.1.10/24
  • Perform ping test

Attack Scenarios

Here are some attack scenarios that can be reproduced using this lab:

Attack scenarios that require both clients online plus the server: