This is my personal documentation on setting up a basic pentesting lab in a virtual environment to learn some AD attack scenarios, network pivoting, and C2 (command and control) with Metasploit.

Prerequisites

Knowledge

  • Virtualization and VirtualBox
  • Windows OS and Server Installation
  • Basic knowledge of Windows and Windows Server (Desktop/GUI version)
  • Basic knowledge of Active Directory:
    • AD Domain
    • Principal name
    • DNS
  • Basic knowledge of networking (routing).

Hardware

The following are the main specifications I recommend; the list is sorted by priority.

  • Storage: 256 GB minimum; an SSD is a must for the server, or use a high-speed USB 3.1 / Type-C drive.
  • RAM: 8 GB minimum, 16 GB (dual channel) recommended.
  • CPU: AMD Ryzen 3 or Intel i3 6th gen (minimum); AMD Ryzen 5 or better H-series, or Intel i5 or better 6th gen K/H-series (recommended).
    • A 4th gen i7 is still worth it, though.

I used a single MSI laptop meeting the minimum requirements, except for the CPU.

Software

Topology

I know my topology is bad.

Note: it’s NIC (Network Interface Card), not NC.

For pivoting, I removed the Windows 10 machine inside the 10.10.10.100/28 network range from the AD domain.

Setup

VM System Configuration

System

Initial (during installation):

  • Server: 2424 MB of RAM
  • Client: 2 × 1280 MB of RAM

After installation (removed styling/desktop effects, disabled junk services):

  • Server: 1280 MB of RAM
  • Client: 1024 MB of RAM
  • Attacking machine: 1024MB of RAM

Trust me, I use 8 GB to host these VMs. 😂

  • Windows Server 2019 = Server
  • Windows 10 = Client
  • Kali Linux / Armed Ubuntu = Attacker

For the initial setup, the two clients can stay inside the 192.168.1.0/24 network.

Network

Server Adapter 1:

[Image: Server Adapter 1 settings]

Setting up Server

Initial setup

  • Admin credentials: administrator:p@$$w0rd!
  • PC Name: server19-DC (restart after)
  • Network (Static):
    • Adapter 1: 192.168.1.100/24
    • Adapter 2: 10.10.10.100/28

Promote to Domain Controller

  • Server Manager > Manage > Add Roles and Features.
  • Add Roles and Features Wizard:
    • Installation type: “Role-based or feature-based installation”
    • Server selection: server19-DC
    • Server roles: “Active Directory Domain Services” and check the “Include management tools”.
    • Features: Check the “Group Policy Management”
    • Confirmation: Check on “Restart destination server automatically if required”
    • Close after it’s done.
  • Server Manager > Notification flag > Click on “Promote this server to a domain controller”
  • Active Directory Domain Services Configuration Wizard:
    • Deployment configuration: “Add a new forest” and set “server19.local” as root domain name
    • Domain controller options: set “Windows Server 2016” as FFL (Forest Functional Level) and DFL (Domain Functional Level). Check “DNS server” and use the same admin password as the DSRM password.
    • Additional options: set the NetBIOS domain name to SERVER19
    • Leave the remaining options at their defaults up to the Installation section.
    • Restart after the installation completes.

Domain Accounts

  • John Smith
    • User logon name: jsmith@server19.local
    • Password: jsmith@123
  • Carl Smith
    • User logon name: cmisth@server19.local
    • Password: @csmith@

All passwords are set to never expire.

Service Account

Fake SQL Service

  • User logon name: SQLService@server19.local
  • Password: Mysql@Password123

Set the service principal name:

setspn -a SERVER19-DC/SQLService.SERVER19.local:60111 SERVER19\SQLService
setspn -T SERVER19.local -Q */*

Configure File Sharing (SMB):

  • Server manager > File and Storage Services > Shares > Task > New Share.
  • New Share Wizard:
    • Profile: SMB Share Quick
    • Share Location: C:\Shares\DATA (Create the Shares folder in C:)
    • Other Settings: Allow caching of share
    • Permission: Leave it default
    • Confirmation and create.
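The whole "Setting up Server" procedure above, from static addressing through the SMB share, can also be done with the built-in Windows Server cmdlets. The following is an added example and not the author's own script; it uses the hostnames, addresses, account names and passwords from this page (lab-only values, kept in cleartext for that reason) and assumes the two adapters are named 'Ethernet' and 'Ethernet 2' (check with Get-NetAdapter). Each stage ends in a reboot, so run it one stage at a time from an elevated PowerShell: `-Stage Network`, then `-Stage Forest`, then, logged in as SERVER19\administrator, `-Stage Accounts`.

```powershell
# Added example: automates the "Setting up Server" steps with stock Windows Server 2019 cmdlets.
# Assumption: adapters are 'Ethernet' (192.168.1.0/24) and 'Ethernet 2' (10.10.10.96/28).
param([ValidateSet('Network','Forest','Accounts')][string]$Stage)

# Lab values copied from the page.
$AdminPassword = 'p@$$w0rd!'
$DomainName    = 'server19.local'
$NetbiosName   = 'SERVER19'

switch ($Stage) {
  'Network' {
    # Static addressing for both adapters, then rename and reboot.
    New-NetIPAddress -InterfaceAlias 'Ethernet'   -IPAddress 192.168.1.100 -PrefixLength 24
    New-NetIPAddress -InterfaceAlias 'Ethernet 2' -IPAddress 10.10.10.100  -PrefixLength 28
    Rename-Computer -NewName 'server19-DC' -Restart
  }
  'Forest' {
    # AD DS role with its management tools, plus Group Policy Management (GPMC).
    Install-WindowsFeature AD-Domain-Services, GPMC -IncludeManagementTools
    # New forest; FFL/DFL "Windows Server 2016" is 'WinThreshold'; DNS role included;
    # DSRM password reuses the admin password, as the page does. Reboots when finished.
    $dsrm = ConvertTo-SecureString $AdminPassword -AsPlainText -Force
    Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetbiosName `
      -ForestMode 'WinThreshold' -DomainMode 'WinThreshold' -InstallDns `
      -SafeModeAdministratorPassword $dsrm -Force
  }
  'Accounts' {
    Import-Module ActiveDirectory
    # Domain users and the fake SQL service account, all with non-expiring passwords.
    $users = @(
      @{ Name = 'John Smith'; Sam = 'jsmith';     Pass = 'jsmith@123' },
      @{ Name = 'Carl Smith'; Sam = 'cmisth';     Pass = '@csmith@' },
      @{ Name = 'SQLService'; Sam = 'SQLService'; Pass = 'Mysql@Password123' }
    )
    foreach ($u in $users) {
      New-ADUser -Name $u.Name -SamAccountName $u.Sam `
        -UserPrincipalName "$($u.Sam)@$DomainName" `
        -AccountPassword (ConvertTo-SecureString $u.Pass -AsPlainText -Force) `
        -Enabled $true -PasswordNeverExpires $true
    }
    # Register the SPN on the service account, then list every user account that carries one
    # (the check that confirms the registration landed where you expect).
    setspn -a 'SERVER19-DC/SQLService.SERVER19.local:60111' 'SERVER19\SQLService'
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName |
      Select-Object SamAccountName, ServicePrincipalName
    # SMB share "DATA" with default permissions and caching allowed (manual offline files).
    New-Item -ItemType Directory -Path 'C:\Shares\DATA' -Force | Out-Null
    New-SmbShare -Name 'DATA' -Path 'C:\Shares\DATA' -CachingMode Manual
  }
}
```

The `Get-ADUser` query at the end is the same information `setspn -T SERVER19.local -Q */*` prints, but filtered to user objects, so only the deliberately created service account should appear in a fresh lab.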

Setting up Client

Initial setup

  • Client 1:
    • IP: 192.168.1.101 (static)
    • PC name: NESCOFFEE
  • Client 2:
    • IP: 192.168.1.102 (static)
    • PC name: MILO

Local Accounts

Same as the domain accounts, but with an L appended to the username/password.

  • Username: cmisthL, password: jsmithL@123
  • Username: jsmithL, password: @csmith@

Join Domain

Client 1:

  • Use the server’s IP as the DNS server: 192.168.1.100
  • Press Win+I, type “access” (Access work or school), and click Connect.
  • Microsoft account window:
    • Click “Join this device to a local Active Directory domain” under Alternate actions.
    • Use the server administrator password to join.
    • Skip the Add an account section
    • Restart

Client 2 follows the same steps.

Local Admin:

  • Set John Smith (jsmith@server19.local) as local administrator for NESCOFFEE.
  • Set Carl Smith (cmisth@server19.local) as local administrator for MILO.
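The client-side steps (static IP, DNS pointing at the DC, domain join, local admin) as an added PowerShell example; this is not the author's script. It takes the client name as a parameter and looks up that client's IP and local-admin user from the page, assumes the adapter is named 'Ethernet', and verifies the DC's DNS SRV record before attempting the join, since a failed SRV lookup is the usual reason a lab join fails. Run `-Stage Join` from an elevated PowerShell, then after the reboot `-Stage LocalAdmin`.

```powershell
# Added example: the "Setting up Client" steps for NESCOFFEE and MILO.
# Assumption: the client's adapter is named 'Ethernet' (check with Get-NetAdapter).
param(
  [ValidateSet('Join','LocalAdmin')][string]$Stage,
  [ValidateSet('NESCOFFEE','MILO')][string]$ClientName
)

# Per-client values from the page: static IP and the domain user that becomes local admin.
$Clients = @{
  'NESCOFFEE' = @{ IP = '192.168.1.101'; LocalAdmin = 'SERVER19\jsmith' }
  'MILO'      = @{ IP = '192.168.1.102'; LocalAdmin = 'SERVER19\cmisth' }
}
$c = $Clients[$ClientName]

switch ($Stage) {
  'Join' {
    New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress $c.IP -PrefixLength 24
    # The DC is the only DNS server; the join depends on its SRV records.
    Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '192.168.1.100'
    # Check before joining: the LDAP SRV record for the domain controllers must resolve.
    Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.server19.local' -Type SRV
    # Rename and join in one step; prompts for the domain administrator password.
    $cred = Get-Credential -UserName 'SERVER19\administrator' -Message 'Domain administrator'
    Add-Computer -DomainName 'server19.local' -NewName $ClientName -Credential $cred -Restart
  }
  'LocalAdmin' {
    # After the reboot: grant the page's chosen domain user local administrator and show the result.
    Add-LocalGroupMember -Group 'Administrators' -Member $c.LocalAdmin
    Get-LocalGroupMember -Group 'Administrators'
  }
}
```

If `Resolve-DnsName` returns nothing, the client is not using the DC for DNS (or the DC's DNS role is not up yet), and `Add-Computer` will fail with a "domain could not be contacted" error; fix that first rather than retrying the join.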

Setting up Attacking Machine

  • Put it on the same network.
  • Set static IP: 192.168.1.10

AD Attack Scenarios

Here are some attack scenarios:

Attack scenarios that require two clients online plus the server: