Creating An Ad Environment
Guide for setting up an Active Directory environment using virtual machines for the purpose of practicing common exploits.
Overview
This guide was originally created as notes for myself to create an active directory environment to test some exploits on whilst following the Practical Ethical Hacking Course on Udemy. The course is incredibly informational and part of it includes setting up an AD environment. This guide will utilise one domain controller and 2 users however the instructions can be replicated to make more users if you wish. This guide requires 16gb of ram to run fast enough. Throughout the guide I use <> to represent areas of commands where you need to input the names you chose yourself. Finally, I will publish some basic attacks at a later date that can be done on this exact environment which are both interesting and realistic.
Downloading the ISO Images
This guide will require you to have 2 types of ISO images. The first is for the domain controller and can be downloaded from this link
https://www.microsoft.com/en-us/evalcenter/evaluate-windows-10-enterprise
make sure you get the enterprise version and that it is 64 bit.
You also need to get the server ISO from this link
https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2019
Setting up the Domain Controller
Start by creating a new virtual machine in vmware and find the Windows Server ISO.
- Select standard for Windows Server 2016 when it shows a dropdown for the version of windows.
- Continue on until you get to a page that will give you an option for storage.
- Choose where you want it stored on your system then click next and select 60gb size and to store virtual disk into multiple files.
- Click next and on the last step uncheck power on this virtual machine after creation.
You have now created the virtual machine and you need to now click edit virtual machine settings.
On this window you need to remove the floppy drive, select the network to NAT and select 2gb memory for it to run on.
Once you have done this start the machine and press any key multiple times until you are brought to the installer.
Hit next and press install now.
On the following page select the desktop experience version of the windows server 2019 standard evaluation install.
Continue through the installer and select custom install when presented with 2 options.
Then let the install complete itself. When it is finished it should restart itself.
You should now be presented with a username and password page.
For the purpose of this environment use the password:
P@$$w0rd!
Enter this in again and click finish.
You are now at the windows server log in page and you can log in with your password.
When you are logged in you should see that you are not in fullscreen. Go to the VMware settings at the top and hover over Player > Manage > Install VMware Tools. When you install this it should pop up in the machine as a notification. Click this and select run. Go through the launcher and select complete install.
Go to the start menu and type in view your pc name. Rename this pc to anything you want. It will prompt you to restart the pc so click restart now.
When restarted you should get to a log in screen. Put in your password and you will be back in the system. Go to the server manager > manage > add roles and features.
In the new window select next, next, next. When you get to the server roles window select Active Directory Domain Services. Click add features and then next, next, next and finally install.
When this is done you should now be back at the dashboard and should see a yellow warning flag at the top right. Click this and click Promote this server to a domain controller. You will be brought to a new window.
Select add a new forest and name the root domain name as anything you want that will be the name of your entire environment. Make it something.local Select next. Then select a password for the Directory Services restore mode and select next, next and it should now populate your name in the NetBIOS domain name. Click next until you get to a page that tells you to install.
Your machine should have rebooted after the install and it should show you now Domain/Administrator. Log in with the same password and you are now a administrator of the domain.
Setting up User Machines
To setup the users you need to create another virtual machine like you did for the server machine above however you now need to select theWindows Enterprise ISO. Select Windows 10 enterprise and select next and choose a storage location, select 60gb of space and then deselect the option for turning on the machine after creation.
Once again as you did for the previous machine
- Remove the floppy drive
- Leave connection as NAT
- Select 2gb of memory
- Press play again and press any key as soon as you see the prompt to press a key
You should have now reached an install window. You dont need to do anything here so click next and select custom install and add a new drive just as you did for the first machine.
Go through the installer until you reach this page
Select Domain join instead option and select a name for your user and then select a password. You will also need to set up some security questions so fill these out as well.
Select no, decline and then uncheck all of the options. The machine should now be setting everything up.
Once again install vmware tools in player > manage and then rename the pc to anything you want.
As you have now swetup one user you also need to do all of these steps again to create the second user machine.
Setting up Users and Groups
Start and log into the domain controller using the administrator passport. Select Tools > Active Directory Users and Computers in the dashboard.
Once you have selected that, click into your .local > users and you should see lots of users. These need to be moved into a new folder so right click your .local and click New > Organisational Unit and call it Groups.
Now take all of the groups in the user accounts by highlighting them and moving them over to groups. When this is done you should only have Administrator and Guest left in users and groups should have anything else.
Right click in the users folder and click new > User. Select a user with the same name as the account set up on the first user VM. You will also need to choose a naming convention in the User logon name section. I have chosen first letter of first name with lastname so mine would be sjones but you can choose whatever you like. Select a password you would like to use for it as well as select password never expires and deselect change password on next login.
Copy the user you just made and create 1 more users with any name you like.
You now have a basic user. You now also need to create a domain admin. Click the Administrator user and copy it to create a new one. You will be brought to another page where you need to create the name for a domain admin that you would like and write a user login name that is in the same convention as the previous one. Choose a password for this admin as well.
Finally, copy this user that you have just made and create another that will be used for a service. Call it something like SQL Service and make the login name SQLService. Select a password for this user as well.
Whilst having services running as domain administrators is not recommended, it is still a very common practice for many companies which is why we are going to replicate this here. You should also double click on the new SQL Service user and put the password in the description. This is obviously insecure, however it is very common and will allow you to further practice exploits on the network.
When all of this is done you should have 6 total users with 2 being Administrator and Guest and then 1 actual administrator, 2 normal users and 1 domain administrator user for the SQL Service.
We now want to create a fileshare. If you go to server manager > File and Storage Services
Then go to Shares and click the TASKS dropdown > New Share.
Click next and create a share name as anything you like. Clcik next until you get to the final page and click create.
The reason for doing this is to open ports 139 and 445 on the domain controller by enabling smb.
Setting up a Service Principle Name
Open up a command prompt as administrator and use the command
<.local name> refers to the name chosen earlier when you created the new forest and chose a root domain name.
setspn -a <domainControllerName>/SQLService.<.local name>.local:60111 <.local name>/SQLService
You can check it worked by doing
setspn -T <.local name>.local -Q */*
It should show you that the SQLService has been set at the bottom of the output with the correct port.
Setting up Group Policy
In the start search bar type in Group Policy Management. Go to Forest > Domains and click your .local. Right click it and press Create a GPO in this domain, and Link it here.
Name this GPO “Disable Windows Defender”
You may be wondering why we are disabling windows defender. The reason for this is that windows defender is updated and changing very regularly, whereas the exploits that you can practice on this machine are going to work regardless of the anti virus that you have.
You can learn about anti virus evasion separately however it will most likely be completely different in a few months time.
Right click on Disable Windows Defender and click edit.
Navigate through Computer Configuration > Policies > Administrative Templates > Windows Defender Antivirus and click on it and double click Turn off Windows Defender Antivirus.
Select Enabled > Apply > ok.
Joining the Machines to the Domain
You will need to do all of these steps twice for both machines.
Go to the C drive and right click create new folder and make a Share folder. Right click and select properties > sharing and click share > share > Yes, Turn on network discovery.
Go to your domain controller vm and go to a command prompt to run the command
ipconfig
Copy down the ipv4 ip address. Now go back to your user machine and search Network Status in the start bar and select change adapter options.
Right click ethernet0 and select properties. Double click on ipv4 and click Use the following DNS server addresses and enter the IP address you just copied down.
Exit out of all of that.
Now go back to the search bar and type in Access work or school. Select that and click connect. Click Join this device to a local active directory domain.
Enter your .local name from earlier and log in using Administrator and the password we set at the very beginning. Skip > Restart Now.
When it reboots you need to log in as the first user you created. When it restarts you should see one user that is a local user and you should also see a button for other user.
You need to use the username and password that you set up from within the Users group on the domain controller. You need to log in with the same format ie sjones.
When it loads in sign back out of that user and sign in as administrator using <.local name>/administrator and use your password. You need to make the user a local administrator on the machine.
Right click on the windows sign and click Computer Management. This should bring up your local administrator settings.
Go to Local Users and Groups > Groups > Administrators.
You then want to click add, and add the name of the user in the same format as sjones into the box titled Enter the object names and click Check Names.
Repeat all of this for the other user you created as well and do it on the other vm.
When both are setup with local administrator go to the second machine and for the purposes of testing exploits make the first user a local administrator of it.
In the end you should have 1 domain controller administrator, 1 user with local admin on their machine, 1 user with local admin on both user machines and 1 SQLService user.
If you go back to the domain controller machine and look at your Active Directory Users and Computers you should now see both machines in the computers tab and the environment setup.