This page is part of the larger series of converting an old laptop into a bare metal home lab server. Click the link to be taken back to the original post.

The nature of this section is to help you get the following components added and connected to form a small Active Directory (AD) forest:
- Domain Controller (DC)
- 2 Windows 10 Enterprise hosts
This is not intended to be an exhaustive resource on AD.
Warning: Additional Compute Resources Required
Windows is a very demanding operating system. If your Proxmox node is running out of resources as you have been building out your lab, you have the following options:
- Upgrade any hardware components where possible
- Power off some other VMs or containers and see if you can free up resources
- Keep the Windows hosts off whenever you do not need them
  - Remember, you will need the resources available whenever you want to run the Windows hosts
- Add another Proxmox server and build out your lab over there
  - This option will require you to rebuild a pfSense lab with Open vSwitch and any desired VLANs. It won’t need to be an exact copy of the one we already set up
Getting the ISO Files
Refer back to this page for links to download Windows ISOs.

Once the ISOs are downloaded, be sure to transfer them to your Proxmox node.
Staging the Network
Adding a VLAN
I am not going to walk you through creating the VLAN. We've already learned this exercise. Please reference the link below if you need a refresher on adding new VLANs, interfaces, and subnets to your cyber range.

You need to add this VLAN to your cyber range:
- VLAN ID Number: 80
- VLAN Network ID: 10.80.80.1/24
- Interface Name: AD_LAB
- DO NOT ENABLE the DHCP server on this VLAN, as the Domain Controller is going to be filling that role
Hands-On Example of Adding the VLAN
If you prefer a bit more of a walkthrough of adding the VLAN, IP3C4C does an outstanding job demonstrating how to add the VLAN to Proxmox Open vSwitch and pfSense. His write-up is also a bit of a spin-off of mine with a few deviations.
- Whereas I use the ad.lab local domain, he follows The Cyber Mentor's naming conventions to keep it in line with the PEH course
- He also uses the groups and users from the PEH course, whereas I use a different username convention

Creating an AD Lab the Insecure Way
Typically you should not put your domain controllers (DC) on the same subnet as the clients. You create a separate /29 subnet and put your DCs there. Then, create a separate subnet for your clients and make them routable.
While it would be good to adhere to best practices, this is a learning environment. Therefore, you will be creating a flat AD lab network, and putting all of the infrastructure on the same broadcast domain. That way you can leverage as many attacks as possible.

Getting Kali on the AD VLAN
We started out by putting Kali on the native LAN. We need to move Kali to the AD VLAN in order to learn about as many attacks as possible. It's easy to make the change.
- In Proxmox, change the Kali VM's network interface so that it is on VLAN 80
- In Kali, run these commands:
Replace <interface-name> with your Kali VM's interface
    sudo ip link set <interface-name> down
    sudo ip link set <interface-name> up
Putting Kali Back on the Native VLAN
If you want to move Kali back to the native VLAN, just reverse your steps:
- In Proxmox, change the Kali VM's network interface so that there is no VLAN ID
- In Kali, run these commands:
Replace <interface-name> with your Kali VM's interface
    sudo ip link set <interface-name> down
    sudo ip link set <interface-name> up
Running Windows Guests on Proxmox
Refer back here for a refresher on general best practices when running Windows guests on Proxmox.

Windows Server 2019: The Domain Controller
Installation and Initial Setup
This is your template when creating the VM in Proxmox.
General

OS

System

Hard Disk

CPU

Memory

Network

Drivers Disc
Add another CD/DVD drive to your VM and load the VirtIO drivers disc.

Verify the Boot Order
Ensure the VirtIO drivers disc is unchecked.

Installing Windows Server 2019
Power on the VM and open a NoVNC console.

Choose your language and click Next.

Choose Install Now and choose Windows Server 2019 Standard Evaluation (Desktop Experience)

Click Next. Accept the terms and conditions. Choose Custom: Install Windows Only.

Load the SCSI Driver
Choose Load Driver > OK

Click Browse and expand this disk

Go to vioscsi > 2k19 > amd64

Choose this driver

Click Next and wait for it to finish loading.
Load the Network Driver
Choose Load Driver > OK

Click Browse and expand this disk

Go to NetKVM > 2k19 > amd64

Choose this driver

Click Next and wait for it to finish loading.
Finish the Installation
Click Next and wait for the installation to finish.

Once the installation is finished, set the local administrator password and save it. You could put it in a password manager, or you can put it in the Notes field of the VM.

Configure the Network Interface
Right-click the network interface icon.

Choose Open Network & Internet Settings

Scroll down and choose Change adapter options

Right-click the adapter and choose Properties

Double-click Internet Protocol Version 4 (TCP/IPv4)

Configure your adapter as such:

For the DNS servers, the following will happen:
- First, check with the DNS server running on the domain controller (we will install this a bit later)
- If the DNS server doesn't know the answer, it will forward the DNS query to the default gateway and pfSense will resolve it
Rename the Server
Open the Start Menu and click the Settings icon.




Enter a name for your server

Choose Restart Now. Enter Other (planned) for the reason.
Take a Snapshot of the VM
In Proxmox, click on your Windows Server 2019 VM and go to Snapshots. Click Take Snapshot. Set the following values:
- Name: WinServer2k19_PreDomain
- Include RAM: yes
- Description: Windows Server 2019 Active Directory Domain Services installed. Pre-domain-controller configuration.
Now, we can restore this snapshot any time if we want to roll back to a pre-domain install.
Configure Domain Services
Installing the Domain Controller
Click Manage > Add Roles and Features

Click Next > Next > Next until you reach Server Roles. Check the following boxes:
- Active Directory Domain Services
- DNS Server (so we can resolve the domain controller by DNS name)


Click Next > Next > Next > Next > Install. Wait for the install to finish and click Close.

Configure Active Directory Domain Services
Log back into the domain controller as the local administrator and wait for the Server Manager app to load.


Choose Add a new forest and specify a root domain name. I chose ad.lab as my domain name, but you can choose any other local TLD.
TLDs such as .com, .org, .net will work as a local domain. Also, best not to use .local either, because that can interfere with multicast traffic.

Click Next. The default options are fine. Specify a restore password. You can use the same password as the local admin or something different. It doesn’t matter. Click Next.


Click Next and continue with the defaults.

Looks good. Click Install and wait for it to complete.

The server will automatically reboot.

Configure DNS Forwarders

The DNS server running on the domain controller will act as a resolver for the ad.lab domain (or whichever local domain you chose). We need a forwarder for any DNS query for which the DNS server does not know the answer.
We can use the pfSense default gateway as a downstream DNS server that the domain controller can pass queries to for any unknown hostnames.
Open up the Start Menu and search for DNS.

Expand DNS > DC1 and double-click Forwarders.

Click Edit and add the IP address of the default gateway. Click OK.


Add and Configure a DHCP Server

Open Server Manager and go to Manage > Add Roles and Features

Click Next > Next > Next
Click DHCP Server


Click Add Features and click Next > Next > Next > Install
Once the installation is complete, click on Complete DHCP Configuration


Click Next > Commit > Close > Close
Go to the Start Menu and search DHCP

Expand the DHCP server tree and right-click IPv4 and choose New Scope

Click Next and give your DHCP configuration a name and description. Then, click Next.

Configure the DHCP address space and subnet mask. Then, click Next.

We're not configuring any DHCP exclusions (reservations), so click Next.

We'll make it so clients' leases are good for one year. Click Next.

Click Next to configure it now.

Enter the address of the default gateway and click Add.

The default DNS configuration for DHCP clients is good here. Click Next.

We don't have a WINS server in our lab environment. Click Next.

Click Next to activate the DHCP scope and click Finish.
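
The DNS forwarder and DHCP steps above can also be scripted, which helps when you rebuild the domain controller. This is an added PowerShell example, not part of the original post; the DC address, DC name, scope name and pool range are assumed values (the page does not state them), so set them to match your lab.

```powershell
# Added example: scripted equivalent of the DNS forwarder and DHCP wizard steps.
# Run in an elevated PowerShell session on the domain controller.
# ASSUMED values (not from the page); change them to match your lab.
$Gateway    = '10.80.80.1'     # pfSense address on VLAN 80
$DcIp       = '10.80.80.2'     # static IP you gave the domain controller
$DcFqdn     = 'dc1.ad.lab'     # DC1 in the ad.lab forest
$ScopeName  = 'AD_LAB'         # any descriptive name
$ScopeStart = '10.80.80.100'   # constructed pool start
$ScopeEnd   = '10.80.80.200'   # constructed pool end

# DNS: forward anything the ad.lab zone cannot answer to pfSense.
$current = @((Get-DnsServerForwarder).IPAddress |
    Where-Object { $_ } | ForEach-Object { $_.ToString() })
if ($current -notcontains $Gateway) {
    Add-DnsServerForwarder -IPAddress $Gateway
}

# DHCP role plus authorization in AD (the "Complete DHCP Configuration" step).
Install-WindowsFeature DHCP -IncludeManagementTools | Out-Null
Add-DhcpServerInDC -DnsName $DcFqdn -IPAddress $DcIp

# Scope with a one-year lease, activated immediately, as in the wizard.
Add-DhcpServerv4Scope -Name $ScopeName -StartRange $ScopeStart -EndRange $ScopeEnd `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 365) -State Active

# Scope options: router = pfSense, DNS server = the domain controller.
Set-DhcpServerv4OptionValue -ScopeId 10.80.80.0 -Router $Gateway `
    -DnsServer $DcIp -DnsDomain 'ad.lab'

# Show the result so it can be checked against the wizard screens.
Get-DnsServerForwarder | Format-List IPAddress
Get-DhcpServerv4Scope  | Format-List ScopeId, Name, StartRange, EndRange, LeaseDuration, State
```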

Add a Domain Administrator Account
Go to the Start Menu. Search for Active Directory Users and Computers and open the app.




Click on Users and choose Domain Admins


Click on Members > Add. Enter the username, click Check Names. Click OK > OK.

Log out of the local administrator account.

Add Some Users to the Lab
Log in as the domain administrator.

Go to the Start Menu. Search for Active Directory Users and Computers and open the app.

Right click your domain. Choose New > User
John Doe



Jane Doe


Add a Group Policy Object to Disable Protections on Client Machines
Open the Start Menu and search for Group Policy

Expand your forest until you see your domain

Right-click your domain name and choose Create a GPO...


Click OK. Right-click on your new group policy object and click Edit…

Expand down into Computer Configuration > Policies > Administrative Templates > Windows Components

Click on Windows Defender Antivirus

Click on Real-time Protection

Double-click Turn off real-time protection

Now, go to Network > Network Connections > Windows Defender Firewall > Domain Profile

Double-click Windows Defender Firewall: Protect all network connections

Right-click the group policy object

Force Update the Group Policy Settings on the Domain Controller
Right-click the Start Menu and open Windows PowerShell (Admin)

Run this command

Windows 10 Enterprise Clients
Preparing a Template VM
General

OS

System

Hard Disk

CPU

Memory

Network

Drivers Disc
Add another CD/DVD drive to your VM and load the VirtIO drivers disc.

Verify the Boot Order

Installation and Initial Setup
Choose your language and click Next.

Click Next. Accept the terms and conditions. Choose Custom: Install Windows Only.

Load the SCSI Driver
Choose Load Driver > OK

Click Browse and expand this disk

Go to vioscsi > 2k19 > amd64

Choose this driver

Click Next and wait for it to finish loading.
Load the Network Driver
Choose Load Driver > OK

Click Browse and expand this disk

Go to NetKVM > 2k19 > amd64

Choose this driver

Click Next and wait for it to finish loading.
Finish the Installation
Click Next and wait for the installation to finish.

Select your regional and language settings. Then, choose Domain join instead.

Enter Template and click Next.

Enter a password and set security questions. I recommend saving them somewhere. You can use the Notes field of the VM in Proxmox.
Turn off all the services.

Choose Not now for Cortana

Sysprep the Template
Log into the system using the template credentials and open a PowerShell terminal as administrator.
Run the command:
C:\Windows\System32\Sysprep\sysprep.exe

Click OK. Let the sysprep process run to completion. The VM should shut down.
Convert the VM to a Template
Go to Proxmox and right-click the Windows 10 Enterprise VM. Then, choose Convert to template.
We will use this template any time we want to create a new Windows 10 Enterprise VM, rather than go through this build process every time.
Create the Domain Computers
In Proxmox, you can identify a template by its icon.

Right-click the template and choose clone

Create one more clone

Start up both VMs.
Joining the Computers to the Domain
Log into one of the VMs using the template credentials we created earlier. Go to the Start Menu > Search This PC > Right-click > choose Properties.

Go to Advanced System Settings

Click on Computer Name

Click Change

Click More

Set the DNS suffix to match your domain forest. Uncheck the box.

Change the computer name to anything you'd like

Choose Member of domain and set it to your domain forest

You will get a prompt. Enter the domain admin credentials.


Reboot the VM. You can now log in to the computer as john.doe@ad.lab or jane.doe@ad.lab.


Repeat this process on the other Windows 10 Enterprise VM.
You Now Have a Small AD Forest
Congratulations! You now have a domain controller and two Windows 10 Enterprise clients joined to the domain controller.
If the VMs seem a little sluggish, you should probably increase the RAM on the VMs. Other than that, you are now ready for the next phase of your adventures.
Start of Authority (SOA) for the ad.lab local domain. If you are having trouble resolving computer hostnames to IP addresses, compare what is in DNS with what is in the DHCP pool.

ad.lab forward lookup zone (or whatever your local domain is)
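
The DNS-versus-DHCP comparison suggested above, as an added PowerShell example that is not part of the original post. It assumes the ad.lab zone and a scope ID of 10.80.80.0 for the /24 on VLAN 80; run it in an elevated session on the domain controller.

```powershell
# Added example: compare active DHCP leases with A records in the forward zone.
$Zone    = 'ad.lab'       # local domain used on this page
$ScopeId = '10.80.80.0'   # ASSUMED: scope created for the 10.80.80.0/24 VLAN

# Short hostname -> leased IP, taken from the DHCP pool.
$leases = @{}
Get-DhcpServerv4Lease -ScopeId $ScopeId |
    Where-Object { $_.AddressState -like 'Active*' -and $_.HostName } |
    ForEach-Object {
        $short = ($_.HostName -split '\.')[0].ToLower()
        $leases[$short] = $_.IPAddress.ToString()
    }

# Short hostname -> every A record the zone holds for it.
$records = @{}
Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
    Where-Object { $_.HostName -notin '@', 'DomainDnsZones', 'ForestDnsZones' } |
    ForEach-Object {
        $name = $_.HostName.ToLower()
        if (-not $records.ContainsKey($name)) { $records[$name] = @() }
        $records[$name] += $_.RecordData.IPv4Address.ToString()
    }

# Join both views and flag anything that disagrees.
$names = @($leases.Keys) + @($records.Keys) | Sort-Object -Unique
$report = foreach ($name in $names) {
    $leaseIp = $leases[$name]
    $dnsIps  = $records[$name]
    $status = if (-not $leaseIp) { 'DNS only (static host or stale record)' }
        elseif (-not $dnsIps) { 'Lease only (no A record registered)' }
        elseif ($dnsIps -contains $leaseIp) { 'OK' }
        else { 'MISMATCH' }
    [pscustomobject]@{
        Host    = $name
        LeaseIP = $leaseIp
        DnsIPs  = ($dnsIps -join ', ')
        Status  = $status
    }
}
$report | Sort-Object Status, Host | Format-Table -AutoSize
```

The domain controller has a static address, so it is expected to show up as "DNS only"; a client listed as "MISMATCH" or "Lease only" is the one to look at.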


Hack your Active Directory Lab
I encourage you to do some research on some courses that demonstrate some common Active Directory attacks. The Cyber Mentor has a great ethical hacking course and part of this course covers Active Directory attacks.
marvel.local in his course. Our local domain is ad.lab. Also, in his course, his domain administrator account and local users go by different accounts. In our lab, we have the following users:
- Domain Admin: domain.admin@ad.lab
- User 1: john.doe@ad.lab
- User 2: jane.doe@ad.lab
Just remember these things when you're going through TCM's course, as there will be some differences.
Next Step: Creating a Windows 7 Buffer Overflow VM
