This module is a part of a larger series of building a security lab in VirtualBox. Click here to be taken back to the series landing page.
0xBEN
Active Directory Lab Overview
Note: if you don't want your AD lab to have Internet access, modify the firewall rules. I will not be showing you how to do this.
This guide will only cover the following concepts:
- Configuring pfSense
- Configuring the Domain Controller
- Joining clients to the domain
The Cyber Mentor has a great ethical hacking course and part of this course covers Active Directory attacks.
Note: Some attacks require Kali to be on the same LAN as the targets. To change Kali's network configurations, do the following:
- Stop the VM
- Go to VirtualBox settings for Kali VM
- Change the network adapter to be on the AD_LAB LAN
- Start Kali again
Getting the Windows ISO Files
We will be getting the ISO files from the Microsoft Evaluation Center. Most of the ISOs you encounter here will have a lifespan of 90 -- 180 days of usage. Some say that you can extend beyond the lifespan and the VMs will still function just fine
Windows Server 2019
- Please select your experience: ISO
- Fill out your information (uncheck the box for additional communications)
- Select your language and click Download
Windows 10 Enterprise
- Please select your experience: ISO - Enterprise
- Fill out your information (uncheck the box for additional communications)
- Select 64bit and Select your language and click Download
Windows 7
When this page was initially written, these download links — on download.microsoft.com — for Windows 7 were functional. At last check — June 23, 2023 — these links are all dead.
I am leaving the links here in case anyone reading this would like to try and look for them on the Internet Archive.
Windows 7 Ultimate (x64) ISO(dead link)Windows 7 Ultimate (x32) ISO(dead link)Windows 7 Professional (x64) ISO(dead link)Windows 7 Professional (x32) ISO(dead link)
Staging the VMs
Windows Server 2019
Click the New VM button
Choose VDI > Choose Dynamically Sized > Go with the default of 50 GB
Right-click on the VM and go to settings. Now, go to Storage.
Choose: 17763.737.190906-2324.rs5_release_svc_refresh_SERVER_EVAL_x64FRE_en-us_1.iso – or whatever your .iso file name is.
Choose Network settings
Save the settings. Don't start the VM yet!
Windows 10 Enterprise Template
Create a new VM and give it the name: Win10EnterpriseTempalte
Choose VDI > Choose Dynamically Sized > Go with the default of 50 GB
Right-click on the VM and go to settings. Now, go to Storage.
Choose: 19043.928.210409-1212.21h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso – or whatever your .iso file name is.
Choose Network settings
Install the Operating Systems
Windows Server 2019
Start the VM
Click Install Now
Click Next and accept the terms and conditions.
Click Next and wait for the installation to finish.
Press CTRL + ALT + DEL. Enter a local administrator password and save it to a password vault.
Configure the Network Interface
Right-click the network interface icon.
Choose Open Network & Internet Settings
Scroll down and choose Change adapter options
Right-click the adapter and choose Properties
Double-click Internet Protocol Version 4 (TCP/IPv4)
Configure your adapter as such:
For the DNS servers, the following will happen:
- First, check with the DNS server running on the domain controller (we will install this a bit later)
- If the DNS server doesn't know the answer, it will forward the DNS query to the default gateway and pfSense will resolve it
Rename the Server
Click the Start Menu and click Settings
Choose Restart Now. If a reason is required, choose Other (planned).
Configure Domain Services
Click Manage > Add Roles and Features
Click Next > Next > Next until you reach Server Roles. Check the following bokes:
- Active Directory Domain Services
- DNS Server (so we can resolve the domain controller by DNS name)
Click Next > Next > Next > Next > Install. Wait for the install to finish and click Close.
Configure Active Directory Domain Services
Log back into the domain controller as the local administrator and wait for the Server Manager app to load.
Choose Add a new forest and specify a root domain name. I chose ad.lab as my domain name, but you can choose any other local TLD.
TLDs such as .com, .org, .net will work as a local domain. Also, best not to use .local either, because that can interfere with multicast traffic.
Click Next. The default options are fine. Specify a restore password. You can use the same password as the local admin or something different. It doesn’t matter. Click Next.
Click Next and continue with the defaults.
Looks good. Click Install and wait for it to complete.
The server will automatically reboot.
Configure DNS Forwarders
The DNS server running on the domain controller will act as a resolver for the ad.lab domain (or whichever local domain you chose). We need a forwarder for any DNS query for which the DNS server does not know the answer.
We can use the pfSense default gateway as a downstream DNS server that the domain controller can pass queries to for any unknown hostnames.
Open up the Start Menu and search for DNS.
Expand DNS > DC1 and double-click Forwarders.
Click Edit and add the IP address of the default gateway. Click OK.
Add and Configure a DHCP Server
Open Server Manager and go to Manage > Add Roles and Features
Click Next > Next > Next
Click DHCP Server
Click Add Features and click Next > Next > Next > Install
Once the installation is complete, click on Complete DHCP Configuration
Click Next > Commit > Close > Close
Go to the Start Menu and search DHCP
Expand the DHCP server tree and right-click IPv4 and choose New Scope
Click Next and give your DHCP configuration a name and description. Then, click Next.
Configure the DHCP address space and subnet mask. Then, click Next.
We're not configuring any DHCP exclusions (reservations), so click Next.
We'll make it so clients' leases are good for one year. Click Next.
Click Next to configure it now.
Enter the address of the default gateway and click Add.
The default DNS configuration for DHCP clients is good here. Click Next.
We don't have a WINS server in our lab environment. Click Next.
Click Next to activate the DHCP scope and click Finish.
Adding a Domain Administrator Account
Go the Start Menu. Search for Active Directory Users and Computers and open the app.
Add Some Users to the Lab
Log in as the new domain administrator.
Go the Start Menu. Search for Active Directory Users and Computers and open the app.
Right click your domain and choose New > User.
John Doe
Jane Doe
Add a Group Policy Object to Disable Protections on Client Machines
Open the Start Menu and search for Group Policy.
Expand your forest until you see your domain
Right-click your domain name and choose Create a GPO...
Click OK. Right-click on your new group policy object and click Edit…
Expand down into Computer Configuration > Policies > Administrative Templates > Windows Components
Click on Windows Defender Antivirus. Double-click Turn off Windows Defender Antivirus.
Set it to Enabled and click OK. Click on Real-time Protection.
Double-click Turn off real-time protection
Set it to Enabled and click OK. Now, go to Network > Network Connections > Windows Defender Firewall > Domain Profile.
Double-click Windows Defender Firewall: Protect all network connections
Set it to Disabled and click OK. Right-click the group policy object and set it to Enforced.
Force Update the Group Policy Settings on the Domain Controller
Right-click the Start Menu and open Windows PowerShell (Admin)
Run gpupdate /force
Windows 10 Enterprise Template
Power on the VM.
Choose your language and click Next
Choose Install Now and accept the terms and conditions. Choose Custom: Install Windows Only.
Click Next. Wait for the installation to finish.
Select your regional and language settings. Choose Domain join instead.
Enter the username Template, as this is going to be our template VM.
Enter a password and set security questions. Save the information in a password vault. Turn off all the services here.
Choose Not now for Cortana.
Sysprep the Template
Log into the system using the template credentials and open a PowerShell terminal as administrator.
Run the command:
C:\Windows\System32\Sysprep\sysprep.exe
Click OK. Let the sysprep process run to completion. The VM should shutdown.
Windows 10 Enterprise VM 1
Right click the Windows 10 Enterprise Template and choose Clone.
Click Clone and wait for process to complete.
Windows 10 Enterprise VM 2
Right click the Windows 10 Enterprise Template and choose Clone.
Click Clone and wait for process to complete.
Joining the Computers to the Domain
Windows 10 Ent VM 1
Start up and login to Win10Ent1 using the template credentials. Go to the Start Menu > Search for This PC > Right-click > choose Properties
whoami commandYou Now Have a Small AD Forest
Congratulations! You now have a domain controller and two Windows 10 Enterprise clients joined to the domain controller.
If the VMs seem a little sluggish, you should probably increase the RAM on the VMs. Other than that, you are now ready for the next phase of your adventures.
Start of Authority (SOA) for the ad.lab local domain. If you are having trouble resolving computer hostnames to IP addresses, compare what is in DNS with what is in the DHCP pool.
ad.lab forward lookup zone (or whatever your local domain is)
Hack your Active Directory Lab
I encourage you to do some research on some courses that demonstrate some common Active Directory attacks. The Cyber Mentor has a great ethical hacking course and part of this course covers Active Directory attacks.
marvel.local in his course. Our local domain is ad.lab .Also, in his course, his domain administrator account and local users go by different accounts. In our lab, we have the following users:
- Domain Admin:
domain.admin@ad.lab - User 1:
john.doe@ad.lab - User 2:
jane.doe@ad.lab
Just remember these things when you're going through TCM's course, as there will be some differences.
Next Step: Troubleshooting Your Lab
0xBEN