Hello Everyone !
I have always followed this philosophy:
You don't have to know everything in detail, but you have to know about everything.
I try to learn about everything so that I have an idea of everything. That is why, on this site, I share information on web security, reverse engineering, CTF and systems. I don't master all of these topics; I'm just curious and investigating…
This series will be a practical penetration test of Active Directory. Active Directory is the directory service used on Microsoft networks. It stores all of the organization's information, such as users, computers, locations and printers. If you follow this site, you know I have always focused on practice, so I'm not going to give much theoretical knowledge in this series.
At the end of the article, you can find theoretical information about Active Directory in the links. In the first article of the series, we will install our own Active Directory lab. The lab will be prepared from the command line, and I will share the lab configs on GitHub.
Let’s start !
In our Active Directory lab;
- DC (Domain Controller) is the name given to the computers that establish the domain structure and store the database of every object within the domain. Therefore, we will need 1 DC (Domain Controller).
- We will add 1 ADC (Additional Domain Controller) to reduce the workload of the domain. If the first DC crashes, requests will be served by the ADC for a certain period of time: users will continue to log in and some services that depend on the directory service will not be affected.
- 1 Client, on which we will perform the penetration test.
You can download the Windows Server 2019 ISO file and the Windows 10 ISO file from the addresses given below;
Windows Server 2019: https://www.microsoft.com/en-us/evaluate-windows-server-2019?filetype=ISO
We may need to install more than 2 servers in the future. Therefore, we will install a machine named MASTER2019 and copy the other servers from this machine, which will speed up the installation process.
We need to create our virtual network before installing the lab. You can create it under Edit > Virtual Network Editor in VMware. Remember, the lab we create will have its own private network, so we need to set it as Host-Only. Also, the DHCP feature must not be active.
Let’s start the installation of Windows Server 2019 by clicking New Virtual Machine on the File tab.
The user name is usually left as the default, Administrator, and the password is usually Password1. In real life, please don't make such a mistake 🙂
The important point here is that the network setting must remain NAT until the installation starts; otherwise the installation will fail.
As suggested, a 60 GB virtual disk will suffice.
When the virtual machine setup is finished, we can start the server setup. After opening MASTER19, apply the following items in order;
- Select Windows Server 2019 Standard Evaluation (Desktop Experience) and click next
- Select Custom: Install Windows Only (advanced) and click next
- Select Drive 0 Unallocated Space and click next
- Server installation will start.
After the virtual machine restarts, enter the password you set on the screen.
Installing each machine one by one on computers with the same hardware wastes time and is an unnecessary workload. We need to ensure that the image we copy produces a different SID, user, computer name and license information on each computer. We can achieve this with the "Sysprep" tool developed by Microsoft.
To summarize the Domain Controller briefly;
- The servers on which the Active Directory Domain Services role is installed and configured are called Domain Controllers.
- Authentication of all users and computers hosted by Active Directory Domain Services is performed by the Domain Controller.
- A domain has at least one DC and can have dozens of DCs as needed.
Let’s create our DC machine by copying the pre-installed MASTER19 virtual machine.
NOTE: Don’t forget to change NID…
You can install the DC-MATRIX machine by following the above steps in order.
Let’s start the installation process by opening Windows PowerShell ISE.
| Cmdlet / parameter | Description |
|---|---|
| Add-DnsServerPrimaryZone | Adds a primary zone on a DNS server |
| -NetworkID | Network ID and prefix length for a reverse lookup zone |
| -ReplicationScope | The domain directory partition on which to store an Active Directory-integrated zone |
| Add-DnsServerResourceRecordPtr | Adds a pointer (PTR) record to a specified Domain Name System (DNS) zone |
| -Name | The host part of the IP address |
| -ZoneName | The name of a reverse lookup zone |
| -PtrDomainName | FQDN for a resource record in the DNS namespace |
| Get-ADObject | Gets an Active Directory object or performs a search to retrieve multiple objects |
| -Identity | Specifies the Active Directory object by one of its identifying property values |
| New-ADReplicationSubnet | Creates a new Active Directory subnet object |
| -Site | The site associated with this subnet |
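The DNS and site configuration the table describes, as an added example (not the post's own script or its GitHub configs), run in PowerShell ISE on DC-MATRIX. The network 10.0.0.0/24, the DC address 10.0.0.10 and the domain name matrix.local are assumed lab values; the post's own addresses differ.

```powershell
# Added example, not from the original post. Assumed lab values:
# network 10.0.0.0/24, DC-MATRIX at 10.0.0.10, domain matrix.local.
$NetworkId   = "10.0.0.0/24"
$DcIp        = "10.0.0.10"
$DomainName  = "matrix.local"
$ReverseZone = "0.0.10.in-addr.arpa"     # in-addr.arpa name of the /24 above

Import-Module DnsServer, ActiveDirectory

# Reverse zone stored in AD and replicated to every DC in the domain, so the
# ADC serves it too once promoted. Skipped if it already exists.
if (-not (Get-DnsServerZone -Name $ReverseZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkID $NetworkId -ReplicationScope "Domain"
}

# PTR record for the DC. -Name is the host part of the address only:
# for a /24 zone that is the last octet.
Add-DnsServerResourceRecordPtr -Name "10" -ZoneName $ReverseZone `
    -PtrDomainName "DC-MATRIX.$DomainName"

# Map the lab subnet to the default site so clients locate a DC in their site.
New-ADReplicationSubnet -Name $NetworkId -Site "Default-First-Site-Name"

# Check 1: the subnet object exists in the configuration partition and points
# at the site (filter instead of a DN, because "/" in the name needs escaping).
Get-ADObject -Filter "objectClass -eq 'subnet' -and name -eq '$NetworkId'" `
    -SearchBase (Get-ADRootDSE).configurationNamingContext `
    -Properties siteObject | Select-Object Name, siteObject

# Check 2: a reverse query against this DC returns the DC's own FQDN.
Resolve-DnsName -Name $DcIp -Type PTR -Server $DcIp |
    Select-Object Name, NameHost
```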
When we query the IP address with nslookup, we see that our DC-MATRIX server now provides the DNS role successfully. In the network settings from the beginning of the article, the Türk Telekom connection now shows a local IP as the DNS server instead of the address we entered. Instead of the value "127.0.0.1", enter the IP address "18.104.22.168" that we set at the beginning of the article again.
After performing the required DNS setup, we can add the Additional Domain Controller to the AD structure with a PowerShell command. When you run the command, as before, it will ask you to create a recovery password. By the way, this password does not have to be the same as the one on DC-MATRIX.
| Cmdlet / parameter | Description |
|---|---|
| Install-ADDSDomainController | Installs a domain controller in Active Directory |
| -CreateDnsDelegation | Creates a delegation for the domain in DNS |
| -DatabasePath | The path to the folder that will contain the domain database |
| -DomainName | The fully qualified domain name of the domain |
| -InstallDns | Determines whether the DNS role is installed on the DC |
| -LogPath | The location where the domain log files will be saved |
| -NoGlobalCatalog | Defines whether the domain controller will hold a global catalog replica |
| -SiteName | The existing site in which to place the new domain controller |
| -SysvolPath | Defines the SYSVOL folder path |
| -NoRebootOnCompletion | Does not reboot the computer upon completion of this command |
| -Force | Forces the command to execute, ignoring warnings |
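The promotion of ADC-MATRIX with the parameters from the table, as an added example (not the post's own script): a prerequisite check first, then the install. DC-MATRIX at 10.0.0.10, the interface name "Ethernet0" and the domain matrix.local are assumed lab values; run it in PowerShell ISE on ADC-MATRIX as Administrator.

```powershell
# Added example, not from the original post. Assumed lab values:
# DC-MATRIX at 10.0.0.10, interface "Ethernet0", domain matrix.local.
$DcIp       = "10.0.0.10"
$DomainName = "matrix.local"

# The new DC must resolve the existing domain through DC-MATRIX before promotion.
Set-DnsClientServerAddress -InterfaceAlias "Ethernet0" -ServerAddresses $DcIp
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server $DcIp

# AD DS role binaries plus the ADDSDeployment management module.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Domain Admin credential and the recovery (DSRM) password are prompted for,
# never hard-coded in the script.
$Cred     = Get-Credential -Message "Domain Admin of $DomainName"
$DsrmPass = Read-Host -AsSecureString -Prompt "Recovery (DSRM) password for ADC-MATRIX"

$Params = @{
    DomainName                    = $DomainName
    Credential                    = $Cred
    SafeModeAdministratorPassword = $DsrmPass
    InstallDns                    = $true     # ADC-MATRIX also serves DNS
    CreateDnsDelegation           = $false    # no parent zone to delegate from
    NoGlobalCatalog               = $false    # keep a global catalog replica here
    SiteName                      = "Default-First-Site-Name"
    DatabasePath                  = "C:\Windows\NTDS"
    LogPath                       = "C:\Windows\NTDS"
    SysvolPath                    = "C:\Windows\SYSVOL"
    Force                         = $true     # suppress confirmation prompts
}

# Dry run: reports missing prerequisites (DNS, credentials, disk) without
# changing anything. Review its output before the real install.
Test-ADDSDomainControllerInstallation @Params

# Promote and reboot into the new role.
Install-ADDSDomainController @Params -NoRebootOnCompletion:$false

# After the reboot, on either DC: both controllers should be listed with a
# global catalog, and the domain zone should be served by ADC-MATRIX.
# Get-ADDomainController -Filter * | Select-Object Name, IsGlobalCatalog, Site
# Get-DnsServerZone -ComputerName "ADC-MATRIX" -Name $DomainName
```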
After the computer restarts, you can see that ADC-MATRIX has also taken on the DNS role. We can say that the configuration of our servers is now complete. Now let's move on to the installation of the CLIENT-MATRIX machine.
You can follow the sequence below to perform the installation.
- Download the ISO file from the link I provided and create the virtual machine: Figure – 2, Figure – 4 and Figure – 5.
- Let's not forget to choose the NID in the CLIENT-MATRIX settings… 22.214.171.124/24
- After starting the virtual machine, you can proceed to the ISO setup: Figure – 7, Figure – 8 and Figure – 9
We need to configure the Windows 10 machine. I entered the IP ending in "…89.4" because the domain has the NID 126.96.36.199/24.
The step performed here is adding the computer to your domain. The most commonly confused detail here is the belief that only a Domain Admin can do this. WRONG! Any authenticated user can add a computer to the domain. After the login is confirmed, you can restart the computer.
It's time to use the users we created for the domain… You can log in as the users we created by clicking the Other User tab at the bottom left.
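The client configuration and domain join described above, as an added example (not the post's own steps), run as the local Administrator on the Windows 10 machine. The client address 10.0.0.20/24, DC-MATRIX at 10.0.0.10, the interface name "Ethernet0" and the domain matrix.local are assumed lab values. It also shows the domain attribute that is the reason a non-admin account can join computers, and how to read it on DC-MATRIX.

```powershell
# Added example, not from the original post. Assumed lab values:
# client 10.0.0.20/24, DC-MATRIX at 10.0.0.10, interface "Ethernet0",
# domain matrix.local.
$DcIp       = "10.0.0.10"
$DomainName = "matrix.local"

# Static address on the host-only network. DNS must point at a DC, otherwise
# the client cannot locate the domain at all.
New-NetIPAddress -InterfaceAlias "Ethernet0" -IPAddress "10.0.0.20" -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias "Ethernet0" -ServerAddresses $DcIp

# Locator check: the domain's DC SRV record must resolve before joining.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV

# Join with an ordinary domain user, not a Domain Admin. This works because
# the domain's ms-DS-MachineAccountQuota attribute (default 10) lets every
# authenticated user create that many computer accounts.
$Cred = Get-Credential -Message "Any authenticated user of $DomainName"
Add-Computer -DomainName $DomainName -NewName "CLIENT-MATRIX" `
    -Credential $Cred -Restart

# After the reboot, confirm the machine account trust with the domain:
# Test-ComputerSecureChannel -Verbose      # True when the join succeeded

# On DC-MATRIX, read the quota behind that behaviour. A lab that should
# require admins (or explicitly delegated rights) for joins sets it to 0.
# Get-ADObject -Identity (Get-ADDomain).DistinguishedName `
#     -Properties ms-DS-MachineAccountQuota
# Set-ADDomain -Identity $DomainName -Replace @{ "ms-DS-MachineAccountQuota" = 0 }
```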
And now our lab is ready… DC, ADC and CLIENT computers are ready. With this lab, we will learn many tools to pentest AD structure.
See you in the next article…