Active Directory Setup

Set up an Active Directory domain infosecwarrior.local using PowerShell:

1. Check the current hostname

hostname

2. Rename the computer

Use the Rename-Computer cmdlet to change the hostname. Replace "DC1" with your desired hostname:

Rename-Computer -NewName "DC1" -Force

3. Restart the server to apply the change:

Restart-Computer -Force

To rename the server to DC1 and reboot in one go, run:

Rename-Computer -NewName "DC1" -Force
Restart-Computer -Force

After the reboot the new hostname is in effect. The lab script later in this document registers a service principal name under dc1.infosecwarrior.local, so keep DC1 if you intend to run it unchanged.

Step 1: Install AD DS Role

  1. Open PowerShell as Administrator on the Windows Server.
  2. Install the Active Directory Domain Services (AD DS) role:
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

Step 2: Create a New AD Forest

  1. Create a new forest whose root domain is infosecwarrior.local. No -SafeModeAdministratorPassword is passed, so the cmdlet prompts for the Directory Services Restore Mode (DSRM) password before it starts:

Install-ADDSForest `
-DomainName "infosecwarrior.local" `
-DomainNetbiosName "INFOWARRIOR" `
-DatabasePath "C:\Windows\NTDS" `
-LogPath "C:\Windows\NTDS" `
-SysvolPath "C:\Windows\SYSVOL" `
-InstallDns:$true `
-CreateDnsDelegation:$false `
-NoRebootOnCompletion:$false `
-DomainMode "WinThreshold" `
-ForestMode "WinThreshold" `
-Force:$true

Explanation of Parameters:

  • -DomainName → FQDN of the new root domain
  • -DomainNetbiosName → NetBIOS name of the domain (INFOWARRIOR here)
  • -DatabasePath → Location of the AD database (ntds.dit)
  • -LogPath → Location of the AD transaction log files
  • -SysvolPath → Location of SYSVOL (the replicated share for policies/scripts)
  • -InstallDns → Installs and configures the DNS Server role on this DC
  • -CreateDnsDelegation → Set to $false, so no delegation is created in a parent DNS zone
  • -NoRebootOnCompletion → Set to $false, so the server reboots automatically once promotion completes
  • -DomainMode / -ForestMode → "WinThreshold" sets the latest available domain/forest functional level (WinThreshold corresponds to Windows Server 2016)
  • -Force → Skips confirmation prompts

The server will reboot automatically after setup if -NoRebootOnCompletion is set to $false.
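Before committing to the promotion it is worth running the same parameters through Test-ADDSForestInstallation, which performs the prerequisite checks without changing the server. The block below is an added example, not part of the original page; the $forestParams splat and the $dsrmPassword variable are assumptions, and the parameter values are the ones used above.

```powershell
# Added example: dry-run the forest promotion, then promote only if the checks pass.
# ADDSDeployment is installed with the AD DS management tools from Step 1.
Import-Module ADDSDeployment

# DSRM password is required by both cmdlets; read it interactively rather than hard-coding it
$dsrmPassword = Read-Host -AsSecureString -Prompt "DSRM (Safe Mode) administrator password"

# Same values as the Install-ADDSForest call above, as a splat so both cmdlets get identical input.
# -NoRebootOnCompletion is not a Test-ADDSForestInstallation parameter, so it is passed separately below.
$forestParams = @{
    DomainName                    = "infosecwarrior.local"
    DomainNetbiosName             = "INFOWARRIOR"
    DatabasePath                  = "C:\Windows\NTDS"
    LogPath                       = "C:\Windows\NTDS"
    SysvolPath                    = "C:\Windows\SYSVOL"
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    DomainMode                    = "WinThreshold"
    ForestMode                    = "WinThreshold"
    SafeModeAdministratorPassword = $dsrmPassword
}

# Prerequisite check only: returns a result object whose Status is "Success" when promotion can proceed
$check = Test-ADDSForestInstallation @forestParams
$check | Format-List Status, Message, Context

if ($check.Status -eq "Success") {
    # Real promotion with the same parameters; the server reboots when it completes
    Install-ADDSForest @forestParams -NoRebootOnCompletion:$false -Force:$true
} else {
    Write-Warning "Prerequisite check did not succeed; review the messages above before promoting."
}
```

The warnings Test-ADDSForestInstallation prints (for example about DNS delegation or a dynamically assigned IP address) are the same ones Install-ADDSForest would print, so they can be resolved before the server is promoted rather than after.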


Step 3: Managing Domain Users and Groups with PowerShell

Create HR Users and Group in Active Directory

Create the HR group if it does not exist

Create the HR group in the HR OU if it doesn’t already exist:

$groupName = "HR"
$ouPath = "OU=HR,DC=infosecwarrior,DC=local"

# Create OU if not exists
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'HR'")) {
    New-ADOrganizationalUnit -Name "HR" -Path "DC=infosecwarrior,DC=local"
}

# Create Group if not exists
if (-not (Get-ADGroup -Filter {Name -eq $groupName})) {
    New-ADGroup -Name $groupName -SamAccountName $groupName -GroupCategory Security -GroupScope Global -Path $ouPath -Description "HR Department Group"
}

Create HR Users and Add to HR Group

Create HR users and add them to the HR group:

$hrUsers = @("hr1", "hr2", "hr3")
$password = ConvertTo-SecureString "password@123" -AsPlainText -Force

foreach ($user in $hrUsers) {
    if (-not (Get-ADUser -Filter {SamAccountName -eq $user})) {
        New-ADUser -Name $user `
            -SamAccountName $user `
            -UserPrincipalName "$user@infosecwarrior.local" `
            -Path $ouPath `
            -AccountPassword $password `
            -Enabled $true `
            -PasswordNeverExpires $true `
            -Description "HR Department User"
    }

    # Add user to HR group and Users group
    Add-ADGroupMember -Identity "HR" -Members $user
    Add-ADGroupMember -Identity "Users" -Members $user
}

Verify HR Group Members

Check the members of the HR group:

Get-ADGroupMember -Identity "HR"

Create Sales Users and Group in Active Directory

Create the Sales group if it does not exist

Create the Sales group in the Sales OU if it doesn’t already exist:

$groupName = "Sales"
$ouPath = "OU=Sales,DC=infosecwarrior,DC=local"

# Create OU if not exists
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'Sales'")) {
    New-ADOrganizationalUnit -Name "Sales" -Path "DC=infosecwarrior,DC=local"
}

# Create Group if not exists
if (-not (Get-ADGroup -Filter {Name -eq $groupName})) {
    New-ADGroup -Name $groupName -SamAccountName $groupName -GroupCategory Security -GroupScope Global -Path $ouPath -Description "Sales Department Group"
}

Create Sales Users and Add to Sales Group

Create Sales users and add them to the Sales group:

$salesUsers = @("sales1", "sales2", "sales3")
$password = ConvertTo-SecureString "password@123" -AsPlainText -Force

foreach ($user in $salesUsers) {
    if (-not (Get-ADUser -Filter {SamAccountName -eq $user})) {
        New-ADUser -Name $user `
            -SamAccountName $user `
            -UserPrincipalName "$user@infosecwarrior.local" `
            -Path $ouPath `
            -AccountPassword $password `
            -Enabled $true `
            -PasswordNeverExpires $true `
            -Description "Sales Department User"
    }

    # Add user to Sales group and Users group
    Add-ADGroupMember -Identity "Sales" -Members $user
    Add-ADGroupMember -Identity "Users" -Members $user
}

Verify Sales Group Members

Check the members of the Sales group:

Get-ADGroupMember -Identity "Sales"

Create Manager (MGR) Users and Group in Active Directory

Create the MGR group if it does not exist

Create the Manager group in the Manager OU if it doesn’t already exist:

$groupName = "MGR"
$ouPath = "OU=Manager,DC=infosecwarrior,DC=local"

# Create OU if not exists
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'Manager'")) {
    New-ADOrganizationalUnit -Name "Manager" -Path "DC=infosecwarrior,DC=local"
}

# Create Group if not exists
if (-not (Get-ADGroup -Filter {Name -eq $groupName})) {
    New-ADGroup -Name $groupName -SamAccountName $groupName -GroupCategory Security -GroupScope Global -Path $ouPath -Description "Manager Department Group"
}

Create Manager Users and Add to MGR Group

Create Manager users and add them to the Manager group:

$mgrUsers = @("mgr1", "mgr2", "mgr3")
$password = ConvertTo-SecureString "password@123" -AsPlainText -Force

foreach ($user in $mgrUsers) {
    if (-not (Get-ADUser -Filter {SamAccountName -eq $user})) {
        New-ADUser -Name $user `
            -SamAccountName $user `
            -UserPrincipalName "$user@infosecwarrior.local" `
            -Path $ouPath `
            -AccountPassword $password `
            -Enabled $true `
            -PasswordNeverExpires $true `
            -Description "Manager Department User"
    }

    # Add user to MGR group and Users group
    Add-ADGroupMember -Identity "MGR" -Members $user
    Add-ADGroupMember -Identity "Users" -Members $user
}

Verify MGR Group Members

Check the members of the MGR group:

Get-ADGroupMember -Identity "MGR"
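The HR, Sales and MGR blocks above repeat the same four steps (OU, group, users, membership) with different names. The function below is an added example, not code from the original page, that performs those steps once for any department; New-LabDepartment and its parameter names are assumptions. It differs from the manual blocks in three deliberate ways: the password is read at run time instead of being written in the script, -PasswordNeverExpires is opt-in so the domain password policy applies by default, and the explicit add to the Builtin "Users" group is omitted because Domain Users is already nested in that group.

```powershell
# Added example: one idempotent function covering the OU / group / user / membership steps
Import-Module ActiveDirectory

function New-LabDepartment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]       $Department,   # OU name, e.g. "HR" or "Manager"
        [Parameter(Mandatory)] [string]       $GroupName,    # group name, e.g. "HR" or "MGR"
        [Parameter(Mandatory)] [string[]]     $UserNames,    # sAMAccountNames to create
        [Parameter(Mandatory)] [securestring] $Password,     # initial password for every user
        [string] $DomainDn  = "DC=infosecwarrior,DC=local",
        [string] $UpnSuffix = "infosecwarrior.local",
        [switch] $PasswordNeverExpires                       # opt in; off means the password policy applies
    )

    $ouPath = "OU=$Department,$DomainDn"

    # OU: search one level under the domain root so a same-named OU elsewhere is not mistaken for it
    $ou = Get-ADOrganizationalUnit -Filter "Name -eq '$Department'" -SearchBase $DomainDn -SearchScope OneLevel
    if (-not $ou -and $PSCmdlet.ShouldProcess($ouPath, "Create OU")) {
        New-ADOrganizationalUnit -Name $Department -Path $DomainDn
    }

    # Group: match on sAMAccountName, which is what -Identity resolves later
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$GroupName'") -and
        $PSCmdlet.ShouldProcess($GroupName, "Create group")) {
        New-ADGroup -Name $GroupName -SamAccountName $GroupName -GroupCategory Security `
            -GroupScope Global -Path $ouPath -Description "$Department Department Group"
    }

    foreach ($user in $UserNames) {
        if (-not (Get-ADUser -Filter "SamAccountName -eq '$user'") -and
            $PSCmdlet.ShouldProcess($user, "Create user")) {
            New-ADUser -Name $user -SamAccountName $user -UserPrincipalName "$user@$UpnSuffix" `
                -Path $ouPath -AccountPassword $Password -Enabled $true `
                -PasswordNeverExpires $PasswordNeverExpires.IsPresent `
                -Description "$Department Department User"
        }

        # Add membership only when missing: Add-ADGroupMember errors on an existing member
        $already = Get-ADGroupMember -Identity $GroupName -ErrorAction SilentlyContinue |
            Where-Object SamAccountName -eq $user
        if (-not $already -and $PSCmdlet.ShouldProcess("$GroupName <- $user", "Add member")) {
            Add-ADGroupMember -Identity $GroupName -Members $user
        }
    }

    # Return the resulting membership so the caller can verify it, like the Get-ADGroupMember checks above
    Get-ADGroupMember -Identity $GroupName | Select-Object Name, SamAccountName, DistinguishedName
}

# Usage: the same three departments as the manual blocks. Append -WhatIf to preview without changing AD.
$pw = Read-Host -AsSecureString -Prompt "Initial password for lab users"
New-LabDepartment -Department "HR"      -GroupName "HR"    -UserNames hr1,hr2,hr3          -Password $pw
New-LabDepartment -Department "Sales"   -GroupName "Sales" -UserNames sales1,sales2,sales3 -Password $pw
New-LabDepartment -Department "Manager" -GroupName "MGR"   -UserNames mgr1,mgr2,mgr3       -Password $pw
```

Because every step checks before it creates, the function can be re-run after a partial failure and only fills in what is missing; SupportsShouldProcess means -WhatIf and -Confirm work on the whole function, including the cmdlets it calls.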

Step 4: Configure DNS and Networking

Confirm DNS Server Settings:

Get-DnsServerZone

Ensure AD DNS is Working:

Resolve-DnsName infosecwarrior.local

Confirm that the AD setup is working by running:

Get-ADDomainController

PowerShell Script for AD Pentest Lab Setup

  • Create AD users and groups
  • Set permissions for ACL/ACE abuse
  • Configure attack scenarios (Kerberoasting, DCSync, Golden Ticket, etc.)
  • Set up a realistic AD pentest environment

AD_Lab_Setup.ps1

# Load the AD module explicitly: the AD: PSDrive used by Get-Acl/Set-Acl below exists only once it is loaded
Import-Module ActiveDirectory

# Define Variables
$DomainName = "infosecwarrior.local"
$OU = "OU=LabUsers,DC=infosecwarrior,DC=local"
$SecurePassword = ConvertTo-SecureString "password@123" -AsPlainText -Force

# Create OU if not exists
if (!(Get-ADOrganizationalUnit -Filter {Name -eq "LabUsers"})) {
    New-ADOrganizationalUnit -Name "LabUsers" -Path "DC=infosecwarrior,DC=local" -ProtectedFromAccidentalDeletion $false
}

# Create Users (if not exists)
$Users = @(
    "ankur","pooja","rahul","ankit","vikas","amit","karan","rohit","deepak","manoj",
    "sahil","arjun","priya","nidhi","kiran","pallavi","sunil","tanya","harsh","sneha",
    "rohan","mohit","ajay","anil","sumit","shivam","ravi","shweta","neha","alok",
    "sachin","yash","harshita","piyush","ananya","ashok","shubham","ankita","prateek",
    "rishabh","abhinav","vivek","vaibhav","kritika","sagar","mayank","deepali","aakash"
)

foreach ($User in $Users) {
    if (!(Get-ADUser -Filter {SamAccountName -eq $User})) {
        New-ADUser -Name $User -SamAccountName $User -UserPrincipalName "$User@$DomainName" `
            -Path $OU -AccountPassword $SecurePassword -Enabled $true
    }
}

# Create sql_services account if not exists
if (!(Get-ADUser -Filter {SamAccountName -eq "sql_services"})) {
    New-ADUser -Name "SQL Services" -SamAccountName "sql_services" -UserPrincipalName "sql_services@$DomainName" `
        -Path $OU -AccountPassword $SecurePassword -Enabled $true
}

# Create Groups (if not exists)
$Groups = @("DnsAdmins", "SQL Admins", "Domain Admins", "Enterprise Admins", "Schema Admins")

foreach ($Group in $Groups) {
    if (!(Get-ADGroup -Filter {Name -eq $Group})) {
        New-ADGroup -Name $Group -SamAccountName $Group -GroupScope Global -Path $OU
    }
}

# Add Users to Groups
Add-ADGroupMember -Identity "Domain Admins" -Members "ankit","sahil"
Add-ADGroupMember -Identity "DnsAdmins" -Members "sneha","vikas"
Add-ADGroupMember -Identity "SQL Admins" -Members "ankur","pooja"
Add-ADGroupMember -Identity "Enterprise Admins" -Members "karan"
Add-ADGroupMember -Identity "Schema Admins" -Members "deepak"

# ==============================
# Assign ACLs/ACEs for Abuse Scenarios
# ==============================
# Each ACE is placed on the user's own object (CN=<user>,OU=LabUsers).
# GUIDs: 00299570-... = User-Force-Change-Password extended right,
#        bf9679c0-... = the 'member' attribute (meaningful only for property rights)
$Permissions = @(
    @{User="ankur";Permission="ForceChangePassword";GUID="00299570-246d-11d0-a768-00aa006e0529"}
    @{User="sneha";Permission="AddMembers";GUID="bf9679c0-0de6-11d0-a285-00aa003049e2"}
    @{User="vikas";Permission="GenericAll";GUID="bf9679c0-0de6-11d0-a285-00aa003049e2"}
    @{User="amit";Permission="GenericWrite";GUID="bf9679c0-0de6-11d0-a285-00aa003049e2"}
    @{User="karan";Permission="WriteOwner"}
    @{User="rohit";Permission="WriteDACL"}
    @{User="deepak";Permission="AllExtendedRights"}
)

foreach ($Perm in $Permissions) {
    $User = $Perm.User

    if (Get-ADUser -Filter {SamAccountName -eq $User}) {
        $acl = Get-Acl "AD:\CN=$User,$OU"

        $ace = switch ($Perm.Permission) {
            "ForceChangePassword" { New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                (New-Object System.Security.Principal.NTAccount("$DomainName\$User")),
                "ExtendedRight",
                "Allow",
                [GUID]$Perm.GUID
            )}
            "AddMembers" { New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                (New-Object System.Security.Principal.NTAccount("$DomainName\$User")),
                "WriteProperty",   # the GUID names the 'member' attribute, so this must be a property write, not an extended right
                "Allow",
                [GUID]$Perm.GUID
            )}
            "GenericAll" { New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                (New-Object System.Security.Principal.NTAccount("$DomainName\$User")),
                "GenericAll",
                "Allow"
            )}
            "GenericWrite" { New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                (New-Object System.Security.Principal.NTAccount("$DomainName\$User")),
                "WriteProperty",
                "Allow"
            )}
            "WriteOwner" { New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                (New-Object System.Security.Principal.NTAccount("$DomainName\$User")),
                "WriteOwner",
                "Allow"
            )}
            "WriteDACL" { New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                (New-Object System.Security.Principal.NTAccount("$DomainName\$User")),
                "WriteDacl",
                "Allow"
            )}
            "AllExtendedRights" { New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                (New-Object System.Security.Principal.NTAccount("$DomainName\$User")),
                "ExtendedRight",
                "Allow"
            )}
        }

        $acl.AddAccessRule($ace)
        Set-Acl -Path "AD:\CN=$User,$OU" -AclObject $acl -Confirm:$false
    }
}

# ==============================
# Attack Scenarios
# ==============================

# Kerberoasting
Set-ADUser -Identity "sql_services" -ServicePrincipalNames @{Add="MSSQLSvc/dc1.infosecwarrior.local:50111"}

# AS-REP Roasting: the condition is Kerberos pre-authentication being disabled on the
# account (the DONT_REQ_PREAUTH flag), which is set with Set-ADAccountControl;
# -KerberosEncryptionType "None" does not disable pre-authentication
Set-ADAccountControl -Identity "rohan" -DoesNotRequirePreAuth $true

# Abuse DnsAdmins (Run DNS as SYSTEM): sneha was added to DnsAdmins above;
# ManagedBy only records the group owner and grants no membership by itself
Set-ADGroup -Identity "DnsAdmins" -ManagedBy "sneha"

# DCSync (Replication permissions): grant ankit the DS-Replication-Get-Changes-In-Filtered-Set
# extended right (GUID 89e95b76-...) on the domain head. ankit is already in Domain Admins,
# so this explicit ACE mainly serves as a visible marker to find when auditing the domain ACL.
$DomainObject = Get-ADDomain
$acl = Get-Acl "AD:\$($DomainObject.DistinguishedName)"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    (New-Object System.Security.Principal.NTAccount("$DomainName\ankit")),
    "ExtendedRight",
    "Allow",
    [GUID]"89e95b76-444d-4c62-991a-0facbeda640c"
)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$($DomainObject.DistinguishedName)" -AclObject $acl

# Public SMB Share
$PublicPath = "C:\Public"
if (!(Test-Path $PublicPath)) { New-Item -Path $PublicPath -ItemType Directory }
New-SmbShare -Name "Public" -Path $PublicPath -FullAccess Everyone

# Disable Firewall
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False

# ==============================
Write-Host "[+] AD Pentest Lab Setup Complete!" -ForegroundColor Green

🧪 Configured Attacks:

✔️ Abusing ACLs/ACEs
✔️ Kerberoasting
✔️ AS-REP Roasting
✔️ DCSync
✔️ Golden Ticket
✔️ Silver Ticket
✔️ Pass-the-Hash
✔️ Pass-the-Ticket
✔️ SMB Signing Disabled
✔️ WinRM Misconfig
✔️ Anonymous LDAP Query
✔️ Public SMB Share
✔️ Password in User Comment
✔️ Zerologon


How to Run:

  1. Open PowerShell as Administrator
  2. Save the script as AD_Lab_Setup.ps1
  3. Execute:
.\AD_Lab_Setup.ps1
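Once AD_Lab_Setup.ps1 has run, the read-only audit below confirms that the conditions it creates are actually present, using the same signals a defender checks on a production domain: user accounts carrying SPNs, accounts with pre-authentication disabled, explicit ACEs granted to lab users, replication rights on the domain head, privileged group membership, shares open to Everyone and firewall profile state. It is an added example, not part of the repository's script; Get-LabAuditReport and the $OU parameter are assumptions, and the OU path is the one the lab script uses.

```powershell
# Added example: audit the lab after AD_Lab_Setup.ps1 has run (reads only, changes nothing)
Import-Module ActiveDirectory

function Get-LabAuditReport {
    param([string] $OU = "OU=LabUsers,DC=infosecwarrior,DC=local")

    $domain  = Get-ADDomain
    $netbios = $domain.NetBIOSName
    $report  = [ordered]@{}

    # 1. User objects that carry an SPN (krbtgt always has one, so it is excluded)
    $report.SpnUsers = Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName |
        Where-Object SamAccountName -ne 'krbtgt' |
        Select-Object SamAccountName, @{n='SPNs'; e={ $_.ServicePrincipalName -join ';' }}

    # 2. Accounts with Kerberos pre-authentication disabled (userAccountControl bit 0x400000 = 4194304)
    $report.NoPreAuth = Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=4194304)" |
        Select-Object SamAccountName

    # 3. Explicit (non-inherited) ACEs on lab objects whose trustee is a lab user
    $labUsers = Get-ADUser -Filter * -SearchBase $OU | ForEach-Object { "$netbios\$($_.SamAccountName)" }
    $report.ExplicitAces = Get-ADObject -Filter * -SearchBase $OU | ForEach-Object {
        $dn = $_.DistinguishedName
        (Get-Acl "AD:\$dn").Access |
            Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -in $labUsers } |
            Select-Object @{n='Object'; e={ $dn }}, IdentityReference, ActiveDirectoryRights, ObjectType
    }

    # 4. Replication extended rights on the domain head, i.e. the rights DCSync relies on.
    #    Well-known GUIDs: Get-Changes, Get-Changes-All, Get-Changes-In-Filtered-Set
    $replRights = @(
        [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',
        [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',
        [guid]'89e95b76-444d-4c62-991a-0facbeda640c'
    )
    $report.ReplicationAces = (Get-Acl "AD:\$($domain.DistinguishedName)").Access |
        Where-Object { $_.ObjectType -in $replRights -and -not $_.IsInherited } |
        Select-Object IdentityReference, ObjectType, AccessControlType

    # 5. Membership of the privileged groups the lab script populates
    $report.PrivilegedMembers = foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'DnsAdmins') {
        Get-ADGroupMember -Identity $g | Select-Object @{n='Group'; e={ $g }}, SamAccountName
    }

    # 6. Non-administrative SMB shares that grant Everyone access, and per-profile firewall state
    $report.OpenShares = Get-SmbShare | Where-Object { $_.Special -eq $false } | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name | Where-Object { $_.AccountName -eq 'Everyone' } |
            Select-Object Name, AccountName, AccessRight
    }
    $report.Firewall = Get-NetFirewallProfile | Select-Object Name, Enabled

    [pscustomobject]$report
}

# Print each section; on a production domain every non-empty section is a finding to explain
$audit = Get-LabAuditReport
foreach ($section in $audit.PSObject.Properties) {
    Write-Host "== $($section.Name) ==" -ForegroundColor Cyan
    $section.Value | Format-Table -AutoSize | Out-String | Write-Host
}
```

Run it on the domain controller as a domain administrator. Section 3 filters on the trustee being a lab user so that the default explicit ACEs every user object receives from the schema (for NT AUTHORITY\SELF, Everyone and the administrative groups) do not drown out the ones the script added; on a real domain the same query without that filter is the starting point for an ACL review.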