Active Directory Lab for Penetration Testing

Sonny
Jun 16, 2020

I have been asked by a few peeps how to set up an Active Directory lab for penetration testing. In this post I will go through a step-by-step procedure to build an Active Directory lab for testing purposes. Moreover, I will go through the steps to turn off Microsoft Defender so that our techniques and tools are not blocked by Defender. This is not a long read, but it contains a number of screen caps to make the job easier for someone building their first lab.

I perfected the correct way to create an AD lab for testing after going through Heath Adams' course, “Practical Ethical Hacking”.

The lab I will be creating is built on a laptop with 32 GB of RAM running Windows 10 as the host operating system. The virtual machine software we will be using is VirtualBox.

Once we install VirtualBox, we need to download a copy of the Windows Server 2019 and Windows 10 Enterprise operating systems. Both can be found at the Microsoft Evaluation Center.

CONFIGURING VIRTUAL BOX

Before we install the OS, we need to create and configure a new network for our testing lab. Once we have created the network, we need to configure the correct networking interface.

The process to carve out a separate network for our lab is shown below; click Tools -> Create

The screen cap below shows how to configure the correct networking interface for our virtual machine.

CONFIGURING WORKSTATION

The process for installing the operating system is pretty straightforward. There is no difference in how you install a server or a workstation, except for a few configuration settings during the installation process.

Once the OS installation is complete, we need to configure a couple of things on our workstation.

  1. Change the name of the workstation to something we can remember, and
  2. Create a share and turn on network discovery.

During the installation you might come across something like the screen shown below; don’t worry about it and just select “I don’t have internet”.

The screenshots below show how we can change the computer name to something we can remember. It’s not a requirement, but it’s always good practice to give our machines names we can remember. The process is pretty simple and straightforward.

Next we configure a share on our workstation. You can name the folder whatever you want, but it’s important that you share it as shown below and turn on network discovery.

This section is new: you need to do one more thing. In order for us to turn off Windows Defender from a GPO, you need to disable Tamper Protection manually; the issue has been raised on GitHub, and currently there is no programmatic way to do this.

You can turn the protection off by going to the Windows Defender settings, as shown below.

Now let’s turn our attention to our Windows 2019 install and set it up as our Domain Controller.

CONFIGURING DOMAIN CONTROLLER

In order to configure the Domain Controller, we first assign the server a permanent IP address. As shown in the screen caps below, note down the IP address assigned to the machine and then change it as shown.

After assigning a permanent IP address I changed the name of my server to Skynet. Once we change the name, it requires a restart.

After the restart we get to work and start by adding the Active Directory Domain Services role to our server. As shown in the figures below, from Server Manager select Manage -> Add Roles and Features.

After this you will be presented with the following windows; just click Next until you are presented with the Select server roles window.

Select Active Directory Domain Services as shown below.

Once the installation finishes, you need to promote the server to a Domain Controller as shown below.

This presents us with the Deployment Configuration screen, where you select the name of the domain and set the Directory Services Restore Mode password. Take note that this password is required when you restore directory services and is different from your Domain Admin password. You have the option to keep it the same, but it’s not good practice.
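The same Domain Controller steps can be scripted. The PowerShell below is an added example, not the article's own procedure; the adapter alias, addresses and domain name are assumed values, and it assumes the server becomes the first Domain Controller of a new forest.

```powershell
# Added example (not from the article). Run elevated on the Windows Server 2019 VM:
# once before the rename reboot, and once again after it.
# Assumed values: adapter alias, addresses and domain name are placeholders.
$IfAlias    = 'Ethernet'      # assumed; list adapters with Get-NetAdapter
$ServerIp   = '10.0.2.10'     # assumed lab address
$PrefixLen  = 24              # assumed
$Gateway    = '10.0.2.1'      # assumed
$DomainName = 'lab.local'     # hypothetical domain name
$ServerName = 'Skynet'        # server name used in the article

if ($env:COMPUTERNAME -ne $ServerName) {
    # Stage 1: note the current address, assign a permanent one, then rename.
    Get-NetIPAddress -InterfaceAlias $IfAlias -AddressFamily IPv4 |
        Format-Table IPAddress, PrefixLength, PrefixOrigin
    New-NetIPAddress -InterfaceAlias $IfAlias -IPAddress $ServerIp `
        -PrefixLength $PrefixLen -DefaultGateway $Gateway
    Rename-Computer -NewName $ServerName -Restart
}
else {
    # Stage 2: add the AD DS role, then promote the server.
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

    # DSRM password: needed when restoring directory services.
    # Keep it different from the Domain Admin password.
    $dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

    # Assumes a new forest; DNS is installed on the same server.
    Install-ADDSForest -DomainName $DomainName -InstallDns `
        -SafeModeAdministratorPassword $dsrm -Force
    # The server restarts when promotion completes.
}
```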

CONFIGURE SHARE ON THE DOMAIN CONTROLLER

Once the configuration finishes the server restarts and you will be presented with a login screen.

The next step is to configure a Share on the Server as shown below.

CONFIGURE USER ACCOUNT IN ACTIVE DIRECTORY

The next step is to create some users in Active Directory. We will be creating two regular user accounts and one Domain Admin account.

The process is pretty straightforward: from Server Manager, under Tools, select Active Directory Users and Computers as shown below.

This will bring up the screen below; from here on it’s just a matter of adding new users. The best way to create a new account for a Domain Admin is to right-click the Administrator account and select the Copy option.
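The account creation can also be done from PowerShell on the Domain Controller. This is an added example, not the article's own steps; every account name in it is hypothetical, and it reproduces the effect of copying Administrator by copying that account's group memberships.

```powershell
# Added example (not from the article). Run elevated on the Domain Controller.
# All account names are hypothetical; the article does not name its users.
Import-Module ActiveDirectory

function New-LabUser {
    param([string]$Sam, [string]$DisplayName)
    # The password must satisfy the domain's complexity policy.
    $pw = Read-Host -AsSecureString -Prompt "Password for $Sam"
    New-ADUser -Name $DisplayName -SamAccountName $Sam `
        -UserPrincipalName "$Sam@$((Get-ADDomain).DNSRoot)" `
        -AccountPassword $pw -Enabled $true
    Get-ADUser -Identity $Sam
}

# Two regular user accounts.
New-LabUser -Sam 'user.one' -DisplayName 'User One'
New-LabUser -Sam 'user.two' -DisplayName 'User Two'

# Domain Admin account: copying Administrator in the GUI carries over its
# group memberships, so replicate them onto the new account.
$admin = New-LabUser -Sam 'lab.admin' -DisplayName 'Lab Admin'
Get-ADPrincipalGroupMembership -Identity 'Administrator' |
    Where-Object Name -ne 'Domain Users' |      # new users are already members
    ForEach-Object { Add-ADGroupMember -Identity $_ -Members $admin }

# Confirm which groups the new admin account ended up in.
Get-ADPrincipalGroupMembership -Identity $admin |
    Select-Object -ExpandProperty Name
```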

CREATING GROUP POLICY TO DISABLE WINDOWS DEFENDER

This one is important as we don’t want Windows Defender to interfere with our tools and techniques. So we will configure a new group policy called Disable Windows Defender. There are two specific settings which we want to enable:

  1. Turn Off Windows Defender Antivirus
  2. Turn off real-time protection

The screen shots below show how to navigate and enable them.
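Because the policy only works once Tamper Protection is off, it is worth confirming what actually applied. The read-only check below is an added example, not part of the original article; the function name is hypothetical, and the registry values it reads are the ones these two policy settings write.

```powershell
# Added example (not from the article). Read-only check; run elevated on the
# lab workstation after 'gpupdate /force' and a reboot.
function Get-LabDefenderState {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $av   = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    $rtp  = Get-ItemProperty -Path "$base\Real-Time Protection" -ErrorAction SilentlyContinue

    # Get-MpComputerStatus can fail once the antivirus service is turned off.
    try   { $mp = Get-MpComputerStatus -ErrorAction Stop }
    catch { $mp = $null }

    [pscustomobject]@{
        Computer                  = $env:COMPUTERNAME
        # 1 = "Turn Off Windows Defender Antivirus" is set by policy
        PolicyDisableAntiSpyware  = $av.DisableAntiSpyware
        # 1 = "Turn off real-time protection" is set by policy
        PolicyDisableRealtime     = $rtp.DisableRealtimeMonitoring
        TamperProtected           = if ($mp) { $mp.IsTamperProtected } else { 'unknown' }
        RealTimeProtectionEnabled = if ($mp) { $mp.RealTimeProtectionEnabled } else { 'unknown' }
        AntivirusEnabled          = if ($mp) { $mp.AntivirusEnabled } else { 'unknown' }
    }
}

$state = Get-LabDefenderState
$state | Format-List

if ($state.TamperProtected -eq $true) {
    Write-Warning 'Tamper Protection is still on; the GPO settings will not take effect.'
}
```

Running the same function on the host should still report Tamper Protection and real-time protection as enabled, which confirms the change stayed inside the lab.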

ADD WORKSTATION TO THE DOMAIN

The next and most important step is to add the workstation to the domain. The process is pretty straightforward. However, we need to make one small configuration change before we add the workstation to the domain: configure the DNS server on the workstation to point at the IP address of our Domain Controller, as shown below.

Once you configure DNS, the rest of the process is pretty straightforward. All we are left to do is join the domain. Once you successfully join the domain, the workstation will reboot.

Use the credentials of the regular users that we configured in Active Directory to log back into the workstation and you are all set. If you need to make the user a local admin, use the Domain Admin account to log into the workstation and add the user to the local Administrators group.

If everything goes according to plan, you will see the workstation under Computers on the Domain Controller.
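The join can be scripted as well. The PowerShell below is an added example, not the article's own procedure; the adapter alias, Domain Controller address, domain name and user name are assumed values. It checks that DNS can locate the Domain Controller before attempting the join, since a wrong DNS setting is the step most likely to make the join fail.

```powershell
# Added example (not from the article). Run elevated on the Windows 10 workstation.
# Assumed values: adapter alias, DC address, domain name and user are placeholders.
$IfAlias    = 'Ethernet'       # assumed; list adapters with Get-NetAdapter
$DcIp       = '10.0.2.10'      # assumed address of the Domain Controller
$DomainName = 'lab.local'      # hypothetical domain name
$LabUser    = 'LAB\user.one'   # hypothetical regular user

if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    # Point DNS at the Domain Controller; the join finds the domain through DNS.
    Set-DnsClientServerAddress -InterfaceAlias $IfAlias -ServerAddresses $DcIp

    # Stop here if the DC locator record does not resolve.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
        -Server $DcIp -ErrorAction Stop | Out-Null

    # Join the domain; the workstation reboots afterwards.
    $cred = Get-Credential -Message 'Account allowed to join the domain'
    Add-Computer -DomainName $DomainName -Credential $cred -Restart
}
else {
    # Optional, after the reboot and signed in as the Domain Admin:
    # give the regular user local administrator rights.
    Add-LocalGroupMember -Group 'Administrators' -Member $LabUser
    Get-LocalGroupMember -Group 'Administrators'
}

# On the Domain Controller, the workstation should now be listed:
#   Get-ADComputer -Filter * -SearchBase "CN=Computers,$((Get-ADDomain).DistinguishedName)"
```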

I hope this article helps you in case you want to create your own Active Directory lab for learning or fun :)

~ Sonny
