Windows Security Lab (Part 1): Setting up the Windows Domain

This guide is intended to help beginners set up their own Red Team/Windows Pentesting lab using Oracle VM VirtualBox and Virtual Private Servers (VPSs).

In Part 1, we configure a basic Windows domain in VirtualBox. In Part 2, we set up our attack infrastructure using DigitalOcean Virtual Private Servers. In Part 3, we will perform a basic attack against our Windows Client machine in order to test our lab.


Introduction

After completing my OSCP certification, I felt motivated to learn more about offensive security in a contemporary Windows environment. Specifically, I wanted more exposure to attacking Windows Domains using “Red Team”-style infrastructure. The lack of available materials inspired me to create my own home lab and to write this series.

My intention in writing these articles is to help you get started on setting up an interesting lab and expose you to certain tools. Don’t read these articles if you’re looking for a guided walkthrough on how to get SYSTEM privileges on fully patched Windows 10 machines.

You will need to be familiar with basic networking and offensive security concepts and terminology. Also, I don’t pretend to be an expert, so please feel free to inform me of any mistakes.

NOTE: You will need access to ISO images of Windows Server and Windows Pro/Enterprise. Windows Product Keys aren’t necessary, but will save you the headache of re-creating your Windows domain every few weeks.

The Plan

The plan is to use Virtual Machines (VMs) to build a basic Windows Domain, which will be the target for our attacks. In order to separate the Windows Domain from the rest of our home network, we will use a pfSense firewall and VirtualBox’s host-only networking option to place it on its own subnet.

Afterwards, we will set up internet-facing attack infrastructure on Virtual Private Servers (VPSs) hosted by DigitalOcean. These servers will be used to launch attacks on the Windows Domain.

Refer to Figure 1–1 for a basic diagram of our planned network.

Figure 1–1: The network layout

The Windows Domain will exist on the subnet 10.2.2.1/24 and contain three Virtual Machines (VMs):

  • pfSense Firewall (IP Address: 10.2.2.2)
  • Windows Server 2012 R2 (Active Directory, File Server, DHCP Server) (IP Address: 10.2.2.254)
  • Windows 7 Professional (IP Address: 10.2.2.x)

The attack infrastructure will be hosted on the Internet and be composed of four servers:

  • Ubuntu 16.04.4 x64 HTTP Command & Control (C2) Server
  • Ubuntu 16.04.4 x64 Redirector Server
  • Debian 9.5 x64 DNS Command & Control (C2) Server
  • Ubuntu 16.04.4 x64 Redirector Server

Creating the Host-Only Network

Host-only networking in VirtualBox allows us to create a virtual private network within our private home network. This option will allow us to isolate our Windows Domain from other devices on our home network (excluding our host computer).

Prior to installing our Windows VMs, we need to configure the VirtualBox Host-Only Ethernet Adapter to use our desired subnet.

Select File > Host Network Manager … and then click on VirtualBox Host-Only Ethernet Adapter.

In the Adapter tab, select Configure Adapter Manually and enter “10.2.2.1” as the IPv4 Address, and “255.255.255.0” as the IPv4 Network Mask. Also, make sure to uncheck the Enable Server checkbox in the DHCP tab; our Windows Server will be functioning as the DHCP server in our network.

Figure 1–2: Host-Only Ethernet Adapter settings

Verify your settings and apply them.

pfSense Firewall

We’ve created our new private network, but devices on this network will not be able to access the Internet without a default gateway. In order to address this, we will install a pfSense firewall and configure it to use two network adapters.

One adapter will connect the firewall to our host-only network and use 10.2.2.2 as its IP address. The other adapter will be configured to use “NAT” settings. The NAT adapter will provide the firewall with access to the Internet through the home router/modem, while also assigning it an IP address from a different subnet than our home network.

Download the 64-bit pfSense CD Image (ISO) Installer from the pfSense website. In VirtualBox, create a new VM with the following settings:

  • Name: Domain Firewall
  • Type: FreeBSD
  • Version: 64-bit
  • Memory: 512 MB
  • Storage: Dynamically allocated 3.00 GB VirtualBox Disk Image

Highlight the VM and select Settings > Network. Verify that Adapter 1 is set to “NAT”. Enable Adapter 2 and set it to be “Attached to: Host-only Adapter” with the name “VirtualBox Host-Only Ethernet Adapter”.
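The host-only adapter settings and the firewall VM's two network adapters can also be applied with VBoxManage from PowerShell on a Windows host, which makes the isolation settings repeatable and checkable. This is an added example, not part of the original guide; it assumes VirtualBox's default install path, and it leaves the disk and ISO steps to the GUI.

```powershell
# Added example: host-only network plus the "Domain Firewall" VM's NIC layout.
# Assumption: VirtualBox is installed in its default location on a Windows host.
$vbox = Join-Path $env:ProgramFiles 'Oracle\VirtualBox\VBoxManage.exe'
$hoif = 'VirtualBox Host-Only Ethernet Adapter'
$vm   = 'Domain Firewall'

function Invoke-VBox {
    # Run VBoxManage and stop on the first failure rather than continue half-configured.
    & $vbox @args
    if ($LASTEXITCODE -ne 0) { throw "VBoxManage $($args -join ' ') failed" }
}

# Host-only adapter: 10.2.2.1/24, with VirtualBox's built-in DHCP server disabled
# so that the Windows Server is the only DHCP server on this segment.
# (The modify call fails if no DHCP server is defined for the adapter.)
Invoke-VBox hostonlyif ipconfig $hoif --ip 10.2.2.1 --netmask 255.255.255.0
Invoke-VBox dhcpserver modify --ifname $hoif --disable

# Firewall VM: Adapter 1 = NAT (WAN side), Adapter 2 = host-only (LAN side).
Invoke-VBox createvm --name $vm --ostype FreeBSD_64 --register
Invoke-VBox modifyvm $vm --memory 512 --nic1 nat --nic2 hostonly --hostonlyadapter2 $hoif

# Verify the NIC layout before booting the installer: a swapped or bridged
# adapter would put the lab on the home network instead of isolating it.
$info     = & $vbox showvminfo $vm --machinereadable
$expected = 'nic1="nat"', 'nic2="hostonly"', "hostonlyadapter2=`"$hoif`""
foreach ($line in $expected) {
    if ($info -notcontains $line) { throw "Unexpected NIC config, missing: $line" }
}
'NIC layout OK: NAT on adapter 1, host-only on adapter 2'
```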

Power on the firewall VM and choose the pfSense ISO file as the start-up disk. Select the Install pfSense option and confirm default settings for any prompts. The VM will reboot after installation; make sure to eject the disk image via Devices > Optical Drives > Remove disk from virtual drive.

After reboot, you should arrive at the pfSense options menu. Select Set interface(s) IP address (option #2) and then LAN (option #2). Use these settings:

  • IPv4: 10.2.2.2
  • Subnet bit count: 24
  • IPv4 upstream gateway address: *leave this blank*
  • IPv6 address: *leave this blank*
  • Do you want to enable the DHCP server on LAN?: No
  • Do you want to revert to HTTP as the webConfigurator protocol?: No

Press Enter to continue. Your LAN’s (em1) v4 address should now be set to 10.2.2.2/24. Your WAN’s (em0) v4 address should be in a different subnet than your home computer. As you can see in the example below, mine is set to 10.0.2.15/24, which is in a different subnet than 10.2.2.1/24 or my home subnet of 192.168.1.1/24.

Figure 1–3: Configured pfSense network adapters

Leave the VM running and minimize it.

Windows Server Installation

Create a new VM with the following settings:

  • Name: Windows Server
  • Type: Microsoft Windows
  • Version: Windows 2012 (64-bit)
  • Memory: 2048 MB
  • Storage: Dynamically allocated 40.00 GB VirtualBox Disk Image

Configure the VM to use the Host-Only adapter, load the disk image, and begin the setup process. Select Windows Server 2012 R2 Standard (Server with a GUI) and choose Custom: Install Windows only as the installation type. Set your Administrator password when prompted.

Log in to the server, open the Network and Sharing Center, and change the Properties of your Ethernet adapter to use the following:

  • IP address: 10.2.2.254
  • Subnet mask: 255.255.255.0
  • Default gateway: 10.2.2.2
  • Preferred DNS server: 8.8.8.8
  • Alternate DNS server: 8.8.4.4

Rename the server “AD01”; restart when prompted. Following reboot, navigate to the Server Manager window, which should have opened on login. Click on the Add roles and features option, which should be visible in the top window.

Figure 1–4: Adding roles and features

Run through the default selections until you get to the “Server Roles” menu. Add the DHCP Server, DNS Server, and Active Directory Domain Services roles. You can add additional roles later.

Click Next through the remaining menus, until you can select Install. After the installation has finished, you should see an option in the results to Promote this server to a domain controller. Click on it.

Figure 1–5: Promoting the server

For your deployment operation, select Add a new forest, and then make your Root domain name “example.com”. Set your DSRM password and proceed through the remaining menus until you can Install. The server will automatically reboot after the promotion. Note that your Administrator account is now the Domain Administrator for the EXAMPLE domain.

Open Server Manager and click on the DHCP tab. You should see a notification saying that configuration is required for the DHCP server. Click More… to open the “All Servers Task Details” window and click on Complete DHCP configuration. Click Next through the options and commit the configuration.

Figure 1–6: Completing DHCP configuration

Now open the DHCP applet and expand “ad01.example.com”. Right-click on IPv4 and select New Scope… Give the scope a name and set it to distribute 10.2.2.1–10.2.2.254, with a length of 24 and subnet mask of 255.255.255.0. Add 10.2.2.2 and 10.2.2.254 to the exclusions. Set the Router (Default Gateway) to 10.2.2.2 and click Next through the remaining menus.
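Because the domain may need to be rebuilt periodically, the server steps above can be kept as a staged PowerShell script. This is an added example, not part of the original guide; the script name Build-AD01.ps1, the NIC alias 'Ethernet' and the scope name 'Lab' are assumptions, and every address and name is taken from the steps above.

```powershell
# Added example (hypothetical file name: Build-AD01.ps1) for Windows Server 2012 R2.
# Run each stage from an elevated session; 'Network' and 'Promote' end in a reboot.
param([Parameter(Mandatory)][ValidateSet('Network','Promote','Dhcp')][string]$Stage)

switch ($Stage) {
  'Network' {
    # Static addressing, then rename to AD01. 'Ethernet' is an assumed NIC alias.
    New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress 10.2.2.254 `
        -PrefixLength 24 -DefaultGateway 10.2.2.2
    Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 8.8.8.8, 8.8.4.4
    Rename-Computer -NewName 'AD01' -Restart
  }
  'Promote' {
    # Roles from the "Server Roles" menu, then a new forest named example.com.
    Install-WindowsFeature -Name DHCP, DNS, AD-Domain-Services -IncludeManagementTools
    Import-Module ADDSDeployment
    Install-ADDSForest -DomainName 'example.com' -InstallDns `
        -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password')
  }
  'Dhcp' {
    # Equivalent of "Complete DHCP configuration": security groups + AD authorization.
    Add-DhcpServerSecurityGroup
    Add-DhcpServerInDC -DnsName 'ad01.example.com' -IPAddress 10.2.2.254

    # Scope 10.2.2.1-10.2.2.254 /24; 'Lab' is an arbitrary scope name.
    Add-DhcpServerv4Scope -Name 'Lab' -StartRange 10.2.2.1 -EndRange 10.2.2.254 `
        -SubnetMask 255.255.255.0 -State Active

    # Static hosts excluded on the page: the firewall (.2) and this server (.254).
    # 10.2.2.1 (the host's adapter) is also inside the range; exclude it the same
    # way if you see address conflicts.
    foreach ($ip in '10.2.2.2', '10.2.2.254') {
        Add-DhcpServerv4ExclusionRange -ScopeId 10.2.2.0 -StartRange $ip -EndRange $ip
    }
    Set-DhcpServerv4OptionValue -ScopeId 10.2.2.0 -Router 10.2.2.2

    # Show the result so it can be compared with the values above.
    Get-DhcpServerv4Scope
    Get-DhcpServerv4ExclusionRange -ScopeId 10.2.2.0
  }
}
```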

Configuring the Domain

In this section, we’re going to set up some basic shared folders, security groups, and a GPO. These won’t come into play during our simulated attack in Part 3, but you need to know how to configure these kinds of things if you want to expand your lab.

Open the Active Directory Users and Computers applet. Right-click on the “example.com” forest and select New > Organizational Unit.

Figure 1–7: Creating a new OU

Create two new Organizational Units (OUs):

  • Domain Users
  • Domain Security Groups

In Domain Security Groups, create two new Groups:

  • Sales (Scope: Domain local / Type: Security)
  • Management (Scope: Domain local / Type: Security)

In the Domain Users OU, create the following users:

  • Employee
  • IT

Double-click on the IT user and add them to the “Domain Admins” group using the Member Of tab. Add Employee to the newly-created “Sales” group.

Figure 1–8: Adding IT to Domain Admins

Now open up File Explorer on your server and create a folder on the C: drive called “Company”. Within that folder, create a sub-folder called “Sales” and another called “Management”. These will be our domain’s shared drives. Create text files containing a few words in each of these folders to act as flags.

To set up sharing on a folder, right-click on it and select Properties > Sharing > Advanced Sharing > Share this folder. Under Permissions, remove “Everyone” and give Full Control to “Authenticated Users”. Apply the settings.

Figure 1–9: Sharing the Management folder

Open the Security tab of each folder and then click on Advanced > Disable inheritance. Convert the inherited permissions into explicit permissions and then remove all groups except for “SYSTEM” and “CREATOR OWNER”. Add “Domain Admins” and give them Full Control.

On the Management folder, add “Management” and give them everything except for Full Control (Read, Write, Modify, etc.). Give similar permissions to the “Sales” group on the Sales folder.

Figure 1–10: Modifying permissions for the Management folder

In order to publish these shares in Active Directory, open the Computer Management applet. Expand the Shared Folders directory, right-click on each of the shared folders, open Properties, and select the option to Publish this share in Active Directory.

Figure 1–11: Publishing the Management share to AD

As a final step, we will make a simple Group Policy to map our shared drives. Open up Group Policy Management and expand the Forest and Domain directories so you can see the “example.com” domain. Right-click on the domain, select Create a GPO in this domain, and Link it here… and name the policy “Drive Mapping”.

Expand “example.com”, right-click on the new GPO, and select the option to Edit. Under User Configuration > Preferences > Windows Settings, right-click on Drive Maps > New > Mapped Drive. Assign \\AD01\Management to drive letter “A” and \\AD01\Sales to drive letter “B”.

Under the Common tab of each mapped drive, enable Item-level targeting. Select Targeting… > New > Security Group and locate the appropriate security group in Active Directory.

Figure 1–12: Configuring the Management Drive in the Drive Mapping GPO

Apply the settings and you should see both drives now listed in the Drive Maps list. We’re done with the Windows Server for now, so sign out and leave the VM running.
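The OUs, groups, users, shares and NTFS permissions from this section can be created in one pass with PowerShell, which also leaves a record of exactly which rights each group holds. This is an added example, not part of the original guide; it does not create the Drive Mapping GPO, the flag file name and contents are constructed, and publishing the share as a `volume` object under the AD01 computer account is one way to reproduce the Publish this share in Active Directory checkbox.

```powershell
# Added example: run on AD01 as a domain administrator after the promotion.
Import-Module ActiveDirectory
$dn = 'DC=example,DC=com'
$pw = Read-Host -AsSecureString 'Initial password for the lab users'

# OUs, groups and users, named as in the steps above.
'Domain Users', 'Domain Security Groups' | ForEach-Object {
    New-ADOrganizationalUnit -Name $_ -Path $dn
}
'Sales', 'Management' | ForEach-Object {
    New-ADGroup -Name $_ -GroupScope DomainLocal -GroupCategory Security `
        -Path "OU=Domain Security Groups,$dn"
}
'Employee', 'IT' | ForEach-Object {
    New-ADUser -Name $_ -SamAccountName $_ -Path "OU=Domain Users,$dn" `
        -AccountPassword $pw -Enabled $true
}
Add-ADGroupMember -Identity 'Domain Admins' -Members 'IT'
Add-ADGroupMember -Identity 'Sales' -Members 'Employee'

foreach ($group in 'Sales', 'Management') {
    $path = "C:\Company\$group"
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    Set-Content -Path "$path\flag.txt" -Value "flag for $group"  # constructed flag

    # Share permission: Full Control for Authenticated Users, no "Everyone" entry.
    New-SmbShare -Name $group -Path $path -FullAccess 'Authenticated Users' | Out-Null

    # NTFS: drop inherited ACEs, keep SYSTEM and CREATOR OWNER, give Domain Admins
    # Full Control and the matching group Modify (everything except Full Control).
    icacls $path /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' `
        'CREATOR OWNER:(OI)(CI)(IO)F' 'EXAMPLE\Domain Admins:(OI)(CI)F' `
        "EXAMPLE\${group}:(OI)(CI)M"
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $path" }

    # Publish the share in AD as a Shared Folder (volume) object.
    New-ADObject -Type volume -Name $group `
        -Path "CN=AD01,OU=Domain Controllers,$dn" `
        -OtherAttributes @{ uNCName = "\\AD01\$group" }
}

# Review the resulting share list and NTFS ACLs.
Get-SmbShare -Name Sales, Management
icacls C:\Company\*
```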

Setting up the Windows Client

Create a new VM with the following settings:

  • Name: Windows Client
  • Type: Microsoft Windows
  • Version: Windows 7 (64-bit)
  • Memory: 2048 MB
  • Storage: Dynamically allocated 20.00 GB VirtualBox Disk Image

Configure the VM to use the Host-Only adapter, load the disk image, and begin the setup process. Choose “Custom (advanced)” as the installation type and wait for the install to finish.

Create your local Administrator account and rename the computer to “Client”. Configure a password. Use the “Ask me later” option for updates and indicate that you are connected to a “Work Network”.

Right-click on Computer > Properties > Change settings > Change… In the Domain field, write “example.com” and click OK. Sign in with a domain administrator account and then restart when prompted.

Figure 1–13: Joining the example.com domain

Select Switch User > Other User at the sign-in menu and sign in with the Employee account. We are now signed in as a domain user and our Client computer is joined to the domain.

We are finished setting up our basic Windows domain. Log off and leave the VM running.


Improving the Windows Domain

Our current Windows Domain is small and very basic. If you’re interested in improving this part of the lab, you should try the following:

  • Patch the Virtual Machines.
  • Add additional computers/users to the Domain.
  • Replace your VMs with Windows Server 2016 and Windows 10 Professional.
  • Configure the pfSense firewall. Enable Snort and set up some rules.
  • Put a Web Server on the network.
  • Create new GPOs. Try to introduce security vulnerabilities using these GPOs.
  • Install more applications on your Client.

Next Section

Now that we have finished setting up our Windows network, we will move on to the attack infrastructure. In Part 2, we will set up our primary Command & Control (C2) Server, a DNS C2 Server, and two Redirector servers using DigitalOcean Virtual Private Servers.