How to Build an Active Directory Hacking Lab

Reddit Comments

didn't watch (at work) but seems pretty long to say, set up a VM host, install Windows Server, install roles, profit ;-)

really though, mostly commenting to make it easier to find later to watch.

👍︎︎ 44 👤︎︎ u/[deleted] 📅︎︎ Dec 31 2019 🗫︎ replies

Hey. This is me. Really neat to see this get posted. Thanks for the share <3

👍︎︎ 6 👤︎︎ u/DorkNowitzki41 📅︎︎ Jan 02 2020 🗫︎ replies

This video looks to be from his Udemy Course Practical Ethical Hacking. If you are interested in the pen testing scenarios he talks about, the course lays them out in more detail.

I think there is a coupon code for the course (THECYBERMENTOR) which brings the price down to $19 or so. If I recall, the coupon is good through today (31 December 2019).

👍︎︎ 7 👤︎︎ u/MusclesLinguine 📅︎︎ Dec 31 2019 🗫︎ replies

This is fun, because all I need to do is copy all the VMs I'm already using, spin them up in my lab cluster and try to break things (without disrupting production). Thanks for the share!

👍︎︎ 5 👤︎︎ u/exps35 📅︎︎ Dec 31 2019 🗫︎ replies

I'm really just commenting on this right now so it will be a viable poor-man's bookmark.

👍︎︎ 2 👤︎︎ u/[deleted] 📅︎︎ Jan 01 2020 🗫︎ replies

Sweet!!!!

👍︎︎ 1 👤︎︎ u/netsecbruh 📅︎︎ Dec 31 2019 🗫︎ replies

Nice saving for full view later!

👍︎︎ 1 👤︎︎ u/tenchel 📅︎︎ Dec 31 2019 🗫︎ replies

This is great - thanks!

👍︎︎ 1 👤︎︎ u/I_heart_cancer 📅︎︎ Dec 31 2019 🗫︎ replies

Thanks for this amazing video...

👍︎︎ 1 👤︎︎ u/patmm010 📅︎︎ Dec 31 2019 🗫︎ replies
Captions
What's up everybody? So we've been getting a lot of requests on building an Active Directory lab environment and what that looks like. So in this video we're going to go ahead and build out a lab environment. We're gonna have a domain controller and a couple of user machines, and we're just gonna set that up so that you can actually attack this environment. Now, this is not an attack video. I will give you resources in the video on how to find those attacks, and this kind of assumes that you know a little bit about what Active Directory is. You don't have to have any experience setting it up; that's what we're going to do here. And we're going to talk about, at a high level, why these certain settings that we use are vulnerable, and a lot of these settings are just out-of-the-box settings. So we'll talk through some of the attacks, very, very high level again, and I'll provide those resources for you to learn more about the attacks if you want to. So before we get started, as always, if you liked the video please do comment down below, hit that subscribe button, hit the bell, hit the like, do whatever you want, but please do show some love for the channel if you are loving the channel. So from here let's take a quick ad from our sponsor and then we'll dive right into this video.

This video is brought to you by our sponsor and friend of the channel, Fixing. Now Fixing has just released a new mechanical keyboard, this guy right here, and you may have seen it in the beginning of the video. Now this mechanical keyboard is RGB backlit and comes equipped with 18 preset light modes as well as the ability to customize your own keys. It comes with nice blue switches and a 96-key layout that saves space but acts like a full keyboard and keeps all the same functions. Also, it just sounds amazing. At $39.99 you really can't beat the price for what it offers; if you don't believe me just go ahead and check the reviews. Lastly, Fixing is running a promotion right now for I Love Coding. This event is where you can join other coding lovers and receive a discount of 20% off of certain products, including the mechanical keyboard seen in the video. So for links and more information please see the description down below.

Alright, let's get started. So there's gonna be a tiny bit of death by PowerPoint, and trust me, I hate PowerPoint more than anybody, but it's a tiny bit of a necessity just to kind of go over the lab requirements and what we're gonna be building out, and then we'll get hands-on and we'll leave the PowerPoint behind.

So why should I build a lab? What is interesting about this Active Directory attack lab? Well, from an Active Directory perspective, when you're becoming a penetration tester or ethical hacker, 95% of the Fortune 1000 companies utilize Active Directory in their environments. From my perspective, I have never had an internal assessment that did not have Active Directory somewhere in its environment. And what does this even mean, right? Well, Active Directory relates to what is called internal penetration testing. Now a lot of courses out there and a lot of material out there covers what I call external tactics and methodologies; not a lot of them cover the internal methodologies and tactics. So what this allows you to do is it allows you to build out that lab and practice, because that course material is really just not out there. So you can build up this lab, look up some tutorials online, watch some videos, and just kind of piece together a lot of these attacks, figure them out, and then you'll look really good in an interview when you can talk about these attacks and even how to defend against them.

So from here let's talk about the lab overview. So the setup is going to be like this: for me, I'm going to be running a Windows 10 Pro base, and on that I'll be utilizing VMware Pro. So we'll talk about that here in a minute as to what you can use depending on what operating system you're on, but I will be virtualizing everything. Now my environment contains one Windows 2019 server, and that acts as a domain controller, and then I have two Windows 10 computers, and those act as user machines. Now you could technically get away with one computer; however, utilizing two is ideal because we can use relay attacks and other attacks that will allow us to take full advantage of all the techniques that are available to us. Lastly, there will be an attack machine. Now for the specs of this lesson we're not going to be utilizing an attack machine; this is just how to build out this lab. So now the recommended specs that I always say is about 80 gigabytes in disk space, that's 20 gigabytes for each machine since we technically have four being virtualized, and 16 gigabytes of RAM. I'm utilizing 32; 16 should be okay. You could apply 2 gigabytes of RAM to each, plus you have your base operating system that has around 8 gigabytes or so. If you have 32 you can utilize 4 gigabytes, and if you have 8 you can utilize one gigabyte or so for each machine; just understand that you might experience a really, really slow lab.

Let's quickly cover some of the possible attacks and scenarios that you can utilize in this lab. Now you can do LLMNR and NBT-NS poisoning, SMB relay attacks, IPv6 attacks, pass the password, pass the hash, token impersonation, Kerberoasting, golden ticket. You could do a bunch of enumeration with PowerView, BloodHound, or other enumeration tools. You could do credential dumping with Mimikatz, and there's a lot more than this, but this is just some of the really common attack scenarios that I like to cover. Now you may be saying, I have no idea what the hell you're talking about, I'm really new to this, I don't know any of these attacks, and that's okay. My suggestion to you is to screenshot what I just showed you and go out there and learn some of these attacks, and I'm going to provide some resources for you.

So going down the list, ADSecurity.org is one of the most fantastic websites out there. If you are a beginner it might be a little complicated, but they have all different kinds of AD resources in here, and once you kind of figure out what you're looking for this really, really helps. Now this might be considered advanced reading; once you kind of get some of the generic attacks down you come in here, read more about the latest and greatest of attacks, and really get into Active Directory. On top of that there is a guy named harmj0y, and he writes fantastic material as well, blog.harmj0y.net, and I'll be posting all this in the description down below, so don't worry if you're not writing this down. A bunch of different attacks here related to AD; he is fantastic when it comes to Active Directory, and some of the common attacks that we use are simply because of him and his research. So he's fantastic when it comes to Active Directory. I'm going to throw a little bit of myself out there: I have a lot of this material, so say for example you're looking for LLMNR, which is one of the attacks, you can just come in and type LLMNR and search it on my channel, and you can see, hey, Active Directory exploitation here, and here it is as well, popping a shell via SMB relay. Also the full penetration testing course that's on my channel has a lot of these attacks, so if you come here you can sort by the most popular and you'll see that course probably pop up right at the top, and that will give you an indication on a lot of these attacks and what you can do to utilize them. Now if you're in the market for a course and you want to get more hands-on, I do have a course out on Udemy; you can utilize that as well. It covers pretty much anything and everything related to the beginnings of ethical hacking all the way through building out this lab and doing all these attacks that I'm showing you, plus more. So if you want that hand-held walkthrough type deal you can come out here, and for the next week or so there will be a special discount that I'll put down that will take this course under $20. So if you're in the market for a course this is it; otherwise free options exist, you can absolutely piece this together or you can just Google the attacks and look for walkthroughs as well. So hopefully that gives you a good idea as to what you're gonna be capable of doing and how you can utilize that once you are done building out this lab.

So let's go ahead and now dive right into the lab build itself. In order to build out our lab we need to run what is called a VM, or virtualized machine. Now there are two dominant tools out there that we can utilize based on the OS that we're running. I'm going to be utilizing what is called VMware Pro. Now I'm showing you the free option here, which is Workstation Player. If you're already familiar with this you can go ahead and kind of skip ahead, but what we're going to be using is VMware Workstation Player if you are using Windows or Linux. If you are running on Mac OS X you can use VirtualBox here, and I'll paste these links down in the description below as well, and you can actually run this on Windows, Linux, Solaris as well. I just prefer and have the preference for VMware, but you can utilize whichever of these tools that you want. Now go ahead and download these if you don't have it downloaded already. It's very point-and-click, so just go ahead, Next, Next, Next through, accept, and then get it up and running, and then what I show you on either tool, whatever you download, whatever I show you can be applied either way on the tools; they're very, very similar. So pause now if you need to and then meet me back once you have this downloaded and installed, and then we're going to work on downloading the files that we need to actually get this up and running.

So to actually start building out the lab we're gonna be utilizing Microsoft's Evaluation Center. You can go out to Google and just type in Microsoft Evaluation Center and you'll be brought to this here. I'm gonna go ahead and just open, right click, new window, with Windows 2019 Server and Windows 10 Enterprise. So for example you'll have Windows Server 2019, and these are evaluation copies, meaning that they're good for 180 days for Server 2019 and 90 days for Windows 10. If I'm being honest with you, you can completely ignore that; these servers won't just stop working because you haven't bought the license, so I have really, really old licenses or expired servers that I utilize for my lab environments and it's absolutely fine, but these are for you to demo and evaluate their materials. So from here you're gonna go ahead and select ISO when you get to the server page and hit Continue, and it's gonna ask you for your first name, last name, company name, all this stuff here, and I just put in a bunch of fake material; it doesn't matter what you're gonna have here, just select random stuff and it doesn't matter. Go ahead and just say Continue, and then select your language, English for me, and then you'll hit Download and download the ISO file. Same thing here with Windows 10 Enterprise: download the ISO, Enterprise, enter in your information again (it does not have to be real information, it can be fake information), hit Continue and download your ISO file. Now these ISO files are rather large, so go ahead and get them downloaded; pause the video again if you need to. Once they're downloaded, meet me with your virtualized machine software, either VMware or VirtualBox, open and ready to go, and we'll go ahead and start building out this lab step by step.

Now we're moving on to the actual build of the workstation. So you should have your ISO files downloaded and your VM software up and running; here's my Workstation Pro, and we're gonna go ahead and just select Create a New Virtual Machine, and we'll do Typical, hit Next, and then it's gonna say where is your installer disk image file. Go ahead and browse to that, and we're going to start with your server. So here's my server eval, and I'm gonna go ahead and just hit Next. It says Server 2016 detected; that's fine. And it's going to ask for a product key: do not provide a product key and do not provide a password. This is absolutely fine. Go ahead and just do Standard, and we'll hit Next, and it'll give you this prompt; go ahead and just say Yes, and then it's gonna ask you where do you want to install this. I'm just gonna go ahead and leave this default. You can see I already have a server here of 2016; I'm gonna go ahead and name it Server 2019 because that's actually what it is. I'm gonna hit Next, and it's gonna say how much disk space you want to give it. I say 60 gigabytes and split it into virtual disk images, so it's only gonna utilize what it needs, which isn't a lot of space. So again, I say about 20 gigabytes per machine, and then this will just build as you were to download items into it. So go ahead and hit Next once you have this figured out, and then uncheck this "Power on this virtual machine after creation". Super important to make sure this is unchecked. So go ahead and hit Finish, and now it should load this machine like this.

So what we're gonna do is we're gonna come in here and edit this virtual machine, and we're going to need to do a few things here. First of all, depending on the RAM that you have, this is your opportunity to change this. I'm only going to be using two gigabytes of RAM, which is 2048 on the slider, and we're gonna go ahead and also take out this floppy disk, so go ahead and remove this. The issue is, if we were to power on our machine right away, it would actually cause this auto install to load with this floppy, for whatever reason, and cause a bunch of issues for us. So we're gonna make sure that that floppy is removed, two gigabytes of memory, and then we're going to come to the network adapter here and make sure that the network adapter is set to NAT. So make sure you see this as well, and then go ahead and hit OK and then power on this machine, and get your finger ready because we are going to need to press a button pretty much right away. So that'll allow us to get the Windows setup running, and if you're stuck and you can't see your mouse, hit Control-Alt; that'll get you out of that VM and back out onto your actual computer.

So now I'm gonna try to make this bigger. We only can get so big with this, unfortunately, until we install the tools needed, but for now we have Windows Server 2019. I'm gonna go ahead and hit Next, and I'm gonna hit Install Now on this. Okay, now we're brought to this screen; we're gonna say Windows Server 2019 Standard Evaluation (Desktop Experience). Go ahead and hit Next, accept the license, go ahead and hit Next, and then select Custom install here. Come in here, it should say Drive 0 unallocated; hit New, hit Apply, hit OK, and then go ahead and hit Next, and now it's going to begin installing Windows. This will take a minute; it's going to likely reboot. So go ahead and pause the video again; once everything has rebooted and you're on to a screen where you can make another action, come back and we'll continue on.

So now you should be brought to this screen, and it's asking you to set up an administrator password. You can just go ahead and type in anything you want; I'm just going to say something like Password1, and it's going to be a weak password, but this is a weak lab environment. We're just setting up a pen test lab environment so that it can be penetrated or hacked, whatever we want to do with it. So go ahead and hit Finish once you've got that set up, and you should be brought to this screen here. You can come up here and just hit Ctrl-Alt-Delete with this little three-button prompt, and then it's gonna ask you for that password you just set up. I'm gonna type in Password1, hit Enter, and then it's gonna start logging in.

So from here we're gonna go ahead and start setting up our machine with how we want it. First thing I want to do is I want to go ahead and come up here and go to Workstation, and I want to go to VM and Install VMware Tools, because otherwise this is going to be very small for us the rest of the time and we don't want that. So let's go ahead and install VMware Tools on this, and that'll allow this to be a little bit bigger. It should give us a prompt here in just a second saying that a drive has come up; we can also click on This PC and see it here. So we can go ahead and just double-click, run the setup, and just click Next through this, select the Complete tool setup, and Install. So once this is complete it should allow our screen to go full-size automatically, and then we'll just need to set up a few things. While we're doing this, what we're going to be doing is setting up what is called a domain controller here in just a couple more steps, and we'll cover what a domain controller actually is. Now don't restart your computer at this moment; go ahead and just say No, and we're going to change the PC name while we can. So I'm gonna say PC name and go ahead and just select that, and now name this whatever you want to name this. I'm gonna rename this PC and I'm gonna call this HYDRA-DC, because I like Marvel; I'm gonna make my Active Directory environment Marvel-themed. So go ahead and hit Next, and then we will need to restart once we rename the computer. So once that's up and ready with a prompt, go ahead and reboot your machine, and then if you need to take a break or anything else go ahead and pause. I'm just gonna let this speed up for a second, reboot, and I'll meet you back when we're logged in.

So now we are officially logged in and you should be brought to your Server Manager dashboard here. We're gonna go ahead and just come up to Manage and we're gonna Add Roles and Features, and go ahead and just select Next, Next, Next, and we're going to add in Active Directory Domain Services; hit Add Features, Next, Next, Next, and Install. Now this is going to take a minute to install, and I want to talk about Active Directory here for just a minute. So what is Active Directory? It is a directory service that was developed by Microsoft to manage Windows domain networks, and that's what we're setting up; we're setting up a domain network, and for this domain network we're going to be storing information that is related to objects. Now these objects can be computers, users, printers, etc., and you could think of this like a phone book; it just stores information that you can go and look up later. Now we're setting up a domain controller; that is the hub of all this information, and our machines that we're going to be setting up here in just a minute, we're going to be utilizing those to connect to this domain controller, and the domain controller is going to store all these objects, including what computers are connected, what users we have, etc. So that's all we're doing here as we're setting up this Active Directory environment, and if you've ever been in a workplace setting and you're able to log into a computer and then maybe you're able to go to another computer down the hall and use the same credentials and log in there, chances are that was Active Directory.

So now this is finished setting up; go ahead and hit Close, and then we're going to come here, and you see this flag here, we're going to go ahead and say Promote this server to a domain controller. Now what are we gonna call this domain? So I like Marvel; I'm gonna call this MARVEL.local, and it says add a domain to an existing domain; we're gonna go ahead and just make this a new forest, and sorry, you're gonna have to type it again, MARVEL.local, just like this, on the root domain name. Go ahead and hit Next, and you can call this whatever you want, by the way; I'm just using this Marvel theme, feel free to use your own creative expression. Now we're gonna need a password here; I'm just gonna make it the exact same thing, Password1. Go ahead and hit Next, Next, and this will take a second to populate; it should pull up your NetBIOS domain name as MARVEL, or whatever you chose for it. Okay, that's populated; go ahead and hit Next, and if at any time you're doing this along with me and it's going slower, my environment's going faster than yours, feel free to pause and keep going. Go ahead and hit Next here and hit Next one more time. Now it's gonna do a prereq check; this is going to take a minute here. Once this is finished doing its prereq check go ahead and just hit the Install button, hit Next and Install, install everything, and get this all rebooted. So that's your next task: just Next, Install, reboot, and then meet me back when you're logged into the machine again, or at the login prompt. So go ahead and now hit Install; this will install and ask you to reboot; reboot, meet me at the login prompt, and I'll see you over there.

Okay, we are back to a login screen, so now we're gonna go ahead and log back in. You can see that it says MARVEL\Administrator, meaning that we do have a domain now. So I'm going to go ahead and just type Password1 and log in; it should bring up the server prompt. We've got one more feature that we need to install, and that is just the certificate. So we're going to install a certificate so that we can have LDAP secure running, and we're gonna need that later on if you ever want to utilize attacks against LDAPS; something like an IPv6 takeover attack utilizes LDAPS, and you can get pretty creative with it. So we're going to go ahead and go to Manage and Add Roles and Features. On this one we'll hit Next a couple times just like before, click through, and then we're looking for Active Directory Certificate Services. So right here, go ahead and select that and add the feature, hit Next, Next again, Next, Next, and then we'll restart the destination server automatically if required, and we'll just say Yes. We're gonna go ahead and hit Install, and this is going to install as well. We're gonna have the same situation where the flag's gonna come up and we're going to need to promote the certificate, or add the certificate in, once it's installed. So go ahead and just let this run through; pause here again if you need to, and then once it's done go ahead and meet me back and we'll go ahead and install this certificate.

Alright, your screen should look like this. Go ahead, hit Close, same deal up here with the flag: Configure Active Directory Certificate Services. And we're just going to hit Next on the credentials, click Certification Authority up here, hit Next; Enterprise CA is fine, Root CA is fine, we're gonna use a new private key, Next on the default, Next again, and then validity period: I always like to put 99 years just so that it never expires, because you never know how long you're gonna have this lab for. Let's go ahead and hit Next, Next, and then Configure. Now this is configured; we need to go ahead and restart the server to make sure that this takes effect. So we're gonna do that, and then once this is restarted again go ahead and just log back in and we'll move on to the next step. So go ahead and pause, let this reboot, move on to the next step.

Now that all the settings are configured, we're gonna go ahead and add some users to this; we're gonna add a file share, and we're gonna set up a service account so that way we can have a Kerberoasting attack be possible later. So first of all let's go up to Tools and we're going to say Active Directory Users and Computers, right here, and go ahead and click on this MARVEL.local, and you can come in here now, and this is kind of where your objects are. We have these OUs, right, these organizational units, and these are just basically folders. You can see here's one of your objects: it's a computer, it's a domain controller, and you see that's under Domain Controllers. Once we join computers to the network that's gonna show up here in the Computers section. We also have Users; we only have one user right now, that's the Administrator, and that's okay, and we got a bunch of security groups in here, including one of the targeted groups by pentesters, which is Domain Admins. You see this Guest account; any time it has this little down arrow next to it, that means it's actually disabled right now. So I like to add an organizational unit for groups, so I'm going to go ahead and right-click and just say New, Organizational Unit here, and I'm just going to call this Groups, hit OK, and go over to Users, and I'm just gonna take anything that's not Administrator and move it into Groups. Just say Yes, grab all these, move them into Groups, and now it's a little bit more organized.

So the first thing I want to do is create a few users. You can create as few or as many as you want; I'm going to create a domain administrator and I'm going to create a couple of user accounts as well. So we already have our Administrator account. What I'm going to do is just create a new user here, and I'm going to have the user Frank Castle, and this user is just going to be fcastle for my naming convention, just like that, and then Next, and I'm gonna make the password Password1 as well. And I'm making it all the same thing across the board because password reuse in networks is really big, especially when it comes to password attacks like pass the password or pass the hash: if you can capture one password or one hash and throw it around the network with a tool like CrackMapExec, you can actually leverage that and gain access to a lot of machines if that reuse is in existence. So go ahead here and just say Password never expires, hit Next and Finish. Go ahead and right-click and just copy this user, and I'm going to add in a second user who is Peter Parker, and I'm just going to call this pparker, hit Next, and then here we're gonna go ahead and just make the same password, Password1, and same deal, Password never expires, Next, Finish. Now lastly, right-click on your Administrator and we're going to go ahead and copy the Administrator, and I'm going to add in a SQL service account. It is very common to have service accounts in your network; this account is going to look something like this: SQLService. Now it's very common to see service accounts running as domain administrator. That is a no-no, but it happens a lot, and we can run attacks against this such as Kerberoasting, where we can abuse this and try to attack a weak password, and we're going to make this a weak password because that'll allow us to do a proof of concept. I'm gonna make this password MYpassword123#, and I'll show you how to spell that, but it's a capital M, capital Y, lowercase password, one two three, pound. Password never expires, Next, Finish. And I'm gonna go ahead and double-click on this user and put in the description "Password is MYpassword123#". Why am I doing this? Because a lot of domain admins will come in here and they'll put a password in the description, and then guess what, we can actually see that; we don't need administrator privileges to be able to pull down a lot of these properties from a domain controller. So if we can see these objects and we can get the descriptions pulled down, we can see what the password is, and I would say about ten percent of the time, maybe fifteen percent, I see a password in a description, and that gives us access to an account; we're able to own that account.

So from here we're gonna go ahead and make this SQLService an actual service. We're going to set up what's called an SPN, or service principal name, which is needed for a service. So go ahead and go to Command Prompt and run this as administrator, and we're going to type in the following command: setspn -a, and this is HYDRA-DC/SQLService.MARVEL.local, and I'm just going to utilize port 60111, and then it's gonna say MARVEL, like I type MARVEL\SQLService, just like this: setspn -a HYDRA-DC/SQLService.MARVEL.local:60111 MARVEL\SQLService. So if you need a second, go ahead and type this out; we're just associating this SPN and a port together. Okay, and it's updating the object; now it's registering a service principal name for the SQLService, and we can check that this is actually there with setspn -T MARVEL.local, and we'll do a -Q to look this up, like this, and then go ahead and hit Enter, and you should see down at the bottom we have our SQLService right here on port 60111. Perfect. Okay, so the SPN is all set up; we can now perform the Kerberoasting attack in our environment.

So next, a lot of attacks in environments are related to SMB, so we need to have SMB ports 139 and 445 open. I'm going to go ahead and just go out to the C drive and make a new folder and call that hackme, and then I'm gonna come into our File and Storage Services, and here there is a share, so Shares right here; go ahead and do Tasks, New Share, and then we're just gonna say SMB Share, click Next, and then Next, actually, back, sorry, we're going to use a custom path and we're going to use hackme as the folder, select Next, and then Next here, Next, Next, and Create. Okay, Close, and now we have SMB open in our network, so we can perform attacks against 139 and 445, not only against the domain controller, but we're gonna do the same kind of deal for our user machines as well so that they're discoverable on the network. So last thing, we're gonna go ahead and go out to a command prompt and we're just gonna type in ipconfig and pull down the IP address of this server.

So now what we have done is we have set up our domain controller for this Active Directory environment. We now need to build out a couple user machines. These user machines are going to be identical, so as we build these out, go ahead and build one, or build both at the same time if you want. I'm going to build one and then talk about the other, and we'll see what it all looks like when it's said and done, and what other settings you might want to consider once you have your lab environment built. So let's go ahead and now move on, and we're gonna go up here and go to Workstation, File, New Virtual Machine, same deal. This time we're gonna go ahead and hit Next, Browse, and I'm gonna select this one here which is my Windows 10 workstation, and go ahead and hit Next; same deal, just Windows 10, we'll just call it Enterprise, and we're gonna hit Next, say Yes, and then this, obviously I have multiple machines, again same deal, don't worry about that. I'm gonna hit Next, split the virtual disks up, don't power it on, just like before; go ahead and hit Finish, and this will create the file on disk. What we're going to do is the same exact setup as before. So if you don't recall, we're gonna edit the settings, we're gonna go in there, make sure it's running on the NAT network, two gigabytes of RAM or more depending on your setup, and remove that floppy, most importantly. The Windows 10 is gonna take a little bit longer to set up; it has a beefier install. So go ahead and hit Edit Virtual Machine Settings, and again, if you want to do two at once you're more than welcome. So go ahead, two gigabytes is fine, I'm gonna remove the floppy drive, and we should be running NAT, so hit OK there, and now we're gonna go ahead and power on this virtual machine. Make sure your fingers are ready; we're gonna hit any key and that's gonna boot to the setup.

Now the setup is going to be pretty similar to how we did this for the other machine. I'm gonna utilize the same passwords across the board and just keep it simple. So we're gonna hit Next here and Install Now, and this will bring up that prompt; we're going to set up our files again, or our structure of our disk, and then, again, just pause if you need to. I accept the license terms, Custom install, and we're gonna say New, Apply, OK, and look, similar to before, Next, and go ahead and let this install. So go ahead, pause your video, meet me back once you're at the next prompt and we'll go ahead and move forward with this install. So that probably took you about, I don't know, five minutes or so, a little bit longer as I said. So you should be brought to this screen; go ahead and pick whatever region. I'm in the US, so I'm going to say US and say Yes, and then keyboard layout for me is the US, so Yes; skip the second keyboard layout, and then we're going to do a little bit of setup here, so pause again as you need to, wait it out, and then meet me back when you're ready.

Now you should be brought to this screen here where it says sign in with Microsoft; go ahead and just say Domain join instead, and then it's gonna say who's gonna use this PC. So I have Frank Castle, so Frank Castle is gonna use this PC, and then your other one can be whoever; I made Frank Castle and Peter Parker, so you can use those users. And then create a super memorable password; guess what, Password1 for me. Next, and then I'm gonna confirm that sucker, and you would think that they would make you utilize a stronger password policy, but they don't. So my first pet's name was Bob, and then the city I was born in was Bob, and then, well, we've got your childhood nickname; guess what that was, Bob. So Next, Next, Next; we're gonna say do more with devices, go ahead and say No, decline all these features, just turn all this stuff off; it's really just nonsense. So go ahead, turn all this off, and then hit Accept, and it's going to do its wonderful "Hi" screen if you've never seen this before. So same process here: what we're gonna need to do is we're going to need to come in, we're going to have to set up the install of the VMware Tools so that we can get this to a nice full screen, and then we're going to rename this computer, reboot it, and try to join the domain once we do. So go ahead and pause one more time here; we're gonna let this do its install, and then meet me once you're actually on a Windows screen and logged in.

Okay, so your screen should look something like this, and now we're gonna go up here, same deal as before, go to VM, Install VMware Tools, hit Install, go ahead and go out to the folder and we're going to install those. Alright, and this is gonna be the same thing, just Next, Complete, Next, Next, Next, so once this pops up, alright, that's gonna install. While we're waiting on that to install we can go ahead and change the PC name, so we'll just say PC name, start typing it out, and I'm gonna call this THEPUNISHER, something along the lines of The Punisher, because that's whose machine it's gonna be. You can call this whatever you want; THEPUNISHER-, I have one other one in my network, so we'll just call this one -2, and we'll hit Next, and then we're gonna have to reboot here, and then we'll end up joining the domain
see what it looks like once it's joined the domain so go ahead and reboot and so from here if you're doing this basically all you need to do is repeat all these steps i know i said i want to say it again repeat all these steps make your second machine now that machine is going to be utilized for SMB relay attacks and other attacks would related to relays if you're tight on space again that's an optional machine to set up we can perform a lot of these attacks with just one machine in the network and let's go ahead now and log back in here as Frank Castle password one and then I'm going to join the domain now so remember on Windows Server we came in here and we grabbed our IP address I'm gonna grab that one more time because I don't remember it and mine is 192 168 57 143 I'm going to copy that or at least attempt to and I'm gonna come into here we're gonna right click and open network and internet settings down here below we're going to change adapter options we're gonna double click on a thern and 0 go to properties go to ipv4 and double click and we're going to use DNS server here go ahead and paste your DNS server your DNS server is going to be your domain controller alright so that will allow us to actually be able to communicate with it at a level where we can join the domain so once you have that done go ahead and go to a command prompt actually don't go to command prompt we won't need you go ahead and just type in domain and it'll say access work or school go ahead and click on that hit connect up here and we're going to join our domain now so join this device to a local Active Directory domain the domain is Marvel dot local hit next that should pop up if this does not pop up then you're not communicating between your domain controller and this machine alright now I'll go ahead and type in the administrator and password 1 or whatever password you set up hit OK it should accept the credentials go ahead and just skip this account and restart now so that's going 
to join the computer to the domain let's pop over to our server and go into our our Active Directory users and computers come over to computers and hit refresh and you can see now that the punisher 2 computer has been added here so we now have access to this and what we're going to do is we're going to come in here and we're going to log in as the marvel administer we're gonna set up something on this machine and then I'm going to instruct you how you should set it up on your other machine or your secondary machine so that you have access to do some relay attacks so come in here and go to other user sign into we're gonna do a Marvel slash administrator I will say password one that will login to this computer and then we're going to make the user Frank Castle F Castle the domain user a local administrator on this computer so it's very common in networks Active Directory networks to have local administrators or users be local administrators of their own computers whether that's right or wrong it's not right we're going to let them do that and we're going to emulate that sort of network here and that's going to allow us to have access to a lot of common attacks and be able to elevate privileges on that machine via SMB etc so go ahead and come here and we're going to we're going to say manage and go to computer management load that up local users and groups go to groups administrators and then we're going to add an administrator here and we're going to add F Castle you should be able to check and autocomplete that say ok apply and ok now last thing and you're gonna do this on both machines so let me type this out on a notepad you have machine one for me that's the punisher right i can spell it the punisher and f castle is a local admin you have machine to that is spider-man and p parker should be a local admin now on these machines you could do it either way you can have f castle as a local admin here and you can have p Parker if you want or just one location if you 
want as well but I like to just have it in one place to the other but you can have Peter part her and Frank Castle as admins on these machines and that will allow you to perform relay attacks in the network so go ahead and set that up I'll actually emulate that here with the computer management one more time so go to computer management and we'll set that up and then we're going to set up the SMB for this and we'll have SMB enabled and allow for a lot more attacks as well so administrators I'm gonna add P Parker here check names hit OK apply there we go and then come into here open a folder and go to network and it says network discovery is turned off we're gonna go ahead and turn on that we're discovery and file-sharing that enables 139 445 we should be able to start seeing machines pop up like the Punisher we need to be able to enter in credentials etc to access these but now we have network discovery on so what does this all mean let's go back to the PowerPoint and kind of talk through this since we've got this set up now so let's go back one slide possible attack scenarios ll M&R poisoning ll M&R is a feature that is enabled by default on a Windows setting it allows us to capture hashes and either take them offline and crack them or use what it called relay attacks to pass them along we have set up SMB relay attacks because there is a feature called SMB signing that has automatically disabled in a Windows network on workstations so we have two machines where we can relay a credential from one machine to another via that llm in our and so that attack scenario is now set up ipv6 is enabled by default and we have the LDAP s set up with the certificate and your you're seeing here that a lot of this is just default settings and that's that's really what Active Directory is it's abusing a lot of these default configurations and just out of the box settings that are quote unquote features but they allow us to attack networks that aren't secure utilizing strong 
credentials or just not having the best policies in place now we have SMB enabled which is going to allow us to utilize past the password or past the hash on these machines token impersonation is a feature of Windows and is there by default Kerberos ting we set up when we added the sequel service user and golden ticket attacks are a feature that we can abuse by default Power View bloodhound etc me me cats all that we can install and utilize in this network play around with the numeration as well so all of these attack scenarios have been set up for us now it is your task to go out there and learn these scenarios and figure out how to pull these off in your network but it's fully possible to do every single one of these attacks that are on the screen plus more the only thing that's not here would be more advanced attacks and things that abuse items like trusts so if you have multiple domain controllers or if you have a parent domain controller and a child domain controller and that just gets to become a bigger and bigger network and you need more resources so this is built for the home user that has a somewhat decent computer a little bit of RAM a little bit of space and can build out this attack scenarios so hopefully this has been informative for you I know we kind of just went through the build it was a lot of start stop start stop but now you have that foundation you might not have any idea what's going on right now and that's okay but you have the foundation now it's up to you to take the foundation look at these possible attacks and work your way through it I guarantee you there is a blog or resource out there for every single attack listed on this screen so I challenge you to work on the left side down and then the right side down and work in that order figure it out have fun with it and I hope you really enjoy this lab so if you did please do comment down below hit that like subscribe hit the bell you know please do support the channel if you can just by by 
hitting that thumbs up or that subscribe button and that's it my name is Heath Adams and I I do thank you for joining me
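The workstation-side steps the video clicks through (point DNS at the domain controller, rename and join MARVEL.local, make the domain user a local administrator, turn on network discovery and file sharing) as one PowerShell script. This is an added example, not code from the video or its author. It reuses the lab values shown in the video (domain controller at 192.168.57.143, domain MARVEL.local, user fcastle, computer name THEPUNISHER, adapter Ethernet0) and assumes it runs in an elevated PowerShell on the Windows 10 VM; the script structure, the pre-join DNS check and the SMB-signing read-back at the end are additions of this example, not steps from the video.

```powershell
# Added example (not from the video): workstation-side lab setup in one script.
# Run elevated on the Windows 10 VM. Defaults are the lab values used in the
# video; the adapter alias is assumed, confirm it with Get-NetAdapter.
param(
    [string]$DomainName     = 'MARVEL.local',
    [string]$DcIp           = '192.168.57.143',  # DC doubles as the DNS server
    [string]$ComputerName   = 'THEPUNISHER',
    [string]$AdapterAlias   = 'Ethernet0',
    [string]$LocalAdminUser = 'fcastle'          # domain user to make local admin
)

$netbios = $DomainName.Split('.')[0]             # MARVEL

# Step 1: point DNS at the domain controller so the domain name resolves.
Set-DnsClientServerAddress -InterfaceAlias $AdapterAlias -ServerAddresses $DcIp
Clear-DnsClientCache

# Sanity check before the join: if this fails, the VM cannot reach the DC's DNS
# and the join dialog in the video "will not pop up".
if (-not (Resolve-DnsName -Name $DomainName -Type A -ErrorAction SilentlyContinue)) {
    throw "Cannot resolve $DomainName via $DcIp; check NAT networking and the DC's DNS role."
}

# Step 2: join the domain (rename happens in the same call) and reboot.
# Add-Computer prompts for the domain admin password; it is never hard-coded.
$partOfDomain = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
if (-not $partOfDomain) {
    $cred = Get-Credential -UserName "$netbios\administrator" -Message 'Domain join credentials'
    Add-Computer -DomainName $DomainName -NewName $ComputerName -Credential $cred -Restart -Force
    return  # the machine reboots here; log back in as MARVEL\administrator and re-run
}

# Step 3 (after the reboot): make the domain user a local administrator.
# This is the deliberately weak configuration the lab wants for relay and
# pass-the-hash practice.
$member = "$netbios\$LocalAdminUser"
if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $member -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $member
}

# Step 4: network discovery and file/printer sharing (opens 139/445 in the host firewall).
Set-NetFirewallRule -DisplayGroup 'Network Discovery'        -Enabled True
Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled True

# Check: read back what the lab now relies on. On a workstation,
# RequireSecuritySignature defaults to False, which is the precondition for the
# SMB relay scenario; if it reads True, relaying to this host will fail.
Get-SmbServerConfiguration | Select-Object EnableSecuritySignature, RequireSecuritySignature
Get-LocalGroupMember -Group 'Administrators'
```

Run it once before the join (it reboots the machine) and once more after logging back in as the domain administrator; the second run skips the join and performs steps 3 and 4. For the second workstation, pass `-ComputerName SPIDERMAN -LocalAdminUser pparker`. The final two lines are the check a practitioner wants before starting on the relay attacks: the user is in Administrators and SMB signing is not required.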
Info
Channel: The Cyber Mentor
Views: 86,733
Keywords: thecybermentor, the cyber mentor, pentesting, pen testing, m4v3r1ck, tcm, cybersecurity, ethical hacking, penetration testing, penetration tester, kali linux, walkthrough, mitm6 tutorial, ipv6 dns takeover, dns takeover, ipv6 attack, hacking, hacker, domain admin, dns, takeover, active directory, lab build, active directory lab, kerberoasting, llmnr
Id: xftEuVQ7kY0
Length: 48min 6sec (2886 seconds)
Published: Fri Dec 27 2019