
Laboratorio de Computación

This field is definitely one that requires a lot of self-study (at least for this noob) and as a result, I wanted to practice some different attacks against Windows systems, specifically within an Active Directory (AD) environment. This led me to build out a mini lab with a handful of virtual machines. For this scenario, I decided to just use my laptop as opposed to standing up some infrastructure in the "cloud". This post walks through some of the steps I took to get stood up with a simple Active Directory environment (Domain Controller, workstation, and Exchange Server). Some of the other blog posts make use of this lab setup for testing different attacks.

A few quick tips upfront:

  • if possible, use VMware Workstation Pro to take advantage of snapshots (think of these as checkpoints in video games, helpful when breaking/building things)
  • store the VMs on an SSD
  • use Shared Folders in VMware to quickly share files between systems (allows for files to remain on the host system when a VM is off or deleted)

Disclaimer: I am by no means a legit sysadmin, but felt that walking through some of these setup steps was helpful for me to learn and solidify my processes.

Control da Domain --- DC01 (10.10.10.5)

First, I stood up a Domain Controller. I used Windows Server 2019, and downloaded it from here. Quick note on system requirements: I installed this VM with 4GB of RAM initially, and 40GB of disk storage. For networking, I gave it two adapters, one NAT interface (for internet/updates), and the other on the host-only subnet 10.10.10.0/24. For the host-only interface, I assigned a static IP address of 10.10.10.5. Once the lab was stood up, I changed the RAM down to 2GB since my laptop isn't as beefy as I'd like it to be. Only rockin 16GB for now.

Ok, so now we have a server, let's do some tweaking to get AD up and running. I followed this guide to enable AD and promote the server to a Domain Controller.

I added a basic domain user, thenoob, by following this guide.

Basic User's Workstation --- THENOOB (10.10.10.13)

The next system I installed and configured was a Windows 10 VM, using the VMware files from here. For this VM, I used 2GB of RAM, and 40GB of disk storage. I then joined this system to the NOOB.LOCAL domain by following this guide.

I then enabled Remote Desktop Protocol (RDP) access to both systems using this as a reference.
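
The DC01 and THENOOB steps above can also be scripted. The PowerShell below is an added example, not taken from the original post or the guides it links to. The stage names, the adapter alias `Ethernet1`, the /24 prefix length and the prompted passwords are assumptions, and DC01 is assumed to already carry its hostname before promotion.

```powershell
# Added example: scripted build of the DC01 / THENOOB lab. Run from an elevated prompt.
# Assumed (not from the post): stage names, adapter alias, prompting for all secrets.
param(
    [Parameter(Mandatory)]
    [ValidateSet('DC-Promote', 'DC-AddUser', 'Workstation-Join')]
    [string]$Stage,
    [string]$HostOnlyAlias = 'Ethernet1'   # assumed name; confirm with Get-NetAdapter
)

$Domain = 'noob.local'
$DcIp   = '10.10.10.5'

function Enable-LabRdp {
    # Allow RDP connections and open the matching built-in firewall rule group.
    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' `
        -Name 'fDenyTSConnections' -Value 0
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Set-LabAddress([string]$Ip) {
    # Static address on the host-only NIC only. No gateway is set here, so the
    # lab subnet stays unrouted and the NAT adapter keeps handling updates.
    New-NetIPAddress -InterfaceAlias $HostOnlyAlias -IPAddress $Ip -PrefixLength 24
    # Domain members must resolve through the DC, which hosts the AD DNS zone.
    Set-DnsClientServerAddress -InterfaceAlias $HostOnlyAlias -ServerAddresses $DcIp
}

switch ($Stage) {
    'DC-Promote' {
        Set-LabAddress $DcIp
        Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
        # Creates the new forest and DNS zone; the server reboots when it finishes.
        Install-ADDSForest -DomainName $Domain -InstallDns `
            -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString)
    }
    'DC-AddUser' {
        # Run after the post-promotion reboot, logged on as a domain admin.
        New-ADUser -Name 'thenoob' -SamAccountName 'thenoob' `
            -UserPrincipalName "thenoob@$Domain" -Enabled $true `
            -AccountPassword (Read-Host 'Password for thenoob' -AsSecureString)
        Enable-LabRdp
    }
    'Workstation-Join' {
        Set-LabAddress '10.10.10.13'
        Enable-LabRdp
        Add-Computer -DomainName $Domain -NewName 'THENOOB' -Restart `
            -Credential (Get-Credential -Message "Domain admin for $Domain")
    }
}
```

Run the `DC-Promote` and `DC-AddUser` stages on the server and `Workstation-Join` on the Windows 10 VM, and take a snapshot after each stage so a failed step can be rolled back.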

Exchange Challenges --- XCHANGE (10.10.10.4)

To get up and running with Exchange, I used this ISO, and installed Windows Server 2016. For this server though I had to give it more juice, 8GB of RAM and 100GB of disk storage. I ended up following this guide to get Exchange installed and configured. The installation for Exchange can be found here. I will admit, installing and configuring Exchange was a bit of a time-consuming challenge, but I feel that building an environment like this is definitely a solid learning experience.

Once Exchange was finally installed, I added mailboxes to test the ability to send/receive emails. You can use this guide as a reference. After creating a couple of user mailboxes, I attempted to send emails to them, but sent emails would end up in the Drafts folder, erroring out with the message: "Something went wrong and we haven't been able to send your message". If you happen to run into this issue in your setup, here's a quick solution that worked for my lab. I had to modify some settings in the Exchange Control Panel to ensure that the DNS lookups were pointing to my domain controller, DC01.

Testing the ability to send and receive emails...

Boom, success.

So here's a quick little diagram of the environment we just set up. Of course, throw in your choice of attacking machine and put it on the same host-only network interface to carry out attacks.

Alternatives

As mentioned above, my setup makes use of just my laptop. However, if you wanted to make use of Amazon's AWS, you could follow this guide, and make any changes to the stack template as needed. Another option is to use Invoke-ADLabDeployer as described in the blog post found here.
