Build It Before Breaking It !!

So, you want to be a red teamer? Then you have to build your own small Active Directory home lab right now! Remember: if you want to break it, you have to build it!!
This is the first post in the series “Creating your own Active Directory Lab” that I will be continuing in the upcoming weeks.
In this blog, I will help you set up a few attacks that become possible because of a couple of checkboxes (misconfigurations) that you should understand before ticking them, and that you will keep encountering during your pentests :)
We will be setting up the following attacks in this post.
- AS-REP Roasting
- Kerberoasting
- DCSync
Let’s get started!
I am running Windows Server 2019 as my Domain Controller and Kali Linux as my attacking VM. You can download Windows Server from here.
NOTE: I am using the evaluation version of Windows Server and I have already added the "Active Directory Domain Services" role and promoted the server to a Domain Controller. There are plenty of videos available online on 'How to set up Active Directory'.
Make sure that both the DC and Kali are on the same network and that the Kali clock is within five minutes of the DC's; Kerberos rejects requests outside that skew, so the Impacket checks below will fail with a clock-skew error if the two VMs drift apart.
AS-REP ROASTING:
First log in as Administrator. Open Server Manager → Tools → Active Directory Users and Computers.

On the Active Directory Users and Computers window, click View → Advanced Features. (This is what makes the Attribute Editor tab appear on object properties; we will need it for the Kerberoasting section.)

First let's create a test user account, because the Impacket scripts used below authenticate to the DC (an LDAP bind) to enumerate target accounts, so we need valid domain credentials. I am going to create a test user named "Test" with the password "P@ssw0rd". Follow these instructions to create it.
Expand your domain (here APT.LOCAL) → right click the Users container → New → User. Another window pops up; enter the details and create the user.


Click Next. Enter the password and, before clicking Finish, uncheck "User must change password at next logon" and check the next two options ("User cannot change password" and "Password never expires"), so the lab account keeps working without password prompts.

To check whether it was created, press the refresh button in the Active Directory Users and Computers window, or enter the following command in PowerShell or a command prompt.
net user /domain

You can also create a user from the command line with the command below. Note the quoting: PowerShell strips the single quotes, but cmd.exe passes them through literally and the password would become 'P@ssw0rd' including the quotes, so in cmd.exe drop the quotes or use double quotes.
net user test 'P@ssw0rd' /add /domain
Let's make it vulnerable to AS-REP roasting now :)
Go to Active Directory Users & Computers → Users → the account you created (in my case "test") → right click and choose Properties.

On the new window, go to the Account tab and, under Account options, check the 'Do not require Kerberos pre-authentication' box. With pre-authentication off, the KDC hands out an AS-REP for this user to anyone who asks, and part of that reply is encrypted with the user's password-derived key, which is what gets cracked offline.
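The same setup from PowerShell, as an added example that is not part of the original post: it creates the "test" account exactly as the wizard steps above do, clears Kerberos pre-authentication, and then runs the LDAP query an attacker (and GetNPUsers.py) would use to find every roastable account. It assumes you run it on the DC (or a box with the RSAT ActiveDirectory module) as a domain admin, and that the domain is APT.LOCAL as in the post.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (present on a DC) and the domain APT.LOCAL from the post.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$password = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force

# Same result as the New Object - User wizard with the checkboxes set as in
# the post: no forced change at logon, cannot change, password never expires.
New-ADUser -Name 'test' -SamAccountName 'test' `
    -UserPrincipalName "test@$($domain.DNSRoot)" `
    -Path "CN=Users,$($domain.DistinguishedName)" `
    -AccountPassword $password -Enabled $true `
    -ChangePasswordAtLogon $false -CannotChangePassword $true `
    -PasswordNeverExpires $true

# The "Do not require Kerberos pre-authentication" checkbox is this flag:
# UF_DONT_REQUIRE_PREAUTH = 0x400000 (4194304) in userAccountControl.
Set-ADAccountControl -Identity 'test' -DoesNotRequirePreAuth $true

# Verify the way an attacker finds targets: an LDAP bitwise-AND match on
# userAccountControl. Only "test" should appear in a freshly built lab;
# anything else listed here is roastable too.
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' `
    -Properties userAccountControl |
    Select-Object SamAccountName, Enabled,
        @{ n = 'UAC(hex)'; e = { '0x{0:X}' -f $_.userAccountControl } } |
    Format-Table -AutoSize
```

The final query is also the one to keep for the defensive side of the lab: run it before and after your changes and the diff is your list of AS-REP roastable accounts.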

Let's see whether we can exploit it. Spin up your Kali VM; I will be using the Impacket scripts for exploitation. You can get them from here.
Add the domain name (apt.local) and the hostname of your DC to your hosts file at /etc/hosts, both pointing at the DC's IP, because the script resolves the domain name to find the LDAP server and the KDC. Then use the following command to request the AS-REP hash for the test user.
impacket-GetNPUsers apt.local/test:'P@ssw0rd' -request

This blog is about setting up the environment, so I won't be discussing how this script works or how to crack what it returns. Let's move on to the next misconfiguration.
KERBEROASTING:
I am going to create another user account called "Kerberoast-me" for demonstration purposes. Follow the same instructions we used earlier to create it.
Now, to make it vulnerable, right click on the user account → Properties → Attribute Editor → look for servicePrincipalName and add a value using the correct syntax, service/host[:port], for example "HTTP/kerberoast-me.apt.local". The host does not have to exist: any authenticated domain user can now ask the KDC for a service ticket for that SPN, and the ticket is encrypted with this account's password-derived key, which is what gets cracked offline. Keep the SPN unique in the domain; a duplicate SPN breaks Kerberos for both accounts.
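The same change from PowerShell, as an added example that is not from the original post: it adds the SPN to "Kerberoast-me" (creating the account first if it is missing) and then lists every user account that carries an SPN, which is the query GetUserSPNs.py runs on the attacker side. It assumes the ActiveDirectory module, the domain APT.LOCAL and the post's password; the SPN value is an arbitrary example.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module, the domain APT.LOCAL and the password used throughout the post.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$password = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force
$user     = 'Kerberoast-me'

# Create the account if the GUI steps were skipped.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$user'")) {
    New-ADUser -Name $user -SamAccountName $user `
        -UserPrincipalName "$user@$($domain.DNSRoot)" `
        -AccountPassword $password -Enabled $true -PasswordNeverExpires $true
}

# Equivalent of editing servicePrincipalName in Attribute Editor.
# Format is service/host[:port]; the host is hypothetical and need not exist.
$spn = "HTTP/kerberoast-me.$($domain.DNSRoot)"
Set-ADUser -Identity $user -ServicePrincipalNames @{ Add = $spn }

# Verify the way an attacker sees it: user objects (not computers) with at
# least one SPN. krbtgt is excluded because its key is machine-generated and
# not realistically crackable. Any other account listed here is a target,
# and an old PasswordLastSet usually means a weaker password.
Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(samAccountName=krbtgt)))' `
    -Properties servicePrincipalName, PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'SPNs'; e = { $_.servicePrincipalName -join ', ' } } |
    Format-Table -AutoSize
```

Get-ADUser only returns user objects, so machine accounts (which all have SPNs but random 120-character passwords) stay out of the list; that matches what GetUserSPNs.py reports.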

That's it!! This account can be Kerberoasted now.
Now let's check. Go to your Linux VM and enter the following command.
impacket-GetUserSPNs apt.local/test:'P@ssw0rd' -request

DCSync:
Once again, I am going to create a new user account, named "DCSync-Me", for this attack.
To make it vulnerable, go to Active Directory Users & Computers → right click on the domain name (APT.LOCAL in my case) → click Properties → Security → Advanced.


On the new window, click Add → click "Select a principal".


Enter the name of the user account you created and click "Check Names". Click OK once done.
Next, scroll through the permissions and check the replication rights: "Replicating Directory Changes" and "Replicating Directory Changes All" (optionally "Replicating Directory Changes In Filtered Set" as well). These are the extended rights Domain Controllers use to replicate with each other; an account that holds them on the domain object can ask the DC for every account's password hashes over the replication protocol (DRSUAPI), which is exactly what secretsdump does.

Click OK, Apply and OK. That's it!! The domain is vulnerable to DCSync now :)
Let's check.
Type the following command on your Linux VM (the IP is my DC's; use yours).
impacket-secretsdump apt.local/dcsync-me:'P@ssw0rd'@192.168.182.159
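The same permission change from PowerShell, as an added example that is not part of the original post, followed by the audit query a defender would run to find who can DCSync the domain. It assumes the ActiveDirectory module, the domain APT.LOCAL and the post's password; the three GUIDs are the rightsGuid values of the replication extended rights in the AD schema and are the same in every forest.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module (present on a DC), the domain APT.LOCAL and the post's password.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$password = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force
$user     = 'DCSync-Me'

if (-not (Get-ADUser -Filter "SamAccountName -eq '$user'")) {
    New-ADUser -Name $user -SamAccountName $user `
        -UserPrincipalName "$user@$($domain.DNSRoot)" `
        -AccountPassword $password -Enabled $true -PasswordNeverExpires $true
}

# rightsGuid of each replication extended right (schema constants).
$replRights = @{
    'DS-Replication-Get-Changes'                 = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'DS-Replication-Get-Changes-All'             = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
    'DS-Replication-Get-Changes-In-Filtered-Set' = '89e95b76-444d-4c62-991a-0facbeda640c'
}

# Same ACEs the GUI steps add: Allow <user> ExtendedRight <guid> on the domain object.
$sid    = (Get-ADUser $user).SID
$dnPath = "AD:\$($domain.DistinguishedName)"
$acl    = Get-Acl -Path $dnPath
foreach ($guid in $replRights.Values) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [guid]$guid)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path $dnPath -AclObject $acl

# Audit: who can DCSync? Match ACEs granting one of the replication rights,
# or all extended rights (empty ObjectType), or GenericAll. On a clean DC only
# built-in identities (Administrators, Domain/Enterprise Admins, Domain
# Controllers, Enterprise Domain Controllers, SYSTEM) appear; a plain user
# account in this output is the misconfiguration.
(Get-Acl -Path $dnPath).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll' -and
        ($_.ObjectType -eq [guid]::Empty -or
         $replRights.ContainsValue($_.ObjectType.ToString()))
    } |
    Select-Object IdentityReference,
        @{ n = 'Right'; e = {
            $g = $_.ObjectType.ToString()
            if ($g -eq [guid]::Empty.ToString()) { 'All extended rights / GenericAll' }
            else { ($replRights.GetEnumerator() | Where-Object Value -eq $g).Key } } } |
    Sort-Object IdentityReference | Format-Table -AutoSize
```

secretsdump needs both Get-Changes and Get-Changes-All to pull secrets; the Filtered-Set right only matters for attributes in the RODC filtered attribute set, so leaving it out does not stop the attack. The audit block is worth running against any real domain you assess: it is the same question BloodHound answers with its DCSync edge.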

OK. That's it for this blog. In the next post we will see how to set up delegation-based attacks such as constrained and unconstrained delegation.
Feel free to text me on LinkedIn, Twitter or Discord if you are facing any issues setting it up.
Buy me a coffee, if you think, I deserve it :)