Building an Active Directory Attack Lab: A Deep Dive into Offensive Infrastructure Simulation

Table of Contents

• Why Should I Build an Active Directory Lab?
• Lab Overview
• Possible Attacks / Scenarios in Lab
• Resources to Learn AD Attacks
• Virtualization Setup: VMWare / VirtualBox
• Downloading ISOs from Microsoft Evaluation Center
• Installing Windows Server 2019
• Making Windows Server as a Domain Controller
• Setting Up a Certificate Authority
• Configuring Users, File Shares, and Service Accounts
• Installing Windows 10 Client
• Joining the Domain with Our User Machine(s)
• Final Setup of User Machine
• Engineer's Verdict: Is This Lab Worth It?
• Operator's / Analyst's Arsenal
• Practical Workshop: Initial Compromise & Persistence
• Frequently Asked Questions
• The Contract: Your First AD Breach Simulation

The digital shadows are long, and in the heart of every enterprise network lies Active Directory – a labyrinth of users, machines, and permissions. For the offensive security professional, it's not just a target; it's the central nervous system. A compromised AD means the keys to the kingdom. But how do you learn to dance with these digital ghosts without risking a real-world catastrophe? You build your own graveyard. This isn't about playing in a sandbox; it's about dissecting a live organism, understanding its pulse, its weaknesses, and how to exploit them. We're not just installing software today; we're architecting an attack surface.

Why Should I Build an Active Directory Lab?

In the grim reality of cybersecurity, theoretical knowledge is just foreplay. True mastery comes from hands-on experience, and when it comes to Active Directory (AD), the stakes are astronomical. AD is the bedrock of most corporate networks, the central authority managing users, groups, policies, almost everything. If you aim to be effective in penetration testing, red teaming, or even advanced threat hunting, understanding AD from an attacker's perspective is non-negotiable. Building your own AD lab provides a safe, controllable environment to:

• Master Attack Techniques: Practice common AD attack vectors like Kerberoasting, Pass-the-Hash, Golden Ticket attacks, and privilege escalation without impacting production systems.
• Understand Reconnaissance: Learn how attackers map out AD structures, identify sensitive accounts, and discover vulnerabilities before launching an attack.
• Develop Custom Tools: Test and refine your custom scripts and tools against a realistic AD environment.
• Improve Defense Strategies: By understanding how attackers exploit AD, you can better advise on and implement defensive measures.
• Prepare for Certifications: Many advanced cybersecurity certifications, like the OSCP, heavily feature AD attack scenarios.

Ignoring AD as a target is like a boxer refusing to train for their opponent's strongest punch. It's a critical oversight that can lead to catastrophic breaches. This lab is your training ground, your testing facility, your digital morgue.

Lab Overview

Our objective is to construct a functional, albeit simplified, Active Directory domain. This will involve setting up a Windows Server as the Domain Controller (DC) and at least one Windows client machine that will be joined to this domain. Think of the DC as the king's castle and the client as a subject within its walls. We'll then introduce the elements that make AD a target: users, groups, file shares, and potentially service accounts. The beauty of this setup is its scalability. You can expand it later with more domain controllers, member servers, and even Linux clients integrated into the domain.

Possible Attacks / Scenarios in Lab

Once the basic infrastructure is in place, the real fun begins. This lab isn't just for installation tutorials; it's a launchpad for mimicking real-world threats. Here are a few scenarios you can explore:

• Initial Foothold & Lateral Movement: Simulate gaining initial access to a client machine and then moving laterally within the domain to compromise the Domain Controller.
• Credential Harvesting: Practice techniques to extract user credentials, such as phishing simulations or exploiting vulnerabilities to capture hashes.
• Privilege Escalation: Learn how to escalate privileges from a standard user to an administrator, both on the client and potentially on the domain itself.
• Persistence: Implement methods to maintain access to compromised systems, even after reboots or credential changes.
• Data Exfiltration: Practice exfiltrating sensitive data from file shares or user directories.
• Kerberoasting & Pass-the-Hash: Master these fundamental AD post-exploitation techniques.

Resources to Learn AD Attacks

Building the lab is the first step; understanding the adversary's playbook is the next. Thankfully, the community has produced invaluable resources. Don't rely on hearsay; dig into the primary sources. For those serious about understanding and exploiting Active Directory, these are essential:

• ADSecurity.org: Sean Metcalf's blog is a goldmine for AD security. His insights into attack vectors and defensive strategies are unparalleled.
• Harmj0y's Blog: Will Schroeder's work, especially his contributions to tools like PowerSploit and Empire, provides deep dives into AD exploitation techniques.
• SpecterOps: While often focused on enterprise defense, their content regularly delves into offensive AD operations, making them a crucial resource for understanding the adversary's mindset.
• Books: "The Hacker Playbook" series often includes AD scenarios, and dedicated books on Windows Internals and Active Directory security are invaluable for deep dives.

This knowledge isn't optional; it's the ammunition you'll need once your lab is operational. Treat these resources with the reverence of a detective studying case files.

Virtualization Setup: VMWare / VirtualBox

We're not going to install bare-metal servers for a simulation environment. That's for amateurs with unlimited space and budget. Virtualization is your ally. It allows you to spin up, tear down, and snapshot environments with ease. For this lab, we'll focus on two industry standards:

• VMware Workstation Player/Pro: A powerful, robust choice, especially for more complex setups. The Player version is free for non-commercial use.
• Oracle VM VirtualBox: Completely free and open-source, VirtualBox is an excellent option for beginners and those on a budget.

Both platforms offer the necessary features: creating virtual machines (VMs), configuring virtual networks (crucial for isolating your lab), managing snapshots, and allocating resources (CPU, RAM, Disk). For this guide, we'll assume you've chosen one and have it installed. The core principles remain the same regardless of your hypervisor.

Downloading ISOs from Microsoft Evaluation Center

You can't build a Windows domain without Windows. Microsoft provides evaluation versions of its server and client operating systems, which are perfect for lab environments. These are fully functional for a limited time (usually 90-180 days), more than enough for building and testing your lab.

Steps:

1. Navigate to the Microsoft Evaluation Center.
2. Search for "Windows Server" and download the latest available version (e.g., Windows Server 2019 or 2022). You'll typically download an ISO file.
3. Similarly, search for "Windows 10 Enterprise" or "Windows 11 Enterprise" and download its ISO.

Ensure you download the correct architecture (usually 64-bit). Keep these ISO files handy; they will be your installation media.

Installing Windows Server 2019

This is where the foundation is laid. The Domain Controller is the heart of your AD environment. Treat its setup with meticulous care; a misconfigured DC is a weak DC.

Steps:

1. Create a new virtual machine in your hypervisor. Allocate sufficient resources: at least 2 vCPUs, 4GB RAM (8GB recommended), and 60GB+ disk space.
2. Configure the VM to boot from the downloaded Windows Server 2019 ISO.
3. Start the VM and proceed with the Windows Server installation.
4. Choose "Windows Server 2019 Standard (Desktop Experience)". The "Desktop Experience" option includes the graphical user interface (GUI), which is essential for this guide.
5. During installation, you'll be prompted for a product key. Since you're using an evaluation copy, you can skip this or enter a generic key provided by Microsoft for evaluation purposes.
6. Set a strong password for the Administrator account. This is critical.
7. Once installed, **do not connect it to the internet yet**. We need to isolate it first.
8. Configure the virtual network adapter for your server VM. For isolation, use a "Host-Only" network or create a custom virtual network that doesn't bridge to your physical network. This prevents accidental exposure.

Making Windows Server as a Domain Controller

Now, we transform the standard server into the core of our domain. This process involves installing the "Active Directory Domain Services" (AD DS) role and then promoting the server.

Steps:

1. Open "Server Manager" as Administrator.
2. Click "Add roles and features".
3. Proceed through the wizard, selecting "Role-based or feature-based installation".
4. Select your server from the server pool.
5. Under "Server Roles", check "Active Directory Domain Services". Accept the prompt to add required features (like Group Policy Management).
6. Continue through the wizard, accepting default features.
7. Once the role installation completes, you'll see a notification flag in Server Manager. Click it and select "Promote this server to a domain controller".
8. In the Deployment Configuration wizard:
   • Select "Add a new forest".
   • Enter a Root domain name. For labs, something like ad.local or contoso.local is common. Avoid using real TLDs like .com as it can cause DNS resolution issues.
   • Set the Forest functional level and Domain functional level (usually the highest available).
   • Ensure "Domain Name System (DNS) server" and "Global Catalog (GC)" are checked.
   • Set a Directory Services Restore Mode (DSRM) password. This is vital for disaster recovery; store it securely.
9. Proceed through the remaining steps (DNS options, paths, prerequisites check).
10. Click "Install". The server will reboot automatically, and upon restart, it will be your Domain Controller.

Congratulations, you've birthed your domain. The machine is now the authoritative source for your simulated network's identity.

Setting Up a Certificate Authority

While not strictly mandatory for a basic lab, setting up a Certificate Authority (CA) integrated with AD is a common and powerful configuration. It enables secure communication protocols like LDAPS (LDAP over SSL/TLS) and is foundational for many enterprise PKI (Public Key Infrastructure) deployments. For offensive scenarios, misconfigurations or vulnerabilities within the PKI can lead to significant attack opportunities.

Steps:

1. Open "Server Manager" > "Add roles and features".
2. Select "Active Directory Certificate Services".
3. Add the necessary features.
4. After installation, go to the notification flag in Server Manager and select "Configure Active Directory Certificate Services".
5. In the configuration wizard:
   • Select "Certification Authority" and "Certification Authority Web Enrollment" (optional, but useful).
   • Choose "Enterprise CA" (since we are in an AD domain).
   • Select "Root CA".
   • Create a new private key or use an existing one.
   • Configure the CA name (e.g., "Contoso-DC-CA").
   • Set the validity period for the CA certificate (e.g., 5 years).
   • Accept default store locations for the certificate database.
6. Complete the configuration.

This setup allows your domain to issue certificates, which can be used for various services and security enhancements. Attackers often target poorly managed PKI systems.

Configuring Users, File Shares, and Service Accounts

A domain without users and resources is just an empty shell. We need to populate it with entities that attackers will look to compromise or abuse.

User Accounts:

1. Open "Active Directory Users and Computers" (from Server Manager > Tools).
2. Create Organizational Units (OUs) to structure your users (e.g., "Users", "Executives", "IT-Staff").
3. Create several user accounts within these OUs. Give them realistic names and passwords.
4. Consider creating accounts with different privilege levels: standard users, administrators, and perhaps a service account.

File Shares:

1. Create a new folder on your server (e.g., C:\Shares\Public).
2. Right-click the folder > Properties > Sharing tab > Advanced Sharing. Share the folder (e.g., as "PublicShare").
3. Configure Share Permissions (e.g., "Everyone" - Read/Change).
4. Configure NTFS Permissions (Security tab) to be more granular. For example, grant specific OUs or users Read/Write access. This is where attackers look for sensitive documents or misconfigurations.

Service Accounts:

1. In "Active Directory Users and Computers", create new user accounts specifically for services (e.g., svc_sql, svc_web).
2. It's best practice to disable the "User cannot change password" and "Password never expires" options for service accounts and manage their credentials securely. However, for lab purposes, you might initially enable "Password never expires" for ease of use, but be aware this is a security risk in production.
3. Assign these service accounts the necessary permissions to run specific applications or services. Attackers love to find service accounts with overly broad permissions.

Installing Windows 10 Client

Every kingdom needs subjects. We'll set up a Windows 10 VM that will be a member of our newly created domain. This is the machine you'll typically target first in many attack scenarios.

Steps:

1. Create a new virtual machine. Allocate at least 2 vCPUs, 4GB RAM, and 40GB+ disk space.
2. Configure the VM to boot from the Windows 10 Enterprise ISO.
3. Perform a standard Windows 10 installation.
4. Crucially, during the setup phase where it asks for account setup (Microsoft account or local account), skip these steps if possible. We want to join this machine to the domain directly. If you must create an account, make it a temporary local one you'll discard later.
5. Once Windows 10 is installed and at the login screen, do not log in with a Microsoft account.
6. Configure the virtual network adapter for this client VM. It must be on the **same virtual network** as your Domain Controller (e.g., the same "Host-Only" network).

Joining the Domain with Our User Machine(s)

This is the moment the client becomes part of your AD ecosystem.

Steps:

1. On the Windows 10 client VM, log in with the local administrator account.
2. Open System Properties: Right-click "This PC" > Properties > Advanced system settings.
3. Under the "Computer Name" tab, click "Change...".
4. In the "Member of" section, select "Domain" and enter the domain name you created earlier (e.g., ad.local).
5. You will be prompted for domain credentials. Enter the username and password of an account that has permissions to join machines to the domain (typically, the administrator account of the domain controller, or a delegated account).
6. Click OK. You should see a welcome message indicating you've joined the domain.
7. The computer will require a restart.

After rebooting, when you get to the login screen, you should now see the option to log in with a domain account. You can log in using one of the standard user accounts you created on the DC.

Final Setup of User Machine

With the client joined to the domain, you can fine-tune its configuration. Install common applications that an end-user would have (e.g., a browser like Chrome or Firefox, potentially Microsoft Office if you have evaluation copies). Ensure the client is configured to use the Domain Controller's IP address for DNS resolution. This is critical for AD services to function correctly.

DNS Configuration:

1. On the Windows 10 client VM, open Network Connections (ncpa.cpl).
2. Right-click the network adapter > Properties.
3. Select "Internet Protocol Version 4 (TCP/IPv4)" > Properties.
4. Set the Preferred DNS server to the IP address of your Domain Controller.
5. Click OK to save.

Your domain-joined client is now ready. You can log in with a domain user account and start exploring the environment from a user's perspective, or more importantly, from an attacker's perspective.

Engineer's Verdict: Is This Lab Worth It?

Absolutely. Building an Active Directory lab is not a suggestion; it's a prerequisite for anyone serious about offensive security in corporate environments. The investment in time to set this up is minuscule compared to the potential gains in knowledge and skill. You gain:

• Safe Practice Ground: Experiment with destructive attacks (like Golden Ticket or DCSync) without real-world consequences.
• Deep Understanding: Move beyond surface-level knowledge to truly grasp how AD components interact and how they can be abused.
• Tool Proficiency: Become adept with tools like Mimikatz, PowerSploit, BloodHound, and others in a controlled setting.
• Defensive Insight: Understand what defenders need to protect by experiencing the attack from the other side.

The only downside is the initial setup complexity, which is why this guide exists. But once operational, it's an invaluable asset for continuous learning and skill development. Don't skip this step.

Operator's / Analyst's Arsenal

To effectively leverage your new AD lab, equip yourself with the right tools:

• For Attack Simulation:
  • Mimikatz: The quintessential tool for credential dumping.
  • PowerSploit / PowerShell Empire: Comprehensive post-exploitation frameworks.
  • BloodHound: Essential for mapping AD attack paths and relationships.
  • Responder: For LLMNR/NBT-NS poisoning and credential capture.
  • Impacket Suite: A collection of Python scripts for working with network protocols, crucial for AD attacks.
• For Analysis & Defense:
  • Wireshark: For network traffic analysis.
  • Sysmon: Advanced system monitoring for threat detection.
  • ELK Stack (Elasticsearch, Logstash, Kibana) / Splunk: For log aggregation and analysis.
• Essential Reading:
  • "The Hacker Playbook 3: Practical Guide To Penetration Testing" by Peter Kim
  • "Red Team Field Manual (RTFM)" by Ben Clark
  • "Active Directory Security Assessment" (various online resources)
• Certifications:
  • Offensive Security Certified Professional (OSCP) - heavily features AD attacks.
  • Certified Information Systems Security Professional (CISSP) - provides foundational knowledge.
  • eLearnSecurity's Penetration Testing Student (PTS) / eCPPT (eXtreme Penetration Tester)

Investing in these tools and knowledge is investing in your career. Don't get caught with a rusty toolkit.

Practical Workshop: Initial Compromise & Persistence

Let's outline a common attack path you can practice. Assume you've gained initial access to the Windows 10 client machine as a standard domain user. Your goal is to escalate privileges and potentially gain domain administrator access.

1. Reconnaissance on Client: Use commands like whoami /groups, net user currentuser /domain, gpresult /r to understand your current privileges and group memberships.
2. Credential Dumping: Execute Mimikatz (if you've managed to get it onto the client) to extract credentials from memory. Target the LSASS process. You might first need to elevate your local privileges to administrator on the client machine.
3. Pass-the-Hash/Ticket: If you successfully dump password hashes (LM/NTLM), use tools like CrackMapExec or Mimikatz to perform Pass-the-Hash attacks against other machines or the Domain Controller. If you extract Kerberos tickets, explore Pass-the-Certificate/Ticket.
4. Lateral Movement: Use tools like PsExec (part of the Sysinternals suite) or Impacket's psexec.py to execute commands or upload tools onto other machines, including the DC, using compromised credentials.
5. Privilege Escalation on DC: Once you have administrative access to the DC, you can start launching more powerful attacks like Golden Ticket or Silver Ticket creation, or dump the ntds.dit file for offline cracking.
6. Persistence: Explore techniques like creating malicious scheduled tasks, WMI event subscriptions, or backdoored services to maintain access.

This is a simplified overview. Each step has numerous variations and requires deep knowledge of Windows internals and AD security models. Your lab is where you'll learn these nuances.

Frequently Asked Questions

Can I use older versions of Windows Server?

Yes, but using supported versions like Windows Server 2019 or 2022 is recommended for access to the latest features and security patches. Older versions might have different installation steps or known vulnerabilities that could complicate or simplify your lab, depending on your goals.

What if I don't have enough RAM for two VMs?

You can start with just the Domain Controller and a Windows 10 VM. Limit the resources allocated to each: 2GB RAM for the DC and 2GB for the client might be the bare minimum. Performance will suffer, but it's doable for basic AD setup. Resource allocation is key; 8GB+ total RAM is highly recommended for a smoother experience.

How can I make my lab more realistic?

Add more client machines, introduce different user roles, set up member servers (e.g., a file server, a web server), and play with Group Policy Objects (GPOs). The more entities and configurations you introduce, the closer it mimics a real-world environment and the more attack vectors you can explore.

Is it safe to connect my lab VM to the internet?

Generally, no, not for a typical offensive lab. Isolate your lab using Host-Only networking. If you need specific updates or to download tools, temporarily switch to a NAT network or bridge mode, perform the task, and then switch back to isolation. Never expose your lab DC directly to the internet.

The Contract: Your First AD Breach Simulation

You've built the fortress, now it's time to see if you can breach it. Your task is straightforward: starting as a low-privileged domain user on your Windows 10 client, achieve Domain Administrator privileges on your Windows Server DC. Document every step, every command, and every tool used. If you get stuck, refer back to the resources provided. The simulation is complete when you can run a command like net group "Domain Admins" /domain and see your current user listed, or successfully execute administrative tasks on the DC.

Now, do you have what it takes to bring down your own kingdom? Or will your carefully constructed environment hold strong? The digital battleground awaits.