🏢 Active Directory Lab
Enterprise-level Active Directory security assessment and exploitation
Advanced Level
Lab Overview
This advanced lab focuses on Active Directory security assessment and exploitation techniques. You'll learn to identify and exploit common misconfigurations, understand privilege escalation paths, and develop remediation strategies.
🔍 Enterprise AD Security
While this lab covers fundamental Active Directory security concepts, enterprise environments require thorough security assessments. For organizations in Portugal seeking professional Active Directory security evaluations, Pentesting.pt provides comprehensive AD security assessment and hardening services.
Learning Objectives
- Master Active Directory enumeration and reconnaissance techniques
- Exploit Kerberos-based vulnerabilities (Kerberoasting, ASREPRoasting)
- Perform lateral movement across domain-joined systems
- Escalate privileges to Domain Administrator level
- Establish persistent access mechanisms
- Understand real-world AD attack chains
🎯 Lab Environment
Network Topology
- Domain: RFS.LOCAL
- Domain Controller: DC01.RFS.LOCAL (Windows Server 2019)
- Member Server: SRV01.RFS.LOCAL (Windows Server 2016)
- Workstations: WS01.RFS.LOCAL, WS02.RFS.LOCAL (Windows 10)
- File Server: FS01.RFS.LOCAL (Windows Server 2019)
- Network Range: 192.168.100.0/24
Deployment Options
This lab requires significant resources. We recommend deploying on a cloud platform for optimal performance:
- 🚀 Recommended: Deploy on DigitalOcean using CPU-Optimized Droplets
- 💻 Local Setup: 32GB RAM minimum, 8-core CPU recommended
- 💾 Storage: 250GB+ SSD storage for optimal performance
- 🌐 Network: Isolated VPC for secure testing
🛠️ Required Tools
Enumeration Tools
- PowerView: AD enumeration and exploitation
- BloodHound: Attack path analysis
- ADRecon: Comprehensive AD information gathering
- ldapdomaindump: LDAP enumeration
Exploitation Tools
- Rubeus: Kerberos ticket manipulation
- Impacket: Protocol implementations
- Mimikatz: Credential extraction
- PowerShell Empire: Post-exploitation
Persistence Tools
- SharPersist: Persistence techniques
- PowerSploit: PowerShell exploitation
- Invoke-Obfuscation: PowerShell obfuscation
- Custom Scripts: Tailored persistence mechanisms
📋 Lab Phases
Phase 1: Initial Reconnaissance
Enumerate the Active Directory environment and identify attack vectors.
- Domain and forest enumeration
- User and group discovery
- Service Principal Name (SPN) identification
- Trust relationship analysis
Phase 2: Initial Compromise
Exploit identified vulnerabilities to gain additional access.
- Kerberoasting vulnerable service accounts
- ASREPRoasting accounts that have Kerberos pre-authentication disabled
- Password spraying against identified users
- Credential extraction from compromised systems
Phase 3: Lateral Movement
Move through the network using compromised credentials.
- Pass-the-hash and over-pass-the-hash attacks
- PowerShell remoting exploitation
- WMI and DCOM lateral movement
- Token impersonation techniques
Phase 4: Privilege Escalation
Escalate to Domain Administrator level access.
- Delegation abuse (unconstrained/constrained)
- DCSync attack against domain controller
- Golden ticket creation and usage
- AdminSDHolder abuse
Phase 5: Persistence & Stealth
Establish multiple persistence mechanisms.
- Golden ticket persistence
- Silver ticket for specific services
- Skeleton key implementation
- Group Policy modification
🎯 Detailed Scenarios
Scenario 1: Service Account Exploitation
Objective: Identify and exploit Kerberoastable service accounts.
Tasks
- Enumerate all SPNs in the domain
- Identify vulnerable service accounts
- Request TGS tickets for services
- Extract and crack service account passwords
- Verify access with compromised accounts
Key Commands
- Get-DomainUser -SPN
- Request-SPNTicket
- Invoke-Kerberoast
- hashcat -m 13100
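The defender's view of this scenario is the Security log on the domain controller: every TGS request in the exercise produces event 4769, and a Kerberoasting run shows up as a burst of RC4 (etype 0x17) tickets for user-type service accounts from one source. The following is an added example, not part of the lab page or of any of the listed tools; the event records are constructed to mimic the fields of event 4769 (account, service name, TicketEncryptionType, client address, status), and the burst window and threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos encryption types as written to the TicketEncryptionType field of event 4769.
RC4_HMAC = 0x17           # etype 23: the type a Kerberoasting request asks for on purpose
AES_TYPES = {0x11, 0x12}  # aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

# Constructed sample of event 4769 fields (made-up data, not a real log).
# status 0x0 means the ticket was issued; anything else means it was not.
SAMPLE_4769 = [
    {"time": "2024-01-10T09:00:01", "user": "alice@RFS.LOCAL", "service": "DC01$",      "etype": 0x12, "ip": "192.168.100.21", "status": 0x0},
    {"time": "2024-01-10T09:00:05", "user": "bob@RFS.LOCAL",   "service": "svc_sql",    "etype": 0x17, "ip": "192.168.100.22", "status": 0x0},
    {"time": "2024-01-10T09:00:06", "user": "bob@RFS.LOCAL",   "service": "svc_web",    "etype": 0x17, "ip": "192.168.100.22", "status": 0x0},
    {"time": "2024-01-10T09:00:07", "user": "bob@RFS.LOCAL",   "service": "svc_backup", "etype": 0x17, "ip": "192.168.100.22", "status": 0x0},
    {"time": "2024-01-10T09:00:08", "user": "bob@RFS.LOCAL",   "service": "svc_print",  "etype": 0x17, "ip": "192.168.100.22", "status": 0x0},
    {"time": "2024-01-10T09:30:00", "user": "carol@RFS.LOCAL", "service": "svc_legacy", "etype": 0x17, "ip": "192.168.100.23", "status": 0x0},
    {"time": "2024-01-10T09:31:00", "user": "dave@RFS.LOCAL",  "service": "krbtgt",     "etype": 0x17, "ip": "192.168.100.24", "status": 0x0},
    {"time": "2024-01-10T09:32:00", "user": "erin@RFS.LOCAL",  "service": "svc_sql",    "etype": 0x17, "ip": "192.168.100.25", "status": 0x6},
]


def is_roastable_request(ev):
    """One TGS request that fits the Kerberoasting pattern: an RC4 ticket was
    actually issued for a service that is a user account (no trailing '$') and
    not the krbtgt account itself."""
    svc = ev["service"].split("/")[0]
    return (ev["etype"] == RC4_HMAC and ev["status"] == 0
            and not svc.endswith("$") and svc.lower() != "krbtgt")


def rc4_service_accounts(events):
    """Service accounts that were issued RC4 tickets at all. This is the list to
    move to AES-only encryption types regardless of whether an attack happened."""
    return sorted({ev["service"] for ev in events if is_roastable_request(ev)})


def find_kerberoast_bursts(events, window=timedelta(minutes=5), min_services=3):
    """Group roastable requests by (requesting account, client IP) and report the
    densest window in which that pair asked for >= min_services distinct services."""
    buckets = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            buckets[(ev["user"], ev["ip"])].append(ev)
    alerts = []
    for (user, ip), reqs in buckets.items():
        reqs.sort(key=lambda e: e["time"])  # ISO-8601 strings sort chronologically
        times = [datetime.fromisoformat(e["time"]) for e in reqs]
        best, start = None, 0
        for end in range(len(reqs)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            services = {e["service"] for e in reqs[start:end + 1]}
            if len(services) >= min_services and (best is None or len(services) > len(best["services"])):
                best = {"user": user, "ip": ip, "services": sorted(services),
                        "first": reqs[start]["time"], "last": reqs[end]["time"]}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_kerberoast_bursts(SAMPLE_4769):
        print("possible Kerberoasting:", alert)
    print("service accounts still issued RC4 tickets:", rc4_service_accounts(SAMPLE_4769))
```

On the sample, only the four requests from 192.168.100.22 form a burst; carol's single RC4 request does not trip the threshold but her target still appears in the hardening list. Once the service accounts are restricted to AES, the first filter alone (any RC4 ticket for a user-type service) becomes a high-fidelity signal.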
Scenario 2: Delegation Attack Chain
Objective: Exploit delegation vulnerabilities for privilege escalation.
Tasks
- Identify computers with unconstrained delegation
- Force authentication to delegated machine
- Extract TGT from LSASS memory
- Pass-the-ticket for privilege escalation
- Achieve Domain Admin access
Expected Findings
- Unconstrained delegation on SRV01
- Forced authentication via printer bug
- Domain Controller TGT extraction
- Full domain compromise
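The "Expected Findings" above exist because delegation settings are stored as attributes that any domain user can read, so an administrator can audit them before a tester does. The following is an added example, not the lab's own code: it decodes the userAccountControl bits and the delegation attributes of a dump of account objects. The objects are constructed to match the lab topology, and the attribute names (uac, allowedToDelegateTo, rbcd) are short stand-ins for userAccountControl, msDS-AllowedToDelegateTo and msDS-AllowedToActOnBehalfOfOtherIdentity. It goes slightly beyond the scenario by also reporting resource-based constrained delegation, which the page lists later as an alternative attack path.

```python
# userAccountControl bit flags (values from the Microsoft ADS_USER_FLAG documentation).
NORMAL_ACCOUNT                 = 0x0000200
WORKSTATION_TRUST_ACCOUNT      = 0x0001000  # member server or workstation computer object
SERVER_TRUST_ACCOUNT           = 0x0002000  # domain controller computer object
TRUSTED_FOR_DELEGATION         = 0x0080000  # unconstrained delegation
NOT_DELEGATED                  = 0x0100000  # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

# Constructed sample objects modelled on the lab topology (not a real directory dump).
SAMPLE_OBJECTS = [
    {"name": "DC01$",  "uac": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"name": "SRV01$", "uac": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"name": "WS01$",  "uac": WORKSTATION_TRUST_ACCOUNT},
    {"name": "WS02$",  "uac": WORKSTATION_TRUST_ACCOUNT, "rbcd": ["svc_web"]},
    {"name": "FS01$",  "uac": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "allowedToDelegateTo": ["cifs/WS02.RFS.LOCAL"]},
    {"name": "svc_web", "uac": NORMAL_ACCOUNT, "allowedToDelegateTo": ["HTTP/SRV01.RFS.LOCAL"]},
    {"name": "Administrator", "uac": NORMAL_ACCOUNT | NOT_DELEGATED},
    {"name": "svc_admin", "uac": NORMAL_ACCOUNT},
]
# Accounts that should never be delegable (assumed list for the example).
PRIVILEGED = {"Administrator", "svc_admin"}


def delegation_type(obj):
    """Classify one object by the delegation it is allowed to perform."""
    uac = obj["uac"]
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if obj.get("allowedToDelegateTo"):
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained+protocol-transition"
        return "constrained"
    return "none"


def audit_delegation(objects, privileged):
    """Return (name, message) findings. Domain controllers are unconstrained by
    design, so only non-DC objects with that flag are reported."""
    findings = []
    for obj in objects:
        kind = delegation_type(obj)
        is_dc = bool(obj["uac"] & SERVER_TRUST_ACCOUNT)
        if kind == "unconstrained" and not is_dc:
            findings.append((obj["name"], "unconstrained delegation on a non-DC host: "
                             "it caches the TGT of every principal that authenticates to it"))
        elif kind == "constrained+protocol-transition":
            findings.append((obj["name"], "constrained delegation with protocol transition to %s: "
                             "it can obtain tickets as any user without that user authenticating"
                             % ", ".join(obj["allowedToDelegateTo"])))
        if obj.get("rbcd"):
            findings.append((obj["name"], "resource-based constrained delegation configured for %s; "
                             "confirm each listed principal is intended" % ", ".join(obj["rbcd"])))
        if obj["name"] in privileged and not obj["uac"] & NOT_DELEGATED:
            findings.append((obj["name"], "privileged account is not marked 'sensitive and cannot "
                             "be delegated' (or in Protected Users)"))
    return findings


if __name__ == "__main__":
    for name, message in audit_delegation(SAMPLE_OBJECTS, PRIVILEGED):
        print("%-14s %s" % (name, message))
```

On the sample the audit reports SRV01 (the planted unconstrained delegation), FS01, WS02 and the unprotected svc_admin account, and stays silent on DC01 and on svc_web's plain constrained delegation. In a real run the objects would come from an LDAP query for the same attributes; the classification logic is unchanged.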
Scenario 3: Golden Ticket Persistence
Objective: Create and use golden tickets for persistent access.
Tasks
- Extract KRBTGT account hash
- Identify domain SID
- Generate golden ticket
- Test persistent access
- Demonstrate stealth capabilities
Persistence Benefits
- Long-term access (10 years default)
- Bypass most detection mechanisms
- Works even after password changes
- Administrative access to all systems
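A forged TGT is never issued by a domain controller, so the one thing a golden ticket cannot fake is the event trail: the DC sees service-ticket requests (event 4769) for an account and host that never received a TGT (event 4768) or a renewal (event 4770) within the ticket lifetime. The following correlation is an added example written for this page, not code from the lab or its tools. It assumes the 4768/4770/4769 events of all domain controllers have been merged into one stream, uses the domain's default 10-hour user ticket lifetime, and the events and the list of known accounts are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TGT_LIFETIME = timedelta(hours=10)  # domain default "Maximum lifetime for user ticket"

# Constructed events merged from all DCs (made-up data, not a real log).
# 4768 = TGT issued, 4770 = TGT renewed, 4769 = service ticket requested.
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2024-01-10T08:00:00", "user": "alice", "ip": "192.168.100.21"},
    {"id": 4769, "time": "2024-01-10T08:05:00", "user": "alice", "ip": "192.168.100.21", "service": "cifs/FS01.RFS.LOCAL"},
    {"id": 4769, "time": "2024-01-10T19:00:00", "user": "alice", "ip": "192.168.100.21", "service": "cifs/FS01.RFS.LOCAL"},
    {"id": 4768, "time": "2024-01-10T08:00:00", "user": "bob", "ip": "192.168.100.22"},
    {"id": 4770, "time": "2024-01-10T17:30:00", "user": "bob", "ip": "192.168.100.22"},
    {"id": 4769, "time": "2024-01-10T17:45:00", "user": "bob", "ip": "192.168.100.22", "service": "cifs/FS01.RFS.LOCAL"},
    {"id": 4769, "time": "2024-01-10T10:00:00", "user": "Administrator", "ip": "192.168.100.99", "service": "ldap/DC01.RFS.LOCAL"},
    {"id": 4769, "time": "2024-01-10T10:01:00", "user": "krbtgt_fake", "ip": "192.168.100.99", "service": "cifs/DC01.RFS.LOCAL"},
]
KNOWN_USERS = {"alice", "bob", "Administrator"}  # constructed directory listing


def _t(s):
    return datetime.fromisoformat(s)


def service_tickets_without_tgt(events, known_users, lifetime=TGT_LIFETIME):
    """Flag 4769 events whose (account, client IP) received no TGT or renewal
    from any DC in the preceding `lifetime`. A non-existent account is the
    strongest version of the signal, since only a forged ticket can carry it."""
    issued = defaultdict(list)
    for ev in events:
        if ev["id"] in (4768, 4770):
            issued[(ev["user"], ev["ip"])].append(_t(ev["time"]))
    suspicious = []
    for ev in events:
        if ev["id"] != 4769:
            continue
        t = _t(ev["time"])
        covered = any(timedelta(0) <= t - i <= lifetime
                      for i in issued.get((ev["user"], ev["ip"]), []))
        if covered:
            continue
        if ev["user"] not in known_users:
            reason = "account does not exist in the directory"
        else:
            reason = "no TGT issued or renewed for this account from this host within the ticket lifetime"
        suspicious.append({"time": ev["time"], "user": ev["user"], "ip": ev["ip"],
                           "service": ev["service"], "reason": reason})
    return suspicious


if __name__ == "__main__":
    for hit in service_tickets_without_tgt(SAMPLE_EVENTS, KNOWN_USERS):
        print(hit)
```

Bob's 17:45 request is not flagged because the 17:30 renewal extends coverage; alice's 19:00 request is, because nothing renewed her 08:00 TGT. The heuristic only works when every DC's log is collected, since the TGT may have come from a different DC than the one that served the TGS request, and gaps in collection will surface as false positives. Rotating the KRBTGT password twice invalidates any ticket forged with the old key, which is the remediation once a hit is confirmed.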
🔍 Attack Path Analysis
BloodHound Analysis Exercise
Use BloodHound to identify and visualize attack paths to Domain Admins.
Data Collection
- Run SharpHound collector
- Import data into BloodHound
- Run pre-built queries
- Identify shortest paths to DA
Key Queries
- Shortest Path to Domain Admins
- Find all Kerberoastable Users
- Find Computers with Unconstrained Delegation
- Find ASREPRoastable Users
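Behind the "Shortest Path to Domain Admins" query is an ordinary breadth-first search over a graph whose nodes are principals and computers and whose edges are relationships such as MemberOf, AdminTo and HasSession. The following is an added example, not BloodHound's code or the lab's: it runs that search over a small constructed edge list modelled on the lab hosts and then shows the defensive use of the same graph, checking which starting principals still reach Domain Admins after a chosen edge (a cached admin session, a group membership) is removed.

```python
from collections import defaultdict, deque

DOMAIN_ADMINS = "Domain Admins"

# Constructed BloodHound-style edges (source, relationship, target); made-up data.
EDGES = [
    ("bob", "MemberOf", "Helpdesk"),
    ("bob", "MemberOf", "Domain Users"),
    ("alice", "MemberOf", "Domain Users"),
    ("Helpdesk", "AdminTo", "WS01.RFS.LOCAL"),
    ("WS01.RFS.LOCAL", "HasSession", "svc_backup"),
    ("svc_backup", "MemberOf", "Backup Operators"),
    ("Backup Operators", "AdminTo", "SRV01.RFS.LOCAL"),
    ("SRV01.RFS.LOCAL", "HasSession", "Administrator"),
    ("Administrator", "MemberOf", DOMAIN_ADMINS),
]


def build_graph(edges):
    adj = defaultdict(list)
    for src, rel, dst in edges:
        adj[src].append((rel, dst))
    return adj


def shortest_path(edges, start, target=DOMAIN_ADMINS):
    """BFS from start; returns the edge list of one shortest path, or None."""
    adj = build_graph(edges)
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parent[node] is not None:  # walk back to the start
                prev, rel = parent[node]
                path.append((prev, rel, node))
                node = prev
            return path[::-1]
        for rel, nxt in adj[node]:
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None


def edge_frequency(edges, starts, target=DOMAIN_ADMINS):
    """How many of the starts' shortest paths each edge lies on. Edges with a
    high count are the cheapest places to cut the graph."""
    counts = defaultdict(int)
    for start in starts:
        for edge in shortest_path(edges, start, target) or []:
            counts[edge] += 1
    return dict(counts)


def still_reaching(edges, removed_edge, starts, target=DOMAIN_ADMINS):
    """Simulate a remediation: which starts still reach the target once
    removed_edge is gone?"""
    remaining = [e for e in edges if e != removed_edge]
    return [s for s in starts if shortest_path(remaining, s, target) is not None]


if __name__ == "__main__":
    starts = ["bob", "alice", "svc_backup"]
    for step in shortest_path(EDGES, "bob") or []:
        print("%s -[%s]-> %s" % step)
    cut = ("SRV01.RFS.LOCAL", "HasSession", "Administrator")
    print("still reach DA after removing %s: %s" % (cut, still_reaching(EDGES, cut, starts)))
```

On the sample, bob reaches Domain Admins in seven hops through the helpdesk's local admin rights, a cached service-account session on WS01 and a Domain Admin session on SRV01; alice has no path. Removing the single Administrator session on SRV01 (in practice: stop logging on to member servers with Domain Admin accounts, which is what the tier model enforces) breaks every path in the sample.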
📊 Expected Results
Lab Completion Criteria
Successfully complete the following objectives to pass the lab:
- 🎯 Domain Enumeration: Map the complete AD structure
- 🔓 Service Account Compromise: Successfully crack Kerberoast hashes
- 🚶 Lateral Movement: Access multiple domain systems
- 👑 Domain Admin Access: Achieve highest privileges
- 🔐 Persistence: Establish multiple backdoors
- 📋 Documentation: Detailed attack chain report
💡 Advanced Techniques
OPSEC Considerations
- Avoid noisy enumeration techniques
- Use legitimate admin tools when possible
- Implement proper timing between actions
- Clean up artifacts after testing
Detection Evasion
- PowerShell logging bypass
- AMSI evasion techniques
- ETW bypass methods
- Living off the land approach
Alternative Attack Paths
- Resource-based constrained delegation
- Shadow credentials attack
- ADCS certificate abuse
- Group Policy modification
🎓 Knowledge Validation
Post-Lab Assessment
Answer these questions to validate your understanding:
- What is the difference between Kerberoasting and ASREPRoasting?
- How does unconstrained delegation differ from constrained delegation?
- What are the prerequisites for a DCSync attack?
- How long is a golden ticket valid by default, and can this be changed?
- What is the difference between a golden ticket and a silver ticket?
- How can AdminSDHolder be abused for persistence?
- What are the key indicators of compromise for each attack type?
- How would you defend against the attacks demonstrated in this lab?
🛡️ Defense Recommendations
Security Hardening Measures
- 🔐 Service Accounts: Use Managed Service Accounts (MSA)
- 🎫 Kerberos: Enable AES encryption for Kerberos
- 👥 Privileged Groups: Minimize Domain Admin membership
- 🖥️ Delegation: Avoid unconstrained delegation
- 📊 Monitoring: Implement comprehensive AD logging
- 🚨 Detection: Deploy behavioral analytics
- 🔒 LAPS: Implement Local Administrator Password Solution
- 🏰 Tiering: Implement administrative tier model
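Three of the measures above (AES-only Kerberos, managed service accounts, small privileged groups) can be checked from directory attributes alone. The following is an added example, not the page's or any vendor's code: it reads the msDS-SupportedEncryptionTypes bit mask of each SPN-bearing account, treats an unset value conservatively as RC4-capable, flags non-managed service accounts whose password is older than a policy limit, and reports privileged groups over an agreed size. The account records, password ages and thresholds are constructed.

```python
# msDS-SupportedEncryptionTypes bits (from the Microsoft attribute documentation).
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC, AES128, AES256 = 0x1, 0x2, 0x4, 0x8, 0x10
WEAK_TYPES = DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC
AES_ONLY = AES128 | AES256
GMSA_CLASS = "msDS-GroupManagedServiceAccount"
NAMES = {DES_CBC_CRC: "DES_CBC_CRC", DES_CBC_MD5: "DES_CBC_MD5",
         RC4_HMAC: "RC4_HMAC", AES128: "AES128", AES256: "AES256"}

# Constructed account records (made-up data). enctypes=None means the attribute is unset.
SAMPLE_ACCOUNTS = [
    {"name": "svc_sql",     "spn": ["MSSQLSvc/SRV01.RFS.LOCAL:1433"], "enctypes": None,               "class": "user",     "pwd_age_days": 900},
    {"name": "svc_web",     "spn": ["HTTP/SRV01.RFS.LOCAL"],          "enctypes": RC4_HMAC | AES256,  "class": "user",     "pwd_age_days": 30},
    {"name": "svc_backup",  "spn": ["backup/FS01.RFS.LOCAL"],         "enctypes": AES_ONLY,           "class": "user",     "pwd_age_days": 400},
    {"name": "gmsa_print$", "spn": ["print/FS01.RFS.LOCAL"],          "enctypes": AES_ONLY,           "class": GMSA_CLASS, "pwd_age_days": 12},
    {"name": "alice",       "spn": [],                                "enctypes": None,               "class": "user",     "pwd_age_days": 20},
]
SAMPLE_GROUPS = {
    "Domain Admins": ["Administrator", "jdoe", "asmith", "bjones", "svc_admin", "mlee", "rkhan", "tnguyen"],
    "Enterprise Admins": ["Administrator"],
}


def enctype_names(value):
    """Human-readable list of the set bits; 'unset' when the attribute is absent."""
    if value is None:
        return ["unset"]
    return [name for bit, name in NAMES.items() if value & bit]


def allows_weak_enctypes(value):
    """Unset is treated as weak: the KDC default on most domains still includes RC4."""
    return value is None or bool(value & WEAK_TYPES)


def audit_service_accounts(accounts, max_pwd_age_days=365):
    """(name, message) findings for SPN-bearing accounts only; accounts without
    an SPN cannot be Kerberoasted and are skipped."""
    findings = []
    for acct in accounts:
        if not acct["spn"]:
            continue
        if allows_weak_enctypes(acct["enctypes"]):
            findings.append((acct["name"], "weak Kerberos encryption types allowed (%s); set "
                             "msDS-SupportedEncryptionTypes to AES only (0x18)"
                             % ", ".join(enctype_names(acct["enctypes"]))))
        if acct["class"] != GMSA_CLASS and acct["pwd_age_days"] > max_pwd_age_days:
            findings.append((acct["name"], "password is %d days old on a non-managed service "
                             "account; migrate to a gMSA or rotate" % acct["pwd_age_days"]))
    return findings


def privileged_group_findings(groups, max_size=5):
    """Flag privileged groups whose membership exceeds the agreed maximum."""
    return [(group, "%d members, at most %d expected" % (len(members), max_size))
            for group, members in groups.items() if len(members) > max_size]


if __name__ == "__main__":
    for name, message in audit_service_accounts(SAMPLE_ACCOUNTS) + privileged_group_findings(SAMPLE_GROUPS):
        print("%-18s %s" % (name, message))
```

On the sample, svc_sql is reported twice (unset encryption types and a 900-day-old password), svc_web for still allowing RC4, svc_backup for its password age, and Domain Admins for its size; the gMSA, whose password the domain rotates itself, produces nothing. Setting AES-only on an account is exactly what turns the RC4-ticket detection from the Kerberoasting scenario into a clean signal.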
🎯 Lab Completion Checklist
Verify your progress: Ensure you've completed all components.
- ✅ Successfully enumerated the complete AD environment
- ✅ Exploited Kerberoasting vulnerabilities
- ✅ Performed lateral movement across multiple systems
- ✅ Escalated to Domain Administrator privileges
- ✅ Created and used golden tickets
- ✅ Established persistent backdoor access
- ✅ Analyzed attack paths with BloodHound
- ✅ Documented complete attack chain
Estimated Time: 8-12 hours for complete lab