Active Directory Tools & Lab Setup
Comprehensive guide to Active Directory security tools, lab environment setup, and testing infrastructure
Essential Enumeration Tools
BloodHound
Purpose: Attack path analysis and AD relationship mapping
Language: JavaScript/C#
URL: https://github.com/BloodHoundAD/BloodHound (legacy; BloodHound Community Edition lives at https://github.com/SpecterOps/BloodHound)
Usage: Run the SharpHound collector on a domain-joined host, then import the resulting zip into BloodHound for visualization
PowerView
Purpose: PowerShell AD enumeration and situational awareness
Language: PowerShell
URL: https://github.com/PowerShellMafia/PowerSploit
Usage: Import-Module .\PowerView.ps1, then run enumeration cmdlets (Get-DomainUser, Get-DomainComputer, Get-DomainTrust)
ADRecon
Purpose: Comprehensive AD reconnaissance and documentation
Language: PowerShell
URL: https://github.com/adrecon/ADRecon
Usage: .\ADRecon.ps1 -DomainController DC01 -Credential $cred (where $cred is a PSCredential created with Get-Credential)
ldapdomaindump
Purpose: LDAP enumeration and HTML report generation
Language: Python
URL: https://github.com/dirkjanm/ldapdomaindump
Usage: ldapdomaindump -u 'DOMAIN\user' -p password ldap://dc01
Attack & Exploitation Tools
Impacket
Purpose: Python library and example scripts for Windows network protocols (SMB, MSRPC, Kerberos, LDAP, etc.)
Language: Python
URL: https://github.com/fortra/impacket
Usage: secretsdump.py, GetUserSPNs.py, psexec.py, etc.
Rubeus
Purpose: Kerberos interaction and attack tool
Language: C#
URL: https://github.com/GhostPack/Rubeus
Usage: Rubeus.exe kerberoast, Rubeus.exe asreproast
Mimikatz
Purpose: Credential extraction and ticket manipulation
Language: C
URL: https://github.com/gentilkiwi/mimikatz
Usage: sekurlsa::logonpasswords, lsadump::dcsync
CrackMapExec (now NetExec)
Purpose: Post-exploitation and lateral movement tool; the original repository is archived and development continues as NetExec (https://github.com/Pennyw0rth/NetExec, binary nxc) with the same command syntax
Language: Python
URL: https://github.com/byt3bl33d3r/CrackMapExec
Usage: crackmapexec smb 192.168.1.0/24 -u user -p password
Evil-WinRM
Purpose: WinRM shell and post-exploitation
Language: Ruby
URL: https://github.com/Hackplayers/evil-winrm
Usage: evil-winrm -i 192.168.1.100 -u user -p password
ADCS Attack Tools
Certify
Purpose: Active Directory Certificate Services enumeration and abuse
Language: C#
URL: https://github.com/GhostPack/Certify
Usage: Certify.exe find /vulnerable
Certipy
Purpose: Python-based ADCS attack tool
Language: Python
URL: https://github.com/ly4k/Certipy
Usage: certipy find -u user@domain.local -p password
PKINITtools
Purpose: Tools for Kerberos PKINIT and certificate-based attacks
Language: Python
URL: https://github.com/dirkjanm/PKINITtools
Usage: gettgtpkinit.py -cert-pfx user.pfx domain.local/user user.ccache (the output ccache path is a required positional argument; export it with KRB5CCNAME=user.ccache before using other Impacket tools with -k)
Lab Setup - VirtualBox/VMware
- Download Windows Server 2019/2022 evaluation ISO
- Create Domain Controller VM (4GB RAM, 60GB disk)
- Create 2-3 Windows 10/11 client VMs (2GB RAM each)
- Create an internal (host-only/internal network) segment so the lab is isolated from your real network
- Configure static IPs: DC (192.168.10.10), Clients (192.168.10.20+); point every client's DNS at the DC
- Install Active Directory Domain Services on server
- Promote to Domain Controller (forest: testlab.local)
- Join client machines to domain
- Create vulnerable configurations for practice
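The build steps above as PowerShell, added here as an example (not code from the original page). It follows the addresses and forest name the list uses (DC 192.168.10.10, clients 192.168.10.20+, testlab.local); the host names DC01/WS01, the VirtualBox VM names, and the adapter alias 'Ethernet' are assumptions to adjust for your VMs. Each phase ends in a reboot, so run them one at a time from an elevated PowerShell on the machine named.

```powershell
# Added example, not from the original page. Assumed names: DC01, WS01, adapter 'Ethernet',
# VirtualBox VM names matching the host names.

### Phase 0 - on the hypervisor host: put the VMs on an isolated internal network (VirtualBox)
# VBoxManage modifyvm DC01 --nic1 intnet --intnet1 adlab
# VBoxManage modifyvm WS01 --nic1 intnet --intnet1 adlab

### Phase 1 - on the future domain controller (Windows Server 2019/2022): static IP and name
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress 192.168.10.10 -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 127.0.0.1
Rename-Computer -NewName DC01 -Restart

### Phase 2 - on DC01 after the reboot: install AD DS and promote it to the forest root
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName testlab.local -DomainNetbiosName TESTLAB -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') -Force
# The server reboots as the first DC of testlab.local and becomes the lab's DNS server

### Phase 3 - on each client (Windows 10/11); bump the last octet and host name per client
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress 192.168.10.20 -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 192.168.10.10   # DC is the only DNS
Add-Computer -DomainName testlab.local -NewName WS01 -Credential TESTLAB\Administrator -Restart
# After the reboot, Test-ComputerSecureChannel on the client should return True

### Phase 4 - on DC01: confirm the forest, its DC and members before taking the base snapshot
function Test-LabDomain {
    Import-Module ActiveDirectory
    $d = Get-ADDomain
    [pscustomobject]@{
        Forest  = $d.Forest
        DC      = (Get-ADDomainController).HostName
        Members = (Get-ADComputer -Filter * | Select-Object -ExpandProperty Name)
        # The DC locator SRV record must resolve or clients cannot find the domain
        DnsOk   = [bool](Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($d.DNSRoot)" -Type SRV -ErrorAction SilentlyContinue)
    }
}
Test-LabDomain
```

Snapshot every VM once Test-LabDomain shows all clients as members and DnsOk is True; the vulnerable configurations below are layered on top of that clean state so you can revert between exercises.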
Recommended: Build with GOAD
GOAD (Game Of Active Directory) is a complete vulnerable AD lab for practicing attacks and defenses.
Quick Start Checklist
- Review GOAD hardware requirements and choose a lab size (MINILAB/Light/Full)
- Clone the repo and select a provider (Vagrant/Ansible/Docker)
- Set variables in globalsettings.ini to fit your host
- Run the chosen bootstrap (e.g., goad.sh or vagrant up)
- Verify forests/domains are reachable; snapshot the base state
- Optionally enable ADCS/SCCM or extensions for advanced modules
Vulnerable Lab Configuration
- Create users with weak passwords for Kerberoasting practice
- Disable Kerberos pre-auth on test accounts (ASREPRoasting)
- Configure service accounts with SPNs
- Set up unconstrained delegation on test server
- Create misconfigured ADCS certificate templates
- Add users to high-privilege groups for practice
- Configure writable GPO permissions
- Set up SMB shares with weak permissions
- Disable SMB signing on some member servers (NTLM relay practice); leave it on the DC, where the Default Domain Controllers Policy enforces it
- Create honeypot admin accounts that no real process uses, so any authentication or TGS request for them is an alert
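The checklist above turned into a script, added here as an example (not code from the original page). It seeds the testlab.local domain with the weak configurations listed, then reads them back with the same LDAP filters an enumeration tool issues so you can confirm each one is in place. Account names, the password, OU/DN values, and the host names SRV01 (a domain-joined member server) are assumptions. Steps 1 to 6 and 9 run on the DC as a Domain Admin; steps 7 and 8 run on SRV01. Misconfigured ADCS templates need the AD CS role and template editing and are not covered in this block.

```powershell
# Added example, not from the original page. Assumed: domain testlab.local already built,
# member server SRV01 joined, names svc_sql/asrep_user/helpdesk_adm/backup_adm unused.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain = 'testlab.local'
$Weak   = ConvertTo-SecureString 'Summer2024!' -AsPlainText -Force   # typical wordlist password

# 1. Relax the domain password policy so short wordlist passwords are accepted
Set-ADDefaultDomainPasswordPolicy -Identity $Domain -ComplexityEnabled $false -MinPasswordLength 6

# 2. Kerberoastable service account: a user object with an SPN and a crackable password
New-ADUser -Name svc_sql -SamAccountName svc_sql -AccountPassword $Weak -Enabled $true `
    -ServicePrincipalNames 'MSSQLSvc/sql01.testlab.local:1433' -Description 'SQL service account'

# 3. AS-REP roastable user: Kerberos pre-authentication disabled (UF_DONT_REQUIRE_PREAUTH)
New-ADUser -Name asrep_user -SamAccountName asrep_user -AccountPassword $Weak -Enabled $true
Set-ADAccountControl -Identity asrep_user -DoesNotRequirePreAuth $true

# 4. Unconstrained delegation on a member server (TRUSTED_FOR_DELEGATION)
Set-ADComputer -Identity SRV01 -TrustedForDelegation $true

# 5. Over-privileged user for privilege-escalation practice
New-ADUser -Name helpdesk_adm -SamAccountName helpdesk_adm -AccountPassword $Weak -Enabled $true
Add-ADGroupMember -Identity 'Domain Admins' -Members helpdesk_adm

# 6. A linked GPO that every domain user can edit (GPO abuse practice)
$Gpo = New-GPO -Name 'Lab Workstations'
$Gpo | New-GPLink -Target 'DC=testlab,DC=local'
Set-GPPermission -Name $Gpo.DisplayName -TargetName 'Domain Users' -TargetType Group -PermissionLevel GpoEdit

# --- Steps 7 and 8 run on SRV01, not on the DC ---
# 7. SMB share with weak permissions
New-Item -Path C:\Shares\Public -ItemType Directory -Force | Out-Null
New-SmbShare -Name Public -Path C:\Shares\Public -FullAccess Everyone

# 8. Disable SMB signing on the member server for NTLM relay practice.
#    Not on the DC: the Default Domain Controllers Policy re-enables it there.
Set-SmbServerConfiguration -RequireSecuritySignature $false -Force

# --- Back on the DC ---
# 9. Honeypot admin: an SPN no real service uses and a password nobody knows, so any
#    TGS request for it (event ID 4769 on the DC) is a Kerberoasting attempt to alert on
New-ADUser -Name backup_adm -SamAccountName backup_adm -Enabled $true `
    -AccountPassword (ConvertTo-SecureString ([guid]::NewGuid().Guid) -AsPlainText -Force) `
    -ServicePrincipalNames 'HTTP/backup.testlab.local' -Description 'Backup admin (legacy)'

# Read the configuration back with the queries attacker tooling issues (krbtgt will
# appear in the SPN list as well; that is normal)
function Get-LabWeakness {
    [pscustomobject]@{
        Kerberoastable = (Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName).SamAccountName
        AsRepRoastable = (Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true').SamAccountName
        Unconstrained  = (Get-ADComputer -Filter 'TrustedForDelegation -eq $true').Name
        DomainAdmins   = (Get-ADGroupMember 'Domain Admins').SamAccountName
        GpoEditors     = (Get-GPPermission -Name 'Lab Workstations' -All | Where-Object Permission -eq 'GpoEdit').Trustee.Name
    }
}
Get-LabWeakness
```

Run Get-LabWeakness before and after seeding and compare: the Unconstrained list should contain only SRV01 plus the DC (domain controllers are trusted for delegation by design), and backup_adm should appear under Kerberoastable alongside svc_sql. Take a second snapshot at this point so the vulnerable state can be restored after destructive exercises such as DCSync or GPO modification.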