# Active Directory Lab Setup
Status: Scaffold — content in progress
## Lab Topology

- DC01: Windows Server 2019/2022, AD DS, DNS, ADCS (Issuing CA)
- WS01: Windows 10/11, domain-joined workstation
- Kali: Attacker machine (same network)
- Wazuh: SIEM (can be on a separate segment)
## Prerequisites

- VirtualBox / VMware Workstation
- Vagrant (optional, for scripted builds)
- Windows Server 2019/2022 evaluation ISO
- Windows 10/11 evaluation ISO
- Kali Linux ISO
- 16GB+ RAM recommended
## Build Steps

### 1. DC01 — Domain Controller

```powershell
# Install AD DS
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Promote to DC (creates the itdr.lab forest; the server reboots when promotion completes)
Install-ADDSForest `
    -DomainName "itdr.lab" `
    -DomainNetbiosName "ITDR" `
    -SafeModeAdministratorPassword (ConvertTo-SecureString "Lab@Password1" -AsPlainText -Force) `
    -InstallDns
```
### 2. Install ADCS (Issuing CA)

```powershell
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools

# Single-tier enterprise root CA (sufficient for a lab); -Force skips the confirmation prompt
Install-AdcsCertificationAuthority -CAType EnterpriseRootCa -CACommonName "ITDR-CA" -Force
Install-AdcsWebEnrollment -Confirm:$false
```
### 3. Create Vulnerable Accounts

```powershell
# Service account with SPN (Kerberoasting target)
New-ADUser -Name "svc-sql" -SamAccountName "svc-sql" -AccountPassword (ConvertTo-SecureString "Password123!" -AsPlainText -Force) -Enabled $true
Set-ADUser -Identity "svc-sql" -ServicePrincipalNames @{Add="MSSQLSvc/dc01.itdr.lab:1433"}

# Account without Kerberos pre-authentication (AS-REP Roasting target)
New-ADUser -Name "svc-nopreauth" -SamAccountName "svc-nopreauth" -AccountPassword (ConvertTo-SecureString "Password456!" -AsPlainText -Force) -Enabled $true
Set-ADAccountControl -Identity "svc-nopreauth" -DoesNotRequirePreAuth $true
```
### 4. Configure Audit Policy

```powershell
# Enable advanced audit subcategories on DC01
# Kerberos Service Ticket Operations -> 4769 (TGS requests, Kerberoasting visibility)
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
# Kerberos Authentication Service -> 4768/4771 (AS requests, AS-REP Roasting visibility)
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
# Directory Service Access -> 4662 (object access on the directory)
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
```
### 5. Validation

```powershell
# Verify SPN is set on the service account
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName |
    Select-Object SamAccountName, ServicePrincipalName

# Verify pre-auth is disabled on the AS-REP Roasting target
Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' | Select-Object SamAccountName

# Test Kerberos (lists the cached tickets for the current logon session)
klist
```
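Once the audit policy from step 4 is in place, the point of the lab accounts from step 3 is to see them show up in the DC01 Security log. The following script is an added example, not part of the original lab notes: it queries the log for the two signatures the lab is built to surface, a 4769 TGS request for a user-account SPN with RC4 (0x17) encryption, and a 4768 AS request with PreAuthType 0. Function names and the 24-hour default window are the example's own choices; it is meant to be run elevated on DC01.

```powershell
# Added example: hunt the DC01 Security log for the Kerberos abuse patterns the lab accounts
# are meant to trigger, using the event IDs enabled by the audit policy in step 4.
# Function names (ConvertFrom-EventData, Get-KerberoastIndicators, Get-AsRepRoastIndicators)
# are assumptions of this example, not cmdlets from any module.

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name="..."> elements of a Security event into a hashtable
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-KerberoastIndicators {
    # 4769 for a user-account SPN requested with RC4 (0x17): the classic Kerberoasting signature.
    # Computer accounts (ServiceName ending in $) and krbtgt are excluded to cut noise.
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d.TicketEncryptionType -eq '0x17' -and
                $d.ServiceName -notlike '*$' -and
                $d.ServiceName -ne 'krbtgt' -and
                $d.Status -eq '0x0') {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Indicator = 'Kerberoast (RC4 TGS for user SPN)'
                    Requester = $d.TargetUserName
                    Service   = $d.ServiceName
                    ClientIP  = $d.IpAddress
                }
            }
        }
}

function Get-AsRepRoastIndicators {
    # 4768 with PreAuthType 0: a TGT issued to an account that does not require
    # pre-authentication, which is how svc-nopreauth is configured in step 3.
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d.PreAuthType -eq '0' -and $d.Status -eq '0x0') {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Indicator = 'AS-REP roast (no pre-auth)'
                    Account   = $d.TargetUserName
                    EncType   = $d.TicketEncryptionType
                    ClientIP  = $d.IpAddress
                }
            }
        }
}

# Usage on DC01 (elevated): run after exercising the lab accounts, then compare the hits
# against what Wazuh ingested from the same Security log.
Get-KerberoastIndicators | Format-Table -AutoSize
Get-AsRepRoastIndicators | Format-Table -AutoSize
```

Expect a baseline of legitimate 4769 events from domain-joined hosts; the RC4 and non-computer-account filters are what make svc-sql requests stand out, and the ClientIP column should point at WS01 or Kali rather than DC01 itself. Both functions return objects, so the same filters can be pasted into a Wazuh rule for comparison.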
## Installed Attack Tools (Kali)

```bash
# Impacket (on newer Kali releases pip3 refuses system-wide installs; use pipx or a venv)
pip3 install impacket
# BloodHound
apt install bloodhound neo4j
# Certipy (ADCS attacks)
pip3 install certipy-ad
# Rubeus (compile or use pre-built)
```
## Cross-Links

| Topic | Link |
|---|---|
| Lab Architecture | lab-architecture |
| Kerberoasting | kerberoasting |
| Simulation Scenarios | Scenarios |