Tier 2: Recommended Lab (Active Directory)

Time Required: 4-6 hours
Cost: $0 (evaluation licenses)
Requirements: 16GB RAM minimum, 120GB free disk space

What You're Building

  • 1 Kali Linux VM (attacker)

  • 1 Windows Server 2019/2022 (Domain Controller)

  • 2 Windows 10 VMs (domain workstations)

  • 1 Ubuntu Server (Linux pivot target)

  • Complete Active Directory domain

What You Can Practice: Everything in the 30-day series, including full AD compromise chains


Prerequisites

Complete Tier 1 first, or at minimum:

  • VirtualBox or VMware installed

  • Understanding of VM creation

  • Network configuration knowledge


Step 1: Download All Required ISOs

Windows Server 2022

  1. Select ISO - LTSC format

  2. Download 64-bit ISO (~5.3GB)

  3. Evaluation period: 180 days

Windows 10 Enterprise

  1. Download 64-bit ISO (~5GB)

  2. You'll need 2 instances

Ubuntu Server

  1. Download Ubuntu Server 22.04 LTS (~1.4GB)

Kali Linux


Step 2: Create Virtual Network

VirtualBox Setup

  1. VirtualBox → File → Preferences → Network

  2. Create NAT Network:

    • Name: ADLab

    • Network CIDR: 10.10.10.0/24

    • Enable DHCP: NO (we'll use static IPs)

    • Click OK

VMware Setup

  1. VMware → Edit → Virtual Network Editor

  2. Change Settings (admin required)

  3. Add Network → VMnet3

  4. Type: Host-only or NAT

  5. Subnet: 10.10.10.0

  6. Disable DHCP

  7. Click Apply


Step 3: Create Domain Controller VM

Create VM

VirtualBox:

  1. New VM: Name DC01

  2. Type: Windows, Version: Windows 2019/2022 (64-bit)

  3. RAM: 4096 MB minimum (6GB recommended)

  4. Hard disk: 60 GB

  5. Processors: 2 CPUs

  6. Network: ADLab NAT Network

VMware:

  1. Create New VM

  2. Use ISO: Windows Server 2022

  3. Name: DC01

  4. Disk: 60GB

  5. RAM: 4096MB

  6. CPUs: 2

  7. Network: VMnet3

Install Windows Server

  1. Start VM, boot from ISO

  2. Language: English → Next

  3. Install Now

  4. Version: Windows Server 2022 Standard Evaluation (Desktop Experience)

    • Important: Choose "Desktop Experience" not "Server Core"

  5. Custom install

  6. Select disk → Next

  7. Wait for installation (~15 minutes)

  8. Set Administrator password: P@ssw0rd123!

  9. Press Ctrl+Alt+Delete to login

Configure Static IP

  1. Open Server Manager (opens automatically)

  2. Click Local Server on left

  3. Click Ethernet (next to IPv4 address assigned by DHCP)

  4. Right-click Ethernet → Properties

  5. Select Internet Protocol Version 4 (TCP/IPv4)

  6. Click Properties

  7. Select Use the following IP address:

    • IP address: 10.10.10.10

    • Subnet mask: 255.255.255.0

    • Default gateway: 10.10.10.1

    • Preferred DNS: 127.0.0.1 (itself)

  8. Click OK, close windows

  9. Rename computer:

    • Server Manager → Local Server → Computer name

    • Click computer name → Change

    • Computer name: DC01

    • Click OK, restart


Step 4: Install Active Directory Domain Services

Add AD DS Role

  1. After restart, login as Administrator

  2. Server Manager → Manage → Add Roles and Features

  3. Click Next through first 3 screens

  4. Server Roles: Check Active Directory Domain Services

  5. Click Add Features when prompted

  6. Click Next through remaining screens

  7. Click Install

  8. Wait for installation (~5 minutes)

  9. Click Close when complete

Promote to Domain Controller

  1. In Server Manager, click notification flag (top right)

  2. Click Promote this server to a domain controller

  3. Select Add a new forest

  4. Root domain name: corp.local

  5. Click Next

  6. Forest/Domain functional level: Windows Server 2016

  7. Check Domain Name System (DNS) server

  8. DSRM password: P@ssw0rd123!

  9. Click Next through remaining screens

  10. Prerequisites check will run

  11. Click Install

  12. Server will restart automatically (~10 minutes)

Verify AD Installation

  1. Login as CORP\Administrator with password P@ssw0rd123!

  2. Server Manager should show AD DS installed

  3. Open Active Directory Users and Computers:

    • Server Manager → Tools → Active Directory Users and Computers

  4. Expand corp.local → You should see organizational units


Step 5: Create Domain Users and Groups

Create Organizational Units

  1. Open Active Directory Users and Computers

  2. Right-click corp.local → New → Organizational Unit

  3. Name: Corp Users → OK

  4. Create another OU: Corp Computers

  5. Create another OU: Service Accounts

Create Standard Domain Users

  1. Right-click Corp Users → New → User

  2. First name: John Last name: Smith

  3. User logon name: jsmith

  4. Click Next

  5. Password: Welcome123!

  6. Uncheck User must change password at next logon

  7. Check Password never expires (for lab only!)

  8. Click Next → Finish

Create these additional users:

Name                 Username    Password       Group
Sarah Johnson        sjohnson    Welcome123!    Domain Users
Mike Davis           mdavis      Welcome123!    Domain Users
Emily Wilson         ewilson     Welcome123!    Domain Users
Domain Admin Backup  da_backup   P@ssw0rd123!   Domain Admins
Help Desk            helpdesk    Help123!       Domain Users
SQL Service          sql_svc     Summer2023!    Domain Users

Add Users to Groups

  1. Right-click da_backup → Properties

  2. Member Of tab → Add

  3. Type: Domain Admins → Check Names → OK

  4. Click OK

Create Service Principal Names (for Kerberoasting)

  1. Open Command Prompt as Administrator

  2. Add SPN to sql_svc account:

setspn -A MSSQLSvc/SQL01.corp.local:1433 corp\sql_svc
setspn -A MSSQLSvc/SQL01.corp.local corp\sql_svc
  3. Verify SPN was added:

setspn -L corp\sql_svc

Step 6: Create Workstation VMs

Create First Workstation (WORKSTATION-01)

VirtualBox/VMware:

  1. Create new VM: WORKSTATION-01

  2. Type: Windows 10 (64-bit)

  3. RAM: 2048 MB (2GB minimum)

  4. Disk: 40 GB

  5. CPUs: 1-2

  6. Network: Same as DC (ADLab / VMnet3)

Install Windows 10

  1. Boot from Windows 10 ISO

  2. Install Windows 10 Enterprise Evaluation

  3. Username: localuser

  4. Password: Local123!

  5. Disable all privacy settings

  6. Complete setup to desktop

Configure Static IP

  1. Control Panel → Network and Sharing Center

  2. Change adapter settings

  3. Right-click Ethernet → Properties

  4. IPv4 Properties:

    • IP: 10.10.10.100

    • Subnet: 255.255.255.0

    • Gateway: 10.10.10.1

    • DNS: 10.10.10.10 (the DC)

  5. OK → Close

Join Domain

  1. Right-click Start → System

  2. Click Rename this PC (advanced)

  3. Click Change

  4. Computer name: WORKSTATION-01

  5. Member of: Domain → corp.local

  6. Click OK

  7. Enter credentials:

    • Username: Administrator

    • Password: P@ssw0rd123!

  8. Welcome message will appear

  9. Click OK → Restart

Post-Domain Join Configuration

  1. Login as CORP\jsmith (password: Welcome123!)

  2. Disable Windows Defender (same as Tier 1)

  3. Install Chrome/Firefox

  4. Save some credentials in browser (for harvesting practice)

  5. Take a snapshot: Domain Joined - Clean

Create Second Workstation (WORKSTATION-02)

  1. Clone WORKSTATION-01 VM (faster than reinstalling):

    • VirtualBox: Right-click VM → Clone → Full clone

    • VMware: Right-click VM → Manage → Clone

  2. Name: WORKSTATION-02

  3. Generate new MAC addresses

  4. Start cloned VM

  5. Change computer name to WORKSTATION-02:

    • System → Rename PC → WORKSTATION-02

    • Rejoin domain if needed

  6. Change IP to 10.10.10.101

  7. Restart


Step 7: Create Ubuntu Server VM (Linux Pivot Target)

Create VM

  1. New VM: UBUNTU-SRV01

  2. Type: Linux, Version: Ubuntu (64-bit)

  3. RAM: 2048 MB

  4. Disk: 20 GB

  5. Network: Same network as other VMs

Install Ubuntu Server

  1. Boot from Ubuntu Server ISO

  2. Language: English

  3. Keyboard: Default

  4. Network: DHCP for now (we'll configure static later)

  5. Storage: Use entire disk

  6. Profile setup:

    • Name: ubuntu

    • Server name: ubuntu-srv01

    • Username: ubuntu

    • Password: ubuntu123

  7. Install OpenSSH server: YES

  8. Featured snaps: Skip

  9. Wait for installation

  10. Reboot when prompted

Configure Static IP

  1. Login as ubuntu

  2. Edit netplan configuration:

sudo nano /etc/netplan/00-installer-config.yaml
  3. Configure static IP:

network:
  ethernets:
    ens33:  # or ens160, check with: ip link
      dhcp4: no
      addresses:
        - 10.10.10.50/24
      gateway4: 10.10.10.1
      nameservers:
        addresses:
          - 10.10.10.10
          - 8.8.8.8
  version: 2
  4. Save (Ctrl+O, Enter, Ctrl+X)

  5. Apply configuration:

sudo netplan apply
  6. Verify:

ip addr show
# Should see 10.10.10.50

Install Vulnerable Software (for practice)

# Update system
sudo apt update && sudo apt upgrade -y

# Install some services
sudo apt install -y apache2 mysql-server ssh

# Enable services
sudo systemctl enable apache2
sudo systemctl enable mysql
sudo systemctl enable ssh

# Create a test user
sudo useradd -m -s /bin/bash testuser
echo "testuser:password123" | sudo chpasswd

Step 8: Setup Kali Linux (Attacker VM)

Import Kali VM

  1. Import pre-built Kali VM (from Tier 1 steps)

  2. Or create new if needed

Configure Static IP

# Edit network configuration
sudo nano /etc/network/interfaces

Add:

auto eth0
iface eth0 inet static
    address 10.10.10.5
    netmask 255.255.255.0
    gateway 10.10.10.1
    dns-nameservers 10.10.10.10

Or use Network Manager GUI:

  1. Click network icon → Edit Connections

  2. Edit Wired connection

  3. IPv4 Settings → Manual

  4. Add: IP 10.10.10.5, Netmask 255.255.255.0, Gateway 10.10.10.1

  5. DNS: 10.10.10.10

  6. Save

Install Additional Tools

# Update Kali
sudo apt update
sudo apt full-upgrade -y

# Install additional AD tools
sudo apt install -y bloodhound neo4j
sudo apt install -y crackmapexec
sudo apt install -y python3-impacket

# Install PowerShell (for PowerView, etc.)
sudo apt install -y powershell

# Download common tools
mkdir ~/tools
cd ~/tools

# PowerView
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1

# Rubeus
wget https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Rubeus.exe

# SharpHound
wget https://github.com/BloodHoundAD/BloodHound/raw/master/Collectors/SharpHound.ps1

Step 9: Verify Full Lab Connectivity

Network Diagram

10.10.10.5    - Kali Linux (Attacker)
10.10.10.10   - DC01 (Domain Controller)
10.10.10.50   - Ubuntu-SRV01 (Linux target)
10.10.10.100  - WORKSTATION-01 (Windows target)
10.10.10.101  - WORKSTATION-02 (Windows target)

Connectivity Tests

From Kali:

# Ping all systems
ping -c 2 10.10.10.10
ping -c 2 10.10.10.50
ping -c 2 10.10.10.100
ping -c 2 10.10.10.101

# Scan entire network
nmap -sn 10.10.10.0/24

# Test DNS resolution
nslookup corp.local 10.10.10.10
nslookup dc01.corp.local 10.10.10.10

# Quick port scan on DC
nmap -sV -p 53,88,135,139,389,445,3389 10.10.10.10

Expected results:

  • All pings should succeed

  • DNS should resolve corp.local

  • DC should show ports: 53 (DNS), 88 (Kerberos), 389 (LDAP), 445 (SMB)
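
A scripted version of these checks, added here as an example and not part of the original guide: it reads nmap's grepable output (-oG -) and reports which planned hosts are missing, which live addresses are not in the address plan, and which expected DC ports are not open. The function names and the sample scan output are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare nmap grepable (-oG) output with this guide's lab plan.
LAB_HOSTS="10.10.10.5 10.10.10.10 10.10.10.50 10.10.10.100 10.10.10.101"
LAB_GATEWAY="10.10.10.1"   # default gateway used in the static IP steps
DC_PORTS="53 88 389 445"   # ports listed under "Expected results"

# IPs that a ping scan on stdin reports as up.
up_hosts() { awk '/Status: Up/ { print $2 }'; }

# Planned lab IPs that the ping scan on stdin does not report as up.
missing_hosts() {
  up=$(up_hosts)
  for ip in $LAB_HOSTS; do
    printf '%s\n' "$up" | grep -qxF "$ip" || printf '%s\n' "$ip"
  done
}

# Live IPs outside the plan: something else can reach the weak lab hosts.
unexpected_hosts() {
  up_hosts | while read -r ip; do
    case " $LAB_HOSTS $LAB_GATEWAY " in
      *" $ip "*) ;;
      *) printf '%s\n' "$ip" ;;
    esac
  done
}

# Expected DC ports that the port scan on stdin does not show as open.
missing_dc_ports() {
  open=$(grep -F 'Ports:' | grep -oE '[0-9]+/open/tcp' | cut -d/ -f1)
  for p in $DC_PORTS; do
    printf '%s\n' "$open" | grep -qx "$p" || printf '%s\n' "$p"
  done
}

# Constructed sample output, not from a real scan: WORKSTATION-02 is down,
# an unplanned host answers at .77, and Kerberos (88) is not open on the DC.
sample_ping_scan() {
  for n in 1 5 10 50 100 77; do
    printf 'Host: 10.10.10.%s ()\tStatus: Up\n' "$n"
  done
}
sample_dc_scan() {
  printf 'Host: 10.10.10.10 ()\tPorts: 53/open/tcp//domain///, '
  printf '88/closed/tcp//kerberos-sec///, 389/open/tcp//ldap///, '
  printf '445/open/tcp//microsoft-ds///\n'
}

echo "missing hosts:    $(sample_ping_scan | missing_hosts)"
echo "unexpected hosts: $(sample_ping_scan | unexpected_hosts)"
echo "missing DC ports: $(sample_dc_scan | missing_dc_ports)"
```

Against the live lab, pipe real scans into the functions, for example: sudo nmap -sn -oG - 10.10.10.0/24 | missing_hosts. Run as root on the lab subnet, nmap -sn discovers hosts by ARP, so a workstation shows as up even if its firewall drops ICMP echo.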


Step 10: Test Active Directory Functionality

From Workstation

  1. Login to WORKSTATION-01 as CORP\jsmith

  2. Open Command Prompt

  3. Test domain connectivity:

nltest /dclist:corp.local
net user jsmith /domain
gpresult /r

From Kali (Initial AD Enumeration)

# Test SMB access
smbclient -L //10.10.10.10 -U jsmith
# Password: Welcome123!

# Use CrackMapExec
crackmapexec smb 10.10.10.10 -u jsmith -p Welcome123! --shares

# Test with Impacket
python3 /usr/share/doc/python3-impacket/examples/GetADUsers.py corp.local/jsmith:We

Step 11: Take Snapshots of Complete Lab

Critical: Snapshot every VM now!

  1. Shut down all VMs gracefully

  2. Take snapshot of each:

    • Kali-Attacker → "AD Lab - Clean State"

    • DC01 → "Domain Controller - Configured"

    • WORKSTATION-01 → "Domain Joined - Clean"

    • WORKSTATION-02 → "Domain Joined - Clean"

    • UBUNTU-SRV01 → "Linux Target - Clean"


Tier 2 Complete! 🎉🎉

You now have a complete Active Directory environment. You can practice:

  • All techniques from Tier 1

  • AD enumeration (Day 22)

  • Kerberoasting (Day 23)

  • Pass-the-ticket attacks (Day 24)

  • Golden/Silver tickets (Day 25)

  • DCSync attacks (Day 26)

  • Full AD compromise chains (Featured Walkthrough)

Optional Enhancements

Add More Users:

# On DC01, open PowerShell
1..20 | ForEach-Object {
    $user = "user$_"
    New-ADUser -Name $user -SamAccountName $user -UserPrincipalName "$user@corp.local" -AccountPassword (ConvertTo-SecureString "Welcome123!" -AsPlainText -Force) -Enabled $true -Path "OU=Corp Users,DC=corp,DC=local"
}

Add File Shares:

# On DC01
New-Item -Path "C:\Shares\Public" -ItemType Directory
New-SmbShare -Name "Public" -Path "C:\Shares\Public" -FullAccess "Everyone"

# Add some fake sensitive files
"SSN: 123-45-6789" | Out-File C:\Shares\Public\employees.txt

Configure Group Policy:

  1. Server Manager → Tools → Group Policy Management

  2. Create new GPO: "Disable Defender"

  3. Link to domain

  4. Configure to disable Windows Defender on all workstations

© 2025 Maxwell Cross - All Rights Reserved
