Tier 3: Professional Lab (Enterprise-Scale)

Time Required: 8-12 hours
Cost: $0-500 (hardware or cloud)
Requirements: 32GB RAM minimum, 200GB free disk space

What You're Building

Everything from Tier 2, plus:

  • Second Domain Controller (DC02) for replication

  • File Server with shares

  • SQL Server for application attacks

  • Multiple network segments (DMZ, Internal, Management)

  • Certificate Services

  • DNS forwarding and conditional forwarding

  • Trust relationships (optional)

What You Can Practice: Enterprise-scale scenarios, advanced pivoting, multi-domain attacks


Prerequisites

  • Complete Tier 2 lab

  • Comfortable with PowerShell and Windows administration

  • Understanding of enterprise networking concepts


Architecture Overview

Network Segments:
- Management: 10.10.10.0/24  (Domain Controllers, Admin)
- Internal:   10.10.20.0/24  (Workstations, Users)
- Servers:    10.10.30.0/24  (File, SQL, App Servers)
- DMZ:        10.10.40.0/24  (Web servers, external-facing)

Systems:
10.10.10.5   - Kali (Attacker)
10.10.10.10  - DC01 (Primary DC)
10.10.10.11  - DC02 (Secondary DC)
10.10.20.100 - WORKSTATION-01
10.10.20.101 - WORKSTATION-02
10.10.20.102 - WORKSTATION-03
10.10.30.50  - FILE-SRV01
10.10.30.51  - SQL-SRV01
10.10.30.52  - UBUNTU-SRV01
10.10.40.80  - WEB-SRV01 (DMZ)

Step 1: Create Additional Virtual Networks

VirtualBox

  1. File → Preferences → Network → NAT Networks

  2. Create these networks:

    • ADLab-Management - 10.10.10.0/24

    • ADLab-Internal - 10.10.20.0/24

    • ADLab-Servers - 10.10.30.0/24

    • ADLab-DMZ - 10.10.40.0/24

VMware

  1. Virtual Network Editor

  2. Create:

    • VMnet3 - Management - 10.10.10.0/24

    • VMnet4 - Internal - 10.10.20.0/24

    • VMnet5 - Servers - 10.10.30.0/24

    • VMnet6 - DMZ - 10.10.40.0/24


Step 2: Reconfigure Existing VMs

Move DC01 to Correct Networks

DC01 needs interfaces on multiple networks to route between them.

VirtualBox:

  1. Shut down DC01

  2. Settings → Network

  3. Adapter 1: ADLab-Management (10.10.10.0/24)

  4. Adapter 2: Enable, ADLab-Internal (10.10.20.0/24)

  5. Adapter 3: Enable, ADLab-Servers (10.10.30.0/24)

  6. OK

VMware:

  1. Shut down DC01

  2. Settings → Add → Network Adapter

  3. Custom: VMnet4 (Internal)

  4. Add another: VMnet5 (Servers)

Configure DC01 Multi-Homing

  1. Start DC01 and log in

  2. Control Panel → Network Connections

  3. Rename adapters:

    • Ethernet → "Management"

    • Ethernet 2 → "Internal"

    • Ethernet 3 → "Servers"

  4. Configure each adapter:

Management (10.10.10.0/24):

  • IP: 10.10.10.10

  • Subnet: 255.255.255.0

  • Gateway: 10.10.10.1

  • DNS: 127.0.0.1

Internal (10.10.20.0/24):

  • IP: 10.10.20.10

  • Subnet: 255.255.255.0

  • Gateway: (leave blank)

  • DNS: 127.0.0.1

Servers (10.10.30.0/24):

  • IP: 10.10.30.10

  • Subnet: 255.255.255.0

  • Gateway: (leave blank)

  • DNS: 127.0.0.1

Enable Routing on DC01

# Open PowerShell as Administrator
Install-WindowsFeature -Name Routing -IncludeManagementTools

# Enable IP routing
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -Name IPEnableRouter -Value 1

# Restart computer
Restart-Computer

Step 3: Create Second Domain Controller (DC02)

Clone DC01 or Create New

Option A: Clone DC01 (Faster)

  1. Shut down DC01

  2. Clone VM → Full clone

  3. Name: DC02

  4. Generate new MAC addresses

Option B: Create from Scratch

  1. Create new Windows Server 2022 VM

  2. Install Windows Server

  3. Configure networking

  4. Add to domain first, then promote

Configure DC02 Networking

  1. Start DC02

  2. Before first login, rename computer to DC02

  3. Set static IP on Management adapter:

    • IP: 10.10.10.11

    • Subnet: 255.255.255.0

    • Gateway: 10.10.10.1

    • DNS: 10.10.10.10 (point to DC01)

Remove Old AD DS Installation (if cloned)

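# Run this if you cloned DC01. The clone is still a domain controller, so demote it first (it restarts on its own)
Uninstall-ADDSDomainController -ForceRemoval -DemoteOperationMasterRole -LocalAdministratorPassword (Read-Host -AsSecureString "New local Administrator password")
# After the restart, remove the AD DS role
Uninstall-WindowsFeature AD-Domain-Services -Restart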

Join DC02 to Domain

# After restart, join domain
Add-Computer -DomainName corp.local -Credential CORP\Administrator -Restart

Promote DC02 to Domain Controller

  1. Log in as CORP\Administrator

  2. Server Manager → Add Roles → AD Domain Services

  3. Install AD DS role

  4. Promote to DC:

    • Add domain controller to existing domain: corp.local

    • Supply CORP\Administrator credentials

    • Replicate from: DC01.corp.local

    • Install DNS server: Yes

    • DSRM password: P@ssw0rd123!

  5. Install and restart

Verify Replication

# On DC02, check replication status
repadmin /replsummary
repadmin /showrepl

# Test AD replication
Get-ADReplicationPartnerMetadata -Target DC02

Step 4: Create File Server (FILE-SRV01)

Create VM

  1. New VM: FILE-SRV01

  2. Windows Server 2022

  3. RAM: 4GB

  4. Disk: 60GB

  5. Network: ADLab-Servers (10.10.30.0/24)

Install and Configure

  1. Install Windows Server 2022

  2. Computer name: FILE-SRV01

  3. Static IP:

    • IP: 10.10.30.50

    • Subnet: 255.255.255.0

    • Gateway: 10.10.30.10

    • DNS: 10.10.10.10

Join Domain

Add-Computer -DomainName corp.local -Credential CORP\Administrator -Restart

Install File Server Role

# After domain join
Install-WindowsFeature -Name FS-FileServer -IncludeManagementTools

Create Shares

# Create share directories
New-Item -Path "C:\Shares\Finance" -ItemType Directory
New-Item -Path "C:\Shares\HR" -ItemType Directory
New-Item -Path "C:\Shares\IT" -ItemType Directory
New-Item -Path "C:\Shares\Public" -ItemType Directory

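# Create SMB shares
# The Finance Users, HR Users and IT Admins groups are created in Step 8; create them first, or New-SmbShare fails to resolve the account names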
New-SmbShare -Name "Finance" -Path "C:\Shares\Finance" -FullAccess "CORP\Domain Admins" -ChangeAccess "CORP\Finance Users"
New-SmbShare -Name "HR" -Path "C:\Shares\HR" -FullAccess "CORP\Domain Admins" -ReadAccess "CORP\HR Users"
New-SmbShare -Name "IT" -Path "C:\Shares\IT" -FullAccess "CORP\Domain Admins","CORP\IT Admins"
New-SmbShare -Name "Public" -Path "C:\Shares\Public" -FullAccess "Everyone"

# Add fake sensitive data for practice
@"
Employee,SSN,Salary
John Smith,123-45-6789,85000
Sarah Johnson,234-56-7890,92000
Mike Davis,345-67-8901,78000
"@ | Out-File C:\Shares\HR\employees.csv

# Single quotes keep PowerShell from expanding $10M as a variable
'Confidential: Q4 Financial Results - Revenue: $10M' | Out-File C:\Shares\Finance\Q4_results.txt

# Set NTFS permissions (more restrictive than share permissions)
icacls "C:\Shares\Finance" /grant "CORP\Domain Admins:(OI)(CI)F"
icacls "C:\Shares\HR" /grant "CORP\Domain Admins:(OI)(CI)F"
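
To see what each share really allows, the following added example (not part of the original guide) lists the share-level and NTFS-level entries side by side for the four shares created above and flags broad principals that can write. Access over SMB is limited by whichever layer is more restrictive. The helper name Get-LabShareAcl and the $BroadPrincipals list are assumptions made for this example.

```powershell
# Added example: run on FILE-SRV01 in an elevated PowerShell session.
# Get-LabShareAcl is a hypothetical helper name; $BroadPrincipals is an assumed list.
$BroadPrincipals = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'CORP\Domain Users'

function Get-LabShareAcl {
    param([string[]]$ShareName = @('Finance', 'HR', 'IT', 'Public'))

    # WriteData (create files) and AppendData (create folders) as a bit mask
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [int][System.Security.AccessControl.FileSystemRights]::AppendData

    foreach ($name in $ShareName) {
        $share = Get-SmbShare -Name $name -ErrorAction Stop

        # Layer 1: share permissions set by New-SmbShare
        foreach ($entry in (Get-SmbShareAccess -Name $name)) {
            $rights = [string]$entry.AccessRight
            $allow  = ([string]$entry.AccessControlType -eq 'Allow')
            [pscustomobject]@{
                Share      = $name
                Layer      = 'Share'
                Principal  = $entry.AccountName
                Type       = [string]$entry.AccessControlType
                Rights     = $rights
                Inherited  = $false
                BroadWrite = $allow -and ($entry.AccountName -in $BroadPrincipals) -and ($rights -in 'Full', 'Change')
            }
        }

        # Layer 2: NTFS permissions on the shared folder, including inherited entries
        foreach ($ace in (Get-Acl -Path $share.Path).Access) {
            $principal = $ace.IdentityReference.Value
            $allow     = ([string]$ace.AccessControlType -eq 'Allow')
            $canWrite  = (([int]$ace.FileSystemRights) -band $writeBits) -ne 0
            [pscustomobject]@{
                Share      = $name
                Layer      = 'NTFS'
                Principal  = $principal
                Type       = [string]$ace.AccessControlType
                Rights     = [string]$ace.FileSystemRights
                Inherited  = $ace.IsInherited
                BroadWrite = $allow -and $canWrite -and ($principal -in $BroadPrincipals)
            }
        }
    }
}

Get-LabShareAcl | Sort-Object Share, Layer | Format-Table -AutoSize
```

Rows with Inherited = True come from the parent folder rather than from the icacls commands above, which only add a Domain Admins entry.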

Step 5: Create SQL Server (SQL-SRV01)

Create VM

  1. New VM: SQL-SRV01

  2. Windows Server 2022

  3. RAM: 6GB (SQL needs more)

  4. Disk: 80GB

  5. Network: ADLab-Servers

Install and Configure

  1. Install Windows Server 2022

  2. Computer name: SQL-SRV01

  3. Static IP: 10.10.30.51 (DNS: 10.10.10.10)

  4. Join domain

Download SQL Server

  1. Download SQL Server 2022 Developer Edition (free)

  2. Or use SQL Server 2019 Express (lighter)

Install SQL Server

  1. Run SQL Server installer

  2. Choose Basic installation type

  3. Accept license

  4. Install location: Default

  5. Wait for installation

  6. Click Install SSMS (SQL Server Management Studio)

Configure SQL Server

# Enable SQL Server Browser
Set-Service -Name SQLBrowser -StartupType Automatic
Start-Service SQLBrowser

# Enable TCP/IP
# Open SQL Server Configuration Manager
# SQL Server Network Configuration → Protocols for MSSQLSERVER
# Enable TCP/IP
# Restart SQL Server service

Configure SQL Service Account

  1. SQL Server Configuration Manager

  2. SQL Server Services → SQL Server (MSSQLSERVER)

  3. Right-click → Properties → Log On tab

  4. Change to: This Account

  5. Account: CORP\sql_svc

  6. Password: Summer2023!

  7. OK → Restart service

Set SPN (for Kerberoasting)

# On DC01
setspn -A MSSQLSvc/SQL-SRV01.corp.local:1433 CORP\sql_svc
setspn -A MSSQLSvc/SQL-SRV01.corp.local CORP\sql_svc

Create Test Database

  1. Open SSMS (SQL Server Management Studio)

  2. Connect to localhost

  3. New Query:

CREATE DATABASE TestDB;
GO

USE TestDB;
GO

CREATE TABLE Customers (
    CustomerID int IDENTITY(1,1) PRIMARY KEY,
    FirstName varchar(50),
    LastName varchar(50),
    Email varchar(100),
    CreditCard varchar(20)
);
GO

INSERT INTO Customers VALUES 
('John','Doe','[email protected]','4532-1234-5678-9012'),
('Jane','Smith','[email protected]','4532-9876-5432-1098');
GO

Step 6: Create DMZ Web Server (WEB-SRV01)

Create VM

  1. New VM: WEB-SRV01

  2. Windows Server 2022 or Ubuntu Server

  3. RAM: 2GB

  4. Disk: 40GB

  5. Network: ADLab-DMZ (10.10.40.0/24)

Configure Networking

If Windows:

  • IP: 10.10.40.80

  • Subnet: 255.255.255.0

  • Gateway: 10.10.40.1

  • DNS: 10.10.10.10

If Ubuntu:

sudo nano /etc/netplan/00-installer-config.yaml
network:
  ethernets:
    ens33:
      addresses:
        - 10.10.40.80/24
      gateway4: 10.10.40.1
      nameservers:
        addresses:
          - 10.10.10.10
  version: 2

Install Web Server

Windows IIS:

Install-WindowsFeature -name Web-Server -IncludeManagementTools

Ubuntu Apache:

sudo apt update
sudo apt install -y apache2 php mysql-server
sudo systemctl enable apache2

Deploy Vulnerable Web App (DVWA)

# On Ubuntu
cd /var/www/html
sudo git clone https://github.com/digininja/DVWA.git
sudo chmod -R 777 DVWA
cd DVWA
sudo cp config/config.inc.php.dist config/config.inc.php

# Configure MySQL
sudo mysql
CREATE DATABASE dvwa;
CREATE USER 'dvwa'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON dvwa.* TO 'dvwa'@'localhost';
FLUSH PRIVILEGES;
exit;

# Edit config file
sudo nano config/config.inc.php
# Set: $_DVWA[ 'db_password' ] = 'password';

# Access at: http://10.10.40.80/DVWA/setup.php

Step 7: Move Workstations to Internal Network

Reconfigure WORKSTATION-01 and WORKSTATION-02

  1. Shut down both workstations

  2. Change network adapter to: ADLab-Internal (or VMnet4)

  3. Start VMs

Update IP Addresses

WORKSTATION-01:

  • IP: 10.10.20.100

  • Subnet: 255.255.255.0

  • Gateway: 10.10.20.10

  • DNS: 10.10.10.10

WORKSTATION-02:

  • IP: 10.10.20.101

  • Gateway: 10.10.20.10

  • DNS: 10.10.10.10

Create Additional Workstation

  1. Clone WORKSTATION-01

  2. Name: WORKSTATION-03

  3. IP: 10.10.20.102

  4. Rename computer to WORKSTATION-03


Step 8: Configure Advanced AD Features

Install Certificate Services (on DC01)

Install-WindowsFeature -Name AD-Certificate -IncludeManagementTools

  1. Server Manager → AD CS → Configure Active Directory Certificate Services

  2. Credentials: CORP\Administrator

  3. Role Services: Certification Authority and Certificate Authority Web Enrollment

  4. Setup Type: Enterprise CA

  5. CA Type: Root CA

  6. Private Key: Create new

  7. CA Name: CORP-DC01-CA

  8. Validity: 5 years

  9. Configure and complete

Create Additional Security Groups

# On DC01
New-ADGroup -Name "Finance Users" -GroupScope Global -Path "OU=Corp Users,DC=corp,DC=local"
New-ADGroup -Name "HR Users" -GroupScope Global -Path "OU=Corp Users,DC=corp,DC=local"
New-ADGroup -Name "IT Admins" -GroupScope Global -Path "OU=Corp Users,DC=corp,DC=local"
New-ADGroup -Name "SQL Admins" -GroupScope Global -Path "OU=Corp Users,DC=corp,DC=local"

# Add users to groups
Add-ADGroupMember -Identity "IT Admins" -Members helpdesk
Add-ADGroupMember -Identity "SQL Admins" -Members sql_svc

Configure Group Policy Objects

Disable Windows Defender via GPO:

  1. Group Policy Management

  2. Create new GPO: "Disable Windows Defender"

  3. Link to: corp.local

  4. Edit GPO:

    • Computer Configuration → Policies → Administrative Templates → Windows Components → Windows Defender Antivirus

    • Turn off Windows Defender Antivirus: Enabled

  5. Force update on workstations:

   gpupdate /force

Configure Password Policy:

  1. Default Domain Policy → Edit

  2. Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy

  3. Configure:

    • Minimum password length: 8

    • Password complexity: Disabled (for lab)

    • Maximum password age: 0 (never expire - lab only!)


Step 9: Configure Kali Multi-Network Access

Add Network Adapters to Kali

  1. Shut down Kali

  2. Add 3 more network adapters:

    • Adapter 2: ADLab-Internal

    • Adapter 3: ADLab-Servers

    • Adapter 4: ADLab-DMZ

  3. Start Kali

Configure Multiple Interfaces

# Edit network configuration
sudo nano /etc/network/interfaces

Add all interfaces:

auto eth0
iface eth0 inet static
    address 10.10.10.5
    netmask 255.255.255.0
    gateway 10.10.10.1

auto eth1
iface eth1 inet static
    address 10.10.20.5
    netmask 255.255.255.0

auto eth2
iface eth2 inet static
    address 10.10.30.5
    netmask 255.255.255.0

auto eth3
iface eth3 inet static
    address 10.10.40.5
    netmask 255.255.255.0

Restart networking:

sudo systemctl restart networking

Or configure via Network Manager GUI for each interface.


Step 10: Advanced Lab Features

Create Honeypot Accounts

# On DC01
# Create fake admin account (honeypot)
New-ADUser -Name "SQL Admin Backup" -SamAccountName "sqladmin_backup" -UserPrincipalName "[email protected]" -AccountPassword (ConvertTo-SecureString "SQLAdmin2023!" -AsPlainText -Force) -Enabled $true -Path "OU=Service Accounts,DC=corp,DC=local"

# Set description to attract attackers
Set-ADUser -Identity sqladmin_backup -Description "Backup admin account for SQL Server - DO NOT DISABLE"

# Monitor this account for logon attempts (honeypot)
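
One way to do that monitoring, as an added example that is not part of the original guide: it searches the Security log on both lab domain controllers for any authentication event naming the honeypot account. Because nothing legitimate uses this account, every hit is worth investigating. The helper name Get-HoneypotActivity is hypothetical, and the script assumes the DCs audit logon, Kerberos Authentication Service and Credential Validation events and allow remote event log access.

```powershell
# Added example: run from DC01 or an admin host that can read the DCs' event logs.
# Get-HoneypotActivity is a hypothetical helper name, not a built-in cmdlet.
function Get-HoneypotActivity {
    param(
        [string[]]$ComputerName = @('DC01', 'DC02'),
        [string]$AccountName = 'sqladmin_backup',
        [datetime]$Since = (Get-Date).AddDays(-1)
    )

    # 4624/4625 logon success/failure, 4768 Kerberos TGT requested,
    # 4771 Kerberos pre-authentication failed, 4776 NTLM credential validation
    $filter = @{
        LogName   = 'Security'
        Id        = 4624, 4625, 4768, 4771, 4776
        StartTime = $Since
    }

    foreach ($dc in $ComputerName) {
        # "No events found" and unreachable hosts are non-terminating errors; skip them
        $records = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue

        foreach ($record in $records) {
            # Flatten <EventData><Data Name="...">value</Data></EventData> into a hashtable
            $data = @{}
            foreach ($node in ([xml]$record.ToXml()).Event.EventData.Data) {
                $data[$node.GetAttribute('Name')] = $node.InnerText
            }

            # Keep only events that name the honeypot (comparison is case-insensitive)
            if ($data['TargetUserName'] -ne $AccountName) { continue }

            [pscustomobject]@{
                Time    = $record.TimeCreated
                DC      = $dc
                EventId = $record.Id
                Account = $data['TargetUserName']
                # Kerberos and logon events carry IpAddress; 4776 carries Workstation
                Source  = if ($data['IpAddress']) { $data['IpAddress'] } else { $data['Workstation'] }
                Status  = $data['Status']   # result code; empty for 4624
            }
        }
    }
}

Get-HoneypotActivity | Sort-Object Time | Format-Table -AutoSize
```

Query both DCs: an authentication request is logged only on the domain controller that handled it, so checking DC01 alone can miss activity.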

Configure Constrained Delegation (for practice)

# Allow FILE-SRV01 to delegate to SQL-SRV01
Set-ADComputer -Identity FILE-SRV01 -Add @{'msDS-AllowedToDelegateTo'='MSSQLSvc/SQL-SRV01.corp.local'}

Add Kerberos Delegation Vulnerabilities

# Set unconstrained delegation on FILE-SRV01 (vulnerable!)
Set-ADComputer -Identity FILE-SRV01 -TrustedForDelegation $true

Create Weak ACLs for Practice

# Give helpdesk GenericAll on domain admins (vulnerable!)
$helpdesk = Get-ADUser -Identity helpdesk
$domainAdmins = Get-ADGroup -Identity "Domain Admins"

$acl = Get-ACL "AD:\$($domainAdmins.DistinguishedName)"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $helpdesk.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$acl.AddAccessRule($ace)
Set-ACL -Path "AD:\$($domainAdmins.DistinguishedName)" -AclObject $acl
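
To confirm the lab's deliberate weaknesses are in place, and to practise finding them from the defender's side, the following added example (not part of the original guide) reports the delegation settings, SPN-bearing user accounts and Domain Admins ACL entry configured in this step and earlier. The helper name Get-LabAdExposure and the $expected allow-list are assumptions made for this example.

```powershell
# Added example: run on DC01 or any host with the ActiveDirectory module.
# Get-LabAdExposure is a hypothetical helper name; $expected is an assumed allow-list
# of principals that normally hold full control on Domain Admins.
Import-Module ActiveDirectory

function Get-LabAdExposure {
    $expected   = 'NT AUTHORITY\SYSTEM', 'CORP\Domain Admins', 'CORP\Enterprise Admins', 'BUILTIN\Administrators'
    $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    # Unconstrained delegation on computers that are not domain controllers (primary group 516)
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties PrimaryGroupID |
        Where-Object PrimaryGroupID -ne 516 |
        ForEach-Object {
            [pscustomobject]@{ Finding = 'UnconstrainedDelegation'; Object = $_.Name; Detail = 'TrustedForDelegation = True' }
        }

    # Constrained delegation: any object with a list of services it may delegate to
    Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties 'msDS-AllowedToDelegateTo' |
        ForEach-Object {
            [pscustomobject]@{ Finding = 'ConstrainedDelegation'; Object = $_.Name; Detail = ($_.'msDS-AllowedToDelegateTo' -join ', ') }
        }

    # User accounts that carry an SPN (krbtgt always has one, so it is excluded)
    Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' -Properties servicePrincipalName |
        ForEach-Object {
            [pscustomobject]@{ Finding = 'UserWithSPN'; Object = $_.SamAccountName; Detail = ($_.servicePrincipalName -join ', ') }
        }

    # Allow entries granting GenericAll on Domain Admins to anyone outside the allow-list
    $dn = (Get-ADGroup -Identity 'Domain Admins').DistinguishedName
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object {
            ([string]$_.AccessControlType -eq 'Allow') -and
            (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll) -and
            ($_.IdentityReference.Value -notin $expected)
        } |
        ForEach-Object {
            [pscustomobject]@{ Finding = 'UnexpectedGenericAll'; Object = 'Domain Admins'; Detail = $_.IdentityReference.Value }
        }
}

Get-LabAdExposure | Format-Table -AutoSize -Wrap
```

If the UnexpectedGenericAll row disappears about an hour after you add it, that is expected: Domain Admins is protected by AdminSDHolder, and the SDProp process periodically resets the group's ACL to the AdminSDHolder template.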

Step 11: Test Enterprise Scenarios

Test Multi-Segment Routing

# From Kali (10.10.10.5)
ping 10.10.20.100  # Internal workstation
ping 10.10.30.50   # File server
ping 10.10.40.80   # DMZ web server

# All should work if routing is configured correctly

Test DC Replication

# On DC01, create a new user
New-ADUser -Name "Test User" -SamAccountName testuser

# On DC02, verify user replicated
Get-ADUser -Identity testuser
# Should return the user

Test File Server Access

# From Kali
smbclient -L //10.10.30.50 -U jsmith
# Enter password: Welcome123!

# Should see Finance, HR, IT, Public shares

Test SQL Server Kerberoasting

# From Kali
python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py corp.local/jsmith:Welcome123! -dc-ip 10.10.10.10 -request

# Should return Kerberos ticket for sql_svc

Step 12: Create Comprehensive Snapshots

Take snapshots of the entire lab in a clean state:

  1. Kali-Attacker → "Enterprise Lab - Clean"

  2. DC01 → "Primary DC - Multi-homed"

  3. DC02 → "Secondary DC - Replication Configured"

  4. WORKSTATION-01 → "Internal Network - Clean"

  5. WORKSTATION-02 → "Internal Network - Clean"

  6. WORKSTATION-03 → "Internal Network - Clean"

  7. FILE-SRV01 → "File Server - Shares Configured"

  8. SQL-SRV01 → "SQL Server - Database Configured"

  9. WEB-SRV01 → "DMZ Web Server - DVWA Installed"

  10. UBUNTU-SRV01 → "Linux Pivot - Clean"


Tier 3 Complete! 🎉🎉🎉

You now have an enterprise-scale red team lab with:

  • Multiple network segments

  • Redundant domain controllers

  • File and SQL servers

  • DMZ with web applications

  • Vulnerable configurations for practice

  • Honeypot accounts for detection practice

What You Can Practice

Everything from Tiers 1 & 2, plus:

  • Multi-segment pivoting

  • Trust relationship exploitation

  • Constrained/unconstrained delegation attacks

  • Certificate services attacks (ESC1-ESC8)

  • SQL Server lateral movement

  • DMZ compromise and internal pivoting

  • Multi-domain attacks (if you add second domain)

  • Advanced persistence across multiple systems

  • Large-scale credential harvesting

  • Realistic enterprise engagement simulation


Optional Advanced Enhancements

Add Second Forest (Trust Relationships)

Create a second domain external.local for forest trust attacks:

  1. Create new DC: DC-EXTERNAL

  2. New forest: external.local

  3. Establish forest trust with corp.local

  4. Practice cross-forest attacks

Add SCCM Server

  1. Create new server: SCCM-SRV01

  2. Install System Center Configuration Manager

  3. Practice SCCM exploitation techniques

Add Exchange Server

  1. Create new server: EXCHANGE-SRV01

  2. Install Exchange Server 2019

  3. Practice email-based attacks and PrivExchange

Add Azure AD Connect

  1. Install Azure AD Connect on DC01

  2. Sync to trial Azure AD tenant

  3. Practice hybrid environment attacks


Congratulations! You now have a complete, enterprise-grade red team laboratory. Time to start breaking things! 🔴⚔️

Remember: Document everything you do. Your future self (and your lab reports) will thank you.

© 2025 Maxwell Cross - All Rights Reserved
