Building a Windows AD lab

Configure LDAPS


Last updated 2 years ago

1. Search for "Certificate Authority" in Windows Search, right-click it and select "Run as different user". Then enter the Enterprise Admin credentials: bank\administrator with the password Welcome01!.

2. Open the directories and click on "Certificate Templates" and select "Manage".

3. Look for the template "Kerberos Authentication" and select "Duplicate Template".

4. Open the tab "General", give the template the name LDAPS and select "Publish certificate in Active Directory".

5. Open the tab "Request Handling" and select "Allow private key to be exported".

6. Open the tab "Subject Name" and select "User Principal Name" and "Service Principal Name".

7. Click on "Apply" and "OK" and the template should be created.

8. Return to the "certsrv" window, right-click "Certificate Templates" and select "New" and then "Certificate Template to Issue".

9. Locate the LDAPS template and select it, click "OK".

Generate SSL Cert

1. Search for mmc.exe and open it.

2. At the top click on "File" and then "Add/Remove Snap-in".

3. Select "Certificates" and click "Add".

4. Select "Computer account".

5. Select "local computer" and click "Finish".

6. Click on "Certificates" again and on "Add". This time select "Service account".

7. Select "Local Computer" again and click "Next". Then select "Active Directory Domain Services" and click "Finish". There should be two Certificate snap-ins now:

8. In mmc.exe open "Certificates (Local Computer)" --> "Personal", right-click "Certificates", select "All tasks" and click "Request new certificate".

9. Click on "Next" and select "LDAPS" and click on "Enroll".

10. Create a new directory on the C:\ drive with the following PowerShell command:

New-Item -Path C:\ -Name Certs -ItemType Directory

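11. Execute the following command to list all certificates in the local machine store with their thumbprint, subject, expiry date and enhanced key usages. Note down the thumbprint of the certificate whose EnhancedKeyUsageList includes KDC Authentication (among others):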

Get-ChildItem Cert:\LocalMachine\My\ | Select-Object ThumbPrint, Subject, NotAfter, EnhancedKeyUsageList

12. Export the certificate with a password using the following commands and the Thumbprint:

$password = ConvertTo-SecureString -String "123456" -Force -AsPlainText
Get-ChildItem -Path Cert:\LocalMachine\My\B152D39E3CC245E22629C58FF6993FE9F47FD05C | Export-PfxCertificate -FilePath C:\Certs\LDAPs.pfx -Password $password

13. The new certificate is listed in mmc.exe too. Open it and compare the "Thumbprint" field on the "Details" tab to confirm it is the same certificate:

14. Next, move the certificate from the LocalMachine Personal store to the Active Directory Domain Services service account certificate store (NTDS\Personal Certificates) using the commands below. Change the thumbprint accordingly:

Move-Item "HKLM:\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\B152D39E3CC245E22629C58FF6993FE9F47FD05C" "HKLM:\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\MY\Certificates\"
Get-ChildItem -Path "HKLM:\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\MY\Certificates\"

15. Open ldp.exe and test the connection to the domain controller:
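
The same check can be scripted. The following is an added example, not part of the original page: it connects to TCP 636, reads the certificate the DC presents, and reports whether it carries the Server Authentication EKU, how long it remains valid, and whether its thumbprint is in the NTDS store filled in step 14. The function name Test-LdapsCertificate and the default server name DC02.amsterdam.bank.local are assumptions; run it on the DC so the registry path resolves.

```powershell
# Added example: inspect the certificate a DC serves on LDAPS (TCP 636).
# Assumptions: run on the DC itself; the default FQDN is a guess at this lab's DC02 name.
function Test-LdapsCertificate {
    param(
        [string]$Server = 'DC02.amsterdam.bank.local',  # assumed FQDN, adjust to your lab
        [int]$Port = 636
    )
    $script:ldapsPolicyErrors = $null
    # Accept any certificate so it can be inspected; validation errors are recorded and reported.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:ldapsPolicyErrors = $sslPolicyErrors
        $true
    }
    $ssl = $null
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
    # Thumbprints present in the NTDS service store (same registry path as step 14).
    $ntdsPath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\MY\Certificates\'
    $ntdsThumbprints = @(Get-ChildItem -Path $ntdsPath -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty PSChildName)
    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })

    [pscustomobject]@{
        Subject          = $cert.Subject
        Thumbprint       = $cert.Thumbprint
        NotAfter         = $cert.NotAfter
        DaysRemaining    = [int](($cert.NotAfter - (Get-Date)).TotalDays)
        HasServerAuthEku = $ekuOids -contains '1.3.6.1.5.5.7.3.1'  # Server Authentication OID
        ServedFromNtds   = $ntdsThumbprints -contains $cert.Thumbprint
        PolicyErrors     = $script:ldapsPolicyErrors              # None = chain and name validated
    }
}

Test-LdapsCertificate
```

A `PolicyErrors` value other than `None` means the machine running the check does not trust the issuing CA or the name does not match, even though the TLS handshake itself succeeded.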