Building a Windows AD lab

Creating an AD structure


Last updated 3 years ago

1. Open the "Server Manager", click on "Tools" and then "Active Directory Users and Computers".

Creating an Organizational Unit (OU)

2. Expand the tree, right-click "amsterdam.bank.local", then select "New" and "Organizational Unit". Give it the name Employees and click on "OK".

Creating Groups

1. Right-click the newly created OU and select "New" and then "Group".

2. Fill in "Finance" and click on "OK".

3. Repeat and create the following groups:

  • Finance

  • HR

  • Employees

  • IT

Creating Users

For attack path <url to attackpath> we need a user account in the IT group. To create the account, use net user /add <username> <password> /domain; to add it to the IT group, use net group IT <username> /add /domain. In this example we're using the following commands:

net user /add IT-support01 Sup3rCompl1c4t3dP4ssw0rd2022 /domain
net group IT IT-Support01 /add /domain

The command net user <username> /domain shows an account's group memberships. In this example we're using the following command:

net user IT-Support01 /domain

For attack path <url to attackpath> we need a user account in the Employees group. To create the account, use net user /add <username> <password> /domain; to add it to the Employees group, use net group Employees <username> /add /domain. In this example we're using the following commands:

net user /add pukcab Bangbang123 /domain
net group Employees pukcab /add /domain

The password Bangbang123 is a commonly used password from 2020; see the references for the password list.

The command net user <username> /domain shows an account's group memberships. In this example we're using the following command:

net user pukcab /domain
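
The OU, group and user steps above can also be scripted so the lab can be rebuilt or re-run without clicking through the GUI. The following is an added example, not part of the original lab guide; it assumes the ActiveDirectory PowerShell module is available and that it runs in an elevated session on DC02 as a domain administrator of amsterdam.bank.local.

```powershell
# Added example: scripted equivalent of the GUI and net.exe steps on this page.
# Assumption: run on DC02 with the ActiveDirectory module and Domain Admin rights.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName   # DN of the current domain
$ouName   = 'Employees'
$ouDn     = "OU=$ouName,$domainDn"

# Create the OU only if it is missing, so the script is safe to re-run.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# Create the four groups inside the OU. Global/Security matches the
# defaults of the "New > Group" dialog used in the manual steps.
foreach ($group in 'Finance', 'HR', 'Employees', 'IT') {
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$group'")) {
        New-ADGroup -Name $group -SamAccountName $group `
            -GroupScope Global -GroupCategory Security -Path $ouDn
    }
}

# Accounts, passwords and group assignments exactly as given on this page.
$users = @(
    @{ Name = 'IT-support01'; Password = 'Sup3rCompl1c4t3dP4ssw0rd2022'; Group = 'IT' },
    @{ Name = 'pukcab';       Password = 'Bangbang123';                  Group = 'Employees' }
)

foreach ($u in $users) {
    # No -Path: like "net user /add", the account lands in the default Users container.
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$($u.Name)'")) {
        $secure = ConvertTo-SecureString $u.Password -AsPlainText -Force
        New-ADUser -Name $u.Name -SamAccountName $u.Name -AccountPassword $secure -Enabled $true
    }

    # Add the account to its group unless it is already a member.
    $isMember = Get-ADGroupMember -Identity $u.Group | Where-Object SamAccountName -eq $u.Name
    if (-not $isMember) {
        Add-ADGroupMember -Identity $u.Group -Members $u.Name
    }

    # Verification, equivalent to "net user <username> /domain".
    $groups = (Get-ADPrincipalGroupMembership -Identity $u.Name).Name -join ', '
    Write-Output "$($u.Name): $groups"
}
```

Each account should be listed with Domain Users plus the group it was assigned to.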

References

SecLists/2020-200_most_used_passwords.txt at master · danielmiessler/SecLists (GitHub)