Red Teaming Experiments
linkedingithub@spotheplanetpatreon
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
From Domain Admin to Enterprise Admin
Kerberoasting
Kerberos: Golden Tickets
Kerberos: Silver Tickets
AS-REP Roasting
Kerberoasting: Requesting RC4 Encrypted TGS when AES is Enabled
Kerberos Unconstrained Delegation
Kerberos Constrained Delegation
Kerberos Resource-based Constrained Delegation: Computer Object Takeover
Domain Compromise via DC Print Server and Kerberos Delegation
DCShadow - Becoming a Rogue Domain Controller
DCSync: Dump Password Hashes from Domain Controller
PowerView: Active Directory Enumeration
Abusing Active Directory ACLs/ACEs
Privileged Accounts and Token Privileges
From DnsAdmins to SYSTEM to Domain Compromise
Pass the Hash with Machine$ Accounts
BloodHound with Kali Linux: 101
Backdooring AdminSDHolder for Persistence
Active Directory Enumeration with AD Module without RSAT or Admin Privileges
Enumerating AD Object Permissions with dsacls
Active Directory Password Spraying
Active Directory Lab with Hyper-V and PowerShell
ADCS + PetitPotam NTLM Relay: Obtaining krbtgt Hash with Domain Controller Machine Certificate
From Misconfigured Certificate Template to Domain Admin
Shadow Credentials
Abusing Trust Account$: Accessing Resources on a Trusted Domain from a Trusting Domain
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
Active Directory Lab with Hyper-V and PowerShell
Below are some notes with a couple of simple Powershell scripts that I use to:
  • Promote a computer to Domain Controller
  • Create an Active Directory (AD) domain offense.local
  • Join computer to offense.local domain
  • Create users in offense.local domain
The scripts are not intended to fully automate building of the Active Directory lab, rather they serve as cheatsheets that suit most of my needs most of the time.
I use Hyper-V to run my virtual machines (VM) which I installed manually:
  • WS01 - Windows 10
  • DC01 - Windows Server 2019

Promote Computer to Domain Controller

Below script establishes a Powershell Remoting session to the DC01 VM using credentials administrator:123456 (I set that password on DC01 manually before running this script) and does the following:
  • Congifures the IP/DNS addresses - Domain Controller DC01 will have a static IP 10.0.0.6;
  • Installs AD services and management tools;
  • Creates a domain offense.local.
You may need to change the passwords depending on your password policies.
Promote-DC.ps1
1
$plainPassword = "123456"
2
$password = $plainPassword | ConvertTo-SecureString -asPlainText -Force
3
$credential = New-Object System.Management.Automation.PSCredential("administrator", $password)
4
​
5
$session = New-PSSession -Vmname dc01 -Credential $credential -Verbose
6
​
7
$code = {
8
$plainPassword = "123456"
9
$password = $plainPassword | ConvertTo-SecureString -asPlainText -Force
10
$credential = New-Object System.Management.Automation.PSCredential("administrator", $password)
11
​
12
netsh int ip set address "ethernet" static 10.0.0.6 255.255.255.0 10.0.0.6 1
13
netsh int ip set dns "ethernet" static 10.0.0.6 primary
14
​
15
$domainName = "offense"
16
$domain = "$domainName.local"
17
​
18
Write-Host "Installing management tools"
19
Import-Module ServerManager
20
Add-WindowsFeature RSAT-AD-PowerShell,RSAT-AD-AdminCenter
21
​
22
Write-Host "Deploying Active Directory Domain..."
23
Install-WindowsFeature AD-domain-services, DNS -IncludeAllSubFeature -IncludeManagementTools -Restart
24
Import-Module ADDSDeployment
25
Install-ADDSForest `
26
-SafeModeAdministratorPassword $password `
27
-CreateDnsDelegation:$false `
28
-DatabasePath "C:\Windows\NTDS" `
29
-DomainMode "7" `
30
-DomainName $domain `
31
-DomainNetbiosName $domainName `
32
-ForestMode "7" `
33
-InstallDns:$true `
34
-LogPath "C:\Windows\NTDS" `
35
-NoRebootOnCompletion:$true `
36
-SysvolPath "C:\Windows\SYSVOL" `
37
-Force:$true
38
​
39
Restart-Computer -Force -Verbose
40
}
41
​
42
Invoke-Command -Session $session -ScriptBlock $code
Copied!
Output of Promote-DC.ps1

Join Computer to Domain

Below script establishes a Powershell Remoting session to the WS01 VM using credentials mantvydas:123456 (I set that password on WS01 manually before running this script) and does the following:
  • Configures IP/DNS settings - the workstation WS01 will have a static IP 10.0.0.7 and a DNS pointing to 10.0.0.6, which is our DC01;
  • Adds computer to the domain.
Join-Member.ps1
1
$plainPassword = "123456"
2
$password = $plainPassword | ConvertTo-SecureString -asPlainText -Force
3
$credential = New-Object System.Management.Automation.PSCredential("mantvydas", $password)
4
​
5
$session = New-PSSession -Vmname ws01 -Credential $credential -Verbose
6
​
7
$code = {
8
netsh int ip set address "ethernet" static 10.0.0.7 255.255.255.0 10.0.0.6 1
9
netsh int ip set dns "ethernet" static 10.0.0.6 primary
10
​
11
$plainPassword = "123456"
12
$password = $plainPassword | ConvertTo-SecureString -asPlainText -Force
13
$credential = New-Object System.Management.Automation.PSCredential("administrator", $password)
14
Add-computer -computername ws01 -domain offense.local -domaincredential $credential -Verbose -Restart
15
}
16
​
17
Invoke-Command -Session $session -ScriptBlock $code
Copied!

Create Domain Users

Below script establishes a Powershell Remoting session to the DC01 VM and does the following:
  • Creates some domain users
  • Sets their passwords to 123456
Create-Users.ps1
1
$plainPassword = "123456"
2
$password = $plainPassword | ConvertTo-SecureString -asPlainText -Force
3
$credential = New-Object System.Management.Automation.PSCredential("offense\administrator", $password)
4
​
5
$session = New-PSSession -Vmname dc01 -Credential $credential -Verbose
6
​
7
$code = {
8
$plainPassword = "123456"
9
$password = $plainPassword | ConvertTo-SecureString -asPlainText -Force
10
$credential = New-Object System.Management.Automation.PSCredential("offense\administrator", $password)
11
12
# Create users
13
"spotless", "sandy", "bob" | % { New-ADUser $_ }
14
15
# Reset users' passwords
16
Get-ADUser -Filter * -Properties samaccountname | select -exp samaccountname | ? {$_ -notmatch "krb|guest"} | ForEach-Object { Write-host Changing password for $_ to $plainPassword; net user $_ $plainPassword | out-null }
17
}
18
​
19
Invoke-Command -Session $session -ScriptBlock $code
Copied!
Before running this script, the password policy needs to be manually updated on DC01:
  • Minimum password length: 0
  • Password must meet complexity requirements: disabled
Don't forget to run gpupdate.exe on the DC01 for the new password policy to take affect. This step is mandatory before running Create-Users.ps1 script, otherwise the user passwords will not be changed.

Setting up Kali in Enhanced Session Mode

Execute the below in kali:
1
sudo git clone https://github.com/mimura1133/linux-vm-tools /opt/linux-vm-tools
2
sudo chmod 0755 /opt/linux-vm-tools/kali/2020.x/install.sh
3
sudo /opt/linux-vm-tools/kali/2020.x/install.sh
4
sudo reboot -f
Copied!
Execute the below on the host OS with Hyper V, that is hosting your kali VM:
1
Set-VM "KALI02" -EnhancedSessionTransportType HVSocket
Copied!
Previous
Active Directory Password Spraying
Next
ADCS + PetitPotam NTLM Relay: Obtaining krbtgt Hash with Domain Controller Machine Certificate
Last modified 1yr ago
Copy link
Contents
Promote Computer to Domain Controller
Join Computer to Domain
Create Domain Users
Setting up Kali in Enhanced Session Mode