
You're reading from  Building and Automating Penetration Testing Labs in the Cloud

Product type: Book
Published in: Oct 2023
Publisher: Packt
ISBN-13: 9781837632398
Edition: 1st Edition
Author: Joshua Arvin Lat

Joshua Arvin Lat is the Chief Technology Officer (CTO) of NuWorks Interactive Labs, Inc. He previously served as the CTO for three Australian-owned companies and as director of software development and engineering for multiple e-commerce start-ups in the past. Years ago, he and his team won first place in a global cybersecurity competition with their published research paper. He is also an AWS Machine Learning Hero and has shared his knowledge at several international conferences, discussing practical strategies on machine learning, engineering, security, and management.

Designing and Building a Vulnerable Active Directory Lab

Organizations around the world rely on Active Directory to centralize the management of network resources and user accounts. Its widespread adoption and usage globally make it a common target for attackers seeking to compromise large-scale networks. In response to evolving attacks, setting up penetration testing lab environments that mimic real-world implementations can help organizations simulate various types of attacks and strengthen their security measures to keep their network resources and data safe.

In this chapter, we will set up and configure an Active Directory lab inside an isolated network environment in Microsoft Azure. In this lab setup, we will have various security misconfigurations along with deliberately weak configurations present in actual Active Directory implementations. Once the lab environment is ready, we will perform a penetration testing simulation to validate our lab setup configuration.

We will...

Technical requirements

Before we start, we must have the following ready:

  • The Microsoft Azure account we used in Chapter 5, Setting Up Isolated Penetration Testing Lab Environments on Azure
  • The Microsoft Remote Desktop application installed on your local machine
  • The golden image of the Kali Linux VM instance created in the Leveraging Terraform to automatically set up the attacker VM instance section of Chapter 5, Setting Up Isolated Penetration Testing Lab Environments on Azure
  • Any text editor (such as Notepad++, Visual Studio Code, or Sublime Text) where we can temporarily store specific values (for example, your local machine’s IP address) that will be used in the hands-on solutions in this chapter

You may proceed with the next steps once these requirements are ready.

Important note

Make sure that you have worked on the hands-on solutions of Chapter 5 before proceeding. This chapter assumes that we have already created the golden VM image of...

Preparing the necessary components and prerequisites

In this section, we will set up the isolated network environment where the target resources will be launched. This will ensure that vulnerable and misconfigured resources and services can only be accessed by trusted machines – our local machine and the attacker’s machine:

Figure 8.1 — Preparing the prerequisites

We will also generate the SSH keys (the public key and the private key) for accessing the attacker VM instance later in this chapter. As shown in Figure 8.1, the private key will be stored inside your local machine while the public key will be stored inside the attacker VM instance. With this setup, the server (the attacker VM instance) can use the stored public key to confirm that the client (your local machine) holds the matching private key. This will allow us to access the attacker VM instance via SSH and run commands remotely. In addition to this, we will make sure that the attacker VM instance...
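One way to check the isolation requirement described in this section, as an added example that is not from the book: the Python script below audits a constructed export of network security group rules (shaped like `az network nsg rule list -o json` output) and reports inbound Allow rules whose source is not one of the trusted machines. The rule names, the IP addresses and the `exposed_rules` helper are assumptions made for illustration.

```python
import ipaddress

# Constructed sample shaped like `az network nsg rule list -o json` output.
# Rule names and addresses are made up (documentation/private ranges).
SAMPLE_RULES = [
    {"name": "allow-rdp-local", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "203.0.113.10/32", "destinationPortRange": "3389"},
    {"name": "allow-attacker-vm", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "10.0.1.4", "destinationPortRange": "*"},
    {"name": "allow-ldap-any", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "389"},
    {"name": "allow-smb-wide", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefixes": ["203.0.113.0/24", "10.0.1.4/32"],
     "destinationPortRange": "445"},
    {"name": "deny-rest", "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]
# Assumed trusted machines: the local machine's public IP and the attacker VM.
TRUSTED = ["203.0.113.10/32", "10.0.1.4/32"]

def rule_sources(rule):
    # A rule carries its source either as one prefix or as a list of prefixes.
    single = rule.get("sourceAddressPrefix")
    return ([single] if single else []) + list(rule.get("sourceAddressPrefixes") or [])

def is_trusted(prefix, trusted_nets):
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False  # "*", "Internet", "VirtualNetwork" and other tags are not pinned hosts
    return any(net.version == t.version and net.subnet_of(t) for t in trusted_nets)

def exposed_rules(rules, trusted):
    # Conservative: rule priority is ignored, so a shadowed Allow is still reported.
    trusted_nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    findings = []
    for rule in rules:
        if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
            continue
        bad = [s for s in rule_sources(rule) if not is_trusted(s, trusted_nets)]
        if bad:
            findings.append((rule["name"], rule.get("destinationPortRange"), bad))
    return findings

if __name__ == "__main__":
    for name, ports, bad in exposed_rules(SAMPLE_RULES, TRUSTED):
        print(f"{name}: ports {ports} reachable from {bad}")
```

An empty result means every inbound Allow rule in the export is pinned to a trusted address; any finding is a rule to tighten before the deliberately misconfigured VM instances are launched.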

Launching the target VM instances

In this section, we will launch two Windows VM instances for the target resources inside the network environment. The first VM instance will serve as the domain controller, while the second VM instance will serve as the workstation machine that will be joined to the domain:

Figure 8.8 — Launching the target VM instances

If this is your first time setting up Active Directory, then we can think of the domain controller as the brain of the network that oversees user authentication, resource management, and directory services. We can think of the workstation machine as one of the arms connected to the body, which interacts with the brain (domain controller) to access and utilize network resources and services. It is important to note that we can have multiple machines joined to the domain, each acting as a separate arm but still under the control and guidance of the domain controller. However, in this chapter, we’...

Setting up and configuring the Active Directory lab

In this section, we will set up the Active Directory domain controller, along with the workstation machine (which will be joined to the domain). Before we proceed with the hands-on portion of this section, let’s discuss some of the relevant concepts and terminologies first:

  • Domain: This represents a logical group of network resources. We can think of a domain as a virtual city with its own unique identity and infrastructure. Just as a city groups together various neighborhoods, a domain logically groups network resources together.
  • Domain controller: This is a server that’s responsible for providing authentication and authorization services for domain users and computers. We can think of a domain controller as the city’s main security office that ensures only authorized individuals can access different parts of the city.
  • Forest: This represents the highest hierarchical level in Active Directory...

Simulating penetration testing in the lab environment

Given that our lab environment in Azure has been set up successfully, we can now focus on performing the penetration testing simulation to verify that everything has been configured correctly. Similar to the previous chapters, we will work with a simplified penetration process since our primary goal is to assess if the penetration testing lab environment has been set up and (mis)configured correctly.

Our simulation will start with a port scan to check the open ports of one of the target Windows VM instances (ad-domain-controller). We will then use ldapsearch to retrieve the domain name (domain.local) that’s used in our Active Directory setup. Next, we will use Kerbrute to enumerate valid usernames along with brute-forcing the password of one of the enumerated user accounts (johndoe). Using the domain (domain.local) along with the credentials of the johndoe account, we will use Impacket to obtain the service_account account...

Cleaning up

Cleaning up the cloud resources we created or deployed is a crucial step when working with vulnerable cloud applications and environments. If we don’t clean up and delete the resources we created right away, we might end up paying for unused cloud resources. At a minimum, we will be paying for the time the following resources are running:

  • 1 x Standard_DS1_v2 Azure VM instance for the attacker machine
  • 2 x Standard_B2ms Azure VM instances for the target machines (ad-domain-controller and ad-workstation-machine)

Please be aware that there are other costs we have to take into account as well, including data transfer fees, storage costs for persistent data used by the instances, potential charges for other Azure services utilized in the account, along with any applicable taxes or fees associated with the usage of Azure resources.

Note

Since the overall cost when running these resources depends on several parameters, it is best to refer to...

Summary

In this chapter, we successfully set up an Active Directory lab inside an isolated network environment in Microsoft Azure. We started by using Terraform to set up the isolated network environment so that we could secure the lab environment resources from external attacks. Inside this isolated network environment, we then launched two Windows VM instances. After that, we prepared and configured an Active Directory setup (using the VM instances we launched) with one domain controller and one workstation machine. After completing the lab environment, we performed a penetration testing simulation to verify that our lab had been (mis)configured correctly.

In the next chapter, we will discuss the best practices and strategies when building and automating penetration testing labs in the cloud. We will tackle specific techniques that will help us build on top of what we’ve learned in the chapters of this book.

Further reading
