Requirements:

  1. Kali Linux
  2. VMware Workstation Pro
  3. Windows 10 workstation
  4. Windows Server 2022
  5. Metasploitable Linux 2
  6. Linux Mint (optional)

You should have basic knowledge of setting up VMs inside VMware, and feel free to omit any machine as your system resources require.

Vmware workstation pro:

  • Install by signing up from this site VMWARE

Kali linux:

Note

Install prebuilt vm images for vmware


Linux mint(optional):

  • We will be using this distro for setting up basic blue team operations regarding detection of the attacks. It’s an optional setup. If you have limited resources skip this.
  • Install Linux Mint from this site LINUX MINT; install the XFCE edition for lightweight usage.

Metasploitable-2-linux:


Windows 10 Enterprise ISO:

  • Install from this site Win 10 (link not working); I will provide a drive link later on. You can use any Windows workstation for testing!

Windows server 2022 iso:


Network segmentation inside vmware:

We will be making 5 different folders for our homelab inside VMware:

  1. ATTACK-BOX: Kali Linux will be inside this.
  2. PENTEST-NET: Metasploitable-2-linux will be inside this.
  3. PIVOT-NET: the 2 Windows 10 workstations (name them THEPUNISHER and SPIDERMAN) will be inside this.
  4. SECURE-NET: Windows Server 2022 will be inside this.
  5. DETECTION-NET: our Linux Mint machine will be inside this.

You can make the folders by right clicking on the empty space in VMware -> selecting the New folder option. ls_1

  • Now after making and separating the machines, we need to segment the network.
  • To do so follow the next steps:
    • Open VMware -> click on Edit -> then Virtual Network Editor
    • You should see two networks: one named NAT and the other your host-only connection.
    • We will add 2 more subnets
    • Click on Change settings -> click on Add network -> select your preferred vmnet and click Add
    • After adding, we need to change some subnet settings in the bottom-left corner.
    • Follow the screenshots to match my settings: ls_2 ls_3
Important

If you don’t want to segment the network and want to build the lab with only the NAT network, you can do so; for a simpler setup use NAT (if inexperienced). For this whole network pentesting guide I am going to put Kali on 3 of the vmnets for the ease of the audience.

  • Now click on Apply.
  • Then come back to VMware -> click on Kali Linux -> Edit virtual machine settings -> add 2 extra network adapters by clicking on the Add button and selecting Network adapter.
  • After that put your Kali machine into vmnet2 and vmnet3 (according to my subnet naming).
  • Then go to your Linux Mint machine and do the same as for Kali.
  • Add your Metasploitable 2 Linux machine into vmnet2 only.
  • For the NAT-only setup you will add Metasploitable 2 to NAT.

Network segmentation summary:

  1. All devices in NAT: just the normal default import of all the VMs in VMware. ls_4
  2. Kali is on NAT, vmnet2 and vmnet3; Linux Mint is used as a router for pivoting through machines inside the network segments so that all of the workstations under the forest can talk to each other: current_lab

Later on, for advanced-level pivoting, I will show how we can make the following type of network, where Kali will be only on NAT with some added changes: ls_6 Feel free to use either architecture, but I would suggest the first one for easy setup and rapid exploitation without network failures, plus less resource consumption. If you want something closer to a real-world scenario, use the second one.

Note

I will be using the second one for this whole network pentesting tutorial. For some practicals I have added new vulnerable machines which I will be providing later on throughout the course. Sometimes I have also used a different Domain Controller, like Windows Server 2019, for demo purposes; you can do all of these tasks inside your own DC which we will be setting up.


Active Directory LAB setup:

  1. We will first setup the Domain controller

Setting up the Domain controller:

  1. Come to your Windows Server 2022 VM -> add it into vmnet3 along with NAT, in case of internet-related tasks like installations.
  2. Boot your windows server -> make sure you are at this stage: ls_7
  3. Click on next -> Install Now
  4. You should see a page like this : ls_8
  5. Click on Windows Server 2022 Standard Evaluation (Desktop Experience) -> then hit next
  6. Check the box -> hit next
  7. Once you are at this page: ls_9
  8. Click on custom install
  9. Then on this page hit New -> Apply ls_10
  10. Hit ok on the warning
  11. Click next again on this page: ls_11
  12. Now let it install.
  13. After that you will come to this page: ls_12
  14. Give the password P@$$w0rd!
  15. Now login using the creds.
  16. Install VMware Tools -> click VM -> Install VMware Tools -> open cmd -> run the command D:\setup.exe -> complete the VMware Tools installation using the wizard that pops up -> restart
  17. Now we need to rename our Windows Server -> press the Windows button -> type name -> then click on this option: ls_13
  18. After that click on Rename PC ls_14
  19. We will be building this lab with a MARVEL theme, so I gave the name HYDRA-DC -> then restart again. ls_15
  20. Login again
  21. Now we will actually start setting up our Windows Server as a Domain Controller.
  22. In Server Manager -> click on the Manage button -> click Add roles and features ls_16
  23. A wizard will pop up; click Next 3 times. On Select server roles, select Active Directory Domain Services. This will allow us to have our domain. ls_17
  24. Hit Add features on the next pop up. Then click 3 times next again on the options given.
  25. After coming to this page Check this option: ls_18
  26. Then hit install .
  27. After installation click on this option: ls_19
  28. A new wizard will pop up; click on these options, and give this domain name (you can give your own unique domain name, but make sure you have added .local at the end of the name): ls_20
  29. Hit next -> Give the same admin password into this page also: ls_21
  30. Hit next 2 times including the previous step.
  31. The NetBIOS domain name gets populated successfully: ls_22
  32. Hit next again.
  33. Our pathways: ls_23

What is SYSVOL: SYSVOL is a shared folder on each domain controller (DC) in a Windows Server Active Directory (AD) domain that stores critical files for common access and replication across the domain. It contains a copy of Group Policy Objects (GPOs) and scripts, such as logon and startup scripts, which are essential for applying policies to member computers.

What is NTDS: NTDS, or NT Directory Services, is the underlying technology and database that powers Microsoft’s Active Directory (AD). It is responsible for storing and managing all the information about network resources, such as user accounts, computer objects, groups, and security identifiers (SIDs). The physical database file is named ntds.dit (Directory Information Tree) and is stored by default in the %SystemRoot%\NTDS folder on every domain controller.

  1. Hit next again 2 times including this pathways page.
  2. You should see a prerequisite check running, and after some time it should say successful -> then hit install ls_24
  3. Then on installation it should give a pop up like this -> click close ls_25
  4. Your DC will automatically restart and bring you to the login screen.
  5. Login. We will now install another feature called ADCS (Active Directory Certificate Services); this allows us to use LDAPS on our DC and manages certificates for authentication purposes.
  6. Again on server manager -> click manage -> add roles and features -> 3 times next -> Select ADCS -> add features -> 4 times next -> Check the restart box -> hit install
  7. Then after installation -> click on this option: ls_26
  8. Hit next on the first option. Check the box for Certification Authority and hit next ls_27
  9. Hit next 5 times again -> change the validity period to 99 years ls_28
  10. Hit next and come to this page then click configure ls_29
  11. Restart again after the completion.

Setting up the windows 10 machines:

  1. Boot up both Windows 10 machines now. I removed the previous machines containing the Windows 10 Enterprise ISO; this time I am using the normal Windows 10 ISO, so we will be using Windows 10 Education. Remember that while adding the VM you gave a username and password; in my case only then did the following pages come up.
  2. Then set up the basic requirements on both machines ls_30
  3. Use the option Domain join instead, rather than using online accounts. ls_31
  ls_32
  4. Name THEPUNISHER VM’s user as frankcastle with password Password1, and SPIDERMAN VM’s user as peterparker with password Password1 ls_33
  5. Select the security questions and answer them as bob for every single one of them on both machines. ls_34
  6. Turn off all the privacy settings; we don’t want to send any data to Microsoft ls_35
  7. Don’t accept Cortana ls_36
  8. After doing the complete setup, it will automatically boot up the machines; then rename these two machines as THEPUNISHER and SPIDERMAN respectively. Then restart again. ls_37


Setting up GPO (Groups, Policies and Users):

  1. Open up the Domain controller

  2. On server manager -> Click on tools -> Active Directory users and computers

  3. This page should load up: ls_38

  4. Separating the groups from users: ls_39

  5. Give the name as Groups

  6. Grab all the groups from the users tab and move them to Groups except Administrator and Guest user. ls_40

  7. Making Domain admin:

    1. Right click on the Administrator user -> Copy -> Fill the following information ls_41
    2. Give the password as : Password12345! ls_42
    3. Click next and hit finish
  8. Making a service account which will be our second Domain Admin:

    1. Again copy from the Administrator account and use the following info: ls_43
    2. Give the password as MYpassword123#
    3. Then do this step: ls_44
  9. Making some low-level users which will be part of our Domain Users group:

    1. Use the following steps to open the wizard: ls_45
    2. Add the frank castle user: ls_46
    3. Use the following checkboxes, and give the same password of frankcastle which is Password1 ls_47
    4. Add peterparker using the following steps: ls_48
    5. We will give here his password as Password2
  10. All users: ls_49

  11. SETTING UP FILESHARE:

    1. Come to Server Manager -> click on File and Storage Services ls_50
    2. Click on Shares -> Tasks -> New share -> SMB share quick -> click next -> Click next again -> give the share name as hackme -> click 2 times next -> hit create
      ls_51 ls_52
  12. Setting up the service account (SQL Service):

    1. Open command prompt as administrator
    2. Use the following command:

    setspn -a HYDRA-DC/SQLService.MARVEL.local:60111 MARVEL\SQLService

    ls_53
    3. Verify the change by querying with the following command:

    setspn -T MARVEL.local -Q */*

    4. At the end of the command’s output we should see this result: ls_54
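To verify the SPN from the step above without setspn, and at the same time see which SPN-bearing accounts are also in privileged groups (SQLService was copied from Administrator, so it is a Domain Admin in this lab; that combination is exactly what a production domain should avoid), here is an added PowerShell check that is not part of the original guide. It assumes a domain-joined Windows host in MARVEL.local with Windows PowerShell 5.1; the privileged group list and the Finding label are my own naming.

```powershell
# Added example (not from the original lab guide). Assumes a domain-joined Windows
# host (e.g. HYDRA-DC, or THEPUNISHER logged in as a MARVEL user) with Windows
# PowerShell 5.1. Only the built-in ADSI searcher is used; no RSAT module needed.

# Groups in which a service account with an SPN is a high-value target (my own list).
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')

# Find every user object in the current domain that has at least one servicePrincipalName.
$searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'servicePrincipalName', 'memberOf'))

$report = foreach ($result in $searcher.FindAll()) {
    $props = $result.Properties
    $name  = [string]$props['samaccountname'][0]
    $spns  = @($props['serviceprincipalname'])

    # memberOf holds DNs such as "CN=Domain Admins,CN=Users,DC=MARVEL,DC=local"; keep only the CN.
    $groups = @($props['memberof']) | ForEach-Object { (($_ -split ',')[0] -replace '^CN=', '') }
    $risky  = @($groups | Where-Object { $privilegedGroups -contains $_ })

    $finding = 'ok'
    if ($risky.Count -gt 0) { $finding = 'SPN on privileged account' }

    [pscustomobject]@{
        Account          = $name
        SPNs             = ($spns -join '; ')
        PrivilegedGroups = ($risky -join ', ')
        Finding          = $finding
    }
}

# Lab expectation: SQLService lists HYDRA-DC/SQLService.MARVEL.local:60111 and is flagged,
# because it was created as a copy of the Administrator account.
$report | Format-Table -AutoSize
```

On a real domain, a flagged row means the service should run under a dedicated low-privilege account (or a group Managed Service Account) rather than a Domain Admin.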
  13. Setting up a group policy:

    1. On the start menu type group ls_55
    2. Use the following options to create a new GPO: ls_56
    3. Give this name: ls_57
    4. Our motive is to disable Windows Defender across the whole domain, as we are not going to perform any modern Defender evasion techniques.
    5. Use the following steps for editing the GPO: ls_58
    6. Come to this column: ls_59
    7. Find Microsoft Defender Antivirus -> and double click on this turn off option: ls_60
    8. A wizard should pop up -> click on enabled -> apply -> click ok ls_61
    9. Then again come back to the GPO management tab -> right click -> click enforced
  14. Then give the DC a static IP from the adapter settings; I used Linux Mint as the DNS server: ls_62 ls_63 I have used Linux Mint as the gateway; if you are not using any intermediate OS acting as a router, don’t give any gateway (no default gateway exists inside the vmnet host-only networks, in case you are using the network segmentation). If you are using the NAT-only setup, give your NAT’s default gateway. You can identify your NAT’s default gateway through Virtual Network Editor -> Change settings -> select the NAT network -> NAT settings.


Note

Don’t be misled by the IP addresses in my lab screenshots. Your lab will have a different layout of IPs as well as NICs. Understand those carefully and then adjust accordingly throughout the lab setup as well as in the practical demos.

Setting up Linux mint as an intermediate router(optional):

For the advanced lab setup:

  1. Set up a static IP for both Wired connection 2 and 3 in Linux Mint: ls_64 ls_65

  2. ENABLING IP FORWARDING:

    # Turn on forwarding immediately (lost on reboot)
    sudo sysctl -w net.ipv4.ip_forward=1

    # Make it permanent (so it survives a reboot); tee -a appends, so check the
    # file first if you run this more than once to avoid duplicate lines
    echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf

    ls_66

  3. FIXING THE FIREWALL BY ALLOWING ROUTING (ens34 is my vmnet2 adapter and ens35 my vmnet3 adapter; replace them with your own interface names if they differ):
    • Allow traffic from vmnet2 to go to vmnet3:
    sudo ufw route allow in on ens34 out on ens35
    • Allow traffic from vmnet3 to go to vmnet2:
    sudo ufw route allow in on ens35 out on ens34

    ls_67


Joining the Machines to the Domain controller:

  1. Pointing those machines to our Domain Controller:
    1. If you have followed the Linux Mint setup, this one is for you:
      1. Our motive is to point SPIDERMAN to route its traffic through Linux Mint to the Domain Controller and vice versa.
      2. To do so use the following settings in your vmnet2 adapter on SPIDERMAN: ls_68
      3. On the THEPUNISHER machine use the following settings for vmnet2: ls_69
      4. Settings for vmnet3 on the THEPUNISHER machine: ls_70
    2. If you are doing the NAT-only setup:
      1. Give the default gateway of your NAT network on both machines.
      2. Give the Domain Controller’s IP as DNS on both machines.
  2. Testing the connections:
    1. Ping from SPIDERMAN to Linux Mint, then from SPIDERMAN to THEPUNISHER
    2. Ping from THEPUNISHER to Linux Mint and then to SPIDERMAN
    3. Ping the Domain Controller from both SPIDERMAN and THEPUNISHER, and vice versa.
    4. If you face a request timeout issue, turn off the Windows firewall fully on both the THEPUNISHER and SPIDERMAN machines. Then try again.
  3. Joining the domain from THEPUNISHER machine:
    1. Click on the start button -> type Domain and access this option: ls_71
    2. Click on connect -> and click on join this device to a local AD domain ls_72
    3. Give your local domain name and hit next: ls_73
    4. If this window loads up, that means your lab setup is successful: ls_74
    5. Give username as administrator and password as P@$$w0rd! ls_75
    6. Then on this pop up, select account type as Administrator ls_76
  4. Joining domain for SPIDERMAN machine:
    1. Do the exact same stuff we did for THEPUNISHER machine.
  5. Let those machines reboot, come to the DC -> server manager -> Active Directory users and computers -> Under your local domain -> select Computers . You should see your two Windows 10 workstations ls_77
  6. Now login onto both the workstations as MARVEL\administrator using the DC's admin password which is P@$$w0rd!
  7. Now adding local admins inside THEPUNISHER machine:
    1. Click on the start button -> type users and go to the setting Edit local users and groups: ls_78
    2. Or you can press Win + R and type lusrmgr.msc
    3. Come to the Users tab -> right click on Administrator -> then set a password -> give this password Password1!
    4. Enable this account by double clicking it -> and unchecking the checkbox Account is disabled ls_79
    5. Adding fcastle, which we made inside the DC, to THEPUNISHER machine’s Administrators group: ls_80
    6. Click on Add -> type fcastle -> click on check names and this should appear: ls_81
    7. Hit apply and ok
    8. Then enable Network discovery by going into the network folder ls_82
  8. Adding local admins inside SPIDERMAN machine:
    1. Do the same steps as THEPUNISHER’s step number 4
    2. Then add 2 accounts into the Administrators group using the following steps:
    3. Write pparker and click Check Names ls_83 ls_84
    4. Add fcastle the same way we did it inside THEPUNISHER
    5. Now peterparker and frankcastle are both local admins inside the SPIDERMAN machine
    6. Enable network sharing by clicking the option click to change -> turn on network discovery and file sharing ls_85
    7. Restart your computer and login as peterparker like this: ls_86
    8. Now we will map the network drive
    9. Follow these steps: ls_87
    10. Type \\HYDRA-DC\hackme and check both the boxes: ls_88
    11. Use the domain admin credentials administrator and P@$$w0rd! ls_89
    12. Now we should be able to access the shared drive: ls_90

CONGRATS WE HAVE COMPLETED THE LAB SETUP !! Let’s start hacking.