TL;DR after knocking out The Cyber Mentor’s (TCM) Practical Ethical Hacking (PEH) course, automating the AD lab setup, and taking the PJPT exam we decided to create our own range/exercise. It’s on GitHub here.
Background
PJPT was great, but it didn’t go over a few attacker TTPs. Ditto for CRTP. I’m not all that original, so if I have screwed around with these TTPs in the lab then attackers are using them. Hence I wanted to create my own environment with an escalation path that stresses numerous TTPs, and of course learn something along the way.
So I built this thing entirely in Hyper-V using nothing but PowerShell Direct, a Windows Server 2022 ISO [free from Microsoft], and an answer file [included in the project files]. It’s on GitHub here.
One simply has to
- put the files in the places outlined below
- run Create-Lab.ps1
- wait about 45–60 minutes
- import the function in Generate-Traffic.ps1
and run ‘Generate-Traffic’ once they have their Kali VM fired up and are ready to start the exercise.
The exercise stresses
- Name poisoning
- Kerberoasting
- Share drive enumeration
- Password spraying
- Credential dumping
- Pass the Hash (PTH)
- Lateral movement
- Bypassing smartcard requirements
- AD DACL enumeration & abuse
- NTFS DACL enumeration & abuse
- Dumping NTDS.dit
- Forging tickets to abuse domain trust relationships
If you follow the path correctly you will get from LAN access to Domain User to finally Enterprise Admin. There are 10–12 hops involved, or pivots if you prefer that term.
Setup
I created, debugged, and tested this setup using ServerII in our home lab. ServerII is on the test.local domain, runs Windows Server 2019 with Hyper-V enabled, hosts about half our lab’s VMs, and is used as a de facto jump box. (ServerI runs Hyper-V Server 2019 and hosts the other half of the lab’s VMs.)
It will work fine on any version of Windows though that includes Hyper-V. The setup assumes a few things about where you saved the PS1s, the Windows Server 2022 ISO, and your VSwitch’s name. You can either tweak the variables at the top of Create-Lab.ps1 or simply run the below on your host OS:
# Hyper-V has to be present before New-VMSwitch will work (reboot if prompted)
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
# External switch named "Testing", shared with the host OS; "Ethernet" is the host NIC name
New-VMSwitch -Name "Testing" -NetAdapterName "Ethernet" ; Set-VMSwitch -Name Testing -AllowManagementOS $true
# Folders Create-Lab.ps1 hard codes
New-Item C:\VM_Stuff_Share\Lab -ItemType Directory
New-Item C:\VM_Stuff_Share\ISOs -ItemType Directory
# The ISO must land in the ISOs folder under the exact filename the script expects
Invoke-WebRequest -Uri "https://software-static.download.prss.microsoft.com/sg/download/888969d5-f34g-4e03-ac9d-1f9786c66749/SERVER_EVAL_x64FRE_en-us.iso" -OutFile "C:\VM_Stuff_Share\ISOs\Windows Server 2022 (20348.169.210806-2348.fe_release_svc_refresh_SERVER_EVAL_x64FRE_en-us).iso"
Install-Module -Name Convert-WindowsImage
Write-Host "If the above fails to install Convert-WindowsImage then download it from https://github.com/x0nn/Convert-WindowsImage"
Write-Host "Save it in C:\VM_Stuff_Share\Convert-WindowsImage (from PS Gallery)"
We tested with the VMSwitch in “bridge mode” as the Kali VM I use is on my laptop. Obviously the entire thing is NATed by my home router anyway.
The VMs take the first three octets from your router’s address and hard-code the fourth octet to 140–143. Obviously if you are already using those IPs on your home network then tweak them in the PS1s. Each VM gets its network config from its P1 PS1. There are 4 of these, one per VM.
Please note:
- The setup uses 6 GB of RAM per VM and about 64.5 GB of HD space for all 4 VMs. You could probably get away with less RAM per VM. Adjust Lines 39 & 40 in Create-Lab.ps1 if you want to.
- The setup hard codes its VMSwitch name as “Testing” & shares Ethernet0 with the host OS.
- The setup hard codes the filename of the ISO and expects it to be in the ISO folder.
- The setup imports Convert-WindowsImage from “C:\VM_Stuff_Share\Convert-WindowsImage (from PS Gallery)”.
- If you don’t already have Convert-WindowsImage then grab a copy from https://github.com/x0nn/Convert-WindowsImage or the PS Gallery.
- It also hard codes the Lab folder location and expects all the project files to be there. This includes the Notes.txt & Zip files!
- It does install one module on the US-Client VM. You’ll see a prompt to confirm that about halfway through setup.
- Once the lab finishes spinning up, go into Hyper-V Manager, right-click on US-Client & US-ClientII, and hit Enter on that stupid keyboard selection screen. You should be looking at a login screen.
- After that, leave the VMs running, fire up Kali, run ‘Generate-Traffic’, and attack!
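Because so much of the setup is hard coded, it is worth checking every assumption before the 45–60 minute build starts rather than finding a typo halfway through. The pre-flight script below is an added example, not part of the project’s own scripts; it checks the folders, ISO, switch name, RAM, disk and the .140–.143 addresses exactly as the notes above describe them. The folder names, switch name, VM count and sizes are taken from this post; the filename filter for the ISO and the way the subnet is derived (from the host’s default gateway) are my assumptions. Run it elevated, since the Hyper-V feature query needs admin rights.

```powershell
# Added pre-flight check for the lab's hard-coded assumptions (not part of
# Create-Lab.ps1). Paths, switch name and sizes come from the setup notes;
# the ISO filter and gateway-based subnet guess are assumptions.
$LabRoot      = 'C:\VM_Stuff_Share'
$LabFolder    = Join-Path $LabRoot 'Lab'
$IsoFolder    = Join-Path $LabRoot 'ISOs'
$ConvertPath  = Join-Path $LabRoot 'Convert-WindowsImage (from PS Gallery)'
$SwitchName   = 'Testing'
$VmCount      = 4
$RamPerVmGB   = 6
$DiskNeededGB = 64.5
$LastOctets   = 140..143

$problems = New-Object System.Collections.Generic.List[string]

# 1. Hyper-V must be enabled before New-VMSwitch / Create-Lab.ps1 can run.
$hv = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V
if ($hv.State -ne 'Enabled') { $problems.Add('Hyper-V feature is not enabled') }

# 2. Folders the scripts hard code.
foreach ($p in $LabFolder, $IsoFolder, $ConvertPath) {
    if (-not (Test-Path $p)) { $problems.Add("Missing folder: $p") }
}

# 3. The Windows Server 2022 evaluation ISO has to sit in the ISO folder.
if (-not (Get-ChildItem -Path $IsoFolder -Filter '*SERVER_EVAL_x64FRE_en-us*.iso' -ErrorAction SilentlyContinue)) {
    $problems.Add("No Server 2022 EVAL ISO found in $IsoFolder")
}

# 4. Create-Lab.ps1, Notes.txt and the zip files all belong in the Lab folder.
foreach ($f in 'Create-Lab.ps1', 'Notes.txt') {
    if (-not (Test-Path (Join-Path $LabFolder $f))) { $problems.Add("$f missing from $LabFolder") }
}
if (-not (Get-ChildItem -Path $LabFolder -Filter '*.zip' -ErrorAction SilentlyContinue)) {
    $problems.Add("No zip files in $LabFolder")
}

# 5. The external switch named "Testing".
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    $problems.Add("VMSwitch '$SwitchName' does not exist")
}

# 6. Resources: 4 VMs x 6 GB RAM and ~64.5 GB on the drive holding the lab.
$os = Get-CimInstance Win32_OperatingSystem
$freeRamGB = [math]::Round($os.FreePhysicalMemory / 1MB, 1)   # FreePhysicalMemory is reported in KB
if ($freeRamGB -lt ($VmCount * $RamPerVmGB)) {
    $problems.Add("Only $freeRamGB GB RAM free; lab wants $($VmCount * $RamPerVmGB) GB")
}
$drive = Get-PSDrive -Name $LabRoot.Substring(0, 1)
$freeDiskGB = [math]::Round($drive.Free / 1GB, 1)
if ($freeDiskGB -lt $DiskNeededGB) {
    $problems.Add("Only $freeDiskGB GB free on $($drive.Name):; lab wants $DiskNeededGB GB")
}

# 7. Addresses .140-.143 on the host's subnet must be unused. The first three
#    octets are taken from the default gateway (the "router" in the post).
$gw = (Get-NetRoute -DestinationPrefix '0.0.0.0/0' | Sort-Object RouteMetric | Select-Object -First 1).NextHop
$prefix = ($gw -split '\.')[0..2] -join '.'
foreach ($o in $LastOctets) {
    $ip = "$prefix.$o"
    if (Test-Connection -ComputerName $ip -Count 1 -Quiet -ErrorAction SilentlyContinue) {
        $problems.Add("$ip already answers ping; change the fourth octet in the P1 PS1s")
    }
}

if ($problems.Count -eq 0) {
    Write-Host 'Pre-flight OK: run Create-Lab.ps1' -ForegroundColor Green
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

The ping test only catches hosts that answer ICMP, so a device with a host firewall can still collide with the .140–.143 range; if the build later fails with address conflicts, check your router’s DHCP lease table as well.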
The escalation path
Obviously you could cheat and simply read through the PS1s that configure the VMs. This is meant to be ‘black boxed’ though. After spinning it all up in Hyper-V I validated it by following the path.
It starts out easy enough, but it gets rather brutal about halfway through. There were hops that should have worked fine in the GUI, but simply refused to until I ran a specific command in PowerShell.
There are NTLM hashes in here that aren’t meant to be cracked; in fact, you can finish this range without cracking a single NTLM hash. Remember that you can spray an NTLM hash just like a password and then PTH with it. There is no brute forcing involved unless it’s offline cracking of something you caught via Name Poisoning, Kerberoasting, or similar.
Hints:
- If a TTP should work, but isn’t, try a different tool or command. (Set-Acl not working? Try takeown.)
- If you access a system, dump everything and try spraying it.
- Enumerate fully, and take over any other accounts you can, even if it’s not an admin. Domain Users can access data too!
- Impacket, evil-winrm, xfreerdp, Mimikatz, and PowerShell are your friends in this exercise.
- Defender, NLA, etc. are not disabled! It is up to you to bypass or disable them if your access is blocked.
- Meterpreter is quite helpful at times, but you’d better disable Defender first!
- As soon as you get Domain User creds, enumerate AD and put all the usernames into a list for spraying later!
This snippet will take the output from Impacket’s lookupsid.py and spit out just the SamAccountNames for easy spraying.
#Parse out usernames from lookupsid.py output (lines look like "500: DOMAIN\Administrator (SidTypeUser)")
$Users = Get-Content ".\Range_Users.txt"
ForEach($User in $Users)
{
    # Skip banner and blank lines that have no DOMAIN\name part
    if ($User -notmatch '\\') { continue }
    ($User.split('\')[1]).split(' ')[0]
}
But do we have a course for our lab?
Yes, sort of. There’s nothing in here that’s not in one of our cheatsheets, TryHackMe writeups, or lab projects. Essentially our notes on Medium are the course. Start here, then just Ctrl + F and follow links. Everything is on that page or linked to it.
Summary
I put more than a few late nights into this one, had a lot of fun, and learned quite a bit about how to configure things using nothing but PowerShell. I’d actually encourage anyone who goes through the exercise to read the PS1s afterwards; I had to use more than a few tricks to get everything set up and ‘misconfigured’ just so.
This project ties up a few hands-on exams I have taken, many of our lab projects, and more than a few TryHackMe rooms into one tidy, automated package.
I said this before in my PJPT review, but I owe The Cyber Mentor, Heath Adams, for getting me interested in the intersection of PowerShell and Windows security back when I was working in auditing. I know some people bash his PEH course because it doesn’t include a lab, but I say that’s a good thing. Dive into Hyper-V and learn how to create your own, or borrow ours from here.
References
Windows Server ISOs, direct download: https://gist.github.com/vinhjaxt/a774ac87b0313a34f4c445048d8e13cf
Install-ADDSDomain: https://learn.microsoft.com/en-us/powershell/module/addsdeployment/install-addsdomain?view=windowsserver2022-ps
Add child domain to existing forest: https://onkelx.nl/2020/06/10/add-domain-to-forest-using-powershell/
Copy-VMFile: https://learn.microsoft.com/en-us/powershell/module/hyper-v/copy-vmfile?view=windowsserver2022-ps
Enable-VMIntegrationService: https://learn.microsoft.com/en-us/powershell/module/hyper-v/enable-vmintegrationservice?view=windowsserver2022-ps
Add-LocalGroupMember: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/add-localgroupmember?view=powershell-5.1
Good list of resources: https://jhalon.github.io/becoming-a-pentester/
Expand-Archive: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.archive/expand-archive?view=powershell-7.4
NTFS and inheritance: https://stackoverflow.com/questions/71876626/how-to-replace-all-child-object-permission-entries-with-inheritable-permission
Download entire folders with smbclient: https://superuser.com/questions/856617/how-do-i-recursively-download-a-directory-using-smbclient
AD DS course: https://learn.microsoft.com/en-us/training/paths/active-directory-domain-services/
AD Security topics: https://medium.com/@motasemhamdan/windows-active-directory-penetration-testing-study-notes-d0b41966879d
Reset the local admin password: https://learn.microsoft.com/en-us/answers/questions/1565898/how-do-i-reset-the-local-pc-administrator-password
Give yourself SESecurityPrivilege: https://blakedrumm.com/blog/set-and-check-user-rights-assignment/
Create a folder exception in Defender: https://learn.microsoft.com/en-us/powershell/module/defender/add-mppreference?view=windowsserver2022-ps