TL;DR I updated Mishky’s Range to include MSSQL, handle networking settings better, and learned about DSC along the way. The setup was also tweaked so one can run it on Windows 10 or 11 Pro with Hyper-V enabled.
Mishky’s AD Range is here.
The Expansion pack (second forest) is here.
Updates to Mishky’s AD Range
Changes include:
- Better handling of the functions that set each VM's IP address, DNS server, subnet, etc.
- Queries the host OS to determine whether it is running on Windows 10/11 Pro or on Windows Server/Hyper-V Server, and sets the virtual switch (vSW) and the RAM per VM accordingly
- Changed where I cache credentials on each VM in order to force range players to dump more potential sources
- Added a VM running MSSQL to the second forest, Research.local (that forest is in our repo here)
It has now been tested on Windows Server 2019 with Hyper-V enabled, Hyper-V Server 2019, and Windows 10 Professional with Hyper-V enabled.
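The host check described above, as an added example that is not Mishky's Range's own code: it reads the Windows SKU and installed RAM from CIM, confirms Hyper-V's management service is up, picks a switch, and sizes memory per VM. The switch name `Range-vSW`, the four-VM count, the 4 GB host reserve, the 2 GB per-VM floor and the `DC01` name in the usage comment are all assumptions for illustration; the range's real values may differ.

```powershell
# Added example (not Mishky's Range code): classify the hypervisor SKU, pick the
# vSwitch and size RAM per VM. Switch name, VM count, reserve and floor are assumed.
function Get-RangeHostProfile {
    [CmdletBinding()]
    param(
        [string]$SwitchName    = 'Range-vSW',  # assumed name of the range's Internal switch
        [int]   $VmCount       = 4,            # VMs one forest spins up
        [int]   $HostReserveGB = 4             # RAM kept back for the hypervisor itself
    )

    # The Hyper-V Virtual Machine Management service must be running, whatever the SKU
    $vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
    if (-not $vmms -or $vmms.Status -ne 'Running') {
        throw 'Hyper-V (vmms) is not running on this host; enable Hyper-V first.'
    }

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    # Windows Server and Hyper-V Server both report 3; only the client SKUs report 1.
    $isClient = ($os.ProductType -eq 1)

    # Share physical RAM across the VMs, keep a reserve for the host, round down to 256 MB
    $totalMB = [int64]([math]::Floor($cs.TotalPhysicalMemory / 1MB))
    $perVmMB = [int64]([math]::Floor((($totalMB - ($HostReserveGB * 1024)) / $VmCount) / 256) * 256)
    if ($perVmMB -lt 2048) {
        throw "Only $perVmMB MB per VM available for $VmCount VMs; need at least 2 GB each."
    }

    if ($isClient) {
        # Windows 10/11 ship a NAT 'Default Switch'; reuse it so the VMs get host routing
        # without touching the physical NIC. Fall back to an Internal switch if it is gone.
        $switch = Get-VMSwitch -Name 'Default Switch' -ErrorAction SilentlyContinue
        if (-not $switch) {
            $switch = New-VMSwitch -Name $SwitchName -SwitchType Internal
        }
    } else {
        # Server/Hyper-V Server has no Default Switch: create (or reuse) an isolated Internal
        # switch so the deliberately weak range never sits on the production LAN.
        $switch = Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue
        if (-not $switch) {
            $switch = New-VMSwitch -Name $SwitchName -SwitchType Internal
        }
    }

    [pscustomobject]@{
        HostSku     = $os.Caption
        IsClientSku = $isClient
        SwitchName  = $switch.Name
        PerVmMB     = $perVmMB
    }
}

# Usage (assumed names), e.g. before New-VM in a range build script:
# $hp = Get-RangeHostProfile
# New-VM -Name 'DC01' -MemoryStartupBytes ($hp.PerVmMB * 1MB) -SwitchName $hp.SwitchName -Generation 2
```

The Internal switch choice is the security-relevant part: the range is built to be broken into, so it should never be bridged onto a real network with an External switch.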
Using the first forest
- Run Pre-reqs.ps1 (creates folders to hold the range files, downloads a Windows Server 2022 ISO, sets up the vSW)
- Run Create-Range.ps1 (spins up 4 VMs in parent & child domains and configures everything). Just hit Accept or Yes near the end; it prompts before downloading and configuring a PowerShell module.
- Open up Hyper-V Manager, connect to each VM, and hit Enter. This will leave each VM sitting at a login screen instead of a ‘select keyboard layout’ screen.
- Spin up your Kali VM, run Responder, run Generate-Traffic.ps1, and start attacking the range.
The first forest, lab.local, is on our GitHub here.
Using the second forest
Either forest can be run on its own if you are short on RAM. If you run both, just dump all the credentials you find in the first forest, lab.local, and then pivot to the second accordingly.
- Run Pre-reqs.ps1 (creates folders to hold the range files, downloads a Windows Server 2022 ISO, sets up the vSW)
- Grab an MSSQL ISO from the Microsoft Evaluation Center and then run Extract-SQL_ISO.ps1 in order to extract the files, zip them, and prep them for range use
- Run Create-Cousin.ps1 (spins up 4 VMs in the second forest, configs them, and creates a trust relationship with the first forest).
- Open up Hyper-V Manager, connect to each VM, and hit Enter. This will leave each VM sitting at a login screen instead of a ‘select keyboard layout’ screen.
- Spin up your Kali VM and start attacking the range.
The second forest, research.local, is on our GitHub here.
Anyone who wants to use the second forest in Mishky's Range, Research.local, will have to download an MSSQL ISO from the Microsoft Evaluation Center here. Once that's done, simply run Extract-SQL_ISO.ps1:
#Download MSSQL ISO from https://www.microsoft.com/en-us/sql-server/sql-server-downloads
#Save it as C:\VM_Stuff_Share\ISOs\SQLServer2022-x64-ENU.iso
#Run this part on the hypervisor to extract SQL from the ISO and then create the Zip
#Mishky's AD Range uploads the ZIP to a VM, installs, & configures MSSQL automatically
New-Item -Path "C:\VM_Stuff_Share\SQL2022" -ItemType Directory
$mountResult = Mount-DiskImage -ImagePath 'C:\VM_Stuff_Share\ISOs\SQLServer2022-x64-ENU.iso' -PassThru
$volumeInfo = $mountResult | Get-Volume
$driveInfo = Get-PSDrive -Name $volumeInfo.DriveLetter
Copy-Item -Path ( Join-Path -Path $driveInfo.Root -ChildPath '*' ) -Destination "C:\VM_Stuff_Share\SQL2022" -Recurse
Dismount-DiskImage -ImagePath 'C:\VM_Stuff_Share\ISOs\SQLServer2022-x64-ENU.iso'
Compress-Archive -Path "C:\VM_Stuff_Share\SQL2022\*" -DestinationPath "C:\VM_Stuff_Share\Lab_Version1.1\CousinDomain\SQL2022.zip"
Desired State Configuration
This is just background information; Mishky's AD Range automates all of this.
During testing I discovered a subtle difference between Windows Server 2019 with Hyper-V enabled and Hyper-V Server 2019. Hyper-V Server refused to run a PS1 file via PowerShell Direct on a VM when that script used Desired State Configuration (DSC) to compile a MOF file and then install MSSQL from it. This is apparently because Hyper-V Server does not contain an implementation of DSC, as per Microsoft Learn here.
It ran fine on Windows Server with Hyper-V enabled, however. I therefore tweaked the setup so that the MOF file is compiled ahead of time and shipped with the range files; the setup only copies it to the VM and then starts the DSC configuration, which installs MSSQL. This tactic worked fine on Hyper-V Server as well as on Windows Server.
The MOF file was compiled on a Windows Server host via:
#Install PowerShell Desired State Configuration (DSC) and the SQL Server DSC resources first
#Install-Module -Name SqlServerDsc
#Import-Module -Name PSDesiredStateConfiguration
#Import-Module -Name PSDscResources
#Import-Module -Name PowerShellGet
Import-Module -Name SqlServerDsc

#DSC configuration: .NET Framework 4.5 first, then the SQL engine from the extracted media
Configuration InstallSQLServer
{
    Import-DscResource -ModuleName SqlServerDsc

    Node "Research-SQL"
    {
        WindowsFeature 'NetFramework45'
        {
            Name   = 'NET-Framework-45-Core'
            Ensure = 'Present'
        }

        SqlSetup SQLInstall
        {
            InstanceName        = "MSSQLSERVER"
            Features            = "SQLENGINE"
            SourcePath          = "C:\SQL2022"   #Path on the VM holding the extracted SQL Server media
            SQLSysAdminAccounts = @("research\Administrator","research\SQL.Admin")
            DependsOn           = "[WindowsFeature]NetFramework45"
        }
    }
}

# Compile the DSC configuration into C:\DSC\Research-SQL.mof
InstallSQLServer -OutputPath "C:\DSC"
MSSQL is then installed via:
Copy-VMFile "Research-SQL" -SourcePath ".\Research-SQL.mof" -DestinationPath "C:\DSC\Research-SQL.mof" -CreateFullPath -FileSource Host
Invoke-Command -VMName "Research-SQL" {Start-DscConfiguration -Path "C:\DSC" -Wait -Verbose -Force} -Credential $CousinDomainAdminCredObject #Uses DSC over PowerShell Direct to set up MSSQL on Research-SQL
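The same push, wrapped with the checks a practitioner would want, as an added example that is not the range's own code. It assumes the credential variable `$CousinDomainAdminCredObject` used above, a VM named `Research-SQL`, and a MOF compiled with `Node "Research-SQL"` so that the file name matches the node name (`Start-DscConfiguration` looks for `<NodeName>.mof`). The function name `Invoke-PrecompiledMof` is made up for this example.

```powershell
# Added example (not the range's own code): push a pre-compiled MOF over PowerShell
# Direct, then verify the LCM result and the SQL service. Names are assumptions.
function Invoke-PrecompiledMof {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$MofPath,        # local path to <NodeName>.mof
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$RemoteDir = 'C:\DSC'
    )

    # The host only needs the Hyper-V module. PSDesiredStateConfiguration (the
    # 'Configuration' keyword) is needed only where the MOF is compiled, which is
    # why shipping a pre-compiled MOF sidesteps the Hyper-V Server limitation.
    $hostHasDsc = [bool](Get-Module -ListAvailable -Name PSDesiredStateConfiguration)
    Write-Verbose "Host has DSC module: $hostHasDsc (not required for pushing a MOF)"

    # Start-DscConfiguration applies <NodeName>.mof, so the file name must match the node
    $mofName = Split-Path -Leaf $MofPath
    if ($mofName -ne "$VMName.mof") {
        throw "MOF file name '$mofName' does not match node/VM name '$VMName'"
    }

    # The guest must have the Local Configuration Manager cmdlets; check before copying
    $guestHasDsc = Invoke-Command -VMName $VMName -Credential $Credential -ScriptBlock {
        [bool](Get-Command -Name Start-DscConfiguration -ErrorAction SilentlyContinue)
    }
    if (-not $guestHasDsc) { throw "Guest $VMName has no DSC cmdlets" }

    # Copy-VMFile needs the Guest Service Interface integration service enabled on the VM
    Enable-VMIntegrationService -VMName $VMName -Name 'Guest Service Interface'
    Copy-VMFile -Name $VMName -SourcePath $MofPath `
        -DestinationPath (Join-Path $RemoteDir $mofName) -CreateFullPath -FileSource Host

    # Apply and wait; -Force replaces any pending configuration on the guest
    Invoke-Command -VMName $VMName -Credential $Credential -ScriptBlock {
        param($dir)
        Start-DscConfiguration -Path $dir -Wait -Verbose -Force
    } -ArgumentList $RemoteDir

    # Verify: the LCM reports success and is in the desired state, and the engine is up
    Invoke-Command -VMName $VMName -Credential $Credential -ScriptBlock {
        $status = Get-DscConfigurationStatus
        $svc    = Get-Service -Name MSSQLSERVER -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DscStatus  = $status.Status
            Compliant  = (Test-DscConfiguration -Detailed).InDesiredState
            SqlRunning = [bool]($svc -and $svc.Status -eq 'Running')
        }
    }
}

# Usage (assumed names):
# Invoke-PrecompiledMof -VMName 'Research-SQL' -MofPath '.\Research-SQL.mof' `
#     -Credential $CousinDomainAdminCredObject -Verbose
```

The file-name check is worth keeping: a MOF compiled for a different node name copies fine and then silently does nothing, which looks like a Hyper-V Server failure when it is really a naming mismatch.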
Summary
All the tips that are outlined here still apply; in fact, Version 1.1 of Mishky's AD Range forces even more enumeration and post-exploitation poking around, as I cached credentials in at least 5 different locations. I believe that I configured every VM that does have cached credentials to have them in a unique place.
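Since the range now rewards hunting for cached credentials, here is a general post-exploitation checklist in code, added as an example and not part of the range; the page does not say which locations the range uses, so this is the generic list of places Windows hosts commonly cache credentials, not a map of the range. The function name `Find-CachedCredentialSources` and the SYSVOL path default are assumptions. Run it on a foothold VM after initial access.

```powershell
# Added example (not the range's code): enumerate common cached-credential sources on
# a Windows host. Generic locations only; the range's own hiding places are not listed.
function Find-CachedCredentialSources {
    [CmdletBinding()]
    param(
        # SYSVOL share to search for Group Policy Preference cpassword values (assumed path)
        [string]$Sysvol = "\\$env:USERDNSDOMAIN\SYSVOL"
    )
    $hits = [System.Collections.Generic.List[object]]::new()
    function Add-Hit([string]$Source, [string]$Detail) {
        $hits.Add([pscustomobject]@{ Source = $Source; Detail = $Detail })
    }

    # 1. Windows Credential Manager entries saved by the current user
    $cm = cmdkey /list 2>$null | Where-Object { $_ -match 'Target:' }
    foreach ($line in $cm) { Add-Hit 'CredentialManager' $line.Trim() }

    # 2. Autologon: DefaultPassword is stored in clear text under Winlogon
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    if ($wl -and $wl.DefaultPassword) {
        Add-Hit 'Winlogon-Autologon' "$($wl.DefaultDomainName)\$($wl.DefaultUserName)"
    }

    # 3. PSReadLine command history for every profile on the box
    Get-ChildItem 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            Select-String -Path $file -Pattern 'password|credential|ConvertTo-SecureString' |
                ForEach-Object { Add-Hit 'PSReadLine-History' "${file}:$($_.LineNumber)" }
        }

    # 4. Unattend / sysprep answer files left behind by imaging
    foreach ($p in 'C:\Windows\Panther\Unattend.xml',
                   'C:\Windows\Panther\Unattend\Unattend.xml',
                   'C:\Windows\System32\Sysprep\Unattend.xml') {
        if (Test-Path $p) { Add-Hit 'Unattend' $p }
    }

    # 5. Group Policy Preferences: cpassword is AES-encrypted with a Microsoft-published key
    if (Test-Path $Sysvol) {
        Get-ChildItem $Sysvol -Recurse -Include '*.xml' -ErrorAction SilentlyContinue |
            Select-String -Pattern 'cpassword=' |
            ForEach-Object { Add-Hit 'GPP-cpassword' $_.Path }
    }

    # 6. Saved RDP targets: the password lives in Credential Manager, but this shows where to pivot
    Get-ItemProperty 'HKCU:\Software\Microsoft\Terminal Server Client\Servers\*' -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Hit 'RDP-SavedServer' "$($_.PSChildName) as $($_.UsernameHint)" }

    return $hits
}

# Usage: Find-CachedCredentialSources | Format-Table -AutoSize
```

Each entry is a pointer, not a password: the next step is dumping the Credential Manager vault with the user's token, decrypting the GPP value, or reading the file, which is exactly the post-exploitation work the range is meant to exercise.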
This range is more than enough preparation for PJPT and should prepare one well for CRTP. It's also good for general AD security training. I learned a ton creating, testing, debugging, tweaking, testing again, and verifying it. I only wish I could have put it on TryHackMe; that was the original intention.
If you have comments, questions, or suggestions on how to improve the range then please feel free to message me.
References
Desired State Configuration: https://learn.microsoft.com/en-us/powershell/dsc/getting-started/wingettingstarted?view=dsc-1.1