Install AD Dependencies
Windows Server Datacenter (GUI)
Next and Install.
Windows Server Standard (CLI)
From here https://medium.com/@serkanturan_79203/installing-active-directory-with-powershell-ea48de56088c
Install AD DS (Active Directory Domain Services):
Copy Install-WindowsFeature - Name AD - Domain - Services - IncludeManagementTools Configure a new Forest:
Copy Import-Module ADDSDeployment
Install-ADDSForest - DomainName "lanz-corp.com" - InstallDNS Verify installation:
Copy Get-Service adws , kdc , netlogon , dns Promote Server to Domain Controller (GUI)
Click on "Promote this server to a domain controller":
Install:
The server has been promoted to a Domain Controller, and the authentication is now based in domain.
Users
Configure users, groups, machines...
Copy Run from the start menu: Active Directory Users and Computers Get-ADUser (search users)
Copy Get-ADUser - Filter 'Name -like "*Paul*"'
Get-ADUser - Filter "Name -like '*Orion*'" - Properties *
Copy Get-ADUser - Filter 'Name -like "*Mike*"' | Format-Table Name , SamAccountName
Name SamAccountName
---- --------------
Mike Andrews Jectle1984
Mike Rocha Trequievery
Mike Rosa Mans1990
Mike Blackmon Stemodgme01
Joshua Mikels Wifen1938
Mike Goodwin Lovicher
Mike Dukes Imosed
Mike Bynum Barve1947
Mike Pritchard Pludenis
Mike O 'Hare mohare New-ADUser (add user)
Using the Active Directory Users and Computers from the start-menu and inside a folder or using PowerShell commands:
Copy New-ADUser - Name "Orion Starchaser" - DisplayName 'Orion Starchaser' - SamAccountName 'o.starchaser' - UserPrincipalName 'orion.starchaser@inlanefreight.local' - AccountPassword ( Read-Host - AsSecureString 'Enter a password' ) - Enabled $true - ChangePasswordAtLogon $true - OtherAttributes @ { 'title' = 'analyst' ; 'mail' = 'o.starchaser@inlanefreight.local' }
Copy Get-ADUser - Identity o.starchaser Set-ADUser (update user info)
Copy Set-ADUser - Identity 'Artemis Callisto' - DisplayName 'Artemis Callisto'
Copy Get-ADUser - Filter "Name -like 'Andromeda Cepheus'" - Properties *
[...]
DistinguishedName : CN = Andromeda Cepheus , OU = Analysts , OU = IT , OU = HQ - NYC , OU = Employees , OU = Corp , DC = INLANEFREIGHT , DC = LOCAL
Enabled : True
GivenName : Andromeda
Name : Andromeda Cepheus
ObjectClass : user
ObjectGUID : 300c377e - db3d - 4da4 - aabd - 7235d69693ff
SamAccountName : a.cepheus
SID : S - 1 - 5 - 21 - 3842939050 - 3880317879 - 2865463114 - 7604
Surname : Cepheus
UserPrincipalName : a.cepheus@INLANEFREIGHT.LOCAL
[...]
EmailAddress :
[...]
mail :
[...] Let's update the Email:
Copy Set-ADUser - Identity 'a.cepheus' - EmailAddress 'a.cepheus@inlanefreight.local'
Copy Get-ADUser - Filter "Name -like 'Andromeda Cepheus'" - Properties *
[...]
EmailAddress : a.cepheus@inlanefreight.local
[...]
mail : a.cepheus@inlanefreight.local
[...] Remove-ADUser (remove user)
Copy Get-ADUser - Filter "Name -like '*Orion*'" | Format-Table Name , SamAccountName
Copy Name SamAccountName
---- --------------
Orion Starchaser Orion Starchaser
Copy Remove-ADUser - Identity 'Orion Starchaser' Unlock-ADAccount (unlock user)
Copy Get-ADUser - Filter 'Name -like "*Masters*"'
DistinguishedName : CN = Adam Masters , OU = Interns , OU = HQ - NYC , OU = Employees , OU = Corp , DC = INLANEFREIGHT , DC = LOCAL
Enabled : True
GivenName : Adam
Name : Adam Masters
ObjectClass : user
ObjectGUID : 56d0f2af - e8a0 - 4d12 - a910 - c55257c702a2
SamAccountName : amasters
SID : S - 1 - 5 - 21 - 3842939050 - 3880317879 - 2865463114 - 6108
Surname : Masters
UserPrincipalName : amasters@INLANEFREIGHT.LOCAL
Copy Unlock-ADAccount - Identity 'amasters'
Set-ADAccountPassword amasters - Reset - NewPassword ( Read-Host - AsSecureString - Prompt 'New Password' )
Set-ADUser - ChangePasswordAtLogon $true - Identity amasters Update credentials
Copy Set-ADAccountPassword username - Reset - NewPassword ( Read-Host - AsSecureString - Prompt 'New Password' ) - Verbose
Set-ADUser - ChangePasswordAtLogon $true - Identity username - Verbose Change DoesNotRequirePreAuth Right
This permission is used in Kerberos and is related to ASREP-Roast attack.
GUI :
Enable "Do not require Kerberos preauthentication":
CLI :
We have a list of valid users:
Does anyone have the DoesNotRequirePreAuth right?
Copy python3 GetNPUsers.py -no-pass -usersfile users.txt -dc-ip 10.10.10.10 -format john -outputfile dc-freed-om-corp-asreproastable-users.txt 'lanz.com/' Nop.
Let's activate it...
Copy Get-ADUser - Identity paolo.suarez - Properties * | Format-Table Name , DoesNotRequierePreAuth
Get-ADUser - Identity paolo.suarez | Set-ADAccountControl - DoesNotRequirePreAuth $true Again, does anyone have the DoesNotRequirePreAuth right?
Yeah, there is one!
Computers
Add-Computer (add a computer to a domain)
In the new computer we are going to execute:
Copy Add-Computer - DomainName INLANEFREIGHT.LOCAL - Credential INLANEFREIGHT.LOCAL\htb - student_adm - Restart Or remotely:
Copy Add-Computer - ComputerName ACADEMY - IAD - W10 - LocalCredential ACADEMY - IAD - W10\image - DomainName INLANEFREIGHT.LOCAL - Credential INLANEFREIGHT\htb - student_adm - Restart It will generate a pop-up to input credentials of a Domain Admin (or if the user is already created in the Domain, we can set the user credentials instead of Administrator).
Move a computer to an OU
Copy Get-ADComputer - Identity 'ACADEMY-IAD-W10' | Move-ADObject - TargetPath 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' Remove-Computer
Copy Remove-Computer - ComputerName 'ACADEMY-IAD-W10' - UnjoinDomainCredential 'INLANEFREIGHT.LOCAL\htb-student_adm' - PassThru - Restart - Verbose If doesn't work, do it manually in the local computer:
Group Policy Object (GPO)
Configure Group Policy Object with GUI
Copy Run from the start menu: Group Policy Management Force any particular computer to sync its GPOs
Copy-GPO (copy/duplicate a GPO)
Copy Get-GPO - All | FT Displayname
Copy Copy-GPO - SourceName 'Logon Banner' - TargetName 'Security Analysts Control' New-GPLink (link a GPO to an OU)
Copy New-GPLink - Name 'Security Analysts Control' - Target 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' - LinkEnabled Yes
Copy Get-GPO - Name 'Security Analysts Control' | New-GPLink - Target 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' - LinkEnabled Yes Organization Unit (OU)
Get-ADOrganizationUnit (obtain OUs)
Copy Get-ADOrganizationalUnit - Filter 'Name -like "*"'
Copy Get-ADOrganizationalUnit - Filter 'Name -like "*HelpDesk*"'
City :
Country :
DistinguishedName : OU = HelpDesk , OU = IT , OU = HQ - NYC , OU = Employees , OU = Corp , DC = INLANEFREIGHT , DC = LOCAL
LinkedGroupPolicyObjects : {}
ManagedBy :
Name : HelpDesk
ObjectClass : organizationalUnit
ObjectGUID : 2ad47f9e - 4550 - 44c6 - bb99 - 104bc3ac2105
PostalCode :
State :
StreetAddress :
Copy Get-ADOrganizationalUnit - Identity 'OU=HelpDesk,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL'
City :
Country :
DistinguishedName : OU = HelpDesk , OU = IT , OU = HQ - NYC , OU = Employees , OU = Corp , DC = INLANEFREIGHT , DC = LOCAL
LinkedGroupPolicyObjects : {}
ManagedBy :
Name : HelpDesk
ObjectClass : organizationalUnit
ObjectGUID : 2ad47f9e - 4550 - 44c6 - bb99 - 104bc3ac2105
PostalCode :
State :
StreetAddress : Get members of an OU
Copy Get-ADuser - Filter * - SearchBase "OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL" | select name , DistinguishedName
[...]
Andromeda Cepheus CN = Andromeda Cepheus , OU = IT , OU = HQ - NYC , OU = Employees , OU = Corp , DC = INLANEFREIGHT , DC = LOCAL
Artemis Callisto CN = Artemis Callisto , OU = IT , OU = HQ - NYC , OU = Employees , OU = Corp , DC = INLANEFREIGHT , DC = LOCAL
Orion Starchaser CN = Orion Starchaser , OU = IT , OU = HQ - NYC , OU = Employees , OU = Corp , DC = INLANEFREIGHT , DC = LOCAL New-ADOrganizationUnit (create an OU)
Copy New-ADOrganizationalUnit - Name 'Security Analysts' - Path 'OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' Remove-ADOrganizationUnit (remove an OU)
Copy Get-ADOrganizationalUnit - Identity 'OU=Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' | Set-ADObject - ProtectedFromAccidentalDeletion: $false - PassThru | Remove-ADOrganizationalUnit - Confirm: $false Move-ADObject (to move an object (user, group, etc) to another OU)
Copy Move-ADObject - Identity "CN=Artemis Callisto,CN=Users,DC=INLANEFREIGHT,DC=LOCAL" - TargetPath "OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL"
Copy Get-ADUser - Identity a.callisto | Move-ADObject - TargetPath 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' Groups
New-ADGroup (create a security group)
Copy New-ADGroup - Name "Security Analysts" - SamAccountName Analysts - GroupCategory Security - GroupScope Global - DisplayName "Security Analysts" - Path "OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL" - Description "Members of this group are Security Analysts under the IT OU" Security groups : Use to assign permissions to shared resources.
Distribution groups : Use to create email distribution lists.
Set-ADGroup (update group info)
Copy Set-ADGroup - Identity 'Analysts' - SamAccountName 'Security Analysts' Get-ADGroupMember (get members of a group)
Copy Get-ADGroupMember - Identity 'Security Analysts' Add-ADGroupMember (add members to a group)
Copy Add-ADGroupMember - Identity 'Security Analysts' - Members a.cepheus
Add-ADGroupMember - Identity 'Security Analysts' - Members 'Orion Starchaser' , 'Artemis Callisto' Shared Folders
Create a shared folder
GUI :
Check "Type a custom path", and create a folder.
Click on "Customize permissions"
And set a user with full access (for test) over that folder
Create and we done:
CLI :
Copy New-SmbShare - Name "Pagos" - Path "C:\Pagos" - FullAccess "lanz.com\jose.lopez" And checking:
Copy smbmap -H 10.10.10.10 -d lanz.com -u 'jose.lopez' -p 'Jose123!' 
