# Commands to create AD environment ## Install AD Dependencies ### Windows Server Datacenter (GUI)
Next and Install. ### Windows Server Standard (CLI) From here Install AD DS (Active Directory Domain Services): ```powershell Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools ``` Configure a new Forest: ```powershell Import-Module ADDSDeployment Install-ADDSForest -DomainName "lanz-corp.com" -InstallDNS ``` Verify installation: ```powershell Get-Service adws,kdc,netlogon,dns ``` ## Promote Server to Domain Controller (GUI)
Click on "Promote this server to a domain controller":

Domain name: freed-om-corp.com

Install:
The server has been promoted to a Domain Controller, and the authentication is now based in domain. ## Users ### Configure users, groups, machines... ``` Run from the start menu: Active Directory Users and Computers ``` ### Get-ADUser (search users) ```powershell Get-ADUser -Filter 'Name -like "*Paul*"' Get-ADUser -Filter "Name -like '*Orion*'" -Properties * ``` ```powershell Get-ADUser -Filter 'Name -like "*Mike*"' | Format-Table Name,SamAccountName Name SamAccountName ---- -------------- Mike Andrews Jectle1984 Mike Rocha Trequievery Mike Rosa Mans1990 Mike Blackmon Stemodgme01 Joshua Mikels Wifen1938 Mike Goodwin Lovicher Mike Dukes Imosed Mike Bynum Barve1947 Mike Pritchard Pludenis Mike O'Hare mohare ``` {% embed url="" %} ### New-ADUser (add user) Using the `Active Directory Users and Computers` from the start-menu and inside a folder or using PowerShell commands: ```powershell New-ADUser -Name "Orion Starchaser" -DisplayName 'Orion Starchaser' -SamAccountName 'o.starchaser' -UserPrincipalName 'orion.starchaser@inlanefreight.local' -AccountPassword (Read-Host -AsSecureString 'Enter a password') -Enabled $true -ChangePasswordAtLogon $true -OtherAttributes @{'title'='analyst';'mail'='o.starchaser@inlanefreight.local'} ``` ```powershell Get-ADUser -Identity o.starchaser ``` {% embed url="" %} ### Set-ADUser (update user info) ```powershell Set-ADUser -Identity 'Artemis Callisto' -DisplayName 'Artemis Callisto' ``` ```powershell Get-ADUser -Filter "Name -like 'Andromeda Cepheus'" -Properties * [...] DistinguishedName : CN=Andromeda Cepheus,OU=Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL Enabled : True GivenName : Andromeda Name : Andromeda Cepheus ObjectClass : user ObjectGUID : 300c377e-db3d-4da4-aabd-7235d69693ff SamAccountName : a.cepheus SID : S-1-5-21-3842939050-3880317879-2865463114-7604 Surname : Cepheus UserPrincipalName : a.cepheus@INLANEFREIGHT.LOCAL [...] EmailAddress : [...] mail : [...] ``` Let's update the Email: ```powershell Set-ADUser -Identity 'a.cepheus' -EmailAddress 'a.cepheus@inlanefreight.local' ``` 
Get-ADUser -Filter "Name -like 'Andromeda Cepheus'" -Properties *

[...]
EmailAddress      : a.cepheus@inlanefreight.local
[...]
mail              : a.cepheus@inlanefreight.local
[...]
{% embed url="" %} ### Remove-ADUser (remove user) ```powershell Get-ADUser -Filter "Name -like '*Orion*'" | Format-Table Name,SamAccountName ``` ``` Name SamAccountName ---- -------------- Orion Starchaser Orion Starchaser ``` ```powershell Remove-ADUser -Identity 'Orion Starchaser' ```
{% embed url="" %} ### Unlock-ADAccount (unlock user) ```powershell Get-ADUser -Filter 'Name -like "*Masters*"' DistinguishedName : CN=Adam Masters,OU=Interns,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL Enabled : True GivenName : Adam Name : Adam Masters ObjectClass : user ObjectGUID : 56d0f2af-e8a0-4d12-a910-c55257c702a2 SamAccountName : amasters SID : S-1-5-21-3842939050-3880317879-2865463114-6108 Surname : Masters UserPrincipalName : amasters@INLANEFREIGHT.LOCAL ``` ```powershell Unlock-ADAccount -Identity 'amasters' Set-ADAccountPassword amasters -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') Set-ADUser -ChangePasswordAtLogon $true -Identity amasters ``` {% embed url="" %} {% embed url="" %} ### Update credentials ```powershell Set-ADAccountPassword username -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose Set-ADUser -ChangePasswordAtLogon $true -Identity username -Verbose ``` ### Change DoesNotRequirePreAuth Right This permission is used in Kerberos and is related to ASREP-Roast attack. **GUI**: Enable "Do not require Kerberos preauthentication":
**CLI**: We have a list of valid users:
Does anyone have the DoesNotRequirePreAuth right? ```bash python3 GetNPUsers.py -no-pass -usersfile users.txt -dc-ip 10.10.10.10 -format john -outputfile dc-freed-om-corp-asreproastable-users.txt 'lanz.com/' ```
Nop. Let's activate it... ```powershell Get-ADUser -Identity paolo.suarez -Properties * | Format-Table Name,DoesNotRequierePreAuth Get-ADUser -Identity paolo.suarez | Set-ADAccountControl -DoesNotRequirePreAuth $true ```
Again, does anyone have the DoesNotRequirePreAuth right?
Yeah, there is one! ## Computers ### Add-Computer (add a computer to a domain) In the new computer we are going to execute: ```powershell Add-Computer -DomainName INLANEFREIGHT.LOCAL -Credential INLANEFREIGHT.LOCAL\htb-student_adm -Restart ``` Or remotely: ```powershell Add-Computer -ComputerName ACADEMY-IAD-W10 -LocalCredential ACADEMY-IAD-W10\image -DomainName INLANEFREIGHT.LOCAL -Credential INLANEFREIGHT\htb-student_adm -Restart ``` It will generate a pop-up to input credentials of a Domain Admin (or if the user is already created in the Domain, we can set the user credentials instead of Administrator).
{% embed url="" %} ### Move a computer to an OU ```powershell Get-ADComputer -Identity 'ACADEMY-IAD-W10' | Move-ADObject -TargetPath 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' ``` ### Remove-Computer ```powershell Remove-Computer -ComputerName 'ACADEMY-IAD-W10' -UnjoinDomainCredential 'INLANEFREIGHT.LOCAL\htb-student_adm' -PassThru -Restart -Verbose ``` If doesn't work, do it manually in the local computer: {% embed url="" %} {% embed url="" %} ## Group Policy Object (GPO) ### Configure Group Policy Object with GUI ``` Run from the start menu: Group Policy Management ``` ### Force any particular computer to sync its GPOs ```powershell gpupdate /force ``` ### Copy-GPO (copy/duplicate a GPO) ```powershell Get-GPO -All | FT Displayname ``` ```powershell Copy-GPO -SourceName 'Logon Banner' -TargetName 'Security Analysts Control' ```
{% embed url="" %} {% embed url="" %} {% embed url="" %} ### New-GPLink (link a GPO to an OU) ```powershell New-GPLink -Name 'Security Analysts Control' -Target 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' -LinkEnabled Yes ``` ```powershell Get-GPO -Name 'Security Analysts Control' | New-GPLink -Target 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' -LinkEnabled Yes ```
## Organization Unit (OU) ### Get-ADOrganizationUnit (obtain OUs) ```powershell Get-ADOrganizationalUnit -Filter 'Name -like "*"' ``` ```powershell Get-ADOrganizationalUnit -Filter 'Name -like "*HelpDesk*"' City : Country : DistinguishedName : OU=HelpDesk,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL LinkedGroupPolicyObjects : {} ManagedBy : Name : HelpDesk ObjectClass : organizationalUnit ObjectGUID : 2ad47f9e-4550-44c6-bb99-104bc3ac2105 PostalCode : State : StreetAddress : ``` ```powershell Get-ADOrganizationalUnit -Identity 'OU=HelpDesk,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' City : Country : DistinguishedName : OU=HelpDesk,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL LinkedGroupPolicyObjects : {} ManagedBy : Name : HelpDesk ObjectClass : organizationalUnit ObjectGUID : 2ad47f9e-4550-44c6-bb99-104bc3ac2105 PostalCode : State : StreetAddress : ``` {% embed url="" %} ### Get members of an OU ```powershell Get-ADuser -Filter * -SearchBase "OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL" | select name,DistinguishedName [...] Andromeda Cepheus CN=Andromeda Cepheus,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL Artemis Callisto CN=Artemis Callisto,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL Orion Starchaser CN=Orion Starchaser,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL ``` {% embed url="" %} ### New-ADOrganizationUnit (create an OU) ```powershell New-ADOrganizationalUnit -Name 'Security Analysts' -Path 'OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' ```
{% embed url="" %} ### Remove-ADOrganizationUnit (remove an OU) ```powershell Get-ADOrganizationalUnit -Identity 'OU=Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' | Set-ADObject -ProtectedFromAccidentalDeletion:$false -PassThru | Remove-ADOrganizationalUnit -Confirm:$false ``` {% embed url="" %} {% embed url="" %} ### Move-ADObject (to move an object (user, group, etc) to another OU) ```powershell Move-ADObject -Identity "CN=Artemis Callisto,CN=Users,DC=INLANEFREIGHT,DC=LOCAL" -TargetPath "OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL" ``` ```powershell Get-ADUser -Identity a.callisto | Move-ADObject -TargetPath 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' ``` {% embed url="" %} {% embed url="" %} ## Groups ### New-ADGroup (create a security group) ```powershell New-ADGroup -Name "Security Analysts" -SamAccountName Analysts -GroupCategory Security -GroupScope Global -DisplayName "Security Analysts" -Path "OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL" -Description "Members of this group are Security Analysts under the IT OU" ``` * **Security groups**: Use to assign permissions to shared resources. * **Distribution groups**: Use to create email distribution lists. {% embed url="" %} {% embed url="" %} ### Set-ADGroup (update group info) ```powershell Set-ADGroup -Identity 'Analysts' -SamAccountName 'Security Analysts' ``` {% embed url="" %} ### Get-ADGroupMember (get members of a group) ```powershell Get-ADGroupMember -Identity 'Security Analysts' ``` {% embed url="" %} ### Add-ADGroupMember (add members to a group) ```powershell Add-ADGroupMember -Identity 'Security Analysts' -Members a.cepheus Add-ADGroupMember -Identity 'Security Analysts' -Members 'Orion Starchaser','Artemis Callisto' ```
{% embed url="" %} ## Shared Folders ### Create a shared folder **GUI**:
Check "Type a custom path", and create a folder.
* Click on "Customize permissions" * And set a user with full access (for test) over that folder
Create and we done:
**CLI**: ```powershell New-SmbShare -Name "Pagos" -Path "C:\Pagos" -FullAccess "lanz.com\jose.lopez" ```
And checking: ```bash smbmap -H 10.10.10.10 -d lanz.com -u 'jose.lopez' -p 'Jose123!' ```