Install AD Dependencies
Windows Server Datacenter (GUI)
Next and Install.
Windows Server Standard (CLI)
From here https://medium.com/@serkanturan_79203/installing-active-directory-with-powershell-ea48de56088c
Install AD DS (Active Directory Domain Services):
Copy Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools Configure a new Forest:
Copy Import-Module ADDSDeployment
Install-ADDSForest -DomainName "lanz-corp.com" -InstallDNS Verify installation:
Copy Get-Service adws,kdc,netlogon,dns Promote Server to Domain Controller (GUI)
Click on "Promote this server to a domain controller":
Install:
The server has been promoted to a Domain Controller, and the authentication is now based in domain.
Users
Configure users, groups, machines...
Copy Run from the start menu: Active Directory Users and Computers Get-ADUser (search users)
Copy Get-ADUser -Filter 'Name -like "*Paul*"'
Get-ADUser -Filter "Name -like '*Orion*'" -Properties *
Copy Get-ADUser -Filter 'Name -like "*Mike*"' | Format-Table Name,SamAccountName
Name SamAccountName
---- --------------
Mike Andrews Jectle1984
Mike Rocha Trequievery
Mike Rosa Mans1990
Mike Blackmon Stemodgme01
Joshua Mikels Wifen1938
Mike Goodwin Lovicher
Mike Dukes Imosed
Mike Bynum Barve1947
Mike Pritchard Pludenis
Mike O'Hare mohare New-ADUser (add user)
Using the Active Directory Users and Computers from the start-menu and inside a folder or using PowerShell commands:
Copy New-ADUser -Name "Orion Starchaser" -DisplayName 'Orion Starchaser' -SamAccountName 'o.starchaser' -UserPrincipalName 'orion.starchaser@inlanefreight.local' -AccountPassword (Read-Host -AsSecureString 'Enter a password') -Enabled $true -ChangePasswordAtLogon $true -OtherAttributes @{'title'='analyst';'mail'='o.starchaser@inlanefreight.local'}
Copy Get-ADUser -Identity o.starchaser Set-ADUser (update user info)
Copy Set-ADUser -Identity 'Artemis Callisto' -DisplayName 'Artemis Callisto'
Copy Get-ADUser -Filter "Name -like 'Andromeda Cepheus'" -Properties *
[...]
DistinguishedName : CN=Andromeda Cepheus,OU=Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
Enabled : True
GivenName : Andromeda
Name : Andromeda Cepheus
ObjectClass : user
ObjectGUID : 300c377e-db3d-4da4-aabd-7235d69693ff
SamAccountName : a.cepheus
SID : S-1-5-21-3842939050-3880317879-2865463114-7604
Surname : Cepheus
UserPrincipalName : a.cepheus@INLANEFREIGHT.LOCAL
[...]
EmailAddress :
[...]
mail :
[...] Let's update the Email:
Copy Set-ADUser -Identity 'a.cepheus' -EmailAddress 'a.cepheus@inlanefreight.local'
Copy Get-ADUser -Filter "Name -like 'Andromeda Cepheus'" -Properties *
[...]
EmailAddress : a.cepheus@inlanefreight.local
[...]
mail : a.cepheus@inlanefreight.local
[...] Remove-ADUser (remove user)
Copy Get-ADUser -Filter "Name -like '*Orion*'" | Format-Table Name,SamAccountName
Copy Name SamAccountName
---- --------------
Orion Starchaser Orion Starchaser
Copy Remove-ADUser -Identity 'Orion Starchaser' Unlock-ADAccount (unlock user)
Copy Get-ADUser -Filter 'Name -like "*Masters*"'
DistinguishedName : CN=Adam Masters,OU=Interns,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
Enabled : True
GivenName : Adam
Name : Adam Masters
ObjectClass : user
ObjectGUID : 56d0f2af-e8a0-4d12-a910-c55257c702a2
SamAccountName : amasters
SID : S-1-5-21-3842939050-3880317879-2865463114-6108
Surname : Masters
UserPrincipalName : amasters@INLANEFREIGHT.LOCAL
Copy Unlock-ADAccount -Identity 'amasters'
Set-ADAccountPassword amasters -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password')
Set-ADUser -ChangePasswordAtLogon $true -Identity amasters Update credentials
Copy Set-ADAccountPassword username -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose
Set-ADUser -ChangePasswordAtLogon $true -Identity username -Verbose Change DoesNotRequirePreAuth Right
This permission is used in Kerberos and is related to ASREP-Roast attack.
GUI :
Enable "Do not require Kerberos preauthentication":
CLI :
We have a list of valid users:
Does anyone have the DoesNotRequirePreAuth right?
Copy python3 GetNPUsers.py -no-pass -usersfile users.txt -dc-ip 10.10.10.10 -format john -outputfile dc-freed-om-corp-asreproastable-users.txt 'lanz.com/' Nop.
Let's activate it...
Copy Get-ADUser -Identity paolo.suarez -Properties * | Format-Table Name,DoesNotRequierePreAuth
Get-ADUser -Identity paolo.suarez | Set-ADAccountControl -DoesNotRequirePreAuth $true Again, does anyone have the DoesNotRequirePreAuth right?
Yeah, there is one!
Computers
Add-Computer (add a computer to a domain)
In the new computer we are going to execute:
Copy Add-Computer -DomainName INLANEFREIGHT.LOCAL -Credential INLANEFREIGHT.LOCAL\htb-student_adm -Restart Or remotely:
Copy Add-Computer -ComputerName ACADEMY-IAD-W10 -LocalCredential ACADEMY-IAD-W10\image -DomainName INLANEFREIGHT.LOCAL -Credential INLANEFREIGHT\htb-student_adm -Restart It will generate a pop-up to input credentials of a Domain Admin (or if the user is already created in the Domain, we can set the user credentials instead of Administrator).
Move a computer to an OU
Copy Get-ADComputer -Identity 'ACADEMY-IAD-W10' | Move-ADObject -TargetPath 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' Remove-Computer
Copy Remove-Computer -ComputerName 'ACADEMY-IAD-W10' -UnjoinDomainCredential 'INLANEFREIGHT.LOCAL\htb-student_adm' -PassThru -Restart -Verbose If doesn't work, do it manually in the local computer:
Group Policy Object (GPO)
Configure Group Policy Object with GUI
Copy Run from the start menu: Group Policy Management Force any particular computer to sync its GPOs
Copy-GPO (copy/duplicate a GPO)
Copy Get-GPO -All | FT Displayname
Copy Copy-GPO -SourceName 'Logon Banner' -TargetName 'Security Analysts Control' New-GPLink (link a GPO to an OU)
Copy New-GPLink -Name 'Security Analysts Control' -Target 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' -LinkEnabled Yes
Copy Get-GPO -Name 'Security Analysts Control' | New-GPLink -Target 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' -LinkEnabled Yes Organization Unit (OU)
Get-ADOrganizationUnit (obtain OUs)
Copy Get-ADOrganizationalUnit -Filter 'Name -like "*"'
Copy Get-ADOrganizationalUnit -Filter 'Name -like "*HelpDesk*"'
City :
Country :
DistinguishedName : OU=HelpDesk,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
LinkedGroupPolicyObjects : {}
ManagedBy :
Name : HelpDesk
ObjectClass : organizationalUnit
ObjectGUID : 2ad47f9e-4550-44c6-bb99-104bc3ac2105
PostalCode :
State :
StreetAddress : Get members of an OU
Copy Get-ADuser -Filter * -SearchBase "OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL" | select name,DistinguishedName
[...]
Andromeda Cepheus CN=Andromeda Cepheus,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
Artemis Callisto CN=Artemis Callisto,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
Orion Starchaser CN=Orion Starchaser,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL New-ADOrganizationUnit (create an OU)
Copy New-ADOrganizationalUnit -Name 'Security Analysts' -Path 'OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' Remove-ADOrganizationUnit (remove an OU)
Copy Get-ADOrganizationalUnit -Identity 'OU=Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' | Set-ADObject -ProtectedFromAccidentalDeletion:$false -PassThru | Remove-ADOrganizationalUnit -Confirm:$false Move-ADObject (to move an object (user, group, etc) to another OU)
Copy Move-ADObject -Identity "CN=Artemis Callisto,CN=Users,DC=INLANEFREIGHT,DC=LOCAL" -TargetPath "OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL"
Copy Get-ADUser -Identity a.callisto | Move-ADObject -TargetPath 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' Groups
New-ADGroup (create a security group)
Copy New-ADGroup -Name "Security Analysts" -SamAccountName Analysts -GroupCategory Security -GroupScope Global -DisplayName "Security Analysts" -Path "OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL" -Description "Members of this group are Security Analysts under the IT OU" Security groups : Use to assign permissions to shared resources.
Distribution groups : Use to create email distribution lists.
Set-ADGroup (update group info)
Copy Set-ADGroup -Identity 'Analysts' -SamAccountName 'Security Analysts' Get-ADGroupMember (get members of a group)
Copy Get-ADGroupMember -Identity 'Security Analysts' Add-ADGroupMember (add members to a group)
Copy Add-ADGroupMember -Identity 'Security Analysts' -Members a.cepheus
Add-ADGroupMember -Identity 'Security Analysts' -Members 'Orion Starchaser','Artemis Callisto' Shared Folders
Create a shared folder
GUI :
Check "Type a custom path", and create a folder.
Click on "Customize permissions"
And set a user with full access (for test) over that folder
Create and we done:
CLI :
Copy New-SmbShare -Name "Pagos" -Path "C:\Pagos" -FullAccess "lanz.com\jose.lopez" And checking:
Copy smbmap -H 10.10.10.10 -d lanz.com -u 'jose.lopez' -p 'Jose123!' 
