
Commands to create AD environment


Last updated 5 months ago

Install AD Dependencies

Windows Server Datacenter (GUI)

Click Next, then Install.

Windows Server Standard (CLI)

Install AD DS (Active Directory Domain Services):

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Configure a new Forest:

Import-Module ADDSDeployment
Install-ADDSForest -DomainName "lanz-corp.com" -InstallDNS

Verify installation:

Get-Service adws,kdc,netlogon,dns

Promote Server to Domain Controller (GUI)

Click on "Promote this server to a domain controller":

Install:

The server has been promoted to a Domain Controller, and authentication is now domain-based.

Users

Configure users, groups, machines...

Run from the start menu: Active Directory Users and Computers

Get-ADUser (search users)

Get-ADUser -Filter 'Name -like "*Paul*"'
Get-ADUser -Filter "Name -like '*Orion*'" -Properties *
Get-ADUser -Filter 'Name -like "*Mike*"' | Format-Table Name,SamAccountName

Name           SamAccountName
----           --------------
Mike Andrews   Jectle1984
Mike Rocha     Trequievery
Mike Rosa      Mans1990
Mike Blackmon  Stemodgme01
Joshua Mikels  Wifen1938
Mike Goodwin   Lovicher
Mike Dukes     Imosed
Mike Bynum     Barve1947
Mike Pritchard Pludenis
Mike O'Hare    mohare

New-ADUser (add user)

Either through Active Directory Users and Computers from the start menu, inside the desired folder, or with PowerShell commands:

New-ADUser -Name "Orion Starchaser" -DisplayName 'Orion Starchaser' -SamAccountName 'o.starchaser' -UserPrincipalName 'orion.starchaser@inlanefreight.local' -AccountPassword (Read-Host -AsSecureString 'Enter a password') -Enabled $true -ChangePasswordAtLogon $true -OtherAttributes @{'title'='analyst';'mail'='o.starchaser@inlanefreight.local'}
Get-ADUser -Identity o.starchaser

Set-ADUser (update user info)

Set-ADUser -Identity 'Artemis Callisto' -DisplayName 'Artemis Callisto'
Get-ADUser -Filter "Name -like 'Andromeda Cepheus'" -Properties *

[...]
DistinguishedName : CN=Andromeda Cepheus,OU=Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
Enabled           : True
GivenName         : Andromeda
Name              : Andromeda Cepheus
ObjectClass       : user
ObjectGUID        : 300c377e-db3d-4da4-aabd-7235d69693ff
SamAccountName    : a.cepheus
SID               : S-1-5-21-3842939050-3880317879-2865463114-7604
Surname           : Cepheus
UserPrincipalName : a.cepheus@INLANEFREIGHT.LOCAL
[...]
EmailAddress      :
[...]
mail              :
[...]

Let's update the Email:

Set-ADUser -Identity 'a.cepheus' -EmailAddress 'a.cepheus@inlanefreight.local'
Get-ADUser -Filter "Name -like 'Andromeda Cepheus'" -Properties *

[...]
EmailAddress      : a.cepheus@inlanefreight.local
[...]
mail              : a.cepheus@inlanefreight.local
[...]

Remove-ADUser (remove user)

Get-ADUser -Filter "Name -like '*Orion*'" | Format-Table Name,SamAccountName
Name             SamAccountName
----             --------------
Orion Starchaser Orion Starchaser
Remove-ADUser -Identity 'Orion Starchaser'

Unlock-ADAccount (unlock user)

Get-ADUser -Filter 'Name -like "*Masters*"'

DistinguishedName : CN=Adam Masters,OU=Interns,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
Enabled           : True
GivenName         : Adam
Name              : Adam Masters
ObjectClass       : user
ObjectGUID        : 56d0f2af-e8a0-4d12-a910-c55257c702a2
SamAccountName    : amasters
SID               : S-1-5-21-3842939050-3880317879-2865463114-6108
Surname           : Masters
UserPrincipalName : amasters@INLANEFREIGHT.LOCAL
Unlock-ADAccount -Identity 'amasters'
Set-ADAccountPassword amasters -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password')
Set-ADUser -ChangePasswordAtLogon $true -Identity amasters

Update credentials

Set-ADAccountPassword username -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose
Set-ADUser -ChangePasswordAtLogon $true -Identity username -Verbose

Change DoesNotRequirePreAuth Right

This account flag is used by Kerberos and is the one the ASREP-Roast attack depends on.

GUI:

Enable "Do not require Kerberos preauthentication":

CLI:

We have a list of valid users:

Does anyone have the DoesNotRequirePreAuth right?

python3 GetNPUsers.py -no-pass -usersfile users.txt -dc-ip 10.10.10.10 -format john -outputfile dc-freed-om-corp-asreproastable-users.txt 'lanz.com/'

No.

Let's activate it...

Get-ADUser -Identity paolo.suarez -Properties * | Format-Table Name,DoesNotRequirePreAuth
Get-ADUser -Identity paolo.suarez | Set-ADAccountControl -DoesNotRequirePreAuth $true

Again, does anyone have the DoesNotRequirePreAuth right?

Yeah, there is one!
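Added example (not part of the original cheat sheet): from the defender's side, the same cmdlets the page uses can audit the whole domain for accounts with pre-authentication disabled and revert the flag. It assumes the ActiveDirectory module on a domain-joined host; the function names are my own.

```powershell
# Added example: find every account with DONT_REQ_PREAUTH set and optionally clear it.
# Assumes the ActiveDirectory module is available on a domain-joined host.
Import-Module ActiveDirectory

function Get-PreAuthDisabledUsers {
    # The flag lives in userAccountControl as bit 0x400000 (4194304). The
    # bitwise-AND matching rule (1.2.840.113556.1.4.803) finds it regardless
    # of the other bits set, so this is cheaper than pulling every user.
    Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' `
        -Properties DoesNotRequirePreAuth, Enabled, LastLogonDate, MemberOf |
        Select-Object SamAccountName, Enabled, LastLogonDate,
            @{ Name = 'GroupCount'; Expression = { $_.MemberOf.Count } }
}

function Disable-PreAuthBypass {
    # Pipeline-friendly wrapper around the same Set-ADAccountControl call the
    # page uses to turn the flag on; -WhatIf gives a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string] $SamAccountName
    )
    process {
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Clear DoesNotRequirePreAuth')) {
            Set-ADAccountControl -Identity $SamAccountName -DoesNotRequirePreAuth $false
        }
    }
}

$findings = Get-PreAuthDisabledUsers
if (-not $findings) {
    Write-Host 'No accounts have DoesNotRequirePreAuth set.'
} else {
    $findings | Format-Table -AutoSize
    # Dry run first; drop -WhatIf to actually re-enable pre-authentication.
    $findings | Disable-PreAuthBypass -WhatIf
}
```

Running the audit before and after the Set-ADAccountControl step above shows exactly one account appearing, which is the same result GetNPUsers.py reported from the outside.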

Computers

Add-Computer (add a computer to a domain)

On the new computer, run:

Add-Computer -DomainName INLANEFREIGHT.LOCAL -Credential INLANEFREIGHT.LOCAL\htb-student_adm -Restart

Or remotely:

Add-Computer -ComputerName ACADEMY-IAD-W10 -LocalCredential ACADEMY-IAD-W10\image -DomainName INLANEFREIGHT.LOCAL -Credential INLANEFREIGHT\htb-student_adm -Restart

A pop-up will ask for the credentials of a Domain Admin (or, if the user already exists in the domain, that user's credentials can be supplied instead of Administrator's).

Move a computer to an OU

Get-ADComputer -Identity 'ACADEMY-IAD-W10' | Move-ADObject -TargetPath 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL'

Remove-Computer

Remove-Computer -ComputerName 'ACADEMY-IAD-W10' -UnjoinDomainCredential 'INLANEFREIGHT.LOCAL\htb-student_adm' -PassThru -Restart -Verbose

If that doesn't work, do it manually on the local computer:

Group Policy Object (GPO)

Configure Group Policy Object with GUI

Run from the start menu: Group Policy Management

Force any particular computer to sync its GPOs

gpupdate /force

Copy-GPO (copy/duplicate a GPO)

Get-GPO -All | FT Displayname
Copy-GPO -SourceName 'Logon Banner' -TargetName 'Security Analysts Control'

New-GPLink (link a GPO to an OU)

New-GPLink -Name 'Security Analysts Control' -Target 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' -LinkEnabled Yes
Get-GPO -Name 'Security Analysts Control' | New-GPLink -Target 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' -LinkEnabled Yes

Organizational Unit (OU)

Get-ADOrganizationalUnit (obtain OUs)

Get-ADOrganizationalUnit -Filter 'Name -like "*"'
Get-ADOrganizationalUnit -Filter 'Name -like "*HelpDesk*"'

City                     :
Country                  :
DistinguishedName        : OU=HelpDesk,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
LinkedGroupPolicyObjects : {}
ManagedBy                :
Name                     : HelpDesk
ObjectClass              : organizationalUnit
ObjectGUID               : 2ad47f9e-4550-44c6-bb99-104bc3ac2105
PostalCode               :
State                    :
StreetAddress            :
Get-ADOrganizationalUnit -Identity 'OU=HelpDesk,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL'

City                     :
Country                  :
DistinguishedName        : OU=HelpDesk,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
LinkedGroupPolicyObjects : {}
ManagedBy                :
Name                     : HelpDesk
ObjectClass              : organizationalUnit
ObjectGUID               : 2ad47f9e-4550-44c6-bb99-104bc3ac2105
PostalCode               :
State                    :
StreetAddress            :

Get members of an OU

Get-ADuser -Filter * -SearchBase "OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL" | select name,DistinguishedName

[...]
Andromeda Cepheus  CN=Andromeda Cepheus,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
Artemis Callisto   CN=Artemis Callisto,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
Orion Starchaser   CN=Orion Starchaser,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL

New-ADOrganizationalUnit (create an OU)

New-ADOrganizationalUnit -Name 'Security Analysts' -Path 'OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL'

Remove-ADOrganizationalUnit (remove an OU)

Get-ADOrganizationalUnit -Identity 'OU=Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL' | Set-ADObject -ProtectedFromAccidentalDeletion:$false -PassThru | Remove-ADOrganizationalUnit -Confirm:$false

Move-ADObject (move an object (user, group, etc.) to another OU)

Move-ADObject -Identity "CN=Artemis Callisto,CN=Users,DC=INLANEFREIGHT,DC=LOCAL" -TargetPath "OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL"
Get-ADUser -Identity a.callisto | Move-ADObject -TargetPath 'OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL'

Groups

New-ADGroup (create a security group)

New-ADGroup -Name "Security Analysts" -SamAccountName Analysts -GroupCategory Security -GroupScope Global -DisplayName "Security Analysts" -Path "OU=Security Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL" -Description "Members of this group are Security Analysts under the IT OU"
  • Security groups: Use to assign permissions to shared resources.

  • Distribution groups: Use to create email distribution lists.

Set-ADGroup (update group info)

Set-ADGroup -Identity 'Analysts' -SamAccountName 'Security Analysts'

Get-ADGroupMember (get members of a group)

Get-ADGroupMember -Identity 'Security Analysts'

Add-ADGroupMember (add members to a group)

Add-ADGroupMember -Identity 'Security Analysts' -Members a.cepheus
Add-ADGroupMember -Identity 'Security Analysts' -Members 'Orion Starchaser','Artemis Callisto'
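The OU, group and user steps above combined into one idempotent script, as an added example that is not part of the original page. It reuses the page's INLANEFREIGHT.LOCAL OU path and the o.starchaser naming pattern; the user list is constructed for the example, and every object is created only if it does not already exist, so the script can be re-run safely.

```powershell
# Added example: build the Security Analysts OU, its group and its users in one pass.
# Assumes the ActiveDirectory module on a domain-joined host with rights to create objects.
Import-Module ActiveDirectory

$domainDn  = 'DC=INLANEFREIGHT,DC=LOCAL'
$parentOu  = "OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,$domainDn"
$ouName    = 'Security Analysts'
$ouDn      = "OU=$ouName,$parentOu"
$upnSuffix = 'inlanefreight.local'

# Constructed user list; SamAccountName follows the page's o.starchaser pattern.
$people = @(
    @{ Given = 'Orion';     Surname = 'Starchaser' },
    @{ Given = 'Artemis';   Surname = 'Callisto'   },
    @{ Given = 'Andromeda'; Surname = 'Cepheus'    }
)

# 1. OU: Get-ADOrganizationalUnit -Identity throws when the DN is missing, so probe with -Filter.
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDn'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $parentOu
}

# 2. Security group inside the OU.
if (-not (Get-ADGroup -Filter "SamAccountName -eq '$ouName'")) {
    New-ADGroup -Name $ouName -SamAccountName $ouName -GroupCategory Security `
        -GroupScope Global -Path $ouDn
}

# 3. Users: create the missing ones directly in the OU with one shared initial
#    password that must be changed at first logon.
$initial = Read-Host -AsSecureString 'Initial password for new users'
foreach ($p in $people) {
    $sam = ('{0}.{1}' -f $p.Given.Substring(0, 1), $p.Surname).ToLower()
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
        New-ADUser -Name "$($p.Given) $($p.Surname)" -GivenName $p.Given -Surname $p.Surname `
            -SamAccountName $sam -UserPrincipalName "$sam@$upnSuffix" -Path $ouDn `
            -AccountPassword $initial -Enabled $true -ChangePasswordAtLogon $true
    }
    # Add-ADGroupMember errors on an existing member, so check membership first.
    $members = Get-ADGroupMember -Identity $ouName | Select-Object -ExpandProperty SamAccountName
    if ($sam -notin $members) { Add-ADGroupMember -Identity $ouName -Members $sam }
}

# 4. Report what ended up in the OU.
Get-ADUser -Filter * -SearchBase $ouDn | Select-Object Name, SamAccountName, DistinguishedName
```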

Shared Folders

Create a shared folder

GUI:

Check "Type a custom path", and create a folder.

  • Click on "Customize permissions"

  • And set a user with full access (for test) over that folder

Click Create and we're done:

CLI:

New-SmbShare -Name "Pagos" -Path "C:\Pagos" -FullAccess "lanz.com\jose.lopez"

And verify with smbmap:

smbmap -H 10.10.10.10 -d lanz.com -u 'jose.lopez' -p 'Jose123!'

From here:

https://medium.com/@serkanturan_79203/installing-active-directory-with-powershell-ea48de56088c