Phase I: Deploying the Active Directory Target

:: SYSTEM_BROADCAST :: [MSG_ID: 0X99]

DEPLOYMENT CONFIRMED: Hack Academy's OSCP Active Directory Chain Practice Lab.
> ACTIVE VERSION: CHAIN #2 > QUEUED: CHAIN #3

System Deployment

Although this project was originally scheduled to begin in January, I felt a strong urge to dive in early. I simply couldn't wait to start deploying and pentesting Active Directory environments. I am currently deeply fascinated by the entire AD ecosystem and my goal is to learn as much as possible. After all, it remains the industry standard for enterprise identity management, making it a critical area of study.

:: TARGET INTELLIGENCE: ACTIVE DIRECTORY PRIORITY: HIGH

Definition: Microsoft's proprietary directory service acting as the centralized database for network identity, authentication, and policy management.

Why is this critical for Red Teaming?

  • [!] The Standard: Used by 95% of Fortune 500 companies. To hack enterprise networks, you must speak AD.
  • [!] Keys to the Kingdom: AD controls "who can do what." Compromising a Domain Admin account grants total control over every server, workstation, and user in the environment.
  • [!] Attack Surface: It relies on legacy protocols (Kerberos, NTLM, LDAP) which are often misconfigured. This allows for attacks like Kerberoasting, DCSync, and Pass-the-Hash.
:: MISSION RESOURCE: HACK ACADEMY TARGET: OSCP EXAM

Asset Acquired: OSCP Active Directory Chain Practice Lab

This is not a random setup. This lab is a downloadable VM pack purpose-built to replicate an OSCP-style Active Directory environment. It simulates real attack chains, forcing us to move beyond simple exploits and practice the full lifecycle:

[>] Discovery: Initial enumeration & footing.
[>] PrivEsc: Vertical movement to Admin.
[>] Lateral Move: Pivot between workstations.
[>] Dominance: Full Post-Exploitation.

"The network topology, host roles, and vulnerabilities are arranged so you practice the same steps you will encounter during exam-style AD challenges. Everything is designed for learning by doing, not just reading."

>> Objective: Use this high-fidelity simulation to build the confidence needed to crush the exam.

:: PROJECT OBJECTIVES STATUS: IN PROGRESS

Goal: Construct a high-fidelity target range for adversary simulation.

  • [+] Infrastructure: Deploy Domain Controller & Workstations on a virtualized environment.
  • [+] Red Teaming: Simulate attack scenarios and master standard AD attack vectors.
  • [+] Verification: Validate domain connectivity and replication services.

For this lab environment, I chose to import the appliances directly. The setup consists of a Windows Server acting as the Domain Controller (DC01) and two Windows 10 client workstations.

My priority was to establish a realistic but isolated network; I configured the network adapters to use an internal "NAT Network." This ensures the machines can communicate with each other and reach the internet for necessary updates, while keeping the vulnerable Active Directory services segregated from my main home network.
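
The isolation described above can be checked from the VirtualBox host rather than assumed. This added example (not from the original post) parses `VBoxManage showvminfo --machinereadable` output and flags any enabled adapter that is not on the expected NAT Network; the network name `LabNet`, the `CLIENT02` sample, and the `nicN` / `nat-networkN` key layout are assumptions.

```shell
#!/usr/bin/env bash
# Added example: confirm lab VMs are attached only to the lab NAT Network.
# Assumed input: `VBoxManage showvminfo <vm> --machinereadable` key="value"
# lines, e.g. nic1="natnetwork" and nat-network1="LabNet".

# audit_nics EXPECTED_NET   (showvminfo text on stdin)
# Prints one line per enabled NIC; returns 1 if any is not on EXPECTED_NET.
audit_nics() {
  awk -v want="$1" -F'"' '
    /^nic[0-9]+=/         { n = $1; gsub(/[^0-9]/, "", n); mode[n] = $2 }
    /^nat-network[0-9]+=/ { n = $1; gsub(/[^0-9]/, "", n); net[n] = $2 }
    END {
      bad = 0
      for (n in mode) {
        if (mode[n] == "none") continue          # adapter disabled
        if (mode[n] == "natnetwork" && net[n] == want) {
          printf "OK   nic%s natnetwork/%s\n", n, net[n]
        } else {                                  # bridged, hostonly, wrong net
          printf "FAIL nic%s %s%s\n", n, mode[n], ((n in net) ? "/" net[n] : "")
          bad = 1
        }
      }
      exit bad
    }'
}

# Constructed samples (not captured from the lab in the post).
DC01_INFO='name="DC01"
nic1="natnetwork"
nat-network1="LabNet"
nictype1="82540EM"
nic2="none"'

# Hypothetical client with a stray bridged adapter left enabled.
CLIENT02_INFO='name="CLIENT02"
nic1="natnetwork"
nat-network1="LabNet"
nic2="bridged"
bridgeadapter2="wlan0"'

# Live use on the host:
#   VBoxManage showvminfo DC01 --machinereadable | audit_nics LabNet
echo "== DC01 ==";     printf '%s\n' "$DC01_INFO"     | audit_nics LabNet || echo "DC01: not isolated"
echo "== CLIENT02 =="; printf '%s\n' "$CLIENT02_INFO" | audit_nics LabNet || echo "CLIENT02: not isolated"
```

A NAT Network blocks unsolicited inbound traffic but still lets guests open connections outward, so also confirm that no port-forwarding rules are defined on it.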

:: NETWORK TOPOLOGY VISUALIZATION
Active Directory Network Topology
FIGURE 1.0: Virtualized Attack Surface Configuration. The Lab is configured in VirtualBox.

With the network configured, the next step is to verify that our Attack Box (Kali) can communicate with the target domain. I used a tool called NetExec for this part.

:: INFRASTRUCTURE STATUS
[CLIENT01] Internal Domain Connectivity Check
PS C:\Users\Administrator> Test-NetConnection -ComputerName DC01 -CommonTCPPort SMB
ComputerName     : DC01
RemoteAddress    : 10.0.2.4
RemotePort       : 445
InterfaceAlias   : Ethernet
SourceAddress    : 10.0.2.5
TcpTestSucceeded : True
            
[ATTACKER VM] Connectivity Check (NetExec)
NetExec SMB Scan Results

With connectivity established and services responding, the environment is ready for the enumeration phase.

:: MISSION ARSENAL

To successfully compromise and audit the domain, we need a specific set of tooling. This lab relies on standard offensive security tools found in Kali Linux, with a focus on network enumeration and protocol abuse.

NetExec (NXC) [v1.4.0]
The "Smooth Operator." The modern fork of CrackMapExec. It is the Swiss Army knife for enumerating AD protocols (SMB, LDAP, MSSQL, WinRM).
Tags: ENUMERATION, SPRAYING

Impacket [LIBRARY]
A collection of Python classes for working with network protocols. Essential for executing attacks like SecretsDump, GetNPUsers, and SMBRelay.
Tags: EXPLOITATION, KERBEROS

BloodHound [VISUALIZATION]
Uses graph theory to reveal hidden relationships and attack paths within an Active Directory environment (e.g., shortest path to Domain Admin).
Tags: AUDIT, MAPPING

VirtualBox [HYPERVISOR]
Hosting the infrastructure. Configured with "NAT Network" to allow internal routing between the DC and Clients while maintaining internet access.
Tags: INFRASTRUCTURE

:: TOOL VERIFICATION CHECK: PASS

Verifying the installation of NetExec on the attack box (Kali Linux). The tool is initialized and ready for SMB protocol database interactions.

NetExec Terminal Output
root@kali:~$ nxc --version
Codename: SmoothOperator
:: OPERATION ROADMAP SYNCING...
[COMPLETE]
Phase I: Infrastructure Deployment
Target Deployment & Connectivity Verification
[QUEUED]
Phase II: Foothold & Enumeration

Objective: Exploit misconfigurations to gain initial domain user access.
> Enumeration | AS-REP Roasting | Password Cracking | Local Admin

[LOCKED]
Phase III: Lateral Movement & Dominance

Objective: Escalate privileges to Domain Admin via protocol abuse.
> Service Hijacking | Mimikatz | LSA Secrets | Persistence
