This is a post that’s been a long time coming. I originally intended on pushing this out some time last year (or was it the year before? Damn you COVID!). Anyway, we’re here now so “Chewie, stick it in hyperdrive!”

The goal here will be to guide you through how I set up various pentest labs. This one specifically will cater to those looking to build a lab on-prem. This includes using ex-enterprise server hardware, beefy PCs and laptops. How much of this lab will run on your hardware will depend largely on the amount of RAM you’ve got available, the number of cores your CPU has, as well as the type and speed of your storage (please, for the love of all things holy, don’t use a mechanical drive for this lab!).

We begin our journey by laying the foundations…

The Foundations Are Laid

The first thing we’ll do is draw out what we want our lab to look like when it’s all built and working. I like to use draw.io, but other tools are available. Pro Tip: Make your drawing and then take a screenshot of it.

What we’ll be architecting

As you can see, the lab will loosely follow a typical enterprise domain layout. We’ve got two Domain Controllers, a mix of desktops and a bunch of servers designated for different functions.
Full disclosure: this is not in any way a guide on how to build a “best practice” domain. What we’re building here is a penetration testing lab, so we’ll be a bit more maverick with the guidelines.

This is what I call a target-rich environment.

Let’s take our first step towards pentest labby goodness by downloading the ISOs of the Operating Systems we’ll be using. I’m using the following:

  • Windows Server 2019
  • Windows Server 2016
  • Windows 10 (x64)
  • Windows 8.1 (x64)
  • Windows 7 (x64)

Head over to the Evaluation Centre and grab a copy of the necessary Windows Server ISOs. Choose the “ISO” radio button and fill in the information required:

I don’t hate it. I just don’t like it at all and it’s terrible.

Then onto the Desktop OS’s. If you’re on a Windows machine and you want to download the Windows 10 ISO, you’ll find Microsoft insist on you creating Windows 10 installation media. However, I’m using a User-Agent Switcher in Firefox to get around this.

Add the following add-on to Firefox:
https://addons.mozilla.org/en-US/firefox/addon/user-agent-string-switcher/

Head to the Microsoft Software Download page here:
https://www.microsoft.com/en-gb/software-download/windows10

Notice the Media creation prompt:

To get around this, open the User Agent Switcher, and choose the following:

Set the User Agent to Safari on macOS. Pick any one from the list.

Click “Apply (container on window)” and then press the “Refresh Tab” button…

And now we get the option to select our edition for download!

Grab the latest version. At the time of writing, we’re playing with the Windows 10 May 2021 Update. Get both the 64-bit and 32-bit versions while you’re here.

With our OSs downloaded, we’re ready to continue laying the foundations. Our next step is to create the Windows folder structure below on whichever drive you’re storing your lab on.

Create this folder structure in Windows.

A quick word on hardware. I’m using an Intel i7-10700K with 64GB DDR4 RAM and a 1TB NVMe M.2.

Fire Up the HyperVisor!

Let’s get into the next part of the lab build by firing up the hypervisor. I’m using VMware Workstation Pro, but the guide should translate to other hypervisors easily enough.

Here’s the folder structure we want to create. Golden Images should have two subfolders inside it: Server and Client.
Then we want a folder for the Domain itself. Name this whatever you want. Within that Domain folder, create the following: Domain Controllers, Clients and Servers.

What we’ll end up with

We now want to create a virtual adapter which all our VMs will use, giving us an isolated environment. Head up to the Edit tab and choose “Virtual Network Editor”. You’ll need to press the “Change Settings” button to enable the administrative permissions required to make the changes we’re about to make.

Click the Change Settings button, bottom right.
Choose a VMnet network from the drop down list and press OK.
Rename the Virtual Network to match your domain name if you wish.
Set the Subnet IP, Subnet Mask and press OK. I’m using 10.10.10.0 here.

With our Virtual Adapter configured, we can start building our Golden Images. I’ll show you how I have the VMs set up, but this bit will depend on how much juice your lab hardware has.

Eagle-eyed readers might have noticed the folder structure I show here doesn’t match the Windows folder structure I showed earlier. This is fine, as within VMware we are free to create folders however we want. They are independent of Windows.

What we’ll end up with

I will be using the following IP addresses for my lab VMs. I suggest you make a note of what addresses you’ve assigned to each VM to make life easier later on:

  • DC01 (10.10.10.5)
  • DC02 (10.10.10.6)
  • WEB01 (10.10.10.51)
  • APP01 (10.10.10.52)
  • FILE01 (10.10.10.53)
  • MAIL01 (10.10.10.54)
  • DESKTOP01 (10.10.10.70)
  • DESKTOP02 (10.10.10.71)
  • DESKTOP03 (10.10.10.72)

Buildeth Thy VMs

Choose Custom
Leave all the inputs blank for now. Just change the Full name and choose the Standard Desktop Experience version of Windows.
Set the Location to the Golden Images folder we created on Windows and go one folder down into Server 2019.
I set 4 cores, but this will vary depending on your hardware.
Again, the limitation here will be your hardware.

Set NAT for now, but we’ll change this later.
Store as a single file.
Again, set the folder to the same Server 2019 folder inside the Golden Images directory.
Click Finish to complete the VM build process

This gives us a freshly built Windows Server 2019 image. Repeat this process for the other VMs on the list. Remember to store the VM in the correct Windows directory within the Golden Images folder.

Once we’ve got the Golden Images built, the next step is to change the network adapter to the one we created earlier. This is a simple task. Click on “Edit Virtual Machine Settings” and change the Network Adapter, like this:

Choose the virtual adapter we created earlier on.

Installing the OS

With all our Golden Image VMs created, we now need to go through the process of installing the OS. Power on the VMs and go through the installation process. You might need to do a few VMs at a time depending on how much RAM you have available.

Once the OS is installed, we need to sysprep the machines. A quick overview of what sysprep (System Preparation) does: it removes PC specific information and “generalises” the OS installation. The process of sysprepping a machine is pretty quick. Follow this process:

Bring up a Run prompt and type “sysprep”.
Double click on “sysprep” to launch.
Configure as above.

Once the VMs have all been sysprepped, we’re ready for the next part of the lab build. A word to the wise, DO NOT power on the Golden Image versions of the VMs. Leave them in a shutdown state.
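If you would rather script the sysprep step than click through the dialog, here is an added example (mine, not from the original post) that runs the same generalise-and-shutdown pass from an elevated PowerShell prompt after a couple of pre-flight checks. It assumes the dialog settings in the screenshot were “Enter System Out-of-Box Experience (OOBE)”, “Generalize” and “Shutdown”, which is what the matching command-line switches do.

```powershell
# Added example (not from the original post): pre-flight checks plus an unattended sysprep run.
# Assumed dialog settings: OOBE + Generalize + Shutdown, expressed as /oobe /generalize /shutdown.
$sysprep = Join-Path $env:SystemRoot 'System32\Sysprep\sysprep.exe'
if (-not (Test-Path $sysprep)) {
    throw "sysprep.exe not found at $sysprep"
}

# Every generalize pass consumes one activation rearm, and evaluation media only have a few.
# Check before running so you do not burn the last one on a Golden Image you will clone later.
$rearms = (Get-CimInstance -ClassName SoftwareLicensingService).RemainingWindowsReArmCount
Write-Host "Remaining Windows rearm count: $rearms"
if ($rearms -lt 1) {
    throw 'No rearms left; rebuild this image from the ISO rather than sysprepping it again.'
}

# GeneralizationState 7 means the image is in a state sysprep will accept; anything else usually
# points at a previous sysprep run that failed part-way through.
$status = Get-ItemProperty -Path 'HKLM:\SYSTEM\Setup\Status\SysprepStatus'
if ($status.GeneralizationState -ne 7) {
    throw "Unexpected GeneralizationState $($status.GeneralizationState); check C:\Windows\System32\Sysprep\Panther\setuperr.log"
}

# Generalise the image and power the VM off so it can be cloned in a shutdown state.
& $sysprep /generalize /oobe /shutdown
```

The VM powers off at the end, which is exactly the state the next section wants the Golden Images left in.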

Clone Wars

Let’s recap what we’ve achieved so far:

  • Downloaded copies of all the OS’s we’ll need for the domain
  • Created a folder structure in Windows
  • Created a folder structure in our hypervisor
  • Built Golden Image VMs
  • Installed the operating system on each VM
  • Sysprepped each VM and left it in a shutdown state

Next, we want to create linked clones of each Golden Image to satisfy the architecture design we saw earlier:

I’m going to use Server 2019 for the DCs, WEB01 and APP01. Server 2016 will be used for the MAIL01 and FILE01 servers.
The clients will be as they are labelled.

Before we start cloning VMs, let’s create a folder structure in Windows that looks like this:

To begin cloning the server, left-click on the Server 2019 VM first. Once the VM window opens, right-click the VM name in the Library panel and choose Manage > Clone.

Press Next at the initial window, and then choose “The current state of the virtual machine”.

Press Next, and choose “Create a linked clone”

Name the VM “DC01” and place it in the DC01 folder we just created.

Press Finish and then Close to complete the cloning process.
Repeat this for each of the other VMs in the list.
Once you have created all the required linked clones, organise them into a suitable folder structure within Workstation Pro (or whichever hypervisor you’re using)

Building the Domain

We will begin building out our pentest lab by building the first Domain Controller (DC01). Fire up the DC01 virtual machine and let’s begin!

At the initial launch, you’ll see a window prompting you to confirm your regional and language settings:

Set your language/regional preferences here and click Next.

Accept the Licence Terms on the next page by clicking the Accept button.

And now set a password for the default Administrator account. This is a lab environment so I won’t bother with a typically strong password, but the usual advice about using strong passwords in real-world deployments is still valid here. Click Finish to complete the first-time setup tasks.

Log in as the Administrator account and let’s get to work building the domain.

We begin by carrying out a few rudimentary admin tasks. Click the “Configure this local server” link in the Server Manager window that opens automatically after login:

Configure this local server.

Click the link next to the Computer name (WIN-D3M28326GIR shown here, yours will be called something different, but will be in the same place). At the System Properties window that pops up, click the Change button and set the Computer name to DC01.

Rename the computer as DC01.

Click OK, and OK again to acknowledge the prompt about restarting the server. Click Close and choose “Restart Later” at the popup.

Bring up a Run prompt and type “ncpa.cpl” to bring up the Network Connections window.

Network Connections.

Right click the Ethernet0 adapter and choose Properties

Change the properties of Ethernet0.

Highlight the IPv4 line and click Properties:

Select IPv4.

Set an IP address that fits the range we defined earlier. As we’ll be using the DCs as DNS servers too (not best practice, but we’re not building a best practice lab so f**k it right?), I’m setting DC01 to be its own DNS server, and then jumping ahead a little by setting the IP address for DC02 as the second DNS server. I have already decided which IP addresses I’ll be using for the Domain Controllers. Click OK to apply the settings and then choose Close and exit the Network Connections window.

Set the IP address for DC01 as well as the DNS settings.

But, wait! There’s more…

What if I told you we could use PowerShell instead?

We could also have used PowerShell to achieve the same thing.

Open a PowerShell window. Let’s find all our IPv4 adapters and see what we’re working with, using this one-liner:

Get-NetIPAddress | Where-Object {$_.AddressFamily -eq 'IPv4'}

List all our IPv4 adapters.

We can see from the output that we have two IPv4 adapters. One is the loopback adapter, so we can ignore that for now. The other one is pulling an IP address (10.10.10.14) from the range we set earlier during the creation of the Virtual Network Adapter. This is the one we will target with our next bit of PowerShell wizardry.

PowerShell Wizardry…

Use these PowerShell one-liners next to target our Ethernet0 adapter and set the following:

  • IP: 10.10.10.5
  • Subnet mask: 255.255.255.0
  • Gateway: 10.10.10.1
  • DNS 1: 127.0.0.1
  • DNS 2: 10.10.10.6

New-NetIPAddress -InterfaceAlias "Ethernet0" -IPAddress "10.10.10.5" -PrefixLength 24 -DefaultGateway "10.10.10.1"

Set the IP address.

Set-DnsClientServerAddress -InterfaceAlias "Ethernet0" -ServerAddresses 127.0.0.1, 10.10.10.6

Set the DNS server IP addresses.

Reboot the server so that some of the changes, like the rename, can take effect. Use this Run command: “shutdown -r -t 0” (the -r switch restarts; -s would only shut the VM down and you’d have to power it back on by hand).

Reboot like a Pro.
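Pulling the one-liners above together, here is an added example (my own script, not code from the post) that configures DC01’s address, DNS servers and hostname in one pass and verifies the result before rebooting. It adds two things the individual commands skip: it disables DHCP on the interface and removes the DHCP-assigned address and default route first, because New-NetIPAddress fails with an “object already exists” error if a lease is still bound to Ethernet0. The values are the ones used in the post; the interface alias Ethernet0 is assumed to match what ncpa.cpl showed.

```powershell
# Added example (not from the original post): static addressing for DC01, done idempotently.
# Values match the post; "Ethernet0" is the alias shown in ncpa.cpl on the VM.
$InterfaceAlias = 'Ethernet0'
$IPAddress      = '10.10.10.5'
$PrefixLength   = 24
$Gateway        = '10.10.10.1'
$DnsServers     = @('127.0.0.1', '10.10.10.6')   # itself first, DC02 second
$NewName        = 'DC01'

$adapter = Get-NetAdapter -Name $InterfaceAlias -ErrorAction Stop
if ($adapter.Status -ne 'Up') {
    throw "Adapter '$InterfaceAlias' is not up (status: $($adapter.Status)); check the VM's network setting."
}

# Turn DHCP off on the interface so the static address survives a reboot.
Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Disabled

# Drop the DHCP-assigned address (10.10.10.14 in the post) and any existing default route,
# otherwise New-NetIPAddress refuses to add a second address/gateway on the same interface.
Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $InterfaceAlias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $IPAddress `
    -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DnsServers

# Read the configuration back rather than trusting that the cmdlets did what we asked.
$actualIp  = (Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).IPAddress
$actualDns = (Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).ServerAddresses
if ($actualIp -ne $IPAddress) {
    throw "IP address is $actualIp, expected $IPAddress"
}
if (Compare-Object -ReferenceObject $DnsServers -DifferenceObject $actualDns) {
    throw "DNS servers are $($actualDns -join ', '), expected $($DnsServers -join ', ')"
}
Write-Host "Network configured: $actualIp/$PrefixLength via $Gateway, DNS $($actualDns -join ', ')"

# Rename takes effect on the next boot, so restart straight away.
Rename-Computer -NewName $NewName -Force
Restart-Computer -Force
```

Run it from an elevated PowerShell prompt on the VM. Because it clears the old address first, it is safe to re-run if you change your mind about the addressing plan later.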

Once DC01 has rebooted, we’re onto the next crucial step in creating our pentest lab; creating the domain!

Build a Domain They Said. It’ll be Fun They Said!

What we want to do is add the Active Directory Domain Services role/features to DC01. I have prepared a GitHub repo which contains a “Build-Domain” PowerShell script. This can be found here:

https://github.com/Knightsbr1dge/PenTestLab

Now, we have a slight issue. With our current Virtual Network Adapter being set to Host-only, we won’t have an internet connection from our DC01 VM (or any of our VMs, in fact). Whilst in a real-world scenario you would never want your DCs to have an internet connection, we’re going to add an internet connection so we can download that awesome GitHub repo!

Right-click the name of the virtual machine in the Library panel and choose Settings. From here, we want to click the “Add” button and add another Network Adapter. Click Finish.
With our second network adapter showing in the device list, click on it and change the “Network connection” to Bridged. Click OK and let the VM configure itself.

Adding an internet connection to the VM

Open the web browser from your DC01 VM and head to GitHub to download the Repo as a .zip. I would download Firefox first and use that because Internet Explorer is worthless and should have been killed with fire a long time ago.

Download the repo as a ZIP.

Once the repo has downloaded, disable the second network adapter in the Network Connections control panel (run ncpa.cpl again to get there).

Let’s have a look at the code for the first file we’ll be using: Build-Domain.ps1 (get into the habit of reading any code you’ll be executing, especially if it’s not something you wrote yourself, no matter what the author tells you it does!). A high-level overview of what this script is doing:

  • Set out our parameters at the start of the script
  • Declare a variable called DomainName and prompt the user for input
  • Run some basic checks using if and elseif statements
  • Declare a variable called NetBIOS and prompt the user for input
  • Set the password in a variable called Password
  • Install the AD Domain Services feature
  • Set up the local Administrator account
  • Configure the domain options and install the AD Forest
  • Ask the user if they want to reboot the server

The Build Domain script
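
To make the overview concrete, here is an added example of my own that follows the same sequence of steps; it is not the Build-Domain.ps1 from the repo, and the repo’s script may differ in detail. The domain name, NetBIOS name and the lab password Passw0rd1! are the values the post uses; the validation regexes and the use of Set-LocalUser for the local Administrator step are my choices.

```powershell
# Added example (not the repo's Build-Domain.ps1): create the training.lab forest root on DC01.
[CmdletBinding()]
param(
    [string]$DomainName  = 'training.lab',
    [string]$NetBiosName = 'TRAINING',
    [string]$Password    = 'Passw0rd1!'   # lab-only value from the post; never reuse it outside the lab
)

# Basic checks before touching the server: a usable FQDN and a legal NetBIOS name (<= 15 chars).
if ($DomainName -notmatch '^[a-z0-9-]+(\.[a-z0-9-]+)+$') {
    throw "'$DomainName' is not a valid fully qualified domain name (use something like training.lab)."
}
elseif ($NetBiosName.Length -gt 15 -or $NetBiosName -notmatch '^[A-Z0-9-]+$') {
    throw "'$NetBiosName' is not a valid NetBIOS name (1-15 characters, A-Z, 0-9 or '-')."
}
elseif ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    throw 'This server is already a domain member; run this on a fresh workgroup server.'
}

$securePwd = ConvertTo-SecureString -String $Password -AsPlainText -Force

# Install the AD DS role (and the RSAT tools so Get-AD* cmdlets work afterwards).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null

# The built-in Administrator must have a password and be enabled before promotion,
# because it becomes the domain Administrator account of the new forest.
Set-LocalUser -Name 'Administrator' -Password $securePwd -PasswordNeverExpires $true
Enable-LocalUser -Name 'Administrator'

# Promote: new forest, DNS installed on the DC, DSRM password set to the same lab value.
Import-Module ADDSDeployment
Install-ADDSForest -DomainName $DomainName `
    -DomainNetbiosName $NetBiosName `
    -SafeModeAdministratorPassword $securePwd `
    -InstallDns:$true `
    -NoRebootOnCompletion:$true `
    -Force:$true

# Leave the reboot decision to the operator, as the post's script does.
if ((Read-Host -Prompt 'Promotion finished. Reboot now? (y/n)') -eq 'y') {
    Restart-Computer -Force
}
```

Whether you run this or the repo’s script, the outcome is the same: after the reboot DC01 is the first domain controller of a new forest and you log in with the domain Administrator account.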

Now that we know what we’re executing, let’s go ahead and run the PowerShell script:

For the purposes of getting a screenshot of the terminal, I chose not to reboot. However, when you run this script I would just reboot at the prompt.

With the Forest root now created, let’s log in using the Administrator account and the password set in the script (Passw0rd1! unless you tweaked it yourself).

You can use the “\Domain-Name\” option to specify the domain we want to log into.

Once logged in, Server Manager confirms that we are now domain joined:

We are on the training.lab domain now.

And that completes the crucial step of creating our Forest Root. We can now start building out the rest of the domain.

Expansion, expansion, expansion

Taking a quick look back at our VMware folder structure, we now need to get to work configuring and joining the rest of the servers to the domain we just created:

The list of VMs we’re building.

DC02

Start the DC02 VM and log in as the Administrator account you configured when we created the linked clone earlier.

Carry out the following tasks. Refer to earlier in the guide if you get stuck. These are all things we have already done on DC01:

  • Set a static IP address (I used 10.10.10.5 for DC01 and 10.10.10.6 for DC02. Just make sure the IP address is in the range we specified when we created the Virtual Network Adapter at the start!)
  • Rename the server to “DC02”
  • Don’t reboot yet

We then want to join the server to the domain. We can do this by first going to Server Manager, and clicking the link that says “WORKGROUP”:

Bring up the System Properties window.

From here we want to click the Change button to allow us to change the “Member of” details:

Going from Workgroup to Domain. Exciting!

Click the radio button next to the Domain label and enter the name of your domain (training.lab in this example).
When done, click OK, and enter the login details of the Administrator account used to create the domain earlier.
Then, click OK to acknowledge the pending restart, and reboot the server.

When the server comes back up, we’ll be DC02 on the training.lab domain; however, we won’t actually be a domain controller yet.

Our next step is to turn DC02 from just another Windows Server 2019 box into a Domain Controller. From the GitHub repo you downloaded earlier, run the “Additional DCs.ps1” script:

Adding a second Domain Controller.

Reboot the server once the script finishes running. We should now be able to log in as “\training\Administrator” using the password set in the script.

We now have a domain with two Domain Controllers and are ready to join the rest of the servers to the domain too!
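For readers who want to see what promoting an additional DC involves, here is an added example of my own; it is not the repo’s “Additional DCs.ps1” and makes no claim about what that script contains. The first function promotes a domain-joined member server into training.lab; the second is meant to be run after the reboot to confirm that both DCs are advertised and replicating. Domain name and the DSRM lab password are the post’s values; everything else is assumption.

```powershell
# Added example (not the repo's "Additional DCs.ps1"): promote DC02 and then check replication.
function Add-LabDomainController {
    param(
        [string]$DomainName   = 'training.lab',
        [string]$DsrmPassword = 'Passw0rd1!'   # Directory Services Restore Mode password, lab-only value
    )

    # DC02 must already be a member of the domain (the WORKGROUP -> Domain step above).
    if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        throw 'Join the server to the domain first; promotion needs an existing membership.'
    }

    # Check that DNS actually advertises a DC for this domain before we spend ten minutes failing.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }
    Write-Host "Existing DC(s) advertised in DNS: $($srv.NameTarget -join ', ')"

    $securePwd = ConvertTo-SecureString -String $DsrmPassword -AsPlainText -Force
    $cred = Get-Credential -Message "Domain admin for $DomainName" -UserName "$DomainName\Administrator"

    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
    Import-Module ADDSDeployment
    Install-ADDSDomainController -DomainName $DomainName `
        -Credential $cred `
        -SafeModeAdministratorPassword $securePwd `
        -InstallDns:$true `
        -NoRebootOnCompletion:$true `
        -Force:$true

    Restart-Computer -Force
}

function Test-LabReplication {
    # Run this after the reboot, logged in as training\Administrator.
    Import-Module ActiveDirectory
    # Both DC01 and DC02 should be listed, each holding a copy of the domain DNS zone.
    Get-ADDomainController -Filter * |
        Select-Object Name, IPv4Address, IsGlobalCatalog, OperationMasterRoles |
        Format-Table -AutoSize
    # repadmin summarises inbound/outbound replication; any non-zero "fails" column needs attention.
    repadmin /replsummary
}
```

Call Add-LabDomainController on DC02, wait for the reboot, then run Test-LabReplication on either DC. If DC02 is missing from the list or repadmin reports failures, the usual culprit in this lab is DC02 pointing at something other than DC01 for DNS.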

For WEB01, FILE01, MAIL01 and APP01, the process is somewhat simpler as those servers won’t be Domain Controllers.

Here’s a list of what you need to get done:

  • Set a static IP address in the 10.10.10.X range (or whatever range you decided to use)
  • Rename the server to the appropriate name (WEB01, FILE01, etc…)
  • Join the domain (using the same steps we went through earlier with the WORKGROUP link on the Server Manager page)
  • Reboot
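
The four steps above are the same on every member server, so here is an added example (mine, not from the post) that does them in one pass for WEB01: static address, DNS pointed at both DCs, a couple of pre-checks that the domain is actually reachable, then rename and join in a single Add-Computer call that reboots when it is done. Change the two values at the top for FILE01, MAIL01 and APP01. The IP addresses and names are the post’s; the interface alias Ethernet0 and the gateway are assumptions carried over from the DC01 section.

```powershell
# Added example (not from the original post): prepare a member server and join it to training.lab.
param(
    [string]$NewName    = 'WEB01',
    [string]$IPAddress  = '10.10.10.51',
    [string]$Domain     = 'training.lab',
    [string[]]$DnsServers = @('10.10.10.5', '10.10.10.6')   # DC01 then DC02
)
$InterfaceAlias = 'Ethernet0'   # assumed; check with Get-NetAdapter if the join fails to resolve DNS

# Static address on the lab network. DNS must point at the DCs, or the domain name will not resolve
# and the join will fail with "the specified domain either does not exist or could not be contacted".
Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $IPAddress -PrefixLength 24 -DefaultGateway '10.10.10.1' | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DnsServers

# Pre-checks: a DC must be advertised in DNS and answering on LDAP before we attempt the join.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) {
    throw "No domain controller SRV record for $Domain; check the DNS server addresses."
}
$dc = $srv[0].NameTarget
if (-not (Test-NetConnection -ComputerName $dc -Port 389 -InformationLevel Quiet)) {
    throw "$dc does not answer on TCP/389; is the DC powered on and on the lab network?"
}

# Rename and join in one operation; -Restart reboots so both take effect together.
$cred = Get-Credential -Message "Domain admin for $Domain" -UserName "$Domain\Administrator"
Add-Computer -DomainName $Domain -NewName $NewName -Credential $cred -Force -Restart
```

After the reboot, `(Get-CimInstance Win32_ComputerSystem).Domain` on the server should return training.lab and the machine account should show up under Computers in Active Directory Users and Computers on DC01.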

Once you have done that on all the remaining servers, and they have been domain-joined, we can press on with the rest of the lab build.

FILE01

FILE01 will act as our file server (no sh1t) and so we will begin by installing the File Server roles/features. We will use a PowerShell one-liner to accomplish this, from an administrative PowerShell terminal:

Install-WindowsFeature -Name FS-FileServer,FS-Resource-Manager,FS-DFS-Namespace,FS-DFS-Replication,FS-NFS-Service

Install the File Server services.

With our roles and features now installed, we can move on to creating some shares. Let’s add a second drive to FILE01 to house the shares we’re about to create. Go to the Settings of the VM and press Add. Select “Hard Disk” from the list and press Next.
Next click through the options until you arrive at the “Specify Disk Capacity” window and choose “Store virtual disk as a single file”.
Click Next and choose “Browse”. Navigate to the folder containing the FILE01 VM and save the disk file as FILE01-Storage.vmdk.
Click Finish and then OK.

Open Server Manager if it isn’t already running and head to “File and Storage Services”

File and Storage Services

Now click on “Disks”. Note our second disk is now showing up in the list but has a status of “Offline”. Let’s fix that now.

Disk is offline

Right-click on Disk 1 (the one that says Offline next to it). Choose “Bring Online” and acknowledge the warning by pressing Yes at the prompt.

Disk 1 is now Online

We can see the disk is now Online. Let’s create a new volume so we can then use it. Right click on Disk 1 and choose “New Volume”.

New Volume Wizard

Choose Next, Next, OK, Next. Now choose a drive letter, press Next. Leave the defaults but change the Volume Label to SHARES. Press Next and then press Create to complete the process. Press Close when you reach the Completion screen below:

The finished process.

Now click on the Shares tab on the left:

Let’s make some shares!

Click the link that says “To create a file share…” to bring up the New Share Wizard. Choose “SMB Share – Quick” and press Next:

New Share Wizard

Change the volume to D: and press Next:

Be sure to change the Volume

Name the share “Software” and press Next, Next, Next and then Create. Press Close to exit the wizard.

A share called software…

I went ahead and created a couple of different shares using the same process:

  • Sales
  • Execs
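
The disk and share wizards above map onto a handful of cmdlets, so here is an added example (my own, not from the post) that brings the new FILE01 disk online, formats it as SHARES on D: and creates the three shares. One deliberate difference from the “SMB Share – Quick” wizard: the wizard grants Everyone Full Control at the share level, whereas this version scopes each share to a group. The groups named here are my assumption, since the post does not say who should see what; swap them for whatever fits your lab story.

```powershell
# Added example (not from the original post): provision the FILE01 data disk and the three shares.
$DriveLetter = 'D'
$Label       = 'SHARES'
# Group assignments are assumptions for the example; the post's wizard defaults would grant Everyone.
$Shares = @(
    @{ Name = 'Software'; Path = "${DriveLetter}:\Software"; Access = 'TRAINING\Domain Users'  },
    @{ Name = 'Sales';    Path = "${DriveLetter}:\Sales";    Access = 'TRAINING\Domain Users'  },
    @{ Name = 'Execs';    Path = "${DriveLetter}:\Execs";    Access = 'TRAINING\Domain Admins' }
)

# The freshly attached VMDK shows up offline with a RAW partition style; pick that one, never disk 0.
$disk = Get-Disk | Where-Object { $_.Number -ne 0 -and $_.PartitionStyle -eq 'RAW' } | Select-Object -First 1
if (-not $disk) {
    throw 'No uninitialised disk found; was the second virtual disk added to the VM?'
}
if ($disk.IsOffline)  { Set-Disk -Number $disk.Number -IsOffline $false }
if ($disk.IsReadOnly) { Set-Disk -Number $disk.Number -IsReadOnly $false }

# Initialise, partition and format in one pipeline (equivalent to the New Volume Wizard).
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter $DriveLetter |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false | Out-Null

foreach ($s in $Shares) {
    New-Item -ItemType Directory -Path $s.Path -Force | Out-Null
    if (-not (Get-SmbShare -Name $s.Name -ErrorAction SilentlyContinue)) {
        # Share-level permission limited to one group; NTFS permissions on the folder still apply.
        New-SmbShare -Name $s.Name -Path $s.Path -ChangeAccess $s.Access | Out-Null
    }
}

# Verify: each share with its share-level ACL, so you can see exactly what a domain user can reach.
$names = $Shares | ForEach-Object { $_.Name }
Get-SmbShare | Where-Object { $_.Name -in $names } | Get-SmbShareAccess | Format-Table -AutoSize
```

The script is safe to re-run: it skips shares that already exist, and the disk selection only matches a disk that has never been initialised.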

That’s all we’ll be doing with FILE01 for now. Time to take a look at the APP01 server!

APP01

The APP server will be where we download our applications and where some of our more nefarious applications will run. The following needs to be done on APP01, which I will leave to you to get done. We’ve covered all these points in this guide so far, so there’s nothing new here that should throw you:

  • Set a static IP address in the lab range
  • Rename the server to APP01
  • Join the domain
  • Reboot
  • Add a second network adapter with a “Bridged” network connection

With all of the above completed, APP01 should be on the domain, with two network adapters (one providing us with an internet connection).

Our next task is to access the Software share we set up on FILE01 earlier. This can be done by clicking on “Map network drive”:

Click here…

From here we want to choose a drive letter (any letter that’s available is fair game) and then type “\\FILE01\” and press Browse.
This should bring up the “Browse For Folder” window which will show us a list of shares discovered on FILE01. Choose Software and press OK and then Finish. Make sure “Reconnect at sign-in” is checked:

Choose Software for now

We now have access to the share and will leave APP01 here for now.

WEB01

WEB01 will be running Microsoft IIS and Apache (via XAMPP) amongst other web applications which we will come to shortly.
First up, let’s get WEB01 configured just like we did for FILE01. Get these tasks done before we carry on with setting up IIS:

  • Set a static IP address in the lab range
  • Rename the server to WEB01
  • Join WEB01 to the domain
  • Reboot the server
  • Map a network drive to the Software share on FILE01

We can install IIS using PowerShell:

Install-WindowsFeature -Name Web-Server,Web-Mgmt-Tools

Install IIS

We will leave WEB01 here for now and move on to getting MAIL01 configured as the last server in our domain.

MAIL01

You know the drill. Get this done:

  • Set a static IP address (in the lab range)
  • Rename the server to MAIL01
  • Join MAIL01 to the domain
  • Reboot the server

We will be installing SMTP and Telnet on MAIL01, using the following PowerShell command:

Install-WindowsFeature -Name SMTP-Server,Telnet-Client

SMTP and Telnet

This brings us to the end of the Windows Server aspect of the domain build. I will revisit these servers in future posts where I’ll show you how to introduce specific vulnerabilities and lab out the exploits for them (SMB Ghost, Eternal Blue, ShellShock, to name a few!). For now, we move on to setting up the desktops.
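Before moving on to the desktops, it is worth recording what the six servers currently expose, so that when vulnerabilities are introduced later you can tell exactly what each one changed. Here is an added example (mine, not from the post) that inventories installed roles and listening TCP ports across the lab from a domain-admin session on DC01. It assumes WinRM is available on the member servers, which is the default on domain-joined Server 2016 and 2019; the output path is an assumption too.

```powershell
# Added example (not from the original post): baseline inventory of the lab servers.
# Assumes a domain-admin PowerShell session on DC01 and default WinRM on the targets.
$Servers = 'DC01', 'DC02', 'WEB01', 'APP01', 'FILE01', 'MAIL01'

$inventory = Invoke-Command -ComputerName $Servers -ErrorAction Continue -ScriptBlock {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Installed roles only (not every sub-feature) keeps the table readable.
    $roles = Get-WindowsFeature | Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' }
    # Ports bound to real interfaces; loopback-only listeners are not reachable from the lab network.
    $ports = Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') } |
        Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        OS        = $os.Caption
        Build     = $os.BuildNumber
        LastBoot  = $os.LastBootUpTime
        Roles     = ($roles.Name -join ',')
        Listening = ($ports -join ',')
    }
}

$inventory | Sort-Object Host | Format-Table Host, OS, Roles, Listening -AutoSize

# Keep a dated copy next to your IP list; diff it against a later run to see what each change opened up.
$outFile = Join-Path $env:USERPROFILE ("Desktop\lab-inventory-{0}.csv" -f (Get-Date -Format 'yyyyMMdd'))
$inventory | Select-Object Host, OS, Build, LastBoot, Roles, Listening |
    Export-Csv -Path $outFile -NoTypeInformation
Write-Host "Inventory written to $outFile"
```

A server missing from the table means Invoke-Command could not reach it, which in this lab almost always comes down to the VM being off or sitting on the wrong virtual network rather than a WinRM problem.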

Client-Side Stuff – Windows 10

The approach for the desktops is fairly simple:

  • Rename following the DESKTOPXX schema (XX being 01, 02, 03, etc…)
  • Set a static IP address (in the lab range)
  • Join the domain

The process for joining a desktop to the domain is slightly different in Windows 10 compared to previous versions, so let’s run through that now:

From the Windows 10 desktop, head over to the start menu and go to Settings. Choose “Accounts” and then click “Access work or school”.

Accounts, from the Settings panel.
Access work or school

Press “Connect” and click the link that says “Join this device to a local Active Directory domain”.

Click the link, bottom left.

Enter the domain name and press Next.

Enter the domain name

At the prompt, enter the Administrator account username and password for the domain Admin user.

Enter the domain Administrator account details here.

Leave the defaults at the Add an Account screen and press Skip.
Reboot the desktop.

The process for older versions of Windows is the same as it is on the Servers.

End Scene

That brings us to the end of this lab build guide. There are several further tasks to carry out from here, for which I will be writing up more guides. The next one will likely be about hydrating our domain with users and groups.

From there, we will walk through where to find vulnerable apps, how to set them up in our lab and what to do once we have them up and running.

In the meantime, think about what you want to gain from this lab and the questions you’re trying to answer.

Until next time!