In this article, you will build your personal Active Directory lab, for free, to practice Active Directory hacking.
If you are a cyber security student or a pentester, you should definitely learn how Active Directory works and how to hack it. In fact, it is used by almost all the customers you will be serving in your career. Therefore, you will add great value to your hacking skills.
Here is the problem: There is abundant Active Directory hacking knowledge on the internet, but very few good labs to develop and practice your skills.
Deploy your Active Directory lab
Some of you would tell me, just build your own Active Directory lab at home! I have tried it, and it’s a PAIN, especially when you are barely starting to learn this topic. Firstly, you need a beefy machine to host at least 3 machines. Then, you’d have to configure each one. Finally, you have to create a vulnerable situation to exploit, which drains all the fun out of it. And let’s not talk about troubleshooting the issues you will surely encounter during the lab development!
How does this Active Directory lab solve those problems?
To address the issues previously stated, here is how this lab is unique:
- You don’t need to buy a high-performing machine: The whole lab will be deployed on the Azure cloud at no cost thanks to the generous 13 months of trial access. If you are a student, you get to sign up without a credit card!
- You don’t need to configure anything: The lab comes with automated scripts that guarantee stable deployment and configuration of all the lab components. Plus, you can destroy the lab in minutes using only one command.
- You don’t need to configure an attack scenario: This Active Directory lab comes with BloodHound, which deploys a random Active Directory configuration full of attack paths that you can discover and exploit. Every time you deploy the lab, you get a totally different configuration. What a practice Eldorado!
Does it sound too good to be true? Well, here is how you can set it up right now!
Step 1: Create an Azure tenant and a resource group
Head over to the Azure portal. If you don’t have an account already, you can create one which gives you 200$ credit in the first month, and free services for the following 12 months. That’s more than a year of practice! And if you are a student, you are even luckier, because you can create an account without a credit card!
Select resource groups from the upper-left corner button, and create one. Let’s name it AD_Tests. I already have mine created.
Step 2: Download the code for the Active Directory lab
For this step, you can either use your machine, or the Azure shell. I recommend the second because you don’t have to install any additional software.
It is literally one command.
git clone https://github.com/thehackerish/ADLab
This is a public repository I made available to you. I borrowed it from chvancooten’s awesome repository. The only difference is that I removed some blocks and added some adjustments. If you’d like to have Elasticsearch in your lab, feel free to clone his repository instead. The remaining steps should be the same.
Step 3: Configure your lab
We are only one step away. Change directory to Terraform, and rename the file terraform.tfvars.example to simply
This is where you specify the name of your lab, the size of the machines, and the whitelisted IP address.
Step 4: Deploy the lab
With literally 2 commands, you can deploy your lab. Under the Terraform directory, run:
terraform init
terraform apply --auto-approve
This is where the magic happens.
Optional step: Get your coffee and understand the code
Let’s quickly understand how the magic happens. The lab leverages two technologies used in DevOps. Terraform deploys the machines, and Ansible configures them. That’s why the code conveniently has a folder for each one.
The Terraform folder contains tf files that define the state of the lab components, such as the network, the virtual machines, and deployment scripts. For instance, you can see we have a load balancer that distributes traffic to the right machine based on the port number. That’s why we have one IP address to connect to the lab, but the SSH port will give access to the hackbox, port 3389 to the Windows 10 box, and port 80 to the web page on the web server.
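Because the lab is vulnerable on purpose, it is worth confirming before you apply that those three ports are only reachable from the whitelisted IP address. The following is an added example, not code from the ADLab repository: it reads the JSON that `terraform show -json` produces for a saved plan, and it assumes inbound access is defined with `azurerm_network_security_rule` resources (the rule names and addresses in the sample are constructed).

```python
import ipaddress

LAB_PORTS = {22, 3389, 80}  # SSH (hackbox), RDP (Windows 10), HTTP (web server)

def _resources(module):
    """Yield every resource in a plan module, including nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _resources(child)

def _lab_ports(spec):
    """Lab ports covered by an NSG port spec such as '22', '80-90' or '*'."""
    lo, _, hi = str(spec).partition("-")
    return {p for p in LAB_PORTS if spec == "*" or int(lo) <= p <= int(hi or lo)}

def _restricted(source, allowed):
    """True only if source is an IP/CIDR that lies inside the whitelisted network."""
    try:
        return ipaddress.ip_network(source, strict=False).subnet_of(allowed)
    except (ValueError, TypeError):
        return False  # '*', service tags, IPv4/IPv6 mismatch: report for review

def exposed_rules(plan, whitelisted_ip):
    """Return (rule name, lab ports, offending sources) for over-broad inbound allows."""
    allowed = ipaddress.ip_network(whitelisted_ip, strict=False)
    findings = []
    for res in _resources(plan["planned_values"]["root_module"]):
        v = res.get("values", {})
        if (res["type"] != "azurerm_network_security_rule"
                or v.get("direction") != "Inbound" or v.get("access") != "Allow"):
            continue
        specs = v.get("destination_port_ranges") or [v.get("destination_port_range")]
        ports = set().union(*(_lab_ports(s) for s in specs if s))
        sources = v.get("source_address_prefixes") or [v.get("source_address_prefix")]
        bad = sorted(s for s in sources if s and not _restricted(s, allowed))
        if ports and bad:
            findings.append((res["name"], sorted(ports), bad))
    return findings

# Constructed sample plan: rule names and addresses are made up for illustration.
def sample_rule(name, port, source):
    return {"type": "azurerm_network_security_rule", "name": name, "values": {
        "direction": "Inbound", "access": "Allow",
        "destination_port_range": port, "source_address_prefix": source}}

SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    sample_rule("ssh-from-home", "22", "203.0.113.7"),
    sample_rule("rdp-from-anywhere", "3389", "*"),
    sample_rule("web-range", "80-443", "0.0.0.0/0")]}}}
```

To run it against the real lab, save a plan with `terraform plan -out plan.out`, export it with `terraform show -json plan.out`, load the JSON, and pass it to `exposed_rules` together with the address you put in the tfvars file.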
The Ansible folder holds YAML files that define the configuration state of the machines. It was divided into roles for better code reuse and clarity. For instance, the domain role is responsible for creating the domain. It uses the Ansible win_domain module to achieve that. The win10 role updates the workstation’s DNS configuration and joins it to the domain, much like we’ve manually done in a previous video. All these roles come together in the cloudlabs.yml file, which runs each role depending on the machine.
And just like that, everything works perfectly together to give birth to the new lab. Again, many thanks to Cas Van Cooten for his awesome work.
Step 5: Start hacking your Active Directory lab
Once the lab is deployed, you will get the connection credentials along with the URL of the lab. From there, you can start your Active Directory hacking journey.
When you want to take a break, simply power off the VMs. And when you’re done with the lab, simply run terraform destroy --auto-approve and everything will be deleted in a matter of minutes.
The next time you deploy the lab, you will get a totally different environment, with different attack paths you can explore and attack. How cool is that!
In the upcoming posts, I will attempt to hack this lab using the techniques I learned in the hands-on training I talked about in the Certified Red Team professional certification review, or as I prefer to call it: Initiation to AD hacking.
Until next time, stay curious, keep learning, and go find some bugs.