Building a Vulnerable Active Directory Lab for Penetration Testing: A Practical Walkthrough
Learn how to build a vulnerable Active Directory lab for penetration testing and ethical hacking practice. This step-by-step guide helps you simulate real-world AD attacks, strengthen your red-team skills, and master Windows domain exploitation in a safe environment.
Why You Should Learn Active Directory
Active Directory is the backbone of identity and access control in most enterprise environments. For penetration testers, defenders, and sysadmins, understanding AD, including its authentication flows, delegated rights, and common misconfigurations, is essential, and the best way to learn AD is to build it yourself. When I first started learning AD back in 2022, it was a nightmare for me, but now AD is my favourite.
Before We Start
Writing this article took me four days, and I’ve done my best to make it both easy to follow and informative. My next blog will focus on attacking this lab, and I’ll also provide a downloadable version of the environment. Make sure to follow so you don’t miss new content. If you run into any issues or have questions, feel free to reach out.
If you are new to Active Directory, I recommend reading my previous blog.
A practical walkthrough of Active Directory’s core components, authentication system, and administrative functions.
Overview
In this guide, I’ll walk you through building an isolated, vulnerable Active Directory lab that shows how attacks are crafted, how to mitigate them, and what to do when you find these issues in the wild. By the end of this, you’ll have a deep understanding of AD, and you’ll start to love it like I do.
Vulnerable Active Directory Lab Flowchart
The flowchart below shows the user, the attacks, the machines, and the flow from initial access through to gaining admin rights on the Domain Controller.
Note: The user Harry can abuse the ESC1 vulnerability to gain administrator rights on the Domain Controller (DC). However, for the sake of learning, we’ll focus on abusing GenericAll rights and then dumping hashes to perform a Pass-the-Hash attack to gain access to the DC.
Prerequisites
I will be using VirtualBox for the labs. There will be two Windows machines and a Kali instance.
- Domain Controller (Windows Server 2019)
- One Windows 10 Enterprise (User Machine)
- Kali Linux (Our Attacking Machine)
- 60GB — 80GB Storage & 16GB — 34GB RAM
Setting Up Windows Server 2019
You can download VirtualBox and start installing Windows Server 2019 by attaching the ISO to a new VM and following the installer prompts. I’ll skip a step-by-step walkthrough of the Windows installation itself. We’ll be using 4GB RAM, 2 CPUs for the domain controller.
When prompted to select Operating System, select Windows Server 2019 Standard Evaluation (Desktop Experience).
When prompted for the Administrator password, use Admin#90.
Configuring NAT Network
After the installation is done, we will create a NAT Network for our lab. I named my NAT Network “Nebula Network” with the 10.10.10.0/24 IPv4 prefix. Check the Enable DHCP option.
Once the configuration is done, click Apply, and our NAT Network will be ready to use. Open the settings of our Domain Controller VM and switch to the Network tab, and select NAT Network. Click Ok, and the changes will be saved.
Assigning a Static IPv4 Address
Once our server is powered on, log in, open the IPv4 settings from the Control Panel, and assign the following IPv4 settings for DC01. Click OK, and our settings will be saved.
Renaming Our DC
I renamed my domain controller to Nebula-DC; it’ll help us identify it more easily. We’ll need to restart the server after renaming it.
Configuring Domain Controller
We will use Server Manager for configuring and managing Active Directory. Server Manager is the built-in Windows Server console that gives us a quick dashboard of server roles, features, and basic health. We can use it to add roles (for example, install Active Directory Domain Services), promote a server to a domain controller, view installed features, and manage multiple servers from one pane. It’s ideal when we’re learning because the Add Roles and Features wizard walks us through the steps, and the Dashboard shows us what’s installed.
Enabling Active Directory Domain Services
AD Domain Services is a Microsoft service that provides a centralized, hierarchical directory for managing network resources like users, computers, and groups. It authenticates users and controls access to resources using security protocols, making it a core component of identity and access management for Windows networks. Key features include a structured data store, a replication system for redundancy, and tools like Group Policy Objects for central administration.
Click Manage from the menu on the top-right and select “Add Roles and Features”.
- Click Next on “Before you begin”.
- Click Next on “Installation Type” with the default options.
- Click Next on “Server Selection” with the default options.
- From there, select “Active Directory Domain Services”.
- Click on “Add Features” and then click Next.
- Click Next on “Features” with the default options.
- Click Next on “Active Directory Domain Services”.
- Now click Install, and it’ll be installed in a few minutes.
Promoting Our Server to a Domain Controller
Once the installation is done, hit close, and we’ll notice a flag before the Manage option on the top-right. Click on Promote this server to a domain controller.
The following Deployment Configuration page will pop up. Select Add a new forest and type the domain. We’ll be using NEBULA.local domain for this lab. Click Next.
On “Domain Controller Options” type in the password. I used Admin#90 for this lab. Click Next.
- Click Next on “DNS Options” with the default options.
- Click Next on “Additional Options” with the default settings.
- Click Next on “Paths”.
- Click Next on “Review Options”.
- Click Install on “Prerequisites Check”. It’ll install the prerequisites and then reboot.
Once it reboots, we’ll notice our Nebula\Administrator account for Active Directory is created. We can now use our password Admin#90 to log in.
Enabling Active Directory Certificate Services
AD Certificate Services is a Windows Server role that provides public key infrastructure (PKI) to issue and manage digital certificates for secure communication, authentication, and encryption within an organization.
Now, for some LDAP attacks, we will enable Active Directory Certificate Services. Click on “Manage” from the menu on the top-right and select “Add Roles and Features” like we did earlier, and click next until we reach the “Select Server Roles” page.
Now, check the “Active Directory Certificate Services” option and click Add Features.
Now, click next until we reach “Confirm Installation Selections” and check the “Restart the destination server automatically if required” and click yes on the “Add Roles and Features” pop-up.
Click Install, and it’ll install the selected services.
Once it’s done, hit close, and we’ll notice the flag again before the Manage options on the top-right. Click on Configure Active Directory Certificate Services….
Click Next on “Credentials” and check the “Certification Authority” options, and click Next.
Click Next on all the pages and continue with the default options. I changed the validity period on the “Validity Period” page to 100 years, just so it never expires. Continue clicking Next, and then click “Configure” on the confirmation page. Reboot the DC to reflect the changes.
Creating Users
Click on Tools from the top right corner and click on “Active Directory Users and Computers”.
Click on the dropdown and click on Users, and all the users will be displayed on the right. Only Administrator is a real user; all the others are security groups. The arrow on the Guest account icon shows it’s disabled.
Let’s create an Organizational Unit and move the security groups into that OU. Right-click on NEBULA.local, hover over “New”, and click on “Organizational Unit”. Name it Groups and click OK.
Now, select all the security groups, leaving out the users Administrator and Guest, and move them to the Groups OU we just created.
Click yes on the pop-up, and they’ll be moved to the newly created OU. Now, to create a new user, we can either use the GUI or use PowerShell. For the GUI, you can right-click below the users list and hover over “New”, and click on “User”.
Type in the name Mike Ross and logon name mike.ross and click Next.
Type in the password Roses#870 and check “Password never expires”, click Next, and Finish.
We will create another user svc-filesmgr with the password Secure#4045 and “Password Never Expires”.
Now create the following users with the same properties.
- Helpdesk Harper h.harper:Harp3r!2
- Harry John h.john:Jhonny!40s
- Nebula Admin n.admin:N3bul4!
Enabling AS-REP Roasting on Mike Ross
In AS-REP Roasting, an attacker sends an AS-REQ for a target user. Because pre-authentication is disabled, the DC sends back an AS-REP response (containing data encrypted with a key derived from the user’s password) without verifying the user’s identity.
Right-click on the newly created user and click on “Properties”. Under “Account options” scroll all the way to the bottom and check “Do not require Kerberos preauthentication”. Click Apply and close.
Adding AD LDAP Services & Enabling Anonymous Logon
Click on Manage from the top-right menu and click on Add Roles and Features. Keep clicking Next and check “Active Directory Lightweight Directory Services” when you reach the “Select server roles” page. Complete the installation, then click on the flag icon like we did earlier and follow the post-installation configuration steps.
Click on the Tools option from the top-right menu and click “ADSI Edit”, and click “Connect to…”
Select “Configuration” from the “Select a well-known naming context” dropdown list and click OK.
Right-click on Configuration and expand CN=Configuration, then CN=Services, then CN=Windows NT, like the screenshot below. Right-click on CN=Directory Service and click on Properties.
From Properties, select dSHeuristics and click on Edit. Type the value 0000002 and click OK, Apply, and Close.
Click on the Tool from the top-right menu in Server Manager, and click on AD Users and Computers. Click on View from the menu and check the “Advanced Features” options.
Right-click on the Users OU and click on Properties. Click on Add, type in ANONYMOUS LOGON, click on “Check Names”, let it populate, and click on OK.
Select ANONYMOUS LOGON user and check the Read as Allow, apply, and then close.
Enabling Kerberoasting on svc-filesmgr (Files Manager)
Open a PowerShell on Nebula-DC as an administrator and type in the following command. It registers a Service Principal Name for svc-filesmgr, turning it into a service account whose TGS tickets can be requested and cracked offline.
setspn -a Nebula-DC/svc-filesmgr.nebula.local NEBULA\svc-filesmgr
Setting up User Machine MS01
Install Windows 10 Enterprise using the ISO file on VirtualBox. Once the installation is done, select “Domain join instead” when prompted to log in. Use the user h.harper:Harp3r!2 and fill in the security questions and login.
Set the static IP 10.10.10.20 and set the DNS server to the IP of the domain controller, which in our case is 10.10.10.10.
Rename this PC as MS01 and restart.
Adding MS01 to Active Directory
After logging into MS01, search “Access work or school” and open settings. Click on connect.
Click “Join this device to a local Active Directory domain”.
Type the domain name NEBULA.local and click Next.
Type in the credentials of Helpdesk Harper h.harper:Harp3r!2 and click OK, and then click Next and select “Administrator” from the Account Type dropdown, and then “Restart Now”.
Our MS01 is now joined to the domain and is part of the Active Directory.
Enabling SMB Shares
In the context of Active Directory (AD), SMB (Server Message Block) is a network file-sharing protocol that is crucial for core AD functions, but also presents security vulnerabilities.
Create a new folder named Nebula on MS01.
Right-click on the Nebula folder, hover on “Give access to” and click on “Specific people…”.
Click on the dropdown button and click “Find People…”.
Type in the object name svc-filesmgr and click on “Check Names” and it’ll populate the field like in the screenshot below.
Click on the dropdown button next to the permission of Files Manager and select the Read/Write options. Click Share and then Done.
Adding Schedule Task to Trigger LNK File on SMB Share
We will now create a scheduled task running as the h.harper user; it’ll start on system startup. The script opens the latest .lnk file on the SMB share every minute and then clears the folder.
Save the script below at C:\Users\h.harper\lnk-trigger.ps1
# Poll the shared folder forever: open the newest .lnk dropped there, then empty the share.
while ($true) {
    $folder = "C:\Nebula"
    # Newest .lnk by modification time, or $null when the share is empty
    $latest = Get-ChildItem -Path $folder -Filter "*.lnk" | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($latest) {
        # Launch the shortcut as h.harper, simulating a user opening the file
        Start-Process $latest.FullName
    }
    Start-Sleep -Seconds 60
    # Clear everything in the share so each drop is handled only once
    Remove-Item -Path "$folder\*" -Recurse -Force
}
- Press Win + R and Type taskschd.msc and press enter.
- Click on “Create Task” and name the task LNK TRIGGER.
- Check the “Run whether the user is logged on or not” option and “Run with highest privileges”. Select Windows 10 from the Configure for dropdown.
- Switch to the Triggers tab and add a “New trigger”.
- Select “At startup” from the Begin the task dropdown.
- Make sure to match the Advanced Settings, like in the screenshot below.
- Switch to the “Actions” tab and add a new Action.
- Select the Action as “Start a program”, click Browse, and select powershell.exe.
- Paste in the following Argument and click OK: -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\h.harper\lnk-trigger.ps1"
- Switch to the Conditions tab and uncheck “Start the task only if the Computer is on AC power”.
- Switch to the Settings tab and uncheck “Stop the task if it runs longer”.
Adding ESC1 Vulnerability in AD Certificate Services
ESC1 stands for Enterprise Security Configuration 1, a type of cybersecurity attack that exploits misconfigured Active Directory (AD) certificate templates to gain higher privileges. It allows an attacker to request a certificate that can be used to impersonate other users or accounts, leading to a potential full compromise of a network.
- Press Win + R, type certtmpl.msc and press Enter.
- Click on Certificate Templates…, right-click on User and click “Duplicate Template”.
- Switch to the General tab, rename the template to Nebula ESC, and set the expiry years to 100 & 75, like in the screenshot below.
- Switch to the Security tab, add h.harper and enable Enroll.
- Switch to the Subject Name tab and select “Supply in the request”.
- Click Apply and close.
- Press Win + R, type certsrv.msc and press Enter.
- Right-click Certificate Templates, hover on New, and click on “Certificate Template to Issue”.
- Select Nebula ESC and click OK.
Giving GenericAll to Harry John Over User Nebula Admin
- Click on Tools from the top right corner and click on “Active Directory Users and Computers”.
- Click on View and check the Advanced Features option.
- Click on Groups OU and right-click on DNSAdmins and switch to the members tab, and add the n.admin user.
- Click on Users OU, right-click on Nebula Admin, and enable the user if disabled. Right-click again and click on properties, switch to the security tab, and add h.john user and check the Full Control option.
- Once done, click apply and close.
Adding Nebula Admin to Remote Management Users Group
We will add n.admin user to the Remote Management Users group, so we can perform a Pass the Hash attack and log in via WinRM.
Open Server Manager on DC and click on Tools, and then AD Users and Computers. Open Builtin and right-click on Remote Management Users and click on properties.
Switch to Members, click on Add, and type n.admin. Click on the Check Names button like we did earlier and apply, and with that, our fully vulnerable lab setup is complete.
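Before moving on to attacking the lab, it helps to see the same misconfigurations the way a defender would find them. The following read-only audit is an added example, not part of the original post; it runs on Nebula-DC as NEBULA\Administrator with the ActiveDirectory module (installed with the AD DS role) and assumes the object names used above. Each section should report exactly the object the walkthrough weakened.

```powershell
# Added example (not from the original post): audit the weaknesses introduced in this lab.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. AS-REP Roasting: userAccountControl bit 0x400000 = DONT_REQ_PREAUTH (expect mike.ross)
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' |
    ForEach-Object { "AS-REP roastable: $($_.SamAccountName)" }

# 2. Kerberoasting: any user account with an SPN, other than krbtgt (expect svc-filesmgr)
Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(samAccountName=krbtgt)))' -Properties servicePrincipalName |
    ForEach-Object { "Kerberoastable: $($_.SamAccountName) -> $($_.servicePrincipalName -join ', ')" }

# 3. Anonymous LDAP: the 7th character of dSHeuristics set to 2 allows anonymous operations
$ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties dSHeuristics
if ($ds.dSHeuristics -and $ds.dSHeuristics.Length -ge 7 -and $ds.dSHeuristics[6] -eq '2') {
    "Anonymous LDAP operations enabled (dSHeuristics=$($ds.dSHeuristics))"
}

# 4. GenericAll (Full Control in the GUI) granted on a user object to a non-admin principal
#    (expect NEBULA\h.john on n.admin)
$target = Get-ADUser -Identity 'n.admin'
(Get-Acl -Path "AD:\$($target.DistinguishedName)").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ActiveDirectoryRights -match 'GenericAll' -and
                   $_.IdentityReference -notmatch 'SYSTEM|Domain Admins|Enterprise Admins|Account Operators' } |
    ForEach-Object { "GenericAll on n.admin: $($_.IdentityReference)" }

# 5. ESC1: enrollee supplies the subject (name flag 0x1), client-authentication EKU present,
#    and no manager approval required (enrollment flag 0x2 clear) (expect Nebula ESC)
$tplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
Get-ADObject -SearchBase $tplBase -LDAPFilter '(objectClass=pKICertificateTemplate)' `
    -Properties 'msPKI-Certificate-Name-Flag','msPKI-Enrollment-Flag','pKIExtendedKeyUsage' |
    Where-Object {
        ($_.'msPKI-Certificate-Name-Flag' -band 0x1) -and
        -not ($_.'msPKI-Enrollment-Flag' -band 0x2) -and
        ($_.pKIExtendedKeyUsage -contains '1.3.6.1.5.5.7.3.2')   # Client Authentication
    } | ForEach-Object { "ESC1 candidate template: $($_.Name)" }
```

Running the same script on a production domain gives you the fix list in the same order: re-enable pre-authentication, move SPN accounts to gMSAs with long passwords, reset dSHeuristics, remove the stray ACE, and unpublish or harden the template.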
What We Learned
We learned to set up a Domain Controller, including creating users, OUs, and groups, and configuring basic policies. We also learned to add and manage domain-joined machines, simulating a realistic corporate network with MS01 and DC01. We created and managed SMB shares and set their permissions. We installed and configured Active Directory Certificate Services (AD CS) and created a vulnerable ESC1 certificate template.
One important lesson I learned is that you must be clear about your design before building a vulnerable lab. Trying to plan the lab while setting it up leads to confusion, inconsistent configurations, and extra rework. A well-defined plan upfront saves time and makes the entire learning process smoother and more effective.
Before You Go
By completing this setup, you now have a solid and realistic foundation for learning how attacks unfold inside an Active Directory environment. In the next blog, we’ll dive into exploiting this lab step-by-step and understanding how each misconfiguration can be leveraged by an attacker. Until then, feel free to experiment, break things, and rebuild. That’s the best way to truly understand AD. Thanks for reading, and stay tuned for the next part.