For many (myself included), having a virtual home lab is possibly one of the most valuable pieces of technology to have at your disposal, especially if you are looking at expanding your knowledge of internal penetration testing or looking further afield for payload testing for red team engagements.
So after many months of excuses and delays, I’ve finally found myself with enough time to sit down and rebuild a home lab, offering a much needed break to the ol’ workhorse that has been abused to within an inch of its life.
Small beginnings
Initially, I only plan on configuring a small network and expanding it out as needed. Not only is this slightly less resource intensive in the long run, but it also provides an opportunity to write a long overdue blog post detailing the process for those who may have been on the fence for a while.
For now, I’ll work off of the plan that the following hosts will need to be configured:
- 1 x Primary Domain Controller (Windows Server 2025)
- 2 x Windows 10 Enterprise Workstations
In the long run, additional functionality will be added such as configuring a Security Information and Event Management (“SIEM”) solution alongside functionality such as Active Directory Certificate Services (“AD CS”).
For now though, let’s get into configuring the Primary Domain Controller. It is worth noting I will be configuring this lab on VMware Workstation Pro, though the steps will be fairly similar regardless of the virtualisation stack.
At this point in the blog post I feel I should give a disclaimer that I am not a network engineer or system administrator, so the steps that I have detailed below may not be the most efficient or optimal way of configuring a network. This is purely for educational purposes and to be used as a testing environment to develop tooling.
Installing Windows Server 2025
- Create a new virtual machine
- Select the Windows Server ISO for the installer disc image
- Select “Windows Server 2025” as the version to install
- Optional: Select Customize Hardware to increase resource allocation
- Start the virtual machine and press any key to begin the Windows installer
- Now select “Install Windows Server” and tick the check box to proceed with the install
- Now select the image for “Windows Server 2025 Standard Evaluation (Desktop Experience)”
- Now follow the remaining instructions and click the Install button
Once the installation has run its course, we can look to configure the Domain Controller.
Configuring the Domain Controller
Once the installer has completed, it will automatically boot into Windows Server 2025, prompting for an Administrator password.
Once logged in, we can configure this server to be a domain controller and set up our domain.
- Select “Add roles and features”
- Under Server Roles, select “Active Directory Domain Services”
- Now continue through the menus and select Install
- Once the installation has concluded, the alert flag will prompt to “Promote this server to a domain controller”
- Now select the “Add a new forest” radio button and enter a Root domain name, e.g. NOXUS.local
- Continue through the menus and click Install
- Once the installation is complete, it will restart and the Server will be configured as the primary Domain Controller
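The same role installation and promotion can be scripted, which makes rebuilding the lab repeatable. This is an added example, not part of the original post; the NetBIOS name and the two function names are assumptions, and NOXUS.local is the root domain name used above.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the Server Manager steps above.
# Assumed names: $NetbiosName, Install-LabForest and Test-LabForest are
# hypothetical; NOXUS.local is the root domain name used in the post.

$DomainName  = 'NOXUS.local'
$NetbiosName = 'NOXUS'

function Install-LabForest {
    # "Add roles and features" -> "Active Directory Domain Services"
    $role = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
    if (-not $role.Success) { throw 'AD DS role installation failed.' }

    # Prompt for the DSRM password so it never sits in the script or history.
    $dsrm = Read-Host -AsSecureString -Prompt 'DSRM (safe mode) password'

    # "Promote this server to a domain controller" -> "Add a new forest".
    # The server restarts on its own when promotion finishes.
    Install-ADDSForest -DomainName $DomainName `
        -DomainNetbiosName $NetbiosName `
        -InstallDns `
        -SafeModeAdministratorPassword $dsrm `
        -Force
}

function Test-LabForest {
    # Run after the reboot: confirms the domain exists and a DC is locatable.
    Import-Module ActiveDirectory
    $domain = Get-ADDomain -Identity $DomainName
    $dc     = Get-ADDomainController -Discover -DomainName $DomainName
    $srv    = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV |
              Where-Object { $_.NameTarget }

    [pscustomobject]@{
        DnsRoot     = $domain.DNSRoot
        NetBIOSName = $domain.NetBIOSName
        PdcEmulator = $domain.PDCEmulator
        Discovered  = $dc.HostName -join ', '
        SrvTargets  = $srv.NameTarget -join ', '
    }
}

Install-LabForest       # first run, before the reboot
# Test-LabForest        # run this instead once the server has restarted
```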
Creating Workstations
Setting up the workstations is relatively easy and can be done with the following steps:
- Create a new virtual machine
- Select the Windows 10 ISO on your underlying host
- Customise the hardware as necessary. This time, before you power up the workstation, remove the floppy disc; if you do not remove the disc, it will error and loop
- Continue through the menus and click install
- Once the installation has run its course, you’ll be greeted with a “Sign in with Microsoft” page. Click “Domain join instead”
Repeat this as many times as you like to add additional workstations.
Domain Joining
Now we have the workstation created, let’s go about domain joining it. For this you’ll require the Domain Controller IP address.
- Log in to the Workstation and search for “View Network Connections”
- Right-click the Ethernet0 interface and select “Internet Protocol Version 4 (TCP/IPv4)”, clicking Properties
- Select “Use the following DNS server addresses” and enter your Domain Controller’s IP address
- Now search for “Advanced sharing settings” and set Network Discovery to “Turn on network discovery”
- Now you’ll be able to search for “Access work or school”, clicking the Connect button
- Select “Join this device to a local Active Directory domain” and enter the domain name you have selected
- Enter credentials for a domain account and restart the workstation as instructed
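The DNS change and the join can also be done from an elevated PowerShell prompt on the workstation, with a check that the domain's SRV records resolve before the join is attempted (the usual reason a join fails). This is an added example, not part of the original post; the IP address is a placeholder and the variable names are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted version of the domain-join steps above.
$DomainName = 'NOXUS.local'   # domain name from the post
$DcAddress  = '192.0.2.10'    # PLACEHOLDER: replace with your Domain Controller's IP
$Interface  = 'Ethernet0'     # interface name used in the post

# "Use the following DNS server addresses" -> the Domain Controller
Set-DnsClientServerAddress -InterfaceAlias $Interface -ServerAddresses $DcAddress

# A domain join locates the DC through this SRV record; fail early if it is missing.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
           -Server $DcAddress -ErrorAction Stop |
       Where-Object { $_.NameTarget }
if (-not $srv) {
    throw "No domain controller SRV records for $DomainName on $DcAddress."
}
Write-Host "DC advertised in DNS: $($srv.NameTarget -join ', ')"

# Confirm LDAP on the DC is reachable from this workstation.
if (-not (Test-NetConnection -ComputerName $DcAddress -Port 389 -InformationLevel Quiet)) {
    throw "Cannot reach $DcAddress on TCP 389; check the VM network settings."
}

# Prompts for a domain account, joins, then restarts as the GUI flow does.
$cred = Get-Credential -Message "Account allowed to join machines to $DomainName"
Add-Computer -DomainName $DomainName -Credential $cred -Restart
```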
Now at this stage, I’m going to introduce an SMB share that contains the domain administrator password for one of my users, in this case Swain. In a lot of cases when enumerating SMB shares you may come across sensitive information!
- Create a directory and save a password.txt file; the contents, of course, are the user credentials.
- Right click the new directory and select “Properties > Sharing > Share”
- Now you can add “Domain Users” to the share making it world-readable
NOTE: You may need to go to Network and enable sharing and discovery
Introducing Vulnerabilities
For the time being, we’ve already introduced an exposed SMB share on one of the workstations, so let’s introduce a simple Kerberoasting attack.
We’ll first need to log onto the Domain Controller and add a service account. For this we can click “Tools” and then “Active Directory Users and Computers”.
You’ll then be able to click Users and copy one of the domain administrator accounts. If one does not exist, you’ll be able to create one now.
At this time I have copied a domain administrator and named it “sqlservice”; now we just need to set a Service Principal Name (“SPN”). This can be done with the following command in PowerShell:
setspn -a noxuc-prime/sqlservice.noxus.local:60111 NOXUS\SQLService
You can then validate that the SPN has been created with:
setspn -T noxus.local -Q */*
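Once the SPN exists, the same condition is worth being able to spot from the defensive side: user accounts that carry an SPN, hold privileged group membership and have an old password. The audit below is an added example, not part of the original post; the function name and report columns are assumptions, and it needs the ActiveDirectory module (present on the Domain Controller).

```powershell
# Added example: report user accounts with SPNs and how exposed each one is.
Import-Module ActiveDirectory

function Get-SpnAccountReport {
    param([string]$Server = 'noxus.local')   # domain from the post

    # SIDs of everyone who is a Domain Admin, including via nested groups.
    $adminSids = Get-ADGroupMember -Identity 'Domain Admins' -Recursive -Server $Server |
                 ForEach-Object { $_.SID.Value }

    # User objects with at least one SPN; krbtgt always has one, so skip it.
    Get-ADUser -Server $Server `
        -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
        -Properties servicePrincipalName, adminCount, PasswordLastSet,
                    'msDS-SupportedEncryptionTypes' |
    ForEach-Object {
        $enc = [int]$_.'msDS-SupportedEncryptionTypes'
        $age = if ($_.PasswordLastSet) {
            [int]((New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).TotalDays)
        } else { $null }

        [pscustomobject]@{
            Account         = $_.SamAccountName
            SPNs            = $_.servicePrincipalName -join '; '
            DomainAdmin     = $adminSids -contains $_.SID.Value
            AdminCount      = $_.adminCount -eq 1
            PasswordAgeDays = $age
            # 0x4 = RC4_HMAC, 0x8 = AES128, 0x10 = AES256.
            # EncTypesSet = False means the KDC default applies; review it.
            EncTypesSet     = $enc -ne 0
            Rc4BitSet       = ($enc -band 0x4) -ne 0
            AesBitSet       = ($enc -band 0x18) -ne 0
        }
    }
}

# Privileged accounts first, then oldest passwords.
Get-SpnAccountReport |
    Sort-Object -Property DomainAdmin, PasswordAgeDays -Descending |
    Format-Table -AutoSize
```

In this lab the copied “sqlservice” account is the row to look for; in a real domain, any row with DomainAdmin set to True is a candidate for removing the privilege or moving the service to a group managed service account.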
Conclusion
Now we’ve reached an end for this blog post. So far the foundation of the homelab has been laid with 2 workstations and a domain controller. We’ve also introduced a couple of vulnerabilities into the domain in the shape of an SMB share with sensitive credential material hidden within, and an SPN has been set up and is ready to be kerberoasted.
Going forward I’ll hopefully find some time to write a follow-up post that introduces AD CS vulnerabilities to the domain and, as previously mentioned, a SIEM solution to start testing payload detection and obfuscation.
Until next time! – Optional