# Proxmox Home Lab: Building an Active Directory Lab
## Preamble
This began as a desire to set up a home lab where I could practice, and later teach, this style of setup and Active Directory Penetration Testing. Inspiration came from DerronC's [video](https://youtu.be/ael3g9RIX-U?si=Ah3n0HE54tBXFh4C). The initial plan was to install ESXi as a VM on VMware Workstation and then virtualise the AD cyber range in ESXi using DerronC's topology.

However, ESXi proved to be challenging in terms of compatibility with detecting storage, storage drivers and other options (I probably shouldn't be using a decade-old SATA HDD... but still 🤪). After 2 days of mucking about with ESXi (since the networking aspect seemed easy -> **Foreshadowing!**) I decided to switch over and try Proxmox. *Little did I know that this would lead me to learning a lot more than I initially planned to - not a bad thing.*
With Proxmox, I decided to install it on bare-metal, just the way nature intended it. And after some finagling that greyed more than a few hairs (I didn't know that getting multiple networks up within Proxmox was going to be an absolute pain in the ass), we ended up with a network that looks somewhat like this (After following a good number of [0xBEN](https://benheater.com/)'s walkthroughs):

The greatest thing about this network diagram is that I forgot to save it. Lucky me. On the [bright side](https://www.youtube.com/watch?v=L2Wx230gYJw), this means I can make a better network diagram for the next time (probably around now as I do this writeup). Also, although a great learning experience, this was not the network topology I would need to build the Active Directory lab I initially set out to do.
After realising that this document was growing beyond a reasonable size (and that I didn't want to pay compensation for the undue wear-and-tear I am sure to cause to the mouse scroll wheel of the tens of people who might chance across this documentation) I have organised the different phases ~~I suffered through~~ into these links:
## Steps
| No. | Link |
| :--- | :--- |
| 1 | [Networking Setup](/RmB8dTZ-RbqSScQ8ILFmdQ)|
| 2 | [Some Notes on Windows Setup](/eiQwG2ieQhGEFdK78R45BQ)|
| 3 | <table> <thead> <tr> <th>Vulnerable Client Setup Options</th> </tr> </thead> <tbody> <tr> <td><table> <thead> <tr> <th>Windows 10 Options</th> </tr> </thead> <tbody> <tr> <td>[Windows 10 Client VM Template Basic Setup](/KJ_YgcrBQMGRfoX66UWHkw)</td> </tr> <tr> <td>[Win10 Vuln Client Setup (WC1)](/L2wGVc8NR0CXLPJPv5lMfA)</td> </tr> </tbody> </table><table> <thead> <tr> <th>Windows 11</th> </tr> </thead> <tbody> <tr> <td>[Windows 11 Client VM Template Basic Setup](/QEjClmZYTTevfFOY8fsvyw)</td> </tr> <tr> <td>[Win11 Vuln Client Setup (WC1) - Incomplete, but steps same as Win10](/swrq9YdnRXyBwNoVCI2a9w)</td> </tr> </tbody> </table></td> </tr> </tbody> </table>|
| 4 |[Vulnerable Software Setup](/FFAyC_zGSnCE_A33vTH70g)|
| 5 | [Domain Controller Basic Install and Setup](/l_4cRqKHQqmOQ3R3qhb01w)|
| 6 |[Adding and Configuring Users on the Domain](/XzwgBztHTXWo7I4Nn5GVcg)|
| 7 |[Windows 10 Client 2 (WC2)](/rEzw4vuWQz-651YMGCeTsA)|
| 8 |[Finishing Touches and Housekeeping](/nNIHQkCuStWHoONVBHmDEw)|
| 9 |[Testing the whole setup using DerronC's Active Directory Attack Path 1 guide](/P5Rcm5I_Q2-d7tQy3ILmWA)|
| 10 |[Sources](/7u1oOmGQRAeLps5kW7Ad5A)|
## Future Plans:
1. Attempt other attack paths as demonstrated by DerronC
2. Build my own attack paths
3. Use Windows 11 clients instead
4. Figure out Proxmox's inbuilt SDN functionality
5. Get the OpenVPN Access Server thing working because using Kali on noVNC is a unique kind of pain.
6. Actually come back and check off some of these items on the list.
7. Find myself in a fulfilling relationship
8. Get revenge on Mercury for being in retrograde all the time
## Updates:
### Network Diagram as of 22nd April 2024

### 24th April 2024
Blurred out the bits that aren't part of the lab because my ADHD ass found them too distracting

<!---
## Some Key Adaptations
### Learning Proxmox
Due to the differences between Proxmox and VMware (both Workstation and ESXi) I had to learn how to create virtual subnets. Having been pampered by the VMware products, I had no idea this would be a lot more tedious in Proxmox and required the usage of Open vSwitch (OVS). Most of my Proxmox education came through the following of 0xBEN's writeups on creating a homelab (links below).
### Differences between Proxmox and VMware networking
Life would have probably been easier had I chosen to learn how to use zones within Proxmox and used the SDNs instead of relearning how to create isolated networks in pfSense - however, that process was also greatly appreciated for its educational value, even if it made my hair-regrowth shampoo work overtime.
*(Update: Tried to get SDNs to work, accidentally locked myself out of the Proxmox WebUI, ALMOST wanted to employ scorched-earth policy and just reinstall Proxmox, but managed to restore some old network settings, and then spent the better part of the day resetting it all and building it up from scratch HAHA. GG me. That network diagram above? I hope you weren't too attached to it because most of that is [dead and gone, dead and gone](https://youtu.be/6mEx9FtuN0k?si=BOzwUkV3hNbLZ1Vu) )*
So, the main difference is that I used pfSense to create the necessary isolated networks and have pfSense function as the DHCP server for the "Outside network".
## Proxmox Networking Setup
First, make a backup of the initial networking setup:
`cat /etc/network/interfaces > interface.bak`
This way, if I mess it up (I did), I can always restore it to the original networking setup using `cat interface.bak > interfaces` while in the /etc/network folder, and then issuing the `ifreload -a` command.
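A guarded version of the backup-and-restore step above, as an added example that is not part of the original write-up: it takes a timestamped copy of the interfaces file, applies a candidate config, and restores the copy if the reload or a connectivity check fails (the WebUI lockout case). The function names, the `RELOAD_CMD` override and the `GATEWAY_IP` placeholder are assumptions.

```sh
#!/bin/sh
# Added example (not from the original write-up): change /etc/network/interfaces
# with a timestamped backup and automatic rollback if a connectivity check fails.
# Function names, RELOAD_CMD and the check-command argument are assumptions.

# Command that applies the configuration; Proxmox ships ifupdown2's `ifreload -a`.
RELOAD_CMD="${RELOAD_CMD:-ifreload -a}"

# backup_interfaces LIVE_FILE: copy LIVE_FILE next to itself, print the backup path.
backup_interfaces() {
    _bak="$1.bak.$(date +%Y%m%d-%H%M%S)"
    cp -p "$1" "$_bak" || return 1
    printf '%s\n' "$_bak"
}

# restore_interfaces BACKUP LIVE_FILE: put the backup back and reload networking.
restore_interfaces() {
    cp -p "$1" "$2" && $RELOAD_CMD
}

# apply_with_rollback LIVE_FILE CANDIDATE CHECK_CMD
# Installs CANDIDATE as LIVE_FILE, reloads, then runs CHECK_CMD (for example a
# ping to the gateway). Any failure restores the backup.
# Returns 0 = applied, 1 = rolled back, 2 = could not create a backup.
apply_with_rollback() {
    _live="$1"; _candidate="$2"; _check="$3"
    _saved="$(backup_interfaces "$_live")" || return 2
    if cp "$_candidate" "$_live" && $RELOAD_CMD && sh -c "$_check"; then
        echo "applied; previous config kept at $_saved"
        return 0
    fi
    echo "reload or check failed; restoring $_saved" >&2
    restore_interfaces "$_saved" "$_live"
    return 1
}

# Typical use on the Proxmox host (GATEWAY_IP is a placeholder for your router):
#   apply_with_rollback /etc/network/interfaces ./interfaces.new \
#       "ping -c 3 -W 2 GATEWAY_IP"
```

Run it from the local console or a detached session so the rollback still completes if the SSH or WebUI connection drops during the reload.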
Then we delete the initial Linux Bridge vmbr0 and replace it with the OVS Bridge vmbr0 instead.

In the image we can see that vmbr0_mgmt is listed as a bridge port - this will happen later after we create the vmbr_mgmt IntPort, which we do like so:

- We need to supply the IPv4/CIDR address of the Proxmox WebUI (the same IP address that was assigned to it by our router/DHCP server, so that we don't lose connection to the WebUI)
- Also, the IP address of our router as the gateway
**OVS Bridges = Switches
OVS IntPorts = A way to create VLANs**
We then create the following two VLANs


## pfSense Setup
We create a VM with the following settings.

- Also, log in to the home router and assign a Static IP to the pfSense for its WAN (In this case, I will be using the MAC address attached to vmbr0)
Install pfSense as usual
- Y to setting up vlans after install - like so

- Assign the interfaces

- Finally end up with this

- Enable DHCP Server on both LAN and OPT1
- LAN IP Address Pool: 10.10.10.100 - 10.10.10.200
- OPT1 IP Address Pool: 172.16.66.100 - 172.16.66.200
- OPT2 won't have DHCP enabled as the DC will be the DHCP for that VLAN
- Once we set everything up, then we should have a network that is like this - yes, indeed, this is the new network diagram:

- e.g. Kali in:
- vmbr1


- vmbr1_666


Now that the network zones *(**NOTE**: I'm using the term zones a little more colloquially here. "Zones" in Proxmox is a very specific term within its networking functionalities, but as mentioned they have been a real pain in the ass, so I'm reclaiming the term.)* have been established it's time to get on to setting up the Windows clients and Domain Controller.
-->
<!---
## Initial Windows System setup
For this, I'm going to be synthesising the steps from both DerronC's video guide and 0xBEN's writeups. I am doing this for a few reasons
- DerronC's guide is not for Proxmox, but 0xBEN's guide is.
- 0xBEN's initial guide for adding Windows VMs has best practices such as installing the VirtIO drivers for optimised performance.
- https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso
- 0xBEN's later guides for setting up the Active Directory forest go over how to use sysprep to create a VM template
> "We want to run `sysprep` on to create a template VM, so that when we clone the VM, the Windows systems will always have a unique SID when joining to the domain."
- 0xBEN's AD guide uses a script to introduce a host of vulnerabilities to the DC - I am NOT a fan of this - though as he himself admits, his goal was to get an AD Lab environment up and running efficiently (which he does most excellently)

- DerronC's guide allows for more control over what vulnerabilities we are introducing into the environment.
- 0xBEN's guide uses Windows Server 2019, and I wished to experiment with 2022 instead
- 0xBEN's guide uses Proxmox 6.7 (if I remember correctly) while I am using Proxmox 8.1
- The difference is largely minimal save for some defaults such as when picking a CPU Type for guests.
With all that said, where possible, I will credit which guide I am following at which stage.
### Proxmox Resource Pool Setup
This bit is an unnecessary step, but including such bits of, perhaps futile, organisation is me proverbially biting my proverbial thumb at my ADHD.
I created a Resource Pool within Proxmox to organise the machines I would be using for this lab.

-->
<!---
### Domain Controller
#### VM Setup - 0xBEN
1. General

2. OS (including VirtIO)

3. System

4. Disks

5. CPU

6. [Memory](https://youtu.be/mdBVJbzkoqo?si=nsa09rkJXtXf0wtW&t=44)

7. Network

Before I even start this up I am going to convert this to a template and then work on a clone instead

#### Install - 0xBEN
1. Language, Timezone/Region, Keyboard


2. OS Type

3. The thing we all say we read but never read.

4. Custom install

5. This is where we load the necessary drivers from VirtIO. And we have to load them 1 by 1. Amazing *(Sarcastic)*.

- Ballooning memory driver


- NIC Driver


- SCSI Driver


- I am not too sure about the compatibility of this last driver, but it hasn't posed problems so far
6. We wait for this installation to complete

7. Set a password for the local administrator account (don't get too attached to this account - it doesn't make it to the end of the movie.)

8. Log in

#### DC Setup (Initial)
##### Network Interface Configuration - 0xBEN & DerronC
1. Click the network interface
- Network & Internet Settings
- Change Adapter Options

2. Ethernet > Properties

3. Disable IPv6, then double-click on IPv4

4. Use the following settings

- Recall that in the VLAN zone we are in (tag 999), and that the Network address for this zone is 192.168.99.0/24
- Set a static IP Address: 192.168.99.2
- Set the network mask
- Set the default gateway to be the IP address of pfSense within this network: 192.168.99.1
- Set the preferred DNS server to the address of this machine, we can also use the loopback address 127.0.0.1
> - For the DNS servers, the following will happen:
- First, check with the DNS server running on the domain controller (we will install this a bit later)
- If the DNS server doesn't know the answer, it will forward the DNS query to the default gateway and pfSense will resolve it
5. Say yes to this:


##### Optional Steps - 0xBEN
6. (Optional) Rename the machine

- I later renamed the machine again because DomainController1 was simply too long. It is now DC01

7. Restart now > Other(Unplanned)
8. Take a snapshot of the server before we promote it to a DC - Is this necessary? No. Will it potentially make your life a hell of a lot easier in the future? Absolutely!
- Taking snapshots is a great habit.
- Snapshot management is a good skill to have.

##### Install Active Directory Domain Services - 0xBEN
1. Manage > Add Roles and Features

2. Installation Type: Role-based or feature-based installation

3. Server Selection

4. Server Roles

5. Features > Use defaults
6. AD DS > click next
7. Confirmation > Install


##### Promote to Domain Controller - 0xBEN & DerronC
1. Promote

2. Deployment Configuration

3. Domain Controller Options

4. DNS Options - we can ignore this and click Next

5. Additional Options: NetBIOS verification - Accept default and click next

6. Paths - Accept default

7. Review options - Next
8. Prerequisite Checks -> Install

9. You will be signed out as the Server is restarted
- And the local Administrator account has been shifted to a domain admin role.
- Local accounts will not be able to sign in anymore
##### Configure GPO to stop Automatic Updates - DerronC
1. Tools > Group Policy Management

2. Forest:oscp.lab > Domains > oscp.lab - right-click, create a GPO...

3. Name it

4. Edit policy (right-click policy and select 'Edit')
5. Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update

6. Double-click Configure Automatic Updates

7. Disable
##### Configure GPO to Disable Real-Time (Bypassing Antivirus is not within scope of OSCP, but within scope of OSCE) - DerronC
1. Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus (Previously Windows Defender Antivirus) > Real-Time Protection
2. Enable "Turn off real-time protection"

##### Configure Active Directory Certificate Services - 0xBEN
> Active Directory Certificate Services will be installed to enable LDAPS.
###### Installation
1. Manage > Add Roles and Features

2. Installation Type: Role-based or feature-based installation

3. Server Selection

4. Active Directory Certificate Services

5. AD CS > Next
6. Role Services: Certificate Authority

7. Confirmation: Restart automatically if required, then Install

###### Post-Deployment Configuration
1. Click the alert and select the option

2. Credentials > next

3. Role Services
- Select Certificate Authority
- Next

4. Setup Type: Enterprise CA

5. CA Type - Default

6. Private Key - Default

7. Cryptography - Default

8. CA Name - Default

9. Validity period - Default

10. Certificate Database - Default

11. Confirmation - Configure

12. Complete

##### Configure DNS Forwarders - 0xBEN
> The DNS server running on the domain controller will act as a resolver for the ad.lab domain (or whichever local domain you chose). We need a forwarder for any DNS query for which the DNS server does not know the answer.
>>
> We can use the pfSense default gateway as a downstream DNS server that the domain controller can pass queries to for any unknown hostnames.
1. Look for DNS in Start Menu

2. Edit Forwarders


3. Input Local IP address of pfSense

- It won't be able to resolve, but that's okay
##### Add and Configure DHCP Server - 0xBEN
###### Installation
1. Manage > Add Roles and Features

2. Installation Type: Role-based or feature-based installation

3. Server Selection

4. Server Roles: DHCP Server

5. Features - Default
6. DHCP Server - Next
7. Confirmation - Install

###### Post-Install Configuration
1. Complete DHCP Configuration

2. Description

3. Authorisation

4. Commit
5. Summary

6. Start Menu > DHCP

7. IPv4 > New Scope

8. Start Wizard, Next, Name Scope

9. Provide Scope parameters

10. Set Lease Duration for 1 year

11. Yes, Configure Now

12. Add default gateway address (pfSense)

13. Domain Name and DNS Servers - Default

14. WINS Servers - none present so just click next
15. Yes, I want to activate this scope now

-->
<!--
### Building VM Template for Windows Enterprise Clients - 0xBEN
#### VM Setup
1. General

2. OS (Including VirtIO)

3. System

4. Disks

5. CPU

6. Memory

7. Network - putting them in the 999 vlan first

#### OS Install
1. Language, Timezone/Region, Keyboard


2. The thing we all say we read but never read.

3. Custom install

4. This is where we load the necessary drivers from VirtIO. And we have to load them 1 by 1. Amazing *(Sarcastic)*.

- Ballooning memory driver


- NIC Driver


- SCSI Driver


- I am not too sure about the compatibility of this last driver, but it hasn't posed problems so far
6. We wait for this installation to complete

7. Select Region and Keyboard Layout


8. Setup Local User account



9. We don't need these - turn them all off

#### Sysprep & Convert to template
1. Open Administrator Powershell and run command
- `C:\Windows\System32\Sysprep\sysprep.exe`

- Select Out-Of-Box-Experience
- Shutdown options: Shutdown
2. Convert to Template

-->
<!---
### Setup MS01 (Vulnerable machine)
We will be setting up this machine that sits on two vlans first

1. Clone from template
### Adding Users to Domain - DerronC's method
I used this script written by DerronC - which adds some users and indicates whether their passwords can be found in rockyou
```!
#not in rockyou
New-AdUser -Name "Emmet Brickowski" -GivenName "Emmet" -Surname "Brickowski" -SamAccountName "emmet" -UserPrincipalName "emmet@derronc.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "R3xRul3z!" -Force) -Enabled $true
# in rockyou
New-AdUser -Name "Wyldstyle" -GivenName "Wyldstyle" -Surname "" -SamAccountName "wyldstyle" -UserPrincipalName "wyldstyle@derronc.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "Awesome24!" -Force) -Enabled $true
# in rockyou
New-AdUser -Name "Batman" -GivenName "Batman" -Surname "" -SamAccountName "batman" -UserPrincipalName "batman@derronc.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "#1BlackBelt" -Force) -Enabled $true
#not in rockyou
New-AdUser -Name "Vitruvius" -GivenName "Vitruvius" -Surname "" -SamAccountName "vitruvius" -UserPrincipalName "vitruvius@derronc.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "Bl0ckM@g!c" -Force) -Enabled $true
#not in rockyou
New-AdUser -Name "Benny" -GivenName "Benny" -Surname "" -SamAccountName "benny" -UserPrincipalName "benny@derronc.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "Sp@c3Sh1p!" -Force) -Enabled $true
#not in rockyou
New-AdUser -Name "Uni-Kitty" -GivenName "Uni" -Surname "Kitty" -SamAccountName "uni-kitty" -UserPrincipalName "uni-kitty@derronc.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "Un!K!tty!!" -Force) -Enabled $true
#not in rockyou
New-AdUser -Name "MetalBeard" -GivenName "Metal" -Surname "Beard" -SamAccountName "metalbeard" -UserPrincipalName "metalbeard@derronc.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "Metal_9488!" -Force) -Enabled $true
#not in rockyou
New-AdUser -Name "Lord Business" -GivenName "Lord" -Surname "Business" -SamAccountName "lord_business" -UserPrincipalName "lord_business@derronc.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "TAKOstuesday!" -Force) -Enabled $true
# in rockyou
New-AdUser -Name "IIS Service" -GivenName "IIS" -Surname "Service" -SamAccountName "svc_iis" -UserPrincipalName "svc_iis@derronc.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "Portland7@" -Force) -Enabled $true
#New-AdUser -Name "" -GivenName "" -Surname "" -SamAccountName "" -UserPrincipalName "@derronc.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "" -Force) -Enabled $true
#New-AdUser -Name "" -GivenName "" -Surname "" -SamAccountName "" -UserPrincipalName "@derronc.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "" -Force) -Enabled $true
# in rockyou
#New-AdUser -Name "" -GivenName "" -Surname "" -SamAccountName "" -UserPrincipalName "@derronc.lab" -AccountPassword (ConvertTo-SecureString -AsPlainText "" -Force) -Enabled $true
```
Since the file is on my Kali machine, I need to transfer it over to the DC. I'll be doing this using impacket's smb share functionality (although any other way of doing it is also fine).
1. Put Kali on the same network

2. Start smb share inside folder with script

<!---
## Instructionals and Sources
Here be the different sources I used that led to success in what I wanted to achieve.
- [TechHut's Pi-Hole Tutorial](https://youtu.be/xtMFcVx3cHU?si=3IHajDBYzHgumCSq)
- <a name="CloudflareSetup">[NetworkChuck's CloudFlare tutorial](https://youtu.be/ey4u7OUAF3c?si=wvFg59-zgbtORCtr)
- Some things are outdated, like where cloudflare has their Zero Trust options. But the main idea is still the same.</a>
- Various videos from Learn Linux TV's great [Proxmox Full Course](https://youtube.com/playlist?list=PLT98CRl2KxKHnlbYhtABg6cF50bYa8Ulo&si=SAecMC7oYrJA5dWL)
- The single best resource that answered most of my problems was this series of guides by [0xBEN](https://benheater.com/) - Answered all my issues with subnetting and vlans and bridging ❤️❤️❤️.
- [Proxmox VE 8: Converting a Laptop into a Bare Metal Server](https://benheater.com/bare-metal-proxmox-laptop/)
- [Creating a pfSense Firewall for our lab](https://benheater.com/proxmox-lab-pfsense-firewall/)
- [Creating a Kali Linux VM](https://benheater.com/proxmox-lab-kali-linux-vm/)
- [Proxmox Troubleshooting](https://benheater.com/proxmox-lab-troubleshooting-proxmox/)
- [Running Windows Guests in Proxmox](https://benheater.com/proxmox-lab-windows-guest-best-practices/)
- [Adding an Active Directory Forest to Our Proxmox Lab](https://benheater.com/proxmox-lab-active-directory-lab/)
- [Hacking the AD Lab](https://benheater.com/hack-your-proxmox-ad-lab/)
-->