diff --git a/search/search_index.json b/search/search_index.json
index ab002172..f3f73829 100644
--- a/search/search_index.json
+++ b/search/search_index.json
@@ -1 +1 @@
-{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"Game Of Active Directory","text":"Welcome to GOAD (v3) documentation !
Game Of Active Directory is a free pentest active directory LAB(s) project (1).
GOAD is free if you use your own computer, obviously we will not pay your electricity bill and your cloud provider invoice ;) The purpose of this tool is to give pentesters a vulnerable Active directory environment ready to use to practice usual attack techniques. The idea behind this project is to give you an environment where you can try and train your pentest skills without having the pain to build all by yourself. This repository was build for pentest practice
Note
GOAD main labs (GOAD/GOAD-Light/SCCM) are not pro labs environments (like those you can find on HTB). Theses labs give you an environment to practice a lot of vulnerability and missconfig exploitations. Sure you can use them like pro labs, but it will certainly be too easy due to the number of vulns. Consider more GOAD like a DVWA but for Active Directory. If you want a chall deploy the lab NHA.
Warning
This lab is extremely vulnerable, do not reuse recipe to build your production environment and do not deploy this environment on internet without isolation (this is a recommendation, use it as your own risk).
Windows Licenses
This lab use free windows VM only (180 days). After that delay enter a license on each server or rebuild all the lab (may be it's time for an update ;))
"},{"location":"changelog/","title":"Road Map","text":" Password reuse between computer (PTH) Spray User = Password Password in description SMB share anonymous SMB not signed Responder Zerologon Windows defender ASREPRoast Kerberoasting AD Acl abuse Unconstraint delegation Ntlm relay Constrained delegation Install MSSQL MSSQL trusted link MSSQL impersonate Install IIS Upload asp app Multiples forest Anonymous RPC user listing Child parent domain Generate certificate and enable ldaps ADCS - ESC 1/2/3/4/6/8 Certifry Samaccountname/nopac Petitpotam unauthent Printerbug Drop the mic Shadow credentials Mitm6 Add LAPS GPO abuse Add Webdav Add RDP bot Add full proxmox integration Add Gmsa (receipe created) Add azure support Refactoring lab and providers Protected Users Account is sensitive Add PPL Add Gmsa Groups inside groups Shares with secrets (all, sysvol) ADCS add vulns Add Applocker Add optional EDR install on goad Add attackbox + guacamole and openvpn creation "},{"location":"changelog/#sccm","title":"SCCM","text":" Sccm (see SCCM lab) Wsus (not complete) "},{"location":"changelog/#extensions","title":"Extensions","text":" elk exchange ludus ws01 (need more tests) exchange bot attackbox linux VM enrolled VPN guacamole "},{"location":"provisioning/","title":"\ud83d\udee0\ufe0f provisioning","text":"\ud83d\udea7 TODO
"},{"location":"questions/","title":"Frequent asked questions","text":"How can i change the default keyboard layout
edit globalsettings.ini files and change the variable keyboard_layouts
I already got a lab installed with v2, is v3 will use it ?
Sorry no, the v3 of GOAD doesn't look for already installed lab. Best way to migrate is trash your old lab and build a new one.
Can i use goad to create a course for my student ?
Sure GOAD is a GPL project. Feel free to reuse it to give course.
"},{"location":"references/","title":"References","text":"\ud83d\udea7 TODO
"},{"location":"thx/","title":"Special Thanks to","text":" Julien Arrault (Azure recipes) Thomas Rollain (tests & some vulns writing) Quentin Galliou (tests) "},{"location":"thx/#enterprise","title":"Enterprise","text":""},{"location":"troobleshoot/","title":"troubleshoot","text":"Tip
In most case if you get errors during install, don't think. Select the failed instance \u0300load <instance_id> and just replay the install with provision_lab to relaunch all or provision_lab_from <playbook> if you know the last failed playbook (most of the errors which could came up are due to windows latency during installation, wait few minutes and replay the install)
\ud83d\udea7 TODO refresh me with new goad version :)
"},{"location":"troobleshoot/#vagrant-up-winrm-digest-initialization-failed-initialization-error","title":"vagrant up - WinRM - digest initialization failed : Initialization Error","text":"DC01: WinRM username: vagrant\nDC01: WinRM execution_time_limit: PT2H\nDC01: WinRM transport: negotiate\nAn error occurred executing a remote WinRM command.\n\nShell: Cmd\nCommand: hostname\nMessage: Digest initialization failed: initialization error\n<internal:/usr/lib/ruby/vendor_ruby/rubygems/core_ext/kernel_require.rb>:85:in `require': cannot load such file -- winrm (LoadError)\n from <internal:/usr/lib/ruby/vendor_ruby/rubygems/core_ext/kernel_require.rb>:85:in `require'\n from /usr/share/rubygems-integration/all/gems/vagrant-2.3.4/plugins/communicators/winrm/shell.rb:9:in `block in <top (required)>'\n from /usr/share/rubygems-integration/all/gems/vagrant-2.3.4/lib/vagrant/util/silence_warnings.rb:8:in `silence!'\n solution : gem install winrmgem install winrm-fs "},{"location":"troobleshoot/#vagrant-up-cannot-load-such-file-winrm-elevated-loaderror","title":"vagrant up - cannot load such file -- winrm-elevated (LoadError)","text":"<internal:/usr/lib/ruby/vendor_ruby/rubygems/core_ext/kernel_require.rb>:85:in `require': cannot load such file -- winrm-elevated (LoadError)\n from <internal:/usr/lib/ruby/vendor_ruby/rubygems/core_ext/kernel_require.rb>:85:in `require'\n from /usr/share/rubygems-integration/all/gems/vagrant-2.3.4/plugins/communicators/winrm/shell.rb:12:in `<top (required)>'\n ...\n solution : gem install winrm-elevated "},{"location":"troobleshoot/#ansible-persistent-unreachable-error","title":"ansible persistent \"unreachable error\"","text":""},{"location":"troobleshoot/#the-naming-context-specified-for-this-replication-operation-is-invalid","title":"The naming context specified for this replication operation is invalid","text":"TASK [groups_domains : synchronizes all domains] *******************************************************************************************************************************************************************************************************************************\nchanged: [dc03]\nchanged: [dc01]\nfatal: [dc02]: FAILED! => {\"changed\": true, \"cmd\": \"repadmin /syncall /Ade\", \"delta\": \"0:00:01.090773\", \"end\": \"2023-10-18 09:30:26.016579\", \"msg\": \"non-zero return code\", \"rc\": 1, \"start\": \"2023-10-18 09:30:24.925805\", \"stderr\": \"\", \"stderr_lines\": [], \"stdout\": \"Syncing all NC's held on winterfell.\\r\\r\\nSyncing partition: DC=north,DC=sevenkingdoms,DC=local\\r\\r\\nCALLBACK MESSAGE: Error contacting server CN=NTDS Settings,CN=WINTERFELL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=sevenkingdoms,DC=local (network error): 1722 (0x6ba):\\r\\r\\n The RPC server is unavailable.\\r\\r\\n\\r\\r\\nSyncAll exited with fatal Win32 error: 8440 (0x20f8):\\r\\r\\n The naming context specified for this replication operation is invalid.\\r\\r\\n\", \"stdout_lines\": [\"Syncing all NC's held on winterfell.\", \"\", \"Syncing partition: DC=north,DC=sevenkingdoms,DC=local\", \"\", \"CALLBACK MESSAGE: Error contacting server CN=NTDS Settings,CN=WINTERFELL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=sevenkingdoms,DC=local (network error): 1722 (0x6ba):\", \"\", \" The RPC server is unavailable.\", \"\", \"\", \"\", \"SyncAll exited with fatal Win32 error: 8440 (0x20f8):\", \"\", \" The naming context specified for this replication operation is invalid.\", \"\"]}\n==> GOAD-SRV03: Configuring and enabling network interfaces...\nVagrant can't use the requested machine because it is locked! This\nmeans that another Vagrant process is currently reading or modifying\nthe machine. Please wait for that Vagrant process to end and try\nagain. Details about the machine are shown below:\nAn exception occurred during task execution. To see the full traceback, use -vvv. The error was: at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.BeginProcessing()\nfailed: [dc02] (item={'key': 'AcrossTheSea', 'value': ['essos.local\\\\daenerys.targaryen']}) => {\"ansible_loop_var\": \"item\", \"attempts\": 3, \"changed\": false, \"item\": {\"key\": \"AcrossTheSea\", \"value\": [\"essos.local\\\\daenerys.targaryen\"]}, \"msg\": \"Unhandled exception while executing module: The server has rejected the client credentials.\"}\n something go wrong with the trust, all the links are not fully establish wait several minutes and relaunch the install "},{"location":"troobleshoot/#groups-domain-error","title":"Groups domain error","text":" something go wrong with the trust, all the links are not fully establish wait several minutes and relaunch the playbook i really don't know why this append time to time on installation, if you want to investigate and resolve the issue please tell me how. An exception occurred during task execution. To see the full traceback, use -vvv. The error was: at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.BeginProcessing()\nfailed: [192.168.56.xx] (item={'key': 'DragonsFriends', 'value': ['sevenkingdoms.local\\\\tyron.lannister', 'essos.local\\\\daenerys.targaryen']}) => {\"ansible_loop_var\": \"item\", \"attempts\": 3, \"changed\": false, \"item\": {\"key\": \"DragonsFriends\", \"value\": [\"north.sevenkingdoms.local\\\\jon.snow\", \"sevenkingdoms.local\\\\tyron.lannister\", \"essos.local\\\\daenerys.targaryen\"]}, \"msg\": \"Unhandled exception while executing module: Either the target name is incorrect or the server has rejected the client credentials.\"}\n You got an \"Add-Warning\" error during the user installation. Upgrade to community.windows galaxy >= 1.11.0 relaunch the ansible playbooks. An exception occurred during task execution. To see the full traceback, use -vvv. The error was: at , : line 475\nfailed: [192.168.56.11] (item={'key': 'arya.stark', 'value': {'firstname': 'Arya', 'surname': 'Stark',\n...\n\"msg\": \"Unhandled exception while executing module: The term 'Add-Warning' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.\"}+\n If you got this kind of error you got an ansible.windows version >= 1.11.0 This version add the parameter AcceptLicense but it is accepted only for PowerShellGet module >= 1.6.0 and this one is not embedded in the vms. Please keep version 1.11.0 and update the lab to get the fix for the PowerShellGet Module version. fatal: [xxx]: FAILED! => {\n \"changed\": false,\n \"msg\": \"Problems installing XXXX module: A parameter cannot be found that matches parameter name 'AcceptLicense'.\",\n \"nuget_changed\": false,\n \"output\": \"\",\n \"repository_changed\": false\n}\nERROR! no action detected in task. This often indicates a misspelled module name, or incorrect module path.\n\nThe error appears to have been in '/home/hrrb0032/Documents/mission/GOAD/roles/domain_controller/tasks/main.yml': line 8, column 3, but maybe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n- name: disable enhanced exit codes\n^ here\nsolution : upgrade Ansible
"},{"location":"troobleshoot/#old-ansiblewindows-version","title":"old ansible.windows version","text":"ERROR! couldn't resolve module/action 'win_powershell'. This often indicates a misspelling, missing collection, or incorrect module path.\nPLAY [DC01 - kingslanding] *******************************************************\n\n\n\nTASK [Gathering Facts] ***********************************************************\nfatal: [192.168.56.10]: FAILED! => {\"msg\": \"winrm or requests is not installed: No module named winrm\"}\n\n\n\nPLAY RECAP ***********************************************************************\n192.168.56.10 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0 \nsolution : pip install pywinrm
"},{"location":"troobleshoot/#winrm-send-input-timeout","title":"winrm send input timeout","text":"TASK [Gathering Facts] ****************************************************************************************************************************************************\n[WARNING]: ERROR DURING WINRM SEND INPUT - attempting to recover: WinRMOperationTimeoutError\nok: [192.168.56.11]\nsolution : wait or if crashed then re-run install
"},{"location":"troobleshoot/#domain-controller-ensure-users-are-present","title":"Domain controller : ensure Users are present","text":"
TASK [domain_controller : Ensure that Users presents in ou=<kingdom>,dc=SEVENKINGDOMS,dc=local] ***************************************************************************\nAn exception occurred during task execution. To see the full traceback, use -vvv. The error was: at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()\nfailed: [192.168.56.10] (item={u'key': u'lord.varys', u'value': {u'city': u\"King's Landing\", u'password': u'_W1sper_$', u'name': u'Lord Varys', u'groups': u'Small Council', u'path': u'OU=Users,OU=Crownlands,OU=kingdoms,DC=SEVENKINGDOMS,DC=local'}}) => {\"ansible_loop_var\": \"item\", \"changed\": false, \"item\": {\"key\": \"lord.varys\", \"value\": {\"city\": \"King's Landing\", \"groups\": \"Small Council\", \"name\": \"Lord Varys\", \"password\": \"_W1sper_$\", \"path\": \"OU=Users,OU=Crownlands,OU=kingdoms,DC=SEVENKINGDOMS,DC=local\"}}, \"msg\": \"Unhandled exception while executing module: An unspecified error has occurred\"}\nTASK [mssql : Install the database]\nfatal: [192.168.56.22]: FAILED! => {\"attempts\": 3, \"changed\": true, \"cmd\": \"c:\\\\setup\\\\mssql\\\\sql_installer.exe /configurationfile=c:\\\\setup\\\\mssql\\\\sql_conf.ini /IACCEPTSQLSERVERLICENSETERMS /MEDIAPATH=c:\\\\setup\\\\mssql\\\\media /QUIET /HIDEPROGRESSBAR\", \"delta\": \"0:00:34.891185\", \"end\": \"2022-08-17 21:26:53.976793\", \"msg\": \"non-zero return code\", \"rc\": 2226323458, \"start\": \"2022-08-17 21:26:19.085608\", \"stderr\": \"\", \"stderr_lines\": [], \"stdout\": \"Microsoft (R) SQL Server Installer\\r\\nCopyright (c) 2019 Microsoft. All rights reserved.\\r\\n\\r\\nDownloading install package...\\r\\n\\r\\n\\r\\nOperation finished with result: Failure\\r\\n\\r\\nOops...\\r\\n\\r\\nUnable to install SQL Server (setup.exe).\\r\\n\\r\\n Exit code (Decimal): -2068643838\\r\\n Exit message: No features were installed during the setup execution. The requested features may already be installed. Please review the summary.txt log for further details.\\r\\n\\r\\n SQL SERVER INSTALL LOG FOLDER\\r\\n c:\\\\Program Files\\\\Microsoft SQL Server\\\\150\\\\Setup Bootstrap\\\\Log\\\\20220817_142624\\r\\n\\r\\n\", \"stdout_lines\": [\"Microsoft (R) SQL Server Installer\", \"Copyright (c) 2019 Microsoft. All rights reserved.\", \"\", \"Downloading install package...\", \"\", \"\", \"Operation finished with result: Failure\", \"\", \"Oops...\", \"\", \"Unable to install SQL Server (setup.exe).\", \"\", \" Exit code (Decimal): -2068643838\", \" Exit message: No features were installed during the setup execution. The requested features may already be installed. Please review the summary.txt log for further details.\", \"\", \" SQL SERVER INSTALL LOG FOLDER\", \" c:\\\\Program Files\\\\Microsoft SQL Server\\\\150\\\\Setup Bootstrap\\\\Log\\\\20220817_142624\", \"\"]}\nsolution : re-run installer
"},{"location":"troobleshoot/#vagrant-not-working-on-ubuntu-2204","title":"vagrant: Not working on Ubuntu 22.04","text":"I was using the version of Vagrant in the Ubuntu repo, and then tried to use the version 2.4.0 and 2.3.4 binaries from hashicorp, but kept on running into this error:
The guest machine entered an invalid state while waiting for it\nto boot. Valid states are 'starting, running'. The machine is in the\n'poweroff' state. Please verify everything is configured\nproperly and try again.\n\nIf the provider you're using has a GUI that comes with it,\nit is often helpful to open that and watch the machine, since the\nGUI often has more helpful error messages than Vagrant can retrieve.\nFor example, if you're using VirtualBox, run `vagrant up` while the\nVirtualBox GUI is open.\n\nThe primary issue for this error is that the provider you're using\nis not properly configured. This is very rarely a Vagrant issue.\nThe error may look similar to below:
==> proxmox-iso.windows: Error creating VM: error creating VM: 403 Permission check failed (/sdn/zones/localnetwork/vmbr3/10, SDN.Use), \nerror status: {\"data\":null} (params: ......\nIt may be fixed by delegating the SDN.Use privilege to the packer user
pveum role modify Packer -privs \"VM.Config.Disk VM.Config.CPU VM.Config.Memory Datastore.AllocateTemplate Datastore.Audit Datastore.AllocateSpace Sys.Modify VM.Config.Options VM.Allocate VM.Audit VM.Console VM.Config.CDROM VM.Config.Cloudinit VM.Config.Network VM.PowerMgmt VM.Config.HWType VM.Monitor SDN.Use\"\nThe error may look similar to below:
root@goadprovisioning:~/GOAD/packer/proxmox# packer build -var-file=windows_server2019_proxmox_cloudinit.pkvars.hcl .\nproxmox-iso.windows: output will be in this color.\n\n==> proxmox-iso.windows: Retrieving additional ISO\n==> proxmox-iso.windows: Trying ./iso/Autounattend_winserver2019_cloudinit.iso\n==> proxmox-iso.windows: Trying ./iso/Autounattend_winserver2019_cloudinit.iso?checksum=sha256%3A43857cb780de3a58696285f644034499d4b29608b3c511feb27e315832b696c4\n==> proxmox-iso.windows: ./iso/Autounattend_winserver2019_cloudinit.iso?checksum=sha256%3A43857cb780de3a58696285f644034499d4b29608b3c511feb27e315832b696c4 => /root/GOAD/packer/proxmox/iso/Autounattend_winserver2019_cloudinit.iso\n proxmox-iso.windows: Uploaded ISO to local:iso/Autounattend_winserver2019_cloudinit.iso\n==> proxmox-iso.windows: Creating VM\n==> proxmox-iso.windows: No VM ID given, getting next free from Proxmox\n==> proxmox-iso.windows: Error creating VM: error creating VM: unable to create VM 103 - unsupported format 'qcow2' at /usr/share/perl5/PVE/Storage/LvmThinPlugin.pm line 87., error status: (params: map[agent:1 args: boot: cores:2 cpu:kvm64 description:Packer ephemeral build VM hotplug: ide2:local:iso/windows_server_2019.iso,media=cdrom kvm:true machine: memory:4096 name:WinServer2019x64-cloudinit-qcow2 net0:virtio=5E:5D:24:C4:0F:DA,bridge=vmbr3,tag=10 numa:false onboot:false ostype:win10 pool:GOAD sata0:vms:40,discard=ignore,format=qcow2 scsihw:lsi sockets:1 startup: tags: vmid:103])......\nFilesystems such as ZFS (and others) do not support qcow2. From my reading the best approach is to use an ext4 filesystem and modify config.auto.pkrvars.hcl with the newly created ext4 volume.
root@goadprovisioning:~/GOAD/packer/proxmox# vi config.auto.pkrvars.hcl\n...\nproxmox_vm_storage = \"ext4-qcow2\"\n...\nroot@goadprovisioning:~/GOAD/packer/proxmox# packer build -var-file=windows_server2019_proxmox_cloudinit.pkvars.hcl .\nproxmox-iso.windows: output will be in this color.\n\n==> proxmox-iso.windows: Retrieving additional ISO\n==> proxmox-iso.windows: Trying ./iso/Autounattend_winserver2019_cloudinit.iso\n==> proxmox-iso.windows: Trying ./iso/Autounattend_winserver2019_cloudinit.iso?checksum=sha256%3A43857cb780de3a58696285f644034499d4b29608b3c511feb27e315832b696c4\n==> proxmox-iso.windows: ./iso/Autounattend_winserver2019_cloudinit.iso?checksum=sha256%3A43857cb780de3a58696285f644034499d4b29608b3c511feb27e315832b696c4 => /root/GOAD/packer/proxmox/iso/Autounattend_winserver2019_cloudinit.iso\n proxmox-iso.windows: Uploaded ISO to local:iso/Autounattend_winserver2019_cloudinit.iso\n==> proxmox-iso.windows: Creating VM\n==> proxmox-iso.windows: No VM ID given, getting next free from Proxmox\n==> proxmox-iso.windows: Starting VM\n another solution is to switch to raw : proxmox_vm_storage = \"raw\" "},{"location":"troobleshoot/#proxmox-packer-error-creating-vm-volume-localisowindows_xxxiso-does-not-exist","title":"proxmox - packer error creating vm : volume 'local:iso/windows_XXX.iso' does not exist","text":"==> proxmox-iso.windows: Error creating VM: error creating VM: unable to create VM 116 - volume 'local:iso/windows_server2019_XXX_en-us.iso' does not exist, error status: (params: map[agent:1 args: boot: cores:2 cpu:kvm64 description:Packer ephemeral build VM hotplug\n: ide2:local:iso/windows_server2019_XXX_en-us.iso,media=cdrom kvm:true machine: memory:4096 name:WinServer2019x64-cloudinit-qcow2-uptodate net0:virtio=DA:CB:EB:85:08:0E,bridge=vmbr3,tag=10,firewall=false onboot:false ostype:win10 pool:Templates sata0:local:80,format=q\ncow2 scsihw:lsi sockets:1 startup: tags: vmid:116]) \nverify your iso files inside proxmox and be sure the iso you want to use exist in proxmox
"},{"location":"troobleshoot/#ansible-adapter-name-error","title":"ansible adapter name error","text":"No MSFT_NetAdapter objects found with property 'Name' equal to 'Ethernet'\n\nor \n\nNo MSFT_NetAdapter objects found with property 'Name' equal to 'Ethernet2 '\n connect to the vm and run ipconfig, verify the adapter name are the same as described in the inventory file. if not change them to match the inventory name in the vm. "},{"location":"troobleshoot/#unreachable-proxmox-ansible","title":"unreachable - proxmox, ansible","text":"fatal: [dc01]: UNREACHABLE! => {\"changed\": false, \"msg\": \"ssl: HTTPSConnectionPool(host='192.168.10.40', port=5986): Max retries exceeded with url: /wsman\n may be the vm is not well ready after the terraform creation. retry the install. if you still get the error connect to the vm and verify the static ip is corresponding with the one expect. "},{"location":"vulnerabilities/","title":"Vulnerabilities","text":"vulnerabilities
"},{"location":"developpers/provisioning/","title":"Provisioning","text":""},{"location":"developpers/provisioning/#provisioning","title":"Provisioning","text":" The provisioning is always done with ansible, more detail on the ansible provisioning here : Ansible provisioning "},{"location":"developpers/structure/","title":"Structure","text":""},{"location":"developpers/structure/#lab-organization","title":"Lab organization","text":" The lab configuration is located on the ad/ folder Each Ad folder correspond to a lab and contains the following files : ad/\n labname/ # The lab name must be the same as the variable : domain_name from the data/inventory\n data/\n config.json # The json file containing all the variables and configuration of the lab\n inventory # The global lab inventory (provider independent) (this should no contains variables)\n files/ # This folder contains files you want to copy on your vms\n scripts/ # This folder contains ps1 scripts you want to play on your vm (Must be added in the \"scripts\" entries of your vms)\n providers/ # Your lab available provider\n vmware/\n inventory # specific vmware inventory\n Vagrantfile # specific vmware vagrantfile\n virtualbox/\n inventory # specific virtualbox inventory\n Vagrantfile # specific virtualbox vagrantfile\n proxmox/\n terraform/ # specific proxmox terraform recipe\n inventory # specific proxmox inventory\n azure/\n terraform/ # specific azure terraform recipe\n inventory # specific azure inventory\n exchange : Add an exchange to GOAD or GOAD-Light lab ws01 : Add an hardened workstation to GOAD or GOAD-Light lab wazuh : Add wazuh EDR to visualize alerts elk : Add an ELK to collect and read the logs "},{"location":"extensions/elk/","title":"elk","text":"\ud83d\udea7 TODO rewrite and retest for v3
"},{"location":"extensions/elk/#elk_1","title":"elk","text":" elk a kibana is configured on http://192.168.56.50:5601 to follow the lab events infos : log encyclopedia : https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/ the elk is not installed by default due to resources reasons.
prerequistes:
you need sshpass for the elk installation
sudo apt install sshpass\n Chocolatey is needed to use elk. To install it run:
cd ansible-galaxy\nansible-galaxy collection install chocolatey.chocolatey \n "},{"location":"extensions/exchange/","title":"exchange","text":"Thanks!
Credits and huge thanks to aleemladha for his exchange role and his help to test the extension.
Extension name : exchange Compatibility : GOAD, GOAD-Light Providers : virtualbox/azure/vmware/aws/ludus/proxmox Add a machine : srv01 (the-eyrie.sevenkingdoms.local) (ip_range.21) resources
Exchange is really HUGE, it will add a vm with at least 12Gb of RAM be sure your computer support it before install
impacts
Modify the ad schema and add a computer (warning the exchange machine is really heavy)
"},{"location":"extensions/exchange/#prerequisites","title":"Prerequisites","text":" GOAD or GOAD-Light installation "},{"location":"extensions/exchange/#installation","title":"Installation","text":""},{"location":"extensions/wazuh/","title":"wazuh","text":"Thanks!
Credits and huge thanks to aleemladha for the ansible role. https://github.com/Orange-Cyberdefense/GOAD/pull/215
Extension name : wazuh Description : Add wazuh free EDR server and agent on all the domain computers + soc fortress rules (https://github.com/socfortress/Wazuh-Rules) Compatibility : * Providers : virtualbox/azure/vmware/aws/ludus Add a machine : wazuh (ip_range.51) impacts
add a wazuh machine and a wazuh agent on all windows machine\"
"},{"location":"extensions/wazuh/#prerequisites","title":"Prerequisites","text":""},{"location":"extensions/wazuh/#installation","title":"Installation","text":""},{"location":"extensions/ws01/","title":"ws01","text":"\ud83d\udea7 TODO
"},{"location":"installation/","title":"\ud83d\ude80 Installation","text":"In the last version, GOAD use no more bash for the installation/management script. The goad management script is now written in python to permit more flexibility and cover the needs to create a Windows WSL support.
First prepare you system for GOAD execution:
Installation depend of the provider you use, please follow the appropriate guide :
Install with Virtualbox Install with VmWare Install with Proxmox Install with Azure Install with Aws \ud83c\udfdf\ufe0f Install with Ludus "},{"location":"installation/#tldr-quick-install","title":"TLDR - quick install","text":"TLDR : ubuntu 22.04 quick install # Install vbox\nsudo apt install virtualbox\n\n# Install vagrant\nwget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg\necho \"deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main\" | sudo tee /etc/apt/sources.list.d/hashicorp.list\nsudo apt update && sudo apt install vagrant\n\n# Install Vagrant plugins\nvagrant plugin install vagrant-reload vagrant-vbguest winrm winrm-fs winrm-elevated\n\n# Add some dependencies\nsudo apt install sshpass lftp rsync openssh-client python3.10-venv\n\ngit clone https://github.com/Orange-Cyberdefense/GOAD.git\ncd GOAD\n# verify installation\n./goad.sh -t check -l GOAD -p virtualbox\n\n# install\n./goad.sh -t install -l GOAD -p virtualbox\n\n# launch goad in interactive mode\n./goad.sh\n Installation is in three parts :
Templating : this will create the template to use (needed only for proxmox and ludus) Providing : this will instantiate the virtual machines depending on your provider Provisioning : it is always made with ansible, it will install all the stuff to create the lab GOAD script cover the providing and provisioning part
The install script take multiple parameters:
-p : the provider to use (vmware/virtualbox/proxmox/ludus/azure/aws)-l : the lab to install (GOAD/GOAD-Light/SCCM/NHA/MINILAB)-m : the method of installation (local/runner/docker/remote), most of the time don't change it-ip : the ip range to use The easy way is just launch ./goad.sh and use help ?in the interactive prompt
"},{"location":"installation/#configuration-files","title":"Configuration files","text":""},{"location":"installation/#homegoadgoadini","title":"$HOME/.goad/goad.ini","text":" On the first launch goad create a global configuration file at : $HOME/.goad/goad.ini this file contains some default configuration and some parameters needed by some providers.
If you change the [default] config it will change the default selection when goad start
Others configurations are related to specific providers [default]\n; lab: goad / goad-light / minilab / nha / sccm\nlab = GOAD\n; provider : virtualbox / vmware / aws / azure / proxmox\nprovider = vmware\n; provisioner method : local / remote\nprovisioner = local\n; ip_range (3 first ip digits)\nip_range = 192.168.56\n\n[aws]\naws_region = eu-west-3\naws_zone = eu-west-3c\n\n[azure]\naz_location = westeurope\n\n[proxmox]\npm_api_url = https://192.168.1.1:8006/api2/json\npm_user = infra_as_code@pve\npm_node = GOAD\npm_pool = GOAD\npm_full_clone = false\npm_storage = local\npm_vlan = 10\npm_network_bridge = vmbr3\npm_network_model = e1000\n\n[proxmox_templates_id]\nwinserver2019_x64 = 102\nwinserver2016_x64 = 103\nwinserver2019_x64_utd = 104\nwindows10_22h2_x64 = 105\n\n[ludus]\n; api key must not have % if you have a % in it, change it by a %%\nludus_api_key = change_me\nuse_impersonation = yes\n Goad got a global configuration file : globalsettings.ini used by the ansible provisioning This file is an ansible inventory file. This file is always added at the end of the ansible inventory file list so you can override values here You can change it before running the installation to modify : keyboard_layouts proxy configuration add a route to the vm change the default dns_forwarder disable ssl for winrm communication "},{"location":"installation/linux/","title":"Linux","text":" First you will prepare your host for an hypervisor Second you will prepare your python environment "},{"location":"installation/linux/#prepare-your-hypervisor","title":"Prepare your hypervisor","text":"Virtualbox Vmware workstation Azure Aws Proxmox\ud83c\udfdf\ufe0f Ludus Disk space
The lab takes about 77GB (but you have to get the space for the vms vagrant images windows server 2016 (22GB) / windows server 2019 (14GB) / ubuntu 18.04 (502M)) The total space needed for the lab is ~115 GB (depend on the lab you use and it will take more space if you take snapshots), be sure you have enough disk space before install.
RAM
Depending on the lab you will need a lot of ram to run all the virtual machines. Be sure to have at least 20GB for GOAD-Light and 24GB for GOAD.
Tip
Vmware workstation is now free for personal use !
Vagrant
In order to download vm and create them on virtualbox you need to install vagrant https://developer.hashicorp.com/vagrant/install#linux Vmware workstation
Install vmware workstation https://support.broadcom.com/group/ecx/productdownloads?subfamily=VMware+Workstation+Pro Install vagrant vmware utility : https://developer.hashicorp.com/vagrant/install/vmware
Install the following vagrant plugins:
vagrant plugin install vagrant-reload vagrant-vmware-desktop winrm winrm-fs winrm-elevated\n Disk space
The lab takes about 77GB (but you have to get the space for the vms vagrant images windows server 2016 (22GB) / windows server 2019 (14GB) / ubuntu 18.04 (502M)) The total space needed for the lab is ~115 GB (depend on the lab you use and it will take more space if you take snapshots), be sure you have enough disk space before install.
RAM
Depending on the lab you will need a lot of ram to run all the virtual machines. Be sure to have at least 20GB for GOAD-Light and 24GB for GOAD.
Azure CLI Install azure cli https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-linux Connect to azure : az login\n Terraform The installation to Azure use terraform so you will have to install it: https://developer.hashicorp.com/terraform/install AWS CLI
Install aws cli https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html#getting-started-install-instructions Create an aws access key and secret for goad usage
credentials in plain text
Storing credentials in plain text is always a bad idea, but aws cli work like that be sure to restrain the right access to this file
Terraform
The installation to Aws use terraform so you will have to install it: https://developer.hashicorp.com/terraform/install Proxmox install is very complex and use a lot of steps A complete guide to proxmox installation is available here : https://mayfly277.github.io/categories/proxmox/ To add GOAD on Ludus please use goad directly on the server. By now goad can work only directly on the server and not from a workstation client.
Install Ludus : https://docs.ludus.cloud/docs/quick-start/install-ludus/
Be sure to create an administrator user and keep his api key
Once your installation is complete on ludus server (debian 12) and your user is created do :
git clone https://github.com/Orange-Cyberdefense/GOAD.git\ncd GOAD\nsudo apt install python3.11-venv\n./goad.sh\n...>exit\nvim ~/.goad/goad.ini # add the api_key in the config file (keep impersonate to yes and use an admin user)\n./goad.sh -p ludus\n...>set_lab XXX # GOAD/GOAD-Light/NHA/SCCM\n...>install\nsudo apt install python<version>-venv\nsudo apt install python3.10-venv\nPython version
Be sure to use a python version between python3.8 and python 3.11. Others python versions are not supported by now due to incompatibility with the fixed version in the requirements.
"},{"location":"installation/windows/","title":"Windows","text":"Info
To use GOAD on windows you will need WSL.
First you will prepare your windows host for an hypervisor Second you will install debian 12 with WSL to run goad install script "},{"location":"installation/windows/#prepare-windows-host","title":"Prepare Windows Host","text":"Virtualbox Vmware Workstation Aws Azure Promox\ud83c\udfdf\ufe0f Ludus If you want to use virtualbox as an hypervisor to create your vm.
VAGRANT
If you want to create the lab on your windows computer you will need vagrant. Vagrant will be responsible to automate the process of vm download and creation.
Download and install visual c++ 2019 : https://aka.ms/vs/17/release/vc_redist.x64.exe Install vagrant : https://developer.hashicorp.com/vagrant/install Virtualbox
vagrant.exe plugin install vagrant-reload vagrant-vbguest winrm winrm-fs winrm-elevated\n Disk space
The lab takes about 77GB (but you have to get the space for the vms vagrant images windows server 2016 (22GB) / windows server 2019 (14GB) / ubuntu 18.04 (502M)) The total space needed for the lab is ~115 GB (depend on the lab you use and it will take more space if you take snapshots), be sure you have enough disk space before install.
RAM
Depending on the lab you will need a lot of ram to run all the virtual machines. Be sure to have at least 20GB for GOAD-Light and 24GB for GOAD.
If you want to use vmware workstation as an hypervisor to create your vm.
Tip
Vmware workstation is now free for personal use !
VAGRANT
If you want to create the lab on your windows computer you will need vagrant. Vagrant will be responsible to automate the process of vm download and creation.
Download and install visual c++ 2019 : https://aka.ms/vs/17/release/vc_redist.x64.exe Install vagrant : https://developer.hashicorp.com/vagrant/install Vmware Workstation
Install vmware workstation : https://support.broadcom.com/group/ecx/productdownloads?subfamily=VMware+Workstation+Pro vmware workstation install bug
if you got an error about groups and permission during vmware workstation install consider running this in an administrator cmd prompt:
net localgroup /add \"Users\"\nnet localgroup /add \"Authenticated Users\"\nvagrant.exe plugin install vagrant-reload vagrant-vmware-desktop winrm winrm-fs winrm-elevated\n Disk space
The lab takes about 77GB (but you have to get the space for the vms vagrant images windows server 2016 (22GB) / windows server 2019 (14GB) / ubuntu 18.04 (502M)) The total space needed for the lab is ~115 GB (depend on the lab you use and it will take more space if you take snapshots), be sure you have enough disk space before install.
RAM
Depending on the lab you will need a lot of ram to run all the virtual machines. Be sure to have at least 20GB for GOAD-Light and 24GB for GOAD.
Nothing to prepare on windows host, install and prepare wsl and next follow linux install from your wsl console : see aws linux install
Nothing to prepare on windows host, install and prepare wsl and next linux install from your wsl console see azure linux install
Not supported, you will have to create a provisioning machine on your proxmox and run goad from then (see proxmox linux install)
Not supported, you will have to act from your ludus server (see ludus linux install)
"},{"location":"installation/windows/#prepare-wsl-environment","title":"Prepare WSL environment","text":"Now your host environment is ready for virtual machine creation. Now we will install WSL to run the goad installation script.
"},{"location":"installation/windows/#install-wsl","title":"Install WSL","text":" First install wsl on your environment https://learn.microsoft.com/en-us/windows/wsl/install Next go to the microsoft store and install debian (debian12) "},{"location":"installation/windows/#prepare-wsl-distribution","title":"Prepare WSL distribution","text":" cd /mnt/c/whatever_folder_you_want\ngit clone https://github.com/Orange-Cyberdefense/GOAD.git\ncd GOAD\n./goad.sh\n Practice lab(s) :
GOAD : 5 vms, 2 forests, 3 domains (full goad lab) GOAD-Light : 3 vms, 1 forest, 2 domains (smaller goad lab for those with a smaller pc) SCCM : 4 vms, 1 forest, 1 domain, with microsoft configuration manager installed Challenge lab :
NHA : A challenge with 5 vms and 2 domains. no schema provided, you will have to find out how break it. POC lab :
MINILAB: 2 vms, 1 forest, 1 domain (basic lab with one DC (windows server 2019) and one Workstation (windows 10)) "},{"location":"labs/GOAD-Light/","title":"GOAD-Light","text":"This is a light version of goad without the essos domain. This lab was build for computer with less performance (min ~20GB).
Missing scenarios:
cross forest exploitation (no more external forest) mssql trusted link some old computer vulnerabilities (zero logon, petitpotam unauthent,...) ESC4, ESC2/3 "},{"location":"labs/GOAD-Light/#servers","title":"Servers","text":"This lab is actually composed of five virtual machines:
domain : sevenkingdoms.local
kingslanding : DC01 running on Windows Server 2019 (with windefender enabled by default) domain : north.sevenkingdoms.local
winterfell : DC02 running on Windows Server 2019 (with windefender enabled by default) castelblack : SRV02 running on Windows Server 2019 (with windefender disabled by default) "},{"location":"labs/GOAD-Light/#usersgroups-and-associated-vulnerabilitesscenarios","title":"Users/Groups and associated vulnerabilites/scenarios","text":" You can find a lot of the available scenarios on https://mayfly277.github.io/categories/ad/ NORTH.SEVENKINGDOMS.LOCAL
STARKS: RDP on WINTERFELL AND CASTELBLACK arya.stark: Execute as user on mssql eddard.stark: DOMAIN ADMIN NORTH/ (bot 5min) LLMRN request to do NTLM relay with responder catelyn.stark: robb.stark: bot (3min) RESPONDER LLMR sansa.stark: brandon.stark: ASREP_ROASTING rickon.stark: theon.greyjoy: jon.snow: mssql admin / KERBEROASTING / group cross domain / mssql trusted link hodor: PASSWORD SPRAY (user=password) NIGHT WATCH: RDP on CASTELBLACK samwell.tarly: Password in ldap description / mssql execute as login GPO abuse (Edit Settings on \"STARKWALLPAPER\" GPO) jon.snow: (see starks) jeor.mormont: (see mormont) MORMONT: RDP on CASTELBLACK jeor.mormont: ACL writedacl-writeowner on group Night Watch AcrossTheSea : cross forest group SEVENKINGDOMS.LOCAL
LANISTERS tywin.lannister: ACL forcechangepassword on jaime.lanister jaime.lannister: ACL genericwrite-on-user joffrey.baratheon tyron.lannister: ACL self-self-membership-on-group Small Council cersei.lannister: DOMAIN ADMIN SEVENKINGDOMS BARATHEON: RDP on KINGSLANDING robert.baratheon: DOMAIN ADMIN SEVENKINGDOMS joffrey.baratheon: ACL Write DACL on tyron.lannister renly.baratheon: stannis.baratheon: ACL genericall-on-computer kingslanding / ACL writeproperty-self-membership Domain Admins SMALL COUNCIL : ACL add Member to group dragon stone / RDP on KINGSLANDING petyer.baelish: ACL writeproperty-on-group Domain Admins lord.varys: ACL genericall-on-group Domain Admins / Acrossthenarrossea maester.pycelle: ACL write owner on group Domain Admins DRAGONSTONE : ACL Write Owner on KINGSGUARD KINGSGUARD : ACL generic all on user stannis.baratheon AccorsTheNarrowSea: cross forest group "},{"location":"labs/GOAD-Light/#computers-users-and-group-permissions","title":"Computers Users and group permissions","text":" SEVENKINGDOMS
DC01 : kingslanding.sevenkingdoms.local (Windows Server 2019) (SEVENKINGDOMS DC) Admins : robert.baratheon (U), cersei.lannister (U) RDP: Small Council (G) NORTH
DC02 : winterfell.north.sevenkingdoms.local (Windows Server 2019) (NORTH DC)
Admins : eddard.stark (U), catelyn.stark (U), robb.stark (U) RDP: Stark(G) SRV02 : castelblack.essos.local (Windows Server 2019) (IIS, MSSQL, SMB share)
Admins: jeor.mormont (U) RDP: Night Watch (G), Mormont (G), Stark (G) IIS : allow asp upload, run as NT Authority/network MSSQL: admin : jon.snow impersonate : execute as login : samwel.tarlly -> sa execute as user : arya.stark -> dbo "},{"location":"labs/GOAD/","title":"GOAD","text":"GOAD is the first and main lab of this project. It contains 3 domains and 2 forest.
"},{"location":"labs/GOAD/#servers","title":"Servers","text":"This lab is actually composed of five virtual machines:
domain sevenkingdoms.local
kingslanding : DC01 running on Windows Server 2019 (with windefender enabled by default) domain north.sevenkingdoms.local
winterfell : DC02 running on Windows Server 2019 (with windefender enabled by default) castelblack : SRV02 running on Windows Server 2019 (with windefender disabled by default) domain essos.local
meereen : DC03 running on Windows Server 2016 (with windefender enabled by default) braavos : SRV03 running on Windows Server 2016 (with windefender enabled by default) "},{"location":"labs/GOAD/#writeup","title":"WRITEUP","text":" All the writeups of the Game Of Active Directory lab are available on mayfly's blog : https://mayfly277.github.io/categories/goad/ "},{"location":"labs/GOAD/#computers-users-and-group-permissions","title":"Computers Users and group permissions","text":""},{"location":"labs/GOAD/#usersgroups-and-associated-scenarios","title":"Users/Groups and associated scenarios","text":" Graph of some scenarios is available here : NORTH.SEVENKINGDOMS.LOCAL
STARKS: RDP on WINTERFELL AND CASTELBLACK arya.stark: Execute as user on mssql, pass on all share eddard.stark: DOMAIN ADMIN NORTH/ (bot 5min) LLMRN request to do NTLM relay with responder catelyn.stark: robb.stark: bot (3min) RESPONDER LLMR / lsass present user sansa.stark: keywalking password / unconstrained delegation brandon.stark: ASREP_ROASTING rickon.stark: pass spray WinterYYYY jon.snow: mssql admin / KERBEROASTING / mssql trusted link hodor: PASSWORD SPRAY (user=password) NIGHT WATCH: RDP on CASTELBLACK samwell.tarly: Password in ldap description / mssql execute as login GPO abuse (Edit Settings on \"STARKWALLPAPER\" GPO) jon.snow: (see starks) jeor.mormont: (see mormont) MORMONT: RDP on CASTELBLACK jeor.mormont: Admin castelblack, pass in sysvol script AcrossTheSea : cross forest group SEVENKINGDOMS.LOCAL
LANISTERS tywin.lannister: ACE forcechangepassword on jaime.lanister, password on sysvol cyphered jaime.lannister: ACE genericwrite-on-user joffrey.baratheon tyron.lannister: ACE self membership on small council cersei.lannister: DOMAIN ADMIN SEVENKINGDOMS BARATHEON: RDP on KINGSLANDING robert.baratheon: DOMAIN ADMIN SEVENKINGDOMS, protected user joffrey.baratheon: ACE Write DACL on tyron.lannister renly.baratheon: WriteDACL on container, sensitive user stannis.baratheon: ACE genericall-on-computer kingslanding SMALL COUNCIL : ACE add Member to group dragon stone / RDP on KINGSLANDING petyer.baelish: lord.varys: ACE genericall-on-group Domain Admins and sdholder maester.pycelle: DRAGONSTONE : ACE Write Owner on group KINGSGUARD KINGSGUARD : ACE generic all on user stannis.baratheon AccorsTheNarrowSea: cross forest group ESSOS.LOCAL
TARGERYEN missande : ASREP roasting, generic all on khal daenerys.targaryen: DOMAIN ADMIN ESSOS viserys.targaryen: ACE write property on jorah.mormont jorah.mormont: mssql execute as login / mssql trusted link / Read LAPS Password DOTHRAKI khal.drogo: mssql admin / GenericAll on viserys (shadow credentials) / GenericAll on ECS4 DragonsFriends: cross forest group Spys: cross forest group / Read LAPS password / ACL generic all jorah.mormont "},{"location":"labs/MINILAB/","title":"MINI lab","text":" The MINI lab is just a sample presented during an Article on the MISC magazine. This is just a simple basic LAB with one DC (windows server 2019) and one Workstation (windows 10) "},{"location":"labs/NHA/","title":"NINJA HACKER ACADEMY","text":" NINJA HACKER ACADEMY (NHA) is written as a training challenge where GOAD was written as a lab with a maximum of vulns. You should find your way in to get domain admin on the 2 domains (academy.ninja.lan and ninja.hack) Starting point is on srv01 : 192.168.58.21
Flags are disposed on each machine, try to grab all. Be careful all the machines are up to date with defender enabled.
Some exploits needs to modify path so this lab is not very multi-players compliant (unless you do it as a team ;)) Obviously do not cheat by looking at the passwords and flags in the recipe files, the lab must start without user to full compromise.
Install :
./goad.sh -t install -l NHA -p virtualbox -m docker\n Once install finish disable vagrant user to avoid using it : ./goad.sh -t disablevagrant -l NHA -p virtualbox -m docker\n Now do a reboot of all the machine to avoid unintended secrets stored : ./goad.sh -t stop -l NHA -p virtualbox -m docker\n./goad.sh -t start -l NHA -p virtualbox -m docker\nAnd you are ready to play ! :)
If you need to re-enable vagrant ./goad.sh -t enablevagrant -l NHA -p virtualbox -m docker\n If you want to create a write up of the chall, no problem, have fun. Please ping me on X (@M4yFly) or Discord, i will be happy to read it :) Tip
No bruteforce, if not in rockyou do not waste your time and your cpu/gpu cycle.
"},{"location":"labs/SCCM/","title":"SCCM lab","text":"Thanks!
Thanks a lot to my colleague Issam (@KenjiEndo15), who start the project and provide me a lot of ansible roles to start from !
"},{"location":"labs/SCCM/#servers","title":"Servers","text":"4 virtual machines with Windows Server 2019
DC : Domain Controler MECM : mecm primary site serer MSSQL : mecm sql server CLIENT : mecm client computer All vms got defender activated
"},{"location":"labs/SCCM/#prerequisites","title":"Prerequisites","text":" The prerequisites for the lab are the same as GOAD lab (virtualbox/vmware, python, ansible,...) The lab take 16GB for the vagrant image + 100GB for the 4 vms The installation take environ 2,5 hours (with fiber connection) The lab download multiple files during the install (windows iso, mecm installation package, mssql installation package, ...), be sure to have a good internet connection. "},{"location":"labs/SCCM/#writeup","title":"Writeup","text":" A writeup on SCCM exploitation is available here : https://mayfly277.github.io/categories/sccm/ "},{"location":"labs/SCCM/#proxmox-installation","title":"proxmox installation","text":" In order to use the proxmox provider follow this : 1) create a template with the windows_server2019_proxmox_cloudinit_uptodate.pkvars.hcl packer file (guide here: https://mayfly277.github.io/posts/GOAD-on-proxmox-part2-packer/) (note the id after the creation)
2) create the variable file (ad/SCCM/providers/proxmox/terraform/variables.tf) by coping the template (ad/SCCM/providers/proxmox/terraform/variables.tf.template) and change the value according to your proxmox environnement
3) on the provisioning computer :
./goad.sh -t check -l SCCM -p proxmox -m local\n./goad.sh -t install -l SCCM -p proxmox -m local\n4) if something goes wrong (restart of the vms during install, etc...), you can rerun only ansible with -a
./goad.sh -t install -l SCCM -p proxmox -m local -a\nThe architecture is slightly different depending on the provider. Please consult the provider you use to understand the behavior.
"},{"location":"providers/aws/","title":"Aws","text":"Thanks!
Thx to @ArnC_CarN for the initial work on the aws provider
The architecture is quite the same than the Azure deployment.
Warning
LLMNR, NBTNS and other poisoning network attacks will not work in aws environment. Only network coerce attacks will work.
"},{"location":"providers/aws/#prerequisites","title":"Prerequisites","text":""},{"location":"providers/aws/#aws-configuration","title":"AWS configuration","text":"You need to configre AWS cli. Use a key with enough privileges on the tenant.
aws configure\n Create an aws access key and secret for goad usage
credentials in plain text
Storing credentials in plain text is always a bad idea, but aws cli work like that be sure to restrain the right access to this file
"},{"location":"providers/aws/#goad-configuration","title":"Goad configuration","text":" The goad configuration file as some options for aws: # ~/.goad/goad.ini\n...\n[aws]\naws_region = eu-west-3\naws_zone = eu-west-3c\n If you want to use a different region and zone you can modify it. "},{"location":"providers/aws/#installation","title":"Installation","text":"# check prerequisites\n./goad.sh -t check -l GOAD -p aws\n# Install\n./goad.sh -t install -l GOAD -p aws\nor from the interactive console :
GOAD/aws/remote/192.168.56.X > install\n You can see the status of the lab with the command status You can also start and stop the lab with the command start and stop "},{"location":"providers/aws/#vms-ami","title":"VMs ami","text":" The vm used for goad are defined in the lab terraform file : ad/<lab>/providers/aws/windows.tf This file is containing information about each vm in use \"dc01\" = {\n name = \"dc01\"\n domain = \"sevenkingdoms.local\"\n windows_sku = \"2019-Datacenter\"\n ami = \"ami-018ebfbd6b0a4c605\"\n instance_type = \"t2.medium\"\n private_ip_address = \"{{ip_range}}.10\"\n password = \"8dCT-DJjgScp\"\n}\n On the installation goad script will create a folder into goad/workspaces/<instance_folder> This folder will contain the terraform scripts and some of the ansible inventories Goad will create the cloud infrastructure with terraform. The lab is created (not provisioned yet) and a \"jumpbox\" vm is also created Next the needed sources will be pushed to the jumpbox using ssh and rsync The jumpbox ssh_key is stored on goad/workspaces/<instance_folder>/ssh_keys The jumpbox is prepared to run ansible The provisioning is launch with ssh remotely on the jumpbox "},{"location":"providers/aws/#install-step-by-step","title":"Install step by step","text":"GOAD/aws/remote/192.168.56.X > create_empty # create empty instance\nGOAD/aws/remote/192.168.56.X > load <instance_id>\nGOAD/aws/remote/192.168.56.X (<instance_id>) > provide # play terraform\nGOAD/aws/remote/192.168.56.X (<instance_id>) > sync_source_jumpbox # sync jumpbox source\nGOAD/aws/remote/192.168.56.X (<instance_id>) > prepare_jumpbox # install dependencies on jumpbox\nGOAD/aws/remote/192.168.56.X (<instance_id>) > provision_lab # run ansible\n To connect to the jumpbox VM you can use ssh_jumpbox in the goad interactive console To setup a socks proxy you can use ssh_jumpbox_proxy <proxy_port> in the goad interactive console All aws elements are tagged with <lab_name>-<lab_instance_id> "},{"location":"providers/azure/","title":"Azure","text":"Thanks!
Thx to Julien Arault for the initial work on the azure provider
Warning
LLMNR, NBTNS and other poisoning network attacks will not work in azure environment. Only network coerce attacks will work.
"},{"location":"providers/azure/#prerequisites","title":"Prerequisites","text":""},{"location":"providers/azure/#azure-configuration","title":"Azure configuration","text":"You need to login to Azure with the CLI.
az login\n The goad configuration file as some options for azure: # ~/.goad/goad.ini\n...\n[azure]\naz_location = westeurope\n If you want to use a different location you can modify it. "},{"location":"providers/azure/#installation","title":"Installation","text":"# check prerequisites\n./goad.sh -t check -l GOAD -p azure\n# Install\n./goad.sh -t install -l GOAD -p azure\nor from the interactive console :
GOAD/azure/remote/192.168.56.X > install\n You can see the status of the lab with the command status You can also start and stop the lab with the command start and stop Info
The command stop use deallocate, it take a long time to run but it is not only stopping the vms, it will deallocate them. By doing that, you will stop paying from them (but you still paying storage) and can save some money.
"},{"location":"providers/azure/#vms-sku","title":"VMs sku","text":" The vm used for goad are defined in the lab terraform file : ad/<lab>/providers/azure/windows.tf This file is containing information about each vm in use \"dc01\" = {\n name = \"dc01\"\n publisher = \"MicrosoftWindowsServer\"\n offer = \"WindowsServer\"\n windows_sku = \"2019-Datacenter\"\n windows_version = \"17763.4377.230505\"\n private_ip_address = \"{{ip_range}}.10\"\n password = \"8dCT-DJjgScp\"\n size = \"Standard_B2s\"\n}\n On the installation goad script will create a folder into goad/workspaces/<instance_folder> This folder will contain the terraform scripts and some of the ansible inventories Goad will create the cloud infrastructure with terraform. The lab is created (not provisioned yet) and a \"jumpbox\" vm is also created Next the needed sources will be pushed to the jumpbox using ssh and rsync The jumpbox ssh_key is stored on goad/workspaces/<instance_folder>/ssh_keys The jumpbox is prepared to run ansible The provisioning is launch with ssh remotely on the jumpbox "},{"location":"providers/azure/#install-step-by-step","title":"Install step by step","text":"GOAD/azure/remote/192.168.56.X > create_empty # create empty instance\nGOAD/azure/remote/192.168.56.X > load <instance_id>\nGOAD/azure/remote/192.168.56.X (<instance_id>) > provide # play terraform\nGOAD/azure/remote/192.168.56.X (<instance_id>) > sync_source_jumpbox # sync jumpbox source\nGOAD/azure/remote/192.168.56.X (<instance_id>) > prepare_jumpbox # install dependencies on jumpbox\nGOAD/azure/remote/192.168.56.X (<instance_id>) > provision_lab # run ansible\n To connect to the jumpbox VM you can use ssh_jumpbox in the goad interactive console To setup a socks proxy you can use ssh_jumpbox_proxy <proxy_port> in the goad interactive console
If the command destroy or delete fails, you can delete the resource group using the CLI
az group delete --name GOAD\n "},{"location":"providers/ludus/","title":"\ud83c\udfdf\ufe0f Ludus","text":"Thanks!
Huge shootout to @badsectorlabs for Ludus and Erik for his support and tests during the ludus provider creation
Install on ludus server only
To add GOAD on Ludus please use goad directly on the server. By now goad can work only directly on the server and not from a workstation client.
git clone https://github.com/Orange-Cyberdefense/GOAD.git\ncd GOAD\nsudo apt install python3.11-venv\n./goad.sh\nexit\n The goad configuration file as some options for ludus: # ~/.goad/goad.ini\n...\n[ludus]\nludus_api_key = changeme\nuse_impersonation = yes\n change the api_key with the one of your admin user "},{"location":"providers/ludus/#install","title":"Install","text":"./goad.sh -p ludus\nGOAD/ludus/local > set_lab XXX # GOAD/GOAD-Light/NHA/SCCM\nGOAD/ludus/local > install\n The installation will create a new simple_user to generate the pool we will call him \"lab_user\" the id of this user will be lab_name<6alphanumeric_digit> Next this \"lab_user\" will be impersonate to launch all the ludus deployment command At the end the \"lab_user\" will share access to our user This way we can manage multiple lab instance with goad on the same ludus server. Info
On ludus the config ip_range is not used and is ignored. The ips will be setup automatically during the lab installation
"},{"location":"providers/proxmox/","title":"Proxmox","text":" A complete guide to proxmox installation is available here : https://mayfly277.github.io/categories/proxmox/ "},{"location":"providers/proxmox/#prerequisites","title":"Prerequisites","text":""},{"location":"providers/proxmox/#installation","title":"Installation","text":" # check prerequisites\n./goad.sh -t check -l GOAD -p proxmox\n# Install\n./goad.sh -t install -l GOAD -p proxmox\n Providing
Virtualbox Vagrant Vagrant plugins: vagrant-reload vagrant-vbguest winrm winrm-fs winrm-elevated Provisioning
Python3 (version between [3.8, 3.11]) goad requirements ansible-galaxy goad requirements "},{"location":"providers/virtualbox/#check-dependencies","title":"Check dependencies","text":"./goad.sh -p virtualbox\nGOAD/virtualbox/local/192.168.56.X > check\nInfo
If there is some missing dependencies goes to the installation chapter and follow the guide according to your os.
Note
check give mandatory dependencies in red and non mandatory in yellow (but you should be compliant with them too depending one your operating system)
"},{"location":"providers/virtualbox/#install","title":"Install","text":" To install run the goad script and launch install or use the goad script arguments ./goad.sh -p virtualbox\nGOAD/virtualbox/local/192.168.56.X > set_lab <lab> # here choose the lab you want (GOAD/GOAD-Light/NHA/SCCM)\nGOAD/virtualbox/local/192.168.56.X > set_ip_range <ip_range> # here choose the ip range you want to use ex: 192.168.56\nGOAD/virtualbox/local/192.168.56.X > install\n or all in command line with arguments ./goad.sh -t install -p virtualbox -l <lab> -ip <ip_range_to_use>\nQuote
\"Virtualbox c'est no way\" @mpgn
"},{"location":"providers/vmware/#prerequisites","title":"Prerequisites","text":" Providing
Vmware workstation Vagrant Vmware utility driver Vagrant plugins: vagrant-reload vagrant-vmware-desktop winrm winrm-fs winrm-elevated Provisioning
Python3 (version between [3.8, 3.11]) goad requirements ansible-galaxy goad requirements "},{"location":"providers/vmware/#check-dependencies","title":"check dependencies","text":"./goad.sh -p vmware\nGOAD/vmware/local/192.168.56.X > check\nInfo
If there is some missing dependencies goes to the installation chapter and follow the guide according to your os.
Note
check give mandatory dependencies in red and non mandatory in yellow (but you should be compliant with them too depending one your operating system)
"},{"location":"providers/vmware/#install","title":"Install","text":" To install run the goad script and launch install or use the goad script arguments ./goad.sh -p vmware\nGOAD/vmware/local/192.168.56.X > set_lab <lab> # here choose the lab you want (GOAD/GOAD-Light/NHA/SCCM)\nGOAD/vmware/local/192.168.56.X > set_ip_range <ip_range> # here choose the ip range you want to use ex: 192.168.56 (only the first three digits)\nGOAD/vmware/local/192.168.56.X > install\n or all in command line with arguments ./goad.sh -t install -p vmware -l <lab> -ip <ip_range_to_use>\n Launch goad.py script (or goad.sh wrapper) with arguments usage: goad.py [-h] [-t TASK] [-l LAB] [-p PROVIDER] [-ip IP_RANGE] [-m METHOD] [-i INSTANCE] [-e EXTENSIONS] [-a ANSIBLE_ONLY] [-r RUN_PLAYBOOK]\n\nDescription : goad lab management console.\n\noptional arguments:\n -h, --help show this help message and exit\n -t TASK, --task TASK tasks available : (install/start/stop/restart/destroy/status/show)\n -l LAB, --lab LAB lab to use (default: GOAD)\n -p PROVIDER, --provider PROVIDER\n provider to use (default: vmware)\n -ip IP_RANGE, --ip_range IP_RANGE\n ip range to use (default: 192.168.56)\n -m METHOD, --method METHOD\n deploy method to use (default: local)\n -i INSTANCE, --instance INSTANCE\n use a specific instance (use default if not selected)\n -e EXTENSIONS, --extensions EXTENSIONS\n extensions to use\n -a ANSIBLE_ONLY, --ansible_only ANSIBLE_ONLY\n run only provisioning (ansible) on instance (-i) (for task install only)\n -r RUN_PLAYBOOK, --run_playbook RUN_PLAYBOOK\n run only one ansible playbook on instance (-i) (for task install only)\n\nExample :\n - Install GOAD on virtualbox : python3 goad.py -t install -l GOAD -p virtualbox\n - Launch GOAD interactive console : python3 goad.py\nLaunch goad interactive mode
"},{"location":"usage/goad_console/#enter-interactive-mode","title":"Enter interactive mode","text":"To enter interactive mode just launch goad without the -t parameter
./goad.sh\n*** Lab Instances ***\ncheck ................................... check dependencies before creation\ninstall / create ........................ install the selected lab and create a lab instance\ncreate_empty ............................ prepare a lab instance folder without providing and provisioning\nlist .................................... list lab instances\nload <instance_id> ...................... load a lab instance\n\n*** Configuration ***\nconfig .................................. show current configuration\nlabs .................................... show all labs and available providers\nset_lab <lab> ........................... set the lab to use\nset_provider <provider> ................. set the provider to use\nset_provisioning_method <method> ........ set the provisioning method\nset_ip_range <range> .................... set the 3 first digit of the ip to use (ex: 192.168.56)\nWill check the lab dependencies
check\n
"},{"location":"usage/goad_console/#install","title":"install","text":"Install the lab with the current select config
install\n This will: create an instance folder into workspaces/ run vagrant/terraform/ludus depending on the provider to create the machines synchronize source to jumpbox if provider is aws or azure provision jumpbox if provider is aws or azure run the ansible provisioning
"},{"location":"usage/goad_console/#create_empty","title":"create_empty","text":"Create an empty instance folder (into the workspaces/ folder)
create_empty\n
"},{"location":"usage/goad_console/#list","title":"list","text":"List instances
alias : ls
list\n
"},{"location":"usage/goad_console/#load","title":"load","text":"Select an instance by his name
alias : use, cd
load <instance name>\n
"},{"location":"usage/goad_console/#config","title":"config","text":"show current configuration
config\n
"},{"location":"usage/goad_console/#labs","title":"labs","text":"show available labs
labs\n
"},{"location":"usage/goad_console/#set_lab","title":"set_lab","text":"Choose the lab to use (GOAD/GOAD-Light/NHA/SCCM/MINILAB)
set_lab <lab_name>\nChoose the provider to use (virtualbox/vmware/aws/azure/ludus/proxmox)
set_provider <lab_name>\nChoose the provisioning method (local/runner/docker/remote) (most of the time you don't have to change it)
set_provisioning <provisioning_method>\n local : launch ansible with subprocess (default for vbox/vmware/proxmox/ludus) runner : launch ansible with ansible runner remote : launch ansible through ssh using jumpbox (default for azure/aws) docker : user the docker container to launch ansible (docker container must be built first sudo docker build -t goadansible .) "},{"location":"usage/goad_console/#set_ip_range","title":"set_ip_range","text":"Set the ip range you want to use (Three first digit, example : 192.168.10)
set_ip_range <ip_range>\n*** Manage Lab instance commands ***\nstatus .................................. show current status\nstart ................................... start lab\nstop .................................... stop lab\ndestroy ................................. destroy lab\n\n*** Manage one vm commands ***\nstart_vm <vm_name> ...................... start selected virtual machine\nstop_vm <vm_name> ....................... stop selected virtual machine\nrestart_vm <vm_name> .................... restart selected virtual machine\ndestroy_vm <vm_name> .................... destroy selected virtual machine\n\n*** Extensions ***\nlist_extensions ......................... list extensions\ninstall_extension <extension> ........... install extension (providing + provisioning)\nprovision_extension <extension> ......... provision extension (provisioning only)\n\n*** JumpBox ***\nprepare_jumpbox ......................... install package on the jumpbox for provisioning\nsync_source_jumpbox ..................... sync source of the jumpbox\nssh_jumpbox ............................. connect to jump box with ssh\nssh_jumpbox_proxy <proxy_port> .......... connect to jump box with ssh and start a socks proxy\n\n*** Providing (Vagrant/Terrafom) ***\nprovide ................................. run only the providing (vagrant/terraform)\n\n*** Provisioning (Ansible) ***\nprovision <playbook> .................... run specific ansible playbook\nprovision_lab ........................... run all the current lab ansible playbooks\nprovision_lab_from <playbook> ........... run all the current lab ansible playbooks from specific playbook to the end\n\n*** Lab Instances ***\ncheck ................................... check dependencies before creation\ninstall ................................. install the current instance (provide + prepare_jumpbox + provision_lab\nset_as_default .......................... set instance as default\nupdate_instance_files ................... update lab instance files\nlist .................................... list lab instances\nload <instance_id> ...................... load a lab instance\n\n*** Configuration ***\nconfig .................................. show current configuration\nunload .................................. unload current instance\ndelete .................................. delete the currently selected lab instance\nGive the current lab status
status\nStart the current lab instance
start\nStop the current lab instance
stop\nDanger
Destroy the current lab instance vms
destroy\nStart a vm
start_vm <vm_name>\nStop a vm
stop_vm <vm_name>\nRestart a vm (start and stop)
restart_vm <vm_name>\nDanger
Destroy a vm
destroy_vm <vm_name>\nList available extensions
list_extensions\nAdd an extension to the lab (providing + provisioning)
Warning
An installed extension can be deleted
install_extension <extension_name>\nLaunch provisioning (ansible) for the extension
provision_extension <extension_name>\nPrepare jumpbox : run the preparation script on the jumpbox (install dependencies)
prepare_jumpbox\nRsync goad source with the jumpbox
sync_source_jumpbox\nSSH into the jumpbox
ssh_jumpbox\nSSH into the jumpbox with a socks proxy option (-D)
ssh_jumpbox_proxy <socks_proxy_port>\nLaunch providing (machine creation)
provide\nLaunch specific playbook (use playbook in ansible/ folder)
provision <playbook.yml>\nLaunch all the lab provisioning (install labs on machines with ansible)
provision_lab\nLaunch the lab provisioning from a specific playbook (use playbook in ansible/ folder)
Tip
useful if the install crash to not redo all the provisioning
provision_lab_from <playbook.yml>\nLaunch the check (same as without instance)
check\nLaunch the install (useful if you created an empty instance)
install\nSet the current instance as default (automatically loaded on goad start)
set_as_defualt\nRecreate the files inside the workspace folder
update_instance_files\nList instances
alias : ls
list\nSelect an instance by his name (here change the current instance)
alias : use, cd
load <instance name>\nShow current configuration
config\nUnload the instance (alias cd ..)
unload\nDanger
delete the current instance lab and vms
delete\nWelcome to GOAD (v3) documentation !
Game Of Active Directory is a free pentest active directory LAB(s) project (1).
GOAD is free if you use your own computer, obviously we will not pay your electricity bill and your cloud provider invoice ;) The purpose of this tool is to give pentesters a vulnerable Active directory environment ready to use to practice usual attack techniques. The idea behind this project is to give you an environment where you can try and train your pentest skills without having the pain to build all by yourself. This repository was build for pentest practice
Note
GOAD main labs (GOAD/GOAD-Light/SCCM) are not pro labs environments (like those you can find on HTB). Theses labs give you an environment to practice a lot of vulnerability and missconfig exploitations. Sure you can use them like pro labs, but it will certainly be too easy due to the number of vulns. Consider more GOAD like a DVWA but for Active Directory. If you want a chall deploy the lab NHA.
Warning
This lab is extremely vulnerable, do not reuse recipe to build your production environment and do not deploy this environment on internet without isolation (this is a recommendation, use it as your own risk).
Windows Licenses
This lab use free windows VM only (180 days). After that delay enter a license on each server or rebuild all the lab (may be it's time for an update ;))
"},{"location":"changelog/","title":"Road Map","text":" Password reuse between computer (PTH) Spray User = Password Password in description SMB share anonymous SMB not signed Responder Zerologon Windows defender ASREPRoast Kerberoasting AD Acl abuse Unconstraint delegation Ntlm relay Constrained delegation Install MSSQL MSSQL trusted link MSSQL impersonate Install IIS Upload asp app Multiples forest Anonymous RPC user listing Child parent domain Generate certificate and enable ldaps ADCS - ESC 1/2/3/4/6/8 Certifry Samaccountname/nopac Petitpotam unauthent Printerbug Drop the mic Shadow credentials Mitm6 Add LAPS GPO abuse Add Webdav Add RDP bot Add full proxmox integration Add Gmsa (receipe created) Add azure support Refactoring lab and providers Protected Users Account is sensitive Add PPL Add Gmsa Groups inside groups Shares with secrets (all, sysvol) ADCS add vulns Add Applocker Add optional EDR install on goad Add attackbox + guacamole and openvpn creation "},{"location":"changelog/#sccm","title":"SCCM","text":" Sccm (see SCCM lab) Wsus (not complete) "},{"location":"changelog/#extensions","title":"Extensions","text":" elk exchange ludus ws01 (need more tests) exchange bot attackbox linux VM enrolled VPN guacamole "},{"location":"instances/","title":"\ud83c\uddee instances","text":"When you create a lab, goad will create an instance folder. All the instances are stored in the workspace/ folder inside goad.
workspace/\n .\n \u251c\u2500\u2500 6caf1a-goad-light-azure # Instance ID\n \u2502\u00a0\u00a0 \u251c\u2500\u2500 exchange_inventory # extension inventory\n \u2502\u00a0\u00a0 \u251c\u2500\u2500 instance.json # instance json file (name, status, etc..)\n \u2502\u00a0\u00a0 \u251c\u2500\u2500 inventory # provider inventory\n \u2502\u00a0\u00a0 \u251c\u2500\u2500 provider # provider folder\n \u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 jumpbox.tf\n \u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 linux.tf\n \u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 main.tf\n \u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 network.tf\n \u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 outputs.tf\n \u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 terraform.tfstate\n \u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 terraform.tfstate.backup\n \u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u251c\u2500\u2500 variables.tf\n \u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2514\u2500\u2500 windows.tf\n \u2502\u00a0\u00a0 \u2514\u2500\u2500 ssh_keys # the keys generated by this instance\n \u2502\u00a0\u00a0 \u2514\u2500\u2500 ubuntu-jumpbox.pem\n \u251c\u2500\u2500 7b12f1-goad-light-vmware # another instance\n \u2502\u00a0\u00a0 \u251c\u2500\u2500 instance.json\n \u2502\u00a0\u00a0 \u251c\u2500\u2500 inventory\n \u2502\u00a0\u00a0 \u251c\u2500\u2500 inventory_disable_vagrant\n \u2502\u00a0\u00a0 \u251c\u2500\u2500 provider\n \u2502\u00a0\u00a0 \u2502\u00a0\u00a0 \u2514\u2500\u2500 Vagrantfile\n \u2502\u00a0\u00a0 \u2514\u2500\u2500 ssh_keys\n On instance folder creation (when you run install or create_empty), the provider files inside the template/ folder are copied into the instance. These files are merged with the datas inside ad/<lab>/providers/<provider>/ folder and the datas inside extensions/<extension>/providers/<provider>/ The merged result is present in the workspace/<instance_id>/provider/ folder and contain all the recipes to create the infrastructure
inventories files are also copied from ad/<lab>/provider/<provider>/inventory and extensions/<extension>/inventory (see provisioning for more information in provisioning)
"},{"location":"provisioning/","title":"\ud83d\udee0\ufe0f provisioning","text":"This page describe how the provisioning is done with goad. The provisioning of the LABS is done with Ansible for all providers.
First the GOAD install script create an instance folder in the workspace folder. "},{"location":"provisioning/#lab-data","title":"Lab data","text":"The data of each lab are stored in the json file : ad/<lab>/data/config.json, this file is loaded by each playbook to get all the lab variables (this is done by the data.yml playbook call by all the over playbooks)
"},{"location":"provisioning/#extension-data","title":"Extension data","text":"If an extension need data it will be stored in extensions/<extension>/data/config.json but the loading must be done by extension install.yml playbook.
Example with the exchange install.yml file : # read local configuration file\n- name: \"Read local config file\"\n hosts: domain:extensions\n connection: local\n vars_files:\n - \"../data/config.json\"\n tasks:\n - name: merge lab variable with local config\n set_fact:\n lab: \"{{ lab|combine(lab_extension, recursive=True) }}\"\nAnsible work with inventories. Inventories files contains all the hosts declaration and some variables.
The lab inventory file (ad/<lab>/data/inventory) is not modified/moved and contain all the main variables and hosts association, this file stay as this and is not modified. It contains the lab building logic.
The provider inventory file (ad/<lab>/provider/<provider>/inventory) is modified with the settings and copied into the workspace folder (workspace/<instance_id>/inventory) , this file contains variable specific to the provider and the host ip declaration
The extension(s) inventory file(s) (extensions/<extension>/inventory) is modified with the settings and copied into the workspace folder (workspace/<instance_id>/inventory_<extension>) , this file contains variable specific to the extension and the extension host ip declaration
The global inventory file globalsettings.inicontains some global variable with some user settings.
The inventory files are given to ansible in this order : - lab inventory file - workspace provider inventory file - workspace extension(s) inventory file(s) - globalsettings.ini file
The order is important as it determine the override order. hosts declarations are merged between all inventory and variables with the same name are override if the same variable is declared.
Example : if i setup dns_server_forwarder=8.8.8.8 in the lab inventory file and dns_server_forwarder=1.1.1.1 in the globalsettings.ini file, the final value for ansible wll be dns_server_forwarder=1.1.1.1 "},{"location":"provisioning/#playbooks","title":"playbooks","text":" Labs playbook are stored on the ansible/ folder Extension playbook is stored in extension/<extension>/ansible/install.yml The extension folder can call the main goad roles by using a special ansible.cfg file.
Example of the exchange ansible.cfg file
[defaults]\n...\n; add default roles folder into roles_path\nroles_path = ./roles:../../../ansible/roles\n "},{"location":"provisioning/#labs-build","title":"labs build","text":" Instead of call a global main.yml playbook with all the different tasks to do the goad script call each playbook one by one. In this way, there is a fallback mecanism to retry each playbook 3 times before consider it as failed. The list and order of the playbooks played are stored in the playbooks.yml file at the start of the project. "},{"location":"questions/","title":"Frequent asked questions","text":"How can i change the default keyboard layout
edit globalsettings.ini files and change the variable keyboard_layouts
I already got a lab installed with v2, is v3 will use it ?
Sorry no, the v3 of GOAD doesn't look for already installed lab. Best way to migrate is trash your old lab and build a new one.
Can i use goad to create a course for my student ?
Sure GOAD is a GPL project. Feel free to reuse it to give course.
"},{"location":"references/","title":"References","text":"\ud83d\udea7 TODO
"},{"location":"thx/","title":"Special Thanks to","text":" Julien Arrault (Azure recipes) Thomas Rollain (tests & some vulns writing) Quentin Galliou (tests) "},{"location":"thx/#enterprise","title":"Enterprise","text":""},{"location":"troobleshoot/","title":"troubleshoot","text":"Tip
In most case if you get errors during install, don't think. Select the failed instance \u0300load <instance_id> and just replay the install with provision_lab to relaunch all or provision_lab_from <playbook> if you know the last failed playbook (most of the errors which could came up are due to windows latency during installation, wait few minutes and replay the install)
\ud83d\udea7 TODO refresh me with new goad version :)
"},{"location":"troobleshoot/#vagrant-up-winrm-digest-initialization-failed-initialization-error","title":"vagrant up - WinRM - digest initialization failed : Initialization Error","text":"DC01: WinRM username: vagrant\nDC01: WinRM execution_time_limit: PT2H\nDC01: WinRM transport: negotiate\nAn error occurred executing a remote WinRM command.\n\nShell: Cmd\nCommand: hostname\nMessage: Digest initialization failed: initialization error\n<internal:/usr/lib/ruby/vendor_ruby/rubygems/core_ext/kernel_require.rb>:85:in `require': cannot load such file -- winrm (LoadError)\n from <internal:/usr/lib/ruby/vendor_ruby/rubygems/core_ext/kernel_require.rb>:85:in `require'\n from /usr/share/rubygems-integration/all/gems/vagrant-2.3.4/plugins/communicators/winrm/shell.rb:9:in `block in <top (required)>'\n from /usr/share/rubygems-integration/all/gems/vagrant-2.3.4/lib/vagrant/util/silence_warnings.rb:8:in `silence!'\n solution : gem install winrmgem install winrm-fs "},{"location":"troobleshoot/#vagrant-up-cannot-load-such-file-winrm-elevated-loaderror","title":"vagrant up - cannot load such file -- winrm-elevated (LoadError)","text":"<internal:/usr/lib/ruby/vendor_ruby/rubygems/core_ext/kernel_require.rb>:85:in `require': cannot load such file -- winrm-elevated (LoadError)\n from <internal:/usr/lib/ruby/vendor_ruby/rubygems/core_ext/kernel_require.rb>:85:in `require'\n from /usr/share/rubygems-integration/all/gems/vagrant-2.3.4/plugins/communicators/winrm/shell.rb:12:in `<top (required)>'\n ...\n solution : gem install winrm-elevated "},{"location":"troobleshoot/#ansible-persistent-unreachable-error","title":"ansible persistent \"unreachable error\"","text":""},{"location":"troobleshoot/#the-naming-context-specified-for-this-replication-operation-is-invalid","title":"The naming context specified for this replication operation is invalid","text":"TASK [groups_domains : synchronizes all domains] *******************************************************************************************************************************************************************************************************************************\nchanged: [dc03]\nchanged: [dc01]\nfatal: [dc02]: FAILED! => {\"changed\": true, \"cmd\": \"repadmin /syncall /Ade\", \"delta\": \"0:00:01.090773\", \"end\": \"2023-10-18 09:30:26.016579\", \"msg\": \"non-zero return code\", \"rc\": 1, \"start\": \"2023-10-18 09:30:24.925805\", \"stderr\": \"\", \"stderr_lines\": [], \"stdout\": \"Syncing all NC's held on winterfell.\\r\\r\\nSyncing partition: DC=north,DC=sevenkingdoms,DC=local\\r\\r\\nCALLBACK MESSAGE: Error contacting server CN=NTDS Settings,CN=WINTERFELL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=sevenkingdoms,DC=local (network error): 1722 (0x6ba):\\r\\r\\n The RPC server is unavailable.\\r\\r\\n\\r\\r\\nSyncAll exited with fatal Win32 error: 8440 (0x20f8):\\r\\r\\n The naming context specified for this replication operation is invalid.\\r\\r\\n\", \"stdout_lines\": [\"Syncing all NC's held on winterfell.\", \"\", \"Syncing partition: DC=north,DC=sevenkingdoms,DC=local\", \"\", \"CALLBACK MESSAGE: Error contacting server CN=NTDS Settings,CN=WINTERFELL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=sevenkingdoms,DC=local (network error): 1722 (0x6ba):\", \"\", \" The RPC server is unavailable.\", \"\", \"\", \"\", \"SyncAll exited with fatal Win32 error: 8440 (0x20f8):\", \"\", \" The naming context specified for this replication operation is invalid.\", \"\"]}\n==> GOAD-SRV03: Configuring and enabling network interfaces...\nVagrant can't use the requested machine because it is locked! This\nmeans that another Vagrant process is currently reading or modifying\nthe machine. Please wait for that Vagrant process to end and try\nagain. Details about the machine are shown below:\nAn exception occurred during task execution. To see the full traceback, use -vvv. The error was: at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.BeginProcessing()\nfailed: [dc02] (item={'key': 'AcrossTheSea', 'value': ['essos.local\\\\daenerys.targaryen']}) => {\"ansible_loop_var\": \"item\", \"attempts\": 3, \"changed\": false, \"item\": {\"key\": \"AcrossTheSea\", \"value\": [\"essos.local\\\\daenerys.targaryen\"]}, \"msg\": \"Unhandled exception while executing module: The server has rejected the client credentials.\"}\n something go wrong with the trust, all the links are not fully establish wait several minutes and relaunch the install "},{"location":"troobleshoot/#groups-domain-error","title":"Groups domain error","text":" something go wrong with the trust, all the links are not fully establish wait several minutes and relaunch the playbook i really don't know why this append time to time on installation, if you want to investigate and resolve the issue please tell me how. An exception occurred during task execution. To see the full traceback, use -vvv. The error was: at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.BeginProcessing()\nfailed: [192.168.56.xx] (item={'key': 'DragonsFriends', 'value': ['sevenkingdoms.local\\\\tyron.lannister', 'essos.local\\\\daenerys.targaryen']}) => {\"ansible_loop_var\": \"item\", \"attempts\": 3, \"changed\": false, \"item\": {\"key\": \"DragonsFriends\", \"value\": [\"north.sevenkingdoms.local\\\\jon.snow\", \"sevenkingdoms.local\\\\tyron.lannister\", \"essos.local\\\\daenerys.targaryen\"]}, \"msg\": \"Unhandled exception while executing module: Either the target name is incorrect or the server has rejected the client credentials.\"}\n You got an \"Add-Warning\" error during the user installation. Upgrade to community.windows galaxy >= 1.11.0 relaunch the ansible playbooks. An exception occurred during task execution. To see the full traceback, use -vvv. The error was: at , : line 475\nfailed: [192.168.56.11] (item={'key': 'arya.stark', 'value': {'firstname': 'Arya', 'surname': 'Stark',\n...\n\"msg\": \"Unhandled exception while executing module: The term 'Add-Warning' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.\"}+\n If you got this kind of error you got an ansible.windows version >= 1.11.0 This version add the parameter AcceptLicense but it is accepted only for PowerShellGet module >= 1.6.0 and this one is not embedded in the vms. Please keep version 1.11.0 and update the lab to get the fix for the PowerShellGet Module version. fatal: [xxx]: FAILED! => {\n \"changed\": false,\n \"msg\": \"Problems installing XXXX module: A parameter cannot be found that matches parameter name 'AcceptLicense'.\",\n \"nuget_changed\": false,\n \"output\": \"\",\n \"repository_changed\": false\n}\nERROR! no action detected in task. This often indicates a misspelled module name, or incorrect module path.\n\nThe error appears to have been in '/home/hrrb0032/Documents/mission/GOAD/roles/domain_controller/tasks/main.yml': line 8, column 3, but maybe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n- name: disable enhanced exit codes\n^ here\nsolution : upgrade Ansible
"},{"location":"troobleshoot/#old-ansiblewindows-version","title":"old ansible.windows version","text":"ERROR! couldn't resolve module/action 'win_powershell'. This often indicates a misspelling, missing collection, or incorrect module path.\nPLAY [DC01 - kingslanding] *******************************************************\n\n\n\nTASK [Gathering Facts] ***********************************************************\nfatal: [192.168.56.10]: FAILED! => {\"msg\": \"winrm or requests is not installed: No module named winrm\"}\n\n\n\nPLAY RECAP ***********************************************************************\n192.168.56.10 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0 \nsolution : pip install pywinrm
"},{"location":"troobleshoot/#winrm-send-input-timeout","title":"winrm send input timeout","text":"TASK [Gathering Facts] ****************************************************************************************************************************************************\n[WARNING]: ERROR DURING WINRM SEND INPUT - attempting to recover: WinRMOperationTimeoutError\nok: [192.168.56.11]\nsolution : wait or if crashed then re-run install
"},{"location":"troobleshoot/#domain-controller-ensure-users-are-present","title":"Domain controller : ensure Users are present","text":"
TASK [domain_controller : Ensure that Users presents in ou=<kingdom>,dc=SEVENKINGDOMS,dc=local] ***************************************************************************\nAn exception occurred during task execution. To see the full traceback, use -vvv. The error was: at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord()\nfailed: [192.168.56.10] (item={u'key': u'lord.varys', u'value': {u'city': u\"King's Landing\", u'password': u'_W1sper_$', u'name': u'Lord Varys', u'groups': u'Small Council', u'path': u'OU=Users,OU=Crownlands,OU=kingdoms,DC=SEVENKINGDOMS,DC=local'}}) => {\"ansible_loop_var\": \"item\", \"changed\": false, \"item\": {\"key\": \"lord.varys\", \"value\": {\"city\": \"King's Landing\", \"groups\": \"Small Council\", \"name\": \"Lord Varys\", \"password\": \"_W1sper_$\", \"path\": \"OU=Users,OU=Crownlands,OU=kingdoms,DC=SEVENKINGDOMS,DC=local\"}}, \"msg\": \"Unhandled exception while executing module: An unspecified error has occurred\"}\nTASK [mssql : Install the database]\nfatal: [192.168.56.22]: FAILED! => {\"attempts\": 3, \"changed\": true, \"cmd\": \"c:\\\\setup\\\\mssql\\\\sql_installer.exe /configurationfile=c:\\\\setup\\\\mssql\\\\sql_conf.ini /IACCEPTSQLSERVERLICENSETERMS /MEDIAPATH=c:\\\\setup\\\\mssql\\\\media /QUIET /HIDEPROGRESSBAR\", \"delta\": \"0:00:34.891185\", \"end\": \"2022-08-17 21:26:53.976793\", \"msg\": \"non-zero return code\", \"rc\": 2226323458, \"start\": \"2022-08-17 21:26:19.085608\", \"stderr\": \"\", \"stderr_lines\": [], \"stdout\": \"Microsoft (R) SQL Server Installer\\r\\nCopyright (c) 2019 Microsoft. All rights reserved.\\r\\n\\r\\nDownloading install package...\\r\\n\\r\\n\\r\\nOperation finished with result: Failure\\r\\n\\r\\nOops...\\r\\n\\r\\nUnable to install SQL Server (setup.exe).\\r\\n\\r\\n Exit code (Decimal): -2068643838\\r\\n Exit message: No features were installed during the setup execution. The requested features may already be installed. Please review the summary.txt log for further details.\\r\\n\\r\\n SQL SERVER INSTALL LOG FOLDER\\r\\n c:\\\\Program Files\\\\Microsoft SQL Server\\\\150\\\\Setup Bootstrap\\\\Log\\\\20220817_142624\\r\\n\\r\\n\", \"stdout_lines\": [\"Microsoft (R) SQL Server Installer\", \"Copyright (c) 2019 Microsoft. All rights reserved.\", \"\", \"Downloading install package...\", \"\", \"\", \"Operation finished with result: Failure\", \"\", \"Oops...\", \"\", \"Unable to install SQL Server (setup.exe).\", \"\", \" Exit code (Decimal): -2068643838\", \" Exit message: No features were installed during the setup execution. The requested features may already be installed. Please review the summary.txt log for further details.\", \"\", \" SQL SERVER INSTALL LOG FOLDER\", \" c:\\\\Program Files\\\\Microsoft SQL Server\\\\150\\\\Setup Bootstrap\\\\Log\\\\20220817_142624\", \"\"]}\nsolution : re-run installer
"},{"location":"troobleshoot/#vagrant-not-working-on-ubuntu-2204","title":"vagrant: Not working on Ubuntu 22.04","text":"I was using the version of Vagrant in the Ubuntu repo, and then tried to use the version 2.4.0 and 2.3.4 binaries from hashicorp, but kept on running into this error:
The guest machine entered an invalid state while waiting for it\nto boot. Valid states are 'starting, running'. The machine is in the\n'poweroff' state. Please verify everything is configured\nproperly and try again.\n\nIf the provider you're using has a GUI that comes with it,\nit is often helpful to open that and watch the machine, since the\nGUI often has more helpful error messages than Vagrant can retrieve.\nFor example, if you're using VirtualBox, run `vagrant up` while the\nVirtualBox GUI is open.\n\nThe primary issue for this error is that the provider you're using\nis not properly configured. This is very rarely a Vagrant issue.\nThe error may look similar to below:
==> proxmox-iso.windows: Error creating VM: error creating VM: 403 Permission check failed (/sdn/zones/localnetwork/vmbr3/10, SDN.Use), \nerror status: {\"data\":null} (params: ......\nIt may be fixed by delegating the SDN.Use privilege to the packer user
pveum role modify Packer -privs \"VM.Config.Disk VM.Config.CPU VM.Config.Memory Datastore.AllocateTemplate Datastore.Audit Datastore.AllocateSpace Sys.Modify VM.Config.Options VM.Allocate VM.Audit VM.Console VM.Config.CDROM VM.Config.Cloudinit VM.Config.Network VM.PowerMgmt VM.Config.HWType VM.Monitor SDN.Use\"\nThe error may look similar to below:
root@goadprovisioning:~/GOAD/packer/proxmox# packer build -var-file=windows_server2019_proxmox_cloudinit.pkvars.hcl .\nproxmox-iso.windows: output will be in this color.\n\n==> proxmox-iso.windows: Retrieving additional ISO\n==> proxmox-iso.windows: Trying ./iso/Autounattend_winserver2019_cloudinit.iso\n==> proxmox-iso.windows: Trying ./iso/Autounattend_winserver2019_cloudinit.iso?checksum=sha256%3A43857cb780de3a58696285f644034499d4b29608b3c511feb27e315832b696c4\n==> proxmox-iso.windows: ./iso/Autounattend_winserver2019_cloudinit.iso?checksum=sha256%3A43857cb780de3a58696285f644034499d4b29608b3c511feb27e315832b696c4 => /root/GOAD/packer/proxmox/iso/Autounattend_winserver2019_cloudinit.iso\n proxmox-iso.windows: Uploaded ISO to local:iso/Autounattend_winserver2019_cloudinit.iso\n==> proxmox-iso.windows: Creating VM\n==> proxmox-iso.windows: No VM ID given, getting next free from Proxmox\n==> proxmox-iso.windows: Error creating VM: error creating VM: unable to create VM 103 - unsupported format 'qcow2' at /usr/share/perl5/PVE/Storage/LvmThinPlugin.pm line 87., error status: (params: map[agent:1 args: boot: cores:2 cpu:kvm64 description:Packer ephemeral build VM hotplug: ide2:local:iso/windows_server_2019.iso,media=cdrom kvm:true machine: memory:4096 name:WinServer2019x64-cloudinit-qcow2 net0:virtio=5E:5D:24:C4:0F:DA,bridge=vmbr3,tag=10 numa:false onboot:false ostype:win10 pool:GOAD sata0:vms:40,discard=ignore,format=qcow2 scsihw:lsi sockets:1 startup: tags: vmid:103])......\nFilesystems such as ZFS (and others) do not support qcow2. From my reading the best approach is to use an ext4 filesystem and modify config.auto.pkrvars.hcl with the newly created ext4 volume.
root@goadprovisioning:~/GOAD/packer/proxmox# vi config.auto.pkrvars.hcl\n...\nproxmox_vm_storage = \"ext4-qcow2\"\n...\nroot@goadprovisioning:~/GOAD/packer/proxmox# packer build -var-file=windows_server2019_proxmox_cloudinit.pkvars.hcl .\nproxmox-iso.windows: output will be in this color.\n\n==> proxmox-iso.windows: Retrieving additional ISO\n==> proxmox-iso.windows: Trying ./iso/Autounattend_winserver2019_cloudinit.iso\n==> proxmox-iso.windows: Trying ./iso/Autounattend_winserver2019_cloudinit.iso?checksum=sha256%3A43857cb780de3a58696285f644034499d4b29608b3c511feb27e315832b696c4\n==> proxmox-iso.windows: ./iso/Autounattend_winserver2019_cloudinit.iso?checksum=sha256%3A43857cb780de3a58696285f644034499d4b29608b3c511feb27e315832b696c4 => /root/GOAD/packer/proxmox/iso/Autounattend_winserver2019_cloudinit.iso\n proxmox-iso.windows: Uploaded ISO to local:iso/Autounattend_winserver2019_cloudinit.iso\n==> proxmox-iso.windows: Creating VM\n==> proxmox-iso.windows: No VM ID given, getting next free from Proxmox\n==> proxmox-iso.windows: Starting VM\n another solution is to switch to raw : proxmox_vm_storage = \"raw\" "},{"location":"troobleshoot/#proxmox-packer-error-creating-vm-volume-localisowindows_xxxiso-does-not-exist","title":"proxmox - packer error creating vm : volume 'local:iso/windows_XXX.iso' does not exist","text":"==> proxmox-iso.windows: Error creating VM: error creating VM: unable to create VM 116 - volume 'local:iso/windows_server2019_XXX_en-us.iso' does not exist, error status: (params: map[agent:1 args: boot: cores:2 cpu:kvm64 description:Packer ephemeral build VM hotplug\n: ide2:local:iso/windows_server2019_XXX_en-us.iso,media=cdrom kvm:true machine: memory:4096 name:WinServer2019x64-cloudinit-qcow2-uptodate net0:virtio=DA:CB:EB:85:08:0E,bridge=vmbr3,tag=10,firewall=false onboot:false ostype:win10 pool:Templates sata0:local:80,format=q\ncow2 scsihw:lsi sockets:1 startup: tags: vmid:116]) \nverify your iso files inside proxmox and be sure the iso you want to use exist in proxmox
"},{"location":"troobleshoot/#ansible-adapter-name-error","title":"ansible adapter name error","text":"No MSFT_NetAdapter objects found with property 'Name' equal to 'Ethernet'\n\nor \n\nNo MSFT_NetAdapter objects found with property 'Name' equal to 'Ethernet2 '\n connect to the vm and run ipconfig, verify the adapter name are the same as described in the inventory file. if not change them to match the inventory name in the vm. "},{"location":"troobleshoot/#unreachable-proxmox-ansible","title":"unreachable - proxmox, ansible","text":"fatal: [dc01]: UNREACHABLE! => {\"changed\": false, \"msg\": \"ssl: HTTPSConnectionPool(host='192.168.10.40', port=5986): Max retries exceeded with url: /wsman\n may be the vm is not well ready after the terraform creation. retry the install. if you still get the error connect to the vm and verify the static ip is corresponding with the one expect. "},{"location":"vulnerabilities/","title":"Vulnerabilities","text":"vulnerabilities
"},{"location":"developpers/provisioning/","title":"Provisioning","text":""},{"location":"developpers/provisioning/#provisioning","title":"Provisioning","text":" The provisioning is always done with ansible, more detail on the ansible provisioning here : Ansible provisioning "},{"location":"developpers/structure/","title":"Structure","text":""},{"location":"developpers/structure/#lab-organization","title":"Lab organization","text":" The lab configuration is located on the ad/ folder Each Ad folder correspond to a lab and contains the following files : ad/\n labname/ # The lab name must be the same as the variable : domain_name from the data/inventory\n data/\n config.json # The json file containing all the variables and configuration of the lab\n inventory # The global lab inventory (provider independent) (this should no contains variables)\n files/ # This folder contains files you want to copy on your vms\n scripts/ # This folder contains ps1 scripts you want to play on your vm (Must be added in the \"scripts\" entries of your vms)\n providers/ # Your lab available provider\n vmware/\n inventory # specific vmware inventory\n Vagrantfile # specific vmware vagrantfile\n virtualbox/\n inventory # specific virtualbox inventory\n Vagrantfile # specific virtualbox vagrantfile\n proxmox/\n terraform/ # specific proxmox terraform recipe\n inventory # specific proxmox inventory\n azure/\n terraform/ # specific azure terraform recipe\n inventory # specific azure inventory\n exchange : Add an exchange to GOAD or GOAD-Light lab ws01 : Add an hardened workstation to GOAD or GOAD-Light lab wazuh : Add wazuh EDR to visualize alerts elk : Add an ELK to collect and read the logs "},{"location":"extensions/elk/","title":"elk","text":"\ud83d\udea7 TODO rewrite and retest for v3
"},{"location":"extensions/elk/#elk_1","title":"elk","text":" elk a kibana is configured on http://192.168.56.50:5601 to follow the lab events infos : log encyclopedia : https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/ the elk is not installed by default due to resources reasons.
prerequistes:
you need sshpass for the elk installation
sudo apt install sshpass\n Chocolatey is needed to use elk. To install it run:
cd ansible-galaxy\nansible-galaxy collection install chocolatey.chocolatey \n "},{"location":"extensions/exchange/","title":"exchange","text":"Thanks!
Credits and huge thanks to aleemladha for his exchange role and his help to test the extension.
Extension name : exchange Compatibility : GOAD, GOAD-Light Providers : virtualbox/azure/vmware/aws/ludus/proxmox Add a machine : srv01 (the-eyrie.sevenkingdoms.local) (ip_range.21) resources
Exchange is really HUGE, it will add a vm with at least 12Gb of RAM be sure your computer support it before install
impacts
Modify the ad schema and add a computer (warning the exchange machine is really heavy)
"},{"location":"extensions/exchange/#prerequisites","title":"Prerequisites","text":" GOAD or GOAD-Light installation "},{"location":"extensions/exchange/#installation","title":"Installation","text":""},{"location":"extensions/wazuh/","title":"wazuh","text":"Thanks!
Credits and huge thanks to aleemladha for the ansible role. https://github.com/Orange-Cyberdefense/GOAD/pull/215
Extension name : wazuh Description : Add wazuh free EDR server and agent on all the domain computers + soc fortress rules (https://github.com/socfortress/Wazuh-Rules) Compatibility : * Providers : virtualbox/azure/vmware/aws/ludus Add a machine : wazuh (ip_range.51) impacts
add a wazuh machine and a wazuh agent on all windows machine\"
"},{"location":"extensions/wazuh/#prerequisites","title":"Prerequisites","text":""},{"location":"extensions/wazuh/#installation","title":"Installation","text":""},{"location":"extensions/ws01/","title":"ws01","text":"\ud83d\udea7 TODO
"},{"location":"installation/","title":"\ud83d\ude80 Installation","text":"In the last version, GOAD use no more bash for the installation/management script. The goad management script is now written in python to permit more flexibility and cover the needs to create a Windows WSL support.
First prepare you system for GOAD execution:
Installation depend of the provider you use, please follow the appropriate guide :
Install with Virtualbox Install with VmWare Install with Proxmox Install with Azure Install with Aws \ud83c\udfdf\ufe0f Install with Ludus "},{"location":"installation/#tldr-quick-install","title":"TLDR - quick install","text":"TLDR : ubuntu 22.04 quick install # Install vbox\nsudo apt install virtualbox\n\n# Install vagrant\nwget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg\necho \"deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main\" | sudo tee /etc/apt/sources.list.d/hashicorp.list\nsudo apt update && sudo apt install vagrant\n\n# Install Vagrant plugins\nvagrant plugin install vagrant-reload vagrant-vbguest winrm winrm-fs winrm-elevated\n\n# Add some dependencies\nsudo apt install sshpass lftp rsync openssh-client python3.10-venv\n\ngit clone https://github.com/Orange-Cyberdefense/GOAD.git\ncd GOAD\n# verify installation\n./goad.sh -t check -l GOAD -p virtualbox\n\n# install\n./goad.sh -t install -l GOAD -p virtualbox\n\n# launch goad in interactive mode\n./goad.sh\n Installation is in three parts :
Templating : this will create the template to use (needed only for proxmox and ludus) Providing : this will instantiate the virtual machines depending on your provider Provisioning : it is always made with ansible, it will install all the stuff to create the lab GOAD script cover the providing and provisioning part
The install script take multiple parameters:
-p : the provider to use (vmware/virtualbox/proxmox/ludus/azure/aws)-l : the lab to install (GOAD/GOAD-Light/SCCM/NHA/MINILAB)-m : the method of installation (local/runner/docker/remote), most of the time don't change it-ip : the ip range to use The easy way is just launch ./goad.sh and use help ?in the interactive prompt
"},{"location":"installation/#configuration-files","title":"Configuration files","text":""},{"location":"installation/#homegoadgoadini","title":"$HOME/.goad/goad.ini","text":" On the first launch goad create a global configuration file at : $HOME/.goad/goad.ini this file contains some default configuration and some parameters needed by some providers.
If you change the [default] config it will change the default selection when goad start
Others configurations are related to specific providers [default]\n; lab: goad / goad-light / minilab / nha / sccm\nlab = GOAD\n; provider : virtualbox / vmware / aws / azure / proxmox\nprovider = vmware\n; provisioner method : local / remote\nprovisioner = local\n; ip_range (3 first ip digits)\nip_range = 192.168.56\n\n[aws]\naws_region = eu-west-3\naws_zone = eu-west-3c\n\n[azure]\naz_location = westeurope\n\n[proxmox]\npm_api_url = https://192.168.1.1:8006/api2/json\npm_user = infra_as_code@pve\npm_node = GOAD\npm_pool = GOAD\npm_full_clone = false\npm_storage = local\npm_vlan = 10\npm_network_bridge = vmbr3\npm_network_model = e1000\n\n[proxmox_templates_id]\nwinserver2019_x64 = 102\nwinserver2016_x64 = 103\nwinserver2019_x64_utd = 104\nwindows10_22h2_x64 = 105\n\n[ludus]\n; api key must not have % if you have a % in it, change it by a %%\nludus_api_key = change_me\nuse_impersonation = yes\n Goad got a global configuration file : globalsettings.ini used by the ansible provisioning This file is an ansible inventory file. This file is always added at the end of the ansible inventory file list so you can override values here You can change it before running the installation to modify : keyboard_layouts proxy configuration add a route to the vm change the default dns_forwarder disable ssl for winrm communication "},{"location":"installation/linux/","title":"Linux","text":" First you will prepare your host for an hypervisor Second you will prepare your python environment "},{"location":"installation/linux/#prepare-your-hypervisor","title":"Prepare your hypervisor","text":"Virtualbox Vmware workstation Azure Aws Proxmox\ud83c\udfdf\ufe0f Ludus Disk space
The lab takes about 77GB (but you have to get the space for the vms vagrant images windows server 2016 (22GB) / windows server 2019 (14GB) / ubuntu 18.04 (502M)) The total space needed for the lab is ~115 GB (depend on the lab you use and it will take more space if you take snapshots), be sure you have enough disk space before install.
RAM
Depending on the lab you will need a lot of ram to run all the virtual machines. Be sure to have at least 20GB for GOAD-Light and 24GB for GOAD.
Tip
Vmware workstation is now free for personal use !
Vagrant
In order to download vm and create them on virtualbox you need to install vagrant https://developer.hashicorp.com/vagrant/install#linux Vmware workstation
Install vmware workstation https://support.broadcom.com/group/ecx/productdownloads?subfamily=VMware+Workstation+Pro Install vagrant vmware utility : https://developer.hashicorp.com/vagrant/install/vmware
Install the following vagrant plugins:
vagrant plugin install vagrant-reload vagrant-vmware-desktop winrm winrm-fs winrm-elevated\n Disk space
The lab takes about 77GB (but you have to get the space for the vms vagrant images windows server 2016 (22GB) / windows server 2019 (14GB) / ubuntu 18.04 (502M)) The total space needed for the lab is ~115 GB (depend on the lab you use and it will take more space if you take snapshots), be sure you have enough disk space before install.
RAM
Depending on the lab you will need a lot of ram to run all the virtual machines. Be sure to have at least 20GB for GOAD-Light and 24GB for GOAD.
Azure CLI Install azure cli https://learn.microsoft.com/en-us/cli/azure/install-azure-cli-linux Connect to azure : az login\n Terraform The installation to Azure use terraform so you will have to install it: https://developer.hashicorp.com/terraform/install AWS CLI
Install aws cli https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html#getting-started-install-instructions Create an aws access key and secret for goad usage
credentials in plain text
Storing credentials in plain text is always a bad idea, but aws cli work like that be sure to restrain the right access to this file
Terraform
The installation to Aws use terraform so you will have to install it: https://developer.hashicorp.com/terraform/install Proxmox install is very complex and use a lot of steps A complete guide to proxmox installation is available here : https://mayfly277.github.io/categories/proxmox/ To add GOAD on Ludus please use goad directly on the server. By now goad can work only directly on the server and not from a workstation client.
Install Ludus : https://docs.ludus.cloud/docs/quick-start/install-ludus/
Be sure to create an administrator user and keep his api key
Once your installation is complete on ludus server (debian 12) and your user is created do :
git clone https://github.com/Orange-Cyberdefense/GOAD.git\ncd GOAD\nsudo apt install python3.11-venv\n./goad.sh\n...>exit\nvim ~/.goad/goad.ini # add the api_key in the config file (keep impersonate to yes and use an admin user)\n./goad.sh -p ludus\n...>set_lab XXX # GOAD/GOAD-Light/NHA/SCCM\n...>install\nsudo apt install python<version>-venv\nsudo apt install python3.10-venv\nPython version
Be sure to use a python version between python3.8 and python 3.11. Others python versions are not supported by now due to incompatibility with the fixed version in the requirements.
"},{"location":"installation/windows/","title":"Windows","text":"Info
To use GOAD on windows you will need WSL.
First you will prepare your windows host for an hypervisor Second you will install debian 12 with WSL to run goad install script "},{"location":"installation/windows/#prepare-windows-host","title":"Prepare Windows Host","text":"Virtualbox Vmware Workstation Aws Azure Promox\ud83c\udfdf\ufe0f Ludus If you want to use virtualbox as an hypervisor to create your vm.
VAGRANT
If you want to create the lab on your windows computer you will need vagrant. Vagrant will be responsible to automate the process of vm download and creation.
Download and install visual c++ 2019 : https://aka.ms/vs/17/release/vc_redist.x64.exe Install vagrant : https://developer.hashicorp.com/vagrant/install Virtualbox
vagrant.exe plugin install vagrant-reload vagrant-vbguest winrm winrm-fs winrm-elevated\n Disk space
The lab takes about 77GB (but you have to get the space for the vms vagrant images windows server 2016 (22GB) / windows server 2019 (14GB) / ubuntu 18.04 (502M)) The total space needed for the lab is ~115 GB (depend on the lab you use and it will take more space if you take snapshots), be sure you have enough disk space before install.
RAM
Depending on the lab you will need a lot of ram to run all the virtual machines. Be sure to have at least 20GB for GOAD-Light and 24GB for GOAD.
If you want to use vmware workstation as an hypervisor to create your vm.
Tip
Vmware workstation is now free for personal use !
VAGRANT
If you want to create the lab on your windows computer you will need vagrant. Vagrant will be responsible to automate the process of vm download and creation.
Download and install visual c++ 2019 : https://aka.ms/vs/17/release/vc_redist.x64.exe Install vagrant : https://developer.hashicorp.com/vagrant/install Vmware Workstation
Install vmware workstation : https://support.broadcom.com/group/ecx/productdownloads?subfamily=VMware+Workstation+Pro vmware workstation install bug
if you got an error about groups and permission during vmware workstation install consider running this in an administrator cmd prompt:
net localgroup /add \"Users\"\nnet localgroup /add \"Authenticated Users\"\nvagrant.exe plugin install vagrant-reload vagrant-vmware-desktop winrm winrm-fs winrm-elevated\n Disk space
The lab takes about 77GB (but you have to get the space for the vms vagrant images windows server 2016 (22GB) / windows server 2019 (14GB) / ubuntu 18.04 (502M)) The total space needed for the lab is ~115 GB (depend on the lab you use and it will take more space if you take snapshots), be sure you have enough disk space before install.
RAM
Depending on the lab you will need a lot of ram to run all the virtual machines. Be sure to have at least 20GB for GOAD-Light and 24GB for GOAD.
Nothing to prepare on windows host, install and prepare wsl and next follow linux install from your wsl console : see aws linux install
Nothing to prepare on windows host, install and prepare wsl and next linux install from your wsl console see azure linux install
Not supported, you will have to create a provisioning machine on your proxmox and run goad from then (see proxmox linux install)
Not supported, you will have to act from your ludus server (see ludus linux install)
"},{"location":"installation/windows/#prepare-wsl-environment","title":"Prepare WSL environment","text":"Now your host environment is ready for virtual machine creation. Now we will install WSL to run the goad installation script.
"},{"location":"installation/windows/#install-wsl","title":"Install WSL","text":" First install wsl on your environment https://learn.microsoft.com/en-us/windows/wsl/install Next go to the microsoft store and install debian (debian12) "},{"location":"installation/windows/#prepare-wsl-distribution","title":"Prepare WSL distribution","text":" cd /mnt/c/whatever_folder_you_want\ngit clone https://github.com/Orange-Cyberdefense/GOAD.git\ncd GOAD\n./goad.sh\n Practice lab(s) :
GOAD : 5 vms, 2 forests, 3 domains (full goad lab) GOAD-Light : 3 vms, 1 forest, 2 domains (smaller goad lab for those with a smaller pc) SCCM : 4 vms, 1 forest, 1 domain, with microsoft configuration manager installed Challenge lab :
NHA : A challenge with 5 vms and 2 domains. no schema provided, you will have to find out how break it. POC lab :
MINILAB: 2 vms, 1 forest, 1 domain (basic lab with one DC (windows server 2019) and one Workstation (windows 10)) "},{"location":"labs/GOAD-Light/","title":"GOAD-Light","text":"This is a light version of goad without the essos domain. This lab was build for computer with less performance (min ~20GB).
Missing scenarios:
cross forest exploitation (no more external forest) mssql trusted link some old computer vulnerabilities (zero logon, petitpotam unauthent,...) ESC4, ESC2/3 "},{"location":"labs/GOAD-Light/#servers","title":"Servers","text":"This lab is actually composed of five virtual machines:
domain : sevenkingdoms.local
kingslanding : DC01 running on Windows Server 2019 (with windefender enabled by default) domain : north.sevenkingdoms.local
winterfell : DC02 running on Windows Server 2019 (with windefender enabled by default) castelblack : SRV02 running on Windows Server 2019 (with windefender disabled by default) "},{"location":"labs/GOAD-Light/#usersgroups-and-associated-vulnerabilitesscenarios","title":"Users/Groups and associated vulnerabilites/scenarios","text":" You can find a lot of the available scenarios on https://mayfly277.github.io/categories/ad/ NORTH.SEVENKINGDOMS.LOCAL
STARKS: RDP on WINTERFELL AND CASTELBLACK arya.stark: Execute as user on mssql eddard.stark: DOMAIN ADMIN NORTH/ (bot 5min) LLMRN request to do NTLM relay with responder catelyn.stark: robb.stark: bot (3min) RESPONDER LLMR sansa.stark: brandon.stark: ASREP_ROASTING rickon.stark: theon.greyjoy: jon.snow: mssql admin / KERBEROASTING / group cross domain / mssql trusted link hodor: PASSWORD SPRAY (user=password) NIGHT WATCH: RDP on CASTELBLACK samwell.tarly: Password in ldap description / mssql execute as login GPO abuse (Edit Settings on \"STARKWALLPAPER\" GPO) jon.snow: (see starks) jeor.mormont: (see mormont) MORMONT: RDP on CASTELBLACK jeor.mormont: ACL writedacl-writeowner on group Night Watch AcrossTheSea : cross forest group SEVENKINGDOMS.LOCAL
LANISTERS tywin.lannister: ACL forcechangepassword on jaime.lanister jaime.lannister: ACL genericwrite-on-user joffrey.baratheon tyron.lannister: ACL self-self-membership-on-group Small Council cersei.lannister: DOMAIN ADMIN SEVENKINGDOMS BARATHEON: RDP on KINGSLANDING robert.baratheon: DOMAIN ADMIN SEVENKINGDOMS joffrey.baratheon: ACL Write DACL on tyron.lannister renly.baratheon: stannis.baratheon: ACL genericall-on-computer kingslanding / ACL writeproperty-self-membership Domain Admins SMALL COUNCIL : ACL add Member to group dragon stone / RDP on KINGSLANDING petyer.baelish: ACL writeproperty-on-group Domain Admins lord.varys: ACL genericall-on-group Domain Admins / Acrossthenarrossea maester.pycelle: ACL write owner on group Domain Admins DRAGONSTONE : ACL Write Owner on KINGSGUARD KINGSGUARD : ACL generic all on user stannis.baratheon AccorsTheNarrowSea: cross forest group "},{"location":"labs/GOAD-Light/#computers-users-and-group-permissions","title":"Computers Users and group permissions","text":" SEVENKINGDOMS
DC01 : kingslanding.sevenkingdoms.local (Windows Server 2019) (SEVENKINGDOMS DC) Admins : robert.baratheon (U), cersei.lannister (U) RDP: Small Council (G) NORTH
DC02 : winterfell.north.sevenkingdoms.local (Windows Server 2019) (NORTH DC)
Admins : eddard.stark (U), catelyn.stark (U), robb.stark (U) RDP: Stark(G) SRV02 : castelblack.essos.local (Windows Server 2019) (IIS, MSSQL, SMB share)
Admins: jeor.mormont (U) RDP: Night Watch (G), Mormont (G), Stark (G) IIS : allow asp upload, run as NT Authority/network MSSQL: admin : jon.snow impersonate : execute as login : samwel.tarlly -> sa execute as user : arya.stark -> dbo "},{"location":"labs/GOAD/","title":"GOAD","text":"GOAD is the first and main lab of this project. It contains 3 domains and 2 forest.
"},{"location":"labs/GOAD/#servers","title":"Servers","text":"This lab is actually composed of five virtual machines:
domain sevenkingdoms.local
kingslanding : DC01 running on Windows Server 2019 (with windefender enabled by default) domain north.sevenkingdoms.local
winterfell : DC02 running on Windows Server 2019 (with windefender enabled by default) castelblack : SRV02 running on Windows Server 2019 (with windefender disabled by default) domain essos.local
meereen : DC03 running on Windows Server 2016 (with windefender enabled by default) braavos : SRV03 running on Windows Server 2016 (with windefender enabled by default) "},{"location":"labs/GOAD/#writeup","title":"WRITEUP","text":" All the writeups of the Game Of Active Directory lab are available on mayfly's blog : https://mayfly277.github.io/categories/goad/ "},{"location":"labs/GOAD/#computers-users-and-group-permissions","title":"Computers Users and group permissions","text":""},{"location":"labs/GOAD/#usersgroups-and-associated-scenarios","title":"Users/Groups and associated scenarios","text":" Graph of some scenarios is available here : NORTH.SEVENKINGDOMS.LOCAL
STARKS: RDP on WINTERFELL AND CASTELBLACK arya.stark: Execute as user on mssql, pass on all share eddard.stark: DOMAIN ADMIN NORTH/ (bot 5min) LLMRN request to do NTLM relay with responder catelyn.stark: robb.stark: bot (3min) RESPONDER LLMR / lsass present user sansa.stark: keywalking password / unconstrained delegation brandon.stark: ASREP_ROASTING rickon.stark: pass spray WinterYYYY jon.snow: mssql admin / KERBEROASTING / mssql trusted link hodor: PASSWORD SPRAY (user=password) NIGHT WATCH: RDP on CASTELBLACK samwell.tarly: Password in ldap description / mssql execute as login GPO abuse (Edit Settings on \"STARKWALLPAPER\" GPO) jon.snow: (see starks) jeor.mormont: (see mormont) MORMONT: RDP on CASTELBLACK jeor.mormont: Admin castelblack, pass in sysvol script AcrossTheSea : cross forest group SEVENKINGDOMS.LOCAL
LANISTERS tywin.lannister: ACE forcechangepassword on jaime.lanister, password on sysvol cyphered jaime.lannister: ACE genericwrite-on-user joffrey.baratheon tyron.lannister: ACE self membership on small council cersei.lannister: DOMAIN ADMIN SEVENKINGDOMS BARATHEON: RDP on KINGSLANDING robert.baratheon: DOMAIN ADMIN SEVENKINGDOMS, protected user joffrey.baratheon: ACE Write DACL on tyron.lannister renly.baratheon: WriteDACL on container, sensitive user stannis.baratheon: ACE genericall-on-computer kingslanding SMALL COUNCIL : ACE add Member to group dragon stone / RDP on KINGSLANDING petyer.baelish: lord.varys: ACE genericall-on-group Domain Admins and sdholder maester.pycelle: DRAGONSTONE : ACE Write Owner on group KINGSGUARD KINGSGUARD : ACE generic all on user stannis.baratheon AccorsTheNarrowSea: cross forest group ESSOS.LOCAL
TARGERYEN missande : ASREP roasting, generic all on khal daenerys.targaryen: DOMAIN ADMIN ESSOS viserys.targaryen: ACE write property on jorah.mormont jorah.mormont: mssql execute as login / mssql trusted link / Read LAPS Password DOTHRAKI khal.drogo: mssql admin / GenericAll on viserys (shadow credentials) / GenericAll on ECS4 DragonsFriends: cross forest group Spys: cross forest group / Read LAPS password / ACL generic all jorah.mormont "},{"location":"labs/MINILAB/","title":"MINI lab","text":" The MINI lab is just a sample presented during an Article on the MISC magazine. This is just a simple basic LAB with one DC (windows server 2019) and one Workstation (windows 10) "},{"location":"labs/NHA/","title":"NINJA HACKER ACADEMY","text":" NINJA HACKER ACADEMY (NHA) is written as a training challenge where GOAD was written as a lab with a maximum of vulns. You should find your way in to get domain admin on the 2 domains (academy.ninja.lan and ninja.hack) Starting point is on srv01 : 192.168.58.21
Flags are disposed on each machine, try to grab all. Be careful all the machines are up to date with defender enabled.
Some exploits needs to modify path so this lab is not very multi-players compliant (unless you do it as a team ;)) Obviously do not cheat by looking at the passwords and flags in the recipe files, the lab must start without user to full compromise.
Install :
./goad.sh -t install -l NHA -p virtualbox -m docker\n Once install finish disable vagrant user to avoid using it : ./goad.sh -t disablevagrant -l NHA -p virtualbox -m docker\n Now do a reboot of all the machine to avoid unintended secrets stored : ./goad.sh -t stop -l NHA -p virtualbox -m docker\n./goad.sh -t start -l NHA -p virtualbox -m docker\nAnd you are ready to play ! :)
If you need to re-enable vagrant ./goad.sh -t enablevagrant -l NHA -p virtualbox -m docker\n If you want to create a write up of the chall, no problem, have fun. Please ping me on X (@M4yFly) or Discord, i will be happy to read it :) Tip
No bruteforce, if not in rockyou do not waste your time and your cpu/gpu cycle.
"},{"location":"labs/SCCM/","title":"SCCM lab","text":"Thanks!
Thanks a lot to my colleague Issam (@KenjiEndo15), who start the project and provide me a lot of ansible roles to start from !
"},{"location":"labs/SCCM/#servers","title":"Servers","text":"4 virtual machines with Windows Server 2019
DC : Domain Controler MECM : mecm primary site serer MSSQL : mecm sql server CLIENT : mecm client computer All vms got defender activated
"},{"location":"labs/SCCM/#prerequisites","title":"Prerequisites","text":" The prerequisites for the lab are the same as GOAD lab (virtualbox/vmware, python, ansible,...) The lab take 16GB for the vagrant image + 100GB for the 4 vms The installation take environ 2,5 hours (with fiber connection) The lab download multiple files during the install (windows iso, mecm installation package, mssql installation package, ...), be sure to have a good internet connection. "},{"location":"labs/SCCM/#writeup","title":"Writeup","text":" A writeup on SCCM exploitation is available here : https://mayfly277.github.io/categories/sccm/ "},{"location":"labs/SCCM/#proxmox-installation","title":"proxmox installation","text":" In order to use the proxmox provider follow this : 1) create a template with the windows_server2019_proxmox_cloudinit_uptodate.pkvars.hcl packer file (guide here: https://mayfly277.github.io/posts/GOAD-on-proxmox-part2-packer/) (note the id after the creation)
2) create the variable file (ad/SCCM/providers/proxmox/terraform/variables.tf) by coping the template (ad/SCCM/providers/proxmox/terraform/variables.tf.template) and change the value according to your proxmox environnement
3) on the provisioning computer :
./goad.sh -t check -l SCCM -p proxmox -m local\n./goad.sh -t install -l SCCM -p proxmox -m local\n4) if something goes wrong (restart of the vms during install, etc...), you can rerun only ansible with -a
./goad.sh -t install -l SCCM -p proxmox -m local -a\nThe architecture is slightly different depending on the provider. Please consult the provider you use to understand the behavior.
"},{"location":"providers/aws/","title":"Aws","text":"Thanks!
Thx to @ArnC_CarN for the initial work on the aws provider
The architecture is quite the same than the Azure deployment.
Warning
LLMNR, NBTNS and other poisoning network attacks will not work in aws environment. Only network coerce attacks will work.
"},{"location":"providers/aws/#prerequisites","title":"Prerequisites","text":""},{"location":"providers/aws/#aws-configuration","title":"AWS configuration","text":"You need to configre AWS cli. Use a key with enough privileges on the tenant.
aws configure\n Create an aws access key and secret for goad usage
credentials in plain text
Storing credentials in plain text is always a bad idea, but aws cli work like that be sure to restrain the right access to this file
"},{"location":"providers/aws/#goad-configuration","title":"Goad configuration","text":" The goad configuration file as some options for aws: # ~/.goad/goad.ini\n...\n[aws]\naws_region = eu-west-3\naws_zone = eu-west-3c\n If you want to use a different region and zone you can modify it. "},{"location":"providers/aws/#installation","title":"Installation","text":"# check prerequisites\n./goad.sh -t check -l GOAD -p aws\n# Install\n./goad.sh -t install -l GOAD -p aws\nor from the interactive console :
GOAD/aws/remote/192.168.56.X > install\n You can see the status of the lab with the command status You can also start and stop the lab with the command start and stop "},{"location":"providers/aws/#vms-ami","title":"VMs ami","text":" The vm used for goad are defined in the lab terraform file : ad/<lab>/providers/aws/windows.tf This file is containing information about each vm in use \"dc01\" = {\n name = \"dc01\"\n domain = \"sevenkingdoms.local\"\n windows_sku = \"2019-Datacenter\"\n ami = \"ami-018ebfbd6b0a4c605\"\n instance_type = \"t2.medium\"\n private_ip_address = \"{{ip_range}}.10\"\n password = \"8dCT-DJjgScp\"\n}\n On the installation goad script will create a folder into goad/workspaces/<instance_folder> This folder will contain the terraform scripts and some of the ansible inventories Goad will create the cloud infrastructure with terraform. The lab is created (not provisioned yet) and a \"jumpbox\" vm is also created Next the needed sources will be pushed to the jumpbox using ssh and rsync The jumpbox ssh_key is stored on goad/workspaces/<instance_folder>/ssh_keys The jumpbox is prepared to run ansible The provisioning is launch with ssh remotely on the jumpbox "},{"location":"providers/aws/#install-step-by-step","title":"Install step by step","text":"GOAD/aws/remote/192.168.56.X > create_empty # create empty instance\nGOAD/aws/remote/192.168.56.X > load <instance_id>\nGOAD/aws/remote/192.168.56.X (<instance_id>) > provide # play terraform\nGOAD/aws/remote/192.168.56.X (<instance_id>) > sync_source_jumpbox # sync jumpbox source\nGOAD/aws/remote/192.168.56.X (<instance_id>) > prepare_jumpbox # install dependencies on jumpbox\nGOAD/aws/remote/192.168.56.X (<instance_id>) > provision_lab # run ansible\n To connect to the jumpbox VM you can use ssh_jumpbox in the goad interactive console To setup a socks proxy you can use ssh_jumpbox_proxy <proxy_port> in the goad interactive console All aws elements are tagged with <lab_name>-<lab_instance_id> "},{"location":"providers/azure/","title":"Azure","text":"Thanks!
Thx to Julien Arault for the initial work on the azure provider
Warning
LLMNR, NBTNS and other poisoning network attacks will not work in azure environment. Only network coerce attacks will work.
"},{"location":"providers/azure/#prerequisites","title":"Prerequisites","text":""},{"location":"providers/azure/#azure-configuration","title":"Azure configuration","text":"You need to login to Azure with the CLI.
az login\n The goad configuration file as some options for azure: # ~/.goad/goad.ini\n...\n[azure]\naz_location = westeurope\n If you want to use a different location you can modify it. "},{"location":"providers/azure/#installation","title":"Installation","text":"# check prerequisites\n./goad.sh -t check -l GOAD -p azure\n# Install\n./goad.sh -t install -l GOAD -p azure\nor from the interactive console :
GOAD/azure/remote/192.168.56.X > install\n You can see the status of the lab with the command status You can also start and stop the lab with the command start and stop Info
The command stop use deallocate, it take a long time to run but it is not only stopping the vms, it will deallocate them. By doing that, you will stop paying from them (but you still paying storage) and can save some money.
"},{"location":"providers/azure/#vms-sku","title":"VMs sku","text":" The vm used for goad are defined in the lab terraform file : ad/<lab>/providers/azure/windows.tf This file is containing information about each vm in use \"dc01\" = {\n name = \"dc01\"\n publisher = \"MicrosoftWindowsServer\"\n offer = \"WindowsServer\"\n windows_sku = \"2019-Datacenter\"\n windows_version = \"17763.4377.230505\"\n private_ip_address = \"{{ip_range}}.10\"\n password = \"8dCT-DJjgScp\"\n size = \"Standard_B2s\"\n}\n On the installation goad script will create a folder into goad/workspaces/<instance_folder> This folder will contain the terraform scripts and some of the ansible inventories Goad will create the cloud infrastructure with terraform. The lab is created (not provisioned yet) and a \"jumpbox\" vm is also created Next the needed sources will be pushed to the jumpbox using ssh and rsync The jumpbox ssh_key is stored on goad/workspaces/<instance_folder>/ssh_keys The jumpbox is prepared to run ansible The provisioning is launch with ssh remotely on the jumpbox "},{"location":"providers/azure/#install-step-by-step","title":"Install step by step","text":"GOAD/azure/remote/192.168.56.X > create_empty # create empty instance\nGOAD/azure/remote/192.168.56.X > load <instance_id>\nGOAD/azure/remote/192.168.56.X (<instance_id>) > provide # play terraform\nGOAD/azure/remote/192.168.56.X (<instance_id>) > sync_source_jumpbox # sync jumpbox source\nGOAD/azure/remote/192.168.56.X (<instance_id>) > prepare_jumpbox # install dependencies on jumpbox\nGOAD/azure/remote/192.168.56.X (<instance_id>) > provision_lab # run ansible\n To connect to the jumpbox VM you can use ssh_jumpbox in the goad interactive console To setup a socks proxy you can use ssh_jumpbox_proxy <proxy_port> in the goad interactive console
If the command destroy or delete fails, you can delete the resource group using the CLI
az group delete --name GOAD\n "},{"location":"providers/ludus/","title":"\ud83c\udfdf\ufe0f Ludus","text":"Thanks!
Huge shootout to @badsectorlabs for Ludus and Erik for his support and tests during the ludus provider creation
Install on ludus server only
To add GOAD on Ludus please use goad directly on the server. By now goad can work only directly on the server and not from a workstation client.
git clone https://github.com/Orange-Cyberdefense/GOAD.git\ncd GOAD\nsudo apt install python3.11-venv\n./goad.sh\nexit\n The goad configuration file as some options for ludus: # ~/.goad/goad.ini\n...\n[ludus]\nludus_api_key = changeme\nuse_impersonation = yes\n change the api_key with the one of your admin user "},{"location":"providers/ludus/#install","title":"Install","text":"./goad.sh -p ludus\nGOAD/ludus/local > set_lab XXX # GOAD/GOAD-Light/NHA/SCCM\nGOAD/ludus/local > install\n The installation will create a new simple_user to generate the pool we will call him \"lab_user\" the id of this user will be lab_name<6alphanumeric_digit> Next this \"lab_user\" will be impersonate to launch all the ludus deployment command At the end the \"lab_user\" will share access to our user This way we can manage multiple lab instance with goad on the same ludus server. Info
On ludus the config ip_range is not used and is ignored. The ips will be setup automatically during the lab installation
"},{"location":"providers/proxmox/","title":"Proxmox","text":" A complete guide to proxmox installation is available here : https://mayfly277.github.io/categories/proxmox/ "},{"location":"providers/proxmox/#prerequisites","title":"Prerequisites","text":""},{"location":"providers/proxmox/#installation","title":"Installation","text":" # check prerequisites\n./goad.sh -t check -l GOAD -p proxmox\n# Install\n./goad.sh -t install -l GOAD -p proxmox\n Providing
Virtualbox Vagrant Vagrant plugins: vagrant-reload vagrant-vbguest winrm winrm-fs winrm-elevated Provisioning
Python3 (version between [3.8, 3.11]) goad requirements ansible-galaxy goad requirements "},{"location":"providers/virtualbox/#check-dependencies","title":"Check dependencies","text":"./goad.sh -p virtualbox\nGOAD/virtualbox/local/192.168.56.X > check\nInfo
If there is some missing dependencies goes to the installation chapter and follow the guide according to your os.
Note
check give mandatory dependencies in red and non mandatory in yellow (but you should be compliant with them too depending one your operating system)
"},{"location":"providers/virtualbox/#install","title":"Install","text":" To install run the goad script and launch install or use the goad script arguments ./goad.sh -p virtualbox\nGOAD/virtualbox/local/192.168.56.X > set_lab <lab> # here choose the lab you want (GOAD/GOAD-Light/NHA/SCCM)\nGOAD/virtualbox/local/192.168.56.X > set_ip_range <ip_range> # here choose the ip range you want to use ex: 192.168.56\nGOAD/virtualbox/local/192.168.56.X > install\n or all in command line with arguments ./goad.sh -t install -p virtualbox -l <lab> -ip <ip_range_to_use>\nQuote
\"Virtualbox c'est no way\" @mpgn
"},{"location":"providers/vmware/#prerequisites","title":"Prerequisites","text":" Providing
Vmware workstation Vagrant Vmware utility driver Vagrant plugins: vagrant-reload vagrant-vmware-desktop winrm winrm-fs winrm-elevated Provisioning
Python3 (version between [3.8, 3.11]) goad requirements ansible-galaxy goad requirements "},{"location":"providers/vmware/#check-dependencies","title":"check dependencies","text":"./goad.sh -p vmware\nGOAD/vmware/local/192.168.56.X > check\nInfo
If there is some missing dependencies goes to the installation chapter and follow the guide according to your os.
Note
check give mandatory dependencies in red and non mandatory in yellow (but you should be compliant with them too depending one your operating system)
"},{"location":"providers/vmware/#install","title":"Install","text":" To install run the goad script and launch install or use the goad script arguments ./goad.sh -p vmware\nGOAD/vmware/local/192.168.56.X > set_lab <lab> # here choose the lab you want (GOAD/GOAD-Light/NHA/SCCM)\nGOAD/vmware/local/192.168.56.X > set_ip_range <ip_range> # here choose the ip range you want to use ex: 192.168.56 (only the first three digits)\nGOAD/vmware/local/192.168.56.X > install\n or all in command line with arguments ./goad.sh -t install -p vmware -l <lab> -ip <ip_range_to_use>\n Launch goad.py script (or goad.sh wrapper) with arguments usage: goad.py [-h] [-t TASK] [-l LAB] [-p PROVIDER] [-ip IP_RANGE] [-m METHOD] [-i INSTANCE] [-e EXTENSIONS] [-a ANSIBLE_ONLY] [-r RUN_PLAYBOOK]\n\nDescription : goad lab management console.\n\noptional arguments:\n -h, --help show this help message and exit\n -t TASK, --task TASK tasks available : (install/start/stop/restart/destroy/status/show)\n -l LAB, --lab LAB lab to use (default: GOAD)\n -p PROVIDER, --provider PROVIDER\n provider to use (default: vmware)\n -ip IP_RANGE, --ip_range IP_RANGE\n ip range to use (default: 192.168.56)\n -m METHOD, --method METHOD\n deploy method to use (default: local)\n -i INSTANCE, --instance INSTANCE\n use a specific instance (use default if not selected)\n -e EXTENSIONS, --extensions EXTENSIONS\n extensions to use\n -a ANSIBLE_ONLY, --ansible_only ANSIBLE_ONLY\n run only provisioning (ansible) on instance (-i) (for task install only)\n -r RUN_PLAYBOOK, --run_playbook RUN_PLAYBOOK\n run only one ansible playbook on instance (-i) (for task install only)\n\nExample :\n - Install GOAD on virtualbox : python3 goad.py -t install -l GOAD -p virtualbox\n - Launch GOAD interactive console : python3 goad.py\nLaunch goad interactive mode
"},{"location":"usage/goad_console/#enter-interactive-mode","title":"Enter interactive mode","text":"To enter interactive mode just launch goad without the -t parameter
./goad.sh\n*** Lab Instances ***\ncheck ................................... check dependencies before creation\ninstall / create ........................ install the selected lab and create a lab instance\ncreate_empty ............................ prepare a lab instance folder without providing and provisioning\nlist .................................... list lab instances\nload <instance_id> ...................... load a lab instance\n\n*** Configuration ***\nconfig .................................. show current configuration\nlabs .................................... show all labs and available providers\nset_lab <lab> ........................... set the lab to use\nset_provider <provider> ................. set the provider to use\nset_provisioning_method <method> ........ set the provisioning method\nset_ip_range <range> .................... set the 3 first digit of the ip to use (ex: 192.168.56)\nWill check the lab dependencies
check\n
"},{"location":"usage/goad_console/#install","title":"install","text":"Install the lab with the current select config
install\n This will: create an instance folder into workspaces/ run vagrant/terraform/ludus depending on the provider to create the machines synchronize source to jumpbox if provider is aws or azure provision jumpbox if provider is aws or azure run the ansible provisioning
"},{"location":"usage/goad_console/#create_empty","title":"create_empty","text":"Create an empty instance folder (into the workspaces/ folder)
create_empty\n
"},{"location":"usage/goad_console/#list","title":"list","text":"List instances
alias : ls
list\n
"},{"location":"usage/goad_console/#load","title":"load","text":"Select an instance by his name
alias : use, cd
load <instance name>\n
"},{"location":"usage/goad_console/#config","title":"config","text":"show current configuration
config\n
"},{"location":"usage/goad_console/#labs","title":"labs","text":"show available labs
labs\n
"},{"location":"usage/goad_console/#set_lab","title":"set_lab","text":"Choose the lab to use (GOAD/GOAD-Light/NHA/SCCM/MINILAB)
set_lab <lab_name>\nChoose the provider to use (virtualbox/vmware/aws/azure/ludus/proxmox)
set_provider <lab_name>\nChoose the provisioning method (local/runner/docker/remote) (most of the time you don't have to change it)
set_provisioning <provisioning_method>\n local : launch ansible with subprocess (default for vbox/vmware/proxmox/ludus) runner : launch ansible with ansible runner remote : launch ansible through ssh using jumpbox (default for azure/aws) docker : user the docker container to launch ansible (docker container must be built first sudo docker build -t goadansible .) "},{"location":"usage/goad_console/#set_ip_range","title":"set_ip_range","text":"Set the ip range you want to use (Three first digit, example : 192.168.10)
set_ip_range <ip_range>\n*** Manage Lab instance commands ***\nstatus .................................. show current status\nstart ................................... start lab\nstop .................................... stop lab\ndestroy ................................. destroy lab\n\n*** Manage one vm commands ***\nstart_vm <vm_name> ...................... start selected virtual machine\nstop_vm <vm_name> ....................... stop selected virtual machine\nrestart_vm <vm_name> .................... restart selected virtual machine\ndestroy_vm <vm_name> .................... destroy selected virtual machine\n\n*** Extensions ***\nlist_extensions ......................... list extensions\ninstall_extension <extension> ........... install extension (providing + provisioning)\nprovision_extension <extension> ......... provision extension (provisioning only)\n\n*** JumpBox ***\nprepare_jumpbox ......................... install package on the jumpbox for provisioning\nsync_source_jumpbox ..................... sync source of the jumpbox\nssh_jumpbox ............................. connect to jump box with ssh\nssh_jumpbox_proxy <proxy_port> .......... connect to jump box with ssh and start a socks proxy\n\n*** Providing (Vagrant/Terrafom) ***\nprovide ................................. run only the providing (vagrant/terraform)\n\n*** Provisioning (Ansible) ***\nprovision <playbook> .................... run specific ansible playbook\nprovision_lab ........................... run all the current lab ansible playbooks\nprovision_lab_from <playbook> ........... run all the current lab ansible playbooks from specific playbook to the end\n\n*** Lab Instances ***\ncheck ................................... check dependencies before creation\ninstall ................................. install the current instance (provide + prepare_jumpbox + provision_lab\nset_as_default .......................... set instance as default\nupdate_instance_files ................... update lab instance files\nlist .................................... list lab instances\nload <instance_id> ...................... load a lab instance\n\n*** Configuration ***\nconfig .................................. show current configuration\nunload .................................. unload current instance\ndelete .................................. delete the currently selected lab instance\nGive the current lab status
status\nStart the current lab instance
start\nStop the current lab instance
stop\nDanger
Destroy the current lab instance vms
destroy\nStart a vm
start_vm <vm_name>\nStop a vm
stop_vm <vm_name>\nRestart a vm (start and stop)
restart_vm <vm_name>\nDanger
Destroy a vm
destroy_vm <vm_name>\nList available extensions
list_extensions\nAdd an extension to the lab (providing + provisioning)
Warning
An installed extension can't be deleted
install_extension <extension_name>\nLaunch provisioning (ansible) for the extension
provision_extension <extension_name>\nPrepare jumpbox : run the preparation script on the jumpbox (install dependencies)
prepare_jumpbox\nRsync goad source with the jumpbox
sync_source_jumpbox\nSSH into the jumpbox
ssh_jumpbox\nSSH into the jumpbox with a socks proxy option (-D)
ssh_jumpbox_proxy <socks_proxy_port>\nLaunch providing (machine creation)
provide\nLaunch specific playbook (use playbook in ansible/ folder)
provision <playbook.yml>\nLaunch all the lab provisioning (install labs on machines with ansible)
provision_lab\nLaunch the lab provisioning from a specific playbook (use playbook in ansible/ folder)
Tip
useful if the install crash to not redo all the provisioning
provision_lab_from <playbook.yml>\nLaunch the check (same as without instance)
check\nLaunch the install (useful if you created an empty instance)
install\nSet the current instance as default (automatically loaded on goad start)
set_as_defualt\nRecreate the files inside the workspace folder
update_instance_files\nList instances
alias : ls
list\nSelect an instance by his name (here change the current instance)
alias : use, cd
load <instance name>\nShow current configuration
config\nUnload the instance (alias cd ..)
unload\nDanger
delete the current instance lab and vms
delete\nhttps://orange-cyberdefense.github.io/GOAD/changelog/
2024-10-08
+
+ https://orange-cyberdefense.github.io/GOAD/instances/
+ 2024-10-08
+
https://orange-cyberdefense.github.io/GOAD/provisioning/
2024-10-08
diff --git a/sitemap.xml.gz b/sitemap.xml.gz
index 5d279a08..72678d93 100644
Binary files a/sitemap.xml.gz and b/sitemap.xml.gz differ
diff --git a/thx/index.html b/thx/index.html
index aca5d51f..71014a9d 100644
--- a/thx/index.html
+++ b/thx/index.html
@@ -999,6 +999,26 @@
+
+
+
+
+
+ 🇮 instances
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/troobleshoot/index.html b/troobleshoot/index.html
index 709ad29d..1b59b841 100644
--- a/troobleshoot/index.html
+++ b/troobleshoot/index.html
@@ -1001,6 +1001,26 @@
+
+
+
+
+
+ 🇮 instances
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/usage/goad_args/index.html b/usage/goad_args/index.html
index 27b02d1a..0695b5b1 100644
--- a/usage/goad_args/index.html
+++ b/usage/goad_args/index.html
@@ -1013,6 +1013,26 @@
+
+
+
+
+
+ 🇮 instances
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/usage/goad_console/index.html b/usage/goad_console/index.html
index abd58b28..8f2693e0 100644
--- a/usage/goad_console/index.html
+++ b/usage/goad_console/index.html
@@ -16,7 +16,7 @@
+
+
+
+
+ 🇮 instances
+
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -2169,7 +2189,7 @@ install_extension
Add an extension to the lab (providing + provisioning)
Warning
-
An installed extension can be deleted
+
An installed extension can't be deleted
+
+
+
+
+ 🇮 instances
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/vulnerabilities/index.html b/vulnerabilities/index.html
index 72693ada..9ea4d076 100644
--- a/vulnerabilities/index.html
+++ b/vulnerabilities/index.html
@@ -997,6 +997,26 @@
+
+
+
+
+
+ 🇮 instances
+
+
+
+
+
+
+
+
+
+
+
+
+
+