GOAD_Provisioning_ActiveDirectory
2025-03-02
Today we will talk about GOAD, from its creators:
GOAD is a pentest active directory LAB project. The purpose of this lab is to give pentesters a vulnerable Active directory environment ready to use to practice usual attack techniques.
This lab is extremely vulnerable, do not reuse recipe to build your environment and do not deploy this environment on internet without isolation (this is a recommendation, use it at your own risk). This repository was built for pentest practice.
It provides 4 lab configurations (if I may call it so):
- GOAD
- GOAD-Light
- MINILAB
- SCCM
- NHA
For installation, you can check the documentation. I was interested in the GOAD lab and tried to install it on my laptop with VMware Workstation. I have 24GB RAM and 20 vCPU on my laptop, so I guessed there would be no issues. But, alas, I was wrong, very wrong.
My attempts to install it with the following commands (on both Linux and Windows) failed (multiple times) :) .
|
|
CPU was not an issue; the load average was never more than 1 or 2 at most. However, I was running out of RAM every time. I have a lot of other applications running at the same time on this laptop, so I decided it was not worth stopping all of them to run this lab (and it would have been very inconvenient as well).
So, what could I do to have something similar (currently I only needed one domain server with some vulnerabilities)? I had 2 options after creating the Server VMs myself:
- Configure the domain and all the vulnerabilities myself.
- Use the good work done by contributors at GOAD.
In case of (1), I will have to do all the work and create a work so I can create/recreate the environment as and when I want. It is time consuming but probably worth it, and if you have never done it before, you should try that. But I have done most of it in the past, so there was not much incentive for me.
In case of (2), I just have to figure out what GOAD does and use it as is. Once the settings are done, if I need to do something else, I can always do that additionally. Good for me, it uses Vagrant to create the 5 VMs for the GOAD lab configuration (download and install with box files) and then Ansible to configure the VMs. Ah, that sounds like something we can reuse.
So, I started my journey to do this with the available scripts and here are the steps that finally allowed me to achieve my goals - Just configure one Server with GOAD ansible scripts :) .
First, I created a Server 2025 VM and installed the Server 2025 OS downloaded from the Microsoft evaluation center. Once it was installed, I powered off the VM and set Enable Template Mode (to be used for cloning), by following these steps:
- Power off the VM
- Go to VM > Settings > Advanced
- Find the setting “Enable Template Mode (to be used for cloning)” and enable it.
After adding this, I prefer to move the VM to a folder called Base VMs, so I never start these VMs. I only use these VMs to create new VMs by cloning them. This gives easy access in future for creating VMs.
Once this is done, I created a linked clone by clicking on the VM name and then Manage > Clone and following the steps. I selected to create a linked clone and not a full clone (but this choice will not matter for your next steps).
Now, the interesting part since we are done with the mundane tasks. We will clone GOAD and use the ansible scripts to configure this VM with a domain and some vulnerabilities and customize it as well.
I am doing this from a Fedora system, so the commands are for that, but you can do something very similar from any other OS if you so wish.
Configure the Server VM for remoting so Ansible can configure it. To do so, you can copy the file ConfigureRemotingForAnsible.ps1 from the vagrant folder and run it on the server. I was using some custom scripts to install my server so it did not have all the components, so I had to run the following commands as well:
|
|
and then restart the VM.
On the Linux host, before we begin, we will install winrm from the repos first:
|
|
and then clone the repo and install the dependencies for Python and Ansible.
|
|
This sets up our environment and dependencies. Now we can run the Ansible playbooks, but before we do, we need to understand how Ansible is going to identify the VMs, how to configure the username, and how to customize the setup. Let's begin doing that now.
We need 2 inventory files. One of them is ad/GOAD/data/inventory (because we are using the GOAD lab; if you are using some other lab, then you can get the inventory file from that lab's folder under the ad folder). We will copy this to the top of the GOAD folder where we cloned the git repo. The other is not available directly. While I was running the goad.sh script, it created that file in the workspace/<UID> folder. I am sharing the one I have for one host. I saved it as inventory under the GOAD base folder.
|
|
In this file, you need to update the IP with the IP address of your Windows Server VM, in my case the Server 2025 VM. DO NOT CHANGE ANYTHING ELSE.
Now, we also need to modify the config file with the variables for Ansible to connect and configure the environment. You can find this file at ad/GOAD/data/config.json. Open this file in the editor of your choice and make the following changes, as required:
- local_admin_password - Under each hostname, you will find this, modify to suit your needs.
- vulns - You can configure the vulns that you want on this server. You can see the list of subfolders under ansible/roles/vulns/ and configure them here. As of today, they are: acls, adcs_templates, administrator_folder, autologon, credentials, directory, disable_firewall, enable_credssp_client, enable_credssp_server, enable_llmnr, enable_nbt-ns, files, mssql, ntlmdowngrade, openshares, permissions, schedule, shares, smbv1
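Before running the playbooks it helps to see exactly which weak settings each host will receive and to catch names in vulns that match no role. The following is an added example, not code from GOAD or from the original post; it searches the JSON for any object carrying a vulns list, so it does not depend on the exact layout of config.json, and the sample config in it is constructed.

```python
import json
import sys
from pathlib import Path

# Role names this page lists under ansible/roles/vulns/ (a snapshot; may change).
PAGE_ROLES = set("""acls adcs_templates administrator_folder autologon credentials
directory disable_firewall enable_credssp_client enable_credssp_server enable_llmnr
enable_nbt-ns files mssql ntlmdowngrade openshares permissions schedule shares
smbv1""".split())

def known_roles(repo_root=None):
    """Prefer the live role directories of a checkout; else the page's snapshot."""
    roles_dir = Path(repo_root or ".") / "ansible" / "roles" / "vulns"
    if roles_dir.is_dir():
        return {p.name for p in roles_dir.iterdir() if p.is_dir()}
    return set(PAGE_ROLES)

def vuln_entries(node, path=""):
    """Yield (json_path, list) for every object that carries a "vulns" list."""
    if isinstance(node, dict):
        if isinstance(node.get("vulns"), list):
            yield path or "/", node["vulns"]
        for key, value in node.items():
            yield from vuln_entries(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from vuln_entries(value, f"{path}/{i}")

def unknown_vulns(config, roles):
    """Map json_path -> names that match no role (typos, removed roles)."""
    report = {}
    for where, names in vuln_entries(config):
        bad = [n for n in names if n not in roles]
        if bad:
            report[where] = bad
    return report

# Constructed sample, not the real ad/GOAD/data/config.json.
SAMPLE = json.loads("""{"lab": {"hosts": {
  "dc01": {"local_admin_password": "CHANGE-ME", "vulns": ["smbv1", "enable_llmnr"]},
  "srv01": {"local_admin_password": "CHANGE-ME", "vulns": ["openshare", "mssql"]}}}}""")

if __name__ == "__main__":
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for where, names in vuln_entries(cfg):
        print(where, "enables:", ", ".join(names))
    for where, bad in unknown_vulns(cfg, known_roles()).items():
        print("no such role at", where, "->", bad)
```

Run it from the top of the GOAD checkout with the path to config.json as the only argument; without an argument it checks the constructed sample.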
Now, some more changes in the ad/GOAD/data/inventory file. You will need to change the following at least:
- ansible_user
- ansible_password
There are other values that you may want to change. If you do not remove dc02, dc03, srv02 and srv03, you will get errors from Ansible for these servers. But since that does not impact the configuration, I did not remove them. Finally, we can run the Ansible playbooks.
The question is, which ones? If you check the playbooks.yml file in the root of the GOAD repo, you can see the following for the GOAD lab (under default):
- build.yml
- ad-servers.yml
- ad-parent_domain.yml
- ad-child_domain.yml
- wait5m.yml
- ad-members.yml
- ad-trusts.yml
- ad-data.yml
- ad-gmsa.yml
- laps.yml
- ad-relations.yml
- adcs.yml
- ad-acl.yml
- servers.yml
- security.yml
- vulnerabilities.yml
Let's get going with running them.
|
|
I am not sure if the extra-vars option is required or not, but I added it anyway.
You can add all the ansible-playbook commands in a script and run the script to save you some time.
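One way to script the run, as an added example that is not part of the original post or of GOAD: it runs the playbooks in the order listed above, retries a failing playbook once, and stops at the first one that still fails so the run can be resumed from there. The inventory paths are placeholders passed on the command line, and the ansible working directory is an assumption about where the playbooks sit in the checkout.

```python
import subprocess
import sys

# Order copied from the playbooks.yml list on this page (GOAD lab, default).
PLAYBOOKS = """build.yml ad-servers.yml ad-parent_domain.yml ad-child_domain.yml
wait5m.yml ad-members.yml ad-trusts.yml ad-data.yml ad-gmsa.yml laps.yml
ad-relations.yml adcs.yml ad-acl.yml servers.yml security.yml
vulnerabilities.yml""".split()

def build_command(playbook, inventories):
    """Build one ansible-playbook call; -i is given once per inventory file."""
    cmd = ["ansible-playbook"]
    for inv in inventories:
        cmd += ["-i", inv]
    return cmd + [playbook]

def run_all(inventories, start_at=None, retries=1, run=subprocess.call, cwd="ansible"):
    """Run the playbooks in order; return the first that keeps failing, else None.

    start_at resumes from a named playbook after the cause of a failure is fixed.
    cwd is an assumption: the directory of the checkout that holds the playbooks.
    """
    todo = PLAYBOOKS[PLAYBOOKS.index(start_at):] if start_at else PLAYBOOKS
    for playbook in todo:
        for _attempt in range(1 + retries):
            if run(build_command(playbook, inventories), cwd=cwd) == 0:
                break
        else:
            return playbook  # stop here so the run can be resumed from this one
    return None

if __name__ == "__main__":
    # Usage (placeholders): run_goad.py INVENTORY [INVENTORY ...] [--from NAME]
    args = sys.argv[1:]
    start = None
    if "--from" in args:
        i = args.index("--from")
        start = args[i + 1]
        del args[i:i + 2]
    failed = run_all(args, start_at=start)
    sys.exit(f"stopped at {failed}; rerun with --from {failed}" if failed else 0)
```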
Hope you can use this too. And by the way, if you have more than 1 VM, you can just add it in the inventory2 file and everything should work.
Happy Hacking.

Authored By Amit Agarwal
Amit Agarwal, Linux and Photography are my hobbies.
Creative Commons Attribution 4.0 International License.