GOAD_Provisioning_ActiveDirectory

Today we will talk about GOAD, from its creators:

GOAD is a pentest active directory LAB project. The purpose of this lab is to give pentesters a vulnerable Active directory environment ready to use to practice usual attack techniques.

This lab is extremely vulnerable; do not reuse the recipe to build your environment and do not deploy this environment on the internet without isolation (this is a recommendation, use it at your own risk). This repository was built for pentest practice.

It provides 4 lab configurations (if I may call it so):

  1. GOAD
  2. GOAD-Light
  3. MINILAB
  4. SCCM
  5. NHA

For installation, you can check the documentation. I was interested in the GOAD lab and tried to install it on my laptop with VMware Workstation. I have 24GB RAM and 20 vCPU on my laptop, so I guessed there would be no issues. But, alas, I was wrong, very wrong.

My attempts to install it with the following commands (on both Linux and Windows) failed (multiple times) :) .

git clone https://github.com/Orange-Cyberdefense/GOAD
cd GOAD
# Windows
py goad.py -m vm -p vmware
# Linux
./goad.sh -t install -p vmware -l GOAD -ip 192.168.100

CPU was not an issue; the load average was never more than 1 or 2 at most. However, I was running out of RAM every time. I have a lot of other applications running at the same time on this laptop, so I decided it was not worth stopping all the applications to run this lab (and it would have been very inconvenient as well).

So, what can I do to have something similar? (Currently I only needed one domain server with some vulnerabilities.) I had 2 options after creating the Server VMs myself:

  1. Configure the domain and all the vulnerabilities myself.
  2. Use the good work done by contributors at GOAD.

In case of (1), I will have to do all the work and create a work so I can create/recreate the environment as and when I want. Time-consuming but probably worth it, and if you have never done it before, you should try that. But most of it I have done in the past, so not much incentive for me.

In case of (2), I have to just figure out what GOAD does and use it as is. Once the settings are done, if I need to do something else, I can always do that additionally. Good for me, it uses vagrant to create the 5 VMs for GOAD lab configuration (download and install with box files) and then ansible to configure the VM. Ah, that sounds like we can reuse it.

So, I started my journey to do this with the available scripts and here are the steps that finally allowed me to achieve my goals - Just configure one Server with GOAD ansible scripts :) .

First, I created a Server 2025 VM and installed the Server 2025 OS downloaded from Microsoft evaluation center. Once it was installed, I powered off the VM and set Enable Template Mode (to be used for cloning), by following the steps:

  • Power off the VM.
  • Go to VM > Settings > Advanced.
  • Find the setting “Enable Template Mode (to be used for cloning)” and enable it.

After adding this, I prefer to move the VM to a folder called Base VMs, so I never start these VMs. I only use these VMs to create new VMs by cloning them. This gives easy access for creating VMs in the future.

Once this is done, I created a linked clone by clicking on the VM name and then Manage > Clone and follow the steps. I selected to create a linked clone and not a full clone (but this choice will not matter for your next steps).

Now, the interesting part since we are done with the mundane tasks. We will clone GOAD and use the ansible scripts to configure this VM with a domain and some vulnerabilities and customize it as well.

I am doing this from a Fedora system, so the commands are for that, but you can do something very similar from any other OS if you so wish.

Configure the Server VM for remoting so Ansible can configure it: copy the file ConfigureRemotingForAnsible.ps1 from the vagrant folder and run it on the server. I was using some custom scripts to install my server so it did not have all the components, so I had to run the following commands as well:

Install-WindowsFeature -Name Server-Media-Foundation
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

and then restart the VM.

On the Linux host, before we begin, we will install winrm from the repos first:

sudo dnf install python3-winrm.noarch

and then clone the repo and install the dependencies for Python and Ansible.

git clone https://github.com/Orange-Cyberdefense/GOAD
cd GOAD

# Use a venv for the Python dependencies
mkdir venv
python -m venv venv
source venv/bin/activate

## Install the dependencies
pip install -r requirements.yml
python3 -m pip install --upgrade pip

# Getting a lot of issues with the original dependencies, so install some specific ones
python3 -m pip install ansible-core==2.12.6
python3 -m pip install pywinrm
pip install ansible==5.0.1
cd ansible

# ansible commands from the venv do not work for some reason
/usr/bin/ansible-galaxy install -r requirements.yml

This sets up our environment and dependencies. Now we can run the ansible playbooks, but before we do, we need to understand how ansible is going to identify the VMs, how to configure the username, and how to customize the setup. Let's begin doing that now.

We need 2 inventory files. One of them is ad/GOAD/data/inventory (because we are using the GOAD lab; if you are using some other lab, you can get the inventory file from that lab's folder under the ad folder). We will copy this to the top of the GOAD folder where we cloned the git repo. The other is not available directly. While I was running the goad.sh script, it created that file in the workspace/<UID> folder. I am sharing the one I have for one host. I saved it as inventory under the GOAD base folder.

[default]
; Note: ansible_host *MUST* be an IPv4 address or setting things like DNS
; servers will break.
; ------------------------------------------------
; sevenkingdoms.local
; ------------------------------------------------
dc01 ansible_host=IP dns_domain=dc01 dict_key=dc01

In this file, you need to update the IP with the IP address of your Windows Server VM, in my case Server 2025 vm. DO NOT CHANGE ANYTHING ELSE.

Now, we also need to modify the config file with the variables for ansible to connect and configure the environment. You can find this file at ad/GOAD/data/config.json. Open this file in an editor of your choice and make the following changes, as required:

  • local_admin_password - Under each hostname, you will find this, modify to suit your needs.
  • vulns - You can configure the vulns that you want on this server. You can see the list of subfolders under ansible/roles/vulns/ and configure them here. As of today, they are acls, adcs_templates, administrator_folder, autologon, credentials, directory, disable_firewall, enable_credssp_client, enable_credssp_server, enable_llmnr, enable_nbt-ns, files, mssql, ntlmdowngrade, openshares, permissions, schedule, shares, smbv1

Now, some more changes in the ad/GOAD/data/inventory file. You will need to change the following at least:

  • ansible_user
  • ansible_password

There are other values that you may want to change. If you do not remove dc02, dc03, srv02 and srv03, you will get errors from ansible for these servers. But since that does not impact the configuration, I did not remove them. Finally, we can run the ansible playbooks.

The question is which ones? If you check the playbooks.yml file in the root of the GOAD repo, you can see the following for the GOAD lab (under default):

  • build.yml
  • ad-servers.yml
  • ad-parent_domain.yml
  • ad-child_domain.yml
  • wait5m.yml
  • ad-members.yml
  • ad-trusts.yml
  • ad-data.yml
  • ad-gmsa.yml
  • laps.yml
  • ad-relations.yml
  • adcs.yml
  • ad-acl.yml
  • servers.yml
  • security.yml
  • vulnerabilities.yml

Let's get going with running them.

cd ansible
/usr/bin/ansible-galaxy install -r requirements.yml
/usr/bin/ansible-playbook -i ../inventory -i ../inventory2 -i ../globalsettings.ini --extra-vars "domain_name=GOAD" build.yml
/usr/bin/ansible-playbook -i ../inventory -i ../inventory2 -i ../globalsettings.ini --extra-vars "domain_name=GOAD" ad-servers.yml
/usr/bin/ansible-playbook -i ../inventory -i ../inventory2 -i ../globalsettings.ini --extra-vars "domain_name=GOAD" ad-parent_domain.yml
/usr/bin/ansible-playbook -i ../inventory -i ../inventory2 -i ../globalsettings.ini --extra-vars "domain_name=GOAD" ad-child_domain.yml
/usr/bin/ansible-playbook -i ../inventory -i ../inventory2 -i ../globalsettings.ini --extra-vars "domain_name=GOAD" wait5m.yml
/usr/bin/ansible-playbook -i ../inventory -i ../inventory2 -i ../globalsettings.ini --extra-vars "domain_name=GOAD" ad-members.yml
/usr/bin/ansible-playbook -i ../inventory -i ../inventory2 -i ../globalsettings.ini --extra-vars "domain_name=GOAD" ad-trusts.yml
/usr/bin/ansible-playbook -i ../inventory -i ../inventory2 -i ../globalsettings.ini --extra-vars "domain_name=GOAD" ad-data.yml
/usr/bin/ansible-playbook -i ../inventory -i ../inventory2 -i ../globalsettings.ini --extra-vars "domain_name=GOAD" ad-gmsa.yml
/usr/bin/ansible-playbook -i ../inventory -i ../inventory2 -i ../globalsettings.ini --extra-vars "domain_name=GOAD" laps.yml
/usr/bin/ansible-playbook -i ../inventory -i ../inventory2 -i ../globalsettings.ini --extra-vars "domain_name=GOAD" ad-relations.yml
/usr/bin/ansible-playbook -i ../inventory -i ../inventory2 -i ../globalsettings.ini --extra-vars "domain_name=GOAD" adcs.yml
/usr/bin/ansible-playbook -i ../inventory -i ../inventory2 -i ../globalsettings.ini --extra-vars "domain_name=GOAD" ad-acl.yml
/usr/bin/ansible-playbook -i ../inventory -i ../inventory2 -i ../globalsettings.ini --extra-vars "domain_name=GOAD" servers.yml
/usr/bin/ansible-playbook -i ../inventory -i ../inventory2 -i ../globalsettings.ini --extra-vars "domain_name=GOAD" security.yml
/usr/bin/ansible-playbook -i ../inventory -i ../inventory2 -i ../globalsettings.ini --extra-vars "domain_name=GOAD" vulnerabilities.yml

I am not sure if the extra-vars option is required or not, but I added it anyway.

You can add all the ansible-playbook commands in a script and run the script to save you some time.
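
One way to script the playbook runs above, as an added example that is not part of the original post or of the GOAD project: it runs the same commands in the same order, stops at the first failure, and first refuses to start unless every ansible_host in inventory2 is a private IPv4 address (a basic guard in the spirit of the isolation warning; it does not prove the lab network is isolated). The script name run-goad.sh and the variables INV_DIR, ANSIBLE_PLAYBOOK and START_AT are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of GOAD. From GOAD/ansible: sh run-goad.sh run
# INV_DIR, ANSIBLE_PLAYBOOK and START_AT are hypothetical knobs of this script.
INV_DIR="${INV_DIR:-..}"
ANSIBLE_PLAYBOOK="${ANSIBLE_PLAYBOOK:-/usr/bin/ansible-playbook}"
PLAYBOOKS="build.yml ad-servers.yml ad-parent_domain.yml ad-child_domain.yml
wait5m.yml ad-members.yml ad-trusts.yml ad-data.yml ad-gmsa.yml laps.yml
ad-relations.yml adcs.yml ad-acl.yml servers.yml security.yml vulnerabilities.yml"

# True only for a well-formed RFC 1918 IPv4 address (rejects the "IP" placeholder).
is_private_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    case "$1.$2" in
        10.*|192.168|172.1[6-9]|172.2[0-9]|172.3[01]) return 0 ;;
    esac
    return 1
}

# Check every ansible_host on the non-comment lines of an inventory file.
check_inventory() {
    hosts=$(grep -v '^[[:space:]]*[;#]' "$1" |
        sed -n 's/.*ansible_host=\([^[:space:]]*\).*/\1/p')
    [ -n "$hosts" ] || { echo "no ansible_host in $1" >&2; return 1; }
    for h in $hosts; do
        is_private_ipv4 "$h" ||
            { echo "refusing to run: ansible_host=$h" >&2; return 1; }
    done
}

# Run the playbooks in order; START_AT=<playbook> resumes after a failure.
run_playbooks() {
    check_inventory "$INV_DIR/inventory2" || return 1
    skipping=${START_AT:-}
    for pb in $PLAYBOOKS; do
        if [ -n "$skipping" ]; then
            [ "$pb" = "$skipping" ] || continue
            skipping=
        fi
        "$ANSIBLE_PLAYBOOK" -i "$INV_DIR/inventory" -i "$INV_DIR/inventory2" \
            -i "$INV_DIR/globalsettings.ini" --extra-vars "domain_name=GOAD" "$pb" ||
            { echo "FAILED at $pb; resume with START_AT=$pb" >&2; return 1; }
    done
}
if [ "${1:-}" = "run" ]; then run_playbooks; fi
```

After a failure, fix the cause and rerun with, for example, `START_AT=adcs.yml sh run-goad.sh run` to continue from that playbook.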

Hope you can use this too. And by the way, if you have more than 1 VM, you can just add it in the inventory2 file and everything should work.

Happy Hacking.


Authored By Amit Agarwal

Amit Agarwal, Linux and Photography are my hobbies. Creative Commons Attribution 4.0 International License.
