Create a vulnerable active directory that's allowing you to test most of the active directory attacks in a local lab

sujitawake/vulnerable-AD

 
 


Vulnerable-AD

Create a vulnerable Active Directory that lets you test most Active Directory attacks in a local lab

Main Features

  • Randomize Attacks
  • Full Coverage of the mentioned attacks
  • You need to run the script on a DC with Active Directory installed
  • Some of the attacks require a client workstation

Supported Attacks

  • Abusing ACLs/ACEs
  • Kerberoasting
  • AS-REP Roasting
  • Abuse DnsAdmins
  • Password in Object Description
  • User Objects With Default password (Changeme123!)
  • Password Spraying
  • DCSync
  • Silver Ticket
  • Golden Ticket
  • Pass-the-Hash
  • Pass-the-Ticket
  • SMB Signing Disabled

Example

# If you haven't installed Active Directory yet, you can try:
Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath "C:\Windows\NTDS" -DomainMode "7" -DomainName "cs.org" -DomainNetbiosName "cs" -ForestMode "7" -InstallDns:$true -LogPath "C:\Windows\NTDS" -NoRebootOnCompletion:$false -SysvolPath "C:\Windows\SYSVOL" -Force:$true
# If you have already installed Active Directory, just run the script!
# Allow TLS 1.2 for the download from raw.githubusercontent.com
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
# Download vulnad.ps1 and load it into the current session
IEX((new-object net.webclient).downloadstring("https://raw.githubusercontent.com/sujit/vulnerable-AD/master/vulnad.ps1"));
# Populate the domain. Pass the DNS name of the domain this DC hosts as -DomainName
# (the output below comes from lab.local, while the install example above creates cs.org).
Invoke-VulnAD -UsersLimit 50 -DomainName "lab.local"

Script output

PS C:\Users\Administrator> [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
PS C:\Users\Administrator> IEX((new-object net.webclient).downloadstring("https://raw.githubusercontent.com/sujit/vulnerable-AD/master/vulnad.ps1"));
PS C:\Users\Administrator> Invoke-VulnAD -UsersLimit 50 -DomainName "lab.local"
        [*] Creating dorri.gabbey User
        [*] Creating lynnet.odele User
        [*] Creating effie.karrie User
        [*] Creating corine.anjanette User
        [*] Creating susi.adella User
        [*] Creating gabey.brittne User
        [*] Creating olva.gwen User
        [*] Creating blisse.ardine User
        [*] Creating elfreda.kenton User
        [*] Creating bell.arlinda User
        [*] Creating concordia.gayle User
        [*] Creating gisele.audrie User
        [*] Creating marti.alyssa User
        [*] Creating ag.linette User
        [*] Creating lefty.agnes User
        [*] Creating celina.lurline User
        [*] Creating darla.celestyn User
        [*] Creating noelyn.grethel User
        [*] Creating fallon.kathrine User
        [*] Creating justine.kelsi User
        [*] Creating susi.dorena User
        [*] Creating janaye.hana User
        [*] Creating madalyn.susi User
        [*] Creating chere.ann User
        [*] Creating dolorita.elsy User
        [*] Creating joanna.lind User
        [*] Creating marilyn.stafani User
        [*] Creating odella.mame User
        [*] Creating amalita.emili User
        [*] Creating frank.sidoney User
        [*] Creating jeannette.raven User
        [*] Creating bertha.erda User
        [*] Creating oralia.christabel User
        [*] Creating cornelia.mireille User
        [*] Creating mandy.dody User
        [*] Creating ilise.mignon User
        [*] Creating liza.cindi User
        [*] Creating ophelia.atalanta User
        [*] Creating kacy.janice User
        [*] Creating lori.pierrette User
        [*] Creating jacklin.aggi User
        [*] Creating page.lind User
        [*] Creating corrina.rebecca User
        [*] Creating beret.shane User
        [*] Creating jillene.christel User
        [*] Creating nessa.darleen User
        [*] Creating flory.ava User
        [*] Creating collette.kimberli User
        [*] Creating gennie.kessia User
        [*] Creating luce.elisa User
        [+] Users Created
        [*] Creating Office Admin Group
        [*] Adding bell.arlinda to Office Admin
        [*] Adding olva.gwen to Office Admin
        [*] Adding oralia.christabel to Office Admin
        [*] Adding marilyn.stafani to Office Admin
        [*] Adding chere.ann to Office Admin
        [*] Creating IT Admins Group
        [*] Adding fallon.kathrine to IT Admins
        [*] Adding flory.ava to IT Admins
        [*] Adding ilise.mignon to IT Admins
        [*] Adding olva.gwen to IT Admins
        [*] Creating Executives Group
        [*] Adding justine.kelsi to Executives
        [*] Adding elfreda.kenton to Executives
        [*] Adding fallon.kathrine to Executives
        [*] Adding marti.alyssa to Executives
        [*] Adding flory.ava to Executives
        [*] Adding page.lind to Executives
        [*] Adding odella.mame to Executives
        [*] Adding ophelia.atalanta to Executives
        [+] Office Admin IT Admins Executives Groups Created
        [*] Creating Senior management Group
        [*] Adding jillene.christel to Senior management
        [*] Adding lynnet.odele to Senior management
        [*] Adding cornelia.mireille to Senior management
        [*] Adding elfreda.kenton to Senior management
        [*] Adding luce.elisa to Senior management
        [*] Adding dolorita.elsy to Senior management
        [*] Adding lori.pierrette to Senior management
        [*] Adding amalita.emili to Senior management
        [*] Creating Project management Group
        [*] Adding gisele.audrie to Project management
        [+] Senior management Project management Groups Created
        [*] Creating marketing Group
        [*] Adding liza.cindi to marketing
        [*] Adding chere.ann to marketing
        [*] Adding concordia.gayle to marketing
        [*] Creating sales Group
        [*] Adding liza.cindi to sales
        [*] Adding ophelia.atalanta to sales
        [*] Adding cornelia.mireille to sales
        [*] Creating accounting Group
        [*] Adding concordia.gayle to accounting
        [+] marketing sales accounting Groups Created
        [*] BadACL GenericAll marketing to Senior management
        [*] BadACL GenericWrite accounting to Senior management
        [*] BadACL WriteOwner sales to Senior management
        [*] BadACL WriteDACL marketing to Senior management
        [*] BadACL Self marketing to Project management
        [*] BadACL WriteProperty marketing to Senior management
        [*] BadACL GenericAll Senior management to Executives
        [*] BadACL GenericWrite Senior management to Office Admin
        [*] BadACL WriteOwner Project management to Executives
        [*] BadACL WriteDACL Senior management to Executives
        [*] BadACL Self Senior management to Executives
        [*] BadACL WriteProperty Senior management to IT Admins
        [*] BadACL WriteProperty marti.alyssa and sales
        [*] BadACL WriteProperty susi.adella and accounting
        [*] BadACL WriteProperty noelyn.grethel and IT Admins
        [*] BadACL WriteOwner lori.pierrette and Senior management
        [*] BadACL GenericAll dorri.gabbey and Project management
        [*] BadACL WriteDACL odella.mame and Project management
        [*] BadACL GenericWrite amalita.emili and IT Admins
        [+] BadACL Done
        [*] Kerberoasting http_svc httpserver


DistinguishedName : CN=http_svc,CN=Managed Service Accounts,DC=lab,DC=local
Enabled           : True
Name              : http_svc
ObjectClass       : msDS-ManagedServiceAccount
ObjectGUID        : b9d4d8c9-fc8d-4341-9373-a87de02bdef9
SamAccountName    : http_svc$
SID               : S-1-5-21-1815723666-3108362439-3967060310-1172
UserPrincipalName :

        [*] Creating mssql_svc services account
DistinguishedName : CN=mssql_svc,CN=Managed Service Accounts,DC=lab,DC=local
Enabled           : True
Name              : mssql_svc
ObjectClass       : msDS-ManagedServiceAccount
ObjectGUID        : b3911d9d-4a22-446b-9056-755de9c49152
SamAccountName    : mssql_svc$
SID               : S-1-5-21-1815723666-3108362439-3967060310-1173
UserPrincipalName :

        [*] Creating exchange_svc services account
DistinguishedName : CN=exchange_svc,CN=Managed Service Accounts,DC=lab,DC=local
Enabled           : True
Name              : exchange_svc
ObjectClass       : msDS-ManagedServiceAccount
ObjectGUID        : 642615ab-f598-44d7-886c-05e4e693f8b8
SamAccountName    : exchange_svc$
SID               : S-1-5-21-1815723666-3108362439-3967060310-1174
UserPrincipalName :

        [+] Kerberoasting Done
        [*] AS-REPRoasting blisse.ardine
        [*] AS-REPRoasting nessa.darleen
        [+] AS-REPRoasting Done
        [*] DnsAdmins : dorri.gabbey
        [*] DnsAdmins : beret.shane
        [*] DnsAdmins Nested Group : Senior management
        [+] DnsAdmins Done
        [+] Password In Object Description Done
        [+] Default Password Done
        [*] Same Password (Password Spraying) : darla.celestyn
        [*] Same Password (Password Spraying) : lynnet.odele
        [+] Password Spraying Done
        [*] Giving DCSync to : dorri.gabbey
        [+] DCSync Done
        [+] SMB Signing Disabled


PS C:\Users\Administrator>
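
A read-only audit for several of the weaknesses the run above introduces (AS-REP roastable accounts, SPN-bearing accounts, DnsAdmins membership, replication rights, SMB signing), added here as an example and not part of the vulnerable-AD project. It assumes the ActiveDirectory RSAT module on the lab DC; the `$report` key names are chosen for this example.

```powershell
# Added example: read-only audit, run on the lab DC after Invoke-VulnAD.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

$domain = Get-ADDomain
$report = [ordered]@{}

# AS-REP Roasting: accounts with Kerberos pre-authentication disabled
$report['NoPreAuth'] = Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' |
    Select-Object -ExpandProperty SamAccountName

# Kerberoasting: users and managed service accounts that carry an SPN
$spnFilter = '(&(servicePrincipalName=*)(|(objectCategory=person)' +
             '(objectClass=msDS-ManagedServiceAccount)))'
$report['AccountsWithSPN'] = Get-ADObject -LDAPFilter $spnFilter -Properties sAMAccountName |
    Where-Object { $_.sAMAccountName -ne 'krbtgt' } |
    Select-Object -ExpandProperty sAMAccountName

# Password in Object Description: list non-empty descriptions for manual review
$report['UsersWithDescription'] = Get-ADUser -Filter 'Description -like "*"' -Properties Description |
    ForEach-Object { '{0}: {1}' -f $_.SamAccountName, $_.Description }

# Abuse DnsAdmins: effective members, with nested groups resolved
$report['DnsAdmins'] = Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
    Select-Object -ExpandProperty SamAccountName

# DCSync: principals allowed the replication extended rights on the domain head.
# Domain Controllers and built-in administrators hold these by default;
# any ordinary user listed here deserves attention.
$replGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
)
$acl = Get-Acl -Path ('AD:\' + $domain.DistinguishedName)
$report['ReplicationRights'] = $acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $replGuids -contains $_.ObjectType.ToString() } |
    ForEach-Object { $_.IdentityReference.Value } |
    Sort-Object -Unique

# SMB Signing Disabled: server-side signing settings on this host
$smb = Get-SmbServerConfiguration
$report['SmbSigningRequired'] = $smb.RequireSecuritySignature
$report['SmbSigningEnabled']  = $smb.EnableSecuritySignature

[pscustomobject]$report | Format-List
```

Shared and default passwords are not covered: finding them needs a password audit rather than a directory query.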

TODO

  • Play with workstations !
  • Click close issue button on github

Languages

  • PowerShell 100.0%