Mastering Active Directory Penetration Testing with GOAD

Active Directory (AD) is a critical Microsoft technology that organizes and manages computers, users, and devices within a network. It centralizes authentication and authorization, enabling administrators to control resource access, enforce security policies, and efficiently manage user accounts. As a cornerstone of Windows Server, AD is a fundamental component of corporate IT infrastructures.

For cybersecurity professionals, understanding AD is essential. Its centrality to enterprise environments makes it a prime target for attackers, as AD handles user accounts, groups, permissions, and devices. Internal penetration testing often involves identifying and exploiting AD vulnerabilities to strengthen security.

Enter the Game of Active Directory (GOAD) — a pentesting lab designed to simulate a vulnerable AD environment. GOAD provides a secure sandbox for cybersecurity practitioners and enthusiasts to hone their skills by exploring AD vulnerabilities and practicing attack techniques. The lab replicates real-world scenarios with configurations that include multiple domains, forests, and virtual machines.

GitHub - Orange-Cyberdefense/GOAD: game of active directory

GOAD is an invaluable resource, especially for those learning AD penetration testing. It’s free, versatile, and supports testing a wide range of attack techniques, including but not limited to:

• Network attacks (e.g., LLMNR/NBT-NS poisoning)
• Active Directory Certificate Services (AD CS) exploitation
• Kerberos delegation attacks
• Access Control List (ACL) abuse
• Abusing forest & domain trust relationships

You can also experiment with various credential dumping and lateral movement techniques. Additionally, you can practice bypassing Windows Defender and execute all attacks using open-source Command & Control (C2) frameworks, such as Mythic, Sliver, and Havoc. Furthermore, you can customize the domain configuration to test specific attack scenarios before launching them in your client environment.

This blog post will walk you through setting up GOAD on Windows using VMware Workstation Pro (now free) and Vagrant.

Recommended Specifications

To get started, the following are the recommended specifications for the full GOAD lab (5 virtual machines):

• CPU: 5 cores (1 each VM)
• Memory: 20 GB (4 GB each VM)
• Storage: 300 GB (60 GB each VM) + alpha for the snapshots

There are other labs available that require fewer VMs: https://github.com/Orange-Cyberdefense/GOAD?tab=readme-ov-file#available-labs

However, this blog post will focus on setting up the full GOAD lab, which includes 5 VMs.

Prerequisites

• Install Git: https://git-scm.com/downloads
• Install Python 3: https://www.python.org/downloads/
• Install Microsoft Visual C++: https://aka.ms/vs/17/release/vc_redist.x64.exe
• Install VMware Workstation Pro: https://support.broadcom.com/group/ecx/productdownloads?subfamily=VMware%20Workstation%20Pro&freeDownloads=true
• Install Vagrant (Windows AMD64): https://developer.hashicorp.com/vagrant/install
• Install Vagrant VMware Utility (Windows AMD64): https://developer.hashicorp.com/vagrant/install/vmware
• Install Vagrant plugins using the following command in cmd:

vagrant.exe plugin install vagrant-reload vagrant-vmware-desktop winrm winrm-fs winrm-elevated

Setup Steps

• Make sure to disable any VPNs (e.g., NordVPN) running on the host machine, along with their protections, as they may interfere with the downloads required by the installation script.
• Add Virtual Network (192.168.56.0/24):
  VMware Workstation Pro > Edit > Virtual Network Editor… > Change Settings (Administrator privileges required) > Add Network… (e.g., VMnet10)

• Clone GOAD repository:

cd {YOUR_DESIRED_DIRECTORY}
git clone https://github.com/Orange-Cyberdefense/GOAD
cd GOAD

• Install Python dependencies:

pip install -r noansible_requirements.yml

• Launch the installer and configure GOAD:

py goad.py -m vm
set_lab GOAD
set_ip_range 192.168.56
check

• Install and provision the lab:

install

• Once the installation and provisioning are complete, you should see something similar to the following:

Troubleshoot

If the installation stalls or fails on a specific VM, destroy it and retry:

destroy_vm {GOAD-DC01|GOAD-DC02|GOAD-DC03|GOAD-SRV02|GOAD-SRV03}
install

In most cases, running the install command again after destroying the specific VM you are having issues with will resolve the problem.

For more troubleshooting tips: https://orange-cyberdefense.github.io/GOAD/troobleshoot/

Snapshots

Once the installation is complete, take snapshots of all VMs (from VMware Workstation Pro), so you can revert the machines to their original states if needed. Keep in mind that snapshots will occupy additional disk space.

• Load VMs on VMware: VMware Workstation Pro > File > Scan for Virtual Machines… > Select location of the GOAD directory

• Shut down all 5 VMs and change hardware to 1 CPU and 4 GB RAM.

• Take snapshot: VMware Workstation Pro > VM > Snapshot > Take Snapshot…

Attacker Machine

For the attacker machine (Kali), from which you will be launching your attacks, 2 CPU and 4 GB RAM are recommended: https://www.kali.org/get-kali/#kali-virtual-machines

To reach the GOAD VMs (on VMnet10), add a new Network Adapter to the Kali VM. Keep the first Network Adapter set to NAT; otherwise, you will lose internet connectivity.

Remember to take a snapshot of the Kali VM as well.

Once the setup is complete, you can follow the attack paths designed by the creator of GOAD: https://mayfly277.github.io/categories/goad/

Happy hacking!