GOAD Active Directory Lab Setup from a Windows host

Huriye Özdemir
8 min read · Jan 29, 2024

In this blog post, I am going to explain how I set up the GOAD Active directory lab from my Windows host using VMware, along with a number of errors and how I fixed them.

The GOAD (Game of Active Directory) lab was created by Orange Cyberdefense to give pentesters a ready-to-use, deliberately vulnerable AD environment in which to practise common attack methods.

As described on the GitHub page, “the lab is intended to be installed from a Linux host”, but it is still possible to install it successfully from a Windows host. I did not want to install the lab inside a virtual Ubuntu machine, as nested virtualisation would slow down performance too much.

What my setup will look like:

Windows host: with Vagrant installed to run the VMs on VMware.

VMware Pro: with an Ubuntu 22.04 VM installed to run the Ansible playbooks that make the AD environment vulnerable.

In this environment, there are two different available labs:

GOAD : 5 vms, 2 forests, 3 domains (full goad lab)

GOAD-Light : 3 vms, 1 forest, 2 domains (smaller goad lab for those with a smaller pc)

I am going to install GOAD-Light with the following VMs:

  • DC01 — kingslanding
  • DC02 — winterfell
  • SRV02 — castelblack
GOAD-Light Schema

Requirements

We will need Vagrant to build all the virtual machines mentioned above. I first installed Vagrant and the Vagrant VMware Utility on my Windows host.

If you do not have VMware, you can use VirtualBox and install the Vagrant VirtualBox provider instead.

When the Vagrant installation completes, you can verify it from PowerShell or cmd:

vagrant --version

For the provisioning part, there are 3 options, as explained on the GitHub page:

You can run ansible from :

  • a Docker container
  • OR your Linux host
  • OR a Linux VM with a host-only adapter on the same network as the lab’s VMs.

I will follow the third option and run the Ansible scripts from the Ubuntu VM. I needed to configure the network settings so that all VMs can reach each other on the same network. I will show the network configuration during installation.

I installed Ubuntu 22.04 Desktop on my VMware.

Installing VMs using Vagrant

Once you have downloaded the GOAD project from GitHub, you can run Vagrant to build the VMs.

Run vagrant up in the ..\GOAD-main\ad\GOAD-Light\providers\vmware folder.

If you want to install GOAD on VirtualBox, remember to change the folder accordingly.

Well, I got my very first error saying that there is a collision on network interfaces trying to use the same IP:

I checked the Vagrantfile in the current folder and realised that this configuration assigns the following default IPs to the 3 VMs:

  • GOAD-DC01: 192.168.56.10
  • GOAD-DC02: 192.168.56.11
  • GOAD-SRV02: 192.168.56.22

Before changing the default IPs, I am going to check the host-only networks on my VMware settings to decide which IP address I should assign.

Let me first explain how the network configuration should be. We need to have 2 different network adapters:

  • First network adapter: put the 3 VMs and the Ubuntu VM on the same host-only network.
  • Second network adapter: put the 3 VMs and the Ubuntu VM on a NAT network.

We will create the second adapter (NAT) after building all the VMs.

For the host-only network, go to VMware > Edit > Virtual Network Editor and check the IP range of the host-only network. If you don’t have a host-only network, create one.

In my case, VMnet1 is a host-only network with the 192.168.124.0/24 range.

Since I am going to put all VMs on the VMnet1 network, I am going to give the 3 VMs unused IPs from this range:

I ran the vagrant up command again to build the VMs, and this time it worked without any collision:

It takes some time to create the VMs, and eventually all machines show as running. Even though they are running, you may not see these machines in your VMware Library. Select “Open all background virtual machines” from the bottom-right menu in the toolbar.

Now it’s time to configure the network for all VMs. Go to the VM settings of each machine and “Add” a new network adapter under the Hardware tab.

  • Set one network adapter to NAT.
  • Set the second adapter to the custom host-only network so that all machines share the same virtual private network.

Provisioning

Great! We have created all the virtual machines; now we need a vulnerable Active Directory environment before practising the attack techniques!

Let’s switch to Ubuntu to start the provisioning part and install all requirements before running Ansible.

To create the Python virtual environment:

sudo apt install git
git clone git@github.com:Orange-Cyberdefense/GOAD.git   # SSH URL: needs a GitHub SSH key; otherwise use https://github.com/Orange-Cyberdefense/GOAD.git
cd GOAD/ansible
sudo apt install python3.8-venv
python3.8 -m virtualenv .venv   # if this fails with "No module named virtualenv", the apt package provides venv instead: python3.8 -m venv .venv
source .venv/bin/activate

To install ansible-core and pywinrm (the WinRM transport Ansible uses to manage Windows hosts) in the .venv:

python3 -m pip install --upgrade pip
python3 -m pip install ansible-core==2.12.6
python3 -m pip install pywinrm

Install all the ansible-galaxy requirements:

ansible-galaxy install -r requirements.yml

We will use the following command to run the Ansible playbooks for GOAD-Light on the VMware provider:

ansible-playbook -i ../ad/GOAD-Light/data/inventory -i ../ad/GOAD-Light/providers/vmware/inventory main.yml

However, we first need to edit the ../ad/GOAD-Light/providers/vmware/inventory file and replace the default IP addresses with the ones we set in the Vagrantfile at the beginning.
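The collision error and the SRV02 mismatch both come down to the Vagrantfile and the inventory disagreeing about addresses. The following added check (not GOAD code, not from the original post) parses constructed samples of both files, confirms every IP is inside the chosen host-only subnet, and flags mismatches and duplicate addresses; the file layouts are assumptions modelled on the two files named above.

```python
# Added example: cross-check GOAD-Light Vagrantfile IPs against the Ansible
# inventory and the host-only subnet before running vagrant up / ansible-playbook.
import ipaddress
import re

# Constructed sample of the :name/:ip pairs in providers/vmware/Vagrantfile.
VAGRANTFILE = '''
boxes = [
  { :name => "GOAD-DC01",  :ip => "192.168.124.10" },
  { :name => "GOAD-DC02",  :ip => "192.168.124.11" },
  { :name => "GOAD-SRV02", :ip => "192.168.56.22" },
]
'''

# Constructed sample of ../ad/GOAD-Light/providers/vmware/inventory.
INVENTORY = '''
[default]
dc01 ansible_host=192.168.124.10 dns_domain=dc01 dict_key=dc01
dc02 ansible_host=192.168.124.11 dns_domain=dc01 dict_key=dc02
srv02 ansible_host=192.168.124.22 dns_domain=dc02 dict_key=srv02
'''

def vagrant_ips(text):
    """Map lower-case short name (dc01, ...) -> ip, reading each box entry."""
    pat = re.compile(r':name\s*=>\s*"GOAD-(\w+)"[^}]*?:ip\s*=>\s*"([\d.]+)"', re.S)
    return {name.lower(): ip for name, ip in pat.findall(text)}

def inventory_ips(text):
    """Map inventory alias -> ansible_host value from INI-style host lines."""
    pat = re.compile(r'^(\w+)\s+.*?ansible_host=([\d.]+)', re.M)
    return dict(pat.findall(text))

def check_lab_ips(vagrant_text, inventory_text, subnet):
    """Return a list of problems; an empty list means the files agree."""
    net = ipaddress.ip_network(subnet)
    vag, inv = vagrant_ips(vagrant_text), inventory_ips(inventory_text)
    problems = []
    for host, ip in vag.items():
        if ipaddress.ip_address(ip) not in net:
            problems.append(f"{host}: Vagrantfile ip {ip} is outside {subnet}")
        if host in inv and inv[host] != ip:
            problems.append(f"{host}: Vagrantfile {ip} != inventory {inv[host]}")
    for host in set(inv) - set(vag):
        problems.append(f"{host}: in inventory but not in Vagrantfile")
    seen = {}  # duplicate addresses are the collision vagrant up refuses
    for host, ip in vag.items():
        if ip in seen:
            problems.append(f"{host}: ip {ip} collides with {seen[ip]}")
        seen[ip] = host
    return problems
```

Run it against the real files by reading them into the two strings; anything it reports is an address to fix before the inventory is used.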

Fixing all errors

Now it’s time to run the playbooks:

ansible-playbook -i ../ad/GOAD-Light/data/inventory -i ../ad/GOAD-Light/providers/vmware/inventory main.yml

Ok, looks like we have some problems :)
The Ubuntu VM can successfully reach DC01 and DC02, but SRV02 seems to be unreachable for some reason. The first thing I checked is whether the IP address is correctly assigned to this machine.

I noticed that the machine received a different IP than the one I set in the vagrant file.

I also checked the GOAD troubleshooting page and found a solution to this problem.

I replaced the IP address of the SRV02 machine with its current IP address and removed the following lines from the ../ad/GOAD-Light/providers/vmware/inventory file:

# ansible_winrm_transport=basic
# ansible_port=5985

I was also unable to ping this machine to see if it was accessible from the Ubuntu VM. I then checked the firewall rules on SRV02 and compared all the rules with the other machines (DC01 and DC02). There were some differences in the rules that prevented me from sending a ping request. I enabled the file and printer sharing rules and made all the rules the same as the other machines.

Let’s run ansible-playbook again!

ansible-playbook -i ../ad/GOAD-Light/data/inventory -i ../ad/GOAD-Light/providers/vmware/inventory main.yml

All servers are now reachable from Ubuntu. You can ignore the error for DC03 if you are setting up GOAD-Light; this setup only needs 2 DCs and 1 server.

All playbooks completed, but we have other issues:

Ansible failed to:

  • Set a password policy for DC02
  • Add a domain user to local groups (invalid user?)
First recap with 2 failed tasks

We ran main.yml in the ansible folder to run ALL the playbooks. We can also run the playbooks one by one. I checked the inventory file and saw that ad-data.yml is the playbook that sets the password policy for the DCs. Then I tried running it again to fix the error:

ansible-playbook -i ../ad/GOAD-Light/data/inventory -i ../ad/GOAD-Light/providers/vmware/inventory ad-data.yml

I got the same error again and again.

I found this issue previously posted on GitHub:

According to the recommended solution, we should:

  • Check that the DNS server of DC02 is set to the IP address of DC01.
  • Disable the NAT network during domain installation.

I checked the DNS server, disabled the NAT network on all VMs and ran the playbook again.

Unfortunately it did not work… I gave up setting it with Ansible and decided to set it manually on DC02.

First, I decided to check the password policy configuration on DC01 before setting DC02. I was able to run the following command in PowerShell on DC01 successfully:

Get-ADDefaultDomainPasswordPolicy
Password policy of DC01

However, when I tried to check the password policy on DC02, I got this error: ADWS (Active Directory Web Services) is not running.

Then I understood why Ansible did not work from Ubuntu. I checked “Services” and realised that ADWS was disabled and not running. I changed the startup type to Automatic and started the service.

Now we can try running the Ansible playbook for the password policy again!

ansible-playbook -i ../ad/GOAD-Light/data/inventory -i ../ad/GOAD-Light/providers/vmware/inventory ad-data.yml

It worked!

I ran all the playbooks again to see the final table; this was the recap after running main.yml:

Interestingly, the second error I mentioned above (invalid user) was gone, but I had another error about installing the MSSQL database on SRV02.

I checked the inventory file to find the Ansible playbook related to this error: servers.yml

I realised that sometimes the servers are not fully up while the Ansible playbooks are trying to configure them. I kept checking the servers and Server Manager to catch possible errors.

I ran this playbook again, hoping to fix the database error:

ansible-playbook -i ../ad/GOAD-Light/data/inventory -i ../ad/GOAD-Light/providers/vmware/inventory servers.yml

recap of servers.yml

Finally it worked, and all failed tasks were fixed successfully!

Double-check all playbooks with main.yml:

ansible-playbook -i ../ad/GOAD-Light/data/inventory -i ../ad/GOAD-Light/providers/vmware/inventory main.yml

the last recap of main.yml

Thanks for being patient and reading until the last step!


Huriye Özdemir

Senior Cybersecurity Consultant | Artist — Instagram: @art.lady.bug