ADLab – Custom PowerShell Module To Set Up An Active Directory Lab Environment To Practice Penetration Testing – CLAPPC




The purpose of this module is to automate the deployment of an Active Directory lab for practicing internal penetration testing.

Credit to Joe Helle and his PowerShell for Pentesters course regarding the generation of the attack vectors.

Instructions

Preparation

Not required but recommended: move the module into PSModulePath

# Display PSModulePath
$env:PSModulePath.split(";")

# Move module to path
Move-Item .\ADLab\ "C:\Windows\system32\WindowsPowerShell\v1.0\Modules\"

Import-Module

# Import global module
Import-Module ADLab

# Import local module
Import-Module .\ADLab.psm1

Initial Lab Setup

Invoke-DCPrep

This function prepares the current VM/computer to be used as a domain controller for the new forest. It sets a static IP address, sets the DNS server to be the localhost and renames the computer.

# Prepare the current VM with all default values while displaying verbose output
Invoke-DCPrep -Verbose

# Set custom hostname and use Google DNS for Internet access
Invoke-DCPrep -Hostname "DC" -NewIPv4DNSServer "8.8.8.8"

# Use custom IP and default gateway and display verbose output
Invoke-DCPrep -Verbose -NewIPv4Address "192.168.1.99" -NewIPv4Gateway "192.168.1.1"

Invoke-ForestDeploy

The function installs the AD DS feature and sets up a new Active Directory forest, without requiring any user input. Restarts the computer upon completion.

# Installs a new forest with FQDN of "bufu-sec.local" with default DSRM password of "Password!"
Invoke-ForestDeploy -Domain bufu-sec.local

# Installs a new forest with FQDN of "bufu-sec.local" with the DSRM password set to "[email protected]!" and displaying debug messages
Invoke-ForestDeploy -Domain "bufu-sec.local" -DSRMPassword "[email protected]!" -Verbose

Invoke-DNSDeploy

The function begins by installing the DNS feature. It then adds the primary zone and configures the server forwarder.

# Install and configure DNS on the current host and display verbose output.
Invoke-DNSDeploy -Verbose -NetworkID 192.168.47.0/24 -ZoneFile "192.168.47.2.in-addr.arpa.dns" -ServerForwarder 1.1.1.1

Invoke-DHCPDeploy

The function begins by installing the DHCP feature on the current machine. It then adds the necessary security groups and authorizes the new DHCP server with the domain controller. Finally, it configures the new DHCP scope with the supplied values.

# Install and configure DHCP on the local DC.
Invoke-DHCPDeploy -Verbose -ScopeName "Default" -ScopeID 192.168.47.0 -StartIP 192.168.47.100 -EndIP 192.168.47.200 -SubnetMask 255.255.255.0 -DNSServer 192.168.47.10 -Router 192.168.47.10

# Install and configure DHCP on the specified DC.
Invoke-DHCPDeploy -Verbose -ScopeName "Default" -ScopeID 192.168.47.0 -StartIP 192.168.47.100 -EndIP 192.168.47.200 -SubnetMask 255.255.255.0 -DNSServer 192.168.47.10 -Router 192.168.47.10 -DCFQDN DC01.bufu-sec.local

Content

Invoke-ADLabFill

The function begins by creating the groups and OUs defined in the global Groups variable. It then generates 10 user objects for each OU by default.

# Fill forest with objects and display verbose output
Invoke-ADLabConfig -Verbose

# Create 50 users for each OU and display verbose output
Invoke-ADLabConfig -Verbose -UserCount 50

Attack Vectors

Set-ASREPRoasting

The function gets a certain number of random users from the domain and sets the DoesNotRequirePreAuth flag for each. Excludes default accounts like Administrator and krbtgt. Makes 5% of users ASREP-Roastable by default.

# Make 5% of users ASREP-Roastable and display verbose output
Set-ASREPRoasting -Verbose

# Make 10 random users in the domain ASREP-Roastable
Set-ASREPRoasting -VulnerableUsersCount 10

# Make user bufu ASREP-Roastable and display verbose output
Set-ASREPRoasting -Users bufu -Verbose

# Make supplied list of users ASREP-Roastable and display verbose output
Set-ASREPRoasting -Users ("bufu", "pepe") -Verbose

Set-Kerberoasting

The function gets a certain number of random users from the domain and adds an SPN for each. Excludes default accounts like Administrator and krbtgt. Makes 5% of users kerberoastable by default.

# Make 5% of users kerberoastable and display verbose output
Set-Kerberoasting -Verbose

# Make 10 random users in the domain kerberoastable
Set-Kerberoasting -VulnerableUsersCount 10

# Make user bufu kerberoastable and display verbose output
Set-Kerberoasting -Users bufu -Verbose

# Make supplied list of users kerberoastable and display verbose output
Set-Kerberoasting -Users ("bufu", "pepe") -Verbose

Set-BadACLs

The function begins by granting the Chads group GenericAll rights on the Domain Admins. It then grants the Degens group GenericAll rights on the Chads group. Finally, it grants GenericAll rights on some users from the Degens group to some users of the Normies group.

# Create vulnerable ACLs and display verbose output
Set-BadACLs -Verbose
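
To confirm from the defender's side what Set-ASREPRoasting, Set-Kerberoasting and Set-BadACLs changed in the lab, the three misconfigurations can be enumerated with the ActiveDirectory module. This is an added example, not part of the ADLab module; the function name Get-LabWeakness, the exclusion list and the trusted-trustee pattern are assumptions.

```powershell
# Added example: audit the misconfigurations the attack-vector functions create.
# Assumes the ActiveDirectory (RSAT) module and a session on the lab domain.
Import-Module ActiveDirectory

function Get-LabWeakness {
    [CmdletBinding()]
    param(
        # Default accounts to skip (krbtgt carries a built-in SPN)
        [string[]]$Exclude = @('Administrator', 'Guest', 'krbtgt'),
        # Assumed pattern for trustees that hold full control by default
        [string]$TrustedPattern = 'SYSTEM|Domain Admins|Enterprise Admins|Account Operators|Administrators'
    )

    $users = Get-ADUser -Filter * -Properties DoesNotRequirePreAuth, ServicePrincipalName |
        Where-Object { $_.SamAccountName -notin $Exclude }

    foreach ($u in $users) {
        # Pre-authentication disabled: the flag Set-ASREPRoasting sets
        if ($u.DoesNotRequirePreAuth) {
            [pscustomobject]@{ Finding = 'ASREPRoastable'; Object = $u.SamAccountName
                               Detail  = 'DoesNotRequirePreAuth = True' }
        }
        # SPN on a user account: what Set-Kerberoasting adds
        if ($u.ServicePrincipalName.Count -gt 0) {
            [pscustomobject]@{ Finding = 'Kerberoastable'; Object = $u.SamAccountName
                               Detail  = $u.ServicePrincipalName -join ', ' }
        }
    }

    # Explicit GenericAll grants on groups and users: what Set-BadACLs creates
    foreach ($t in @(Get-ADGroup -Filter *) + @($users)) {
        (Get-Acl -Path "AD:\$($t.DistinguishedName)").Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited -and
                $_.ActiveDirectoryRights -eq 'GenericAll' -and
                $_.IdentityReference.Value -notmatch $TrustedPattern
            } |
            ForEach-Object {
                [pscustomobject]@{ Finding = 'GenericAll'; Object = $t.Name
                                   Detail  = "granted to $($_.IdentityReference.Value)" }
            }
    }
}

Get-LabWeakness | Sort-Object Finding, Object | Format-Table -AutoSize
```

Running it before and after the attack-vector functions gives a diff of exactly which accounts and ACLs the lab made vulnerable.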

The function first configures GPO to allow WinRM over TCP port 5985 to domain-joined systems. It then enables PS Remoting via GPO.



