ADLab – Custom PowerShell Module To Setup An Active Directory Lab Environment To Practice Penetration Testing – CLAPPC




The purpose of this module is to automate the deployment of an Active Directory lab for practicing internal penetration testing.

Credit to Joe Helle and his PowerShell for Pentesters course regarding the generation of the attack vectors.

Instructions

Preparation

Optional but recommended: Move module to PSModulePath

# Display PSModulePath
$env:PSModulePath.split(";")

# Move module to path
Move-Item .\ADLab "C:\Windows\system32\WindowsPowerShell\v1.0\Modules"

Import-Module

# Import global module
Import-Module ADLab

# Import local module
Import-Module .\ADLab.psm1

Initial Lab Setup

Invoke-DCPrep

This function prepares the current VM/computer to be used as a domain controller for the new forest. It sets a static IP address, sets the DNS server to be the localhost and renames the computer.

# Prepare the current VM with all default values while displaying verbose output
Invoke-DCPrep -Verbose

# Set custom hostname and use Google DNS for Internet access
Invoke-DCPrep -Hostname "DC" -NewIPv4DNSServer "8.8.8.8"

# Use custom IP and default gateway and display verbose output
Invoke-DCPrep -Verbose -NewIPv4Address "192.168.1.99" -NewIPv4Gateway "192.168.1.1"

Invoke-ForestDeploy

The function installs the AD DS feature and sets up a new Active Directory forest, without requiring any user input. Restarts the computer upon completion.

# Installs a new forest with FQDN of "bufu-sec.local" with default DSRM password of "Password!"
Invoke-ForestDeploy -Domain bufu-sec.local

# Installs a new forest with FQDN of "bufu-sec.local" with the DSRM password set to "[email protected]!" and displaying debug messages
Invoke-ForestDeploy -Domain "bufu-sec.local" -DSRMPassword "[email protected]!" -Verbose

Invoke-DNSDeploy

The function begins by installing the DNS feature. It then adds the primary zone and configures the server forwarder.

# Install and configure DNS on the current host and display verbose output.
Invoke-DNSDeploy -Verbose -NetworkID 192.168.47.0/24 -ZoneFile "192.168.47.2.in-addr.arpa.dns" -ServerForwarder 1.1.1.1

Invoke-DHCPDeploy

The function begins by installing the DHCP feature on the current machine. It then adds the necessary security groups and authorizes the new DHCP server with the domain controller. Finally, it configures the new DHCP scope with the supplied values.

# Install and configure DHCP on the local DC.
Invoke-DHCPDeploy -Verbose -ScopeName "Default" -ScopeID 192.168.47.0 -StartIP 192.168.47.100 -EndIP 192.168.47.200 -SubnetMask 255.255.255.0 -DNSServer 192.168.47.10 -Router 192.168.47.10

# Install and configure DHCP on the specified DC.
Invoke-DHCPDeploy -Verbose -ScopeName "Default" -ScopeID 192.168.47.0 -StartIP 192.168.47.100 -EndIP 192.168.47.200 -SubnetMask 255.255.255.0 -DNSServer 192.168.47.10 -Router 192.168.47.10 -DCFQDN DC01.bufu-sec.local

Content

Invoke-ADLabFill

The function begins by creating the groups and OUs defined in the global Groups variable. It then generates 10 user objects for each OU by default.

# Fill forest with objects and display verbose output
Invoke-ADLabConfig -Verbose

# Create 50 users for each OU and display verbose output
Invoke-ADLabConfig -Verbose -UserCount 50

Attack Vectors

Set-ASREPRoasting

The function gets a certain number of random users from the domain and sets the DoesNotRequirePreAuth flag for each. Excludes default accounts like Administrator and krbtgt. Makes 5% of users ASREP-Roastable by default.

# Make 5% of users ASREP-Roastable and display verbose output
Set-ASREPRoasting -Verbose

# Make 10 random users in the domain ASREP-Roastable
Set-ASREPRoasting -VulnerableUsersCount 10

# Make user bufu ASREP-Roastable and display verbose output
Set-ASREPRoasting -Users bufu -Verbose

# Make supplied list of users ASREP-Roastable and display verbose output
Set-ASREPRoasting -Users ("bufu", "pepe") -Verbose

Set-Kerberoasting

The function gets a certain number of random users from the domain and adds an SPN for each. Excludes default accounts like Administrator and krbtgt. Makes 5% of users kerberoastable by default.

# Make 5% of users kerberoastable and display verbose output
Set-Kerberoasting -Verbose

# Make 10 random users in the domain kerberoastable
Set-Kerberoasting -VulnerableUsersCount 10

# Make user bufu kerberoastable and display verbose output
Set-Kerberoasting -Users bufu -Verbose

# Make supplied list of users kerberoastable and display verbose output
Set-Kerberoasting -Users ("bufu", "pepe") -Verbose
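
To confirm which accounts Set-ASREPRoasting and Set-Kerberoasting changed, or to run the same check against a production domain, the two settings can be audited directly. This is an added example, not part of the ADLab module; it assumes the RSAT ActiveDirectory module is installed, and the function name Get-RoastableAccount is hypothetical.

```powershell
# Added example (not ADLab code): list accounts exposed to AS-REP roasting or Kerberoasting.
# Assumes the RSAT ActiveDirectory module; Get-RoastableAccount is a hypothetical name.
Import-Module ActiveDirectory

function Get-RoastableAccount {
    [CmdletBinding()]
    param(
        # Default accounts the module is described as excluding
        [string[]]$Exclude = @('Administrator', 'krbtgt')
    )

    # userAccountControl bit 0x400000 (DONT_REQ_PREAUTH = 4194304),
    # tested with the LDAP bitwise-AND matching rule
    $noPreAuth = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'

    # User accounts that carry at least one service principal name
    $withSpn = Get-ADUser -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName

    foreach ($user in $noPreAuth) {
        if ($user.SamAccountName -in $Exclude) { continue }
        [pscustomobject]@{
            Account  = $user.SamAccountName
            Exposure = 'AS-REP roastable'
            Enabled  = $user.Enabled
            Detail   = 'DoesNotRequirePreAuth is set'
        }
    }

    foreach ($user in $withSpn) {
        if ($user.SamAccountName -in $Exclude) { continue }
        [pscustomobject]@{
            Account  = $user.SamAccountName
            Exposure = 'Kerberoastable'
            Enabled  = $user.Enabled
            Detail   = ($user.servicePrincipalName -join ', ')
        }
    }
}

# Review the result, then clear the flag or SPN on anything that should not be exposed
Get-RoastableAccount | Sort-Object Exposure, Account | Format-Table -AutoSize
```

krbtgt carries an SPN by default, which is why it stays in the exclusion list for the second query as well.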

Set-BadACLs

The function begins by granting the Chads group GenericAll rights on the Domain Admins. It then grants the Degens group GenericAll rights on the Chads group. Finally, it grants GenericAll rights on some users from the Degens group to some users of the Normies group.

# Create vulnerable ACLs and display verbose output
Set-BadACLs -Verbose
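
The group-level grants described above can be checked by reading the ACL of each target group and keeping only explicit GenericAll entries. This is an added example, not part of the ADLab module; it assumes the RSAT ActiveDirectory module is installed, and the function name Get-GenericAllAce is hypothetical.

```powershell
# Added example (not ADLab code): report explicit GenericAll grants on the lab's groups.
# Assumes the RSAT ActiveDirectory module; Get-GenericAllAce is a hypothetical name.
Import-Module ActiveDirectory                      # also mounts the AD: drive
Add-Type -AssemblyName System.DirectoryServices    # ActiveDirectoryRights enum

function Get-GenericAllAce {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Group
    )

    $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    foreach ($name in $Group) {
        $target = Get-ADGroup -Identity $name
        $acl = Get-Acl -Path ("AD:\" + $target.DistinguishedName)

        $acl.Access |
            Where-Object {
                # Explicit allow entries whose rights include every GenericAll bit
                $_.AccessControlType -eq 'Allow' -and
                -not $_.IsInherited -and
                ($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Target  = $name
                    Trustee = $_.IdentityReference.Value
                    Rights  = $_.ActiveDirectoryRights
                }
            }
    }
}

# Group names taken from the function description above
Get-GenericAllAce -Group 'Domain Admins', 'Chads' | Format-Table -AutoSize
```

Rows whose trustee is Chads or Degens correspond to the grants named in the description; any other trustee comes from the domain's existing ACL and should be reviewed on its own terms.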

The function first configures GPO to allow WinRM over TCP port 5985 to domain-joined systems. It then enables PS Remoting through GPO.



