


The aim of this module is to automate the deployment of an Active Directory lab for practicing internal penetration testing.

Credit to Joe Helle and his PowerShell for Pentesters course regarding the generation of the attack vectors.

Directions

Preparation

Not required but recommended: Move module into PSModulePath

# Display PSModulePath
$env:PSModulePath.split(";")

# Move module to path
Move-Item .\ADLab "C:\Windows\system32\WindowsPowerShell\v1.0\Modules"

Import-Module

# Import global module
Import-Module ADLab

# Import local module
Import-Module .\ADLab.psm1

Preliminary Lab Setup

Invoke-DCPrep

This function prepares the current VM/computer to be used as a domain controller for the new forest. It sets a static IP address, sets the DNS server to be the localhost and renames the computer.

# Prepare the current VM with all default values while displaying verbose output
Invoke-DCPrep -Verbose

# Set custom hostname and use Google DNS for Internet access
Invoke-DCPrep -Hostname "DC" -NewIPv4DNSServer "8.8.8.8"

# Use custom IP and default gateway and display verbose output
Invoke-DCPrep -Verbose -NewIPv4Address "192.168.1.99" -NewIPv4Gateway "192.168.1.1"

Invoke-ForestDeploy

The function installs the AD DS role and sets up a new Active Directory forest without requiring any user input. It restarts the computer upon completion.

# Installs a new forest with FQDN of "bufu-sec.local" with default DSRM password of "Password!"
Invoke-ForestDeploy -Domain bufu-sec.local

# Installs a new forest with FQDN of "bufu-sec.local" with the DSRM password set to "[email protected]!" and displaying debug messages
Invoke-ForestDeploy -Domain "bufu-sec.local" -DSRMPassword "[email protected]!" -Verbose

Invoke-DNSDeploy

The function begins by installing the DNS role. It then adds the primary zone and configures the server forwarder.

# Install and configure DNS on the current host and display verbose output.
Invoke-DNSDeploy -Verbose -NetworkID 192.168.47.0/24 -ZoneFile "192.168.47.2.in-addr.arpa.dns" -ServerForwarder 1.1.1.1

Invoke-DHCPDeploy

The function begins by installing the DHCP role on the current machine. It then adds the necessary security groups and authorizes the new DHCP server with the domain controller. Finally, it configures the new DHCP scope with the supplied values.

# Install and configure DHCP on the local DC.
Invoke-DHCPDeploy -Verbose -ScopeName "Default" -ScopeID 192.168.47.0 -StartIP 192.168.47.100 -EndIP 192.168.47.200 -SubnetMask 255.255.255.0 -DNSServer 192.168.47.10 -Router 192.168.47.10

# Install and configure DHCP on the specified DC.
Invoke-DHCPDeploy -Verbose -ScopeName "Default" -ScopeID 192.168.47.0 -StartIP 192.168.47.100 -EndIP 192.168.47.200 -SubnetMask 255.255.255.0 -DNSServer 192.168.47.10 -Router 192.168.47.10 -DCFQDN DC01.bufu-sec.local

Content

Invoke-ADLabFill

The function begins by creating the groups and OUs defined in the global Groups variable. It then generates 10 user objects for each OU by default.

# Fill forest with objects and display verbose output
Invoke-ADLabConfig -Verbose

# Create 50 users for each OU and display verbose output
Invoke-ADLabConfig -Verbose -UserCount 50

Attack Vectors

Set-ASREPRoasting

The function gets a certain number of random users from the domain and sets the DoesNotRequirePreAuth flag for each. It excludes default accounts like Administrator and krbtgt, and makes 5% of users ASREP-Roastable by default.

# Make 5% of users ASREP-Roastable and display verbose output
Set-ASREPRoasting -Verbose

# Make 10 random users in the domain ASREP-Roastable
Set-ASREPRoasting -VulnerableUsersCount 10

# Make user bufu ASREP-Roastable and display verbose output
Set-ASREPRoasting -Users bufu -Verbose

# Make supplied list of users ASREP-Roastable and display verbose output
Set-ASREPRoasting -Users ("bufu", "pepe") -Verbose

Set-Kerberoasting

The function gets a certain number of random users from the domain and adds an SPN for each. It excludes default accounts like Administrator and krbtgt, and makes 5% of users kerberoastable by default.

# Make 5% of users kerberoastable and display verbose output
Set-Kerberoasting -Verbose

# Make 10 random users in the domain kerberoastable
Set-Kerberoasting -VulnerableUsersCount 10

# Make user bufu kerberoastable and display verbose output
Set-Kerberoasting -Users bufu -Verbose

# Make supplied list of users kerberoastable and display verbose output
Set-Kerberoasting -Users ("bufu", "pepe") -Verbose

Set-BadACLs

The function begins by granting the Chads group GenericAll rights on the Domain Admins. It then grants the Degens group GenericAll rights on the Chads group. Finally, it grants GenericAll rights on some users from the Degens group to some users of the Normies group.


# Create vulnerable ACLs and display verbose output
Set-BadACLs -Verbose
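
To confirm what Set-ASREPRoasting, Set-Kerberoasting and Set-BadACLs changed, or to practice finding the same misconfigurations from the defender's side, the following added example (not part of ADLab) audits the domain with the ActiveDirectory module. The function name Get-LabWeakness and the default group list are assumptions for illustration.

```powershell
# Added audit example, not ADLab code. Requires the ActiveDirectory module (RSAT)
# and must run on a domain-joined host with read access to the directory.
Import-Module ActiveDirectory

function Get-LabWeakness {
    [CmdletBinding()]
    param(
        # Groups that Set-BadACLs is described as targeting; adjust for your lab.
        [string[]]$TargetGroups = @('Domain Admins', 'Chads')
    )

    # Accounts with Kerberos pre-authentication disabled (Set-ASREPRoasting).
    Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' -Properties DoesNotRequirePreAuth |
        ForEach-Object {
            [pscustomobject]@{ Finding = 'NoPreAuth'; Object = $_.SamAccountName; Detail = '' }
        }

    # User accounts carrying an SPN (Set-Kerberoasting); krbtgt has one by default.
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        ForEach-Object {
            [pscustomobject]@{
                Finding = 'UserSPN'; Object = $_.SamAccountName
                Detail  = ($_.ServicePrincipalName -join ', ')
            }
        }

    # Explicit (non-inherited) GenericAll grants on the target groups (Set-BadACLs).
    # Built-in trustees such as SYSTEM also appear; look for the lab's own groups.
    foreach ($name in $TargetGroups) {
        $group = Get-ADGroup -Identity $name
        (Get-Acl -Path "AD:\$($group.DistinguishedName)").Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited -and
                $_.ActiveDirectoryRights -eq 'GenericAll'
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Finding = 'GenericAll'; Object = $name; Detail = $_.IdentityReference.Value
                }
            }
    }
}

Get-LabWeakness | Sort-Object Finding, Object | Format-Table -AutoSize
```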

The function first configures GPO to allow WinRM over TCP port 5985 to domain-joined systems. It then enables PS Remoting through GPO.



