From a0297e0e4eed868705741248c59fdcfddf34883c Mon Sep 17 00:00:00 2001 
From: Jayson Grace Date: Thu, 2 Apr 2026 16:59:06 -0600 Subject: [PATCH] docs: update and reorganize documentation for DreadGOAD **Added:** - Added `CONTRIBUTING.md` with contribution guidelines, code style, testing, and issue reporting instructions - New provider guide for deploying on VMware Workstation from Windows hosts (`docs/mkdocs/docs/providers/vmware_windows.md`), including networking and Ansible setup **Changed:** - Refactored `README.md` to emphasize DreadGOAD-specific features, project differences from upstream GOAD, lab variants, quick start, and project structure; streamlined usage and installation instructions - Updated `docs/domains-and-users.md` to simplify host/IP/domain tables and clarify that domain admin passwords are set at provisioning time - Revised `docs/mkdocs/docs/index.md` to introduce DreadGOAD, highlight differences from upstream GOAD, and clarify vulnerability and safety warnings; added project acknowledgments - Updated provisioning documentation (`docs/mkdocs/docs/provisioning.md`) to include Docker-based Ansible provisioning, explicit Vagrant management commands, disable/re-enable vagrant user instructions, and clearer playbook sequencing - Updated `docs/validation.md` for improved instance ID redaction, troubleshooting, and script usage notes - Updated `docs/mkdocs/mkdocs.yml`: - Changed site metadata to DreadGOAD and updated repo URLs - Added navigation for new VMware on Windows provider guide - Updated social links to point to DreadGOAD repo **Removed:** - Removed outdated documentation in `docs/olddocs/` and legacy provider install guides to reduce confusion and avoid duplication with new documentation - Deleted `docs/FQDNs.md` and legacy architecture diagrams no longer referenced --- CONTRIBUTING.md | 66 + README.md | 318 +-- docs/FQDNs.md | 9 - docs/domains-and-users.md | 20 +- docs/mkdocs/docs/index.md | 35 +- docs/mkdocs/docs/providers/vmware_windows.md | 62 + docs/mkdocs/docs/provisioning.md | 79 +- docs/mkdocs/mkdocs.yml | 
16 +- docs/olddocs/aws.drawio | 164 -- docs/olddocs/diagram.drawio | 2139 ------------------ docs/olddocs/install_with_aws.md | 127 -- docs/olddocs/install_with_azure.md | 120 - docs/olddocs/install_with_proxmox.md | 31 - docs/olddocs/install_with_virtualbox.md | 179 -- docs/olddocs/install_with_vmware.md | 202 -- docs/olddocs/install_with_vmware_Windows.md | 53 - docs/olddocs/install_with_vmware_esxi.md | 233 -- docs/olddocs/misc.md | 69 - docs/olddocs/provisioning.md | 163 -- docs/olddocs/troubleshoot.md | 350 --- docs/validation.md | 19 +- 21 files changed, 346 insertions(+), 4108 deletions(-) create mode 100644 CONTRIBUTING.md delete mode 100644 docs/FQDNs.md create mode 100644 docs/mkdocs/docs/providers/vmware_windows.md delete mode 100644 docs/olddocs/aws.drawio delete mode 100644 docs/olddocs/diagram.drawio delete mode 100644 docs/olddocs/install_with_aws.md delete mode 100644 docs/olddocs/install_with_azure.md delete mode 100644 docs/olddocs/install_with_proxmox.md delete mode 100644 docs/olddocs/install_with_virtualbox.md delete mode 100644 docs/olddocs/install_with_vmware.md delete mode 100644 docs/olddocs/install_with_vmware_Windows.md delete mode 100644 docs/olddocs/install_with_vmware_esxi.md delete mode 100644 docs/olddocs/misc.md delete mode 100644 docs/olddocs/provisioning.md delete mode 100644 docs/olddocs/troubleshoot.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 00000000..b0678fc3 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,66 @@ +# Contributing to DreadGOAD + +Thanks for your interest in contributing! DreadGOAD is a fork of +[GOAD](https://github.com/Orange-Cyberdefense/GOAD) and we welcome +contributions that improve the labs, tooling, and documentation. + +## Getting Started + +1. Fork the repository +2. Create a feature branch from `main` +3. Make your changes +4. Submit a pull request + +## What We're Looking For + +- New vulnerability scenarios or attack paths +- Improvements to existing Ansible roles +- Bug fixes in provisioning or the Go CLI +- New provider support or extension modules +- Documentation improvements +- Test coverage + +## Guidelines + +### Code + +- Follow the existing code style in each language (Go, Python, Ansible/YAML) +- Ansible roles should include a `README.md` describing the role's purpose and variables +- Test your changes against at least one provider before submitting + +### Ansible Roles + +- Place new roles under `ansible/roles/` +- Use the collection namespace `dreadnode.goad` for module references +- Include default variables in `defaults/main.yml` + +### Lab Configurations + +- Lab definitions live under `ad//` +- Use `ad/TEMPLATE/` as a starting point for new labs +- Document the lab's topology, users, and intended vulnerabilities in its `README.md` + +### Commits + +- Write clear, descriptive commit messages +- Keep commits focused -- one logical change per commit + +### Pull Requests + +- Describe what changed and why +- Reference any related issues +- Include testing details (which provider, which lab) + +## Reporting Issues + +Open an issue on GitHub with: + +- What you expected to happen +- What actually happened +- Steps to reproduce +- Provider and OS details + +## License + +By contributing, you agree that your contributions will be licensed under the +GPL-3.0-or-later license. diff --git a/README.md b/README.md index 4a7dfbed..cd845d5e 100644 --- a/README.md +++ b/README.md 
@@ -1,256 +1,132 @@ # DreadGOAD -Heavily modified fork of [GOAD (Game of Active Directory)](https://github.com/Orange-Cyberdefense/GOAD) -by Orange Cyberdefense. Deploys vulnerable Active Directory lab environments -for penetration testing and security research, with a Go CLI (`dreadgoad`), -Ansible collection, Packer/Vagrant provisioning, and Docker support. +A heavily modified fork of [GOAD (Game of Active Directory)](https://github.com/Orange-Cyberdefense/GOAD) +by Orange Cyberdefense. DreadGOAD deploys vulnerable Active Directory lab +environments for penetration testing and security research. ---- +> **Warning:** This lab is extremely vulnerable by design. Do not deploy it on +> the internet without proper network isolation, and do not reuse any of these +> configurations in production environments. -## Architecture Diagram +## What's Different from GOAD? -![Architecture](docs/architecture.svg) +DreadGOAD extends the upstream GOAD project with: -## Requirements +- **Go CLI (`dreadgoad`)** -- single binary for provisioning, health checks, trust verification, and vulnerability validation +- **AWS infrastructure automation** -- Terragrunt/Terraform modules for deploying labs in AWS with SSM-based management (no open ports) +- **Modular extension system** -- plug-in extensions for ELK, Exchange, Wazuh, Guacamole, and more +- **Variant generator** -- create graph-isomorphic lab copies with randomized entity names while preserving all attack paths +- **Ansible collection (`dreadnode.goad`)** -- 80+ roles packaged as a reusable collection +- **Multi-provider support** -- VirtualBox, VMware, Proxmox, AWS, Azure, and Ludus -- Ansible >= 2.15 -- Windows target hosts accessible via WinRM or AWS SSM - -### Collection Dependencies +## Lab Environments -- `ansible.windows` >= 2.5.0 -- `community.general` -- `community.windows` >= 2.3.0 -- `chocolatey.chocolatey` >= 1.5.3 -- `microsoft.ad` +| Lab | VMs | Forests | Domains | Description | 
+|-----|-----|---------|---------|-------------| +| [GOAD](ad/GOAD/) | 5 | 2 | 3 | Full lab -- the complete Game of Active Directory experience | +| [GOAD-Light](ad/GOAD-Light/) | 3 | 1 | 2 | Lighter variant for resource-constrained setups | +| [GOAD-Mini](ad/GOAD-Mini/) | 1 | 1 | 1 | Minimal single-DC lab | +| [MINILAB](ad/MINILAB/) | 2 | 1 | 1 | One DC + one workstation | +| [SCCM](ad/SCCM/) | 4 | 1 | 1 | MECM/SCCM attack scenarios | +| [NHA](ad/NHA/) | 5 | 2 | 3 | Ninja Hacker Academy -- challenge mode | +| [DRACARYS](ad/DRACARYS/) | 4 | 1 | 2 | Training challenge variant | ---- +All labs feature 50+ intentional vulnerabilities including Kerberoasting, AS-REP +roasting, ACL abuse chains, ADCS misconfigurations (ESC1-8), MSSQL attacks, +delegation abuse, and more. See [docs/GOAD-vulnerabilities-comprehensive.md](docs/GOAD-vulnerabilities-comprehensive.md) +for the full catalog. -## Installation +## Quick Start -### From source +### Prerequisites -```bash -ansible-galaxy collection build . 
-ansible-galaxy collection install dreadnode-goad-1.0.0.tar.gz -``` +- Ansible >= 2.15 +- Go 1.21+ (for building the CLI) +- A supported infrastructure provider (VirtualBox, VMware, Proxmox, AWS, Azure, or Ludus) -### Install dependencies +### Install ```bash +# Clone the repo +git clone https://github.com/dreadnode/DreadGOAD.git +cd DreadGOAD + +# Install Ansible dependencies ansible-galaxy collection install -r ansible/requirements.yml -``` ---- - -## Lab Environment - -The GOAD lab provides: - -- **3 domains**: `sevenkingdoms.local`, `north.sevenkingdoms.local`, - `essos.local` -- **2 forests** with cross-domain trusts -- **5-6 hosts**: Domain controllers + member servers (Windows Server 2016/2019) - ---- - -## Roles - -### Active Directory - -| Role | Description | -| ---- | ----------- | -| `domain_controller` | Promote server to domain controller | -| `domain_controller_slave` | Add replica domain controller | -| `child_domain` | Create child domain | -| `member_server` | Join server to domain | -| `ad` | Create AD users, groups, and OUs | -| `acl` | Configure AD ACLs and permissions | -| `adcs` | Install Active Directory Certificate Services | -| `adcs_templates` | Deploy ADCS certificate templates | -| `trusts` | Configure cross-domain trusts | -| `gmsa` | Configure group managed service accounts | -| `gmsa_hosts` | Configure gMSA host permissions | -| `password_policy` | Set domain password policies | -| `move_to_ou` | Move objects to organizational units | -| `groups_domains` | Configure cross-domain group membership | -| `dns_conditional_forwarder` | Configure DNS conditional forwarders | -| `dc_dns_conditional_forwarder` | Configure DC-specific DNS forwarders | -| `parent_child_dns` | Configure parent-child domain DNS | -| `sync_domains` | Synchronize domain data | -| `onlyusers` | Create AD users only | -| `disable_user` | Disable AD user accounts | -| `enable_user` | Enable AD user accounts | - -### Server Roles - -| Role | Description | -| ---- | 
----------- | -| `common` | Base server configuration (DNS, proxy, modules) | -| `commonwkstn` | Workstation-specific configuration | -| `iis` | Install and configure IIS | -| `mssql` | Install and configure SQL Server | -| `mssql_link` | Configure SQL Server linked servers | -| `mssql_ssms` | Install SQL Server Management Studio | -| `mssql_reporting` | Install SQL Server Reporting Services | -| `mssql_audit` | Configure SQL Server audit logging | -| `elk` | Install Elasticsearch, Logstash, Kibana | -| `logs_windows` | Configure Windows event logging | -| `webdav` | Configure WebDAV server | -| `dhcp` | Configure DHCP server | -| `localusers` | Manage local user accounts | -| `fix_dns` | Fix DNS configuration issues | -| `ps` | Execute PowerShell scripts | - -### LAPS - -| Role | Description | -| ---- | ----------- | -| `laps_dc` | Install LAPS on domain controllers | -| `laps_server` | Install LAPS on member servers | -| `laps_verify` | Verify LAPS installation | -| `laps_permissions` | Configure LAPS permissions | - -### Settings - -| Role | Description | -| ---- | ----------- | -| `settings_hostname` | Set Windows hostname | -| `settings_admin_password` | Set local admin password | -| `settings_keyboard` | Configure keyboard layout | -| `settings_no_updates` | Disable Windows updates | -| `settings_updates` | Run Windows updates | -| `settings_windows_defender` | Enable/disable Windows Defender | -| `settings_copy_files` | Copy files to target hosts | -| `settings_adjust_rights` | Adjust local group membership | -| `settings_user_rights` | Configure user rights assignments | -| `settings_disable_nat_adapter` | Disable NAT network adapter | -| `settings_enable_nat_adapter` | Enable NAT network adapter | -| `settings_gpmc` | Install Group Policy Management Console | -| `settings_gpo_remove` | Remove Group Policy Objects | - -### Security - -| Role | Description | -| ---- | ----------- | -| `security_account_is_sensitive` | Mark accounts as sensitive | -| 
`security_asr` | Configure Attack Surface Reduction | -| `security_audit_policy` | Configure audit policies | -| `security_enable_run_as_ppl` | Enable RunAsPPL for LSASS | -| `security_ensure_kb_not_installed` | Ensure specific KBs not installed | -| `security_powershell_restrict` | Restrict PowerShell execution | -| `dc_audit_sacl` | Configure DC SACL auditing | -| `ldap_diagnostic_logging` | Configure LDAP diagnostic logging | - -### Vulnerabilities - -| Role | Description | -| ---- | ----------- | -| `vulns_disable_firewall` | Disable Windows Firewall | -| `vulns_credentials` | Plant credentials in various locations | -| `vulns_autologon` | Configure autologon credentials | -| `vulns_shares` | Create vulnerable file shares | -| `vulns_openshares` | Create open file shares | -| `vulns_directory` | Create vulnerable directories | -| `vulns_files` | Deploy vulnerable files | -| `vulns_enable_llmnr` | Enable LLMNR | -| `vulns_enable_nbt_ns` | Enable NBT-NS | -| `vulns_smbv1` | Enable SMBv1 | -| `vulns_ntlmdowngrade` | Downgrade NTLM settings | -| `vulns_enable_credssp_client` | Enable CredSSP client | -| `vulns_enable_credssp_server` | Enable CredSSP server | -| `vulns_anonymous_enum` | Enable anonymous enumeration | -| `vulns_administrator_folder` | Create vulnerable admin folders | -| `vulns_permissions` | Configure vulnerable permissions | -| `vulns_acls` | Configure vulnerable ACLs | -| `vulns_schedule` | Create vulnerable scheduled tasks | -| `vulns_mssql` | Configure MSSQL vulnerabilities | -| `vulns_adcs_templates` | Deploy vulnerable ADCS templates | - -### SCCM - -| Role | Description | -| ---- | ----------- | -| `sccm_install_prerequisites` | Install SCCM prerequisites | -| `sccm_install_iis` | Install IIS for SCCM | -| `sccm_install_adk` | Install Windows ADK | -| `sccm_install_wsus` | Install WSUS | -| `sccm_install_mecm` | Install MECM/SCCM | -| `sccm_config_discovery` | Configure SCCM discovery | -| `sccm_config_boundary` | Configure SCCM boundaries | 
-| `sccm_config_accounts` | Configure SCCM accounts | -| `sccm_config_client_push` | Configure client push installation | -| `sccm_config_client_install` | Install SCCM client | -| `sccm_config_naa` | Configure network access account | -| `sccm_config_pxe` | Configure PXE boot | -| `sccm_config_users` | Configure SCCM users | -| `sccm_pxe` | Configure PXE deployment | - ---- - -## Custom Modules - -| Module | Description | -| ------ | ----------- | -| `win_ad_dacl` | Manage AD ACL/DACL entries | -| `win_ad_object` | Create/modify AD objects | -| `win_gpo` | Create/modify Group Policy Objects | -| `win_gpo_link` | Link GPOs to OUs | -| `win_gpo_reg` | Manage GPO registry settings | -| `sccm_boundary` | Manage SCCM boundaries | -| `sccm_boundary_group` | Manage SCCM boundary groups | -| `sccm_boundary_to_boundarygroup` | Map boundaries to groups | - ---- - -## Usage - -```yaml ---- -- name: Deploy GOAD lab - hosts: all - collections: - - dreadnode.goad - - roles: - - role: dreadnode.goad.common - - role: dreadnode.goad.domain_controller +# Build the CLI +cd cli && go build -o dreadgoad . && cd .. ``` -For full orchestration, use the `dreadgoad` CLI: +### Deploy a Lab ```bash -# Build the CLI -cd cli && go build -o dreadgoad . - -# Provision the lab -dreadgoad provision --env staging +# Provision the full GOAD lab +./cli/dreadgoad provision # Health check all instances -dreadgoad health-check --env staging +./cli/dreadgoad health-check -# Verify domain trusts -dreadgoad verify-trusts --env staging +# Validate vulnerabilities are configured +./cli/dreadgoad validate --quick +``` + +For provider-specific setup instructions, see the [provider documentation](docs/mkdocs/docs/providers/). 
-# Quick vulnerability validation -dreadgoad validate --quick --env staging +### Generate a Variant -# Full vulnerability validation -dreadgoad validate --env staging +Create a randomized copy of any lab with unique names but identical attack paths: -# See all commands -dreadgoad --help +```bash +./cli/dreadgoad variant generate --source ad/GOAD --target ad/my-variant --name my-variant ``` ---- +See [tools/variant_generator/](tools/variant_generator/) for details. + +## Documentation + +- [CLI configuration](docs/cli.md) -- Viper-based config, environment variables, per-environment settings +- [Domains and users](docs/domains-and-users.md) -- full network topology, credentials, and attack paths +- [Vulnerability catalog](docs/GOAD-vulnerabilities-comprehensive.md) -- all 50+ vulnerabilities with exploitation techniques +- [Validation guide](docs/validation.md) -- automated vulnerability validation +- [Provider guides](docs/mkdocs/docs/providers/) -- VirtualBox, VMware, Proxmox, AWS, Azure, Ludus +- [Extension guides](docs/mkdocs/docs/extensions/) -- ELK, Exchange, Wazuh, hardened workstation +- [Architecture diagram](docs/architecture.svg) +- [Upstream GOAD docs](https://orange-cyberdefense.github.io/GOAD/) -- original project documentation + +## Project Structure + +```text +DreadGOAD/ +├── ad/ # Lab definitions (GOAD, GOAD-Light, MINILAB, SCCM, NHA, ...) +├── ansible/ # Ansible collection with 80+ roles and custom modules +├── cli/ # Go CLI source (dreadgoad) +├── docs/ # Documentation and architecture diagrams +├── extensions/ # Pluggable lab extensions (ELK, Exchange, Wazuh, ...) +├── modules/ # Terraform modules (AWS networking, instance factory) +├── packer/ # VM templating (Vagrant, Proxmox) +├── tools/ # Variant generator and utilities +└── template/ # Provider templates +``` -## License +## Contributing -GPL-3.0-or-later +Contributions are welcome! Please see [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines. 
+ +## Acknowledgments + +DreadGOAD is built on the excellent work of the [GOAD](https://github.com/Orange-Cyberdefense/GOAD) +project by [Mayfly](https://github.com/Mayfly277) and [Orange Cyberdefense](https://github.com/Orange-Cyberdefense). +If you find this useful, consider [sponsoring the original creator](https://github.com/sponsors/Mayfly277). + +Additional references and credits can be found in the [upstream documentation](https://orange-cyberdefense.github.io/GOAD/). + +## License ---- +GPL-3.0-or-later -- see [LICENSE](LICENSE). ## Disclaimer -This collection deploys intentionally vulnerable configurations for security -research and penetration testing. **Do not use in production environments.** +This project deploys intentionally vulnerable configurations for security +research and penetration testing training. **Do not use in production +environments.** Use at your own risk. diff --git a/docs/FQDNs.md b/docs/FQDNs.md deleted file mode 100644 index 379c9788..00000000 --- a/docs/FQDNs.md +++ /dev/null @@ -1,9 +0,0 @@ -# GOAD Staging FQDNs - -| FQDN | Private IP | Role | Domain | -|---|---|---|---| -| `kingslanding.sevenkingdoms.local` | 10.1.2.238 | DC | sevenkingdoms.local | -| `winterfell.north.sevenkingdoms.local` | 10.1.2.121 | DC | north.sevenkingdoms.local | -| `meereen.essos.local` | 10.1.2.211 | DC | essos.local | -| `castelblack.north.sevenkingdoms.local` | 10.1.2.17 | Server | north.sevenkingdoms.local | -| `braavos.essos.local` | 10.1.2.210 | Server | essos.local | diff --git a/docs/domains-and-users.md b/docs/domains-and-users.md index 24495caf..09527833 100644 --- a/docs/domains-and-users.md +++ b/docs/domains-and-users.md 
@@ -19,13 +19,13 @@ Trust: sevenkingdoms.local <──bidirectional──> essos.local ## Hosts & IP Addresses -| Host | Hostname | Domain | Private IP | Role | Instance ID | -| ------ | ---------- | -------- | ------------ | ------ | ------------- | -| DC01 | kingslanding | sevenkingdoms.local | 10.1.2.238 | Domain Controller (parent) | i-014ce68c3bdbf888e | -| DC02 | winterfell | north.sevenkingdoms.local | 10.1.2.121 | Domain Controller (child) | i-01ef190a91a23eab1 | -| DC03 | meereen | essos.local | 10.1.2.211 | Domain Controller | i-0f03ae2e9dd3332d7 | -| SRV02 | castelblack | north.sevenkingdoms.local | 10.1.2.17 | Member Server (IIS, MSSQL, WebDAV) | i-0bd336a4bd9090496 | -| SRV03 | braavos | essos.local | 10.1.2.210 | Member Server (MSSQL, WebDAV, ADCS) | i-0692242788b6cb839 | +| Host | Hostname | Domain | Role | +| ------ | ---------- | -------- | ------ | +| DC01 | kingslanding | sevenkingdoms.local | Domain Controller (parent) | +| DC02 | winterfell | north.sevenkingdoms.local | Domain Controller (child) | +| DC03 | meereen | essos.local | Domain Controller | +| SRV02 | castelblack | north.sevenkingdoms.local | Member Server (IIS, MSSQL, WebDAV) | +| SRV03 | braavos | essos.local | Member Server (MSSQL, WebDAV, ADCS) | ### Services per Host @@ -44,7 +44,7 @@ Trust: sevenkingdoms.local <──bidirectional──> essos.local **Forest:** sevenkingdoms.local **NetBIOS:** SEVENKINGDOMS **DC:** kingslanding (DC01) -**Domain Admin Password:** `ykRXQ@rWNV4znesz-h!c` (staging) +**Domain Admin Password:** Set during provisioning ### Users (sevenkingdoms) @@ -98,7 +98,7 @@ renly.baratheon ──WriteDACL──> OU=Crownlands **NetBIOS:** NORTH **DC:** winterfell (DC02) **Parent Domain:** sevenkingdoms.local -**Domain Admin Password:** `moydNed_wEKuP8KN6rUx` (staging) +**Domain Admin Password:** Set during provisioning ### Users (north) 
@@ -140,7 +140,7 @@ NT AUTHORITY\ANONYMOUS LOGON ──ReadProperty + GenericExecute──> DC=North **NetBIOS:** ESSOS **DC:** meereen (DC03) **Trust:** Bidirectional with sevenkingdoms.local -**Domain Admin Password:** `M!BbXzL48D9mH9dQzp*e` (staging) +**Domain Admin Password:** Set during provisioning ### Users (essos) diff --git a/docs/mkdocs/docs/index.md b/docs/mkdocs/docs/index.md index 74b05c7a..83324086 100644 --- a/docs/mkdocs/docs/index.md +++ b/docs/mkdocs/docs/index.md @@ -1,33 +1,32 @@ --- -title: Game Of Active Directory +title: DreadGOAD ---
GOAD
-Welcome to [GOAD](https://github.com/Orange-Cyberdefense/GOAD/) documentation ! - -Game Of Active Directory is a free pentest active directory LAB(s) project (1). -{ .annotate } - -1. GOAD is free if you use your own computer, obviously we will not pay your electricity bill and your cloud provider invoice ;) - -The purpose of this tool is to give pentesters a vulnerable Active directory environment ready to use to practice usual attack techniques. -The idea behind this project is to give you an environment where you can try and train your pentest skills without having the pain to build all by yourself. -This repository was build for pentest practice :slight_smile: +Welcome to **DreadGOAD** -- a heavily modified fork of [GOAD (Game of Active Directory)](https://github.com/Orange-Cyberdefense/GOAD/) by Orange Cyberdefense. +DreadGOAD deploys vulnerable Active Directory lab environments for penetration testing and security research. It extends the upstream GOAD project with a Go CLI, AWS infrastructure automation, a modular extension system, and a variant generator for creating randomized lab copies. !!! note - GOAD main labs (GOAD/GOAD-Light/SCCM) are not pro labs environments (like those you can find on HTB). These labs give you an environment to practice a lot of vulnerability and missconfig exploitations. Sure you can use them like pro labs, but it will certainly be too easy due to the number of vulns. Consider more GOAD like a DVWA but for Active Directory. If you want a chall deploy the lab NHA. + GOAD main labs (GOAD/GOAD-Light/SCCM) are not pro labs environments (like those you can find on HTB). These labs give you an environment to practice a lot of vulnerability and misconfiguration exploitations. Consider GOAD like a DVWA but for Active Directory. If you want a challenge, deploy the NHA lab. !!! 
warning - This lab is extremely vulnerable, do not reuse recipe to build your production environment and do not deploy this environment on internet without isolation (this is a recommendation, use it as your own risk). + This lab is extremely vulnerable. Do not reuse these configurations to build your production environment and do not deploy this environment on the internet without proper network isolation. Use at your own risk. !!! info "Windows Licenses" - This lab use free windows VM only (180 days). After that delay enter a license on each server or rebuild all the lab (may be it's time for an update ;)) + This lab uses free Windows VM evaluation images (180-day trial). After that period, enter a license on each server or rebuild the lab. + +## What's Different from GOAD? + +- **Go CLI (`dreadgoad`)** -- single binary for provisioning, health checks, trust verification, and vulnerability validation +- **AWS infrastructure automation** -- Terragrunt/Terraform modules for deploying labs in AWS with SSM-based management +- **Modular extension system** -- plug-in extensions for ELK, Exchange, Wazuh, Guacamole, and more +- **Variant generator** -- create graph-isomorphic lab copies with randomized entity names while preserving all attack paths +- **Ansible collection (`dreadnode.goad`)** -- 80+ roles packaged as a reusable collection + +## Acknowledgments -!!! example "" - **:heart: Sponsor**
- This lab is created and maintained mainly by his creator (Cyril Servières a.k.a @m4yfly) on personal time (~80% personal time / ~20% at Orange Cyberdefense). - If you like it maybe consider sponsoring me : [https://github.com/sponsors/Mayfly277](https://github.com/sponsors/Mayfly277) +DreadGOAD is built on the excellent work of the [GOAD](https://github.com/Orange-Cyberdefense/GOAD) project by [Mayfly](https://github.com/Mayfly277) (Cyril Servieres) and [Orange Cyberdefense](https://github.com/Orange-Cyberdefense). If you find this useful, consider [sponsoring the original creator](https://github.com/sponsors/Mayfly277). diff --git a/docs/mkdocs/docs/providers/vmware_windows.md b/docs/mkdocs/docs/providers/vmware_windows.md new file mode 100644 index 00000000..e2ce0650 --- /dev/null +++ b/docs/mkdocs/docs/providers/vmware_windows.md 
@@ -0,0 +1,62 @@ +# VMware on Windows + +This guide covers deploying GOAD labs using VMware Workstation on a **Windows host**, with Ansible running from a Kali or Ubuntu VM inside the same VMware instance. + +## Prerequisites + +### On the Windows host + +- [VMware Workstation Pro](https://www.vmware.com/products/workstation-pro.html) (Pro required -- Player does not support clone/snapshot) +- [Vagrant for Windows](https://developer.hashicorp.com/vagrant/install#Windows) +- [VMware Utility Driver](https://developer.hashicorp.com/vagrant/install/vmware) +- Vagrant plugins: + - `vagrant-reload` + - `vagrant-vmware-desktop` + +### Controller VM (Kali or Ubuntu) + +You need a Linux VM inside VMware Workstation to run Ansible. Configure it with **two network adapters**: + +1. **NAT or Bridged** -- for internet access +2. **Host-only** -- on the same subnet as the GOAD lab (`192.168.56.0/24`) + +Use VMware Workstation's Virtual Network Editor to configure the host-only network with subnet `192.168.56.0` and netmask `255.255.255.0`. + +Inside the controller VM, install dependencies: + +```bash +pip install --upgrade pip +pip install ansible-core pywinrm +sudo apt install sshpass lftp rsync openssh-client + +# Install Ansible requirements +cd DreadGOAD +ansible-galaxy collection install -r ansible/requirements.yml +``` + +## Create the VMs + +From a Windows PowerShell or cmd prompt: + +```powershell +cd ad\GOAD\providers\vmware +vagrant up +``` + +This pulls down and starts the lab VMs. Wait for it to complete before proceeding. + +## Provision with Ansible + +Once the VMs are running, switch to your Kali/Ubuntu controller VM and run the provisioning: + +```bash +cd DreadGOAD + +# Using the CLI +./cli/dreadgoad provision + +# Or using the legacy script +./goad.sh -t install -l GOAD -p vmware -m local -a +``` + +The `-a` flag skips interactive prompts and runs with defaults. 
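Review bot: in the new `docs/mkdocs/docs/providers/vmware_windows.md`, the Provision with Ansible step presents `./cli/dreadgoad provision` as the equivalent of `./goad.sh -t install -l GOAD -p vmware -m local -a`, but the CLI invocation carries no lab, provider or method; say how the CLI is told to target the vmware provider (flag or config file), otherwise a reader on Windows/VMware gets whatever the default happens to be. The Prerequisites list names `vagrant-reload` and `vagrant-vmware-desktop` but never shows how to install them; adding `vagrant plugin install vagrant-reload vagrant-vmware-desktop` next to the list would close that gap.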
diff --git a/docs/mkdocs/docs/provisioning.md b/docs/mkdocs/docs/provisioning.md index abea12ce..b78a7caf 100644 --- a/docs/mkdocs/docs/provisioning.md +++ b/docs/mkdocs/docs/provisioning.md 
@@ -67,7 +67,84 @@ The order is important as it determine the override order. hosts declarations ar roles_path = ./roles:../../../ansible/roles ``` -## labs build +## Running Ansible from Docker + +If you prefer not to install Ansible locally, you can provision from a Docker container: + +```bash +# Build the container +docker build -t goadansible . + +# Run provisioning +docker run -ti --rm --network host -h goadansible \ + -v $(pwd):/goad -w /goad/ansible goadansible \ + ansible-playbook \ + -i ../ad//data/inventory \ + -i ../ad//providers//inventory \ + main.yml +``` + +`--network host` is required so the container can reach the lab VMs on the host-only network (e.g. `192.168.56.0/24`). + +## Individual Playbooks + +The `main.yml` playbook runs all steps in sequence. For debugging or partial re-provisioning, you can run each playbook individually. The order matters: + +```bash +ANSIBLE_CMD="ansible-playbook -i ../ad/GOAD/data/inventory -i ../ad/GOAD/providers/virtualbox/inventory" +$ANSIBLE_CMD build.yml # Install prerequisites and prepare VMs +$ANSIBLE_CMD ad-servers.yml # Create main domains, child domain, enroll servers +$ANSIBLE_CMD ad-parent_domain.yml # Create parent domain +$ANSIBLE_CMD ad-child_domain.yml # Create child domain +sleep 5m # Allow replication to settle +$ANSIBLE_CMD ad-members.yml # Add child domain members +$ANSIBLE_CMD ad-trusts.yml # Create trust relationships +$ANSIBLE_CMD ad-data.yml # Import AD data (users, groups, OUs) +$ANSIBLE_CMD ad-gmsa.yml # Configure gMSA +$ANSIBLE_CMD laps.yml # Configure LAPS +$ANSIBLE_CMD ad-relations.yml # Set ACE/ACL and cross-domain group relations +$ANSIBLE_CMD adcs.yml # Install ADCS +$ANSIBLE_CMD ad-acl.yml # Configure ACL attack paths +$ANSIBLE_CMD servers.yml # Install IIS and MSSQL +$ANSIBLE_CMD security.yml # Configure security settings (Defender, etc.) +$ANSIBLE_CMD vulnerabilities.yml # Configure intentional vulnerabilities +$ANSIBLE_CMD reboot.yml # Reboot all VMs +``` + +!!! 
tip + If a playbook fails, you can usually just re-run it. Most transient failures are caused by Windows latency during installation. Wait a few minutes and retry. + +## Vagrant VM Management + +Common Vagrant commands for managing lab VMs: + +```bash +vagrant up # Start all VMs (or create if first run) +vagrant up # Start a specific VM +vagrant halt # Stop all VMs +vagrant destroy # Delete all VMs (irreversible) +vagrant snapshot push # Save a snapshot of all VMs +vagrant snapshot pop # Restore the last snapshot +``` + +!!! warning + `vagrant snapshot pop` can break domain trust relationships between servers. After restoring a snapshot, run the `fix_trust.yml` playbook to re-establish trusts. + +## Disabling the Vagrant User + +All VMs are deployed with default credentials `vagrant:vagrant` from the base templates. To remove this backdoor after provisioning: + +```bash +ansible-playbook -i ../ad//data/inventory -i ../ad//providers//inventory disable_vagrant.yml +``` + +To re-enable (e.g. for maintenance): + +```bash +ansible-playbook -i ../ad//data/inventory -i ../ad//providers//inventory enable_vagrant.yml +``` + +## Labs build - Instead of call a global main.yml playbook with all the different tasks to do the goad script call each playbook one by one. - In this way, there is a fallback mechanism to retry each playbook 3 times before consider it as failed. diff --git a/docs/mkdocs/mkdocs.yml b/docs/mkdocs/mkdocs.yml index d249caca..7ddb4cb8 100644 --- a/docs/mkdocs/mkdocs.yml +++ b/docs/mkdocs/mkdocs.yml @@ -1,7 +1,7 @@ -site_name: Game Of Active Directory -site_url: https://orange-cyberdefense.github.io/GOAD/ -repo_url: https://github.com/Orange-Cyberdefense/GOAD -site_author: mayfly +site_name: DreadGOAD +site_url: https://github.com/dreadnode/DreadGOAD +repo_url: https://github.com/dreadnode/DreadGOAD +site_author: Dreadnode nav: - GOAD: index.md - 🚀 Installation: 
@@ -12,6 +12,7 @@ nav: - index: providers/index.md - Virtualbox: providers/virtualbox.md - Vmware Workstation: providers/vmware.md + - Vmware on Windows: providers/vmware_windows.md - Vmware Esxi: providers/vmware_esxi.md - Aws: providers/aws.md - Azure: providers/azure.md @@ -83,13 +84,10 @@ extra: make our documentation better. social: - icon: fontawesome/brands/github - link: https://github.com/Orange-Cyberdefense/GOAD - - icon: fontawesome/brands/x-twitter - link: https://x.com/M4yFly - - icon: fontawesome/brands/discord - link: https://discord.gg/NYy7rsMf3u + link: https://github.com/dreadnode/DreadGOAD - icon: fontawesome/solid/heart link: https://github.com/sponsors/Mayfly277 + name: Sponsor the original GOAD creator markdown_extensions: - attr_list - md_in_html diff --git a/docs/olddocs/aws.drawio b/docs/olddocs/aws.drawio deleted file mode 100644 index b685158c..00000000 --- a/docs/olddocs/aws.drawio +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/docs/olddocs/diagram.drawio b/docs/olddocs/diagram.drawio deleted file mode 100644 index 8749f4f8..00000000 --- a/docs/olddocs/diagram.drawio +++ /dev/null 
@@ -1,2139 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/docs/olddocs/install_with_aws.md b/docs/olddocs/install_with_aws.md deleted file mode 100644 index 791f6c7a..00000000 --- a/docs/olddocs/install_with_aws.md +++ /dev/null 
@@ -1,127 +0,0 @@ -# AWS setup - -The architecture is the same than the Azure deployment. - -![Architecture](img/azure_architecture.png) - -> **Warning** -> LLMNR, NBTNS and other poisoning network attacks will not work in AWS environment. -> Only network coerce attacks will work. - -## Prerequisites - -- [Terraform](https://www.terraform.io/downloads.html) -- [AWS CLI](https://aws.amazon.com/cli/?nc1=h_ls) - -## AWS configuration - -You need to configure AWS cli. Use a key with enough privileges on the tenant. - -```bash -aws configure -``` - -## Configuration - -Before installing, it is **mandatory** to modify the `ad/GOAD/providers/aws/terraform/values.tfvars` file in order to match your needs, specifically: - -- zone: where you want to deploy GOAD -- whitelist\_cidr: your own IP address range (usually /32). This will be used as a whitelist to allow access to the jumpbox. - -Other configurable variables are listed in the `variable.tf` file. - -## Automatic installation - -```bash -# Check prerequisites -./goad.sh -t check -l GOAD -p aws -# Install -./goad.sh -t install -l GOAD -p aws -``` - -![aws check](./img/aws_check.png) - -## Lab access - -The SSH key necessary to connect the jumpbox is generated in `ad/GOAD/providers/aws/ssh_keys`. - -```bash -ssh goad@$PUBLIC_IP -i ubuntu-jumpbox.pem -``` - -The credentials to access the Windows machines can be found in the usual inventory file. As a backup, an AWS key pair is provided, allows retrieving the administrator password in case the initial provisioning script fails. The local administrator for all servers is **goadmin**. - -## Manual installation - -### Build the infrastructure with Terraform - -1. Initialize Terraform - -```bash -cd terraform -terraform init -``` - -2. Generate the terraform plan with the password - -```bash -cd ad/GOAD/providers/aws/terraform -terraform plan -out tfplan -var-file="values.tfvars" -``` - -> Note: The plan is useful to check if the terraform configuration is correct - -3. 
Apply the terraform plan - -```bash -terraform apply tfplan -var-file="values.tfvars" -``` - -> Note: The terraform apply command will take a few minutes to complete - -At the end of the terraform apply, the output will show the public ip of the Ubuntu VM. This VM will be used to run the ansible playbook to provision the Windows VM. - -### Windows VM provisionning with Ansible - -0. Rsync source on Ubuntu VM - -```bash -cd ../../../../../ # to the repository root folder -CURRENT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" -rsync -a --exclude-from='.gitignore' -e "ssh -i $CURRENT_DIR/ad/GOAD/providers/aws/ssh_keys/ubuntu-jumpbox.pem" "$CURRENT_DIR/" goad@$public_ip:~/GOAD/ -``` - -1. Run the setup.sh script to install Ansible and download GOAD on the Ubuntu VM - -```bash -ssh -i ad/GOAD/providers/aws/ssh_keys/ubuntu-jumpbox.pem goad@ 'bash -s' < scripts/setup_aws.sh -``` - -> Note: To get the public ip of the Ubuntu VM, you can run `terraform output` in the terraform directory - -2. Connect to the Ubuntu VM - -```bash -ssh -i ssh_keys/ubuntu-jumpbox.pem goad@ -``` - -3. Run the playbook to provision the Windows VM - -```bash -cd ansible -export ANSIBLE_COMMAND="ansible-playbook -i ../ad/GOAD/data/inventory -i ../ad/GOAD/providers/aws/inventory" -../scripts/provisionning.sh -``` - -- Details on the provisioning process are here : [provisioning.md](./provisioning.md) - -## Tips - -- To connect to the Windows VM, you can use proxychains and xfreerdp through the Ubuntu VM - -```bash -ssh -i ssh_keys/ubuntu-jumpbox.pem goad@ -D 1080 -proxychains xfreerdp /u:goadmin /p: /v: +clipboard /dynamic-resolution /cert-ignore -``` - -- Good to know: you can also configure a SSH tunnel directly in remmina! **Be careful**: you should have already accepted the public key of the jumpbox in order to connect using remmina, through a regular ssh connection. 
diff --git a/docs/olddocs/install_with_azure.md b/docs/olddocs/install_with_azure.md deleted file mode 100644 index 865fa11e..00000000 --- a/docs/olddocs/install_with_azure.md +++ /dev/null @@ -1,120 +0,0 @@ -# Azure setup - - -
- terraform - icon_azure - icon_ansible -
- -![Architecture](img/azure_architecture.png) - -> **Warning** -> LLMNR, NBTNS and other poisoning network attacks will not work in azure environment. -> Only network coerce attacks will work. - -## Prerequisites - -- [Terraform](https://www.terraform.io/downloads.html) -- [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest) - -## Azure configuration - -You need to login to Azure with the CLI. - -```bash -az login -``` - -## Automatic installation - -```bash -# check prerequisites -./goad.sh -t check -l GOAD -p azure -# Install -./goad.sh -t install -l GOAD -p azure -``` - -![azure check](./img/azure_check.png) - -## Manual installation - -### Build the infrastructure with Terraform - -1. Initialize Terraform - -```bash -cd terraform -terraform init -``` - -2. Generate the terraform plan with the password - -```bash -cd ad/GOAD/providers/azure/terraform -terraform plan -out tfplan -``` - -> Note: The plan is useful to check if the terraform configuration is correct - -3. Apply the terraform plan - -```bash -terraform apply tfplan -``` - -> Note: The terraform apply command will take a few minutes to complete - -At the end of the terraform apply, the output will show the public ip of the Ubuntu VM. This VM will be used to run the ansible playbook to provision the Windows VM. - -### Windows VM provisionning with Ansible - -0. Rsync source on Ubuntu VM - -```bash -cd ../../../../../ # to the repository root folder -CURRENT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" -rsync -a --exclude-from='.gitignore' -e "ssh -i $CURRENT_DIR/ad/GOAD/providers/azure/ssh_keys/ubuntu-jumpbox.pem" "$CURRENT_DIR/" goad@$public_ip:~/GOAD/ -``` - - -1. 
Run the setup.sh script to install Ansible and download GOAD on the Ubuntu VM - -```bash -ssh -i ad/GOAD/providers/azure/ssh_keys/ubuntu-jumpbox.pem goad@ 'bash -s' < scripts/setup_azure.sh -``` - -> Note: To get the public ip of the Ubuntu VM, you can run `terraform output` in the terraform directory - -2. Connect to the Ubuntu VM - -```bash -ssh -i ssh_keys/ubuntu-jumpbox.pem goad@ -``` - -3. Run the playbook to provision the Windows VM - -```bash -cd ansible -export ANSIBLE_COMMAND="ansible-playbook -i ../ad/GOAD/data/inventory -i ../ad/GOAD/providers/azure/inventory" -../scripts/provisionning.sh -``` - -- Details on the provisioning process are here : [provisioning.md](./provisioning.md) - -## Tips - -- To connect to the Windows VM, you can use proxychains and xfreerdp through the Ubuntu VM - -```bash -ssh -i ssh_keys/ubuntu-jumpbox.pem goad@ -D 1080 -proxychains xfreerdp /u:goadmin /p: /v: +clipboard /dynamic-resolution /cert-ignore -``` - -> Note: The password is the one generated at step 2 of the terraform section - -- If the command `terraform destroy` fails, you can delete the resource group using the CLI - -```bash -az group delete --name GOAD -``` diff --git a/docs/olddocs/install_with_proxmox.md b/docs/olddocs/install_with_proxmox.md deleted file mode 100644 index cbf0ffc7..00000000 --- a/docs/olddocs/install_with_proxmox.md +++ /dev/null @@ -1,31 +0,0 @@ -# Proxmox setup - -
- terraform - terraform - icon_ansible -
- -- A complete guide to proxmox installation is available here : [https://mayfly277.github.io/categories/proxmox/](https://mayfly277.github.io/categories/proxmox/) - -## Prerequisites - -- [Packer](https://developer.hashicorp.com/packer/downloads?product_intent=packer) -- [Terraform](https://www.terraform.io/downloads.html) - -## Installation - -- Once you have prepared your provisioning vm (you can use the scripts/setup_proxmox.sh for prerequisites installation) -- And once your prerequisites are ready see [https://mayfly277.github.io/posts/GOAD-on-proxmox-part2-packer/](https://mayfly277.github.io/posts/GOAD-on-proxmox-part2-packer/) to prepare the template for proxmox - - -- You can run the automatic installation - -```bash -# check prerequisites -./goad.sh -t check -l GOAD -p proxmox -# Install -./goad.sh -t install -l GOAD -p proxmox -``` - -- Details on the provisioning process are here : [provisioning.md](./provisioning.md) diff --git a/docs/olddocs/install_with_virtualbox.md b/docs/olddocs/install_with_virtualbox.md deleted file mode 100644 index a0cbcaca..00000000 --- a/docs/olddocs/install_with_virtualbox.md +++ /dev/null @@ -1,179 +0,0 @@ -# Virtualbox setup - -
- vagrant - icon_virtualbox - icon_ansible -
- -## Prerequisites - -- Providing - - [Virtualbox](https://www.virtualbox.org/) - - [Vagrant](https://developer.hashicorp.com/vagrant/docs) - - Vagrant plugins: - - vagrant-reload - -- Provisioning with python - - Python3 (>=3.8) - - [ansible-core==2.12.6](https://docs.ansible.com/ansible/latest/index.html) - - pywinrm - -- Or provisioning With Docker - - [Docker](https://www.docker.com/) - - -## check dependencies - -- If you run ansible locally - -```bash -./goad.sh -t check -l GOAD -p virtualbox -m local -``` - -- If you run ansible with docker - -```bash -./goad.sh -t check -l GOAD -p virtualbox -m docker -``` - -## Install dependencies - -> If the check is not ok you will have to install the dependencies (no automatic install is provided as it depend of your package manager and distribution). Here some install command lines are given for ubuntu. - -### Install Virtualbox - -- **virtualbox** actually the vms are provided to be run on virtualbox so you need a working virtualbox environment on your computer. -- This is obvious but yes you need to first install it on your hosts if you want to use it. (on ubuntu `sudo apt install virtualbox` will do the work) - -```bash -sudo apt install virtualbox -``` - -### Install Vagrant - -- **vagrant** from their official site [vagrant](https://developer.hashicorp.com/vagrant/downloads). **The version you can install through your favorite package manager (apt, yum, ...) is probably not the latest one**. 
-- Install vagrant plugin vbguest if you want the guest addition: `vagrant plugin install vagrant-vbguest` (not mandatory) -- Vagrant installation is well describe in [the official vagrant page](https://developer.hashicorp.com/vagrant/downloads) (tests are ok on 2.3.4) -- Some github issues indicate vagrant got some issue on some version and work well with 2.2.19 (`apt install vagrant=2.2.19`) - -```bash -wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg -echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list -sudo apt update && sudo apt install vagrant -``` - -- on some recent versions (ubuntu 23.04), you should consider run also: - -```bash -gem install winrm winrm-fs winrm-elevated -``` - -### Install docker - -- If you want to run the ansible install from docker and don't install all the python dependencies just [install docker](https://docs.docker.com/engine/install/) - -### Or Install Ansible locally - -- If you want to play ansible from your host or a linux vm you should launch the following commands : - -- *Create a python >= 3.8 virtualenv* - -```bash -sudo apt install git -git clone git@github.com:Orange-Cyberdefense/GOAD.git -cd GOAD/ansible -sudo apt install python3.8-venv -python3.8 -m virtualenv .venv -source .venv/bin/activate -``` - -- Install ansible and pywinrm in the .venv - - **ansible** following the extensive guide on their website [ansible](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html). 
- - **Tested with ansible-core (2.12)** - - **pywinrm** be sure you got the pywinrm package installed - -```bash -python3 -m pip install --upgrade pip -python3 -m pip install ansible-core==2.12.6 -python3 -m pip install pywinrm -``` - -- Install all the ansible-galaxy requirements - - **ansible windows** - - **ansible community.windows** - - **ansible chocolatey** (not needed anymore) - - **ansible community.general** - -```bash -ansible-galaxy install -r ansible/requirements.yml -``` - -## Install - -### Launch installation automatically - -- This will launch vagrant up and the ansible playbooks -- If you run ansible locally - -```bash -./goad.sh -t install -l GOAD -p virtualbox -m local -``` - -- If you run ansible on docker - -```bash -./goad.sh -t install -l GOAD -p virtualbox -m docker -``` - -### Launch installation manually - -### Create the vms - -- To create the VMs just run - -```bash -cd ad/GOAD/providers/virtualbox -vagrant up -``` - -- At the end of the vagrantup you should have the vms created and running, like this : - -![virtualbox](./img/vbox.png) - -- Adapter 1 is set up as NAT (used to internet access during the provisioning) -- Adapter 2 is set up as host only adapter on the network 192.168.56.1/24 - - -### Launch provisioning with Docker - -- launch the provision script (launch ansible with failover on errors) - -```bash -sudo docker run -ti --rm --network host -h goadansible -v $(pwd):/goad -w /goad/ansible goadansible /bin/bash -c "ANSIBLE_COMMAND='ansible-playbook -i ../ad/GOAD/data/inventory -i ../ad/GOAD/providers/virtualbox/inventory' ../scripts/provisionning.sh" -``` - -- or launch ansible from docker directly - -```bash -sudo docker run -ti --rm --network host -h goadansible -v $(pwd):/goad -w /goad/ansible goadansible ansible-playbook -i ../ad/GOAD/data/inventory -i ../ad/GOAD/providers/virtualbox/inventory main.yml -``` - -### Launch provisioning with Ansible - -- launch the provision script (launch ansible with failover on errors) - 
-```bash -cd ansible -export ANSIBLE_COMMAND="ansible-playbook -i ../ad/GOAD/data/inventory -i ../ad/GOAD/providers/virtualbox/inventory" -../scripts/provisionning.sh -``` - -- or launch ansible directly - -```bash -cd ansible/ -ansible-playbook -i ../ad/GOAD/data/inventory -i ../ad/GOAD/providers/virtualbox/inventory main.yml -``` - -- Details on the provisioning process are here : [provisioning.md](./provisioning.md) diff --git a/docs/olddocs/install_with_vmware.md b/docs/olddocs/install_with_vmware.md deleted file mode 100644 index 3f1a0963..00000000 --- a/docs/olddocs/install_with_vmware.md +++ /dev/null @@ -1,202 +0,0 @@ -# Vmware setup (aka "Virtualbox c'est no way") - -
- vagrant - icon_vwmare - icon_ansible -
- -## Prerequisites - -- Providing - - [Vmware workstation](https://www.vmware.com/products/workstation-pro/workstation-pro-evaluation.html) - - [Vagrant](https://developer.hashicorp.com/vagrant/docs) - - [Vmware utility driver](https://developer.hashicorp.com/vagrant/downloads/vmware) - - Vagrant plugins: - - vagrant-reload - - vagrant-vmware-desktop - - on some distribution also the vagrant plugins : - - winrm - - winrm-fs - - winrm-elevated - -- Provisioning with python - - Python3 (>=3.8) - - [ansible-core==2.12.6](https://docs.ansible.com/ansible/latest/index.html) - - pywinrm - -- Or provisioning With Docker - - [Docker](https://www.docker.com/) - - -## check dependencies - -- If you run ansible locally - -```bash -./goad.sh -t check -l GOAD -p vmware -m local -``` - -- If you run ansible with docker - -```bash -./goad.sh -t check -l GOAD -p vmware -m docker -``` - -## Install dependencies - -> If the check is not ok you will have to install the dependencies (no automatic install is provided as it depend of your package manager and distribution). Here some install command lines are given for ubuntu. 
- -### Install Vmware workstation - -- Download and install vmware workstation and set your license key (or use the 30 days trial) [workstation-pro-evaluation](https://www.vmware.com/products/workstation-pro/workstation-pro-evaluation.html) -- __Note that workstation-player can't manage clone and snapshot and will not work with vagrant you need to use the pro version__ -- You will also need to install VMware Utility driver (https://developer.hashicorp.com/vagrant/downloads/vmware) -(an install guide can be found here : https://developer.hashicorp.com/vagrant/docs/providers/vmware/vagrant-vmware-utility) - -```bash -cd /tmp -wget https://releases.hashicorp.com/vagrant-vmware-utility/1.0.21/vagrant-vmware-utility_1.0.21_linux_amd64.zip -sudo mkdir -p /opt/vagrant-vmware-desktop/bin -sudo unzip -d /opt/vagrant-vmware-desktop/bin vagrant-vmware-utility_1.0.21_linux_amd64.zip -sudo /opt/vagrant-vmware-desktop/bin/vagrant-vmware-utility certificate generate -sudo /opt/vagrant-vmware-desktop/bin/vagrant-vmware-utility service install -``` - -- Note that you will need to install the vmware-desktop plugin after the vagrant installation : - -```bash -vagrant plugin install vagrant-vmware-desktop -``` - -### Install Vagrant - -- __vagrant__ from their official site [vagrant](https://developer.hashicorp.com/vagrant/downloads). __The version you can install through your favorite package manager (apt, yum, ...) is probably not the latest one__. 
-- Install vagrant plugin vbguest if you want the guest addition: `vagrant plugin install vagrant-vbguest` (not mandatory) -- Vagrant installation is well describe in [the official vagrant page](https://developer.hashicorp.com/vagrant/downloads) (tests are ok on 2.3.4) -- Some github issues indicate vagrant got some issue on some version and work well with 2.2.19 (`apt install vagrant=2.2.19`) - -```bash -wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg -echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list -sudo apt update && sudo apt install vagrant -``` - -- on some recent versions (ubuntu 23.04), you should consider run also: - -```bash -gem install winrm winrm-fs winrm-elevated -``` - -### Install docker - -- If you want to run the ansible install from docker and don't install all the python dependencies just [install docker](https://docs.docker.com/engine/install/) - -### Or Install Ansible locally - -- If you want to play ansible from your host or a linux vm you should launch the following commands : - -- *Create a python >= 3.8 virtualenv* - -```bash -sudo apt install git -git clone git@github.com:Orange-Cyberdefense/GOAD.git -cd GOAD/ansible -sudo apt install python3.8-venv -python3.8 -m virtualenv .venv -source .venv/bin/activate -``` - -- Install ansible and pywinrm in the .venv - - __ansible__ following the extensive guide on their website [ansible](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html). 
- - __Tested with ansible-core (2.12)__ - - __pywinrm__ be sure you got the pywinrm package installed - -```bash -python3 -m pip install --upgrade pip -python3 -m pip install ansible-core==2.12.6 -python3 -m pip install pywinrm -``` - -- Install all the ansible-galaxy requirements - - __ansible windows__ - - __ansible community.windows__ - - __ansible chocolatey__ (not needed anymore) - - __ansible community.general__ - -```bash -ansible-galaxy install -r ansible/requirements.yml -``` - -## Install - -### Launch installation automatically - -- This will launch vagrant up and the ansible playbooks -- If you run ansible locally - -```bash -./goad.sh -t install -l GOAD -p vmware -m local -``` - -- If you run ansible on docker - -```bash -./goad.sh -t install -l GOAD -p vmware -m docker -``` - -### Launch installation manually - -### Create the vms - -- To create the VMs just run - -```bash -cd ad/GOAD/providers/vmware -vagrant up -``` - -*note: For some distributions, you may need to run additional commands to install WinRM gems* this can be done via the following commands: - -```bash -vagrant plugin install winrm -vagrant plugin install winrm-fs -vagrant plugin install winrm-elevated -``` - -- At the end of the vagrantup you should have the vms created and running - - -### Launch provisioning with Docker - -- launch the provision script (launch ansible with failover on errors) - -```bash -sudo docker run -ti --rm --network host -h goadansible -v $(pwd):/goad -w /goad/ansible goadansible /bin/bash -c "ANSIBLE_COMMAND='ansible-playbook -i ../ad/GOAD/data/inventory -i ../ad/GOAD/providers/vmware/inventory' ../scripts/provisionning.sh" -``` - -- or launch ansible from docker directly - -```bash -sudo docker run -ti --rm --network host -h goadansible -v $(pwd):/goad -w /goad/ansible goadansible ansible-playbook -i ../ad/GOAD/data/inventory -i ../ad/GOAD/providers/vmware/inventory main.yml -``` - -### Launch provisioning with Ansible - -- launch the provision script 
(launch ansible with failover on errors) - -```bash -cd ansible -export ANSIBLE_COMMAND="ansible-playbook -i ../ad/GOAD/data/inventory -i ../ad/GOAD/providers/vmware/inventory" -../scripts/provisionning.sh -``` - -- or launch ansible directly - -```bash -cd ansible/ -ansible-playbook -i ../ad/GOAD/data/inventory -i ../ad/GOAD/providers/vmware/inventory main.yml -``` - - -- Details on the provisioning process are here : [provisioning.md](./provisioning.md) diff --git a/docs/olddocs/install_with_vmware_Windows.md b/docs/olddocs/install_with_vmware_Windows.md deleted file mode 100644 index cd5a35fa..00000000 --- a/docs/olddocs/install_with_vmware_Windows.md +++ /dev/null 
@@ -1,53 +0,0 @@ -To deploy on Windows we need a few steps over and above standard VMWare setup detailed in install_with_vmware.md. - -## Prerequisites - -- Tooling to install on Windows - - [Vmware workstation](https://www.vmware.com/products/workstation-pro/workstation-pro-evaluation.html) - - [Vagrant for Windows](https://developer.hashicorp.com/vagrant/install?product_intent=vagrant#Windows) - - [Vmware utility driver](https://developer.hashicorp.com/vagrant/install/vmware) - - Vagrant plugins: - - vagrant-reload - - vagrant-vmware-desktop -- Kali or Ubuntu VM, installed inside VMWare Workstation - - Ensure the VM has two NICs, one NAT/Bridged for Internet and a second in the same subnet as GOAD default setup which is `192.168.56.0` and `255.255.255.0` netmask via VMWare Workstation's Virtual Network Editor. - - Install Ansible and Dependencies - - ```bash - pip install --upgrade pip - pip install ansible-core==2.12.6 - pip install pywinrm - - sudo apt install sshpass lftp rsync openssh-client - git clone https://github.com/Orange-Cyberdefense/GOAD - ``` - - - Install Ansible requirements - - drop into `GOAD/ansible` on Ubuntu/Kali VM and execute: - `ansible-galaxy install -r ansible/requirements.yml` - - -## Setup VMs with Vagrant - -Once pre-reqs have been installed, next thing to do is to deploy the baseline VMs with vagrant from cmd/PowerShell. - -### Create the vms - -- To create the VMs just run - -```powershell -cd ad\GOAD\providers\vmware -vagrant up -``` - -This will proceed to run through pulling down the five GOAD virtual machines. Once complete you can proceed to the next step which is deploying ansible to configure the VMs. - -### Deploy Ansible to Build VMs - -Once VMs have all built with Vagrant, the next step is to hop into your Kali/Ubuntu VM and roll with running Ansible to configure them. 
To do this, navigate to the GOAD directory and run the goad.sh setup script as a standard user: - -```bash -./goad.sh -t install -l GOAD -p vmware -m local -a -``` - -Provided you've done all the pre-req setup stages, this will run through the setup of all the VMs and configure them to the GOAD Ansible YML file specs. diff --git a/docs/olddocs/install_with_vmware_esxi.md b/docs/olddocs/install_with_vmware_esxi.md deleted file mode 100644 index 0f39dec7..00000000 --- a/docs/olddocs/install_with_vmware_esxi.md +++ /dev/null @@ -1,233 +0,0 @@ -# VMware ESXi setup (aka "Virtualbox c'est no way") - -
- vagrant - icon_vwmare - icon_ansible -
- -## Prerequisites - -- Providing - - [VMWare ESXi](https://www.vmware.com/products/esxi-and-esx.html) - [no longer free](https://kb.vmware.com/s/article/2107518) - - [Vagrant](https://developer.hashicorp.com/vagrant/docs) - - Vagrant plugins: - - vagrant-reload - - vagrant-vmware-esxi - - vagrant-env - - on some distribution also the vagrant plugins : - - winrm - - winrm-fs - - winrm-elevated - - ovftool (https://developer.broadcom.com/tools/open-virtualization-format-ovf-tool/latest) - -- Provisioning with python - - Python3 (>=3.8) - - [ansible-core==2.12.6](https://docs.ansible.com/ansible/latest/index.html) - - pywinrm - -- Or provisioning With Docker - - [Docker](https://www.docker.com/) - - -## check dependencies - -- If you run ansible locally - -```bash -./goad.sh -t check -l GOAD -p vmware_esxi -m local -``` - -- If you run ansible with docker - -```bash -./goad.sh -t check -l GOAD -p vmware_esxi -m docker -``` - -## Install dependencies - -> If the check is not ok you will have to install the dependencies (no automatic install is provided as it depend of your package manager and distribution). Here some install command lines are given for ubuntu. - -### Install VMWare ESXi - -Consult their [docs](https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-esxi-installation/GUID-93D0227B-E5ED-40B0-B8E2-71141A32EB00.html) - -- Note that you will need to install the vmware-esxi plugin after the vagrant installation : - -```bash -vagrant plugin install vagrant-vmware-esxi -``` - -### Install Vagrant - -- **vagrant** from their official site [vagrant](https://developer.hashicorp.com/vagrant/downloads). **The version you can install through your favorite package manager (apt, yum, ...) is probably not the latest one**. 
-- Vagrant installation is well describe in [the official vagrant page](https://developer.hashicorp.com/vagrant/downloads) (tests are ok on 2.3.4) -- Some github issues indicate vagrant got some issue on some version and work well with 2.2.19 (`apt install vagrant=2.2.19`) - -```bash -wget -O- https://apt.releases.hashicorp.com/gpg | gpg --dearmor | sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg -echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list -sudo apt update && sudo apt install vagrant -``` - -- on some recent versions (ubuntu 23.04), you should consider run also: - -```bash -gem install winrm winrm-fs winrm-elevated -``` - -### Install docker - -- If you want to run the ansible install from docker and don't install all the python dependencies just [install docker](https://docs.docker.com/engine/install/) - -### Or Install Ansible locally - -- If you want to play ansible from your host or a linux vm you should launch the following commands : - -- *Create a python >= 3.8 virtualenv* - -```bash -sudo apt install git -git clone git@github.com:Orange-Cyberdefense/GOAD.git -cd GOAD/ansible -sudo apt install python3.8-venv -python3.8 -m virtualenv .venv -source .venv/bin/activate -``` - -- Install ansible and pywinrm in the .venv - - **ansible** following the extensive guide on their website [ansible](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html). 
- - **Tested with ansible-core (2.12)** - - **pywinrm** be sure you got the pywinrm package installed - -```bash -python3 -m pip install --upgrade pip -python3 -m pip install ansible-core==2.12.6 -python3 -m pip install pywinrm -``` - -- Install all the ansible-galaxy requirements - - **ansible windows** - - **ansible community.windows** - - **ansible chocolatey** (not needed anymore) - - **ansible community.general** - -```bash -ansible-galaxy install -r ansible/requirements.yml -``` - -## Install - -### Enter credentials - -Since ESXi server is remote you will need to provide the environment details of the ESXi server. Those are located inside the `ad//providers/vmware_esxi/.env` file. - -```text -GOAD_VAGRANT_ESXIHOSTNAME is the IP or hostname of your ESXi server -GOAD_VAGRANT_ESXIUSERNAME is the username for your ESXi server -GOAD_VAGRANT_ESXIPASSWORD is the password for your ESXi server -GOAD_VAGRANT_ESXINETNAT is the ESXi portgroup for a NAT network present that contains your ESXi server and the deployment server -GOAD_VAGRANT_ESXINETDOM is the ESXi portgroup that is isolated domain network for the lab -GOAD_VAGRANT_ESXISTORE is the ESXi datastore where all the LAB files will be stored -``` - -You can use this file either by sourcing it or if you followed the previous steps that is done automatically with `vagrant-env` plugin. 
- -Sourcing inside a bash shell can be done as: - -```bash -source ad//providers/vmware_esxi/.env -``` - -### Launch installation automatically - -- This will launch vagrant up and the ansible playbooks -- If you run ansible locally - -```bash -./goad.sh -t install -l GOAD -p vmware_esxi -m local -``` - -- If you run ansible on docker - -```bash -./goad.sh -t install -l GOAD -p vmware_esxi -m docker -``` - -### Launch installation manually - -### Create the vms - -- To create the VMs just run - -```bash -cd ad/GOAD/providers/vmware_esxi -vagrant up -``` - -*note: For some distributions, you may need to run additional commands to install WinRM gems* this can be done via the following commands: - -```bash -vagrant plugin install winrm -vagrant plugin install winrm-fs -vagrant plugin install winrm-elevated -``` - -- At the end of the vagrantup you should have the vms created and running - - -### Launch provisioning with Docker - -- launch the provision script (launch ansible with failover on errors) - -```bash -sudo docker run -ti --rm --network host -h goadansible -v $(pwd):/goad -w /goad/ansible goadansible /bin/bash -c "ANSIBLE_COMMAND='ansible-playbook -i ../ad/GOAD/data/inventory -i ../ad/GOAD/providers/vmware_esxi/inventory' ../scripts/provisionning.sh" -``` - -- or launch ansible from docker directly - -```bash -sudo docker run -ti --rm --network host -h goadansible -v $(pwd):/goad -w /goad/ansible goadansible ansible-playbook -i ../ad/GOAD/data/inventory -i ../ad/GOAD/providers/vmware_esxi/inventory main.yml -``` - -### Launch provisioning with Ansible - -- launch the provision script (launch ansible with failover on errors) - -```bash -cd ansible -export ANSIBLE_COMMAND="ansible-playbook -i ../ad/GOAD/data/inventory -i ../ad/GOAD/providers/vmware_esxi/inventory" -../scripts/provisionning.sh -``` - -- or launch ansible directly - -```bash -cd ansible/ -ansible-playbook -i ../ad/GOAD/data/inventory -i ../ad/GOAD/providers/vmware_esxi/inventory main.yml -``` - - 
-- Details on the provisioning process are here : [provisioning.md](./provisioning.md) - -## Additional features supported for the vmware_esxi provider - -### snapshot - -It creates a snapshot for all Vagrant deployed boxes in a lab. - -Example usage: - -```bash -./goad.sh -t snapshot -l GOAD -p vmware_esxi -m local -``` - -### reset - -It reverts to a latest snapshot without deleting it for all Vagrant deployed boxes in a lab. - -Example usage: - -```bash -./goad.sh -t reset -l GOAD -p vmware_esxi -m local -``` diff --git a/docs/olddocs/misc.md b/docs/olddocs/misc.md deleted file mode 100644 index 72162973..00000000 --- a/docs/olddocs/misc.md +++ /dev/null @@ -1,69 +0,0 @@ -## MISC commands - -### Force replication (no more used) - -- On dragonstone play as domain admin user : - -```bash -repadmin /replicate kingslanding.sevenkingdoms.local dragonstone.sevenkingdoms.local dc=sevenkingdoms,dc=local /full -``` - -### vagrant useful commands (vm management) - -- start all lab vms : - -```bash -vagrant up -``` - -- start only one vm : - -```bash -vagrant up -``` - -- stop all the lab vm : - -```bash -vagrant halt -``` - -- drop all the lab vm (because you want to recreate all) (carrefull : this will erase all your lab instance) - -```bash -vagrant destroy -``` - -- snapshot the lab (https://www.vagrantup.com/docs/cli/snapshot) - -```bash -vagrant snapshot push -``` - -- restore the lab snapshot (this could break servers relationship, reset servers passwords with fix_trust.yml playbook) - -```bash -vagrant snapshot pop -``` - -### ansible commands (provisioning management) - -#### Play only an ansible part - -- only play shares of member_server.yml : - -```bash -ansible-playbook member_server.yml --tags "data,shares" -``` - -#### Play only on some server - -```bash -ansible-playbook -l dc2 domain_controller.yml -``` - -#### Add some vulns - -```bash -ansible-playbook vulnerabilities.yml -``` 
diff --git a/docs/olddocs/provisioning.md b/docs/olddocs/provisioning.md deleted file mode 100644 index f37b9173..00000000 --- a/docs/olddocs/provisioning.md +++ /dev/null 
@@ -1,163 +0,0 @@ -# Provisioning - -- Now you got all the VMS created, great! -- The next step is the provisioning with ansible. -- You can run ansible from : - - a docker container - - OR your linux host - - OR a linux VM with an host only adapter on the same network as the lab's vms. - -## Run ansible with docker - -- If you want to do the provisioning from a docker container you could launch the following command to prepare the container - -```bash -cd /opt/goad -sudo docker build -t goadansible . -``` - -- And launch the provisioning with : - -```bash -sudo docker run -ti --rm --network host -h goadansible -v $(pwd):/goad -w /goad/ansible goadansible ansible-playbook -i ../ad//data/inventory -i ../ad//providers//inventory main.yml -``` - -- This will launch ansible on the docker container. -- The --network host option will launch it on your host network so the vms should be accessible by docker for 192.168.56.1/24 -- The -v mount the local repository containing goad in the folder /goad of the docker container -- The -i indicate the global inventory to use with ansible (must not contains variables) -- The second -i indicate the provider inventory to use with ansible (must contains the variables) -- And than the playbook main.yml is launched -- Please note that the vms must be in a running state, so vagrant up must have been done and finished before launching the ansible playbook. 
- - -### Run ansible on your host (or from a linux vm in the same network as the lab) - -- If you want to play ansible from your host or a linux vm you should launch the following commands : - -- *Create a python >= 3.8 virtualenv* - -```bash -sudo apt install git -git clone git@github.com:Orange-Cyberdefense/GOAD.git -cd GOAD/ansible -sudo apt install python3.8-venv -python3.8 -m virtualenv .venv -source .venv/bin/activate -``` - -- Install ansible and pywinrm in the .venv - - **ansible** following the extensive guide on their website [ansible](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html). - - **Tested with ansible-core (2.12)** - - **pywinrm** be sure you got the pywinrm package installed - -```bash -python3 -m pip install --upgrade pip -python3 -m pip install ansible-core==2.12.6 -python3 -m pip install pywinrm -``` - -- Install all the ansible-galaxy requirements - - **ansible windows** - - **ansible community.windows** - - **ansible chocolatey** (not needed anymore) - - **ansible community.general** - -```bash -ansible-galaxy collection install -r ansible/requirements.yml -``` - -- And than you can launch the ansible provisioning with (note that the vms must be in a running state, so vagrant up must have been done before that) - -```bash -ansible-playbook -i ../ad/GOAD/data/inventory -i ../ad/GOAD/providers/virtualbox/inventory main.yml # this will configure the vms in order to play ansible when the vms are ready (for virtualbox provider and goad lab) -``` - -### Start / Setup / Run - -The default domain will be **sevenkingdoms.local**, on the subnet 192.168.56.1/24 and each machine has been allocated with 2CPU and 4GB of memory. If you want to change some of these performance settings you can modify the Vagrantfile (please note that with less RAM the install process sometimes crash, if it append just relaunch the ansible playbook). 
- -To have the lab up and running this is the commands you should do: - -- VMs start/creation if not exist - -```bash -pwd -/opt/GOAD # place yourself in the GOAD folder (where you cloned the project) -vagrant up # this will create the vms (this command must be run in the folder where the Vagrantfile is present) -``` - -- VMs provisioning - - in one command just play : - -```bash -ansible-playbook -i ../ad//data/inventory -i ../ad//providers//inventory main.yml # this will configure the vms in order to play ansible when the vms are ready -``` - -- To run the provisioning from the docker container run (you should be in the same folder as the Dockerfile): - -```bash -sudo docker run -ti --rm --network host -h goadansible -v $(pwd):/goad -w /goad/ansible goadansible ansible-playbook -i ../ad//data/inventory -i ../ad//providers//inventory main.yml -``` - -- Or you can run playbooks one by one (mostly for debug or if you get trouble during install) - - The main.yml playbook is build in multiples parts. each parts can be re-run independently but the play order must be keep in cas you want to play one by one : - -```python -ANSIBLE_COMMAND="ansible-playbook -i ../ad/GOAD/data/inventory -i ../ad/GOAD/providers/virtualbox/inventory" -$ANSIBLE_COMMAND build.yml # Install stuff and prepare vm -$ANSIBLE_COMMAND ad-servers.yml # create main domains, child domain and enroll servers -$ANSIBLE_COMMAND ad-parent_domain.yml # create parent domain -$ANSIBLE_COMMAND ad-child_domain.yml # create child domain -sleep 5m -$ANSIBLE_COMMAND ad-members.yml # add child members -$ANSIBLE_COMMAND ad-trusts.yml # create the trust relationships -$ANSIBLE_COMMAND ad-data.yml # import the ad data : users/groups... 
-$ANSIBLE_COMMAND ad-gmsa.yml # run gmsa -$ANSIBLE_COMMAND laps.yml # run laps -$ANSIBLE_COMMAND ad-relations.yml # set the rights and the group domains relations -$ANSIBLE_COMMAND adcs.yml # Install ADCS on essos -$ANSIBLE_COMMAND ad-acl.yml # set the ACE/ACL -$ANSIBLE_COMMAND servers.yml # Install IIS and MSSQL -$ANSIBLE_COMMAND security.yml # Configure some securities (adjust av enable/disable) -$ANSIBLE_COMMAND vulnerabilities.yml # Configure some vulnerabilities -$ANSIBLE_COMMAND reboot.yml # reboot all -``` - -- When you finish playing you could do : - -```bash -vagrant halt # will stop all the vm -``` - -- To just relaunch the lab (no need to replay ansible as you already do that in the first place) - -```bash -vagrant up # will start the lab -``` - -- If you got some errors see the troubleshooting section at the end of the document, but in most case if you get errors during install, don't think and just replay the main playbook (most of the errors which could came up are due to windows latency during installation, wait few minutes and replay the playbook) - -Additionally, all of the above features are nicelly wrapped into a `goad.sh` script that makes provisioning a breeze. Additionally there are `check.sh` script and various `setup.sh` scripts inside `scripts/` that makes preparing the environment easier. - -## Enabling and disabling default vagrant user - -*It is again important to mention that all the environments are deployed with default credentials of `vagrant:vagrant` because of the underlying templates. This is a lab environment which is inherently insecure.* - -However you might not want this default credentials to be available so there are no unintended solutions for the lab. This was made easier with ansible roles that disable this. - -```bash -ansible-playbook -i ../ad//data/inventory -i ../ad//providers//inventory disable_vagrant.yml -``` - -If you want again to manage the lab you can re-enable the user. 
- -```bash -ansible-playbook -i ../ad//data/inventory -i ../ad//providers//inventory enable_vagrant.yml -``` - -The same can be also achieved with the `goad.sh` wrapper for example: - -```bash -./goad.sh -t disablevagrant -l GOAD -p vmware_esxi -m local -``` diff --git a/docs/olddocs/troubleshoot.md b/docs/olddocs/troubleshoot.md deleted file mode 100644 index 1966f718..00000000 --- a/docs/olddocs/troubleshoot.md +++ /dev/null 
@@ -1,350 +0,0 @@ -## Troubleshooting - -- In most case if you get errors during install, don't think and just replay the main playbook (most of the errors which could came up are due to windows latency during installation, wait few minutes and replay the install) - -## vagrant up - WinRM - digest initialization failed : Initialization Error - -```text -DC01: WinRM username: vagrant -DC01: WinRM execution_time_limit: PT2H -DC01: WinRM transport: negotiate -An error occurred executing a remote WinRM command. - -Shell: Cmd -Command: hostname -Message: Digest initialization failed: initialization error -``` - -- solution 1: change vagrantfile to not use ssl (https://github.com/Orange-Cyberdefense/GOAD/issues/68) - - add this lines in vagrantfile to not use ssl : - - ```text - config.winrm.transport = "plaintext" - config.winrm.basic_auth_only = true - ``` - -- solution 2: allow legacy algorithm (https://github.com/Orange-Cyberdefense/GOAD/issues/11) - - add to /etc/ssl/openssl.conf : - - ```ini - [provider_sect] - default = default_sect - legacy = legacy_sect - - [default_sect] - activate = 1 - - [legacy_sect] - activate = 1 - ``` - -- solution 3: downgrade the vagrant version (`sudo apt install vagrant=2.2.19`) - -## vagrant up - cannot load - -```text -:85:in `require': cannot load such file -- winrm (LoadError) - from :85:in `require' - from /usr/share/rubygems-integration/all/gems/vagrant-2.3.4/plugins/communicators/winrm/shell.rb:9:in `block in ' - from /usr/share/rubygems-integration/all/gems/vagrant-2.3.4/lib/vagrant/util/silence_warnings.rb:8:in `silence!' -``` - -- solution : - - `gem install winrm` - - `gem install winrm-fs` - - -## vagrant up - cannot load such file -- winrm-elevated (LoadError) - -```text -:85:in `require': cannot load such file -- winrm-elevated (LoadError) - from :85:in `require' - from /usr/share/rubygems-integration/all/gems/vagrant-2.3.4/plugins/communicators/winrm/shell.rb:12:in `' - ... 
-``` - -- solution : `gem install winrm-elevated` - - -## ansible persistent "unreachable error" - -- Unreachable means ansible can't contact the vms. -- Maybe the vms didn't got the right ip? (try to connect with vagrant/vagrant on vm and look the ip) -- Or you got a firewall on the vm which do provisioning which block winrm connection ? -- or maybe it is a vagrant issue : https://github.com/Orange-Cyberdefense/GOAD/issues/12 -- You could try to switch on port 5985 to connect without ssl as suggest here : https://github.com/Orange-Cyberdefense/GOAD/issues/98 by uncomment the lines in the inventory file you use - -```bash -# ansible_winrm_transport=basic -# ansible_port=5985 -``` - -## The naming context specified for this replication operation is invalid - -```bash -TASK [groups_domains : synchronizes all domains] ******************************************************************************************************************************************************************************************************************************* -changed: [dc03] -changed: [dc01] -fatal: [dc02]: FAILED! 
=> {"changed": true, "cmd": "repadmin /syncall /Ade", "delta": "0:00:01.090773", "end": "2023-10-18 09:30:26.016579", "msg": "non-zero return code", "rc": 1, "start": "2023-10-18 09:30:24.925805", "stderr": "", "stderr_lines": [], "stdout": "Syncing all NC's held on winterfell.\r\r\nSyncing partition: DC=north,DC=sevenkingdoms,DC=local\r\r\nCALLBACK MESSAGE: Error contacting server CN=NTDS Settings,CN=WINTERFELL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=sevenkingdoms,DC=local (network error): 1722 (0x6ba):\r\r\n The RPC server is unavailable.\r\r\n\r\r\nSyncAll exited with fatal Win32 error: 8440 (0x20f8):\r\r\n The naming context specified for this replication operation is invalid.\r\r\n", "stdout_lines": ["Syncing all NC's held on winterfell.", "", "Syncing partition: DC=north,DC=sevenkingdoms,DC=local", "", "CALLBACK MESSAGE: Error contacting server CN=NTDS Settings,CN=WINTERFELL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=sevenkingdoms,DC=local (network error): 1722 (0x6ba):", "", " The RPC server is unavailable.", "", "", "", "SyncAll exited with fatal Win32 error: 8440 (0x20f8):", "", " The naming context specified for this replication operation is invalid.", ""]} -``` - -- relaunch install - -## vagrant up - Vagrant can't use the requested machine because it is locked - -```text -==> GOAD-SRV03: Configuring and enabling network interfaces... -Vagrant can't use the requested machine because it is locked! This -means that another Vagrant process is currently reading or modifying -the machine. Please wait for that Vagrant process to end and try -again. 
Details about the machine are shown below: -``` - -- solution : relaunch the provisioning on the broken computer : -- example : - -```bash -cd ~/GOAD/ad/GOAD/providers/virtualbox -vagrant reload GOAD-SRV03 --provisioning -``` - -- and than relaunch the install script - -## The server has rejected the client credentials - -```text -An exception occurred during task execution. To see the full traceback, use -vvv. The error was: at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.BeginProcessing() -failed: [dc02] (item={'key': 'AcrossTheSea', 'value': ['essos.local\\daenerys.targaryen']}) => {"ansible_loop_var": "item", "attempts": 3, "changed": false, "item": {"key": "AcrossTheSea", "value": ["essos.local\\daenerys.targaryen"]}, "msg": "Unhandled exception while executing module: The server has rejected the client credentials."} -``` - -- something go wrong with the trust, all the links are not fully establish -- wait several minutes and relaunch the install - -##  Groups domain error - -- something go wrong with the trust, all the links are not fully establish -- wait several minutes and relaunch the playbook -- i really don't know why this append time to time on installation, if you want to investigate and resolve the issue please tell me how. - -```bash -An exception occurred during task execution. To see the full traceback, use -vvv. 
The error was: at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.BeginProcessing() -failed: [192.168.56.xx] (item={'key': 'DragonsFriends', 'value': ['sevenkingdoms.local\\tyron.lannister', 'essos.local\\daenerys.targaryen']}) => {"ansible_loop_var": "item", "attempts": 3, "changed": false, "item": {"key": "DragonsFriends", "value": ["north.sevenkingdoms.local\\jon.snow", "sevenkingdoms.local\\tyron.lannister", "essos.local\\daenerys.targaryen"]}, "msg": "Unhandled exception while executing module: Either the target name is incorrect or the server has rejected the client credentials."} -``` - -## Error Add-Warning - -- You got an "Add-Warning" error during the user installation. -- Upgrade to community.windows galaxy >= 1.11.0 -- relaunch the ansible playbooks. - -```bash -An exception occurred during task execution. To see the full traceback, use -vvv. The error was: at , : line 475 -failed: [192.168.56.11] (item={'key': 'arya.stark', 'value': {'firstname': 'Arya', 'surname': 'Stark', -... -"msg": "Unhandled exception while executing module: The term 'Add-Warning' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again."}+ -``` - -## A parameter cannot be found that matches parameter name 'AcceptLicense' - -- If you got this kind of error you got an ansible.windows version >= 1.11.0 -- This version add the parameter AcceptLicense but it is accepted only for PowerShellGet module >= 1.6.0 and this one is not embedded in the vms. -- Please keep version 1.11.0 and update the lab to get the fix for the PowerShellGet Module version. - -```bash -fatal: [xxx]: FAILED! 
=> { - "changed": false, - "msg": "Problems installing XXXX module: A parameter cannot be found that matches parameter name 'AcceptLicense'.", - "nuget_changed": false, - "output": "", - "repository_changed": false -} -``` - -## old Ansible version - -```bash -ERROR! no action detected in task. This often indicates a misspelled module name, or incorrect module path. - -The error appears to have been in '/home/hrrb0032/Documents/mission/GOAD/roles/domain_controller/tasks/main.yml': line 8, column 3, but maybe elsewhere in the file depending on the exact syntax problem. - -The offending line appears to be: - -- name: disable enhanced exit codes -^ here -``` - -solution : upgrade Ansible - -### old ansible.windows version - -```bash -ERROR! couldn't resolve module/action 'win_powershell'. This often indicates a misspelling, missing collection, or incorrect module path. -``` - -- solution: reinstall ansible.windows module : - -```bash -ansible-galaxy collection install ansible.windows --force -``` - -## winrm - -```bash -PLAY [DC01 - kingslanding] ******************************************************* - - - -TASK [Gathering Facts] *********************************************************** -fatal: [192.168.56.10]: FAILED! 
=> {"msg": "winrm or requests is not installed: No module named winrm"} - - - -PLAY RECAP *********************************************************************** -192.168.56.10 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0 -``` - -solution : pip install pywinrm - - - -## winrm send input timeout - -```bash -TASK [Gathering Facts] **************************************************************************************************************************************************** -[WARNING]: ERROR DURING WINRM SEND INPUT - attempting to recover: WinRMOperationTimeoutError -ok: [192.168.56.11] -``` - -solution : wait or if crashed then re-run install - - - -## Domain controller : ensure Users are present - -```bash -TASK [domain_controller : Ensure that Users presents in ou=,dc=SEVENKINGDOMS,dc=local] *************************************************************************** -An exception occurred during task execution. To see the full traceback, use -vvv. The error was: at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.ProcessRecord() -failed: [192.168.56.10] (item={u'key': u'lord.varys', u'value': {u'city': u"King's Landing", u'password': u'_W1sper_$', u'name': u'Lord Varys', u'groups': u'Small Council', u'path': u'OU=Users,OU=Crownlands,OU=kingdoms,DC=SEVENKINGDOMS,DC=local'}}) => {"ansible_loop_var": "item", "changed": false, "item": {"key": "lord.varys", "value": {"city": "King's Landing", "groups": "Small Council", "name": "Lord Varys", "password": "_W1sper_$", "path": "OU=Users,OU=Crownlands,OU=kingdoms,DC=SEVENKINGDOMS,DC=local"}}, "msg": "Unhandled exception while executing module: An unspecified error has occurred"} - -``` - - solution : re-run install - -## mssql : Unable to install SQL Server - -```bash -TASK [mssql : Install the database] -fatal: [192.168.56.22]: FAILED! 
=> {"attempts": 3, "changed": true, "cmd": "c:\\setup\\mssql\\sql_installer.exe /configurationfile=c:\\setup\\mssql\\sql_conf.ini /IACCEPTSQLSERVERLICENSETERMS /MEDIAPATH=c:\\setup\\mssql\\media /QUIET /HIDEPROGRESSBAR", "delta": "0:00:34.891185", "end": "2022-08-17 21:26:53.976793", "msg": "non-zero return code", "rc": 2226323458, "start": "2022-08-17 21:26:19.085608", "stderr": "", "stderr_lines": [], "stdout": "Microsoft (R) SQL Server Installer\r\nCopyright (c) 2019 Microsoft. All rights reserved.\r\n\r\nDownloading install package...\r\n\r\n\r\nOperation finished with result: Failure\r\n\r\nOops...\r\n\r\nUnable to install SQL Server (setup.exe).\r\n\r\n Exit code (Decimal): -2068643838\r\n Exit message: No features were installed during the setup execution. The requested features may already be installed. Please review the summary.txt log for further details.\r\n\r\n SQL SERVER INSTALL LOG FOLDER\r\n c:\\Program Files\\Microsoft SQL Server\\150\\Setup Bootstrap\\Log\\20220817_142624\r\n\r\n", "stdout_lines": ["Microsoft (R) SQL Server Installer", "Copyright (c) 2019 Microsoft. All rights reserved.", "", "Downloading install package...", "", "", "Operation finished with result: Failure", "", "Oops...", "", "Unable to install SQL Server (setup.exe).", "", " Exit code (Decimal): -2068643838", " Exit message: No features were installed during the setup execution. The requested features may already be installed. Please review the summary.txt log for further details.", "", " SQL SERVER INSTALL LOG FOLDER", " c:\\Program Files\\Microsoft SQL Server\\150\\Setup Bootstrap\\Log\\20220817_142624", ""]} -``` - -solution : re-run installer - - -## vagrant: Not working on Ubuntu 22.04 - -I was using the version of Vagrant in the Ubuntu repo, and then tried to use the version 2.4.0 and 2.3.4 binaries from hashicorp, but kept on running into this error: - -```bash -The guest machine entered an invalid state while waiting for it -to boot. Valid states are 'starting, running'. 
The machine is in the -'poweroff' state. Please verify everything is configured -properly and try again. - -If the provider you're using has a GUI that comes with it, -it is often helpful to open that and watch the machine, since the -GUI often has more helpful error messages than Vagrant can retrieve. -For example, if you're using VirtualBox, run `vagrant up` while the -VirtualBox GUI is open. - -The primary issue for this error is that the provider you're using -is not properly configured. This is very rarely a Vagrant issue. -``` - -Solution : install vagrant from the hashicorp repo - -## proxmox: error creating VM: 403 Permission check failed (/sdn/zones/localnetwork/vmbr3/10, SDN.Use) - -The error may look similar to below: - -```text -==> proxmox-iso.windows: Error creating VM: error creating VM: 403 Permission check failed (/sdn/zones/localnetwork/vmbr3/10, SDN.Use), -error status: {"data":null} (params: ...... -``` - -It may be fixed by delegating the SDN.Use privilege to the packer user - -```bash -pveum role modify Packer -privs "VM.Config.Disk VM.Config.CPU VM.Config.Memory Datastore.AllocateTemplate Datastore.Audit Datastore.AllocateSpace Sys.Modify VM.Config.Options VM.Allocate VM.Audit VM.Console VM.Config.CDROM VM.Config.Cloudinit VM.Config.Network VM.PowerMgmt VM.Config.HWType VM.Monitor SDN.Use" -``` - -## proxmox: ==> proxmox-iso.windows: Error creating VM: error creating VM: unable to create VM 103 - unsupported format 'qcow2' - -The error may look similar to below: - -```text -root@goadprovisioning:~/GOAD/packer/proxmox# packer build -var-file=windows_server2019_proxmox_cloudinit.pkvars.hcl . -proxmox-iso.windows: output will be in this color. 
- -==> proxmox-iso.windows: Retrieving additional ISO -==> proxmox-iso.windows: Trying ./iso/Autounattend_winserver2019_cloudinit.iso -==> proxmox-iso.windows: Trying ./iso/Autounattend_winserver2019_cloudinit.iso?checksum=sha256%3A43857cb780de3a58696285f644034499d4b29608b3c511feb27e315832b696c4 -==> proxmox-iso.windows: ./iso/Autounattend_winserver2019_cloudinit.iso?checksum=sha256%3A43857cb780de3a58696285f644034499d4b29608b3c511feb27e315832b696c4 => /root/GOAD/packer/proxmox/iso/Autounattend_winserver2019_cloudinit.iso - proxmox-iso.windows: Uploaded ISO to local:iso/Autounattend_winserver2019_cloudinit.iso -==> proxmox-iso.windows: Creating VM -==> proxmox-iso.windows: No VM ID given, getting next free from Proxmox -==> proxmox-iso.windows: Error creating VM: error creating VM: unable to create VM 103 - unsupported format 'qcow2' at /usr/share/perl5/PVE/Storage/LvmThinPlugin.pm line 87., error status: (params: map[agent:1 args: boot: cores:2 cpu:kvm64 description:Packer ephemeral build VM hotplug: ide2:local:iso/windows_server_2019.iso,media=cdrom kvm:true machine: memory:4096 name:WinServer2019x64-cloudinit-qcow2 net0:virtio=5E:5D:24:C4:0F:DA,bridge=vmbr3,tag=10 numa:false onboot:false ostype:win10 pool:GOAD sata0:vms:40,discard=ignore,format=qcow2 scsihw:lsi sockets:1 startup: tags: vmid:103])...... -``` - -Filesystems such as ZFS (and others) do not support qcow2. From my reading the best approach is to use an ext4 filesystem and modify `config.auto.pkrvars.hcl` with the newly created ext4 volume. - -```text -root@goadprovisioning:~/GOAD/packer/proxmox# vi config.auto.pkrvars.hcl -... -proxmox_vm_storage = "ext4-qcow2" -... -root@goadprovisioning:~/GOAD/packer/proxmox# packer build -var-file=windows_server2019_proxmox_cloudinit.pkvars.hcl . -proxmox-iso.windows: output will be in this color. 
- -==> proxmox-iso.windows: Retrieving additional ISO -==> proxmox-iso.windows: Trying ./iso/Autounattend_winserver2019_cloudinit.iso -==> proxmox-iso.windows: Trying ./iso/Autounattend_winserver2019_cloudinit.iso?checksum=sha256%3A43857cb780de3a58696285f644034499d4b29608b3c511feb27e315832b696c4 -==> proxmox-iso.windows: ./iso/Autounattend_winserver2019_cloudinit.iso?checksum=sha256%3A43857cb780de3a58696285f644034499d4b29608b3c511feb27e315832b696c4 => /root/GOAD/packer/proxmox/iso/Autounattend_winserver2019_cloudinit.iso - proxmox-iso.windows: Uploaded ISO to local:iso/Autounattend_winserver2019_cloudinit.iso -==> proxmox-iso.windows: Creating VM -==> proxmox-iso.windows: No VM ID given, getting next free from Proxmox -==> proxmox-iso.windows: Starting VM -``` - -- another solution is to switch to raw : `proxmox_vm_storage = "raw"` - -## proxmox - packer error creating vm : volume 'local:iso/windows_XXX.iso' does not exist - -```text -==> proxmox-iso.windows: Error creating VM: error creating VM: unable to create VM 116 - volume 'local:iso/windows_server2019_XXX_en-us.iso' does not exist, error status: (params: map[agent:1 args: boot: cores:2 cpu:kvm64 description:Packer ephemeral build VM hotplug -: ide2:local:iso/windows_server2019_XXX_en-us.iso,media=cdrom kvm:true machine: memory:4096 name:WinServer2019x64-cloudinit-qcow2-uptodate net0:virtio=DA:CB:EB:85:08:0E,bridge=vmbr3,tag=10,firewall=false onboot:false ostype:win10 pool:Templates sata0:local:80,format=q -cow2 scsihw:lsi sockets:1 startup: tags: vmid:116]) -``` - -verify your iso files inside proxmox and be sure the iso you want to use exist in proxmox - -## ansible adapter name error - -```text -No MSFT_NetAdapter objects found with property 'Name' equal to 'Ethernet' - -or - -No MSFT_NetAdapter objects found with property 'Name' equal to 'Ethernet2 ' -``` - -- connect to the vm and run ipconfig, verify the adapter name are the same as described in the inventory file. 
-- if not change them to match the inventory name in the vm. - -## unreachable - proxmox, ansible - -```text -fatal: [dc01]: UNREACHABLE! => {"changed": false, "msg": "ssl: HTTPSConnectionPool(host='192.168.10.40', port=5986): Max retries exceeded with url: /wsman -``` - -- may be the vm is not well ready after the terraform creation. retry the install. -- if you still get the error connect to the vm and verify the static ip is corresponding with the one expect. diff --git a/docs/validation.md b/docs/validation.md index d6dd368b..ce497758 100644 --- a/docs/validation.md +++ b/docs/validation.md @@ -117,11 +117,11 @@ Inventory: ./dev-inventory Output: /tmp/goad-validation-20241215-134500.json ℹ Discovering instances... -✓ Found DC01: i-028f18fd2e04f3ecc -✓ Found DC02: i-01fa0b5af9fef7c4c -✓ Found DC03: i-0045ac57f8e3d3a65 -✓ Found SRV02: i-05e32c1deb99b7aa7 -✓ Found SRV03: i-0dc7ce34249756c31 +✓ Found DC01: i-0123456789abcdef0 +✓ Found DC02: i-0123456789abcdef1 +✓ Found DC03: i-0123456789abcdef2 +✓ Found SRV02: i-0123456789abcdef3 +✓ Found SRV03: i-0123456789abcdef4 ========================================== 1. Credential Discovery Vulnerabilities @@ -241,7 +241,7 @@ Use this checklist to track validation progress: dreadgoad lab status # Verify SSM agent is running -aws ssm describe-instance-information --filters "Key=tag:Name,Values=*dreadgoad*" +aws ssm describe-instance-information --filters "Key=tag:Name,Values=*goad*" ``` #### 2. "Permission denied" errors @@ -269,7 +269,7 @@ aws sts get-caller-identity dreadgoad validate --env staging --no-fail --verbose # Option 2: Test AWS CLI connectivity first -time aws ec2 describe-instances --region us-west-1 --max-results 5 +time aws ec2 describe-instances --region --max-results 5 ``` **Note**: The script may take 1-2 minutes to complete due to multiple AWS API calls. This is normal. 
@@ -323,7 +323,6 @@ Use the validation script in your CI/CD pipeline: # Example GitHub Actions workflow - name: Validate GOAD Deployment run: | - cd apps/DreadGOAD dreadgoad validate --env staging continue-on-error: false ``` @@ -343,7 +342,7 @@ If automated validation fails, you can manually verify vulnerabilities: ### 1. SSM into a Domain Controller ```bash -aws ssm start-session --target i-028f18fd2e04f3ecc --region us-west-1 +aws ssm start-session --target --region ``` ### 2. Run PowerShell Checks @@ -398,4 +397,4 @@ For issues with validation: --- -**Last Updated**: December 15, 2024 +**Last Updated**: April 2026
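Review bot: in the `@@ -269,7 +269,7 @@` hunk of docs/validation.md, the new line `time aws ec2 describe-instances --region --max-results 5` leaves `--region` with no value, so the AWS CLI will consume `--max-results` as the region name and the command fails as written; since the hunk's intent is to drop the hard-coded `us-west-1`, use an explicit placeholder the reader can see must be filled in, e.g. `time aws ec2 describe-instances --region <your-region> --max-results 5`, or read it from the environment with `--region "$AWS_REGION"`.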
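Review bot: in the `@@ -343,7 +342,7 @@` hunk ("SSM into a Domain Controller"), `aws ssm start-session --target --region` has had both argument values removed and is no longer a runnable command; the section is a manual-verification walkthrough, so keep the shape visible with placeholders that match the redaction style used earlier in the same file, e.g. `aws ssm start-session --target i-0123456789abcdef0 --region <your-region>`, and say that the instance ID comes from the `Found DC01:` line of the discovery output.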
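Review bot: in the `@@ -241,7 +241,7 @@` hunk, widening the SSM filter from `Values=*dreadgoad*` to `Values=*goad*` makes the check match every instance in the account and region whose Name tag contains "goad", not only this lab; if the change is because the deployed Name tags do not actually contain "dreadgoad", state the real tag naming next to the command so readers can verify the agent status of the right hosts, or filter on a lab-specific tag instead of a wildcard on Name.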
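Review bot: in the `@@ -323,7 +323,6 @@` hunk, dropping `cd apps/DreadGOAD` from the GitHub Actions example leaves the workflow relying on `dreadgoad` already being installed and on `PATH` in the runner, and the snippet shows no install step; add the step that installs the CLI (or a sentence stating the prerequisite) so the example runs as shown.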
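Review bot: the `@@ -1,350 +0,0 @@` deletion of docs/olddocs/troubleshoot.md removes troubleshooting entries that have no replacement in this patch and no new troubleshooting page in the commit message: the `vagrant up` WinRM `Digest initialization failed` fix (plaintext transport or the OpenSSL legacy provider), the winrm/winrm-fs/winrm-elevated gem errors, the proxmox `SDN.Use` privilege fix for `pveum role modify Packer`, and the `unsupported format 'qcow2'` error on LVM-thin storage. Either port these into the mkdocs tree (a troubleshooting page under docs/mkdocs/docs/) or say in the message that they are intentionally dropped; as it stands the "Removed" section only claims duplication with new documentation.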
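Review bot: the deleted ESXi provider guide (the hunk running from `## Prerequisites` through the `### reset` section) is the only place in this patch that documents the `ad/<lab>/providers/vmware_esxi/.env` variables (`GOAD_VAGRANT_ESXIHOSTNAME`, `GOAD_VAGRANT_ESXIUSERNAME`, `GOAD_VAGRANT_ESXIPASSWORD`, `GOAD_VAGRANT_ESXINETNAT`, `GOAD_VAGRANT_ESXINETDOM`, `GOAD_VAGRANT_ESXISTORE`) and the `-t snapshot` / `-t reset` actions; if the vmware_esxi provider is still supported by DreadGOAD, that variable reference should survive in the new provider docs, and since the file holds the ESXi password it is worth stating there that it must stay out of version control.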