Create a vulnerable Active Directory that lets you test most Active Directory attacks in a local lab.
- Randomized attacks
- Full coverage of the attacks listed below
- You need to run the script on a DC with Active Directory installed
- Some attacks require a client workstation
- Abusing ACLs/ACEs
- Kerberoasting
- AS-REP Roasting
- Abuse DnsAdmins (...)
- Password in AD User comment
- Password Spraying
- DCSync (...)
- Silver Ticket (...)
- Golden Ticket (...)
- Pass-the-Hash (...)
- Pass-the-Ticket (...)
- SMB Signing Disabled
- Bad WinRM permission
- Anonymous LDAP query
- Public SMB Share
- Zerologon (Check version)
Now includes a writeup in the wiki section.
On the machine that will become the DC, install AD DS and promote it to the root of a new forest:

```powershell
Install-WindowsFeature -Name AD-Domain-Services
Install-ADDSForest -CreateDnsDelegation:$false -DatabasePath "C:\Windows\NTDS" -DomainMode "7" -DomainName "bypazs.local" -DomainNetbiosName "bypazs" -ForestMode "7" -InstallDns:$true -LogPath "C:\Windows\NTDS" -NoRebootOnCompletion:$false -SysvolPath "C:\Windows\SYSVOL" -Force:$true
```
- Enable Windows Defender

```powershell
IEX((new-object net.webclient).downloadstring("https://raw.githubusercontent.com/bypazs/vulnerable-AD-plus/master/vulnadplus.ps1"));
```

- Disable Windows Defender

```powershell
IEX((new-object net.webclient).downloadstring("https://raw.githubusercontent.com/bypazs/vulnerable-AD-plus/master/vulnadplusv1.1.ps1"));
```

Then build the lab; the number of users and the domain name are parameters of the script's `Invoke-VulnAD` function:

```powershell
Invoke-VulnAD -UsersLimit 20 -DomainName "bypazs.local"
```
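Once `Invoke-VulnAD` has finished, it is useful to enumerate which of the listed weaknesses actually landed in the lab so they can be mapped to detections and remediated when the lab is reset. The audit script below is an added example and is not part of vulnerable-AD-plus. It assumes it is run on the lab DC with the ActiveDirectory RSAT module available; the attributes it searches for planted passwords (description, info, comment) and the keyword it matches are assumptions, and the DCSync check only inspects explicit replication ACEs on the domain head, so principals that hold GenericAll are not reported separately.

```powershell
# Added audit script (not part of vulnerable-AD-plus): run on the lab DC after
# Invoke-VulnAD to list the weaknesses it seeded. Requires the ActiveDirectory module.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param([string]$Category, [string]$Subject, [string]$Detail)
    $findings.Add([pscustomobject]@{ Category = $Category; Subject = $Subject; Detail = $Detail })
}

# 1. Kerberoasting: a user account with an SPN can have a service ticket requested for it,
#    so a weak password on such an account is recoverable offline. krbtgt always has one.
Get-ADUser -Filter { ServicePrincipalName -like '*' } -Properties ServicePrincipalName |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    ForEach-Object { Add-Finding 'Kerberoasting' $_.SamAccountName ($_.ServicePrincipalName -join ', ') }

# 2. AS-REP roasting: accounts with Kerberos pre-authentication disabled.
Get-ADUser -Filter { DoesNotRequirePreAuth -eq $true } -Properties DoesNotRequirePreAuth |
    ForEach-Object { Add-Finding 'AS-REP roasting' $_.SamAccountName 'DONT_REQ_PREAUTH is set' }

# 3. Password in user attributes: description, info (Notes) and comment are readable by
#    every authenticated user. Which attribute the lab writes to is an assumption here.
Get-ADUser -Filter * -Properties Description, info, comment |
    ForEach-Object {
        foreach ($attr in 'Description', 'info', 'comment') {
            $value = $_.$attr
            if ($value -and $value -match 'pass|pwd') {
                Add-Finding 'Password in attribute' $_.SamAccountName "$attr = $value"
            }
        }
    }

# 4. DCSync: principals with explicit replication rights on the domain head that are not
#    the default holders. The two GUIDs are the well-known control access right GUIDs.
$domainDN  = (Get-ADDomain).DistinguishedName
$replGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}
$defaultHolders = 'BUILTIN\Administrators', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $replGuids.ContainsKey($_.ObjectType.ToString()) } |
    Where-Object {
        $id = $_.IdentityReference.Value
        $id -notin $defaultHolders -and
        $id -notlike '*\Domain Controllers' -and
        $id -notlike '*\Enterprise Read-only Domain Controllers'
    } |
    ForEach-Object { Add-Finding 'DCSync right' $_.IdentityReference.Value $replGuids[$_.ObjectType.ToString()] }

# 5. SMB signing on this host. Workstation (client-side) policy needs a separate check there.
$smb = Get-SmbServerConfiguration
if (-not $smb.RequireSecuritySignature) {
    Add-Finding 'SMB signing' $env:COMPUTERNAME 'Server RequireSecuritySignature = False'
}

# 6. Anonymous LDAP: the 7th character of dSHeuristics set to "2" permits anonymous
#    operations beyond the rootDSE.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties dSHeuristics
$dsh = $dsObject.dSHeuristics
if ($dsh -and $dsh.Length -ge 7 -and $dsh.Substring(6, 1) -eq '2') {
    Add-Finding 'Anonymous LDAP' 'dSHeuristics' $dsh
}

# 7. Public shares: non-default shares that grant Everyone or ANONYMOUS LOGON access.
#    SYSVOL and NETLOGON legitimately allow Everyone read on a DC, so they are skipped.
Get-SmbShare | Where-Object { $_.Name -notmatch '^(ADMIN\$|C\$|IPC\$|NETLOGON|SYSVOL)$' } | ForEach-Object {
    $share = $_
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccountName -match 'Everyone|ANONYMOUS LOGON' } |
        ForEach-Object { Add-Finding 'Public SMB share' $share.Name "$($_.AccountName): $($_.AccessRight)" }
}

$findings | Sort-Object Category, Subject | Format-Table -AutoSize
```

Each finding maps directly to one entry in the attack list above, which makes the output a convenient checklist for writing and validating detections (for example, event 4769 with RC4 encryption for Kerberoasting, or event 4662 with the replication GUIDs for DCSync) before the lab is torn down.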