Add ansible provisioning with a docker container method, fix issues about the 1.11.0 community.windows ansible library and the associated impact on the build
The purpose of this lab is to give pentesters a vulnerable Active directory environement ready to use to practice usual attack techniques.
7
+
The purpose of this lab is to give pentesters a vulnerable Active directory environment ready to use to practice usual attack techniques.
8
8
9
9
## warning
10
-
This lab is extremly vulnerable, do not reuse receipe to build your environement and do not deploy this environment on internet (this is a recommendation, use it as your own risk)
10
+
This lab is extremely vulnerable, do not reuse recipe to build your environment and do not deploy this environment on internet (this is a recommendation, use it as your own risk)
11
11
This repository is for pentest practice only.
12
12
13
-
## licences
14
-
This lab use free windows VM only (180 days). After that delay enter a licence on each server or rebuild all the lab (may be it's time for an update ;))
13
+
## licenses
14
+
This lab use free windows VM only (180 days). After that delay enter a license on each server or rebuild all the lab (may be it's time for an update ;))
15
15
16
16
## Installation
17
+
18
+
- Installation is in two part :
19
+
20
+
1. providing : it is made with vagrant, it download and run empty windows box.
21
+
2. provisioning : it is made with ansible, it will install all the stuff to make the lab running like an active directory network
22
+
23
+
### tldr;
24
+
25
+
- You are on linux, you already got virtualbox, vagrant and docker installed on your host and you know what you are doing, just run :
So far the lab has only been tested on a linux machine, but it should work as well on macOS. Ansible has some problems with Windows hosts so I don't know about that.
19
39
skipped 1 lines
21
41
22
42
#### Virtualbox
23
43
24
-
- **virtualbox** actually the vms are provided to be run on virtualbox so you need a working virtualbox environement on your computer
44
+
- **virtualbox** actually the vms are provided to be run on virtualbox so you need a working virtualbox environment on your computer
25
45
26
46
#### Vagrant
27
-
- **vagrant** from their official site [vagrant](https://www.vagrantup.com/downloads). The version you can install through your favourite package manager (apt, yum, ...) is probably not the latest one.
47
+
- **vagrant** from their official site [vagrant](https://www.vagrantup.com/downloads). The version you can install through your favorite package manager (apt, yum, ...) is probably not the latest one.
- If you want to do the provisioning from a docker container you could launch the following command to prepare the container
61
+
62
+
```bash
63
+
sudo docker build -t goadansible .
64
+
```
65
+
66
+
#### Ansible on your host
67
+
68
+
- If you want to play ansible from your host you should launch the following commands :
69
+
39
70
- *Create a python >= 3.8 virtualenv*
40
71
41
72
```bash
skipped 29 lines
71
102
72
103
### V2 breaking changes
73
104
- If you previously install the v1 do not try to update as a lot of things have changed. Just drop your old lab and build the new one (you will not regret it)
74
-
- Chocolatey is no more used and basic tools like git or notepad++ are no more installed by default (as chocolatey regulary crash the install due to hiting rate on multiples builds)
75
-
- ELK is no more installed by default to save ressources but you still can install it separately (see the blueteam/elk part)
76
-
- Dragonstone vm as disapear and there is no more DC replication in the lab to save resources
77
-
- Wintefell is now a domain controler for the subdomain north of the sevenkingdoms.local domain
105
+
- Chocolatey is no more used and basic tools like git or notepad++ are no more installed by default (as chocolatey regularly crash the install due to hitting rate on multiples builds)
106
+
- ELK is no more installed by default to save resources but you still can install it separately (see the blueteam/elk part)
107
+
- Dragonstone vm as disappear and there is no more DC replication in the lab to save resources
108
+
- Wintefell is now a domain controller for the subdomain north of the sevenkingdoms.local domain
78
109
79
110
### Space use
80
111
- the lab take environ 77GB (but you have to get the space for the vms vagrant images windows server 2016 (22GB) / windows server 2019 (14GB) / ubuntu 18.04 (502M))
skipped 12 lines
93
124
vagrant up # this will create the vms (this command must be run in the folder where the Vagrantfile is present)
94
125
```
95
126
96
-
- VMs provisionning
127
+
- VMs provisioning
97
128
- in one command just play :
98
129
99
130
```bash
100
131
ansible-playbook main.yml # this will configure the vms in order to play ansible when the vms are ready
101
132
```
102
133
103
-
- Or you can run playbooks one by one (mostely for debug or if you get trouble during install)
134
+
- To run the provisioning from the docker container run (you should be in the same folder as the Dockerfile):
- Or you can run playbooks one by one (mostly for debug or if you get trouble during install)
104
141
- The main.yml playbook is build in multiples parts. each parts can be re-run independently but the play order must be keep in cas you want to play one by one :
105
142
106
143
```
skipped 21 lines
128
165
vagrant up # will start the lab
129
166
```
130
167
131
-
- if you got some errors see the troobleshooting section at the end of the document, but in most case if you get errors during install, don't think and just replay the main playbook (most of the errors which could came up are due to windows latency during installation, wait few minutes and replay the main.yml playbook)
168
+
- if you got some errors see the troubleshooting section at the end of the document, but in most case if you get errors during install, don't think and just replay the main playbook (most of the errors which could came up are due to windows latency during installation, wait few minutes and replay the main.yml playbook)
132
169
```
133
170
ansible-playbook main.yml
134
171
```
skipped 251 lines
386
423
```
387
424
388
425
### Ansible-playbook
426
+
427
+
#### Groups domain error
428
+
429
+
- something go wrong with the trust, all the links are not fully establish
430
+
- wait several minutes and relaunch the playbook
431
+
- i really don't know why this append time to time on installation, if you want to investigate and resolve the issue please tell me how.
432
+
433
+
```bash
434
+
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: at Microsoft.ActiveDirectory.Management.Commands.ADCmdletBase`1.BeginProcessing()
435
+
failed: [192.168.56.xx] (item={'key': 'DragonsFriends', 'value': ['sevenkingdoms.local\\tyron.lannister', 'essos.local\\daenerys.targaryen']}) => {"ansible_loop_var": "item", "attempts": 3, "changed": false, "item": {"key": "DragonsFriends", "value": ["north.sevenkingdoms.local\\jon.snow", "sevenkingdoms.local\\tyron.lannister", "essos.local\\daenerys.targaryen"]}, "msg": "Unhandled exception while executing module: Either the target name is incorrect or the server has rejected the client credentials."}
436
+
```
437
+
438
+
#### Error Add-Warning
439
+
440
+
- You got an "Add-Warning" error during the user installation.
441
+
- Upgrade to community.windows galaxy >= 1.11.0
442
+
- relaunch the ansible playbooks.
443
+
444
+
```bash
445
+
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: at , : line 475
"msg": "Unhandled exception while executing module: The term 'Add-Warning' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again."}+
449
+
```
450
+
451
+
#### A parameter cannot be found that matches parameter name 'AcceptLicense'
452
+
453
+
- If you got this kind of error you got an ansible.windows version >= 1.11.0
454
+
- This version add the parameter AcceptLicense but it is accepted only for PowerShellGet module >= 1.6.0 and this one is not embededded in the vms.
455
+
- Please keep version 1.11.0 and update the lab to get the fix for the PowerShellGet Module version.
456
+
457
+
```bash
458
+
fatal: [xxx]: FAILED! => {
459
+
"changed": false,
460
+
"msg": "Problems installing XXXX module: A parameter cannot be found that matches parameter name 'AcceptLicense'.",