├── ADGenerator.ps1 ├── Invoke-ForestDeploy.ps1 ├── README.md ├── coursewordlist ├── images ├── mayorsec.PNG └── test └── nameGen.ps1
/ADGenerator.ps1:
--------------------------------------------------------------------------------
# Prints the tool banner to the console, one line per element, in yellow.
# Reads $Global:Spacing as the leading indent of every line.
function ShowBanner {
    $banner = @()
    $banner+= $Global:Spacing + ''
    $banner+= $Global:Spacing + ' ___ ____ ______ __ '
    $banner+= $Global:Spacing + ' / | / __ \ / ____/__ ____ ___ _________ _/ /_____ _____'
    $banner+= $Global:Spacing + ' / /| | / / / / / / __/ _ \/ __ \/ _ \/ ___/ __ `/ __/ __ \/ ___/'
    $banner+= $Global:Spacing + ' / ___ |/ /_/ / / /_/ / __/ / / / __/ / / /_/ / /_/ /_/ / / '
    $banner+= $Global:Spacing + '/_/ |_/_____/ \____/\___/_/ /_/\___/_/ \__,_/\__/\____/_/ '
    $banner+= $Global:Spacing + ''
    $banner+= $Global:Spacing + 'Vulnerable Active Directory Domain Generator by The Mayor'
    $banner+= $Global:Spacing + ''
    $banner | foreach-object {
        Write-Host $_ -ForegroundColor "Yellow"
    }
}

# Status-line helpers. Both write to the host, not the pipeline, so a caller
# cannot capture or redirect their output.
# Write-Good: major-step marker, green, wrapped in "[*] ... [*]".
function Write-Good { param( $String ) Write-Host $Global:InfoLine $String $Global:InfoLine1 -ForegroundColor 'Green' }
# Write-Info: sub-step marker, gray, prefixed with "[+]".
function Write-Info { param( $String ) Write-Host $Global:PlusLine $String -ForegroundColor 'Gray'}

# Console prefixes used by ShowBanner, Write-Good and Write-Info.
$Global:Spacing = "`t"
$Global:PlusLine = "`t[+]"
$Global:InfoLine = "`t[*]"
$Global:InfoLine1 = "[*]"

#Group Generation
# Names of the four security groups created by AddADGroup; the same strings are
# used as group identities by AddADUser and badAcls.
$Global:Senior = "Senior Management"
$Global:ITAdmins = "IT Admins"
$Global:Engineering = "Engineering"
$Global:Sales = "Sales"


#Domain Information
# DNS name of the target domain (e.g. "mayorsec.local"). Set from the
# -DomainName parameter by Invoke-ADGenerator before any other function runs.
$Global:Domain = "";

# Adds the currently logged-on user to the domain's most privileged groups so
# that the rest of the script (and the course exercises) run under that account.
# The user name comes from WMI Win32_ComputerSystem.UserName ("DOMAIN\user");
# the split keeps only the part after the backslash.
function promoteUser {
    $username = ((gwmi win32_computersystem).username).split('\')[1]
    Write-Good "Promoting $username to appropriate Domain Administrative roles required for the course."
    Write-Info "Promoting $username to Enterprise Administrator."
    net group "Enterprise Admins" $username /add /domain
    Write-Info "Promoting $username to Domain Administrator."
    net group "Domain Admins" $username /add /domain
    Write-Info "Promoting $username to Group Policy Creator Owners."
    net group "Group Policy Creator Owners" $username /add /domain
    Write-Info "Promoting $username to Local Administrator (error output may occur - this is expected)."
    # The status line above warns that this may print an error; the result is
    # not checked, so the script continues either way.
    net localgroup "administrators" $username /add
}

# Renames the domain controller to DC01, creates a read-only "Shared" SMB share
# for domain users at C:\Shared, and downloads the ADGenerator repository archive
# into that share. The new name is pending until the reboot that
# Invoke-ADGenerator performs at the end.
function renameDC {
    # Passing a user-name string as -DomainCredential makes Rename-Computer
    # prompt for that account's password.
    $username = whoami
    Write-Good "Renaming the domain controller to DC01"
    Rename-computer -NewName "DC01" -DomainCredential $username
    mkdir C:\Shared; new-smbshare -Name "Shared" -Path "C:\Shared" -ReadAccess "Users"
    # NOTE(review): fetched from the repository's main branch with no pinned
    # commit and no hash check, so the share's contents depend on whatever is
    # upstream at run time; pin a release and verify its hash if reproducibility matters.
    wget https://github.com/dievus/ADGenerator/archive/refs/heads/main.zip -outfile C:\Shared\adgenerator.zip
    Expand-Archive -Path C:\Shared\adgenerator.zip -DestinationPath C:\Shared\adgenerator
}

# Creates the four course security groups (Global scope) and one OU per group
# directly under the domain root. The DC= components are the first two labels
# of $Global:Domain, so a domain name with more labels would yield a wrong path.
# The closing brace of this function is on the next line of this listing.
function AddADGroup {
    $domainFront = $Global:domain.split('.')[0]
    $domainBack = $Global:domain.split('.')[1]
    Write-Good "Creating Domain Groups"
    New-ADGroup -name $Global:Senior -GroupScope Global
    Write-Info "Adding $Global:Senior to $Global:domain"
    New-ADGroup -name $Global:ITAdmins -GroupScope Global
    Write-Info "Adding $Global:ITAdmins to $Global:domain"
    New-ADGroup -name $Global:Engineering -GroupScope Global
    Write-Info "Adding $Global:Engineering to $Global:domain"
    New-ADGroup -name $Global:Sales -GroupScope Global
    Write-Info "Adding $Global:Sales to $Global:domain"
    Write-Good "Generating Organizational Units for the $Global:domain."
    New-ADOrganizationalUnit -Name "SeniorManagement" -Path "DC=$domainFront,DC=$domainBack"
    New-ADOrganizationalUnit -Name "ITAdmins" -Path "DC=$domainFront,DC=$domainBack"
    New-ADOrganizationalUnit -Name "Engineering" -Path "DC=$domainFront,DC=$domainBack"
    New-ADOrganizationalUnit -Name "Sales" -Path "DC=$domainFront,DC=$domainBack"
    Write-Info "Organizational Units added."
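}

# Creates the course user accounts, enables them, and places each in its OU and
# group(s). Naming: SamAccountName is "<first initial>.<surname>" in lower case;
# the UPN keeps the initial's original case. Passwords are fixed course values
# (some also appear in coursewordlist, e.g. "Password123!"), and the last account
# stores its password in the AD Description attribute on purpose. Membership of
# the privileged built-in groups (Domain Admins, Administrators, Group Policy
# Creator Owners) is part of the intended lab layout.
# Reads: $Global:Domain and the $Global:<group> names. Requires the OUs created
# by AddADGroup to exist.
function AddADUser {
    Write-Good "Creating Domain Users"
    # Build the OU paths from the domain name exactly as AddADGroup builds the
    # OUs, instead of hard-coding "DC=mayorsec,DC=local"; for mayorsec.local the
    # result is identical. $domainFront/$domainBack were previously computed but
    # never used.
    $domainFront = $Global:Domain.split('.')[0]
    $domainBack = $Global:Domain.split('.')[1]
    $domainBase = "DC=$domainFront,DC=$domainBack"

    # Aaron Adams - Senior Management OU; Senior Management and Domain Admins groups
    $firstname = "Aaron"
    $lastname = "Adams"
    $SamAccountName = ("{0}.{1}" -f ($firstname.Substring(0,1), $lastname)).ToLower()
    $principalname = "{0}.{1}" -f ($firstname.Substring(0,1), $lastname)
    $password = "C0nc0Rd1776!"
    New-ADUser -Name "$firstname $lastname" -GivenName $firstname -Surname $lastname -SamAccountName $SamAccountName -UserPrincipalName "$principalname@$Global:Domain" -Path "OU=SeniorManagement,$domainBase" -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) -PassThru | Enable-ADAccount
    Write-Info "$samAccountName added"
    Write-Info "Adding $samAccountName to $Global:Senior Group"
    Add-ADGroupMember -Identity $Global:Senior -Members $samAccountName
    Write-Info "Adding $samAccountName to Domain Administrators Group"
    Add-ADGroupMember -Identity "Domain Admins" -Members $samAccountName

    # Jonathon Taylor - ITAdmins OU; IT Admins group and built-in Administrators
    $firstname = "Jonathon"
    $lastname = "Taylor"
    $SamAccountName = ("{0}.{1}" -f ($firstname.Substring(0,1), $lastname)).ToLower()
    $principalname = "{0}.{1}" -f ($firstname.Substring(0,1), $lastname)
    $password = "Lexington1776!"
    New-ADUser -Name "$firstname $lastname" -GivenName $firstname -Surname $lastname -SamAccountName $SamAccountName -UserPrincipalName "$principalname@$Global:Domain" -Path "OU=ITAdmins,$domainBase" -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) -PassThru | Enable-ADAccount
    Write-Info "$samAccountName added"
    Write-Info "Adding $samAccountName to $Global:ITAdmins Group"
    Add-ADGroupMember -Identity $Global:ITAdmins -Members $samAccountName
    # Also added to the built-in Administrators group (no status line).
    Add-ADGroupMember -Identity "Administrators" -Members $samAccountName

    # Jillian Anthony - Engineering OU; Engineering group
    $firstname = "Jillian"
    $lastname = "Anthony"
    $SamAccountName = ("{0}.{1}" -f ($firstname.Substring(0,1), $lastname)).ToLower()
    $principalname = "{0}.{1}" -f ($firstname.Substring(0,1), $lastname)
    $password = "H1dD3nV4ll3y!"
    New-ADUser -Name "$firstname $lastname" -GivenName $firstname -Surname $lastname -SamAccountName $SamAccountName -UserPrincipalName "$principalname@$Global:Domain" -Path "OU=Engineering,$domainBase" -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) -PassThru | Enable-ADAccount
    Write-Info "$samAccountName added"
    Write-Info "Adding $samAccountName to $Global:Engineering Group"
    Add-ADGroupMember -Identity $Global:Engineering -Members $samAccountName

    # Tabitha Carter - Engineering OU; Engineering group
    $firstname = "Tabitha"
    $lastname = "Carter"
    $SamAccountName = ("{0}.{1}" -f ($firstname.Substring(0,1), $lastname)).ToLower()
    $principalname = "{0}.{1}" -f ($firstname.Substring(0,1), $lastname)
    $password = "AhArGuY5Nm7U3!@"
    New-ADUser -Name "$firstname $lastname" -GivenName $firstname -Surname $lastname -SamAccountName $SamAccountName -UserPrincipalName "$principalname@$Global:Domain" -Path "OU=Engineering,$domainBase" -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) -PassThru | Enable-ADAccount
    Write-Info "$samAccountName added"
    Write-Info "Adding $samAccountName to $Global:Engineering Group"
    Add-ADGroupMember -Identity $Global:Engineering -Members $samAccountName

    # Megan Phillips - Engineering OU; Engineering group and Group Policy Creator Owners
    $firstname = "Megan"
    $lastname = "Phillips"
    $SamAccountName = ("{0}.{1}" -f ($firstname.Substring(0,1), $lastname)).ToLower()
    $principalname = "{0}.{1}" -f ($firstname.Substring(0,1), $lastname)
    $password = "L4k3LiV3L0ve!"
    New-ADUser -Name "$firstname $lastname" -GivenName $firstname -Surname $lastname -SamAccountName $SamAccountName -UserPrincipalName "$principalname@$Global:Domain" -Path "OU=Engineering,$domainBase" -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) -PassThru | Enable-ADAccount
    Write-Info "$samAccountName added"
    Write-Info "Adding $samAccountName to $Global:Engineering Group"
    Add-ADGroupMember -Identity $Global:Engineering -Members $samAccountName
    # Also added to Group Policy Creator Owners (no status line).
    Add-ADGroupMember -Identity "Group Policy Creator Owners" -Members $samAccountName

    # Richard Smith - Engineering OU; Engineering group
    $firstname = "Richard"
    $lastname = "Smith"
    $SamAccountName = ("{0}.{1}" -f ($firstname.Substring(0,1), $lastname)).ToLower()
    $principalname = "{0}.{1}" -f ($firstname.Substring(0,1), $lastname)
    $password = "Baseball123!"
    New-ADUser -Name "$firstname $lastname" -GivenName $firstname -Surname $lastname -SamAccountName $SamAccountName -UserPrincipalName "$principalname@$Global:Domain" -Path "OU=Engineering,$domainBase" -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) -PassThru | Enable-ADAccount
    Write-Info "$samAccountName added"
    Write-Info "Adding $samAccountName to $Global:Engineering Group"
    Add-ADGroupMember -Identity $Global:Engineering -Members $samAccountName

    # Samantha Chisholm - Sales OU; Sales group
    $firstname = "Samantha"
    $lastname = "Chisholm"
    $SamAccountName = ("{0}.{1}" -f ($firstname.Substring(0,1), $lastname)).ToLower()
    $principalname = "{0}.{1}" -f ($firstname.Substring(0,1), $lastname)
    $password = "FallOutBoy1!"
    New-ADUser -Name "$firstname $lastname" -GivenName $firstname -Surname $lastname -SamAccountName $SamAccountName -UserPrincipalName "$principalname@$Global:Domain" -Path "OU=Sales,$domainBase" -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) -PassThru | Enable-ADAccount
    Write-Info "$samAccountName added"
    Write-Info "Adding $samAccountName to $Global:Sales"
    Add-ADGroupMember -Identity $Global:Sales -Members $samAccountName

    # Margaret Seitz - Engineering OU; Engineering group (ACL target in badAcls)
    $firstname = "Margaret"
    $lastname = "Seitz"
    $SamAccountName = ("{0}.{1}" -f ($firstname.Substring(0,1), $lastname)).ToLower()
    $principalname = "{0}.{1}" -f ($firstname.Substring(0,1), $lastname)
    $password = "Phi11i35@44"
    New-ADUser -Name "$firstname $lastname" -GivenName $firstname -Surname $lastname -SamAccountName $SamAccountName -UserPrincipalName "$principalname@$Global:Domain" -Path "OU=Engineering,$domainBase" -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) -PassThru | Enable-ADAccount
    Write-Info "$samAccountName added"
    Write-Info "Adding $samAccountName to $Global:Engineering Group"
    Add-ADGroupMember -Identity $Global:Engineering -Members $samAccountName

    # Aaron Tarolli - Sales OU; Sales group (pre-auth is disabled later in ASREPRoasting)
    $firstname = "Aaron"
    $lastname = "Tarolli"
    $SamAccountName = ("{0}.{1}" -f ($firstname.Substring(0,1), $lastname)).ToLower()
    $principalname = "{0}.{1}" -f ($firstname.Substring(0,1), $lastname)
    $password = "Password123!"
    New-ADUser -Name "$firstname $lastname" -GivenName $firstname -Surname $lastname -SamAccountName $SamAccountName -UserPrincipalName "$principalname@$Global:Domain" -Path "OU=Sales,$domainBase" -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) -PassThru | Enable-ADAccount
    Write-Info "$samAccountName added"
    Write-Info "Adding $samAccountName to $Global:Sales"
    Add-ADGroupMember -Identity $Global:Sales -Members $samAccountName

    # Zane Dickens - Sales OU; Sales group
    $firstname = "Zane"
    $lastname = "Dickens"
    $SamAccountName = ("{0}.{1}" -f ($firstname.Substring(0,1), $lastname)).ToLower()
    $principalname = "{0}.{1}" -f ($firstname.Substring(0,1), $lastname)
    $password = "M0t0rH3Ad65^$#"
    New-ADUser -Name "$firstname $lastname" -GivenName $firstname -Surname $lastname -SamAccountName $SamAccountName -UserPrincipalName "$principalname@$Global:Domain" -Path "OU=Sales,$domainBase" -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) -PassThru | Enable-ADAccount
    Write-Info "$samAccountName added"
    Write-Info "Adding $samAccountName to $Global:Sales"
    Add-ADGroupMember -Identity $Global:Sales -Members $samAccountName

    # SearchField Example - default Users container (no -Path), no groups; its
    # password is written into the Description attribute (presumably the target
    # of a directory-search exercise in the course).
    $firstname = "SearchField"
    $lastname = "Example"
    $SamAccountName = ("{0}.{1}" -f ($firstname.Substring(0,1), $lastname)).ToLower()
    $principalname = "{0}.{1}" -f ($firstname.Substring(0,1), $lastname)
    $password = "adsfASDFwq322!21"
    New-ADUser -Name "$firstname $lastname" -GivenName $firstname -Surname $lastname -SamAccountName $SamAccountName -UserPrincipalName "$principalname@$Global:Domain" -Description "Password - adsfASDFwq322!21" -AccountPassword (ConvertTo-SecureString $password -AsPlainText -Force) -PassThru | Enable-ADAccount
}

# Clears Kerberos pre-authentication on a.tarolli (Aaron Tarolli, created in
# AddADUser), which makes that account AS-REP roastable - an intended lab
# misconfiguration.
function ASREPRoasting {
    $asrepUser = "a.tarolli"
    Write-Good "Modifying pre-authentication privileges"
    Set-ADAccountControl -Identity $asrepUser -DoesNotRequirePreAuth 1
    Write-Info "ASREP privileges granted to $asrepUser"
}

# Creates the mssql_svc domain account with a known weak password (it is in
# coursewordlist) and registers an SPN on it so the account is Kerberoastable -
# an intended lab misconfiguration.
function kerberoasting {
    $svc = "mssql_svc"
    #$spn = "mssqlserver"
    $kerb_pass = "Password123!"
    # NetBIOS-style prefix for the setspn account argument. It is derived here
    # because $domainFront is a local of AddADGroup/AddADUser and was not in
    # scope when this function ran, which produced "\mssql_svc".
    $domainFront = $Global:Domain.split('.')[0]
    Write-Good "Adding Kerberoastable service account to domain"
    net user $svc $kerb_pass /add /domain
    #New-ADServiceAccount -Name $svc -ServicePrincipalNames "mssql_svc/mssqlserver.$Global:domain" -RestrictToSingleComputer -AccountPassword (ConvertTo-SecureString $kerb_pass -AsPlainText -Force)
    #Set-ADServiceAccount mssql_svc -PrincipalsAllowedToDelegateToAccount (Get-ADComputer Workstation-01)
    #Get-ADComputer -Identity Workstation-02 | Set-ADAccountControl -TrustedForDelegation $true
    #Write-Info "Workstation-02 granted unconstrained delegation rights on DC01."
    # Both arguments are quoted and the domain is wrapped in $() so the ":60111"
    # port suffix cannot be tokenised as part of the variable reference.
    setspn -a "DC01/$svc.$($Global:Domain):60111" "$domainFront\$svc"
    Write-Info "mssql_svc service account added"
}

# Adds an "Allow" access rule for $Source on the directory object $Destination.
#   -Destination : distinguished name of the object whose ACL is modified.
#   -Source      : identity (e.g. a group's SID) that receives the rights.
#   -Rights      : ActiveDirectoryRights name, e.g. "GenericAll".
# The rule is inherited by all child objects (inheritance "All") and is
# committed immediately through the ADSI object's security descriptor.
function AD-AddACL {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]$Destination,

        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [System.Security.Principal.IdentityReference]$Source,

        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [string]$Rights

    )
    $ADObject = [ADSI]("LDAP://" + $Destination)
    $identity = $Source
    $adRights = [System.DirectoryServices.ActiveDirectoryRights]$Rights
    $type = [System.Security.AccessControl.AccessControlType] "Allow"
    $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "All"
    $ACE = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $identity,$adRights,$type,$inheritanceType
    $ADObject.psbase.ObjectSecurity.AddAccessRule($ACE)
    $ADObject.psbase.commitchanges()
}

# Applies the intended ACL misconfigurations for the course. The local names are
# inverted relative to AD-AddACL's parameters: $DestinationGroup is the trustee
# that receives GenericAll (passed as -Source), $SourceGroup is the object whose
# ACL is modified (passed as -Destination). The function continues on the next
# line of this listing.
function badAcls {
    Write-Good "Granting $Global:ITAdmins GenericAll rights on Domain Admins."
    $DestinationGroup = Get-ADGroup -Identity "$Global:ITAdmins"
    $SourceGroup = Get-ADGroup -Identity "Domain Admins"
    AD-AddACL -Source $DestinationGroup.sid -Destination $SourceGroup.DistinguishedName -Rights "GenericAll"
    Write-Info "$Global:ITAdmins group granted GenericAll permissions for the Domain Admins group."
    Write-Good "Adding misconfigured ACL rule for the $Global:Engineering group."
    $DestinationGroup = Get-ADGroup -Identity $Global:Engineering
    $SourceGroup = Get-ADGroup -Identity $Global:ITAdmins
    AD-AddACL -Source $DestinationGroup.sid -Destination $SourceGroup.DistinguishedName -Rights "GenericAll"
    Write-Info "Whoops! GenericAll rights granted to $Global:Engineering."
    Write-Good "Adding misconfigured ACL rule for Margaret Seitz."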
$vulnAclUser = Get-ADUser -Identity "m.seitz"
$SourceUser = Get-ADUser -Identity "j.taylor"
# m.seitz (Engineering) receives GenericAll over the j.taylor (IT Admins) user object.
AD-AddACL -Source $vulnAclUser.sid -Destination $SourceUser.DistinguishedName -Rights "GenericAll"
Write-Info "Whoops! GenericAll rights granted to m.seitz."
Write-Good "Adding misconfigured ACL rule for the $Global:Sales group."
$DestinationGroup = Get-ADGroup -Identity $Global:Sales
$SourceGroup = Get-ADGroup -Identity $Global:Engineering
# Sales receives GenericAll over the Engineering group ($DestinationGroup is the
# trustee, $SourceGroup the object modified - the names are inverted).
AD-AddACL -Source $DestinationGroup.sid -Destination $SourceGroup.DistinguishedName -Rights "GenericAll"
Write-Info "Whoops! GenericAll rights granted to $Global:Sales."

}

# Creates a GPO linked at the domain root that adds an inbound Windows Firewall
# rule allowing TCP 5985 (WinRM over HTTP) on every profile, so the domain-joined
# hosts can be reached with PowerShell Remoting. Requires the GroupPolicy module.
function PSRemote {
    Write-Good "Configuring some GPO policies required for the domain."
    import-module grouppolicy
    $domain = Get-ADDomain
    $forest = $domain.Forest
    $DN = $domain.DistinguishedName

    $FwRule = "Allow WinRM TCP 5985 To Domain Joined Systems"
    $GpoName = "WinRM Firewall TCP 5985"
    $TargetOU = $DN                             # link target: the domain root
    $PolicyStoreName = "$forest\" + $GpoName    # "<forest>\<GPO name>" store for Open-NetGPO
    New-Gpo -Name $GpoName | New-Gplink -target $TargetOU
    $GpoSessionName = Open-NetGPO -PolicyStore $PolicyStoreName
    # NOTE(review): both -GPOSession and -PolicyStore are supplied; confirm the
    # rule is written to the session that Save-NetGPO commits below.
    New-NetFirewallRule -DisplayName $FwRule -Profile Any -Direction Inbound -GPOSession $GpoSessionName -PolicyStore $GpoName -Protocol TCP -LocalPort 5985
    Save-NetGPO -GPOSession $GpoSessionName
    Write-Info "A GPO for PowerShell Remoting was created for authenticated users on the domain."
}

# Creates a second domain-root GPO that turns on the WinRM service on domain
# members through registry policy:
#   - WinRM\Service: AllowAutoConfig=1 with IPv4Filter/IPv6Filter='*'
#     (automatic listener configuration on all addresses)
#   - Services\WinRM: Start=2 (automatic start), DelayedAutoStart=0
# Errors from Set-GPRegistryValue are caught and reported as a plain string on
# the pipeline rather than to the error stream, so a failure does not stop the script.
function Set-WinRMPolicy {
    Write-Good "Configuring GPO policies to enable PowerShell remoting on hosts."
    $domainGPO = Get-ADDomain
    $forest = $domainGPO.Forest
    $DN = $domainGPO.DistinguishedName
    $GpoName = "Enable PSRemoting Desktops"
    $TargetOU = $DN
    $PolicyStoreName = "$forest\" + $GpoName    # assigned but not read below
    New-Gpo -Name $GpoName | New-Gplink -target $TargetOU

    $domain = (Get-ADDomain).forest             # assigned but not read below
    $id = (Get-GPO -name $GpoName).id           # assigned but not read below
    # Splatted into every Set-GPRegistryValue call for the WinRM service policy key.
    $RemotingParams = @{
        Name=$GpoName;
        Key = 'HKLM\Software\Policies\Microsoft\Windows\WinRM\Service';
    }

    try {
        Set-GPRegistryValue @RemotingParams -ValueName 'AllowAutoConfig' -Value 1 -Type DWord
        Set-GPRegistryValue @RemotingParams -ValueName 'IPv4Filter' -Value '*' -Type String
        Set-GPRegistryValue @RemotingParams -ValueName 'IPv6Filter' -Value '*' -Type String
        Write-Info "Registry setting for Powershell Remoting OK!"
    }
    catch { "Error enabling remoting policy" }

    # Splatted into the Set-GPRegistryValue calls for the WinRM service start type.
    $ServiceParams = @{
        Name=$GpoName;
        Key = 'HKLM\SYSTEM\CurrentControlSet\Services\WinRM';
    }

    try {
        Set-GPRegistryValue @ServiceParams -ValueName 'Start' -Value 2 -Type DWord
        Set-GPRegistryValue @ServiceParams -ValueName 'DelayedAutoStart' -Value 0 -Type DWord
        Write-Info "Service setting for Powershell Remoting OK!"
    }
    catch { "Error enabling remoting policy" }
}

# Entry point. Runs every stage in the order the later stages require
# (privileges -> rename/share -> groups and OUs -> users -> Kerberos
# misconfigurations -> ACLs -> GPOs) and finally reboots the domain controller.
#   -DomainName : DNS name of the domain built by Invoke-ForestDeploy; stored in
#                 $Global:Domain for every other function.
# The call sequence continues on the next line of this listing.
function Invoke-ADGenerator {
    Param(
        [Parameter(Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $DomainName
    )
    ShowBanner
    $Global:Domain = $DomainName
    promoteUser
    Write-Good "Administrative privilege delegation completed."
    renameDC
    Write-Good "Domain controller renamed."
    AddADGroup
    Write-Good "Group creation completed."
    AddADUser
    Write-Good "User creation completed"
    ASREPRoasting
    Write-Good "ASREP settings update completed."
    kerberoasting
    Write-Good "Kerberoastable service creation completed."
badAcls
Write-Good "ACL misconfigurations completed."
PSRemote
Write-Good "GPO configurations completed."
Set-WinRMPolicy
Write-Good "Domain-wide PowerShell Remoting GPO configuration completed."
Write-Good "Some changes require a restart to take effect. Restarting your domain controller in 30 seconds."
# The 30 s delay is the only chance to read the output before the reboot.
Start-Sleep -Seconds 30
Restart-Computer
}
--------------------------------------------------------------------------------
/Invoke-ForestDeploy.ps1:
--------------------------------------------------------------------------------
# Prints the deployment banner to the console, one line per element, in yellow.
# Reads $Global:Spacing as the leading indent of every line.
function ShowBanner {
    $banner = @()
    $banner+= $Global:Spacing + ''
    $banner+= $Global:Spacing + ' ______ __ ____ __ '
    $banner+= $Global:Spacing + ' / ____/___ ________ _____/ /_ / __ \___ ____ / /___ __ __'
    $banner+= $Global:Spacing + ' / /_ / __ \/ ___/ _ \/ ___/ __/_____/ / / / _ \/ __ \/ / __ \/ / / /'
    $banner+= $Global:Spacing + ' / __/ / /_/ / / / __(__ ) /_/_____/ /_/ / __/ /_/ / / /_/ / /_/ / '
    $banner+= $Global:Spacing + ' /_/ \____/_/ \___/____/\__/ /_____/\___/ .___/_/\____/\__, / '
    $banner+= $Global:Spacing + ' /_/ /____/ '
    $banner+= $Global:Spacing + 'Domain Deployment Script by TheMayor'
    $banner+= $Global:Spacing + ''
    $banner | foreach-object {
        Write-Host $_ -ForegroundColor "Yellow"
    }
}

# Status-line helpers (host output only, not capturable by a caller).
# Write-Good: major-step marker, green, wrapped in "[*] ... [*]".
function Write-Good { param( $String ) Write-Host $Global:InfoLine $String $Global:InfoLine1 -ForegroundColor 'Green' }
# Write-Info: plain gray message; unlike ADGenerator.ps1 it carries no "[+]" prefix.
function Write-Info { param( $String ) Write-Host $String -ForegroundColor 'Gray'}

# Console prefixes used by the helpers above. $Global:PlusLine is defined for
# parity with ADGenerator.ps1 but is not used in this file.
$Global:Spacing = "`t"
$Global:PlusLine = "`t[+]"
$Global:InfoLine = "`t[*]"
$Global:InfoLine1 = "[*]"


# Installs the AD DS role plus its management tools (the ActiveDirectory module
# the other script depends on).
function addsInstall {
    Write-Good "Installing Windows AD Domain Services Toolset."
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
    Write-Info "`n`nToolset installed.`n`n"
}

# Promotes this host to the first domain controller of a new forest named
# $DomainName, with DNS installed. $DomainName is not a parameter here: it is
# read from the calling Invoke-ForestDeploy scope through PowerShell's dynamic
# scoping. The NetBIOS name is the first DNS label (e.g. "mayorsec").
# Install-ADDSForest prompts for the DSRM password and offers a reboot.
function forestDeploy {
    Write-Good "Generating the domain. Make note of the domain name for the ADGenerator Script to be ran after the controller is built."
    $DomainNetBiosName = $DomainName.split('.')[0]
    Install-ADDSForest -DomainName $DomainName -DomainNetBiosName $DomainNetBiosName -InstallDNS:$true
    Write-Info "`n`nRestart the controller if not instructed."
}

# Entry point: install AD DS, then build the forest.
#   -DomainName : DNS name of the new domain, e.g. "mayorsec.local". Also read
#                 by forestDeploy via dynamic scoping.
function Invoke-ForestDeploy {
    Param(
        [Parameter(Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $DomainName
    )
    ShowBanner
    addsInstall
    forestDeploy
}
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
![MayorSec](/images/mayorsec.PNG)
[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/M4M03Q2JN)

# ADGenerator

This script will auto-generate the required users, groups, and permissions necessary for my Movement, Pivoting, and Persistence for Pentesters and Ethical Hackers Course. You can get it on TCM-Academy using my link at https://academy.tcm-sec.com/courses/movement-pivoting-and-persistence?affcode=770707_4ss-lc9h.
# Instructions

In order to generate a functional domain controller and active directory, the listed PowerShell scripts need to be executed in the following order:
- Invoke-ForestDeploy.ps1

```. .\Invoke-ForestDeploy.ps1```

```Invoke-ForestDeploy -DomainName mayorsec.local```

This will install the Windows Active Directory Domain Services toolset and generate the actual domain. Follow the instructions on screen, making note of the domain name used as this will be needed later.
The scripts are hardcoded for mayorsec.local, and any deviation from that domain name will likely break the ADGenerator.ps1 functionality. Any modifications you make are on you.

- ADGenerator.ps1

```. .\ADGenerator.ps1```

```Invoke-ADGenerator -DomainName mayorsec.local```

This will generate the appropriate users, groups, permissions, configurations, and misconfigurations needed for the actual course.

Once all scripts have been run and the workstations are joined, the following needs to be run on DC01 from an elevated PowerShell terminal to generate the unconstrained delegation configuration.

```Get-ADComputer -Identity Workstation-02 | Set-ADAccountControl -TrustedForDelegation $true```


Instruction is provided in the course on how to utilize the nameGen.ps1 script. A later lesson covers cracking an NTLM hash, which uses the included password file.
-------------------------------------------------------------------------------- /coursewordlist: -------------------------------------------------------------------------------- 1 | Spring2017 2 | Spring2016 3 | Spring2015 4 | Spring2014 5 | Spring2013 6 | spring2017 7 | spring2016 8 | spring2015 9 | spring2014 10 | spring2013 11 | Summer2017 12 | Summer2016 13 | Summer2015 14 | Summer2014 15 | Summer2013 16 | summer2017 17 | summer2016 18 | summer2015 19 | summer2014 20 | summer2013 21 | Autumn2017 22 | Autumn2016 23 | Autumn2015 24 | Password123! 25 | Autumn2014 26 | Autumn2013 27 | autumn2017 28 | autumn2016 29 | autumn2015 30 | autumn2014 31 | autumn2013 32 | Winter2017 33 | Winter2016 34 | Winter2015 35 | Winter2014 36 | Winter2013 37 | Lexington1776! 38 | winter2017 39 | winter2016 40 | winter2015 41 | winter2014 42 | winter2013 43 | P@55w0rd 44 | P@ssw0rd! 45 | P@55w0rd! 
46 | sqlsqlsqlsql 47 | SQLSQLSQLSQL 48 | Welcome123 49 | Welcome1234 50 | Welcome1212 51 | PassSql12 52 | network 53 | networking 54 | networks 55 | test 56 | testtest 57 | testing 58 | testing123 59 | testsql 60 | test-sql3 61 | sqlsqlsqlsqlsql 62 | bankbank 63 | default 64 | test 65 | testing 66 | password2 67 | 68 | password 69 | Password1 70 | Password1! 71 | P@ssw0rd 72 | password12 73 | Password12 74 | security 75 | security1 76 | security3 77 | secuirty3 78 | complex1 79 | complex2 80 | complex3 81 | sqlserver 82 | sql 83 | sqlsql 84 | password1 85 | password123 86 | complexpassword 87 | database 88 | server 89 | changeme 90 | change 91 | sqlserver2000 92 | sqlserver2005 93 | Sqlserver 94 | SqlServer 95 | Password1 96 | Password2 97 | P@ssw0rd 98 | P@ssw0rd! 99 | P@55w0rd! 100 | P@ssword! 101 | Password! 102 | password! 103 | sqlsvr 104 | sqlaccount 105 | account 106 | sasa 107 | sa 108 | administator 109 | pass 110 | sql 111 | microsoft 112 | sqlserver 113 | sa 114 | hugs 115 | sasa 116 | welcome 117 | welcome1 118 | welcome2 119 | march2011 120 | sqlpass 121 | sqlpassword 122 | guessme 123 | bird 124 | P@55w0rd! 125 | test 126 | dev 127 | devdev 128 | devdevdev 129 | qa 130 | god 131 | admin 132 | adminadmin 133 | admins 134 | goat 135 | sysadmin 136 | water 137 | dirt 138 | air 139 | earth 140 | company 141 | company1 142 | company123 143 | company1! 144 | company! 145 | secret 146 | secret! 147 | secret123 148 | secret1212 149 | secret12 150 | secret1! 
151 | sqlpass123 152 | Summer2013 153 | Summer2012 154 | Summer2011 155 | Summer2010 156 | Summer2009 157 | Summer2008 158 | Winter2013 159 | Winter2012 160 | Winter2011 161 | Winter2010 162 | Winter2009 163 | Winter2008 164 | summer2013 165 | summer2012 166 | summer2011 167 | summer2010 168 | summer2009 169 | summer2008 170 | winter2013 171 | winter2012 172 | winter2011 173 | winter2010 174 | winter2009 175 | winter2008 176 | 123456 177 | abcd123 178 | abc 179 | burp 180 | private 181 | unknown 182 | wicked 183 | alpine 184 | trust 185 | microsoft 186 | sql2000 187 | sql2003 188 | sql2005 189 | sql2008 190 | vista 191 | xp 192 | nt 193 | 98 194 | 95 195 | 2003 196 | 2008 197 | someday 198 | sql2010 199 | sql2011 200 | sql2009 201 | complex 202 | goat 203 | changelater 204 | rain 205 | fire 206 | snow 207 | unchanged 208 | qwerty 209 | 12345678 210 | football 211 | baseball 212 | basketball 213 | abc123 214 | 111111 215 | 1qaz2wsx 216 | dragon 217 | master 218 | monkey 219 | letmein 220 | login 221 | princess 222 | solo 223 | qwertyuiop 224 | starwars 225 | -------------------------------------------------------------------------------- /images/mayorsec.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/dievus/ADGenerator/9e31f9c67ca19e65605ce8f538b7a0efe43d662b/images/mayorsec.PNG -------------------------------------------------------------------------------- /images/test: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /nameGen.ps1: -------------------------------------------------------------------------------- 1 | # This PS1 script is used to generate the appropriate name for your workstations, i.e. Workstation-01 or Workstation-02. Not for use on your Domain Controller. 2 | # Run this script from an elevated command prompt and enter your credentials when prompted. 
# The computer will be renamed at the DC and a file share will be
# generated on the Workstation created for you to use across the exercises.

# Renames this workstation to $ComputerName. $ComputerName is not a parameter
# here; it is read from the calling executeScript scope through PowerShell's
# dynamic scoping. Passing the whoami string as -DomainCredential makes
# Rename-Computer prompt for that account's password.
function renamePC {
    $username = whoami
    Rename-computer -NewName $ComputerName -DomainCredential $username
}

# Creates C:\Shared and exposes it as the SMB share "Shared" with FullAccess
# for "Users" (the DC script grants ReadAccess instead).
function Share {
    mkdir C:\Shared; new-smbshare -Name "Shared" -Path "C:\Shared" -FullAccess "Users"
}

# Allows inbound Remote Desktop connections (fDenyTSConnections=0) and enables
# the "Remote Desktop" firewall rule group. Defined but not called by
# executeScript; run it manually if RDP is needed.
function enableRDPRemoting {
    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
    Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
}

# Entry point: rename the workstation, then create the share.
#   -ComputerName : new host name, e.g. Workstation-01; also read by renamePC
#                   via dynamic scoping.
function executeScript {
    Param(
        [Parameter(Mandatory=$True)]
        [ValidateNotNullOrEmpty()]
        [System.String]
        $ComputerName
    )
    renamePC
    Share
}
--------------------------------------------------------------------------------