author | heqnx <root@heqnx.com> | 2025-07-11 21:55:20 +0300 |
committer | heqnx <root@heqnx.com> | 2025-07-11 21:55:20 +0300 |
commit | 6ec2eb61a02f9e55ef5b8d22a5ca61ca53ca05e7 (patch) | |
tree | d975569e35991a02c73706ce81c0fc1f2e92405c /ansible/scripts/populate-ad.ps1 | |
parent | 742fa0d51cd384ea3d856438861bb86738fdabb8 (diff) | |
added initial setup for domain controller
Diffstat (limited to 'ansible/scripts/populate-ad.ps1')
-rw-r--r-- | ansible/scripts/populate-ad.ps1 | 318 |
1 files changed, 318 insertions, 0 deletions
diff --git a/ansible/scripts/populate-ad.ps1 b/ansible/scripts/populate-ad.ps1
new file mode 100644
index 0000000..0b57c77
--- /dev/null
+++ b/ansible/scripts/populate-ad.ps1
@@ -0,0 +1,318 @@
+param
+(
+ [string]$DomainName = "contoso.com",
+ [string]$FunctionalLevel = "WinThreshold",
+ [string]$UserPassword = "User1234!",
+ [string]$ServiceUserPassword = "Svc1234!"
+)
+$scriptName = $MyInvocation.MyCommand.Name
+$logFile = "C:\Logs\${scriptName}_log.txt"
+Start-Transcript -Path $logFile -Append
+
+$DomainNameDN = "DC=$($DomainName.Split(".")[0]),DC=$($DomainName.Split(".")[1])"
+$DomainOU = $DomainName.Split(".")[0]
+$UsersOU = "Users"
+$ComputersOU = "Computers"
+$ServiceAccountsOU = "Service Accounts"
+
+Function Get-RandomObject {
+ [CmdletBinding()]
+ param(
+ [Parameter()]
+ [switch]$User,
+ [Parameter()]
+ [switch]$Computer
+ )
+
+ if ($User) {
+ return (Get-ADUser -Filter 'Description -notlike "*"' -SearchBase "OU=$UsersOU,OU=$DomainOU,$DomainNameDN" -Properties Description | Get-Random)
+ }
+
+ if ($Computer) {
+ return (Get-ADComputer -Filter 'Description -notlike "*"' -SearchBase "OU=$ComputersOU,OU=$DomainOU,$DomainNameDN" -Properties Description | Get-Random)
+ }
+}
+
+Function SetAcl($for, $to, $right, $inheritance)
+{
+ Set-Location AD:
+ $forSID = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser $for).SID
+ $objOU = ($to).DistinguishedName
+ $objAcl = get-acl $objOU
+ $adRight = [System.DirectoryServices.ActiveDirectoryRights] $right
+ $type = [System.Security.AccessControl.AccessControlType] "Allow"
+ $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] $inheritance
+ $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $forSID,$adRight,$type,$inheritanceType
+ $objAcl.AddAccessRule($ace)
+ Set-Acl -AclObject $objAcl -path $objOU
+ Set-ADObject $for -Description "$right on $($to | Select-Object -ExpandProperty Name)"
+ Set-ADObject $to -Description "$($for | Select-Object -ExpandProperty Name) has $right on this object"
+}
+
+Function SetAclExtended($for, $to, $right, $extendedRightGUID, $inheritance)
+{
+ Set-Location AD:
+ $forSID = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser $for).SID
+ $objOU = ($to).DistinguishedName
+ $objAcl = get-acl $objOU
+ $adRight = [System.DirectoryServices.ActiveDirectoryRights] $right
+ $type = [System.Security.AccessControl.AccessControlType] "Allow"
+ $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] $inheritance
+ $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $forSID,$adRight,$type,$extendedRightGUID,$inheritanceType
+ $objAcl.AddAccessRule($ace)
+ Set-Acl -AclObject $objAcl -path $objOU
+ Set-ADObject $for -Description "$right, $extendedRightGUID on $($to | Select-Object -ExpandProperty Name)"
+ Set-ADObject $to -Description "$($for | Select-Object -ExpandProperty Name) has $right, $extendedRightGUID on this object"
+}
+
+Write-Host "[INFO] Setting weak NTLM compatibility level"
+Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 1 -Force
+
+If (-Not (Get-ADOrganizationalUnit -SearchBase "$DomainNameDN" -Filter "Name -like '$DomainOU'")) {
+ New-ADOrganizationalUnit -Name "$DomainOU" -Path "$DomainNameDN"
+}
+
+if (-Not (Get-ADOrganizationalUnit -SearchBase "OU=$DomainOU,$DomainNameDN" -Filter "Name -like '$UsersOU'")) {
+ New-ADOrganizationalUnit -Name "$UsersOU" -Path "OU=$DomainOU,$DomainNameDN"
+}
+
+if (-Not (Get-ADOrganizationalUnit -SearchBase "OU=$DomainOU,$DomainNameDN" -Filter "Name -like '$ComputersOU'")) {
+ New-ADOrganizationalUnit -Name "$ComputersOU" -Path "OU=$DomainOU,$DomainNameDN"
+}
+
+if (-Not (Get-ADOrganizationalUnit -SearchBase "OU=$DomainOU,$DomainNameDN" -Filter "Name -like '$ServiceAccountsOU'")) {
+ New-ADOrganizationalUnit -Name "$ServiceAccountsOU" -Path "OU=$DomainOU,$DomainNameDN"
+}
+
+$users = @("michael","christopher","jessica","matthew","ashley","jennifer","joshua","amanda","daniel","david","james","robert","john","joseph","andrew","ryan","brandon","jason","justin","sarah","william","jonathan","stephanie","brian","nicole","nicholas","anthony","heather","eric","elizabeth","adam","megan","melissa","kevin","steven","thomas","timothy","christina","kyle","rachel","laura","lauren","amber","brittany","danielle","richard","kimberly","jeffrey","amy","crystal","michelle","tiffany","jeremy","benjamin","mark","emily","aaron","charles","rebecca","jacob","stephen","patrick","sean","erin","zachary","jamie","kelly","samantha","nathan","sara","dustin","paul","angela","tyler","scott","katherine","andrea","gregory","erica","mary","travis","lisa","kenneth","bryan","lindsey","kristen","jose","alexander","jesse","katie","lindsay","shannon","vanessa","courtney","christine","alicia","cody","allison","bradley","samuel")
+
+$created_users = @()
+ForEach ($user in $users) {
+ try {
+ New-ADUser -Name "$user" `
+ -SamAccountName "$user" `
+ -EmailAddress "$user@$($DomainName.ToLower())" `
+ -Path "OU=$UsersOU,OU=$DomainOU,$DomainNameDN" `
+ -AccountPassword (ConvertTo-SecureString -AsPlainText -Force $UserPassword) `
+ -Enabled $true `
+ -PasswordNeverExpires $true
+ $created_users += $user
+ } catch {
+ Write-Host "[ERR] Failed to create user $user"
+ }
+}
+
+Get-RandomObject -User | % { Add-ADGroupMember -Identity "Domain Admins" -Members $_; Set-ADUser -Identity $_ -Description "domain admin" }
+Get-RandomObject -User | % { Add-ADGroupMember -Identity "Domain Admins" -Members $_; Set-ADUser -Identity $_ -Description "domain admin" }
+
+Write-Host "[INFO] Created users: $($created_users -Join ', ')"
+
+$created_computers = @()
+1..20 | % {
+ $servers = @("srv", "sql", "smb")
+ ForEach ($server in $servers) {
+ try {
+ New-ADComputer -SamAccountName "$server$_" -Name "$server$_" -DNSHostName "$server$_.$DomainName" -Path "OU=$ComputersOU,OU=$DomainOU,$DomainNameDN"
+ $created_computers += $server
+ } catch {
+ Write-Host "[ERR] Failed to create server $server$_"
+ }
+ }
+}
+
+Write-Host "[INFO] Created computers: $($created_computers -Join ', ')"
+
+$svc_users = @{
+ "svc_mssql01" = @{"type" = "spn"; "value" = "MSSQLSVC"}
+ "svc_mssql02" = @{"type" = "spn"; "value" = "MSSQLSVC"}
+ "svc_cifs01" = @{"type" = "spn"; "value" = "CIFS"}
+ "svc_cifs02" = @{"type" = "spn"; "value" = "CIFS"}
+ "svc_iis01" = @{"type" = "spn"; "value" = "HTTP"}
+ "svc_iis02" = @{"type" = "spn"; "value" = "HTTP"}
+ "svc_backup01" = @{"type" = "group"; "value" = "Backup Operators"}
+ "svc_backup02" = @{"type" = "group"; "value" = "Backup Operators"}
+ "svc_dns01" = @{"type" = "group"; "value" = "DnsAdmins"}
+ "svc_dns02" = @{"type" = "group"; "value" = "DnsAdmins"}
+ "svc_srvoperator01" = @{"type" = "group"; "value" = "Server Operators"}
+ "svc_srvoperator02" = @{"type" = "group"; "value" = "Server Operators"}
+ "svc_evtvwr01" = @{"type" = "group"; "value" = "Event Log Readers"}
+ "svc_evtvwr02" = @{"type" = "group"; "value" = "Event Log Readers"}
+ "svc_acctoperator01" = @{"type" = "group"; "value" = "Account Operators"}
+ "svc_acctoperator02" = @{"type" = "group"; "value" = "Account Operators"}
+ "svc_printoperator01" = @{"type" = "group"; "value" = "Print Operators"}
+ "svc_printoperator02" = @{"type" = "group"; "value" = "Print Operators"}
+ "svc_mgmtuser01" = @{"type" = "group"; "value" = "Remote Management Users"}
+ "svc_mgmtuser02" = @{"type" = "group"; "value" = "Remote Management Users"}
+}
+
+$created_svc_users = @()
+ForEach ($user in $svc_users.keys) {
+ $type = $svc_users[$user]["type"]
+ $value = $svc_users[$user]["value"]
+
+ Switch ("$type") {
+ "spn" {
+ try {
+ $comp = (Get-RandomObject -Computer | Select-Object -ExpandProperty DNSHostName)
+ $u = New-ADUser -Name "$user" `
+ -SamAccountName "$user" `
+ -AccountPassword (ConvertTo-SecureString -AsPlainText -Force $ServiceUserPassword) `
+ -Path "OU=$ServiceAccountsOU,OU=$DomainOU,$DomainNameDN" `
+ -Enabled $true `
+ -PasswordNeverExpires $true `
+ -PassThru
+ Set-ADUser -Identity "$u" -ServicePrincipalNames @{Add="$value/$comp"}
+ Set-ADObject $u -Description "SPN on $value/$comp"
+
+ $created_svc_users += "$user ($value/$comp)"
+ } catch {
+ Write-Host "[ERR] Failed to create $value/$comp for $user"
+ }
+ }
+ "group" {
+ try {
+ $u = New-ADUser -Name "$user" `
+ -SamAccountName "$user" `
+ -AccountPassword (ConvertTo-SecureString -AsPlainText -Force $UserPassword) `
+ -Path "OU=$ServiceAccountsOU,OU=$DomainOU,$DomainNameDN" `
+ -Enabled $true `
+ -PasswordNeverExpires $true `
+ -PassThru
+ Add-ADGroupMember -Identity "$value" -Members $u
+ Set-ADObject $u -Description "member of $value"
+
+ $created_svc_users += "$user ($value)"
+ } catch {
+ Write-Host "[ERR] Failed to add $user to $value"
+ }
+ }
+ }
+}
+
+Write-Host "[INFO] Created svc users: $($created_svc_users -Join ', ')"
+
+$dcsync_user = Get-RandomObject -User
+$acl = Get-Acl -Path "AD:$DomainNameDN"
+$sid = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser $dcsync_user).SID
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
+ -ArgumentList @($sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, [System.Security.AccessControl.AccessControlType]::Allow, [Guid]"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2")))
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
+ -ArgumentList @($sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, [System.Security.AccessControl.AccessControlType]::Allow, [Guid]"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")))
+Set-Acl -Path "AD:$DomainNameDN" -AclObject $acl
+Set-ADObject $dcsync_user -Description "DCSync rights on $DomainName"
+
+$adminsdholder_user = Get-RandomObject -User
+$adminsdholder = "CN=AdminSDHolder,CN=System,$DomainNameDN"
+$acl = Get-Acl -Path "AD:$adminsdholder"
+$sid = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser $adminsdholder_user).SID
+$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
+ -ArgumentList @($sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, [System.Security.AccessControl.AccessControlType]::Allow)))
+Set-Acl -Path "AD:$adminsdholder" -AclObject $acl
+Set-ADObject $adminsdholder_user -Description "GenericAll on AdminSDHolder"
+
+Write-Host "[INFO] Configuring anonymous LDAP binding via dsHeuristics for contoso.com"
+$rootDSE = Get-ADRootDSE
+$configNC = $rootDSE.ConfigurationNamingContext
+$directoryServicePath = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
+$directoryService = Get-ADObject -Identity $directoryServicePath -Properties dsHeuristics
+$currentHeuristics = $directoryService.dsHeuristics
+$newHeuristics = "0000002"
+Write-Host "[INFO] Overwriting dsHeuristics with '0000002'"
+Set-ADObject -Identity $directoryServicePath `
+ -Replace @{"dsHeuristics" = $newHeuristics} `
+ -Description "Anonymous LDAP enabled for contoso.com" `
+ -ErrorAction Stop
+Write-Host "[INFO] Successfully set dsHeuristics to '$newHeuristics'"
+
+Set-ADDomain -Identity $DomainName -Replace @{"ms-DS-MachineAccountQuota"=50}
+
+$dc = (Get-ADDomainController | Select-Object -ExpandProperty HostName)
+$u = New-ADUser -Name "svc_iis03" `
+ -SamAccountName "svc_iis03" `
+ -Path "OU=$ServiceAccountsOU,OU=$DomainOU,$DomainNameDN" `
+ -AccountPassword (ConvertTo-SecureString -AsPlainText -Force $ServiceUserPassword) `
+ -Enabled $true `
+ -PasswordNeverExpires $true `
+ -PassThru
+Set-ADUser -Identity "$u" -ServicePrincipalNames @{Add="HTTP/web01"}
+Set-ADObject $u -Description "SPN on HTTP/web01"
+
+$genericAllUserSrc = Get-RandomObject -User
+$genericAllUserTgt = Get-RandomObject -User
+SetAcl $genericAllUserSrc $genericAllUserTgt "GenericAll" "None"
+Set-ADObject $genericAllUserSrc -Description "User with GenericAll rights over $($genericAllUserTgt.Name)"
+
+$genericAllDomainAdminsSrc = Get-RandomObject -User
+$domainAdminsGroup = Get-ADGroup "Domain Admins"
+SetAcl $genericAllDomainAdminsSrc $domainAdminsGroup "GenericAll" "None"
+Set-ADObject $genericAllDomainAdminsSrc -Description "User with GenericAll rights over Domain Admins group"
+
+$genericAllComputerSrc = Get-RandomObject -User
+$genericAllComputerTgt = Get-RandomObject -Computer
+SetAcl $genericAllComputerSrc $genericAllComputerTgt "GenericAll" "None"
+Set-ADObject $genericAllComputerSrc -Description "User with GenericAll rights over computer $($genericAllComputerTgt.Name)"
+
+$writePropertyDomainAdminsSrc = Get-RandomObject -User
+SetAcl $writePropertyDomainAdminsSrc $domainAdminsGroup "WriteProperty" "All"
+Set-ADObject $writePropertyDomainAdminsSrc -Description "User with WriteProperty rights over Domain Admins group (all properties)"
+
+$selfDomainAdminsSrc = Get-RandomObject -User
+SetAclExtended $selfDomainAdminsSrc $domainAdminsGroup "Self" "bf9679c0-0de6-11d0-a285-00aa003049e2" "None"
+Set-ADObject $selfDomainAdminsSrc -Description "User with Self membership control over Domain Admins group"
+
+$writePropertyExtDomainAdminsSrc = Get-RandomObject -User
+SetAclExtended $writePropertyExtDomainAdminsSrc $domainAdminsGroup "WriteProperty" "bf9679c0-0de6-11d0-a285-00aa003049e2" "All"
+Set-ADObject $writePropertyExtDomainAdminsSrc -Description "User with WriteProperty rights to modify Domain Admins group membership"
+
+$forceChangePwdSrc = Get-RandomObject -User
+$forceChangePwdTgt = Get-RandomObject -User
+SetAclExtended $forceChangePwdSrc $forceChangePwdTgt "ExtendedRight" "00299570-246d-11d0-a768-00aa006e0529" "None"
+Set-ADObject $forceChangePwdSrc -Description "User with ForceChangePassword rights over $($forceChangePwdTgt.Name)"
+
+$writeOwnerDomainAdminsSrc = Get-RandomObject -User
+SetAcl $writeOwnerDomainAdminsSrc $domainAdminsGroup "WriteOwner" "None"
+Set-ADObject $writeOwnerDomainAdminsSrc -Description "User with WriteOwner rights to take ownership of Domain Admins group"
+
+$genericWriteUserSrc = Get-RandomObject -User
+$genericWriteUserTgt = Get-RandomObject -User
+SetAcl $genericWriteUserSrc $genericWriteUserTgt "GenericWrite" "None"
+Set-ADObject $genericWriteUserSrc -Description "User with GenericWrite rights over $($genericWriteUserTgt.Name)"
+
+$writeDaclDomainAdminsSrc = Get-RandomObject -User
+SetAcl $writeDaclDomainAdminsSrc $domainAdminsGroup "WriteDacl" "None"
+Set-ADObject $writeDaclDomainAdminsSrc -Description "User with WriteDacl rights to modify Domain Admins group permissions"
+
+$asreproast_user = Get-RandomObject -User
+Set-ADAccountControl -Identity $asreproast_user -DoesNotRequirePreAuth $True
+Set-ADObject $asreproast_user -Description "DoesNotRequirePreAuth"
+
+$kerberoast_user = Get-RandomObject -User
+$kerberoast_spn = Get-RandomObject -Computer
+Set-ADUser -Identity "$kerberoast_user" -ServicePrincipalNames @{Add="HTTP/$($kerberoast_spn)"}
+Set-ADObject $kerberoast_user -Description "$($kerberoast_user | Select-Object -ExpandProperty Name) is kerberoastable on http/$($kerberoast_spn | Select-Object -ExpandProperty Name):80"
+
+$unconstrained_delegation_comp = Get-RandomObject -Computer
+$unconstrained_delegation_comp | Set-ADAccountControl -TrustedForDelegation $true
+Set-ADObject $unconstrained_delegation_comp -Description "TrustedForDelegation"
+
+$constrained_delegation_comp1 = Get-RandomObject -Computer
+$constrained_delegation_comp2 = Get-RandomObject -Computer
+Set-ADObject -Identity $constrained_delegation_comp1 -Add @{'msDS-AllowedToDelegateTo'=@("HOST/$($constrained_delegation_comp2)/example")}
+Set-ADAccountControl -Identity $constrained_delegation_comp1 -TrustedForDelegation $false -TrustedToAuthForDelegation $true
+Set-ADObject $constrained_delegation_comp1 -Description "msDS-AllowedToDelegateTo to $($constrained_delegation_comp2 | Select-Object -ExpandProperty Name)"
+
+Write-Host "[INFO] Created vulnerable ACLs, delegation, and Kerberos configurations"
+
+@"
+Domain content
+--------------
+"@ | Out-File C:\README.txt
+
+Get-AdObject `
+ -SearchBase "OU=$DomainOU,$DomainNameDN" `
+ -Filter {ObjectClass -ne "OrganizationalUnit"} `
+ -Properties Name, ObjectClass, Description `
+ | Select-Object Name, ObjectClass, Description `
+ | Format-Table -AutoSize `
+ | Out-File -Append C:\README.txt
+Stop-Transcript |
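Review bot: `$DomainNameDN` is built from only the first two labels of `$DomainName`, so a domain with more than two components yields a DN that drops the remaining labels and every `-SearchBase`/`-Path` derived from it points at a container that does not exist; `$DomainNameDN = "DC=" + ($DomainName.Split(".") -join ",DC=")` handles any label count. The dsHeuristics section reads `$currentHeuristics` and then never uses it, replacing the whole attribute with the literal `"0000002"`, which would discard any heuristic flags already present on the Directory Service object, and both the `Write-Host` and `-Description` strings there hardcode `contoso.com` instead of `$DomainName`. In the computer loop `$created_computers += $server` records only the prefix, so the "[INFO] Created computers" line prints `srv, sql, smb` repeatedly rather than the account names; `$created_computers += "$server$_"` matches what the catch message reports. The "group" branch of the `Switch` creates service accounts with `$UserPassword` while the "spn" branch and `svc_iis03` use `$ServiceUserPassword`; if that split is not deliberate, one parameter should cover all of them. `$FunctionalLevel` and `$dc` are declared but never read.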