Proxmox Lab: Game of Active Directory - Environment Setup

In this module, we'll be taking steps to set up the initial environment and prepare to deploy Game of Active Directory (GOAD) in our existing Proxmox environment.
Proxmox Lab: Game of Active Directory - Environment Setup
In: Proxmox, Home Lab, Active Directory, Game of Active Directory, Windows, Attack

About this Project

ℹ️
This module is part of a larger project on setting up Game of Active Directory (GOAD) on Proxmox alongside our existing lab infrastructure. Click here to be taken back to the project landing page.
⚠️
This project also assumes that you've already built out the original Proxmox lab environment, as you'll need to lay some foundational network topologies before configuring GOAD here



Objectives for this Step

  • Add the VLAN to our existing Proxmox and pfSense Setup
  • Add DHCP scopes and add or update firewall rules
  • Create a Linux Container and install tools that will be used to automate provisioning and configuration of resources



Updating the Network

Add the GOAD VLAN

ℹ️
I'm going to keep things brief here, because I've already demonstrated multiple times in the main lab guide how to add / remove VLANs to / from the lab configuration.
Create OVS IntPort
Click Create
Log into pfSense and go to Interfaces > Assignments
Click on VLANs > Click + Add
Fill out and click Save
Click Interface Assignments
Choose the VLAN, click Add,and click Save



Configure the pfSense Interface

Click on your new interface -- OPT9 in my case
Click Save



Configure the DHCP Server

ℹ️
Typically, I'd have the DHCP server running on the Domain Controller, alongside DNS, but due to the size of the GOAD project and all of the various pieces, I'm going to stick with the creator's original design
Go to Services > DHCP Server > GOAD
Click Save



Configure the Firewall Rules

Floating Rule Updates

ℹ️
Note, that in the original lab guide, we've created various aliases and firewall rules that will be referenced here, so refer back to the original pfSense setup for more information
Go Firewall > Rules > Floating
Edit on the original floating rule here we created to block firewall management access
Add GOAD to the list of interfaces and click Save



GOAD Rules

💡
We're going to take a little bit of a shortcut here and borrow the rules that already exist for the AD_LAB interface
Select all the rules and click "Copy"
Disregard the Wazuh_Servers rule in the screenshot, as that is out of the scope of the original lab guide and this lab guide
Fill out accordingly and click "Paste"
You should now see your GOAD rules are filled out accordingly. Click "Apply Changes" at the top.



Stage the Provisioning Host

This is the Linux Container that we'll log into and run Packer, Terraform, and Ansible to build and configure resources for the environment.

⚠️
Since the environment we've created in this Proxmox lab differs quite a bit from the one Mayfly -- the original author -- created this Infrastructure-as-Code (IaC) in, please pay careful attention to changes we'll be making to certain documents.

Create the Container

Click on "Datacenter"
Click on "Pools
Click "Create" and fill out the form to your preference, then click OK
Right-click on your PVE node and choose >_ Shell
pveam update

Update the Linux Container template database

Click on your PVE node, click on "CT Templates", click on the "Templates" button
I'm going to use 22.04 version of Ubuntu, click "Download"
Right-click on your PVE node and choose "Create CT"
I'm going to authenticate using SSH keys, so my password field is empty
Choose your CT template
I'll start off with a 10 GiB disk, as it's trivial to add more storage later
2048 MiB RAM should be sufficient
Putting the LXC on vmbr1 will put the LXC on the pfSense internal LAN (10.0.0.0/24)
⚠️
If you haven't already done so, you'll want to add a static route on your home router, so that you can SSH into your provisioning LXC from your home network side
This will provide DNS setting to the container, so that it uses the pfSense local domain and default gateway as the DNS resolver
ℹ️
I'm going to take the MAC address from the container's settings, now that it's created, log into my pfSense VM on vmbr1, and allocate a DHCP reservation to this container, so that it is always at the same IP address. This is better for crafting firewall rules later.
When ready, you may start the container



Install the Automation Tooling

Log into your provisioning container via SSH key or password to open a terminal.

ℹ️
The ssh client application is available on all current versions of Windows and of course, has been available on Linux for ages
⚠️
If you're tying to SSH into the container, remember that the container is on vmbr1 behind pfSense on the default LAN -- 10.0.0.0/24 with Kali. If you haven't added a static route into the LAN, please do so in order to reach it via SSH.
ssh -i id_rsa root@10.0.0.3

Authenticating via SSH key. I gave my LXC a DHCP reservation of 10.0.0.3 in my pfSense VM.



Install and Upgrade Prerequisites

apt clean && apt update && apt upgrade -y

Upgrade existing packages

apt install -y git curl gnupg software-properties-common mkisofs

Install some pre-requisite packages



Install HashiCorp Packer and Terraform

wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg

Add HashiCorp's GPG key, so we can verify their apt repos

echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list

Add the HashiCorp apt repo to /etc/apt/sources.list.d/hashicorp.list

apt update && apt install -y packer terraform



Install Ansible

apt install -y python3-pip
python3 -m pip install --upgrade pip
python3 -m pip install ansible-core
python3 -m pip install pywinrm

Install and upgrade pip, then install the Ansible packages



Clone the GOAD Project Repo

cd /root
git clone https://github.com/Orange-Cyberdefense/GOAD.git



Current State of the Project

You should now have a provisioning CT with all of the deployment tools installed, as well as all of the VLANs, DHCP scope, and firewall rules configured





Next Step

Proxmox Lab: Game of Active Directory - Creating VM Templates
In this module, we’ll be taking steps to create some Windows Server 2016 and Windows Server 2019 templates using Packer for use in the Proxmox Game of Active Directory lab
More from 0xBEN
Table of Contents
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to 0xBEN.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.