A powerful combination of Terraform and Ansible scripts designed to instantly deploy an Azure Active Directory Lab for penetration testing and security learning purposes.
This project was developed as part of the Azure Cloud Security blog post, which contains a more detailed description: How to deploy an Azure AD Pentest Lab with Terraform & Ansible.
You can apply the techniques found at Active Directory Pentest Techniques.
- Automated OpenVPN Installation: Seamlessly access your lab environment from your host machine.
- Fully Configured Windows Active Directory Environment: Includes server and domain-joined client VMs.
- Secure Azure Bastion Access: No need to expose VMs directly to the public internet.
- Customizable Deployment: Easily tweak variables and configurations to suit your needs.
- Integration with Ansible: Automates post-deployment tasks like user creation, domain configuration, and security setup.
- Configure pfSense as outward-facing firewall
- Configure Suricata as IDS
- Configure OSSEC as EDR
This lab environment is intended for educational purposes only. It is not suitable for production use due to simplified configurations, such as unencrypted WinRM and password / SSH key reuse.
Feel free to modify the variables or scripts as needed to align with your requirements.
Bastion can be commented out to reduce deployment time from around 17 minutes to 7 minutes.
Ensure the following tools are installed and configured:
- Terraform
- Ansible
- Azure CLI: Ensure your CLI is authenticated with sufficient permissions.
Follow these steps to set up the lab environment:

```bash
git clone https://github.com/logoscruz/azure-ad-pentest-lab.git
cd azure-ad-pentest-lab
```
Edit `variables.tf` to customize the lab deployment parameters:

```bash
vim Terraform/variables.tf
```
Accept the Azure Marketplace terms for the Kali Linux image used by the lab:

```bash
az vm image terms accept --publisher kali-linux --offer kali --plan kali-2024-3
```
Generate an SSH key pair; this is required for accessing the Linux VMs:

```bash
ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa
```
Initialize and apply the Terraform configuration:

```bash
cd Terraform
terraform init -upgrade
terraform apply
```

After deployment, retrieve the password for all Windows VMs:

```bash
terraform output vm_password
```
Switch to the Ansible folder and edit variables as needed:

```bash
cd Ansible
vim vars.yml
```

Securely store sensitive information:

```bash
ansible-vault create secrets.yml
```

`secrets.yml` content example (replace `<vm_password>` with the output from Terraform):

```yaml
domain_admin_password: <vm_password>
safe_mode_password: <vm_password>
ansible_password_dc: <vm_password>
ansible_password_ad_users: <vm_password>
```
Provision the Active Directory environment:

```bash
ansible-playbook --ask-vault-pass -i hosts ADLab.yml
```
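The steps above have you copy the Terraform `vm_password` output into four fields of `secrets.yml` by hand. The helper below, an added example that is not part of this project, does that wiring from `terraform output -json`, quotes the password so characters like `#` or `:` cannot break the YAML, and reports which keys still share one value (the password reuse the caveat above mentions). The `-chdir` invocation and the `SAMPLE_TF_OUTPUT` value are assumptions made for the example.

```python
import json
import subprocess
import sys

# The four keys ADLab.yml expects in secrets.yml.
SECRET_KEYS = ("domain_admin_password", "safe_mode_password",
               "ansible_password_dc", "ansible_password_ad_users")

# Constructed sample of `terraform output -json`, used when nothing is piped in.
SAMPLE_TF_OUTPUT = json.dumps({"vm_password": {
    "sensitive": True, "type": "string", "value": "Lab#Pass:2024"}})


def vm_password_from_output(output_json):
    """Return the vm_password value from `terraform output -json` text."""
    outputs = json.loads(output_json)
    if "vm_password" not in outputs:
        raise KeyError("vm_password output missing; run terraform apply first")
    return outputs["vm_password"]["value"]


def build_secrets(vm_password, overrides=None):
    """Fill every key with the VM password, then apply per-key overrides."""
    secrets = {key: vm_password for key in SECRET_KEYS}
    for key, value in (overrides or {}).items():
        if key not in SECRET_KEYS:
            raise KeyError("unknown secret key: %s" % key)
        secrets[key] = value
    return secrets


def reused_keys(secrets):
    """Sorted list of keys whose value is shared with at least one other key."""
    by_value = {}
    for key, value in secrets.items():
        by_value.setdefault(value, []).append(key)
    return sorted(k for keys in by_value.values() if len(keys) > 1 for k in keys)


def to_yaml(secrets):
    """Render flat YAML; JSON string quoting is valid YAML and escapes specials."""
    return "".join("%s: %s\n" % (k, json.dumps(secrets[k])) for k in SECRET_KEYS)


if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TF_OUTPUT
    built = build_secrets(vm_password_from_output(raw))
    if reused_keys(built):
        print("warning: shared password in %s" % ", ".join(reused_keys(built)), file=sys.stderr)
    sys.stdout.write(to_yaml(built))
```

Run it as `terraform -chdir=Terraform output -json | python3 make_secrets.py > Ansible/secrets.yml`, then encrypt the result with `ansible-vault encrypt Ansible/secrets.yml` (the `subprocess` import is only there if you prefer to invoke Terraform from the script itself).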
- Access the Lab: Use OpenVPN or Azure Bastion to connect to the deployed resources.
- RDP/SSH to VMs: Credentials and connection details are provided in Terraform outputs.
- Test Scenarios: Use the configured Active Directory environment to practice penetration testing techniques found at Active Directory Pentest Techniques.
```text
azure-ad-pentest-lab/
│
├── Terraform/
│   ├── main.tf               # Core Terraform configurations
│   ├── variables.tf          # Input variables for customization
│   ├── network_security.tf   # Config file for network & security
│   ├── VMs.tf                # Config file for VMs
│   └── outputs.tf            # Outputs such as VM credentials
│
├── Ansible/
│   ├── ADLab.yml             # Ansible playbook for AD configuration
│   ├── vars.yml              # Customizable variables for Ansible
│   └── hosts                 # Inventory file for target systems
│
├── Architecture_Diagram.png  # Diagram image
└── README.md                 # Project documentation
```