Active Directory lab in Azure for security testing

License

Notifications You must be signed in to change notification settings

dejisec/ad-lab


AD Lab

Python 3.11+ | Terraform | Azure | License: MIT

Overview

Infrastructure as Code (IaC) solution for deploying a complete Active Directory environment in Azure for security testing, training, or development. Terraform provisions the network and VMs; a Python CLI orchestrates the deployment and an Ansible-equipped jumpbox is the only host reachable from the Internet.

Architecture

┌───────────────────────────────────────────────────────────────┐
│                         Azure Cloud                           │
├───────────────────────────────────────────────────────────────┤
│                                                               │
│  ┌─────────────────────────────────────────────────────────┐  │
│  │                Virtual Network (10.0.0.0/16)            │  │
│  ├─────────────────────────────────────────────────────────┤  │
│  │                                                         │  │
│  │       ┌───────────────────┐  ┌─────────────────┐        │  │
│  │       │    10.0.1.0/24    │  │   10.0.2.0/24   │        │  │
│  │       │     DC Subnet     │  │   Workstation   │        │  │
│  │       │                   │  │   Subnet        │        │  │
│  │       │                   │  │                 │        │  │
│  │       └───────────────────┘  └─────────────────┘        │  │
│  │                    ┌─────────────────┐                  │  │
│  │                    │   10.0.4.0/24   │                  │  │
│  │                    │     Server      │                  │  │
│  │                    │     Subnet      │                  │  │
│  │                    │                 │                  │  │
│  │                    └─────────────────┘                  │  │
│  │                                                         │  │
│  │      ┌─────────────────────────────────────────────┐    │  │
│  │      │         Jumpbox Subnet (10.0.3.0/24)        │    │  │
│  │      │                                             │    │  │
│  │      │         ┌─────────────────────┐             │    │  │
│  │      │         │     Jumpbox         │             │    │  │
│  │      │         │   Ubuntu 22.04      │◄────────────┼────┼──┼─────── SSH (Your IP)
│  │      │         │   Ansible + Tools   │             │    │  │
│  │      │         └─────────────────────┘             │    │  │
│  │      └─────────────────────────────────────────────┘    │  │
│  └─────────────────────────────────────────────────────────┘  │
└───────────────────────────────────────────────────────────────┘

Prerequisites

Required Tools

  • Python 3.11+ - For the orchestration CLI
  • Terraform 1.0+ - For infrastructure provisioning
  • Azure CLI - For Azure authentication
  • SSH Key Pair - For jumpbox access
  • Poetry - Python dependency management

Azure Requirements

  • Active Azure subscription
  • Sufficient quota in the chosen region (quota is counted per VM family and region):
    • vCPUs: 2 per Windows VM with the default Standard_B2s size, 1 for the Standard_B1s jumpbox
    • Public IPs: 1 (jumpbox only)
    • Storage: ~128GB

Quick Start

1. Clone the Repository

git clone https://github.com/dejisec/ad-lab.git
cd ad-lab

2. Install Dependencies

# Install Poetry if not already installed
curl -sSL https://install.python-poetry.org | python3 -

# Install Python dependencies
poetry install

3. Configure Azure Authentication

# Login to Azure
az login

# Set your subscription (if you have multiple)
az account set --subscription "Your-Subscription-Name"

4. Configure Environment

# Run the setup script
./setup.sh

# Edit the configuration
vim .env

Key configuration options:

# Azure Configuration
LOCATION="West US"
RESOURCE_GROUP_NAME="ad-lab-rg"

# Domain Configuration
DOMAIN_NAME="company.local"
DOMAIN_NETBIOS_NAME="COMPANY"
ADMIN_USERNAME="ad-lab-admin"
ADMIN_PASSWORD="SecurePassword123!"  # Change this!

# Network Configuration
SOURCE_SSH_IP="YOUR.PUBLIC.IP.HERE"  # Your public IP for SSH access

# VM Configuration
DOMAIN_CONTROLLER_COUNT=1
WORKSTATION_COUNT=2
USE_SPOT_INSTANCES=false  # Set to true for cost savings

5. Deploy the Lab

# Deploy with confirmation prompts
poetry run python -m ad_lab.cli deploy

# Or deploy without prompts
poetry run python -m ad_lab.cli deploy -y

6. Connect to the Environment

After deployment, you'll see connection instructions:

# Get connection information
poetry run python -m ad_lab.cli connect

# SSH to jumpbox
ssh azureuser@<jumpbox-public-ip>

# RDP to Domain Controller via SSH tunnel
ssh -L 3389:10.0.1.10:3389 azureuser@<jumpbox-public-ip>
# Then RDP to: localhost:3389

# RDP to Workstations via SSH tunnel
ssh -L 3390:10.0.2.5:3389 azureuser@<jumpbox-public-ip>  # PC01
ssh -L 3391:10.0.2.4:3389 azureuser@<jumpbox-public-ip>  # PC02
# Then RDP to: localhost:3390 or localhost:3391

# RDP to Server via SSH tunnel
ssh -L 3340:10.0.4.5:3389 azureuser@<jumpbox-public-ip>  # Server01
ssh -L 3341:10.0.4.4:3389 azureuser@<jumpbox-public-ip>  # Server02
# Then RDP to: localhost:3340 or localhost:3341
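A pre-flight script for steps 4 and 6 above, added here as an example and not part of the dejisec/ad-lab project. It checks the two settings in .env that decide the lab's exposure, SOURCE_SSH_IP (the only source the NSG will admit on port 22) and ADMIN_PASSWORD (the domain administrator password), without sourcing the file, and then prints one ssh invocation that carries all five RDP forwards from the connection examples instead of five separate sessions. It assumes the KEY="value" layout shown above; the 12-character minimum is a lab policy assumption, the 3-of-4 character-class rule is AD's default complexity requirement, and the sample .env it writes is constructed from this README's placeholders.

```shell
#!/bin/sh
# ad-lab-preflight.sh: check .env before `poetry run python -m ad_lab.cli deploy`
# and print one ssh command that opens every RDP tunnel at once.
# Added example for this page, not part of the ad-lab project.

# get_var FILE KEY: value of KEY=... read from a .env file without executing it.
# Quoted values keep everything inside the quotes; unquoted values lose trailing comments.
get_var() {
  line=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1)
  case $line in
    \"*) printf '%s\n' "$line" | sed 's/^"\([^"]*\)".*$/\1/' ;;
    *)   printf '%s\n' "$line" | sed 's/[[:space:]]*#.*$//' ;;
  esac
}

# valid_ipv4 A.B.C.D: 0 if the argument is a dotted quad with every octet in 0..255.
valid_ipv4() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[![:digit:]]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# check_source_ip VALUE: SOURCE_SSH_IP must be one real host, never the README
# placeholder or a wildcard, because the NSG turns it into the only allowed SSH source.
check_source_ip() {
  case $1 in
    ''|YOUR.PUBLIC.IP.HERE|'*'|Internet|0.0.0.0|0.0.0.0/0)
      echo "SOURCE_SSH_IP='$1' would expose SSH to the whole Internet" >&2; return 1 ;;
  esac
  host=${1%/32}                      # a /32 suffix still means a single host
  case $host in */*)
    echo "SOURCE_SSH_IP='$1' is a range; use a single /32 host" >&2; return 1 ;;
  esac
  valid_ipv4 "$host" || { echo "SOURCE_SSH_IP='$1' is not an IPv4 address" >&2; return 1; }
}

# check_admin_password VALUE: reject the README placeholder, anything under the
# 12-character lab minimum (assumption) and anything with fewer than 3 of 4 classes.
check_admin_password() {
  pw=$1; classes=0
  [ "$pw" != "SecurePassword123!" ] || { echo "ADMIN_PASSWORD is still the README placeholder" >&2; return 1; }
  [ ${#pw} -ge 12 ] || { echo "ADMIN_PASSWORD is shorter than 12 characters" >&2; return 1; }
  case $pw in *[[:upper:]]*) classes=$((classes + 1)) ;; esac
  case $pw in *[[:lower:]]*) classes=$((classes + 1)) ;; esac
  case $pw in *[[:digit:]]*) classes=$((classes + 1)) ;; esac
  case $pw in *[![:alnum:]]*) classes=$((classes + 1)) ;; esac
  [ $classes -ge 3 ] || { echo "ADMIN_PASSWORD needs 3 of 4 character classes" >&2; return 1; }
}

# check_env_file PATH: 0 only if both settings are safe to deploy with.
check_env_file() {
  rc=0
  check_source_ip "$(get_var "$1" SOURCE_SSH_IP)" || rc=1
  check_admin_password "$(get_var "$1" ADMIN_PASSWORD)" || rc=1
  return $rc
}

# Local port, private IP and label for each RDP target in the connection examples above.
LAB_HOSTS="3389 10.0.1.10 DC
3390 10.0.2.5 PC01
3391 10.0.2.4 PC02
3340 10.0.4.5 Server01
3341 10.0.4.4 Server02"

# tunnel_command JUMPBOX_PUBLIC_IP: one ssh session with all five forwards, each bound
# to 127.0.0.1 so nothing else on your LAN can ride the tunnel into the lab.
tunnel_command() {
  cmd="ssh -N -o ExitOnForwardFailure=yes"
  while read -r lport ip label; do
    [ -n "$lport" ] || continue
    cmd="$cmd -L 127.0.0.1:$lport:$ip:3389"
  done <<EOF
$LAB_HOSTS
EOF
  printf '%s\n' "$cmd azureuser@$1"
}

# write_sample_env PATH: constructed .env using this README's placeholder values.
write_sample_env() {
  cat > "$1" <<'EOF'
LOCATION="West US"
DOMAIN_NAME="company.local"
ADMIN_PASSWORD="SecurePassword123!"  # Change this!
SOURCE_SSH_IP="YOUR.PUBLIC.IP.HERE"  # Your public IP for SSH access
EOF
}

# Usage: sh ad-lab-preflight.sh .env [jumpbox-public-ip]
if [ $# -ge 1 ]; then
  check_env_file "$1" && echo "$1 looks deployable"
  if [ $# -ge 2 ]; then tunnel_command "$2"; fi
fi
```

Run it as `sh ad-lab-preflight.sh .env` before step 5 and, once `connect` has shown the jumpbox address, `sh ad-lab-preflight.sh .env <jumpbox-public-ip>` to get the combined tunnel command; with every forward in one session, all five RDP targets stay reachable on localhost:3389, 3390, 3391, 3340 and 3341 and die together when you close it. The checks read .env with sed rather than sourcing it, so a malformed or hostile file cannot run commands in your shell; since the same file holds the domain administrator password in plaintext, make sure it is ignored by git before you commit anything.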

Commands

Core Commands

Command    Description                                  Options
deploy     Deploy the complete AD environment           -y (skip confirmation)
destroy    Destroy all resources and clean up           -y (skip confirmation)
status     Show current deployment status               -
connect    Display connection instructions              -
validate   Validate configuration and prerequisites     -

Advanced Usage

# Deploy with custom configuration file
poetry run python -m ad_lab.cli --config-file custom.env deploy

# Deploy with debug logging
poetry run python -m ad_lab.cli --log-level DEBUG deploy

# Deploy with logging to file
poetry run python -m ad_lab.cli --log-file deployment.log deploy

Configuration

VM Sizing

Configure VM sizes in .env:

# Primary VM sizes
DC_VM_SIZE="Standard_B2s"
WORKSTATION_VM_SIZE="Standard_B2s"
JUMPBOX_VM_SIZE="Standard_B1s"

# Fallback sizes, tried in order when the preferred size is unavailable or out of quota in the region
DC_VM_SIZE_PRIORITY='["Standard_B2s", "Standard_B2ms", "Standard_D2s_v3"]'

Scaling

Adjust the number of VMs:

DOMAIN_CONTROLLER_COUNT=2  # HA domain controllers
WORKSTATION_COUNT=5        # Multiple workstations
SERVER_COUNT=3             # Additional servers
SERVER_ROLES='["web", "database", "file"]'  # Server roles

Network Customization

VNET_ADDRESS_SPACE="10.0.0.0/16"
DC_SUBNET_PREFIX="10.0.1.0/24"
WORKSTATION_SUBNET_PREFIX="10.0.2.0/24"
JUMPBOX_SUBNET_PREFIX="10.0.3.0/24"
SERVER_SUBNET_PREFIX="10.0.4.0/24"
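When you change these values, the four subnets still have to fit inside VNET_ADDRESS_SPACE and must not overlap one another, otherwise the Terraform apply fails part-way through with resources already created. The script below, added here as an example and not part of the dejisec/ad-lab project, does that arithmetic on the CIDR strings before you deploy; it works on plain dotted-quad/prefix notation only and takes the values as arguments rather than reading .env.

```shell
#!/bin/sh
# ad-lab-netcheck.sh: confirm that every subnet prefix lies inside the VNet address
# space and that no two subnets overlap. Added example, not part of the ad-lab project.

# ip2int A.B.C.D: dotted quad to a 32-bit integer.
ip2int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_range A.B.C.D/N: prints "first last" (integers) for the block, with a note on
# stderr if the address given is not the block's own network address.
cidr_range() {
  len=${1#*/}; base=$(ip2int "${1%/*}")
  size=$(( 1 << (32 - len) ))
  first=$(( base & (4294967296 - size) ))
  [ "$base" -eq "$first" ] || echo "note: $1 is not on a /$len boundary" >&2
  echo "$first $((first + size - 1))"
}

# cidr_contains OUTER INNER: 0 if INNER lies entirely inside OUTER.
cidr_contains() {
  set -- $(cidr_range "$1") $(cidr_range "$2")
  [ "$3" -ge "$1" ] && [ "$4" -le "$2" ]
}

# cidrs_disjoint A B: 0 if the two blocks share no address.
cidrs_disjoint() {
  set -- $(cidr_range "$1") $(cidr_range "$2")
  [ "$4" -lt "$1" ] || [ "$3" -gt "$2" ]
}

# check_lab_network VNET SUBNET...: 0 only if every subnet fits the VNet and the
# subnets are pairwise disjoint; each problem is reported on stderr.
check_lab_network() {
  vnet=$1; shift; rc=0
  for s in "$@"; do
    cidr_contains "$vnet" "$s" || { echo "$s is outside VNET_ADDRESS_SPACE $vnet" >&2; rc=1; }
  done
  while [ $# -gt 1 ]; do
    a=$1; shift
    for b in "$@"; do
      cidrs_disjoint "$a" "$b" || { echo "$a overlaps $b" >&2; rc=1; }
    done
  done
  return $rc
}

# Usage: sh ad-lab-netcheck.sh VNET_ADDRESS_SPACE DC_SUBNET WORKSTATION_SUBNET JUMPBOX_SUBNET SERVER_SUBNET
if [ $# -ge 2 ]; then
  check_lab_network "$@" && echo "network layout OK"
fi
```

For the defaults above, `sh ad-lab-netcheck.sh 10.0.0.0/16 10.0.1.0/24 10.0.2.0/24 10.0.3.0/24 10.0.4.0/24` prints `network layout OK`; moving the server subnet to 10.1.4.0/24 or shrinking the VNet to 10.0.0.0/22 is reported before Terraform ever runs.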

Troubleshooting

Common Issues

1. Azure Quota Errors

# Check your quota in the region you configured (LOCATION in .env)
az vm list-usage --location "West US" --output table

# Solution: Use different VM sizes or regions

2. Deployment Failures

# Check detailed logs
poetry run python -m ad_lab.cli --log-level DEBUG deploy

# Manual cleanup if needed
cd terraform
terraform destroy -auto-approve

Cost Optimization

Estimated Costs (Monthly)

Configuration                          Estimated Cost
Basic (1 DC, 2 Workstations)           ~$150-200
With Spot Instances                    ~$50-75
Extended (2 DCs, 5 Workstations)       ~$350-450

Cost Saving Tips

  1. Use Spot Instances: Set USE_SPOT_INSTANCES=true for up to 70% savings. Azure can evict spot VMs whenever it needs the capacity, so a domain controller or workstation may vanish mid-session; treat a spot lab as disposable and redeploy rather than expecting it to stay up
  2. Destroy When Not Needed: Always run poetry run python -m ad_lab.cli destroy after testing

Security Considerations

  • Isolated Network: The domain controllers, workstations and servers have private addresses only and are reached through the jumpbox (RDP over an SSH tunnel). They are isolated from inbound traffic, not air-gapped
  • NSG Rules: Network security groups limit inbound access to the ports the lab needs; after deployment, confirm that the jumpbox NSG admits only SOURCE_SSH_IP on port 22
  • SSH Key Authentication: The jumpbox accepts SSH keys, not passwords
  • Source IP Restriction: SSH access is limited to the single address in SOURCE_SSH_IP; leaving the placeholder or using a wildcard exposes the jumpbox to the whole Internet
  • No Public IPs: Only the jumpbox has a public IP address
  • Secrets on Disk: .env holds ADMIN_PASSWORD, the domain administrator password, in plaintext; change the placeholder before deploying and keep the file out of version control
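The exposure claims above are only as good as the rules that actually landed in Azure, so it is worth reading them back after deployment. The script below, added here as an example and not part of the dejisec/ad-lab project, pulls the jumpbox NSG rules with `az network nsg rule list` as tab-separated rows and flags any inbound Allow rule whose source is not your admin address or whose port is not 22. The resource group and NSG name are parameters you supply (the Terraform-created NSG name is not given on this page), the VirtualNetwork and AzureLoadBalancer service tags are accepted because Azure's default rules use them, and the sample rows are constructed to imitate the command's output, not real Azure data.

```shell
#!/bin/sh
# nsg-audit.sh: verify that the jumpbox NSG allows inbound traffic only from the
# admin address and only to port 22. Added example, not part of the ad-lab project.

# audit_nsg_rules ADMIN_IP/32 < tsv: reads rows of
#   name  direction  access  priority  sourceAddressPrefix  destinationPortRange
# (the column order produced by the --query below), prints one line per risky
# inbound Allow rule and returns 1 if it found any.
audit_nsg_rules() {
  expected=$1; findings=0
  tab=$(printf '\t')
  while IFS="$tab" read -r name direction access priority src dport; do
    [ "$direction" = Inbound ] && [ "$access" = Allow ] || continue
    case $src in
      "$expected") ;;                         # the admin address: port checked below
      VirtualNetwork|AzureLoadBalancer) continue ;;   # Azure default-rule service tags
      '*'|Internet|0.0.0.0/0|*/0)
        echo "$name (priority $priority): inbound allow from ANY source ($src) to port $dport"
        findings=$((findings + 1)); continue ;;
      *)
        echo "$name (priority $priority): inbound allow from unexpected source $src to port $dport"
        findings=$((findings + 1)); continue ;;
    esac
    [ "$dport" = 22 ] || {
      echo "$name (priority $priority): admin IP allowed to port $dport, expected only 22"
      findings=$((findings + 1)); }
  done
  [ "$findings" -eq 0 ]
}

# sample_nsg_rules: constructed rows in the TSV shape: the intended SSH rule, one
# Azure default rule, and two mistakes a lab user might leave behind (RDP open to
# the world, SSH open to the Internet tag).
sample_nsg_rules() {
  printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
    allow-ssh-from-admin          Inbound  Allow 100   203.0.113.10/32   22 \
    AllowAzureLoadBalancerInBound Inbound  Allow 65001 AzureLoadBalancer '*' \
    allow-rdp-debug               Inbound  Allow 110   '*'               3389 \
    allow-ssh-anywhere            Inbound  Allow 120   Internet          22 \
    deny-all-inbound              Inbound  Deny  4000  '*'               '*' \
    allow-all-outbound            Outbound Allow 100   '*'               '*'
}

# Usage: sh nsg-audit.sh RESOURCE_GROUP NSG_NAME ADMIN_IP/32
if [ $# -eq 3 ]; then
  az network nsg rule list -g "$1" --nsg-name "$2" --include-default \
    --query '[].[name,direction,access,priority,sourceAddressPrefix,destinationPortRange]' \
    -o tsv | audit_nsg_rules "$3"
fi
```

Against the constructed sample the audit reports `allow-rdp-debug` and `allow-ssh-anywhere` and exits 1; against a correctly deployed jumpbox it prints nothing and exits 0. Rules that use the plural `sourceAddressPrefixes` or `destinationPortRanges` fields show up with empty singular columns, so if your NSG uses those, add them to the `--query` projection and to the checks.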

Contributing

Contributions are welcome! Please:

  1. Fork the repository
  2. Create a feature branch (git checkout -b feature/amazing-feature)
  3. Commit your changes (git commit -m 'Add amazing feature')
  4. Push to the branch (git push origin feature/amazing-feature)
  5. Open a Pull Request

License

This project is licensed under the MIT License - see the LICENSE file for details.
