A comprehensive Active Directory testing environment with 150+ intentional security vulnerabilities for penetration testing, security tool validation, and defensive training.

THIS ENVIRONMENT INTENTIONALLY CREATES SEVERE SECURITY VULNERABILITIES

- FOR LAB/TESTING ENVIRONMENTS ONLY
- NEVER RUN IN PRODUCTION
- DO NOT USE ON LIVE SYSTEMS
- CONTAINS KNOWN EXPLOITABLE ATTACK VECTORS

By using this lab, you acknowledge:

- This is for authorized testing only in isolated environments
- You understand the security risks involved
- You will NOT use this in production or on systems you don't own
- You accept full responsibility for any consequences
```text
C:\AD-Security-Lab\
├── Scripts\                          # Core PowerShell scripts
│   ├── Populate-AD-GlobalCorp.ps1    # Main population script (277 KB, 5000+ lines)
│   └── Delete-GlobalCorp.ps1         # Cleanup script
│
├── Documentation\                    # Complete documentation
│   ├── README.md                     # Full feature documentation
│   ├── QUICK-START.md                # 5-minute setup guide
│   ├── DETECTION-GUIDE.md            # PowerShell detection commands
│   ├── VULNERABILITIES.md            # Complete vulnerability catalog
│   └── CHANGELOG.md                  # Version history
│
├── Reports\                          # Auto-generated reports (created at runtime)
│   └── .gitkeep
│
├── Examples\                         # Ready-to-use examples
│   ├── example-small-lab.ps1         # 1K users, 5 min
│   ├── example-standard-lab.ps1      # 12K users, 20 min (RECOMMENDED)
│   └── example-enterprise-lab.ps1    # 50K users, 90 min
│
└── Tools\                            # Utility scripts (future)
    └── (coming soon)
```
- Windows Server 2016+ with Active Directory
- PowerShell 5.1+ (PowerShell 7 compatible)
- Domain Admin privileges
- 2+ GB free disk space
```powershell
# 1. Navigate to the scripts directory
cd C:\AD-Security-Lab\Scripts

# 2. Run the standard lab example (RECOMMENDED)
.\Populate-AD-GlobalCorp.ps1 `
    -TotalUsers 12000 `
    -UltraVulnUsers 7 `
    -TotalComputers 1000 `
    -DefaultPassword "Welcome2024!" `
    -Confirm

# 3. Wait 15-20 minutes...

# 4. View the HTML report (auto-opens)
# Location: C:\ADPopulate_Reports\AD_Population_YYYYMMDD_HHMMSS.html
```

That's it! Your vulnerable AD is ready for testing.
For detailed setup: see Documentation/QUICK-START.md
- 100 to 50,000 users distributed across 20 global metropolises
- Up to 5,000 computer objects (desktops, laptops, VDI)
- 350+ organizational units (continents → cities → departments)
- 95+ security groups with dangerous configurations
- 16 departments with 4-tier management hierarchy
- Service accounts with realistic SPNs and misconfigurations
- ADCS (ESC1-11): All certificate template attacks
- DCSync Rights: Non-admin users with replication rights
- Exchange PrivExchange: CVE-2019-1166 WriteDACL on domain
- GPO Passwords: MS14-025 passwords in SYSVOL
- Unconstrained Delegation: Kerberos delegation abuse
- Obsolete OS: Windows XP, Server 2003/2008
- Credential Exposure: Passwords in descriptions, reversible encryption
- Kerberoasting: SPNs on user accounts
- AS-REP Roasting: Pre-auth disabled
- RBCD: Resource-Based Constrained Delegation
- ACL Abuse: GenericAll, WriteDACL, WriteOwner
- Service Accounts: In Domain Admins, old passwords
- SMBv1: MS17-010 EternalBlue vulnerable
- Kerberoasting → Domain Admin
- AS-REP → Admin Group
- ACL Chain → Domain Admin
- GPO Modification → Code Execution
- ADCS Template → Certificate-based Escalation
- And 5 more documented paths...
- HTML Dashboard: Interactive report with charts and statistics
- CSV Export: Complete user/computer inventory
- Execution Log: Detailed timestamped logs
- Detection Commands: PowerShell commands for each vulnerability
| Lab Size | Users | Computers | Time | Use Case |
|---|---|---|---|---|
| Small | 1,000 | 100 | 5 min | Quick testing, demos |
| Standard (recommended) | 12,000 | 1,000 | 20 min | Recommended for training |
| Enterprise | 50,000 | 5,000 | 90 min | Performance testing, benchmarks |
Recommended: the Standard lab provides the best balance of features and performance.
- Validate vulnerability scanners (BloodHound, PingCastle, Purple Knight)
- Test offensive tools (Impacket, Rubeus, Certipy)
- Practice exploitation techniques
- Benchmark detection capabilities
- AD attack/defense training
- SOC analyst exercises
- Red team/Blue team drills
- Security awareness demonstrations
- Test AD security tools
- Develop detection rules
- Validate remediation scripts
- Benchmark performance at scale
| Document | Description |
|---|---|
| QUICK-START.md | Start here - 5-minute setup guide |
| DETECTION-GUIDE.md | PowerShell commands to find all vulnerabilities |
| VULNERABILITIES.md | Complete catalog of 150+ vulnerability types |
| README.md | Full feature documentation |
| CHANGELOG.md | Version history and updates |
```powershell
# Small lab (5 minutes)
.\Examples\example-small-lab.ps1

# Standard lab (recommended)
.\Examples\example-standard-lab.ps1

# Enterprise lab (90 minutes)
.\Examples\example-enterprise-lab.ps1
```

```powershell
# Delete everything
.\Scripts\Delete-GlobalCorp.ps1

# Verify cleanup
Get-ADOrganizationalUnit -Filter "Name -eq 'GlobalCorp'"
# Should return nothing
```

```powershell
# Find Kerberoastable accounts
Get-ADUser -Filter {ServicePrincipalName -like "*"} -Properties ServicePrincipalName

# Find AS-REP Roastable accounts
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true}

# Find DCSync rights
(Get-Acl "AD:DC=aza-me,DC=cc").Access | Where-Object {$_.ActiveDirectoryRights -match "GenericAll|WriteDacl"}

# See DETECTION-GUIDE.md for 100+ more commands
```
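The one-liners above each find a single vulnerability class. The following script is an added example, not one of the lab's own scripts or anything from DETECTION-GUIDE.md: it sweeps a domain for several of the classes this lab creates (Kerberoastable users, AS-REP roastable users, reversible encryption, password-like strings in descriptions, unconstrained delegation on non-DCs, obsolete operating systems, and replication rights on the domain head) and returns them as objects with a severity, so the result can be exported to CSV or sent to a SIEM. It assumes the ActiveDirectory module, read access to the domain, and that it is run against the lab domain; the severity labels, the description regex and the function names (`Get-LabFindings`, `New-Finding`) are this example's own choices. For the DCSync check it matches the two replication extended-right GUIDs explicitly rather than the broader `GenericAll|WriteDacl` pattern used above, and excludes the principals that hold those rights by default.

```powershell
# Added defender-side sweep (not part of the lab's scripts). Assumes the
# ActiveDirectory module and read access to the lab domain.
Import-Module ActiveDirectory

# Extended-right GUIDs that grant directory replication (the rights DCSync relies on).
$ReplicationRights = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # DS-Replication-Get-Changes-All
)

# Principals that hold replication rights by default; anyone else is a finding.
$domain = Get-ADDomain
$ExpectedReplicators = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    "$($domain.NetBIOSName)\Domain Controllers",
    "$($domain.NetBIOSName)\Domain Admins",
    "$($domain.NetBIOSName)\Enterprise Admins"
)

# Hypothetical helper: one row per finding, so the output is export-friendly.
function New-Finding([string]$Category, [string]$Severity, [string]$Object, [string]$Detail) {
    [pscustomobject]@{ Category = $Category; Severity = $Severity; Object = $Object; Detail = $Detail }
}

function Get-LabFindings {
    $findings = New-Object System.Collections.Generic.List[object]

    # Kerberoastable: SPN on a user account; an old password raises the severity.
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, PasswordLastSet |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        ForEach-Object {
            $days = if ($_.PasswordLastSet) { ((Get-Date) - $_.PasswordLastSet).Days } else { -1 }
            $sev  = if ($days -gt 365 -or $days -lt 0) { 'High' } else { 'Medium' }
            $findings.Add((New-Finding 'Kerberoastable' $sev $_.SamAccountName ("SPN: " + ($_.ServicePrincipalName -join ', ') + "; password age ${days}d")))
        }

    # AS-REP roastable: Kerberos pre-authentication disabled.
    Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' |
        ForEach-Object { $findings.Add((New-Finding 'AS-REP Roastable' 'High' $_.SamAccountName 'DONT_REQ_PREAUTH set')) }

    # Reversible encryption: cleartext password recoverable by anyone who can replicate.
    Get-ADUser -Filter 'AllowReversiblePasswordEncryption -eq $true' |
        ForEach-Object { $findings.Add((New-Finding 'Reversible Encryption' 'High' $_.SamAccountName 'ENCRYPTED_TEXT_PWD_ALLOWED set')) }

    # Password-like strings in description fields (readable by every authenticated user).
    Get-ADUser -Filter 'Description -like "*"' -Properties Description |
        Where-Object { $_.Description -match '(?i)pass(word|wd)?\s*[:=]' } |
        ForEach-Object { $findings.Add((New-Finding 'Credential in Description' 'Critical' $_.SamAccountName $_.Description)) }

    # Unconstrained delegation on anything that is not a domain controller (primary group 516).
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties OperatingSystem, PrimaryGroupID |
        Where-Object { $_.PrimaryGroupID -ne 516 } |
        ForEach-Object { $findings.Add((New-Finding 'Unconstrained Delegation' 'Critical' $_.Name $_.OperatingSystem)) }

    # Obsolete operating systems.
    Get-ADComputer -Filter 'OperatingSystem -like "*"' -Properties OperatingSystem |
        Where-Object { $_.OperatingSystem -match 'XP|Vista|2003|2008' } |
        ForEach-Object { $findings.Add((New-Finding 'Obsolete OS' 'High' $_.Name $_.OperatingSystem)) }

    # Replication (DCSync) rights on the domain head held by unexpected principals.
    $acl = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -notin $ExpectedReplicators -and
            ( $_.ActiveDirectoryRights -match 'GenericAll' -or
              ($_.ActiveDirectoryRights -match 'ExtendedRight' -and $_.ObjectType.ToString() -in $ReplicationRights) )
        } |
        ForEach-Object { $findings.Add((New-Finding 'DCSync Rights' 'Critical' $_.IdentityReference.Value "$($_.ActiveDirectoryRights) ($($_.ObjectType))")) }

    return $findings
}

$results = Get-LabFindings
$results | Sort-Object Severity, Category | Format-Table -AutoSize
$results | Export-Csv -NoTypeInformation -Path "$env:TEMP\AD-Lab-Findings.csv"
```

Run it from an elevated PowerShell session on a domain-joined host; the CSV path is a placeholder you can point at the lab's Reports\ folder. Running the same sweep after Delete-GlobalCorp.ps1 should return an empty list, which makes it a useful cleanup check as well.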
- ADCS Certificate Services (11)
  - ESC1 through ESC11 attacks
  - Vulnerable templates, weak ACLs, dangerous flags
- Kerberos Attacks (15)
  - AS-REP Roasting, Kerberoasting
  - Unconstrained/Constrained/RBCD delegation
- Privilege Escalation (20)
  - ACL abuse (GenericAll, WriteDACL)
  - Nested groups, Operators groups
  - Exchange PrivExchange
- Credential Attacks (18)
  - Password spraying vectors
  - GPO passwords in SYSVOL
  - Weak/old passwords
- Computer Vulnerabilities (24)
  - Obsolete OS (XP, 2003, 2008, Vista)
  - SMBv1, No BitLocker, LAPS issues
- Service Accounts (5)
  - Kerberoastable SPNs
  - Privileged accounts, old passwords
- Attack Paths (10)
  - Complete documented chains to DA
- Advanced (17)
  - Shadow Credentials, AdminSDHolder
  - DCSync, Protected Groups abuse
- Hashtable-based lookups: O(1) manager hierarchy assignment
- Batch processing: Efficient user/group creation
- Progress logging: Track execution every 500 users
- Memory efficient: Handles 50K+ users without issues
- 1,000 users: ~5 minutes
- 12,000 users: ~20 minutes
- 50,000 users: ~90 minutes
- BloodHound: Attack path visualization
- PingCastle: Comprehensive AD audit
- Purple Knight: Security assessment
- Adalanche: Attack path analysis
- Impacket: GetUserSPNs.py, GetNPUsers.py, secretsdump.py
- Rubeus: Kerberos attack toolkit
- Certipy: ADCS exploitation
- PowerView: AD enumeration
- Splunk: Log analysis and detection
- Defender for Identity: Attack detection
- Sysmon: Endpoint monitoring
Typical standard lab (12K users, 1K computers):
- ~11,788 user accounts (distributed by population)
- ~1,200 vulnerabilities total
  - Critical: ~150
  - High: ~400
  - Medium: ~500
  - Low: ~150
- 7 ultra-vulnerable honeypots (70-210 vulns each)
- 350 organizational units
- 95 security groups
- 10 documented attack paths
The lab deliberately creates:

- Known exploitable vulnerabilities (CVE references included)
- Weak passwords (default: "Welcome2024!")
- Dangerous ACL configurations
- Credential exposure in multiple forms
- Certificate misconfigurations
- Outdated/vulnerable systems

Never run it on:

- Production environments
- Live customer networks
- Systems with real data
- Internet-facing systems
- Systems you don't own/control

Always use:

- An isolated lab network (no internet)
- A dedicated test domain
- A snapshot/backup taken before running
- Firewall rules that prevent lateral movement to production
This is a security research and training tool. Contributions welcome:
- New vulnerability types
- Detection improvements
- Documentation enhancements
- Performance optimizations
- Bug fixes
Test thoroughly in isolated environments before submitting.
See CHANGELOG.md for detailed version history.
Current Version: 4.1.0 (January 2026)
- Added 35+ new vulnerabilities
- ADCS ESC1-11 complete coverage
- Attack path documentation
- Service account vulnerabilities
- Performance optimizations
- Quick Start: QUICK-START.md
- Detection Guide: DETECTION-GUIDE.md
- Full Docs: Documentation/README.md
- Examples: see the Examples/ folder
Authors: Fuskerrs, Claude Code (Anthropic)
Version: 4.1.0
Last Updated: January 2026
License: Educational and authorized testing use only
FOR EDUCATIONAL AND AUTHORIZED TESTING ONLY
This tool intentionally creates severe security vulnerabilities. The authors are not responsible for misuse or damage. By using this:
- You confirm this is for authorized testing in isolated lab environments only
- You understand the security risks
- You will NOT use this in production or on systems you don't own
- You accept full responsibility for any consequences
Unauthorized use may be illegal in your jurisdiction.
Ready to build your vulnerable AD lab?

- Read the Quick Start Guide
- Choose your lab size (we recommend Standard: 12K users)
- Run: `.\Examples\example-standard-lab.ps1`
- Test your security tools!
- Practice detection with DETECTION-GUIDE.md

Happy Testing!