GOAD: Vulnerable Active Directory environment for practicing attack techniques
Game of Active Directory (GOAD) is a free pentesting lab. It provides a vulnerable Active Directory environment for pen testers to practice common attack methods.
GOAD-Light: 3 VMs, 1 forest, 2 domains
“When the Zerologon vulnerability surfaced, it highlighted our urgent need for a test lab at work. Furthermore, a training lab became essential to adequately prepare our new pentesters for internal assessments. It’s clear: necessity was the birthplace of this idea,” Mayfly, pentester at Orange Cyberdefense and creator of GOAD, told Help Net Security.
“The community’s feedback has been overwhelmingly positive. I’ve heard of educators in Australia and Brazil repurposing the lab for their classes — an opportunity I wish I’d had during my studies. Many, including my colleagues, utilize it to practice both classic and emerging attack techniques and to prep for specialized certifications like OSCP, CRTE, and OSEP,”
Requirements and download
The total space needed for the lab is ~115 GB (and more if you take snapshots). GOAD is available for free on GitHub.
Keep in mind that GOAD is highly vulnerable by design. Do not reuse its recipes to build your own environment, and never deploy the lab on the internet without ensuring it is isolated.
More open-source tools to consider:
- Mosint: Open-source automated email OSINT tool
- AWS Kill Switch: Open-source incident response tool
- PolarDNS: Open-source DNS server tailored for security evaluations
- k0smotron: Open-source Kubernetes cluster management
- Kubescape 3.0 elevates open-source Kubernetes security
- Logging Made Easy: Free log management solution from CISA
- Wazuh: Free and open-source XDR and SIEM
- Yeti: Open, distributed, threat intelligence repository
- BinDiff: Open-source comparison tool for binary files
- LLM Guard: Open-source toolkit for securing Large Language Models
- Velociraptor: Open-source digital forensics and incident response