Initial commit

.gitignore

@@ -0,0 +1 @@
+*.tfvars

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 Cas van Cooten (@chvancooten)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,29 @@
+# Cloud Labs AD
+
+Provisioning scripts for an Active Directory lab environment. Designed to be deployed to Azure using the Azure cloud shell. Very alpha.
+
+## Setup
+
+## Labs
+
+The idea is as follows:
+
+- Windows Server 2016 DC
+- Windows Server 2019
+    - ADCS enabled
+    - IIS with simple vuln application (webshell?)
+- Windows 10 Client
+    - Defender and logging best practices enabled (sysmon?)
+    - Some EDR?
+- Kali Linux attacker box
+
+At a later point I might add the following:
+- Exchange
+
+## Access
+
+One public IP is exposed for the whole lab. The IP ranges defined in the `ip-whitelist` are allowed to access the following ports on this IP address, which are bound to the following:
+
+- Port 22   -> Kali attacker box SSH
+- Port 80   -> Windows Server 2019 IIS web server
+- Port 3389 -> Windows 10 Client RDP

Terraform/main.tf

@@ -0,0 +1,170 @@
+#
+# INITIALIZATION
+#
+
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 2.98.0"
+    }
+  }
+
+  required_version = ">= 1.1.5"
+}
+
+provider "azurerm" {
+  skip_provider_registration = true
+  features {}
+}
+
+# Get a reference to the existing resource group
+data "azurerm_resource_group" "cloudlabs-rg" {
+  name = var.rg
+}
+
+
+#
+# NETWORKING
+#
+
+# Create a virtual network within the resource group
+resource "azurerm_virtual_network" "cloudlabs-vnet" {
+  name                = "CloudLabs-vnet"
+  resource_group_name = azurerm_resource_group.cloudlabs-rg.name
+  location            = azurerm_resource_group.cloudlabs-rg.region
+  address_space       = ["10.0.0.0/8"]
+}
+
+# Create a subnet within the virtual network
+resource "azurerm_subnet" "cloudlabs-subnet" {
+  name                 = "CloudLabs-subnet"
+  resource_group_name  = azurerm_resource_group.cloudlabs-rg.name
+  virtual_network_name = azurerm_virtual_network.cloudlabs-vnet.name
+  address_prefixes     = ["10.13.37.0/24"]
+}
+
+# Create a network security group for the subnet
+resource "azurerm_network_security_group" "cloudlabs-nsg" {
+  name                = "CloudLabs-nsg"
+  location            = azurerm_resource_group.cloudlabs-rg.region
+  resource_group_name = azurerm_resource_group.cloudlabs-rg.name
+
+  security_rule {
+    name                       = "SSH"
+    priority                   = 1001
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "22"
+    source_address_prefixes    = var.ip-whitelist
+    destination_address_prefix = "*"
+  }
+
+  security_rule {
+    name                       = "HTTP"
+    priority                   = 1002
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "80"
+    source_address_prefixes    = var.ip-whitelist
+    destination_address_prefix = "*"
+  }
+
+  security_rule {
+    name                       = "RDP"
+    priority                   = 1003
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "3389"
+    source_address_prefixes    = var.ip-whitelist
+    destination_address_prefix = "*"
+  }
+
+  security_rule {
+    name                       = "Internal"
+    priority                   = 1004
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "*"
+    source_address_prefix      = "10.13.37.0/24"
+    destination_address_prefix = "*"
+  }
+}
+
+resource "azurerm_subnet_network_security_group_association" "cloudlabs-nsga" {
+  subnet_id                 = azurerm_subnet.cloudlabs-subnet.id
+  network_security_group_id = azurerm_network_security_group.cloudlabs-nsg.id
+}
+
+# Create a public IP address for the lab
+resource "azurerm_public_ip" "cloudlabs-ip" {
+  name                = "CloudLabs-ip"
+  location            = azurerm_resource_group.cloudlabs-rg.region
+  resource_group_name = azurerm_resource_group.cloudlabs-rg.name
+  allocation_method   = "Static"
+  domain_name_label   = "cloudlabs"
+}
+
+# Create a load balancer on the public IP
+resource "azurerm_lb" "cloudlabs-lb" {
+  name                = "CloudLabs-lb"
+  location            = azurerm_resource_group.cloudlabs-rg.region
+  resource_group_name = azurerm_resource_group.cloudlabs-rg.name
+
+  frontend_ip_configuration {
+    name                 = "CloudLabs-lb-ip-public"
+    public_ip_address_id = azurerm_public_ip.cloudlabs-ip.id
+  }
+}
+
+# resource "azurerm_lb_backend_address_pool" "cloudlabs-lb-backend" {
+#   name            = "CloudLabs-lb-backend"
+#   loadbalancer_id = data.azurerm_lb.cloudlabs-lb.id
+# }
+
+# resource "azurerm_lb_backend_address_pool_address" "cloudlabs-lb-backend-ip" {
+#   name                    = "CloudLabs-lb-backend-ip"
+#   backend_address_pool_id = data.azurerm_lb_backend_address_pool.cloudlabs-lb-backend.id
+#   virtual_network_id      = data.azurerm_virtual_network.cloudlabs-vnet.id
+#   ip_address              = "10.0.0.250"
+# }
+
+resource "azurerm_lb_nat_rule" "cloudlabs-lb-nat-ssh" {
+  resource_group_name            = azurerm_resource_group.cloudlabs-rg.name
+  loadbalancer_id                = azurerm_lb.cloudlabs-lb.id
+  name                           = "SSHAccess"
+  protocol                       = "Tcp"
+  frontend_port                  = 22
+  backend_port                   = 22
+  frontend_ip_configuration_name = "CloudLabs-lb-ip-public"
+}
+
+# Create NAT gateway for outbound internet access?
+# https://docs.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-port-forwarding-portal
+
+#
+# WINDOWS SERVER 2016 - DC [10.13.37.10]
+# 
+
+
+#
+# WINDOWS SERVER 2019 - CA and IIS [10.13.37.100]
+#
+
+
+#
+# WINDOWS 10 WORKSTATION [10.13.37.150]
+# 
+
+
+#
+# KALI LINUX ATTACKER BOX [10.13.37.200]
+#

Terraform/terraform.tfvars.example

@@ -0,0 +1,2 @@
+resource-group = "resourcegroupname"
+ip-whitelist   = ["1.2.3.4/32"] 

Terraform/variables.tf

@@ -0,0 +1,10 @@
+variable "resource-group" {
+    type = string
+    description = "The name of the sandbox resource group"
+}
+
+variable "ip-whitelist" {
+  description = "A list of CIDRs that will be allowed to access the instances"
+  type        = list(string)
+  default     = [""]
+}