// the find
Orange-Cyberdefense/GOAD
game of active directory
GOAD is an intentionally vulnerable Active Directory lab you spin up locally (or in AWS/Azure/Proxmox) to practice real AD attack techniques — Kerberoasting, AS-REP roasting, NTLM relay, GPO abuse, ADCS ESC1, unconstrained delegation, SID history abuse, and more. It targets security practitioners who need a safe, legal target to run tools like Impacket, BloodHound, or CrackMapExec against without touching production. Six lab variants let you scale from a 2-VM MINILAB on a laptop to a full 5-VM, 2-forest GOAD.
Multi-provider from day one: the same lab definition deploys to VirtualBox, VMware, Proxmox, AWS, or Azure via Terraform + Ansible, so you're not locked into a hypervisor. The attack scripts are right there in the repo — `asrep_roasting.ps1`, `ntlm_relay.ps1`, `sidhistory.ps1` — functioning reference implementations you can read while you run them. The challenge labs (NHA, DRACARYS) strip out the network map and force you to enumerate blind, which is closer to a real engagement than a guided walkthrough. Active maintenance (last push March 2026) with a v3 rewrite means it hasn't been abandoned like most lab projects.
Windows licenses are the elephant in the room: the free evaluation period is 180 days, after which you either pay or rebuild everything from scratch; this is baked into the README as a known problem with no real solution. Setup complexity is non-trivial: you need Vagrant or Terraform plus Ansible plus the right provider plugins all working together, and first-time failures on provider-specific edge cases are common and poorly documented. The Ansible provisioning takes 30–90 minutes and is not idempotent, so partial failures often require a full teardown rather than a re-run. Binary DLLs committed directly into the repo (the entire Roslyn compiler toolchain under `wwwroot/bin/roslyn`) make `git clone` heavier than it needs to be and are a supply-chain concern if you're pulling updates.
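One way to act on the supply-chain point above, as an added example that is not code from the GOAD repo: record a SHA-256 manifest of every PE binary in the checkout before pulling, then diff it afterwards so new or changed DLLs get reviewed before you provision from them. The function names and the JSON baseline file are assumptions made for this illustration.

```python
import hashlib
import os
import struct


def is_pe(path):
    """True if the file has an MZ header whose e_lfanew points at a PE signature."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            (pe_offset,) = struct.unpack_from("<I", head, 0x3C)
            f.seek(pe_offset)
            return f.read(4) == b"PE\x00\x00"
    except OSError:
        return False


def pe_manifest(root):
    """Map each PE file under root (relative path) to its SHA-256, skipping .git."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not is_pe(full):
                continue
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return manifest


def diff_manifests(before, after):
    """Return (added, removed, changed) sorted path lists between two manifests."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return added, removed, changed


if __name__ == "__main__":
    import json
    import sys
    # Assumed usage: python pe_manifest.py <checkout> [baseline.json]
    current = pe_manifest(sys.argv[1])
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as f:
            print(diff_manifests(json.load(f), current))
    else:
        json.dump(current, sys.stdout, indent=2)
```

Run it once without a baseline and save the output, then run it again with that file after each `git pull`; any path in the added or changed lists is a binary that arrived without reviewable source.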