Welcome! This tutorial will guide you through setting up Game of Active Directories (GOAD) on Proxmox.
There is also the additional challenge of trying to avoid detection by Trapster, our honeypot solution, whose open-source code is available here: https://github.com/0xBallpoint/trapster-community
This guide is heavily inspired by two great tutorials, created by 0xBEN and Mayfly:
We followed these tutorials to get started, but encountered some compatibility issues. That's why we decided to create a tutorial to explain our steps.
Start - After creating a server and installing Proxmox
This tutorial starts after you’ve successfully created your server and installed Proxmox.
Log in to Proxmox and make sure to change your password. Then you can connect to your server over SSH using ssh root@<your_ip>.
We end up on our Proxmox dashboard. I named my node toad, for Trapster + GOAD, but you can use whatever name you want.

Network
Before starting to set up the network, let's verify that there will be no IP conflicts with the lab network we are about to build. Specifically, check that there are no routes already leading to 192.168.10.0, which is going to be our GOAD network.
Use the route command to verify that nothing else is already on 192.168.10.0. If something is, you may have to change the subnet 192.168.10.0/24 in the following steps to avoid problems later. If this is the case, just replace 192.168.10.0 with a subnet like 192.168.30.0/24 in all future steps.
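The same check can be scripted for every subnet the lab will use, not only 192.168.10.0. This is an added example, not part of the original tutorial: it reads ip -4 route show (used here in place of route) and reports any existing route that overlaps a planned lab subnet. PLANNED is taken from the network plan in the next section, and SAMPLE is constructed input with documentation addresses.

```python
import ipaddress
import subprocess

# Lab subnets planned in this tutorial (GOAD network first).
PLANNED = ["192.168.10.0/24", "192.168.20.0/24", "192.168.1.0/24",
           "10.0.0.0/30", "10.10.10.0/24"]

# Route-type keywords that `ip route` may print before the destination.
ROUTE_TYPES = {"unicast", "local", "broadcast", "multicast", "throw",
               "unreachable", "prohibit", "blackhole", "nat", "anycast"}

def parse_destinations(route_text):
    """Yield (network, line) per non-default IPv4 route; bare hosts are /32."""
    for line in route_text.splitlines():
        fields = line.split()
        if fields and fields[0] in ROUTE_TYPES:
            fields = fields[1:]
        if not fields or fields[0] == "default":
            continue  # the default route covers everything; not a conflict
        try:
            net = ipaddress.ip_network(fields[0], strict=False)
        except ValueError:
            continue  # not a route line
        if net.version == 4:
            yield net, line.strip()

def find_conflicts(route_text, planned=PLANNED):
    """Return (planned subnet, route line) pairs whose ranges overlap."""
    plans = [ipaddress.ip_network(p) for p in planned]
    return [(str(plan), line)
            for net, line in parse_destinations(route_text)
            for plan in plans if net.overlaps(plan)]

# Constructed `ip -4 route show` output (documentation addresses for the WAN).
SAMPLE = """\
default via 203.0.113.1 dev vmbr0 proto kernel onlink
203.0.113.0/24 dev vmbr0 proto kernel scope link src 203.0.113.10
192.168.10.0/24 dev eno2 proto kernel scope link src 192.168.10.5
10.10.0.0/16 via 203.0.113.254 dev vmbr0
"""

if __name__ == "__main__":
    try:
        text = subprocess.run(["ip", "-4", "route", "show"], check=True,
                              capture_output=True, text=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE  # fall back to the constructed sample
    for plan, line in find_conflicts(text):
        print(f"CONFLICT with {plan}: {line}")
```

An empty result means none of the planned subnets collide with a route already on the host; any hit names the subnet to renumber before continuing.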

Create Network
We will follow the same network setup as explained in Mayfly's tutorial for Proxmox:
- WAN : 10.0.0.0/30 (10.0.0.1-10.0.0.2) - Proxmox host + pfSense
- LAN : 192.168.1.1/24 (192.168.1.1-192.168.1.254) - this will be the LAN network for pfSense and the provisioning machine
- VLAN1 : 192.168.10.1/24 (192.168.10.1-192.168.10.254) - our GOAD network
- VLAN2 : 192.168.20.1/24 (192.168.20.1-192.168.20.254) - not used in this lab but we will set up in case you want to go further with GOAD
- OpenVPN : 10.10.10.0/24 (10.10.10.0-10.10.10.254) - to connect to the lab
To create the bridges :
- Go to your Proxmox dashboard
- Click onto your Node (toad)
- Network > Create > Linux Bridge
- Create 3 Linux Bridges following the examples given
vmbr1 : WAN

vmbr2 : LAN

vmbr3 : vlans – Make sure to set VLAN Aware

Create the two VLANs
Now create two Linux VLANs following these examples :
vlan10 : VLAN raw device is vmbr3. This will be for the network 192.168.10.1/24

vlan20 : VLAN raw device is vmbr3

Then apply Configuration, and you should end up with this :
Install pfSense
In this section of the tutorial we will set up pfSense, which will be our firewall and router between the networks in our lab.
We can download pfSense directly onto our machine using the Proxmox interface. You can find the link for the latest version of pfSense here : https://repo.ialab.dsu.edu/pfsense/
Find the most recent version (for me it's pfSense-CE-2.7.1-RELEASE-amd64.iso.gz) and copy the download link.
Go to Local -> ISO Images -> Download from URL and paste this URL.

Wait for it to download :

Create a virtual machine for pfSense
Go to Create VM in the top right corner of Proxmox -> select the ISO image we just downloaded for pfSense

Give the VM:
- 4096 for the RAM
- 2 CPUs
- The bridge vmbr1 for the network

After creation we will give access to the two other bridges to have pfSense connected to all of our networks and allow routing between them.
Click on the created VM -> Hardware -> Add -> Network Device and select vmbr2 for the bridge

Repeat for vmbr3 so that in the end you have vmbr1, vmbr2 and vmbr3 all connected as network devices.
pfSense Installer
Once the VM is created, we can start it and follow the pfSense installation process. I followed the Guided Root-on-ZFS option.

I chose stripe for the disks and then rebooted into the installed system once finished.
Set up pfSense
From within the pfSense console we can set the interfaces.
When prompted:
- Should VLANs be set up now [y|n] : n

When prompted :
- for the WAN interface: vtnet0
- for the LAN interface: vtnet1
- for the OPT1 interface: vtnet2
Then say yes to proceed and it should start configuring the interfaces

Start setting the interface IP addresses

Once you reach the Welcome to pfSense section, select option 2) Set Interface(s) IP address in the pfSense terminal
Start by setting WAN: 1
- Configure IPv4 address WAN interface via DHCP? n
- Enter the new WAN IPv4 address : 10.0.0.2
- Give the subnet bit count: 30
- Set the new WAN IPv4 upstream gateway address: 10.0.0.1
- Should this gateway be set as the default gateway? n
- Configure IPv6 address WAN interface via DHCP6? n
- Enter the new WAN IPv6 address, <ENTER> to give none: <ENTER>
- Do you want to enable the DHCP server on WAN? n
- Do you want to revert to HTTP as the webConfigurator protocol? y

Now we can set up LAN

- Configure IPv4 address LAN interface via DHCP? n
- Enter the new LAN IPv4 address: 192.168.1.2
- Enter the new LAN IPv4 subnet bit count: 24
- For a WAN, enter the new LAN IPv4 upstream gateway address. For a LAN, press <ENTER> for none : <ENTER>
- Configure IPv6 address LAN interface via DHCP6? n
- Enter the new LAN IPv6 address. Press <ENTER> for none: <ENTER>
- Do you want to enable the DHCP server on LAN? y
- Enter the start address of the IPv4 client address range: 192.168.1.100
- Enter the end address of the IPv4 client address range: 192.168.1.254
We are notified that we can now access the pfSense webConfigurator at http://192.168.1.2

Set up SSH access
We forward a local port to http://192.168.1.2 so that we can configure pfSense through its web GUI. We haven't set up the provisioning VM yet, but we can go ahead and create the SSH shortcut for it now.
Modify ~/.ssh/config to add the following:
Host goadproxmox
    User root
    Hostname XXX.XXX.XXX.XXX
    Port 22
    IdentityFile ~/.ssh/id_rsa_goad
    LocalForward 8082 192.168.1.2:80
Host goadprovisioning
    User root
    Hostname 192.168.1.3
    Port 22
    IdentityFile ~/.ssh/id_rsa_goad
    ProxyJump goadproxmox
Now run ssh goadproxmox and you can connect at http://127.0.0.1:8082/


pfSense Wizard Setup
We are working on the pfSense homepage that we reach through the ssh goadproxmox port forward. Your page should be at http://127.0.0.1:8082
At the login for pfsense use:
- username: admin
- password: pfsense

Now follow the wizard for pfsense setup

- The WAN interface configuration should match what you've already entered; leave it as IP Address 10.0.0.2 /30
- Uncheck Block RFC1918 Private Networks but keep Block bogon networks checked
- Leave LAN as 192.168.1.2/24
- Change the admin password
- Click reload to save the configurations

Go to System > Advanced > Networking and disable hardware checksum offloading. Note that the system has to be rebooted for this setting to change.

Firewall
I am following all of Mayfly's rules here for the firewalls.
Firewall -> Rules -> WAN
Allow IPv4 TCP traffic from 10.0.0.1 to LAN address port 80 to give access to the pfSense GUI.

Change the iptables rules on the ssh connection to proxmox
I had some issues with this part. If in the future your Proxmox isn't routing packets correctly, try deleting the rules and rerunning these commands.
Run ssh goadproxmox to connect to the proxmox and run the following :
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -i vmbr0 -p icmp -j ACCEPT
iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 8006 -j ACCEPT
iptables -t nat -A PREROUTING -i vmbr0 -j DNAT --to 10.0.0.2
iptables -t nat -A POSTROUTING -o vmbr0 -j SNAT -s 10.0.0.0/30 --to-source MYPUBLICIP_HERE
I recommend installing net-tools (apt install net-tools) to check that the routes are correct:
apt install net-tools
route
Then save the iptables rules:
iptables-save | sudo tee /etc/network/save-iptables
Finally, open /etc/network/interfaces and add the post-up line below so that the saved rules are restored when the interface comes up:
vim /etc/network/interfaces
post-up iptables-restore < /etc/network/save-iptables
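Because iptables -A always appends, rerunning the commands above can leave duplicate rules, or an ACCEPT exemption sitting after the catch-all DNAT where it never matches and SSH or port 8006 gets forwarded to pfSense instead. This added example (not from the original tutorial or from Mayfly's) audits the nat PREROUTING chain as printed by iptables-save -t nat; the function names and the SAMPLE text are constructed for illustration.

```python
import shlex
from collections import Counter

# Traffic the tutorial keeps on the Proxmox host: ICMP, SSH (22), web UI (8006).
EXPECTED_ACCEPTS = [("icmp", None), ("tcp", "22"), ("tcp", "8006")]

def opt(tokens, flag):
    """Return the value following `flag`, or None when the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def audit_prerouting(save_text, iface="vmbr0"):
    """Return findings for the nat PREROUTING rules bound to `iface`."""
    rules = [shlex.split(line) for line in save_text.splitlines()
             if line.startswith("-A PREROUTING ")]
    rules = [r for r in rules if opt(r, "-i") == iface]
    findings = []
    # First catch-all DNAT (no protocol match): rules after it never match.
    dnat = next((i for i, r in enumerate(rules)
                 if opt(r, "-j") == "DNAT" and "-p" not in r), None)
    if dnat is None:
        findings.append("no catch-all DNAT rule")
    for proto, port in EXPECTED_ACCEPTS:
        label = proto if port is None else f"{proto}/{port}"
        pos = next((i for i, r in enumerate(rules)
                    if opt(r, "-j") == "ACCEPT" and opt(r, "-p") == proto
                    and opt(r, "--dport") == port), None)
        if pos is None:
            findings.append(f"missing ACCEPT for {label}")
        elif dnat is not None and pos > dnat:
            findings.append(f"ACCEPT for {label} comes after the DNAT")
    for rule, count in Counter(" ".join(r) for r in rules).items():
        if count > 1:
            findings.append(f"duplicate x{count}: {rule}")
    return findings

# Constructed `iptables-save -t nat` excerpt: the commands were rerun after a
# partial cleanup, so one exemption is duplicated and one follows the DNAT.
SAMPLE = """\
*nat
-A PREROUTING -i vmbr0 -p icmp -j ACCEPT
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 22 -j ACCEPT
-A PREROUTING -i vmbr0 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -i vmbr0 -p icmp -j ACCEPT
-A PREROUTING -i vmbr0 -p tcp -m tcp --dport 8006 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    print("\n".join(audit_prerouting(SAMPLE)))
```

On the host, feed it the real chain by passing the output of iptables-save -t nat to audit_prerouting; an empty list means the three exemptions precede the DNAT and nothing is duplicated.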
Set up VLANs
We will now add the two VLANs. Go to Interfaces -> VLANs -> Add
VLAN10 :
- Parent Interface = opt1
- VLAN tag 10
- Description: VLAN10

VLAN20 :
- Parent Interface = opt1
- VLAN tag 20
- Description: VLAN20

Go to Interfaces -> Interface Assignments and add VLAN10 and VLAN20 to the available network ports.
Modify OPT2(vtnet2.10) by clicking Interfaces > OPT2(vtnet2.10)
- Description: VLAN10
- Select enable interface
- IPv4 configuration type = static IPv4
- IPv4 address = 192.168.10.1/24
- Block bogon networks

Modify OPT3(vtnet2.20)
- Description: VLAN20
- Select enable interface
- IPv4 configuration type = static IPv4
- IPv4 address = 192.168.20.1/24
- Block bogon networks

Add DHCP to VLANs
For GOAD, several IPs are reserved and static, so the DHCP server pool runs from 192.168.10.100 to 192.168.10.254
- Services -> DHCP server -> VLAN10
- Enable DHCP server on VLAN10 Interface
- Address pool range : 192.168.10.100 to 192.168.10.254
- Do the same for VLAN20 with range 192.168.20.100 to 192.168.20.254

Add Firewall
*Note: Mayfly's tutorial uses LAN NET, which doesn't exist in this version; use LAN subnet instead.
Create an alias:
Firewall > Aliases > Edit
Name: INTERNAL
Network:
192.168.1.1/16, 10.0.0.1/30, 10.10.10./2

Allow only these networks

Add a rule to allow SSH to the future provisioning CT