Tales to Redteam Ops - CRTP Review

Vanitas
6 min read · Jul 11, 2020


Two months ago, I saw that many people in the InfoSec field on LinkedIn had enrolled in a red team hacking course. Most of them recommended that I jump into the Pentester Academy course. I tried to read other reviews of the lab and certification, and saw that most of them gave positive feedback.

Since I have less knowledge of Active Directory security, I thought it would be great if I could raise my skill set in this area through hands-on lab practice. That’s why I decided to jump into this course. If you are interested in this course, I hope my review will be useful for you.

[0x00] Introduction :
Attacking and Defending Active Directory is one of the Windows Red Team Labs from Pentester Academy, which aims to teach attendees to understand Active Directory security. They provide Active Directory security knowledge from zero. Not only the attack simulation part: they also guide you on how to mitigate, monitor, or prevent misconfiguration issues. The course provides around 14 hours of video content and lab material. It is very beginner FRIENDLY. Attendees can walk through the video and the lab themselves without any hints from the lab support team. They need to pass a hands-on examination to complete the course and get the Certified Red Team Professional certificate.

[0x01] Course Objective :
This course provides you with LOTS of Active Directory knowledge. I REALLY recommend it to anyone who needs to know about Active Directory security. No kernel exploitation is needed here, only Active Directory misconfiguration. Attendees gain knowledge about:

1. Basics of Active Directory components (such as GPOs, ACLs, Domains and Forests)
2. Active Directory Enumeration
3. Bypassing AMSI
4. Credential Dumping
5. ACLs Abuse
6. Windows Local Privilege Escalation
7. Lateral Movement
8. MSSQL Server Abuse
9. Domain Privilege Escalation
10. Domain Persistence Techniques
11. Domain Trust Abuse
12. Cross Domain / Forest Attack Privilege Escalation Abuse
13. Forest Persistence Techniques

You attack with an “Assume Breach” mindset from internal access and perform adversary simulation in the Active Directory lab environment.

Even though you get Red-team techniques, you are also able to gain Blue-team knowledge from the instructor too. This course provides the defense methodology you need to know, such as how to monitor these attack techniques or how to prevent them from abusing Active Directory. In my own opinion, it would be beneficial for Blue-teamers to know every technique in this course in order to realize how to monitor for the threat events.

[0x02] Lab Overview :
There are a few domains in the lab. Attendees begin as a low-privileged domain user with their own client computer. The objective of the lab is for attendees to escalate themselves from a low-privileged domain user to Enterprise Admin level. Attendees need to find a way through the child domain, escalate to Domain Admin, abuse domain trusts, and finally gain Enterprise Admin via cross-domain abuse.

In my opinion, the greatest section of the lab is about persistence techniques. Most pentesters focus on how to gain Domain Admin privilege, and then they can end the game. But for a Red-teamer or threat actor mindset, it is only the beginning once they gain Domain Admin. You need to focus on how to be “stealthy” or “hide” from defenders catching you, then try to move laterally to gain juicy data from victims and exfiltrate the valuable information to C&C. The lab teaches you several ways to persist on the domain / forest after you have compromised a Domain Admin / Enterprise Admin account.

[0x03] Exam Challenge :
If you have passed the OSCP, it is similar. They give you 24 hours for a fully hands-on examination. I can’t disclose too much detail in this section. Your task is to compromise all 5 servers (not including your own client from the start) in the exam environment with any level of command execution privilege (Yeah, you don’t need to escalate to administrator privilege. A normal user with a proof-of-command-execution screenshot should be fine). Attendees can use any tools they want in the exam but need to explain how they were used and what they were used for in the exam report. I found some tricky parts at the beginning of the exam. I spent 3 hours on pure enumeration without being able to exploit or abuse anything, until I realized how the first box could be abused. All of the rest were pretty straightforward.

After the exam period expires, you have 48 hours to write your report with whatever report template you want. You need to provide a step-by-step walkthrough from the beginning in the report with proof screenshots of command execution on each server you got during your exam period, and fill in details of how to mitigate or prevent the security issues you found on each server.

From the course outline, they say you can pass the exam even if you only got 3 servers. But your report must be of “great enough quality”. There are no guaranteed points for the reporting part; it depends on the exam instructor’s judgement only.

And after submitting the exam report, all you can do is sit back, drink coffee, and wait around 48 hours. If the exam conditions are met in your report, you will certainly get a congratulations e-mail with your certificate credential, like me.

[0x04] Resources :
In this section, I will provide some essential tools and some blogs / websites I really recommend reading, as below.

Essential tools :
- BloodHound
- PowerView (harmj0y — Will Schroeder)
- Mimikatz
- PrivescCheck (itm4n — Clement Labro)
- PowerUpSQL
- Nishang (The instructor of this course — Nikhil Mittal)
- Kerberoast
- PowerCat
- Kekeo

Resources :
- adsecurity.org (Sean Metcalf)
- harmj0y blog (Will Schroeder)
- www.stealthbits.com
- ired.team

[0x05] FAQs :

Q : Is it worth the money?
A : Definitely yes.

Q : Is it okay if I have never known about Active Directory security?
A : It would be fine, but at least you need to be familiar with or know the basics of Windows hacking methodology, and Offensive PowerShell will be an advantage. No Linux knowledge is required in this course.

Q : Which package or how many days package should I enroll?
A : It depends on your situation and base knowledge. To be honest, I think 30 days would be fine and enough if you have 2–3 hours/day to study.

Q : How to prepare for this course?
A : Study and do research from the blogs / websites in my resources section. You will gain lots of prerequisite knowledge to continue in the course.

[0x06] Pros and Cons :

Pros :
- Completely hands-on lab and examination
- Very beginner friendly step-by-step walkthrough
- Realistic attack simulation scenario
- Quick response from Lab Support Team

Cons :
- Not much challenge in the lab (compared to the PWK of OSCP)

- That’s all for CRTP. Until next time -

P.S. : If you have any further questions, you can DM me on my Twitter (https://mobile.twitter.com/vanitasnk)
