The CRTP and Active Directory

Gritters
5 min read · Jan 2, 2022
The course from Pentester Academy

After passing the OSCP, I was lucky enough to land a job as a penetration tester. While the OSCP and eLearn courses I’ve taken were great introductions to the world of pentesting, I noticed that I struggled at times with Active Directory enumeration and exploitation. My AD methodology wasn’t fully fleshed out and I relied on dropping an unobfuscated Mimikatz binary onto disk way too much. Needless to say, this isn’t going to work in the vast majority of engagements, and I needed to up my game and understanding when it came to AD. This is where Attacking and Defending Active Directory, a course from Pentester Academy, comes into play.

I had heard great things about the course and its associated certification, the CRTP. At the cheap price point of $250, I purchased the course along with 30 days of access to the labs. I was able to pass the exam and obtain the CRTP certification after submitting a 30-page report. I thoroughly enjoyed the course and really improved my methodology when it comes to Active Directory enumeration and exploitation. Throughout the rest of this post, I’ll detail my thoughts about the course, lab and exam.

**Course Material**

The Attacking and Defending Active Directory course is taught by Nikhil Mittal, the creator of the Nishang framework. Needless to say, Nikhil is a highly respected expert in the field and is also a great teacher, as shown throughout the course. The course comes with roughly 25 videos detailing various methods and means to enumerate and exploit misconfigurations in Active Directory. Along with the videos, the slides are provided in a PDF that you can use as a reference or follow along with during the videos.

One thing that I appreciated about the course is that you can choose when to start your lab time rather than it ticking down immediately upon purchase. I elected to have 30 days to go through the course materials and then start my lab time 30 days after purchase. Looking back, I probably only needed two weeks or so to go through the materials, as I spent roughly 2 hours each night after work on the materials and a few hours each weekend, and I could have started my lab time sooner.

The course covers a variety of topics, from enumeration using PowerView, PowerShell, BloodHound and Mimikatz to unconstrained and constrained delegation, AMSI bypasses and more. Not only does the course provide multiple ways to achieve an objective, it also provides the why. I found this to be really helpful when building out my methodology. The course content does a great job of starting with the basics and helping the student progress to more advanced topics later in the course.

While I already had a pretty good knowledge of AD from an administrative standpoint, I learned new things from every section in the course. I feel like the materials really upped my game as a pentester and I can see myself using the materials provided for months, if not years, to come as I hone my methodology for Active Directory environments.

**Lab**

The lab is a multi-domain environment with a handful of computers, servers, groups and users to enumerate and work through. Students can access the lab through a VPN or through their web browser, which was really convenient. Rather than needing to exploit a machine to gain an initial foothold, the labs take an assumed-breach perspective and provide the student with access to a Windows workstation with valid domain credentials.

At the end of each section in the course, the instructor provides learning objectives or tasks to complete to help solidify what was taught in that section. A typical objective could be, “using both PowerView and the PowerShell AD module, enumerate all users in the Domain Admins group” or “using BloodHound, find misconfigurations in the student user group”. In the course materials, lab walkthroughs are provided in both PDF and video formats if you get stuck, and to verify that you’ve taken the correct steps to complete the objectives. I found the course objectives completed in the lab to be really great in solidifying the concepts taught throughout the course. Even before taking the exam, I found myself incorporating things I learned in the lab into my security engagements for clients at work.

**The Exam**

The exam takes a hands-on approach where the student is given access to a workstation in an assumed-breach scenario and, within 24 hours, is required to compromise the six servers in the forest and achieve Enterprise Admin rights. Another 24 hours is allocated after the assessment to write up a report.

I started the exam at 10 AM and was able to progress fairly quickly at the beginning, and I had my first compromised host in roughly an hour. This is where I ran into a pretty solid roadblock, and it took me three to four hours to compromise the second host. Without giving away too much, I had missed some critical steps in my enumeration process, and once I went back through my methodology, I found what I had missed. After compromising the second host, I was able to pivot and move through the rest of the domain, achieving Enterprise Admin rights in about four hours, for a total of eight hours spent in the exam. I then went back through and made sure I had solid notes and screenshots for my report. I spent the rest of the evening finishing up the report and fired it off to the Pentester Academy team. I heard back from them a week later, Christmas morning, that I had passed!

**Overall Thoughts**

I really enjoyed this course. The quality of the content and labs makes the $250 price point feel like a steal. I’ve already started to incorporate what I’ve learned into my assessments at work and it’s made a difference in the value I can bring to clients. I took the course in preparation for my next goal, the OSEP, but I was surprised by the value the course provided me. I’d highly recommend it to anyone who is looking to beef up their Active Directory pentesting knowledge.


Gritters

A tech enthusiast with a passion for cybersecurity, pentesting and all things security