Pentester Academy - Certified Red Team Professional Cert & Exam Review
In March of 2020, I signed up for the Attacking and Defending Active Directory red team labs course by Pentester Academy. I’ve been doing red teams for a couple years so I wanted to fine-tune and improve those skills further for Active Directory attack techniques.
This is the first red team course by Pentester Academy as part of their initiative to create red team labs and certs. The course covers everything from tools and techniques, AD environments and fundamentals, Kerberos, persistence, Domain and Enterprise Admin attacks and more. It is a technical course and certification which is fully hands on and is tons of fun since you get your hands dirty with all sorts of complex AD attacks. The Course
You can sign up for the course lab for 30, 60 or 90 days with extensions if needed. Upon signing up and paying I got access to the lab and content within a day or two. The content is all in PDF and video format and taught by Nikhil Mittal. He is the creator of multiple AD attack-related tools and he’s spoken and taught at conferences like Blackhat and Defcon.
The general idea of the course is to emulate an adversary who already has internal access to a network (aka the “assumed breach” phase of a red team). There is no actual exploitation of vulnerabilities in the course - only abuse of functionalities and normal configurations in AD. The lab gives you a good understanding of an example AD environment with multiple domain forests and trusts and several Domain Controllers and different types of machines to target.
The course content generally covers:
- PowerShell and AD
- Domain trusts and domain enumeration
- Credential replay attacks
- Privilege escalations
- Credential dumping
- Kerberos attacks
- Cross-forest trust attacks
- Delegation issues and AD persistence techniques
- SQL server trusts
- Defending and detecting against attacks
The course tools are VERY heavy on PowerShell, PowerView, Microsoft’s AD module, Bloodhound and some other tools but those are the critical ones. By the end of it I was able to run tools and commands as if it were second nature.
The lab is a good size but not too big and may only take a a couple weeks to a month depending on your time commitment and motivation. I’d highly recommend understanding the material and exploitation techniques in order to properly learn the content instead of just copy/pasting commands. It really helps in the exam to know the actual technical fundamentals and understandings of the tools, attacks, what they do and why they work in order to pass.
After 2 months of lab I was ready for the exam. I had gone over all the videos and content several times, practiced with various tools and tactics used, and owned all machines multiple times using the course book and on my own.
I had reviewed some key content before the exam to prep which included:
- Enumeration, enumeration and enumeration!!! Trust me when I say to know your enumeration tools, commands and what you’re looking at in the output!
- Credential dumping with Mimikatz
- Credential replaying with Mimikatz
- Kerberoasting
- SQL server attacks
The Exam
The exam is somewhat like the OSCP except you don’t have to exploit anything. It is definitely tricky and mean to deter you. Similar to the OSCP, you have to enumerate EVERYTHING. I definitely spent the most time enumerating and the remainder exploiting, taking notes and then writing the report.
The exam itself is 24 hours and then you will have the following 48 hours to produce your pentest report with detailed findings and recommendations. The more details/references/steps/screenshots/links/recommendations the better.
Similar to the course, the goal is to take advantage of misconfigurations and valid functionality in AD in order to own all systems. There are 5 machines total in the exam to own. You may still pass if you only own 3 or 4 and produce a high-quality report, and if you own everything then my understanding is the report can be somewhat less thorough. However, exploitation steps should be well detailed with thorough recommendations if you want to guarantee your chances of passing like I did.
Some general tools I found very helpful in the exam:
- PowerView
- AD Module
- Invoke-Mimikatz
- Invoke-Kerberoast
- PowerUp
- PowerUpSQL
- Rubeus
- Bloodhound
After spending hours and hours enumerating a ton, once I figured out the first few attack paths and mapped the entire network I was able to pop the first couple machines. After that, all the machines started to drop like flies as I owned them one by one. At the end of the exam I had owned all machines and was on my way to working on the report. After the first 24 hours of the exam, I spend about another half a day on the report while taking my time and making sure I included everything.
Pro tip: Don’t forget to sleep, take breaks, eat healthy-ish food and get some air to clear your head when you’re stuck!
After submitting a full PDF report I received a confirmation email from the lab team. 2 days later and I received the congratulatory email that I had passed!
I’m happy to say I thoroughly enjoyed the course and especially the lab and exam. I got to develop and fine-tune my AD attack skills to gain a better understanding of attacks and tools which will come in handy in future red teams! Thanks to Pentester Academy and Nikhil Mittal :)