A CRTP Journey

We followed the course “Attacking and defending Active Directory” and passed the CRTP certification. We wrote this short review to share our feedback and our student experience with you.

Certified Red Team Professional

The Certified Red Team Professional is a completely hands-on certification. To be certified, a student must solve practical and realistic challenges in their fully patched Windows infrastructure labs containing multiple Windows domains and forests.

Course content

The course “Attacking and defending Active Directory” is based on a realistic Active Directory environment with workstations and specific servers such as SQL servers or orchestrators. All these machines run Windows Server 2016, are fully patched and are protected by Microsoft's built-in security mechanisms.

The main goal of this course is to gain a good understanding of misconfigurations and how to exploit or abuse them for privilege escalation, domain compromise and domain dominance.

The course structure is roughly like this:

The course shows how to use some techniques, how to bypass some protections and how to use tools, mainly in PowerShell, that you can reuse in a red team context.

Well-known techniques for abusing a domain are covered:

Video material is provided by PentesterAcademy and we really recommend you watch it! The videos are made by Nikhil Mittal, an AD guru who has given many talks on the subject, including at the DEF CON conference. All tools are also provided in the lab environment, but to be honest they are not up to date: on our side we used the latest versions of these tools, mostly available on GitHub.

In the lab, you start as a regular domain user and, step by step, you obtain local admin and then domain privileges, maintain persistence with those privileges and escalate to another domain and forest.

The lab is deployed on the AWS platform, so you can choose your region, and you can access it either over VPN or through a web interface built on Apache Guacamole.

For more information, please consult the PentesterAcademy page: https://www.pentesteracademy.com/activedirectorylab

Exam

The certification challenges a student to compromise Active Directory by abusing features and functionalities without relying on patchable exploits. Students will have 24 hours for the hands-on certification exam.

During the exam, students are provided access to an individual Windows environment, which is fully patched and contains the latest Windows operating systems with configurations and privileges like a real enterprise environment.

The exam lab has 5 target servers which are spread across domains and have different configurations and applications running on them. When you start, you get access to a student VM in the lab and that does not count as a target server. The goal of the exam is to get OS command execution on all the target servers and not necessarily with administrative privileges.

You must submit your report within 48 hours of your exam lab time expiring, and the report must contain a detailed walkthrough with your approaches, the tools used and proofs. Note that no tools are provided on the exam VM, so bring your own toolbox.

We took the exam over a weekend, with Saturday dedicated to the lab and Sunday to writing the report. We started the lab at 9 am and it took us 10 hours (with some breaks) to compromise all machines and partially write the report, as we chose to write the report in parallel in order to collect evidence as we went along. We spent Sunday morning detailing the attacks carried out and formatting the report. As stated on the exam platform:

  • Please note that even if you have compromised all the target machines, a poor-quality report may result in not clearing the exam. By reading your report, we must get an idea of your methodology and attacker mindset. You need to explain ‘why’ a command or tool worked.

With hindsight, the time allowed is enough if you have worked seriously on the training and the lab: no bad surprises. Please keep in mind that reconnaissance is the key to success: at the beginning, take the time to enumerate and analyze the results, as several findings will be useful later on.

Moreover, you sometimes have to take a step back before finding an attack path that makes sense. This is what makes the exam very realistic.

Course and Exam Pros and Cons

This course was fun because it is realistic, well documented and you are guided throughout. When you finish the training, the acquired skills are directly useful, and you can quickly apply them during penetration tests. Moreover, the Pentester Academy team is responsive and available if you have questions or run into difficulties.

We learned a lot from the CRTP; it is a really good introduction for anyone interested in Active Directory and its security, especially at $249.

The only negative point concerns platform stability: we had some trouble at a few moments during the practice lab, when the Active Directory was unavailable or the RDP access to the student machine was completely broken. In these cases, the only option is to contact support, but they answered very quickly, in less than one hour and most of the time within ten or twenty minutes.