Certified Red Team Professional - Review
Introduction
Since I had been conducting a lot of Internal Infrastructure assessments, primarily goal-based Active Directory engagements, in 2019 and early 2020, I had been snooping around for an Active Directory attack related course that would broaden my perspective on attacks and their mitigations.
In early 2021, I reviewed the course syllabus and liked the idea that the course and exercises revolved around manual exploitation techniques in a fully patched environment. The course was available with 30, 60 and 90-day lab access windows. At the time of enrolling I already had a fairly in-depth grasp of Active Directory and its associated attacks through participation in some Red Teaming exercises, so I took the 30-day option, which was discounted at the time and cost $249 for a month's access to the practical labs and an exam attempt. The other material, such as the videos and the PDF document, remained available even after the lab access expired.
Course Overview
The course relied on vulnerabilities that could be manually exploited through misconfigurations across the Active Directory environment. As the environment is fully patched, all that's needed is PowerShell access, which adds to the learning value. The following were the core topics covered at the time of my enrolment.
Active Directory enumeration
Local privilege escalation
Domain and forest privilege escalation
Domain and forest persistence
Trust attacks
Auditing and defending
The course teaches how to find security loopholes in Active Directory and how to abuse them. Beyond exploitation, it also teaches mitigation and defensive techniques against the attacks it covers.
Course Content
The course material is very intuitive and the content is explained thoroughly. There are learning objectives to complete after each phase of the learning, and if you are stuck a walkthrough handbook is provided to ensure that the student understands how to solve the objective. For me personally, I went over the objectives about 7 times with the slides and the videos in sync. To keep things tidy, I made notes of all the techniques, commands and any diagrams of the network. I take my notes in Notion, but you are free to use any note-taking utility you please (note-taking helps build muscle memory for the content you are trying to learn).
Lab Access and Support
The lab access is provided through an OpenVPN certificate or through Apache Guacamole (remote access through a web browser). I completed all my objectives and practised over the Apache Guacamole web access. I do suggest setting up OpenVPN access as well, just so you have a failover/backup access method.
Without giving any spoilers, you are provided with a Windows machine in an assumed breach scenario. This machine is then used as your attacking machine to escalate privileges, pivot and eventually gain Domain Admin! The other machines are split up across multiple domains and forests, and you'll find application and SQL servers as well as domain controllers. During your enumeration, you might find student machines belonging to other users; these are strictly out of the scope of the lab and the exam.
The lab and exam access support are both pretty quick. I took my exam from the European timezone while Lab Support is in the Indian/Asian timezone, and they were kind and quick to answer. A few items stopped working in my lab and my machine got disassociated from the AD environment; they were kind enough to fix this for me pretty quickly!
The Exam
The exam can be scheduled anytime with a click of a button! Yes, you read that right. Once on the student portal, you can schedule the exam whenever you are ready by clicking the 'Start Exam' button. The course comes with 1 exam attempt included in its price, and once you click the 'Start Exam' button, it takes about 10-15 minutes for the OpenVPN certificate and Guacamole access to become active. The practical exam is 24 hours, and an additional 24 hours are provided to prepare a detailed report of how you went about enumeration, exploitation and any pivoting you attempted. Moreover, the examiner also expects detailed mitigations for all issues you found and exploited. Out of the 24 hours of practical, I used about 16 hours; the rest I spent sleeping/eating or just plainly procrastinating. The report writing was quick enough, taking about 4-5 hours of writing, polishing up and a quality check for grammar, alignment and aesthetics.
Conclusion
I received the amazing news of passing the exam about 1.5 after I submitted the report!
Overall, I think the course is a really good head-start if you plan to dive into Active Directory attacks. If you already have a basic grasp of it, I would suggest 30 days, but if you are a total beginner then 90 days is a good option to ensure you have ample time to grasp the concepts and practise them during lab access. The course is one of the few AD attack courses out there, and the lab and exam access are both stable. Some minor roadblocks are that they require a Google account to provide you with access, and some video and slide materials differ in terms of methods/commands (but that's not a major drawback, considering you should be technically capable enough to know what the command does). In conclusion, a great course to take. As always, enumeration is a major key!