W200 Syllabus - Active Directory Penetration Testing

The W200 course equips participants with essential skills for conducting penetration tests within Active Directory environments. Through meticulously designed technical labs and simulated enterprise scenarios, students will delve into the inner workings of Active Directory, privilege escalation vectors, and common misconfigurations that adversaries may exploit.

By the conclusion of the course, participants will be adept at identifying, exploiting, and documenting security vulnerabilities and providing actionable remediations. This training empowers learners to become impactful consultants who can effectively mitigate risks in Active Directory, discern between inconsequential findings and those that pose significant threats to business operations, and deliver strategic guidance to clients.

Syllabus

Introduction to Active Directory

  1. Overview of Active Directory (AD)
  2. Key terminologies, components, and architecture of AD
  3. Common services in Active Directory environments (e.g., SMB, DNS, Kerberos, LDAP)
  4. Roles and responsibilities of domain controllers
  5. Understanding forests, domains, organizational units (OUs), and trust relationships
  6. Authentication mechanisms in Active Directory (NTLM & Kerberos)
  7. Understanding daily operations within Active Directory
  8. Integration of Linux systems with Active Directory
  9. Integration with Entra ID (formerly Azure AD)

The Role of a Penetration Tester

  1. Understanding the pentester’s role in security assessments
  2. Objectives and scope of internal network assessments
  3. Distinctions between Red Team Operations and Internal Penetration Tests
  4. Industry reporting standards (MITRE ATT&CK, OWASP Top Ten, CVSS, NIST SP 800-115)

Authentication in Active Directory

  1. Authentication using NTLM (e.g., Pass-the-Hash)
  2. Authentication using Kerberos (e.g., Pass-the-Ticket, Overpass-the-Hash)
  3. Authenticating to SSH with NTLM and Kerberos
  4. Credential delegation mechanisms (GSSAPI)
  5. Evaluating tool limitations (Linux vs. Windows)
  6. Understanding the importance of interoperability (.kirbi vs. .ccache)

Breaching the Perimeter (Unauthenticated Enumeration)

  1. Disclaimer on assumed breach scenarios
  2. Reconnaissance and network scanning techniques
  3. Service enumeration and guest/anonymous authentication
  4. User identification via Kerberos
  5. Password spraying techniques
  6. Traditional attack vectors (e.g., RCE via Command Injection)
  7. Transitioning from RCE to obtaining a Ticket Granting Ticket (TGT)

Active Directory Enumeration (Authenticated Enumeration)

  1. Overview of the Active Directory landscape
  2. Manual LDAP queries
  3. Introduction to BloodHound and various ingestors
  4. Utilizing PowerView (from Windows and Linux)
  5. Mapping the network of a domain
  6. Looting secrets from SMB shares
  7. Identifying credentials in domain-wide scripts (SYSVOL)

Introduction to Windows Privilege Escalation

  1. Identifying common attack surfaces associated with Windows services
  2. Recognizing high-risk privileges (e.g., SeDebugPrivilege, SeImpersonatePrivilege)
  3. Extracting credentials from configuration files
  4. Analyzing permissions on legitimate Windows services and applications (e.g., IIS)

Credential Harvesting

  1. Extracting domain credentials from the Local Security Authority Subsystem Service (LSASS)
  2. Alternative methods for domain credential extraction (e.g., DPAPI, Kerberos Tickets)
  3. Dumping local credentials from the Security Account Manager (SAM)
  4. Accessing machine credentials from the Local Security Authority (LSA)
  5. Understanding Domain Cached Credentials (DCC)

Abusing Access Control Lists (ACLs)

  1. Enumerating Access Control Entries (ACEs) for misconfigurations
  2. Understanding the limitations of BloodHound
  3. Exploiting ACEs for lateral movement and privilege escalation
  4. Exploring the limitations of BloodHound and its various ingestors
  5. Understanding the limitations of enumeration tools

Microsoft SQL Server (MSSQL) Enumeration & Exploitation

  1. Enumerating SQL servers within Active Directory
  2. Gaining situational awareness in SQL databases
  3. Exploiting impersonation privileges
  4. Escalating local privileges on SQL servers via Service Accounts

Attacking Domain-Joined Linux Machines

  1. Identifying domain-joined Linux systems
  2. Authenticating to Linux machines using Active Directory credentials
  3. Exploiting traditional privilege escalation vectors on Linux
  4. Obtaining domain credentials from Linux systems
  5. Escalating domain privileges using ACEs on Linux systems
  6. Harvesting domain credentials in Linux environments

Introduction to Kerberos Attacks

  1. Understanding and following the six steps of the Kerberos authentication workflow
  2. Abusing the various stages of the Kerberos authentication phases (AS-REP roasting, AS-REQ roasting and Kerberoasting)
  3. Roasting Kerberos using native system capabilities (“living-off-the-land”) without reliance on external tooling
  4. Requesting Service Tickets (STs) without knowledge of Service Principal Names (SPNs)
  5. Abusing an asreproastable user to request a Service Ticket (ST) through an AS-REQ
  6. Forging Kerberos tickets (Silver, Golden, Diamond and Sapphire) for domain persistence and privilege escalation
  7. Deep dives into Kerberos extensions (S4U2Self, S4U2Proxy, U2U, etc.)
  8. Exploiting unconstrained, constrained and resource-based constrained delegation, with and without protocol transition

Attacking Domain Trusts

  1. Utilizing "secure-by-default" configurations in child-parent domains
  2. Performing Kerberoasting attacks across trusts
  3. Identifying groups with ACEs in trusted domains
  4. Understanding the security landscape of trusts in Active Directory

Security Best Practices and Hardening Techniques

  1. Identifying what is and isn’t important for profit-driven organizations and businesses
  2. Enforcing protections on LSASS (PPL), and virtualization-based protections
  3. Discussing the feasibility of disabling NTLM and/or enforcing SMB signing
  4. Understanding the benefits of adding Tier-0 assets to protected groups

Hands-On Practice

  1. Massive Network Labs: Practice your skills in safe, modular environments focused on building your fundamentals
  2. ChronoLabs Access: Time-bound, high-difficulty simulations replicating real-world breach scenarios