David Hamann

Hi, I'm David

I'm a software developer, penetration tester and IT consultant.

Currently I'm working on allgood.systems - a tool for monitoring your websites and cron jobs.

CRTP Certification Review

23 minute read

A couple of days ago I took the exam for the CRTP (Certified Red Team Professional) certification by Pentester Academy. In this review I want to give a quick overview of the course contents, the labs and the exam.

Course Contents

Attacking and Defending Active Directory is the accompanying course for the CRTP certification and it covers – as the name suggests – various common attack vectors and persistence techniques in Windows AD networks. The course also gives an overview of the defensive measures you can take – from more high-level explanations of privilege separation models to deploying decoy objects in the environment for deception.

The course structure is roughly like this:

  1. AD Enumeration
  2. Local privilege escalation
  3. Domain privilege escalation and Lateral Movement
  4. Persistence
  5. Trust attacks across Domains and Forests
  6. Defenses and detections

It starts out with a short refresher about Active Directory but pretty much expects you to already have a basic understanding of the main services and logical structure that make up AD. The same goes for PowerShell, which is used across the course and only introduced very briefly.

Most of the enumeration is taught via PowerView and Microsoft’s Active Directory PowerShell module. The teacher, Nikhil Mittal, then walks you through common enumeration tasks, looking at Users, Computers, Shares, GPOs, explaining how to read ACLs, finding sessions, enumerating Trusts, etc.

There’s also a section on BloodHound, albeit very short as the course is supposed to be “Red Team” focussed and so the amount of “noise” you generate in an environment is taken into consideration to avoid being detected for as long as possible.

While I mentioned Local Privilege Escalation above, it is not the focus of the course and only touched very briefly (essentially just service abuses). The domain privilege escalation / lateral movement part is more thorough and teaches you how to jump from one box to another and eventually get Domain Admin or Enterprise Admin – again with the focus on abusing misconfigurations.

The common attacks are all covered: kerberoasting in its different forms, constrained and unconstrained delegation abuses, utilizing trust tickets for moving across domains and reaching external forests, pivoting through SQL Servers, DNS Admins escalation, and more…

A big chunk of the course then goes into persistence techniques, i.e. what techniques an attacker can use to stay in the environment, likely remain undetected, and how long the persistence methods usually work. This was the section where I learned the most – there are just so many places you can hide and information you can use to “come back” at a later stage.

The course covers the more known ways like golden and silver tickets, but also talks about techniques like skeleton keys, custom SSPs, various ACL settings, DCShadow, DSRM admin login, and so on.

For a lot of techniques mimikatz is used. Naturally, not everything can be taught in much detail but the course introduces you to topics you can then further research on your own.

In the defensive part of the course the logs/events created during the attacks are discussed. But not only detection, also mitigation strategies and helpful tools are mentioned. And, as it is a cat and mouse game, also common bypasses and weaknesses of the mitigations/detections are shown.

Lab environment

You get access to a lab which consists of an AD environment containing multiple domains and also trusts to another forest. From a provided “student vm” you can then try out the different attacks.

The lab environment consists (as of the time of writing) of Windows Server 2016 machines and is solely focussed on exploiting misconfigurations (no CVEs with publicly available exploits). This introduces you to realistic scenarios as misconfigurations happen all the time and cannot be just “patched away” with an update.

While it is a shared environment and certain attacks wouldn’t be possible when executed by multiple students, I didn’t have a single issue due to other “attackers” in the environment. Also, the lab resets every 24 hours.

The lab can be accessed via VPN or directly through a browser via Apache Guacamole. I’m not a huge fan of doing everything in a browser, so I always connected via the VPN through a dedicated VM.

There are packages of 30, 60 and 90 days of lab access. I chose 30 days and found it was time enough time to do the exersises multiple times, even though I only did the course on the side in the evenings. My suggestion would be to go for 30 days and do the first enumeration exercises in your own AD lab (if you have one) before starting the official lab time (you get access to the course material and can decide to start the labs at a later stage, which seems like a fair option).

While not a deal breaker, I didn’t like so much that you needed a Google associated email account for accessing the lab control panel.

Exam

The exam drops you into an environment similar to the lab and requires you to get access to a given number of machines in the network. As it is an assumed breach scenario, access to a foothold machine and a low-priv user is given. You have 24 hours to compromise the machines and then 48 hours to write a report describing the weaknesses you exploited to gain access. You have to provide both a walkthrough and remediation recommendations.

You can use any tool on the exam, not just the ones discussed in the course.

Obviously, I cannot say anything about the exam’s contents. All what is needed to pass is explained and taught in the course but expect some hurdles on the way (you cannot just run BloodHound and follow a straight path of layed-out abuses). In my opinion it was a very well thought-out exam.

My recommendations (that apply to any practical exam, really): feel comfortable with the techniques taught so that you can troubleshoot them when they don’t work as expected at first. Carefully enumerate before you try an attack. Don’t put your trust in the output of only a single tool, have alternative ways of verifying things. Keep hacking, even when you haven’t made any progress for some time – you know there is a way in :-)

Should you take the course?

This solely depends on what you want to learn and your previous experience. In my opinion, even if you’re already doing pentesting and AD is not your prime focus, you will learn new tricks. As mentioned above, for me especially the persistance techniques were worth it.

If you know AD in and out and regularly perform assessments that also include the persistence part and cross-trust attacks, then maybe you won’t learn anything new. Pentester Academy also has a much more challenging lab and something in between, although I haven’t done them, so cannot say anything about it.

While I have some non-AD material piled up which I want go through first, let me know if you have done one of the other red team labs. I’d like to hear your experience.

Like to comment? Feel free to send me an email or reach out on Twitter.

Did this or another article help you? If you like and can afford it, you can buy me a coffee (3 EUR) ☕️ to support me in writing more posts. In case you would like to contribute more or I helped you directly via email or coding/troubleshooting session, you can opt to give a higher amount through the following links or adjust the quantity: 50 EUR, 100 EUR, 500 EUR. All links redirect to Stripe.

You May Also Enjoy

Building a 6502 Computer

71 minute read

My notes of building a computer based on the 6502 microprocessor following Ben Eater’s design.