Certified Red Team Professional (CRTP) Review
IMPORTANT: Note that the Certified Red Team Professional (CRTP) course and lab are now offered by Altered Security who are the creators of the course and lab. You can get the course from here – https://www.alteredsecurity.com/adlab
Introduction
The Certified Red Team Professional is a penetration testing/red teaming certification and course provided by Pentester Academy, which is known in the industry for providing great courses and bootcamps.
In this review I talk about my experience with this certification, the pros and cons of enrolling in the course, my thoughts after taking and passing the exam, and a few tips and tricks.
Pros
- At about $250 USD (a Covid deal was on when I bought it, which made it cheaper) and for the number of techniques it teaches, it is a no-brainer.
- In terms of beginner-level Active Directory courses, it is definitely one of the best and most comprehensive out there.
- This was by far the best experience I have had when it comes to support for a course. The team would always be very quick to reply and would always provide detailed answers and technical help when required. Keep in mind their support team is based in India, so try to get in touch with them between 8am and 10pm GMT+5:30, although they often replied to my queries outside of those hours.
- The course provides two ways of connecting to the student machine, either through OpenVPN or through their Guacamole web interface. I would normally connect using Kali Linux and OpenVPN when it comes to online labs, but in this specific case their web interface was so easy to use and responsive that I ended up using that instead.
- The teacher for the course is Nikhil Mittal, who is very well known in the industry and is exceptional at red teaming and Active Directory hacking.
- For almost every technique and attack used throughout the course, a mitigation/remediation strategy is mentioned in the last chapter of the course which is something that is often overlooked in penetration testing courses.
Cons
- Pentester Academy still isn’t as recognized as other providers such as Offensive Security, so the certification won’t look as shiny on your resume.
- Some of the things taught during the course will not work in the exam environment or will produce inconsistent results, because the exam machine does not have .NET 3.5 installed.
- The flag system follows the course material, meaning it can be completed by using all of the commands shown prior to the exercise. I personally would have preferred flags that simulated an entire environment (to give students an idea of what the exam is like) rather than one-off tasks. Pentester Academy does mention that for a real challenge students should check out their “Windows Red Team Lab” environment, although that one is designed for a different certification, so I thought it would be best to go through it when the time to tackle CRTE comes.
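Since the .NET 3.5 point above bites people mid-exam, a quick pre-flight check of the target host saves guesswork about why a tool refuses to load. The following PowerShell script is an added example written for this review, not part of the course material or the original post; it reads the .NET Framework registry keys Microsoft documents (the `NDP\v3.5` `Install` value and the `NDP\v4\Full` `Release` value) and reports the PowerShell version and language mode, which matters because Constrained Language Mode is one of the defences the course covers.

```powershell
# Added example: pre-flight check of a Windows host before transferring tools.
# Registry paths and value names are the ones documented by Microsoft; the
# version mapping and reporting logic are this example's own, not course code.

$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'

# .NET 3.5 (which provides the CLR 2.0 runtime that .NET 2.0/3.5 assemblies
# need) is recorded under its own key with an "Install" DWORD. A missing key
# or Install -ne 1 means the optional feature is not enabled on this host.
$v35 = Get-ItemProperty -Path "$ndp\v3.5" -ErrorAction SilentlyContinue
if ($v35 -and $v35.Install -eq 1) {
    "NET Framework 3.5 installed (version $($v35.Version))"
} else {
    "NET Framework 3.5 NOT installed: assemblies built for .NET 2.0/3.5 will not load"
}

# .NET 4.x records a "Release" DWORD under v4\Full. Map the documented minimum
# Release numbers to a version label; the first matching branch wins.
$v4 = Get-ItemProperty -Path "$ndp\v4\Full" -ErrorAction SilentlyContinue
if ($v4) {
    $release = $v4.Release
    $label = switch ($release) {
        { $_ -ge 528040 } { '4.8 or later'; break }
        { $_ -ge 461808 } { '4.7.2'; break }
        { $_ -ge 461308 } { '4.7.1'; break }
        { $_ -ge 460798 } { '4.7'; break }
        { $_ -ge 394802 } { '4.6.2'; break }
        { $_ -ge 393295 } { '4.6'; break }
        { $_ -ge 378389 } { '4.5'; break }
        default           { "unknown (Release=$release)" }
    }
    "NET Framework $label installed (Release $release)"
} else {
    "NET Framework 4.x (Full) not found"
}

# PowerShell itself: version, CLR in use (Windows PowerShell only) and language
# mode. ConstrainedLanguage blocks most .NET method calls that offensive
# scripts rely on, so tooling has to be chosen accordingly.
"PowerShell $($PSVersionTable.PSVersion)"
if ($PSVersionTable.CLRVersion) { "CLR $($PSVersionTable.CLRVersion)" }
"Language mode: $($ExecutionContext.SessionState.LanguageMode)"
```

Run it as the first thing after landing on the initial machine; every cmdlet and property it uses works under Constrained Language Mode, so the check itself will not be blocked by the restriction it reports.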
Background
I decided to take on this course while planning to enroll in the Offensive Security Experienced Penetration Tester certification. Since that certification focuses on two main aspects of penetration testing, Active Directory and evasion techniques, and my knowledge of Active Directory hacking left much to be desired, I decided to complete CRTP first, and it turned out to be a great decision. I had already heard a lot of great feedback from friends and colleagues who had taken this course before, and I had no doubt it would be an awesome choice.
I was never a huge fan of Windows or Active Directory hacking, so I didn't think I would find the material particularly interesting, but I was pleasantly surprised by how much I enjoyed going through the course material and completing all of the learning objectives.
The course does not have any real prerequisites in order to enroll, although basic knowledge of Active Directory is strongly recommended in order to understand all of the concepts taught throughout the course, so if you have absolutely no knowledge of this topic I would suggest brushing up on it first. Additionally, knowledge of PowerShell also helps greatly, although it isn't strictly necessary.
The Course
The course provides both videos and PDF slides to follow along. The content walks through various enumeration, exploitation, lateral movement, privilege escalation, and persistence techniques that can be used in an Active Directory environment. The material is very easy to follow, and all of the commands and techniques are very well explained by the instructor, Nikhil Mittal, who covers not only the command itself but how it actually works under the hood.
The following are some of the techniques taught throughout the course:
- Active Directory enumeration through scripts, built-in tools and the Active Directory module, in order to identify useful information like users, groups, group memberships, computers, user properties, group policies, ACLs etc.
- Understand and enumerate intra-forest and inter-forest trusts. Practice how to extract information from the trusts.
- Learn and practice different local privilege escalation techniques on a Windows machine.
- Hunt for local admin privileges on machines in the target domain using multiple methods.
- Abuse enterprise applications to execute complex attack paths that involve bypassing antivirus and pivoting to different machines.
- Learn to find and extract credentials and sessions of high privilege domain accounts like Domain Administrators, and use credential replay attacks to escalate privileges.
- Learn to extract credentials from a restricted environment where application whitelisting is enforced. Abuse derivative local admin privileges and pivot to other machines to escalate privileges to domain level.
- Understand the classic Kerberoast and its variants to escalate privileges.
- Enumerate the domain for objects with unconstrained and constrained delegation and abuse it to escalate privileges.
- Subvert the authentication on the domain level with Skeleton key and custom SSP.
- Abuse functionality such as Kerberos, replication rights, the DC safe mode Administrator or AdminSDHolder to obtain persistence.
- Learn to elevate privileges from Domain Admin of a child domain to Enterprise Admin on the forest root by abusing Trust keys and krbtgt account.
- Execute intra-forest trust attacks to access resources across forests.
- Abuse database links to achieve code execution across forests by just using the databases.
- Understand forest persistence techniques like DCShadow and execute them to modify objects in the forest root without leaving change logs.
- Learn about architecture and work culture changes required to avoid certain attacks, such as Temporal group membership, ACL Auditing, LAPS, SID Filtering, Selective Authentication, credential guard, device guard, Protected Users Group, PAW, Tiered Administration and ESAE or Red Forest.
- Learn how Microsoft’s Advanced Threat Analytics and other similar tools detect domain attacks and the ways to avoid and bypass such tools.
- Understand how deception can be effectively deployed as a defense mechanism in AD and deploy various deception mechanisms.
- Learn how adversaries can identify decoy objects and how defenders can avoid that detection.
- Learn how various defensive mechanisms work, such as System Wide Transcription, Enhanced logging, Constrained Language Mode, AMSI etc., and how some of these can be bypassed.
Throughout the course, at the end of certain chapters, there are learning objectives that students can complete to practice the techniques taught in a lab environment provided with the course. The lab is made up of multiple domains and forests so that all of the necessary attacks can be replicated. From my experience, pretty much all of the attacks could be run in the lab without any major issues, and support was always available for any questions.
Towards the end of the material, the course also teaches what information is logged by Microsoft’s Advanced Threat Analytics and other similar tools when certain types of attacks are performed, how to avoid raising too many alarm bells, and also how to prevent most of the attacks demonstrated to secure an Active Directory environment.
I really enjoyed going through the course material and completing all of the learning objectives, and most of these attacks are applicable to real-world penetration testing and are definitely things I have experienced in actual engagements.
The course lightly touches on BloodHound, although I personally used this tool a lot during the exam and it is widely used in real engagements to automate manual enumeration and quickly identify compromise paths to certain hosts (not necessarily Domain Admin) in a very visual fashion thanks to its graphical interface. I was recommended The Dog Whisperer's Handbook as additional learning material to further understand this amazing tool, and it helped me a lot. It explains how to build custom queries towards the end, which isn't something that is necessary for the exam, as long as you understand all of its main components such as nodes, paths, and edges.
The Exam
The exam consists of a 24-hour hands-on assessment (an extra hour is also provided to make up for the setup time, which should take approximately 15 minutes). The environment is made up of 5 fully-patched Windows servers that have to be compromised. After the exam has ended, an additional 48 hours are provided in order to write up a detailed report, which should contain a complete walkthrough of all of the steps performed as well as practical recommendations. Individual machines can be restarted but cannot be reverted; the entire lab can be reverted, which brings it back to its initial state.
Pentester Academy does not indicate whether there is a minimum number of machines that have to be compromised in order to pass, and I have heard of people who cleared the exam by completing just three or four of them, although what they do mention is that the quality of the report has a major impact on your result.
The initial machine does not come with any tools so you will need to transfer those either using the Guacamole web interface or the VPN access. Unlike Offensive Security exams, it is not proctored and you do not need to let anyone know if you are taking a break, also you are not required to provide any flag as evidence.
I started my exam on the 2nd of July 2021 at about 2 pm Sydney time, and in roughly a couple of hours I had compromised the first host. I wasted a lot of time trying to get certain tools to work in the exam lab and later on decided to just install BloodHound on my local Windows machine. A quick note on this: if you are using the latest version of BloodHound, make sure to also use the corresponding version of the ingestor, as otherwise you may get inconsistent results from it.
After completing the first machine, I was stuck for about 3-4 hours: neither BloodHound nor the enumeration commands I had in my notes brought back any results, so I decided to go out for a walk to stretch my legs. Once back, I had dinner and resumed the exam. After going through my methodology again I was able to get the second machine pretty quickly, and then I was stuck again for a few more hours.
At around 11 pm I had finally completed the third machine and decided to take another break, as I started having a really bad headache. Surprisingly enough, the last two machines were a lot easier than I thought: by 1 am I had the fourth one in the bag. I then struggled for about 2 hours on the last one because for some reason I was no longer able to communicate with it, so I decided to take another break and revert the entire exam lab to retry the attack one last time, as it was almost time to hit the sack. My suspicion was right and there was indeed an issue with one of the machines, which after a full revert was working fine again. Compromising it then only took a few minutes, which means that by 4:30 am I had completed the examination.
I honestly did not expect to stay up that long and I did not need to compromise all of the machines in order to pass, but since there was only one machine left I thought it would be best to push it through and leave nothing to chance.
I then worked on the report the day after. It took me 2-3 hours and ended up being about 25 pages. I simply added an executive summary at the beginning, which included overall background, results, and recommendations, followed by detailed information about each step and remediation strategies for each vulnerability that was identified.
After finishing the report I sent it to the email address specified in the portal, received a response almost immediately letting me know it was being reviewed and about 3 working days after that I received the following email:
I later also received the actual certificate in PDF format and a digital badge for it on Accredible.
Conclusion
Overall this was a great course. I learned a lot of new techniques and I now feel a lot more confident when it comes to Active Directory engagements. I am sure that even seasoned pentesters would get a lot of useful information out of this course.
If you would like to learn or expand your knowledge on Active Directory hacking, this course is definitely for you.