The aim of this training course is to learn and understand the most common techniques used to compromise an Active Directory environment, their causes, and how to remedy them. The course simulates an internal penetration test, from connecting the workstation without a valid domain account, to the total compromise of the forest by obtaining the company’s administrator privileges.
Several techniques will be presented and explained for each stage of this compromise, with most participants putting the attacks into practice.
Course overview
- Understand the main vulnerabilities associated with internal networks based on Active Directory.
- Know how to detect the presence of these vulnerabilities.
- Acquire good security administration practices.
Course Curriculum
Day 1
- Introduction: why target Active Directory
- Authentication protocols (NTLM and Kerberos)
- Main application protocols (LDAP, SMB and RDP)
- Obtaining a first domain account
- Techniques:
- Obtain an NTLM response with network poisoning: ARP, DHCPv4/v6, LLMNR, NBT-NS, mDNS
- Crack or relay this NTLM response.
- Get a list of users (via relay, NULL sessions, Kerbrute), to set up password spraying or ASREPRoasting.
- Network enumerations: web applications and network services
- Tools:
- Responder
- Impacket
- Bettercap
- mitm6
- Kerbrute
- Wireshark
- Additional access via a domain account
- Techniques:
Day 2
- Obtain local administrator rights on machines
- Techniques:
- NTLM to LDAP authentication relays (RBCD, Shadow Credentials), ADCS and SMB
- Kerberoast
- Local privilege escalation (PrivescCheck)
- NTLMv1 downgrade
- Missing security updates (PrintNightmare, MS17-010)
- Unencrypted disk on user workstation
- Tools:
- BloodHound
- PingCastle
- Impacket
- PrivescCheck
- Additional access with local administrator access
- Techniques:
Day 3
- Escalating privileges in the domain
- Techniques:
- Lateral movement (WMI, SMB, WinRM)
- Administrator sessions open on machines
- Extraction of passwords from service accounts and scheduled tasks
- Extraction of cached password hashes
- Kerberos delegations
- ADCS certificate templates
- Missing security updates (ZeroLogon, SamAccountName Spoofing, Certifried)
- Intra-forest privilege escalation: child domain to parent domain.
- Tools:
- Rubeus
- Impacket
- Certipy
- Techniques:
- Attacking trust relationships
- Techniques:
- SID Filtering
- TGT Delegation
- Password reuse
- Inter-forest accounts in administration groups
- Techniques:
Method of Assessment
- Course validation through practical exercises
- Completion of a final online questionnaire covering all the concepts learned
Training benefits
- Training provided by an Active Directory security expert who has carried out numerous internal penetration tests.
- Practical exercises carried out by participants themselves.
Who should attend?
- Team of system and network administrators
- Information systems security team
- User support team
Entry Requirements
Computer basics:
- Networking (protocols, OSI model, etc.)
- Active Directory environment
- Windows operating system
How and when to access
The participant is considered registered when:
- The prerequisites and needs are identified and validated
- The training agreement is signed
Registration requests can be sent up to 10 working days before the start of the training.
Accessibility
Whether you are recognized as having a disability or not, making our training accessible to everyone is part of our commitment.
If you need accommodation or adaptation of the content, the course materials, the venue, the equipment used, the schedule, or the pace, we are at your disposal.
Duration
3 days
Price
€ 2750 excl. tax
Financing
OPCO support