Attacking Active Directory with Linux (LinuxAD)

Attacking Active Directory with Linux Lab Objective:

Attacking Active Directory with Linux (LinuxAD) is a training environment and playground. Students get access to dedicated lab setup (not shared with other students).

The lab contains a Linux based machine to execute attacks and a target AD setup. The target AD is a fully patched AD environment with all Server 2019 machines.

Students can practice techniques like network discovery, enumeration, abusing file shares, bypassing AMSI and Windows Defender, metasploit payloads, domain enumeration, credentials spraying and reuse, extracting secrets, testing LOLBAS, evading application whitelisting, SQL Server abuse, pivoting, ACL abuse, exploiting delegation, domain privilege escalation and more!

There are 30 flags to capture across various categories. The flags help in further understanding key concepts like credentials storage in Windows, local privilege escalation, application whitelisting enumeration, extracting secrets from SQL Server, WMI permanent events, manipulating windows firewall etc.

What's Included

Red Team Lab, Red Team Certifications, Red Team Trainings, Azure Pentesting, Azure Security

Access to a lab environment (35 hours to be spent in one month) with Server 2019 machines. Lab can be accessed using a web browser.
6+ hours of video course
Course slides
Lab manual
Walk-through videos

What will you Learn?

The LinuxAD lab enables you to:

Understand and practice the basics of attacking Active Directory using metasploit and other tools.
Understand how to approach attacking Windows Server 2019 machines.
Practice popular tools to understand the techniques they implement.
Learn to execute memory-only attacks from Linux against Windows machines.

The following are the prerequisites for the lab:

Basic familiarity with Linux command line
Basic understanding of information security concepts

Purchase On Demand Lab

35 hours for 30 Days

LAB ACCESS
PERIOD

$149

Terms of Purchase and Use:

You get 35 hours of total lab time which must be used within 30 days
You need a Google account to access the lab portal linuxad.io
Your 30 days subscription will start within 24 hours of purchase once you receive a confirmation email
Purchase includes access to the videos and lab manual
Every student gets a dedicated lab environment that is not shared with other students

Nikhil: Founder of Altered Security, BlackHat USA Trainer, DEF CON Speaker

Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes red teaming, Azure and active directory security, attack research, defense strategies and post exploitation research. He has 15+ years of experience in red teaming.

He specializes in assessing security risks at secure environments that require novel attack vectors and "out of the box" approach. He has worked extensively on Azure AD, Active Directory attacks, defense and bypassing detection mechanisms.

Nikhil has trained more than 10000 security professionals in private trainings and at the world’s top information security conferences.

He has spoken/trained at conferences like DEF CON, BlackHat, BruCON and more.

He is the founder of Altered Security - a company focusing on hands-on enterprise security learning - https://www.alteredsecurity.com/

Selected Conference Talks

1 Evading Microsoft ATA for Active Directory Domination (BlackHat USA 2017 and BruCON 2017)

3 PowerShell for Practical Purple Teaming
(x33fcon 2017)

5 RACE - Minimal Rights and ACE for Active Directory Dominance (DEF CON 2019)

2 AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well it Does it (BlackHat USA 2016)

4 PowerShell for Practical Purple
Teaming (DEF CON 21)

6 0wn-premises: Bypassing Microsoft Defender for Identity (BruCON 2022)

Purchase On Demand Lab

35 hours for 30 Days

LAB ACCESS
PERIOD

$149

Terms of Purchase and Use:

You get 35 hours of total lab time which must be used within 30 days
You need a Google account to access the lab portal linuxad.io
Your 30 days subscription will start within 24 hours of purchase once you receive a confirmation email
Purchase includes access to the videos and lab manual
Every student gets a dedicated lab environment that is not shared with other students

I. Network Discovery and Enumeration

Use port scanning and other techniques to find target machines in the network
Find open shares on target machines and abuse them

II. Bypassing AMSI and Windows Defender

Use publicly known bypasses of AMSI and Windows Defender to run metasploit payloads from memory
Enumerate and abuse exclusions for Windows defender

III. Generating and using Metasploit payloads

Generate metasploit payloads using msfvenom
Using metasploit payloads with an AMSI bypass stager from memory

IV. Active Directory Enumeration

Enumerate AD using PowerShell, .Net and Python tools.
Find interesting information like delegation issues, credentials in clear-text etc.
Enumerate and abuse Restricted Groups.

V. Credentials spraying and re-use

Understand and Execute efficient password spraying attacks against AD.

VI. Local Privilege Escalation

Enumerate local users and built-in local groups and abusing their privileges.
Understand service permissions issue.

VII. Extracting Secrets

Extract credentials from unattend.xml, Registry Autologon, SAM hive, LSASecrets, lsass process, PowerShell history, application configuration files

VIII. Basics of Application Whitelisting and evading it

Find application whitelisting solution in use and enumerate its policies.
Practice methods of evading it.

IX. Abusing SQL Servers

Enumerating information about SQL Server.
Abusing Agent jobs to get code execution.
Find information like emails and CC from databases.

X. Pivoting and Port Forwarding on Windows

Understanding Kerberos double hop
Using metasploit and Windows built-in netsh command for pivoting and port forwarding.
Super simple modification to impacket tools to connect to non-standard ports.
Understand built-in commands in Windows to play with Windows firewall.

XI. Active Directory ACL Abuse

Enumerating and abusing ACL permissions in AD

XII. Abusing Unconstrained Delegation

Find machines with Unconstrained Delegation using PowerShell, .Net and/or Python tools.
Abuse unconstrained delegation to get credentials of the domain controller.

XIII. Escalating to Domain Administrator

Execute DCSync attack to extract secrets from DC and escalate to DA.
Get meterpreter in memory on the DC.

linux ad purchase

LAB ACCESS PERIOD

$149

Terms of Purchase and Use:

You get 35 hours of total lab time which must be used within 30 days

You need a Google account to access the lab portal linuxad.io

Your 30 days subscription will start within 24 hours of purchase once you receive a confirmation email

Purchase includes access to the videos and lab manual

Every student gets a dedicated lab environment that is not shared with other students

LAB ACCESS
PERIOD