
Review of Pentester Academy - Attacking and Defending Active Directory Lab

A few months ago I didn't know what Active Directory was, or why I should care about it, and I had never heard about ACL abuse and the like. Although I had attended a BPAD (Breaking and Pwning Active Directory) training provided by Nullcon, I was not confident enough to go for this course exam, since my day-to-day activity involves VAPT work related to Web/Network/Mobile and sometimes basic malware analysis (very basic :p). I started doing the offshore lab and took help from some friends in understanding a few Active Directory concepts. I made many silly mistakes during the lab and learned a lot. Meanwhile I registered for the Active Directory Lab course and got it at a discounted offer for the first 50 students of about 11k INR (1 month lab access) :). Without wasting any further time, let's dive into the review.

The course -
Certification - Certified Red Team Professional

The Course Content -
After paying the course fee, you will get the course content, which contains:
1. Videos explaining AD pentesting concepts
2. Videos explaining walkthroughs of tasks
3. Lab guide containing walkthroughs of tasks
4. Lab access (you can start your lab access within 90 days from the day you bought the course)

The videos have good-quality content explaining each topic in detail, and the whole course is beginner friendly.

The Exam -
The exam is 24 hours long and is a completely dedicated exam lab with multiple misconfigurations and hosts. You are required to use your enumeration skills and find ways to execute code on all the machines. There are 5 systems in scope, excluding the student machine. You will get the VPN connection along with RDP credentials for the student machine, which will be part of the domain. I can't disclose much information on what needs to be done, but you will definitely figure it out if you have gone through all the tasks and videos taught in the course. You need to gain code execution on all 5 systems. However, there are exceptions: if you manage to hack 3-4 machines and you write a great report with all the steps and practical mitigation techniques, then you are still one step closer to cracking this exam. It took me 24 hours to pwn the machines, which varies from person to person; some of my friends have done it within 4-5 hours. You will have to prepare a good report containing the steps as well as practical mitigation for each attack. You are free to use your own report format, but it should contain all the information about the commands and tools used to gain access. You get 48 hours, apart from the exam time, to prepare the report.

Certification -
I got my result within two days of submitting the exam report. Below is a sample mail you receive when you pass the exam -

Just after this mail, I received an appreciation mail from the author Nikhil Mittal (course instructor) for writing a good report. I strongly recommend writing a summary of the report on the first page containing your approach while pwning the machines. Below is the mail which made my day -

Although my report was short, it had all the information that was required. I strongly recommend writing a detailed report if you have hacked fewer than 5 machines in the exam lab.

Tools that can help you during the lab or exam -
1. PowerView
2. PowerUp
3. PowerUpSQL
4. Nishang
5. powercat
6. Netcat
7. HeidiSQL
8. Kekeo
9. Mimikatz
10. BloodHound
11. wmiexec

You are free to use any tools you want ;) Just mention them in the report.

Some Resources -

Summary -
I have learnt a lot from the course and recommend it to everyone who wants to brush up their skills in AD pentesting, or to someone who wants to begin with AD pentesting. The course is beginner friendly and tests your basic concepts in the exam.

If you are a red teamer and want more fun and torture, then you can surely go for the other course - Advanced Red Team Lab ( ). A very good review was written by my friend Chirag Savla, which can be found here -

Other reviews of active directory lab -


  1. Congratulations! Would love to chat to you more about this - where can I reach you?

    1. Thanks ..
      @hexachordanu on twitter/facebook/linkedin :)


Post a Comment

Popular posts from this blog

Brute Force Basic Authentication - PSP Assignment 0x1

Before we start I would like to bring your attention to this PSP course from Pentester Academy   - . The course is focused on Powershell scripting which can be used in pentesting activities. AGENDA  : 1. Introduction to Powershell 2. Basic Authentication lab setup 3. Brute-force Basic Authentication using Powershell Script -   - cmdlet   - IP,Port and word-list should be easily configurable 1.  Introduction to Powershell  -  Microsoft says- PowerShell is a task-based command-line shell and scripting language built on .NET. PowerShell helps system administrators and power-users rapidly automate tasks that manage operating systems (Linux, macOS, and Windows) and processes. PowerShell commands let you manage computers from the command line. PowerShell providers let you access data stores, such as the registry and certificate store, as easily as you access the file system. PowerShell includes a rich expression parser and a fu

Hacking Thick Clients – Authorization Bypass

Hello Readers, This post will be focused on setting up a vulnerable thick client application and finding vulnerabilities. The blog post is an unofficial part of the on going series of post by NetSPI. NetSPI has released a vulnerable thick client app called BetaFast which has two versions - BetaBank and BetaFast based on 2-tier and 3-tier architecture respectively. The app is coded by Austin Altmann  and he is writing the walk-through series. Note: At the time of writing this blog, the walk-through/write-up for authorization bypass vulnerability was yet to be published by NetSPI and therefore I decided to create this blog post. All the credit for developing and maintaining this app goes to Austin and NetSPI team. You can find some of the cool write-ups here . Let's start. Setting up Betafast - 1. Download the files from github -  . 2. Extract and open the .sln file with