
Master Windows remote management with WinRM and PS remoting to securely access remote hosts using remote PowerShell, Invoke-Command, and WinRS. Use evil-winrm and crackmapexec for credentialed remote access.
Learn Windows Management Instrumentation (WMI) to enumerate hardware and applications via command line or PowerShell. Remote access requires local admin privileges and a Windows transport layer like WinRM or DCOM.
Learn how Windows Kerberos authenticates users and services in a domain using tickets. Explore abuses such as golden tickets and roasting with Rubeus and Mimikatz in a lab.
Explore BloodHound, a graphical Active Directory attack path tool, to enumerate domains, map relationships, and identify shortest paths to domain admins, with Cypher queries and GPO insights.
Explore Windows domain enumeration with PowerView, a PowerShell tool for domain info, groups, trusts, and SPNs. Learn commands to enumerate users, GPOs, and Kerberos settings on a domain-joined machine.
Spray a set of known domain users with weak passwords across SSH, SMB, and RDP to illustrate how lax password policies enable credential compromise.
Learn how NTLM relay attacks intercept and relay authentication to access domain resources, with offline cracking of captured hashes in a safe, small lab setup.
Explore practical file transfer techniques between Windows and Kali, including PowerShell downloads with Invoke-WebRequest, SCP transfers via SSH, and SMB shares with net use.
Explore collecting NTLM and MsCache credentials on Windows hosts, dump LSA and SAM hives, and crack offline with Hashcat or John the Ripper.
Explore hands-on methods for crafting and using Kerberos golden tickets to escalate from a child to a parent domain, including prerequisites, remote access setup, and ticket management.
This 2023 course is aimed at beginner to intermediate security professionals and enthusiasts who want to learn more about Windows and Active Directory security. Topics covered are 100% Windows related and dive into the full pentesting lifecycle of Windows and Active Directory.
The course guides the student through red team and ethical hacking TTPs while showcasing real-world scenarios on a Windows cyber-range which mimics a corporate network. The cyber-range, Kinetic, is hosted by SlayerLabs and contains 25 Windows VMs with 5 domains and 6 subnets, all engineered to exploit!
The mission of this course and cyber-range is to provide the user with a technical high-level overview of Windows and Active Directory security, along with realistic scenarios and learning opportunities to become proficient in Windows AD Pentesting. The goal is to provide real-world scenarios so the student can get hands-on keyboard and start running through the entire process from Reconnaissance to Post-Exploitation.
The course has been designed to trim the fat and only covers Windows related topics. With that, the student is expected to know basic TTPs in relation to offensive security, ethical hacking and pentesting. For example, how to set up a VM in VirtualBox, the basics of networking, or how to install additional tools on Kali will not be covered.
Each topic dives into the technical side, providing command-line examples and explanations along the way. Topics covered include (but are not limited to):
Domain Enumeration with BloodHound, PowerView, ldapsearch and Dsquery.
Initial Exploitation of AS-REP Roasting, Kerberoasting, Follina, SharePoint Exploits, and Password Spraying.
PrivEsc with WinPEAS, Saved 3rd party creds, and AlwaysInstallElevated.
Post-Exploitation using Golden Ticket attacks, Pass-the-Ticket, Overpass-the-Hash, Pass-the-Hash, Dumping & Cracking NTLM & MsCache hashes and DPAPI.
Course content uses Kali the majority of the time, but also uses Slayer Labs Kinetic range Windows targets as jump boxes, utilizing built-in services such as WinRM and SMB. Students should be comfortable using Kali Linux along with the Linux and Windows command line. The majority of the commands used throughout this course are provided as a downloadable resource once purchased. Common tools used on Kali are Impacket Suite, CrackMapExec, Evil-WinRM and Metasploit.