Don't miss NCC Group's very own presenting the Bad Active Directory (BAD) training at BlackHat on the 31st of July - 1st of August or from the 2nd - 3rd of August 2021!

BlackHat - Bad Active Directory (BAD) Training | NCC Group's Dhruv Verma, Michael Roberts, Xiang Wen Kuan

Event date 31 July 2021 – 3 August 2021

Location BlackHat

Bad Active Directory (BAD) is a beginner-to-intermediate level training for hacking Windows Active Directory. The hands-on CTF-like exercises we offer aim to simulate real traffic, and the challenges are deployed in AWS. By presenting a realistic exploit chain (minus covert techniques), users will learn about various types of vulnerabilities within an Active Directory environment and how to exploit them, employing different tools and tricks to pivot across machines towards achieving the privileges of Domain Admin.

This training consists of four lab modules based on real attacks we've performed on client environments, and each lab imitates how modern networks look. Each attendee will have access to their own environment, credentials for which will be distributed via a web application. Within each environment, there are two test machines (a Linux host and a Windows host), which the attendees can use to perform the test. All required tools will be pre-installed.

While prior experience is not necessary, some familiarity with networks and Active Directory will be beneficial.

The following is the syllabus for this course:

Day 1 - Module 1:

  • Basics of Active Directory
  • Port scanning, service enumeration, domain enumeration
  • Exploiting LLMNR and NBT-NS
  • Cracking Net-NTLMv2 hashes
  • Basic mapping out of an Active Directory network using BloodHound and SharpHound
  • Dumping LSASS
  • Pass the hash
  • Exploiting AD misconfigurations
  • Abusing the powers of a domain admin


Day 1 - Module 2:

  • Port scanning, service enumeration, domain enumeration
  • Exploiting common HTTP misconfigurations (printers)
  • Advanced mapping out of an Active Directory network using BloodHound and SharpHound
  • Hijacking DNS
  • LDAP relay
  • DCSync Attack
  • Pass the hash
  • Abusing the powers of a domain admin


Day 2 - Module 3:

  • Port scanning, service enumeration, domain enumeration
  • SYSVOL enumeration
  • GPO enumeration
  • Local system enumeration
  • Active Directory PowerShell enumeration
  • Covert LSASS dumping
  • Advanced mapping out of an Active Directory network using BloodHound and SharpHound
  • LAPS
  • Shadow copy attack


Day 2 - Module 4:

  • Port scanning, service enumeration, domain enumeration
  • Exploiting common HTTP misconfigurations (Jenkins Web UI)
  • ADIDNS Injection
  • WPAD
  • SMB Relay
  • Unconstrained Delegation
  • Print Spooler Bug

KEY TAKEAWAYS

  • Most importantly, a network penetration tester's mindset - being able to understand the network one is operating in, having an intuition for whether more enumeration is required, and asking if an attack may be relevant in a scenario. This mindset makes one ask the right questions, and that can propel any further self-study.
  • Second, practical experience with the techniques themselves for enumerating targets, identifying weaknesses, and exploiting them.
  • Third, attendees will become aware of common misconfigurations in Active Directory that are likely in their own work environments.

WHO SHOULD TAKE THIS COURSE

Though we expect even experienced network penetration testers to learn something, this course is tailored for those new to network penetration tests. Highly recommended for IT professionals, penetration testers, security consultants, security engineers, CTF enthusiasts and anyone else interested in network testing and/or Active Directory environments.

STUDENT REQUIREMENTS

Experience with a CLI, such as Terminal, PowerShell, or Command Prompt. Some knowledge of basic networking such as IP addresses and ports, DNS, and the OSI model. Some Active Directory knowledge will be beneficial as well.

WHAT STUDENTS SHOULD BRING

A laptop with a working internet connection and the ability to SSH and RDP to a host.

WHAT STUDENTS WILL BE PROVIDED WITH

The testing environment and the course materials will be readily available over the web. References will be provided for all the tools used.

TRAINERS

Dhruv Verma is a Regional Director at NCC Group, an information security firm specializing in application, network, and mobile security. Dhruv has extensive experience performing infrastructure assessments with a special interest in Windows Active Directory environments and projects involving social engineering vectors. He has gotten domain admin on multiple client networks by chaining together vulnerabilities in a very unique and interesting fashion. For instance, Dhruv combined an ADIDNS wildcard injection vulnerability, a misconfigured Jenkins server and an AWS IAM privilege escalation vulnerability to gain Domain Admin on an enterprise network via a clone'n'pwn attack.

Michael Roberts is a Principal Security Consultant with NCC Group. Michael performs web, mobile application and network penetration tests, and has a passion for virtual reality and cooking outside of work life. Michael holds a bachelor's degree in computer and information technology from Purdue University.

Xiang Wen Kuan is a Security Consultant at NCC Group. Kuan has conducted some infrastructure assessments and first started BAD under the supervision of Dhruv and Michael as his intern project at NCC. Kuan is as exciting as Kashi cereal and likes to eat free food at hacker events.

Press contacts

NCC Group Press Office

Press contact All media enquiries relating to NCC Group plc +44 7824 412 405

NCC Group - Financial Media Enquiries

Press contact Maitland AMO Financial Results Media Enquiries +44 (0)20 7379 5151

Regional Press Office - North America

Press contact +1 408 776 1400