BlackHat - Bad Active Directory (BAD) Training | NCC Group's Dhruv Verma, Michael Roberts, Xiang Wen Kuan
Event date 31 July 2021 – 3 August 2021
Location BlackHat
Don't miss NCC Group's very own team presenting the Bad Active Directory (BAD) training at BlackHat on the 31st of July - 1st of August or from the 2nd - 3rd of August 2021!
Bad Active Directory (BAD) is a beginner-to-intermediate level training for hacking Windows Active Directory. The hands-on CTF-like exercises we offer aim to simulate real traffic, and the challenges are deployed in AWS. By presenting a realistic exploit chain (minus covert techniques), users will learn about various types of vulnerabilities within an Active Directory environment and how to exploit them, employing different tools and tricks to pivot across machines towards achieving the privileges of Domain Admin.
This training consists of four lab modules based on real attacks we've performed on client environments, and each lab imitates how modern networks look. Each attendee will have access to their own environment, credentials for which will be distributed via a web application. Within each environment, there will be two test machines (a Linux host and a Windows host), which the attendees can use to perform the test. All required tools will be pre-installed.
While prior experience is not necessary, some familiarity with networks and Active Directory will be beneficial.
The following is the syllabus for this course:
Day 1 - Module 1:
- Basics of Active Directory
- Port scanning, service enumeration, domain enumeration
- Exploiting LLMNR and NBT-NS
- Cracking Net-NTLMv2 hashes
- Basic mapping out of an Active Directory network using BloodHound and SharpHound
- Dumping LSASS
- Pass the hash
- Exploiting AD misconfigurations
- Abusing the powers of a domain admin
Day 1 - Module 2:
- Port scanning, service enumeration, domain enumeration
- Exploiting common HTTP misconfigurations (printers)
- Advanced mapping out of an Active Directory network using BloodHound and SharpHound
- Hijacking DNS
- LDAP relay
- DCSync Attack
- Pass the hash
- Abusing the powers of a domain admin
Day 2 - Module 3:
- Port scanning, service enumeration, domain enumeration
- SYSVOL enumeration
- GPO enumeration
- Local system enumeration
- Active Directory PowerShell enumeration
- Covert LSASS dumping
- Advanced mapping out of an Active Directory network using BloodHound and SharpHound
- LAPS
- Shadow copy attack
Day 2 - Module 4:
- Port scanning, service enumeration, domain enumeration
- Exploiting common HTTP misconfigurations (Jenkins Web UI)
- ADIDNS Injection
- WPAD
- SMB Relay
- Unconstrained Delegation
- Print Spooler Bug
KEY TAKEAWAYS
- Most importantly, a network penetration tester's mindset - being able to understand the network one is operating in, having an intuition for whether more enumeration is required, and asking if an attack may be relevant in a scenario. This mindset makes one ask the right questions, and that can propel any further self-study.
- Second, practical experience with the techniques themselves for enumerating targets, identifying weaknesses, and exploiting them.
- Third, attendees will become aware of common misconfigurations in Active Directory that are likely in their own work environments.
TRAINERS
Dhruv Verma is a Regional Director at NCC Group, an information security firm specializing in application, network, and mobile security. Dhruv has extensive experience performing infrastructure assessments with a special interest in Windows Active Directory environments and projects involving social engineering vectors. He has gotten domain admin on multiple client networks by chaining together vulnerabilities in a very unique and interesting fashion. For instance, Dhruv combined an ADIDNS wildcard injection vulnerability, a misconfigured Jenkins server and an AWS IAM privilege escalation vulnerability to gain Domain Admin on an enterprise network via a clone'n'pwn attack.
Michael Roberts is a Principal Security Consultant with NCC Group. Michael performs web, mobile application and network penetration tests, and has a passion for virtual reality and cooking outside of work life. Michael holds a bachelor's degree in computer and information technology from Purdue University.
Xiang Wen Kuan is a Security Consultant at NCC Group. Kuan has conducted some infrastructure assessments and first started BAD under the supervision of Dhruv and Michael as his intern project at NCC. Kuan is as exciting as Kashi cereal and likes to eat free food at hacker events.