// Active Directory Security

Active Directory Security & Enterprise Attacks

Master Active Directory enumeration, Kerberos attacks, LDAP reconnaissance, credential attacks, privilege escalation, relay attacks, and advanced post-exploitation techniques used in enterprise penetration testing environments.

Duration

1 Month / 4 Weeks / 30 Hours

Level

Advanced

Modules

13 Modules

Format

Hands-on Labs

// Course Overview

What You'll Learn

The Advanced Active Directory Penetration Testing course is designed for ethical hackers, penetration testers, red teamers, SOC analysts, and cybersecurity professionals who want to specialize in attacking and assessing Active Directory environments. This course covers LDAP enumeration, Kerberos authentication internals, Kerberoasting, AS-REP Roasting, Pass-the-Hash, Pass-the-Ticket, SMB/LLMNR relay attacks, domain enumeration, privilege escalation, credential extraction, BloodHound analysis, and complete AD attack methodology.

// Prerequisites

  • - Basic networking knowledge
  • - Familiarity with Windows environments
  • - Understanding of Active Directory basics
  • - Knowledge of Linux command line
  • - Basic penetration testing experience
ad-pentest--syllabus

$ armour --training ad-pentest --info

[*] Course: Active Directory Security & Enterprise Attacks

[*] Duration: 1 Month / 4 Weeks / 30 Hours

[*] Level: Advanced

[!] 13 modules | 107 topics

[+] Lab environment: READY

[+] Certification prep: INCLUDED

$ _

// Syllabus

Complete Course Modules

01

LDAP Enumeration

  • > Overview of LDAP
  • > LDAP Enumeration Techniques
  • > LDAP Enumeration Tools
  • > LDAP Queries and Filters
  • > Nmap Scripts for LDAP Enumeration
  • > ldapsearch Usage
  • > JXplorer GUI Tool
  • > Active Directory Structure Mapping
02

Kerberos Authentication

  • > Introduction to Kerberos
  • > Kerberos Authentication Flow
  • > Kerberos Encryption Types
  • > Ticket Granting Ticket (TGT)
  • > Service Tickets (ST)
  • > Kerberos Attack Surface
  • > Key Distribution Center (KDC)
  • > Authentication Service (AS) and Ticket Granting Service (TGS)
03

Kerberoasting Attacks

  • > Service Principal Names (SPNs)
  • > Kerberoasting Methodology
  • > Extracting Service Tickets
  • > Offline Password Cracking
  • > Kerberoasting Tools
  • > Targeted Kerberoasting
  • > Detection and Mitigation
04

Pass-the-Ticket (PtT)

  • > Kerberos Ticket Abuse
  • > Ticket Injection Techniques
  • > Lateral Movement via Tickets
  • > Session Hijacking
  • > Kerberos Ticket Manipulation
  • > Golden Ticket Attacks
  • > Silver Ticket Attacks
05

AS-REP Roasting

  • > Kerberos Pre-Authentication
  • > AS-REP Roasting Methodology
  • > User Enumeration for AS-REP
  • > Offline Password Cracking
  • > Identifying Vulnerable Accounts
  • > Kerbrute Enumeration
  • > Detection and Prevention
06

Manual Enumeration

  • > Manual Enumeration Techniques
  • > Operating System Enumeration
  • > Domain User Enumeration
  • > Enumerating Logged-On Users
  • > Enumerating Permissions and ACLs
  • > SPN Enumeration
  • > Domain Share Enumeration
  • > Group Membership Mapping
07

Password Attacks & Credential Dumping

  • > Password Attack Methodologies
  • > Credential Dumping Techniques
  • > Accessing SAM File
  • > Accessing SYSTEM File
  • > Extracting SECURITY Files
  • > NTDS.dit Extraction
  • > Offline Hash Cracking
  • > Password Spraying
  • > Hashcat and John the Ripper Usage
08

Pass-the-Hash (PtH)

  • > NTLM Authentication Internals
  • > Pass-the-Hash Attack Methodology
  • > Lateral Movement with PtH
  • > Remote Authentication Abuse
  • > CrackMapExec for PtH
  • > Mimikatz Hash Extraction
  • > Detection and Countermeasures
09

LLMNR Poisoning & SMB Relay Attacks

  • > LLMNR/NBT-NS Poisoning
  • > SMB Relay Attack Methodology
  • > Name Resolution Poisoning
  • > NTLM Relay Attacks
  • > Credential Interception
  • > Responder Tool Usage
  • > NTLMv2 Hash Capture
  • > Relay Attack Mitigation
10

Active Directory Offensive Security Tools

  • > Impacket Framework
  • > ldapsearch and JXplorer
  • > Kerbrute
  • > Responder
  • > PowerUp
  • > PowerView
  • > BloodHound and SharpHound
  • > Mimikatz
  • > CrackMapExec
  • > Evil-WinRM
  • > Rubeus
11

Active Directory Privilege Escalation

  • > Windows Privilege Escalation Vectors
  • > Token Impersonation
  • > Service Exploitation
  • > DLL Hijacking
  • > Constrained Delegation Abuse
  • > Unconstrained Delegation Exploitation
  • > Resource-Based Constrained Delegation
  • > DCSync Attacks
  • > ADCS Exploitation (ESC1-ESC8)
12

Enterprise Lateral Movement & Persistence

  • > Lateral Movement Techniques
  • > Pivoting and Port Forwarding
  • > SSH Tunneling from Windows
  • > Chisel and Ligolo Usage
  • > Multi-Hop Pivoting
  • > Golden and Silver Ticket Forging
  • > Shadow Credentials
  • > Persistence Mechanisms
  • > Domain Trust Exploitation
13

Active Directory Hardening & Reporting

  • > AD Security Best Practices
  • > Kerberos Hardening
  • > NTLM Restriction Policies
  • > Privileged Access Management
  • > Detection Strategies
  • > SIEM Integration for AD Attacks
  • > Penetration Test Reporting
  • > Remediation Recommendations
  • > Enterprise Security Posture Assessment
// Outcomes

Learning Outcomes

  • Enumerate Active Directory environments using LDAP and manual techniques
  • Exploit Kerberos authentication (Kerberoasting, AS-REP Roasting)
  • Perform Pass-the-Hash and Pass-the-Ticket attacks
  • Conduct LLMNR poisoning and SMB relay attacks
  • Extract credentials from SAM, SYSTEM, and NTDS.dit
  • Escalate privileges from standard user to domain administrator
  • Analyze attack paths using BloodHound
  • Pivot through multi-subnet AD environments
  • Use industry-standard tools (Mimikatz, CrackMapExec, Impacket, Evil-WinRM)
  • Identify and exploit AD certificate services misconfigurations
  • Provide enterprise hardening and remediation recommendations
// Lab Environment

Hands-On Labs

  • Multi-domain Active Directory forest
  • Multiple organizational units with various permissions
  • Certificate Services (ADCS) lab
  • Multi-subnet network with segmentation
  • Realistic enterprise user and group structure
  • Kerberos attack simulation targets
  • Relay attack practice environment
  • BloodHound data collection and analysis lab

Certification Preparation

  • + CRTP (Certified Red Team Professional)
  • + CRTE (Certified Red Team Expert)
  • + OSCP+ AD module
  • + HTB Pro Labs (Offshore, RastaLabs)
  • + PNPT (Practical Network Penetration Tester)
// Instructor

Meet Your Instructor

Armour Infosec Security Team

Active Directory Security Specialist

Our AD security instructors are experienced red teamers who have compromised enterprise Active Directory environments in professional engagements. They specialize in identity-based attacks, Kerberos exploitation, credential attacks, and AD hardening recommendations.

CRTPCRTEOSCP+GPENPNPT
// Testimonials

What Students Say

The Kerberos attack modules are incredibly detailed. I immediately found new attack paths in client environments I was missing before.

Ankit R.

Senior Pentester

Essential training for anyone doing internal pentests. The credential dumping and relay attack modules are worth the entire course.

Deepak S.

Red Team Operator

Excellent progression from LDAP enumeration to domain compromise. The BloodHound analysis and privilege escalation labs are realistic and challenging.

Meera J.

Security Consultant

// FAQ

Frequently Asked Questions

Common questions about the course, enrollment, and certification.

Ready to Enroll?

Secure your spot in the next batch. Limited seats available for hands-on lab access.

Enroll NowDownload Syllabus