We know times are tough right now because of COVID-19 so we are offering a MASSIVE Discount. Stay safe and happy learning!

Attacking Active Directory with Linux Lab Objective:

Attacking Active Directory with Linux (LinuxAD) is a training environment and playground. Students get access to dedicated lab setup (not shared with other students).

The lab contains a Linux based machine to execute attacks and a target AD setup. The target AD is a fully patched AD environment with all Server 2019 machines.

Students can practice techniques like network discovery, enumeration, abusing file shares, bypassing AMSI and Windows Defender, metasploit payloads, domain enumeration, credentials spraying and reuse, extracting secrets, testing LOLBAS, evading application whitelisting, SQL Server abuse, pivoting, ACL abuse, exploiting delegation, domain privilege escalation and more!

There are 30 flags to capture across various categories. The flags help in further understanding key concepts like credentials storage in Windows, local privilege escalation, application whitelisting enumeration, extracting secrets from SQL Server, WMI permanent events, manipulating windows firewall etc.

The lab is beginner friendly and comes with a lab manual and 6+ hours of video content containing course and walk-through!

If you need advanced labs, check out our Red Team labs

What will your learn?

The LinuxAD lab enables you to:

  • Understand and practice the basics of attacking Active Directory using metasploit and other tools.
  • Understand how to approach attacking Windows Server 2019 machines.
  • Practice popular tools to understand the techniques they implement.
  • Learn to execute memory-only attacks from Linux against Windows machines.
The following are the prerequisites for the lab:
  • Basic familiarity with Linux command line
  • Basic understanding of information security concepts






I. Network Discovery and Enumeration

  • Use port scanning and other techniques to find target machines in the network
  • Find open shares on target machines and abuse them

II. Bypassing AMSI and Windows Defender

  • Use publicly known bypasses of AMSI and Windows Defender to run metasploit payloads from memory
  • Enumerate and abuse exclusions for Windows defender

III. Generating and using Metasploit payloads

  • Generate metasploit payloads using msfvenom
  • Using metasploit payloads with an AMSI bypass stager from memory

IV. Active Directory Enumeration

  • Enumerate AD using PowerShell, .Net and Python tools.
  • Find interesting information like delegation issues, credentials in clear-text etc.
  • Enumerate and abuse Restricted Groups.

V. Credentials spraying and re-use

  • Understand and Execute efficient password spraying attacks against AD.

VI. Local Privilege Escalation

  • Enumerate local users and built-in local groups and abusing their privileges.
  • Understand service permissions issue.

VII. Extracting Secrets

  • Extract credentials from unattend.xml, Registry Autologon, SAM hive, LSASecrets, lsass process, PowerShell history, application configuration files

VIII. Basics of Application Whitelisting and evading it

  • Find application whitelisting solution in use and enumerate its policies.
  • Practice methods of evading it.

IX. Abusing SQL Servers

  • Enumerating information about SQL Server.
  • Abusing Agent jobs to get code execution.
  • Find information like emails and CC from databases.

X. Pivoting and Port Forwarding on Windows

  • Understanding Kerberos double hop
  • Using metasploit and Windows built-in netsh command for pivoting and port forwarding.
  • Super simple modification to impacket tools to connect to non-standard ports.
  • Understand built-in commands in Windows to play with Windows firewall.

XI. Active Directory ACL Abuse

  • Enumerating and abusing ACL permissions in AD

XII. Abusing Unconstrained Delegation

  • Find machines with Unconstrained Delegation using PowerShell, .Net and/or Python tools.
  • Abuse unconstrained delegation to get credentials of the domain controller.

XIII. Escalating to Domain Administrator

  • Execute DCSync attack to extract secrets from DC and escalate to DA.
  • Get meterpreter in memory on the DC.

Lab Completion Certificate

Every student who successfully completes the lab and captures all the flags will get a verifiable lab completion certificate.

A certification holder demonstrates the understanding of active directory based attacks and holds the skills to test the most prevalent mis-configurations in enterprise active directory environments.

Nikhil Mittal: BlackHat USA Trainer, DEF CON Speaker, Discoverer of Windows Threats

Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes red teaming, active directory security, attack research, defense strategies and post exploitation research. He has 11+ years of experience in red teaming.

He specializes in assessing security risks at secure environments that require novel attack vectors and "out of the box" approaches. He has worked extensively on Active Directory attacks and bypassing detection mechanisms and Offensive PowerShell for red teaming. He is creator of Kautilya, a toolkit that makes it easy to use HIDs in penetration tests and Nishang, a post exploitation framework in PowerShell. In his spare time, Nikhil researches new attack methodologies and updates his tools and frameworks.

Nikhil has held trainings and boot camps for various corporate clients (in US, Europe and SE Asia), and at the world’s top information security conferences. He has spoken/trained at conferences like DEF CON, Black Hat, CanSecWest, BruCON, 44CON and more. He blogs at https://www.labofapenetrationtester.com/


Selected Conference Talks:

$199 $149 for 30 Hours Lab Access

Student Name:
Student Email:
For alternate payment methods or enterprise team purchase please use the Contact-Us section

Terms of Purchase and Use:

  • You get 30 hours of total lab time which must be used within 30 days
  • You need a Google account to access to the lab portal as we use login with Google
  • Your 30 days subscription will start within 24 hours of purchase once you receive a confirmation email
  • Purchase includes access to the videos and lab manual.
  • Every student gets a dedicated lab environment that is not shared with other students.

Please use the form below: