CRTP Certification Guide
Certified Red Team Professional - Master Active Directory exploitation and red team operations
Advanced-Level Certification
Overview
The Certified Red Team Professional (CRTP) by Altered Security (formerly PentesterAcademy) is a hands-on certification focused exclusively on Active Directory security. This certification validates your ability to compromise and persist in Windows Active Directory environments using realistic attack scenarios.
Why Choose CRTP?
- 100% hands-on lab-based certification focused on Active Directory
- Real-world Windows domain exploitation scenarios
- Comprehensive coverage of modern AD attack techniques
- 24-hour practical exam with 5-machine environment
- Excellent preparation for advanced red team roles
- Highly regarded in the cybersecurity industry
Exam Details
Exam Information
- Duration: 24 hours hands-on lab
- Format: 5-machine Active Directory environment
- Passing Criteria: Compromise specific targets and demonstrate persistence
- Prerequisites: Strong Windows and PowerShell knowledge
- Cost: $249 USD (course + exam)
- Lab Access: 30 days of lab time included
Learning Objectives
Active Directory Enumeration
Comprehensive AD environment reconnaissance and intelligence gathering.
- Domain and forest enumeration
- User and group discovery
- Trust relationship analysis
- Service Principal Name (SPN) enumeration
Local Privilege Escalation
Windows privilege escalation techniques and methodologies.
- Service exploitation
- Kernel exploits
- Token manipulation
- UAC bypass techniques
Lateral Movement
Moving through the Active Directory environment stealthily.
- PowerShell remoting
- WMI and DCOM exploitation
- Credential theft and reuse
- Over-pass-the-hash attacks
Domain Privilege Escalation
Advanced techniques to achieve Domain Administrator privileges.
- Kerberoasting attacks
- ASREPRoasting exploitation
- DCSync and DCShadow
- Golden and Silver tickets
Domain Persistence
Maintaining long-term access in compromised AD environments.
- AdminSDHolder abuse
- Security descriptor manipulation
- Group Policy modification
- Skeleton key attacks
Cross-Forest Attacks
Attacking across forest boundaries and trust relationships.
- Trust relationship enumeration
- Cross-forest golden tickets
- Trust key extraction
- Foreign security principals
Study Plan
Week 1-2: Prerequisites
Strengthen your Windows and PowerShell fundamentals.
- Windows internals and architecture
- PowerShell scripting and cmdlets
- Active Directory basics
- Windows authentication mechanisms
Week 3-4: AD Enumeration
Master Active Directory enumeration and reconnaissance.
- PowerView and AD module usage
- BloodHound data collection
- Manual enumeration techniques
- Trust relationship discovery
Week 5-6: Privilege Escalation
Local and domain privilege escalation techniques.
- Windows privilege escalation
- Kerberoasting and ASREPRoasting
- Delegation attacks
- Lateral movement methods
Week 7-8: Advanced Attacks
Advanced AD attack techniques and persistence.
- Golden and Silver tickets
- DCSync and DCShadow
- Persistence mechanisms
- Cross-forest attacks
Week 9-10: Lab Practice
Intensive hands-on practice in lab environments.
- CRTP lab completion
- Additional AD lab practice
- Attack chain development
- Exam preparation
Essential Tools
PowerShell Tools
- PowerView: AD enumeration and exploitation
- PowerUp: Windows privilege escalation
- Invoke-Mimikatz: Credential extraction
- PowerShell Empire: Post-exploitation framework
C# Tools
- Rubeus: Kerberos interaction toolkit
- SharpHound: BloodHound data collector
- Seatbelt: System enumeration
- SharpUp: C# privilege escalation
Analysis Tools
- BloodHound: AD attack path analysis
- ADRecon: AD information gathering
- PingCastle: AD security assessment
- Impacket: Network protocol implementations
Attack Chains
Common CRTP Attack Scenarios
Scenario 1: Kerberoasting Chain
- Initial foothold on domain machine
- Enumerate SPNs using PowerView
- Request TGS tickets for service accounts
- Crack service account passwords offline
- Lateral movement with service credentials
Scenario 2: Delegation Abuse
- Identify unconstrained delegation
- Force authentication to compromised machine
- Extract TGT from LSASS memory
- Pass-the-ticket for privilege escalation
- Achieve Domain Admin privileges
Study Resources
- CRTP Course Material - Official Altered Security training
- Active Directory Security - Sean Metcalf's research
- PowerShell Empire Documentation - Post-exploitation techniques
- BloodHound Documentation - Attack path analysis
- HarmJ0y Blog - Advanced AD attack research
- SpecterOps Research - Cutting-edge AD techniques
Exam Strategy
CRTP Success Tips
- Master PowerView: Essential for AD enumeration
- Understand BloodHound: Visualize attack paths
- Practice Kerberoasting: Common exam scenario
- Credential extraction: Mimikatz and alternatives
- Lateral movement: Multiple techniques required
- Golden tickets: Understand KRBTGT extraction
- Time management: 24 hours goes quickly
- Document everything: Keep detailed notes
RFS Achievement
RFS CRTP Certified
RFS has successfully achieved the CRTP certification, demonstrating advanced expertise in:
- Active Directory enumeration and exploitation
- Advanced privilege escalation techniques
- Red team lateral movement operations
- Domain compromise and persistence
- Cross-forest attack methodologies
Professional Impact: This certification validates RFS's expertise in Windows domain security and contributes to specialized telecommunications and unified communications security assessments.
Career Advancement
Professional Roles
Career opportunities enabled by CRTP certification.
- Senior Penetration Tester
- Red Team Operator
- Active Directory Security Specialist
- Windows Security Consultant
Skill Validation
Technical competencies proven by CRTP.
- Advanced Windows exploitation
- Active Directory security
- Red team methodologies
- Enterprise network compromise
Next Certifications
Natural progression after CRTP.
- CRTO (Red Team Ops)
- CRTE (Red Team Expert)
- GXPN (Advanced Exploitation)
- OSEP (Experienced Penetration Tester)
Ready for CRTP?
Readiness Assessment: Verify your preparation before attempting the exam.
- Strong PowerShell scripting abilities
- Windows internals knowledge
- Active Directory fundamentals
- Comfortable with PowerView and BloodHound
- Understanding of Kerberos protocol
- Privilege escalation experience
- Lateral movement techniques
- 24-hour exam endurance