All lessons
Each lesson covers an offensive security technique in depth: how it works, what defenders see, and how to explain it in an interview or report.
Access control lists define who can do what to every object in Active Directory. This lesson explains what ACLs are, how they control permissions on AD objects, why they matter for delegated administration and attack surface, and how to explain them clearly in interviews.
Understand what AD CS is, why organizations deploy it, and why its integration with Active Directory identity makes it one of the most consequential — and most commonly misconfigured — components in enterprise Windows environments.
Active Directory is the identity and access backbone of most enterprise Windows networks. This lesson explains how AD organizes users, computers, groups, and policies into a hierarchical structure, why that structure matters for both administrators and attackers, and how to explain it clearly in interviews.
Learn to build deliberate, repeatable practice labs with Ludus that support real skill development. Covers lab design around learning goals, environment configuration for attack practice, snapshot discipline, and the habits that separate productive lab work from aimless tinkering.
Understand how certificate templates control what certificates get issued and who can request them, and why template configuration and enrollment permissions are the primary attack surface in AD CS — not the certificate authority itself.
Understand how certificates are used for authentication in Active Directory through PKINIT and Schannel, why certificate-based authentication creates unique security implications, and why controlling certificate issuance can be functionally equivalent to controlling domain authentication.
Domain trusts define how authentication and access flow between domains and forests in Active Directory. This lesson explains what trusts are, why they exist, how they change the scope of both legitimate access and potential compromise, and how to explain trust relationships clearly in interviews.
Learn to translate technical security findings into business-impact language that resonates with executives, managers, and non-technical decision-makers. Covers impact framing, audience adaptation, and the communication habits that turn technical expertise into organizational influence.
Group Policy Objects are the primary mechanism for centrally managing configuration across users and computers in Active Directory. This lesson explains what GPOs are, how they apply settings across the environment, why control over GPOs matters for security, and how to explain Group Policy clearly in interviews.
Learn to generate, store, rotate, and clean up SSH keys according to professional standards. Covers per-engagement key isolation, passphrase discipline, key labeling, and the lifecycle habits that prevent your credentials from becoming a liability.
Learn to explain offensive security concepts clearly in interview settings. Covers answer structure, handling follow-ups, avoiding weak answer patterns, and the communication habits that separate strong candidates from technically capable ones who cannot articulate what they know.
Kerberos is the default authentication protocol in Active Directory. This lesson covers how it works at a level that supports clear technical communication, explains why its design matters for both security and attack surface, and prepares you to discuss Kerberos confidently in interviews and with stakeholders.
Learn to keep a daily work log that tracks what you worked on, what changed, what blocked you, and what to resume next — so you never lose continuity between sessions.
Learn to keep your work VM clean, reproducible, and engagement-ready. Covers snapshot discipline, tool tracking, artifact cleanup between clients, and the maintenance habits that prevent your primary working environment from becoming an operational liability.
NTLM is a legacy authentication protocol that remains widely present in Active Directory environments despite known weaknesses. This lesson explains how it works, why it persists, what makes it vulnerable, and how to explain its relevance clearly in interviews and stakeholder conversations.
Learn to organize screenshots, command output, and artifacts into a structured evidence package that directly supports report writing. Covers naming conventions, finding-to-evidence mapping, and the organization habits that prevent evidence chaos on multi-day engagements.
Learn to maintain reliable access during an authorized penetration test without exceeding scope, leaving untracked artifacts, or creating operational risk. Covers access planning, documentation discipline, client coordination, and the judgment calls that separate professional access management from careless persistence.
Learn to build a sustainable habit for staying informed about new vulnerabilities, tools, and techniques without getting overwhelmed. Covers source curation, triage discipline, and the information habits that keep you current without burning you out.
Learn to take structured, real-time engagement notes that support reporting, evidence review, and team collaboration. Covers what to capture, when to capture it, and how to keep notes useful without turning them into unstructured command dumps.
Learn to use Proxmox VE as the foundation for security practice environments that are isolated, segmented, and reproducible. Covers resource planning, template-based provisioning, network segmentation, and the lab-management habits that keep practice environments useful instead of chaotic.
Learn to write clear, professional emails for common security work scenarios: status updates, finding notifications, scope clarifications, and engagement coordination. Covers email structure, tone calibration, and the communication habits that keep engagements running smoothly.
Learn to write security reports that drive action. Covers finding structure, impact framing, audience awareness, and the quality standards that separate professional deliverables from forgettable ones.
Enumerating the domain password policy is a concrete discovery technique that directly informs credential attack decisions. This lesson explains how to retrieve the policy, what each setting means for attack planning, what the attacker gains from this information, and how to explain the findings in interviews, reports, and stakeholder conversations.
Enumerating privileged groups is a concrete discovery technique that identifies which accounts have elevated control over an Active Directory environment. This lesson explains what the attacker is looking for, which groups matter and why, what group membership reveals about paths to domain compromise, and how to communicate findings clearly in interviews, reports, and stakeholder conversations.
Identifying Kerberoastable service accounts is a targeted discovery technique that finds user accounts (as opposed to computer accounts) with Service Principal Names registered in Active Directory. This lesson explains what makes an account a viable Kerberoasting target, how to distinguish high-value targets from noise, what the attacker gains before the actual roasting step, and how to communicate this discovery work clearly in interviews and reports.
BloodHound maps Active Directory relationships into a graph that reveals privilege escalation paths invisible to manual enumeration. This lesson explains what an attacker does with BloodHound during an AD engagement, what it takes to use it effectively, what the attacker gains, and how to explain BloodHound findings clearly in interviews, reports, and stakeholder conversations.
AS-REP Roasting targets Active Directory accounts that have Kerberos pre-authentication disabled, allowing an attacker to request encrypted credential material without knowing the account's password. This lesson explains the precondition that makes the attack possible, why the mechanism works, what the attacker gains, how it differs from Kerberoasting, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.
DCSync uses Active Directory's built-in replication protocol to request password data for any account in the domain — without accessing a domain controller's file system, memory, or running processes. This lesson explains why the technique works, what permissions enable it, what the attacker gains, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.
Extracting credentials from LSASS targets the Local Security Authority Subsystem Service process to recover authentication material — NT hashes, Kerberos tickets, and plaintext credentials — from memory on a compromised host. This lesson explains what LSASS holds, why extracting from it is impactful, what preconditions matter, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.
Kerberoasting exploits a design property of Kerberos to extract service account credential material for offline cracking. This lesson explains why the attack works, what makes it possible, what the attacker gains, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.
NTLM relay attacks intercept a legitimate NTLM authentication exchange and forward it to a different target, gaining authenticated access as the relayed identity without knowing the password or cracking the hash. This lesson explains why relay works, what conditions enable it, what the attacker gains, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.
Password spraying is a credential access technique that tries one or a few likely passwords against many accounts, pacing the attempts so that no single account reaches the lockout threshold. This lesson explains why the technique works, how the domain password policy shapes attacker decisions, what the attacker gains, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.
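The password-policy and spraying lessons above both turn on the same arithmetic: how many failed attempts per account fit inside one lockout observation window. The following is an added example, not code from the lessons, that works that arithmetic through. The policy values, candidate passwords and the `reserve` convention (keeping spare failures for the real user's own typos) are constructed assumptions; the attribute names in the comments are the real ones.

```python
"""Added example (not part of the lesson): turn enumerated password policy
settings into a spray schedule that never locks an account.

Policy values and candidate passwords below are constructed sample data;
the field comments name the AD attributes they mirror (lockoutThreshold,
lockoutObservationWindow, minPwdLength, the complexity bit of pwdProperties).
"""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    lockout_threshold: int        # lockoutThreshold; 0 means accounts never lock
    observation_window_min: int   # lockoutObservationWindow, in minutes
    min_length: int               # minPwdLength
    complexity: bool              # DOMAIN_PASSWORD_COMPLEX bit of pwdProperties


@dataclass(frozen=True)
class SprayPlan:
    per_window: Optional[int]  # attempts per account per window; None = unlimited
    wait_minutes: int          # pause after a round so badPwdCount resets
    safe: bool
    reason: str


def plan_spray(policy: PasswordPolicy, reserve: int = 1) -> SprayPlan:
    """An account locks when badPwdCount reaches lockoutThreshold, so at most
    threshold-1 failures fit in a window. `reserve` (an assumed convention)
    keeps spare failures for the real user's own typos, which count against
    the same counter."""
    if policy.lockout_threshold == 0:
        return SprayPlan(None, 0, True,
                         "lockoutThreshold is 0: no lockout, pace only for detection noise")
    budget = policy.lockout_threshold - 1 - reserve
    if budget < 1:
        return SprayPlan(0, policy.observation_window_min, False,
                         f"threshold {policy.lockout_threshold} leaves nothing after reserving {reserve}")
    return SprayPlan(budget, policy.observation_window_min, True,
                     f"{budget} attempt(s) per account, then wait "
                     f"{policy.observation_window_min} min from the last failure")


def meets_complexity(pw: str) -> bool:
    """Windows complexity: at least three of upper, lower, digit, non-alphanumeric
    (the rule about not containing the username is omitted here)."""
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return sum(classes) >= 3


def filter_candidates(policy: PasswordPolicy, candidates: List[str]) -> List[str]:
    """Drop guesses the policy would have rejected when the user set them;
    each such guess would waste a slot in the lockout budget."""
    return [pw for pw in candidates
            if len(pw) >= policy.min_length
            and (not policy.complexity or meets_complexity(pw))]


def estimate_rounds(plan: SprayPlan, n_passwords: int) -> Tuple[int, int]:
    """(rounds, total minutes spent waiting) to push n_passwords through the plan."""
    if not plan.safe:
        return (0, 0)
    if plan.per_window is None:
        return (1, 0)
    rounds = math.ceil(n_passwords / plan.per_window)
    return (rounds, (rounds - 1) * plan.wait_minutes)


if __name__ == "__main__":
    policy = PasswordPolicy(lockout_threshold=5, observation_window_min=30,
                            min_length=8, complexity=True)      # constructed values
    plan = plan_spray(policy)
    guesses = filter_candidates(policy, ["Summer2024!", "password", "Welcome1",
                                         "Spring24", "P@ssw0rd", "corp"])
    print(plan.reason)
    print("usable guesses:", guesses)
    print("rounds, minutes waiting:", estimate_rounds(plan, len(guesses)))
```

Two details matter in practice: badPwdCount is reset relative to the last failed attempt, so the wait starts after the final guess of a round, not the first; and a threshold of 0 removes lockout entirely, which is exactly the finding that makes spraying low-risk for the attacker and worth reporting on its own.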
Learn how NTLM relay attacks can target AD CS HTTP enrollment endpoints to obtain certificates for relayed identities, converting intercepted network authentication into long-lived certificate-based access that survives password resets.
Shadow Credentials exploits write access to an AD object's msDS-KeyCredentialLink attribute to register an attacker-controlled public key, enabling the attacker to authenticate as that object using Kerberos PKINIT without knowing the account's password. This lesson explains why the technique works, what preconditions matter, what the attacker gains, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.
Lateral movement via WinRM uses the Windows Remote Management service to execute commands and access systems remotely with valid credentials. This lesson explains what WinRM provides operationally, what preconditions matter, what the attacker gains, where it fits in post-credential lateral movement, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.
Pass the Hash is a lateral movement technique that uses a stolen NTLM password hash to authenticate as a user without knowing the plaintext password. This lesson explains why the attack works, what material is needed, where it fits in post-compromise movement, and how to explain the significance of NTLM hash reuse clearly in interviews, reports, and stakeholder conversations.
Pass-the-Ticket is a lateral movement technique that uses stolen Kerberos ticket material — TGTs or TGS tickets extracted from memory — to authenticate as another user without knowing their password. This lesson explains what ticket material is reused, why the technique works, how it differs from Pass the Hash and ticket forgery, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.
Abusing ACL permissions exploits misconfigured access control entries on Active Directory objects to escalate privileges — modifying group memberships, resetting passwords, taking ownership, or granting new permissions. This lesson explains what makes these permissions abusable, what preconditions matter, what the attacker gains, and how to communicate ACL-based findings clearly in interviews, reports, and stakeholder conversations.
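The ACL, DCSync, Shadow Credentials and ACL-abuse lessons above all reduce to reading access control entries and recognising which combinations of access-mask bits and object GUIDs are abusable. The following is an added example, not code from the lessons, that does that classification over a constructed DACL. The ACE records, trustee names and the `(trustee, target)` grouping are assumptions for illustration; the access-mask bit values and the extended-right and attribute GUIDs are the published Active Directory values. Deny ACEs and inheritance precedence are deliberately not modelled.

```python
"""Added example (not part of the lesson): map raw ACE fields to the abuse
primitives an attacker looks for, and check whether a trustee holds the two
replication rights DCSync needs. ACE records below are constructed; the
access-mask bits and the extended-right/attribute GUIDs are the real values.
"""
from typing import Dict, List, Set, Tuple

# Access-mask bits (ADS_RIGHT_* values)
GENERIC_ALL = 0x10000000
GENERIC_WRITE = 0x40000000
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000
DS_WRITE_PROP = 0x00000020
DS_SELF = 0x00000008
DS_CONTROL_ACCESS = 0x00000100

# ObjectType GUIDs that turn a generic bit into a specific primitive
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"        # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"    # DS-Replication-Get-Changes-All
FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
MEMBER_ATTR = "bf9679c0-0de6-11d0-a285-00aa003049e2"        # member
KEY_CRED_LINK_ATTR = "5b47d60f-6090-40b2-9f37-2a4de88f3063"  # msDS-KeyCredentialLink

Ace = Dict[str, object]  # keys: target, trustee, type, mask, object_type (None = whole object)


def classify_ace(ace: Ace) -> Set[str]:
    """Return the abuse primitives one allow ACE grants. Deny ACEs and
    inheritance precedence are not modelled here: a deny elsewhere in the
    DACL can cancel what is reported, so confirm before relying on it."""
    if ace.get("type", "allow") != "allow":
        return set()
    mask = int(ace["mask"])
    obj = ace.get("object_type")   # None means the right applies to the whole object
    if mask & GENERIC_ALL:
        return {"GenericAll"}      # full control; everything below is implied
    prims: Set[str] = set()
    if mask & WRITE_DAC:
        prims.add("WriteDacl")     # grant yourself any right
    if mask & WRITE_OWNER:
        prims.add("WriteOwner")    # take ownership, then WriteDacl
    if mask & GENERIC_WRITE or (mask & DS_WRITE_PROP and obj is None):
        prims.add("GenericWrite")  # any attribute: SPN, logon script, key credentials
    if mask & DS_WRITE_PROP and obj == MEMBER_ATTR:
        prims.add("AddMember")
    if mask & DS_WRITE_PROP and obj == KEY_CRED_LINK_ATTR:
        prims.add("AddKeyCredentialLink")   # Shadow Credentials precondition
    if mask & DS_SELF and obj == MEMBER_ATTR:
        prims.add("AddSelf")
    if mask & DS_CONTROL_ACCESS:
        if obj is None:
            prims.add("AllExtendedRights")
        elif obj == FORCE_CHANGE_PASSWORD:
            prims.add("ForceChangePassword")
        elif obj == GET_CHANGES:
            prims.add("GetChanges")
        elif obj == GET_CHANGES_ALL:
            prims.add("GetChangesAll")
    return prims


def abusable_rights(aces: List[Ace]) -> Dict[Tuple[str, str], List[str]]:
    """Aggregate primitives per (trustee, target), dropping ACEs that grant none."""
    out: Dict[Tuple[str, str], Set[str]] = {}
    for ace in aces:
        prims = classify_ace(ace)
        if prims:
            out.setdefault((str(ace["trustee"]), str(ace["target"])), set()).update(prims)
    return {k: sorted(v) for k, v in out.items()}


def can_dcsync(aces: List[Ace], trustee: str, domain_dn: str) -> bool:
    """DCSync needs both replication rights on the domain head, or a right that
    implies them; Get-Changes alone only replicates non-secret attributes."""
    held = set(abusable_rights(aces).get((trustee, domain_dn), []))
    if held & {"GenericAll", "AllExtendedRights"}:
        return True
    return {"GetChanges", "GetChangesAll"} <= held


DOMAIN_DN = "DC=corp,DC=local"
ACES: List[Ace] = [  # constructed sample DACL entries
    {"target": DOMAIN_DN, "trustee": "CORP\\svc-backup", "type": "allow",
     "mask": DS_CONTROL_ACCESS, "object_type": GET_CHANGES},
    {"target": DOMAIN_DN, "trustee": "CORP\\svc-backup", "type": "allow",
     "mask": DS_CONTROL_ACCESS, "object_type": GET_CHANGES_ALL},
    {"target": DOMAIN_DN, "trustee": "CORP\\auditors", "type": "allow",
     "mask": DS_CONTROL_ACCESS, "object_type": GET_CHANGES},
    {"target": "CN=Domain Admins,CN=Users," + DOMAIN_DN, "trustee": "CORP\\helpdesk",
     "type": "allow", "mask": DS_WRITE_PROP, "object_type": MEMBER_ATTR},
    {"target": "CN=jsmith,OU=Staff," + DOMAIN_DN, "trustee": "CORP\\helpdesk",
     "type": "allow", "mask": DS_CONTROL_ACCESS, "object_type": FORCE_CHANGE_PASSWORD},
    {"target": "CN=WS01,OU=Workstations," + DOMAIN_DN, "trustee": "CORP\\jdoe",
     "type": "allow", "mask": DS_WRITE_PROP, "object_type": KEY_CRED_LINK_ATTR},
    {"target": "CN=admin01,OU=Admins," + DOMAIN_DN, "trustee": "CORP\\jdoe",
     "type": "allow", "mask": WRITE_DAC | WRITE_OWNER, "object_type": None},
]

if __name__ == "__main__":
    for (trustee, target), prims in abusable_rights(ACES).items():
        print(f"{trustee:18} -> {target}: {', '.join(prims)}")
    for who in ("CORP\\svc-backup", "CORP\\auditors"):
        print(who, "can DCSync:", can_dcsync(ACES, who, DOMAIN_DN))
```

The `auditors` entry is the case worth noticing in a report: Get-Changes without Get-Changes-All is a legitimate monitoring grant and is not a DCSync path, so the finding is only real when both rights (or something that implies them) land on the domain object for the same trustee.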
Learn to identify and exploit overly permissive ACLs on certificate template objects, enabling an attacker to modify a safe template into a vulnerable one and then abuse it for privilege escalation — turning write access into domain compromise.
Abusing constrained delegation exploits the S4U2Self and S4U2Proxy Kerberos extensions to impersonate users to specific services, and, because the service name inside the resulting ticket is not protected by the ticket's encryption, often to reach other services on the same host than the configuration intended. This lesson explains how constrained delegation works, why it can be abused, what the attacker gains, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.
Abusing Group Policy Objects exploits write access to a GPO to push malicious configuration — scripts, scheduled tasks, or registry changes — to every system within the GPO's linked scope. This lesson explains what makes GPO control powerful, what preconditions matter, what the attacker gains, and how to communicate GPO-based findings clearly in interviews, reports, and stakeholder conversations.
Learn to identify and exploit certificate templates where a low-privilege user can request authentication certificates for any identity in the domain, and explain why this common misconfiguration creates a direct path from standard domain user to domain compromise.
Abusing unconstrained delegation exploits systems configured to receive and store forwarded TGTs from users who authenticate to them (any account that is not marked sensitive or placed in Protected Users), allowing an attacker who compromises that system to impersonate anyone who connects to it. This lesson explains why unconstrained delegation creates risk, what preconditions matter, what the attacker gains, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.
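The Kerberoastable-account, AS-REP Roasting, constrained delegation and unconstrained delegation lessons above each start from a precondition that is visible in attributes any authenticated domain user can read. The following is an added example, not code from the lessons, that classifies a set of directory objects by those preconditions and lists the equivalent LDAP filters. The records, account names and finding labels are constructed assumptions; the userAccountControl bit values, attribute names, the bitwise-AND matching-rule OID and the Domain Controllers RID are the real ones.

```python
"""Added example (not part of the lesson): classify directory accounts by the
preconditions behind Kerberoasting, AS-REP Roasting, unconstrained and
constrained delegation. The records below are constructed; the
userAccountControl bits, attribute names and RID 516 are the real values.
"""
from typing import Dict, List

# userAccountControl flags
ACCOUNTDISABLE = 0x0002
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
DONT_REQ_PREAUTH = 0x400000                 # AS-REP Roasting precondition
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
DOMAIN_CONTROLLERS_RID = 516                # primaryGroupID of every DC computer account

# Equivalent LDAP filters; 1.2.840.113556.1.4.803 is the bitwise-AND matching rule
LDAP_FILTERS = {
    "kerberoastable": "(&(objectClass=user)(!(objectClass=computer))(servicePrincipalName=*)"
                      "(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(sAMAccountName=krbtgt)))",
    "asrep-roastable": "(&(userAccountControl:1.2.840.113556.1.4.803:=4194304)"
                       "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))",
    "unconstrained-delegation": "(&(userAccountControl:1.2.840.113556.1.4.803:=524288)"
                                "(!(primaryGroupID=516)))",
    "constrained-delegation": "(msDS-AllowedToDelegateTo=*)",
}


def classify_account(rec: Dict) -> List[str]:
    """Findings for one account, in a fixed order so results compare cleanly.
    Label names are this example's own convention."""
    uac = int(rec.get("userAccountControl", 0))
    name = str(rec["sAMAccountName"])
    findings: List[str] = []
    if uac & ACCOUNTDISABLE:
        return findings  # the KDC issues no tickets for or to a disabled account
    is_computer = "computer" in rec.get("objectClass", [])
    if rec.get("servicePrincipalName") and not is_computer and name.lower() != "krbtgt":
        findings.append("kerberoastable")  # user-held SPN: TGS keyed from a human-chosen password
        if rec.get("adminCount") == 1:
            findings.append("kerberoastable-privileged")  # crack this one first
    if uac & DONT_REQ_PREAUTH:
        findings.append("asrep-roastable")
    if uac & TRUSTED_FOR_DELEGATION and rec.get("primaryGroupID") != DOMAIN_CONTROLLERS_RID:
        findings.append("unconstrained-delegation")  # DCs carry this flag by design; skipped
    if rec.get("msDS-AllowedToDelegateTo"):
        findings.append("constrained-delegation")
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append("protocol-transition")  # S4U2Self works without the victim's ticket
    return findings


def triage(records: List[Dict]) -> Dict[str, List[str]]:
    """Accounts with at least one finding, keyed by sAMAccountName."""
    out: Dict[str, List[str]] = {}
    for rec in records:
        findings = classify_account(rec)
        if findings:
            out[str(rec["sAMAccountName"])] = findings
    return out


RECORDS: List[Dict] = [  # constructed sample objects
    {"sAMAccountName": "svc-sql", "objectClass": ["user"], "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"], "adminCount": 1},
    {"sAMAccountName": "krbtgt", "objectClass": ["user"], "userAccountControl": 0x202,
     "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "jdoe", "objectClass": ["user"], "userAccountControl": 0x400200},
    {"sAMAccountName": "svc-old", "objectClass": ["user"], "userAccountControl": 0x10202,
     "servicePrincipalName": ["HTTP/old.corp.local"]},
    {"sAMAccountName": "SQL01$", "objectClass": ["user", "computer"], "userAccountControl": 0x1001000,
     "primaryGroupID": 515, "servicePrincipalName": ["MSSQLSvc/sql01.corp.local"],
     "msDS-AllowedToDelegateTo": ["CIFS/fs01.corp.local"]},
    {"sAMAccountName": "WEB01$", "objectClass": ["user", "computer"], "userAccountControl": 0x81000,
     "primaryGroupID": 515, "servicePrincipalName": ["HTTP/web01.corp.local"]},
    {"sAMAccountName": "DC01$", "objectClass": ["user", "computer"], "userAccountControl": 0x82000,
     "primaryGroupID": 516, "servicePrincipalName": ["ldap/dc01.corp.local"]},
]

if __name__ == "__main__":
    for account, findings in triage(RECORDS).items():
        print(f"{account:10} {', '.join(findings)}")
```

Two of the filters carry caveats that matter when the results go into a report: every domain controller has the unconstrained-delegation flag set, so the `primaryGroupID=516` exclusion is what separates a finding from normal DC behaviour; and an SPN on a disabled account or on krbtgt is not a Kerberoasting target, so those should be filtered before counting.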