Lessons
Each lesson covers an offensive security technique in depth: how it works, what defenders see, and how to explain it in an interview or report.
Foundations
- 01 | Active Directory | Foundations | beginner | 12 min | Free
Access Control Lists
Access control lists define who can do what to every object in Active Directory. This lesson explains what ACLs are, how they control permissions on AD objects, why they matter for delegated administration and attack surface, and how to explain them clearly in interviews.
- 02 | Active Directory | Foundations | beginner | 12 min | Free | Intro
Active Directory Certificate Services
Understand what AD CS is, why organizations deploy it, and why its integration with Active Directory identity makes it one of the most consequential — and most commonly misconfigured — components in enterprise Windows environments.
- 03 | Active Directory | Foundations | beginner | 12 min | Free | Intro
Active Directory Structure
Active Directory is the identity and access backbone of most enterprise Windows networks. This lesson explains how AD organizes users, computers, groups, and policies into a hierarchical structure, why that structure matters for both administrators and attackers, and how to explain it clearly in interviews.
- 04 | General | Foundations | intermediate | 14 min | Premium | Intro
Building Practice Labs with Ludus
Learn to build deliberate, repeatable practice labs with Ludus that support real skill development. Covers lab design around learning goals, environment configuration for attack practice, snapshot discipline, and the habits that separate productive lab work from aimless tinkering.
- 05 | Active Directory | Foundations | beginner | 12 min | Free
Certificate Templates and Enrollment Rights
Understand how certificate templates control what certificates get issued and who can request them, and why template configuration and enrollment permissions are the primary attack surface in AD CS — not the certificate authority itself.
- 06 | Active Directory | Foundations | intermediate | 14 min | Premium
Certificate-Based Authentication in Active Directory
Understand how certificates are used for authentication in Active Directory through PKINIT and Schannel, why certificate-based authentication creates unique security implications, and why controlling certificate issuance can be functionally equivalent to controlling domain authentication.
- 07 | Active Directory | Foundations | intermediate | 14 min | Free
Domain Trusts
Domain trusts define how authentication and access flow between domains and forests in Active Directory. This lesson explains what trusts are, why they exist, how they change the scope of both legitimate access and potential compromise, and how to explain trust relationships clearly in interviews.
- 08 | General | Foundations | intermediate | 14 min | Premium | Intro
Explaining Business Impact to Stakeholders
Learn to translate technical security findings into business-impact language that resonates with executives, managers, and non-technical decision-makers. Covers impact framing, audience adaptation, and the communication habits that turn technical expertise into organizational influence.
- 09 | Active Directory | Foundations | beginner | 12 min | Free
Group Policy Objects
Group Policy Objects are the primary mechanism for centrally managing configuration across users and computers in Active Directory. This lesson explains what GPOs are, how they apply settings across the environment, why control over GPOs matters for security, and how to explain Group Policy clearly in interviews.
- 10 | General | Foundations | beginner | 12 min | Premium | Intro
Handling SSH Keys Securely
Learn to generate, store, rotate, and clean up SSH keys according to professional standards. Covers per-engagement key isolation, passphrase discipline, key labeling, and the lifecycle habits that prevent your credentials from becoming a liability.
- 11 | General | Foundations | beginner | 14 min | Free | Intro
Interviewing for Offensive Security Roles
Learn to explain offensive security concepts clearly in interview settings. Covers answer structure, handling follow-ups, avoiding weak answer patterns, and the communication habits that separate strong candidates from technically capable ones who cannot articulate what they know.
- 12 | Active Directory | Foundations | beginner | 12 min | Free
Kerberos Authentication
Kerberos is the default authentication protocol in Active Directory. This lesson covers how it works at a level that supports clear technical communication, explains why its design matters for both security and attack surface, and prepares you to discuss Kerberos confidently in interviews and with stakeholders.
- 13 | General | Foundations | beginner | 10 min | Premium | Intro
Maintaining a Daily Work Log
Learn to keep a daily work log that tracks what you worked on, what changed, what blocked you, and what to resume next — so you never lose continuity between sessions.
- 14 | General | Foundations | beginner | 12 min | Premium | Intro
Maintaining a Work VM
Learn to keep your work VM clean, reproducible, and engagement-ready. Covers snapshot discipline, tool tracking, artifact cleanup between clients, and the maintenance habits that prevent your primary working environment from becoming an operational liability.
- 15 | Active Directory | Foundations | beginner | 12 min | Free
NTLM Authentication
NTLM is a legacy authentication protocol that remains widely present in Active Directory environments despite known weaknesses. This lesson explains how it works, why it persists, what makes it vulnerable, and how to explain its relevance clearly in interviews and stakeholder conversations.
- 16 | General | Foundations | beginner | 12 min | Premium
Organizing Evidence for Reporting
Learn to organize screenshots, command output, and artifacts into a structured evidence package that directly supports report writing. Covers naming conventions, finding-to-evidence mapping, and the organization habits that prevent evidence chaos on multi-day engagements.
- 17 | General | Foundations | intermediate | 14 min | Premium | Intro
Preserving Access During Authorized Testing
Learn to maintain reliable access during an authorized penetration test without exceeding scope, leaving untracked artifacts, or creating operational risk. Covers access planning, documentation discipline, client coordination, and the judgment calls that separate professional access management from careless persistence.
- 18 | General | Foundations | beginner | 12 min | Premium | Intro
Staying Current on Vulnerabilities Without Drowning in Noise
Learn to build a sustainable habit for staying informed about new vulnerabilities, tools, and techniques without getting overwhelmed. Covers source curation, triage discipline, and the information habits that keep you current without burning you out.
- 19 | General | Foundations | beginner | 12 min | Free | Intro
Taking Notes During Engagements
Learn to take structured, real-time engagement notes that support reporting, evidence review, and team collaboration. Covers what to capture, when to capture it, and how to keep notes useful without turning them into unstructured command dumps.
- 20 | General | Foundations | intermediate | 14 min | Premium | Intro
Using Proxmox for Security Practice Labs
Learn to use Proxmox VE as the foundation for security practice environments that are isolated, segmented, and reproducible. Covers resource planning, template-based provisioning, network segmentation, and the lab-management habits that keep practice environments useful instead of chaotic.
- 21 | General | Foundations | beginner | 12 min | Premium | Intro
Writing Professional Security Emails
Learn to write clear, professional emails for common security work scenarios: status updates, finding notifications, scope clarifications, and engagement coordination. Covers email structure, tone calibration, and the communication habits that keep engagements running smoothly.
- 22 | General | Foundations | intermediate | 14 min | Free | Intro
Writing Professional Security Reports
Learn to write security reports that drive action. Covers finding structure, impact framing, audience awareness, and the quality standards that separate professional deliverables from forgettable ones.
Discovery
- 23 | Active Directory | Discovery | beginner | 12 min | Free
Enumerating Domain Password Policy
Enumerating the domain password policy is a concrete discovery technique that directly informs credential attack decisions. This lesson explains how to retrieve the policy, what each setting means for attack planning, what the attacker gains from this information, and how to explain the findings in interviews, reports, and stakeholder conversations.
- 24 | Active Directory | Discovery | beginner | 12 min | Free
Enumerating Privileged Groups
Enumerating privileged groups is a concrete discovery technique that identifies which accounts have elevated control over an Active Directory environment. This lesson explains what the attacker is looking for, which groups matter and why, what group membership reveals about paths to domain compromise, and how to communicate findings clearly in interviews, reports, and stakeholder conversations.
- 25 | Active Directory | Discovery | intermediate | 12 min | Free
Identifying Kerberoastable Service Accounts
Identifying Kerberoastable service accounts is a targeted discovery technique that finds user-based accounts with Service Principal Names registered in Active Directory. This lesson explains what makes an account a viable Kerberoasting target, how to distinguish high-value targets from noise, what the attacker gains before the actual roasting step, and how to communicate this discovery work clearly in interviews and reports.
- 26 | Active Directory | Discovery | intermediate | 14 min | Free
Identifying Privilege Paths with BloodHound
BloodHound maps Active Directory relationships into a graph that reveals privilege escalation paths invisible to manual enumeration. This lesson explains what an attacker does with BloodHound during an AD engagement, what it takes to use it effectively, what the attacker gains, and how to explain BloodHound findings clearly in interviews, reports, and stakeholder conversations.
Credential Access
- 27 | Active Directory | Credential Access | intermediate | 12 min | Free
AS-REP Roasting
AS-REP Roasting targets Active Directory accounts that have Kerberos pre-authentication disabled, allowing an attacker to request encrypted credential material without knowing the account's password. This lesson explains the precondition that makes the attack possible, why the mechanism works, what the attacker gains, how it differs from Kerberoasting, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.
- 28 | Active Directory | Credential Access | advanced | 14 min | Premium
DCSync
DCSync uses Active Directory's built-in replication protocol to request password data for any account in the domain — without accessing a domain controller's file system, memory, or running processes. This lesson explains why the technique works, what permissions enable it, what the attacker gains, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.
- 29 | Active Directory | Credential Access | intermediate | 14 min | Premium
Extracting Credentials from LSASS
Extracting credentials from LSASS targets the Local Security Authority Subsystem Service process to recover authentication material — NT hashes, Kerberos tickets, and plaintext credentials — from memory on a compromised host. This lesson explains what LSASS holds, why extracting from it is impactful, what preconditions matter, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.
- 30 | Active Directory | Credential Access | intermediate | 14 min | Free
Kerberoasting
Kerberoasting exploits a design property of Kerberos to extract service account credential material for offline cracking. This lesson explains why the attack works, what makes it possible, what the attacker gains, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.
- 31 | Active Directory | Credential Access | advanced | 16 min | Premium
NTLM Relay Attacks
NTLM relay attacks intercept a legitimate NTLM authentication exchange and forward it to a different target, gaining authenticated access as the relayed identity without knowing the password or cracking the hash. This lesson explains why relay works, what conditions enable it, what the attacker gains, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.
- 32 | Active Directory | Credential Access | intermediate | 14 min | Premium
Password Spraying
Password spraying is a credential access technique that tests a small number of commonly used passwords against many accounts simultaneously, staying under the lockout threshold. This lesson explains why the technique works, how the domain password policy shapes attacker decisions, what the attacker gains, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.
- 33 | Active Directory | Credential Access | advanced | 16 min | Premium
Relaying NTLM to AD CS Web Enrollment
Learn how NTLM relay attacks can target AD CS HTTP enrollment endpoints to obtain certificates for relayed identities, converting intercepted network authentication into long-lived certificate-based access that survives password resets.
- 34 | Active Directory | Credential Access | advanced | 14 min | Premium
Shadow Credentials
Shadow Credentials exploits write access to an AD object's msDS-KeyCredentialLink attribute to register an attacker-controlled public key, enabling the attacker to authenticate as that object using Kerberos PKINIT without knowing the account's password. This lesson explains why the technique works, what preconditions matter, what the attacker gains, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.
Lateral Movement
- 35 | Active Directory | Lateral Movement | intermediate | 12 min | Premium
Lateral Movement via WinRM
Lateral movement via WinRM uses the Windows Remote Management service to execute commands and access systems remotely with valid credentials. This lesson explains what WinRM provides operationally, what preconditions matter, what the attacker gains, where it fits in post-credential lateral movement, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.
- 36 | Active Directory | Lateral Movement | intermediate | 12 min | Free
Pass the Hash
Pass the Hash is a lateral movement technique that uses a stolen NTLM password hash to authenticate as a user without knowing the plaintext password. This lesson explains why the attack works, what material is needed, where it fits in post-compromise movement, and how to explain the significance of NTLM hash reuse clearly in interviews, reports, and stakeholder conversations.
- 37 | Active Directory | Lateral Movement | intermediate | 14 min | Premium
Pass-the-Ticket
Pass-the-Ticket is a lateral movement technique that uses stolen Kerberos ticket material — TGTs or TGS tickets extracted from memory — to authenticate as another user without knowing their password. This lesson explains what ticket material is reused, why the technique works, how it differs from Pass the Hash and ticket forgery, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.
Privilege Escalation
- 38 | Active Directory | Privilege Escalation | intermediate | 14 min | Premium
Abusing ACL Permissions
Abusing ACL permissions exploits misconfigured access control entries on Active Directory objects to escalate privileges — modifying group memberships, resetting passwords, taking ownership, or granting new permissions. This lesson explains what makes these permissions abusable, what preconditions matter, what the attacker gains, and how to communicate ACL-based findings clearly in interviews, reports, and stakeholder conversations.
- 39 | Active Directory | Privilege Escalation | intermediate | 14 min | Premium
Abusing Certificate Template Permissions
Learn to identify and exploit overly permissive ACLs on certificate template objects, enabling an attacker to modify a safe template into a vulnerable one and then abuse it for privilege escalation — turning write access into domain compromise.
- 40 | Active Directory | Privilege Escalation | advanced | 16 min | Premium
Abusing Constrained Delegation
Abusing constrained delegation exploits the S4U Kerberos extensions to impersonate users to specific services — and in many configurations, to bypass the intended service restrictions entirely. This lesson explains how constrained delegation works, why it can be abused, what the attacker gains, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.
- 41 | Active Directory | Privilege Escalation | intermediate | 14 min | Premium
Abusing Group Policy Objects
Abusing Group Policy Objects exploits write access to a GPO to push malicious configuration — scripts, scheduled tasks, or registry changes — to every system within the GPO's linked scope. This lesson explains what makes GPO control powerful, what preconditions matter, what the attacker gains, and how to communicate GPO-based findings clearly in interviews, reports, and stakeholder conversations.
- 42 | Active Directory | Privilege Escalation | intermediate | 14 min | Free
Abusing Misconfigured Certificate Templates
Learn to identify and exploit certificate templates where a low-privilege user can request authentication certificates for any identity in the domain, and explain why this common misconfiguration creates a direct path from standard domain user to domain compromise.
- 43 | Active Directory | Privilege Escalation | advanced | 14 min | Premium
Abusing Unconstrained Delegation
Abusing unconstrained delegation exploits systems configured to store forwarded TGTs from any authenticating user, allowing an attacker who compromises that system to impersonate anyone who connects to it. This lesson explains why unconstrained delegation creates risk, what preconditions matter, what the attacker gains, and how to communicate the risk clearly in interviews, reports, and stakeholder conversations.