Timeline

Course Start Date: 03 November 2020
Exam Pass Date: 08 January 2021
Digital Certificate: https://verified.elearnsecurity.com/certificates/ab5d542b-ee79-4d91-a53a-b9f53112f29c


Background

Penetration Testing eXtreme (PTX) is one of the two "Extreme" level courses provided by eLearnSecurity and it focuses on Red Teaming. Students who successfully finish the course and pass the exam are awarded the eLearnSecurity Certified Penetration Tester eXtreme (eCPTX) certificate. eCPTX has just been renewed to version 2, and this course is the first eLearnSecurity course that I have taken. I started this course on 3rd November 2020 while still doing the CRTO and passed the exam on 8th January 2021.


Course and Lab

The course material consists of slides and video files. The course is divided into four (4) modules: Preparing the Attacks, Red Teaming Active Directory, Red Teaming Critical Domain Infrastructure, and Evasion.

#1 Preparing the Attacks

The main topic of this module is Social Engineering attack vectors, such as how to deliver triggerable Outlook malware via macros, how to create an undetectable macro, and how to establish a shell through the victim's browser. This module also briefly covers Red Team infrastructure, OPSEC considerations, and C2 frameworks.

#2 Red Teaming Active Directory

This module consists of two sub-modules: Advanced Active Directory Reconnaissance and Enumeration and Red Teaming Active Directory.

Advanced Active Directory Reconnaissance and Enumeration focuses on enumeration and information gathering both from outside and from inside the Active Directory environment. SPN scanning/service discovery, Group Policies, local admin enumeration, group enumeration, domain trusts, and AD user/computer enumeration are some of the topics covered in this area. Most of the enumeration is performed using native commands, PowerView, and BloodHound.

The second sub-module, Red Teaming Active Directory, starts by explaining Active Directory fundamentals such as authentication, authorization, DNS, domain trees, domain forests, domain OUs, and domain trusts. It then moves on to traditional AD attacks such as LDAP relay, GPO, RDP MiTM, and LLMNR & NBT-NS poisoning. Next come the Red-Team oriented AD attacks, which cover things such as Constrained Delegation, Unconstrained Delegation (Printer Bug), Resource-Based Constrained Delegation (RBCD), Over Pass the Hash, Pass the Ticket (PTT), Dumping AD Credentials, Password Spraying, Golden Tickets, Silver Tickets, Trust Tickets, Kerberoast, Targeted Kerberoasting, ASREPRoast, LAPS, ACLs on AD objects, Microsoft Exchange Privilege Escalation, NTLMRelayx, Abusing PAM, Just Enough Administration (JEA), DPAPI Abuse, Token Abuse, and Lateral Movement Techniques. This module is my favorite as it covers a LOT of attack vectors and techniques in an Active Directory environment.

#3 Red Teaming Critical Domain Infrastructure

This module covers the attack vectors and techniques for three common and critical infrastructure components in an Active Directory environment: MS SQL Server, MS Exchange, and WSUS. The MS SQL Server part covers things such as SQL Server link crawling and ARP poisoning, as well as a sample attack scenario going from SQL injection to a Domain Admin hash. The MS Exchange part covers things such as performing SMB relay to EWS (Exchange Web Services), and the WSUS part covers things such as how to compromise the WSUS server and spread access stealthily by serving a malicious update.

#4 Evasion

The last module covers evasion techniques. Unfortunately, this module does not have any labs and consists only of slides. The evasion module covers things such as AMSI, BYOI, Event Tracing, Sysmon, EDR, Discovery, Lateral Movement, and Credential Access.

Regarding the labs, each module has its own lab that is used to practice the techniques taught in the course. There are also 3 Active Directory labs that students can use to practice the full red teaming lifecycle, from the initial phase to domain dominance. The lab connection uses an OpenVPN configuration file that is unique to each lab. Overall, the course and the labs are amazing. The course covers a broad range of attack vectors and techniques, and the labs also contain interesting attack scenarios.


Exam

A pre-exam manual and a Letter of Engagement are provided to give information about the exam process, the scope of engagement, the objectives, and some advice. The exam duration is 48 hours to achieve the objectives and another 48 hours for reporting. As far as I know, this is the only exam from eLearnSecurity that has such a short duration. Other exams such as eCPPT, eWPT, and eWPTX are 7 days long.

The scope of engagement details the initial IP range, what is in scope, and what is and is not allowed. The Exam Objectives detail the "Necessary but insufficient conditions to pass the exam" and the information that is expected to be written in the exam report.

The exam attack scenarios are awesome. These scenarios are so far my favorite among the other exams that I have done. However, the exam environment stability is a bit disappointing. The exam panel allows the student to reset the exam environment. I took the exam on the weekend, and when I tried to reset the environment, the reset process got stuck and the environment was no longer accessible. Considering the time constraint, I emailed support@elearnsecurity.com, but it took a couple of emails for them to respond and solve the situation. Giving them the benefit of the doubt, it could be due to the weekend? No idea. I lost a lot of time and motivation to keep doing the exam in an unstable environment. eLearnSecurity did give me an "extension" of the exam duration to compensate for the environment issue. However, the extension fell on my working days, where I couldn't really make the most of it. TL;DR: I passed the exam and obtained my eCPTX on 8th January 2021.


Conclusion

I think the course does a good job of compiling and presenting the attack techniques and vectors for Red Team engagements. The course labs are a good place for students to practice the theory learned from the course. The exam itself is very enjoyable (excluding the environment issues) and challenging.