Posted on 2023-05-05 by Nathan Jarvie in Industry
Late last year I was looking into “What happens next?” after OSCP and PNPT certifications, and it is common to hear from those in the industry that the next step for network penetration testing is to complete Certified Red Team Operator (CRTO) or Certified Red Team Expert (CRTE).
But what I discovered is that while there are many blogs about each one, there are surprisingly few that compare the two directly. So I set out to remedy this issue.
I will try to keep it brief…
What are the CRTO and CRTE certifications?
Certified Red Team Operator (CRTO) and Certified Red Team Expert (CRTE) are courses that focus on the enumeration and exploitation of Active Directory features and misconfigurations. They are commonly considered the next logical step in education after completing an “entry level” penetration testing certification such as OffSec Certified Professional (OSCP) or Practical Network Penetration Tester (PNPT).
It is important to understand that these courses assume you already understand the basics of penetration testing and as such are targeted at intermediate level students and professionals.
There are a squillion blogs on each of these courses individually so I will keep my descriptions of each brief and instead highlight the differences between them.
Certified Red Team Operator (CRTO)
This course is developed by Zero-Point Security (RastaMouse) and is designed to walk the student through Active Directory penetration testing using Command and Control infrastructure (commonly referred to as C&C or C2). While the labs utilise Cobalt Strike, you could feasibly translate the teachings to almost any Command and Control framework you wish to use (Mythic, Covenant, Sliver, etc.).
The opportunity to play with Cobalt Strike, which would typically set a company back many thousands for a licence, is one of its biggest selling points and is often the reason you first hear of the course.
Certified Red Team Expert (CRTE)
This course is developed by Nikhil Mittal at Altered Security. The course and the exam were previously provided by Pentester Academy (INE), which can be a source of some confusion for those looking for it, as, understandably, there are still many references online to the previous provider. It is the middle child between the Certified Red Team Professional (CRTP) course and the Certified Red Team Master (CRTM) - previously known as "PACES", to add more confusion - both also provided by Altered Security.
The focus of the CRTE course is on the use of offensive PowerShell and open-source tools to enumerate and exploit Active Directory. Its major selling point is the living-off-the-land approach to Active Directory penetration testing.
But why would you want to do them?
Once many have completed their OSCP or equivalent, it is easy to think that you have a good understanding of Active Directory. After all, you can perform Kerberoasting, and you can run Responder to poison LLMNR/NBT-NS and capture NTLMv2 hashes, or hand that captured authentication to ntlmrelayx to relay it to a service and dump credentials. But what happens the first time you go onsite and those techniques don't work?
While weak passwords, LLMNR/NBT-NS poisoning and NTLM relaying are still incredibly prevalent in modern networks, more and more companies are getting internal penetration tests or running network vulnerability assessment tooling and finding these low-hanging-fruit-type vulnerabilities. So attackers are getting sneakier and going after more subtle abuses of Active Directory features and services. As such, we need to do the same.
Active Directory is an ever-growing beast with new exploits and abuses discovered regularly. Learning how to use this to your advantage as a tester has a lot more practical use cases than any point-and-shoot exploit that could be developed and released.
What is similar between the courses?
So we have established that both courses cover Active Directory, but lets break that down a bit and see what you will learn from either course should you decide to take one. The following techniques are common across both courses:
- Domain/Forest object enumeration
- Credential theft (such as DCSync, Mimikatz, etc.)
- User impersonation (Overpass the Hash)
- Kerberos attacks (Constrained, Unconstrained and Role-Based Constrained delegation, Kerberoasting, Ticket forgery, etc.)
- AD Certificate Services attacks
- Lateral movement
- MSSQL Server attacks
- Domain/Forest trust abuses
- AppLocker/WDAC bypasses
- Basics of AV/EDR evasion
- OPSEC considerations
This list is not exhaustive but it will give you the gist of it. As you can see, there is quite a bit more to Active Directory than the techniques covered in the entry level certification courses.
Both courses cover these techniques in relative detail allowing the student to understand what is happening and how it can be abused to gain some new level of access. However, in some cases one course may not cover a topic, or only cover it briefly, but the other will dive into it.
It is important to understand that neither of the courses will teach you how to bypass AV/EDR in a foolproof way. Bypassing antivirus (AV) or Endpoint Detection and Response (EDR) engines is an art more than a science, but both courses will cover the basics so that you can practice on your own.
Both utilise tools and techniques designed to be run on Windows systems, such as PowerShell and C# executables. There are few references to Linux throughout; however, both mention that many techniques can be executed from a Linux system if you prefer.
What is different between them?
Now this is where it gets interesting. Both the courses have significant points of difference which can help you to decide which to take. While both have different techniques they wish to cover, there are a number of other points of difference worth discussing such as the content delivery method, labs, and the certification exams.
Content delivery is a big thing for me. I think the way in which the course content is provided to the student can have a large impact on how motivated they are to finish the course. I have experienced many courses that were so dry and difficult to process that it was a real drain to push through to the certification and in a few cases I never made it.
So the obvious one here is that CRTO focuses on the utilisation of a C2 framework to move around the network. The idea is that we use whatever privilege we have gained to drop a beacon/agent on a target server and use it to execute our commands and tools.
Other than that, here is a list of some of the topics covered that are unique, or covered in more depth by CRTO:
- Initial compromise techniques such as phishing
- Host privilege escalation
- Process injection and session theft
- Proxies and pivoting
- NTLM relaying
- Group Policy abuses
While the focus is on using Cobalt Strike to execute these techniques, all the instructions can be modified to be run directly on the target system. That is to say that the use of a C2 is not strictly required to understand and utilise the content.
Zero-Point Security provide their content through a web portal with modules covering the various topics and subtopics. It is easy to follow and understand, with some videos throughout in which RastaMouse walks you through the attack. There is some information in the videos that is not in the text and vice versa so you wouldn’t want to skip them. Also, to quote one of my colleagues: “He has the voice of an Angel”.
It is laid out in a way that allows you to refer back to it like a notebook. Though, I would still recommend taking your own notes throughout. The thing that impressed me most about the content was how regularly it is updated. I would often go back and find new modules have been added and previous modules have been updated with more information.
The downside of this method is that it is not available for offline use, which may restrict opportunities for study if you don't have internet access (such as on a plane).
Labs are provided through Immersive Labs Cyber Ranges (SnapLabs), accessed through the web browser, and require a subscription. This is a separate charge to the course/exam bundle and is not strictly required; however, not participating in the labs would be doing yourself a disservice, as it is one of the few opportunities you can get to practice with a C2 in a functioning environment.
It is expected that you would finish the lab content within about 40 hours, so depending on how often you can study, this may incur a few months of subscription fees.
Subscription fees are £20 per month for 40 hours.
The techniques in CRTE are generally based on a "living-off-the-land" type approach (i.e. utilising Microsoft's own tools against them where possible). The course provides command snippets for both PowerView and Microsoft's own ActiveDirectory PowerShell module. Because the AD module is signed by Microsoft, it is typically permitted by AppLocker/WDAC publisher rules and is not flagged by the AV/AMSI signatures that catch PowerView, so it passes many protections by default. There is a great deal of emphasis put on utilising Microsoft's tools where possible to avoid detection.
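To make the "same question, two front ends" point concrete, here is an added example (my own, not material from CRTO or CRTE) that enumerates four of the things listed under "What is similar between the courses" (Kerberoastable accounts and the three flavours of Kerberos delegation) using identical LDAP filters, once through PowerView's Get-DomainObject and once through the Microsoft-signed ActiveDirectory module's Get-ADObject. It assumes the session is joined to the target domain, that PowerView lives at .\PowerView.ps1, and that the AD module is importable (RSAT, or a copied Microsoft.ActiveDirectory.Management.dll); those paths are assumptions, not anything the courses prescribe.

```powershell
# Added example, not course material from CRTO or CRTE. The four enumeration
# questions below are asked with the same LDAP filter through two front ends:
# PowerView (Get-DomainObject) and the Microsoft-signed ActiveDirectory module
# (Get-ADObject). Assumptions: the session is joined to the target domain,
# .\PowerView.ps1 is the path to PowerView, and RSAT (or a copied
# Microsoft.ActiveDirectory.Management.dll) makes the AD module importable.

$Queries = @(
    @{ Name  = 'Kerberoastable accounts'
       # user objects carrying an SPN; krbtgt is excluded because a ticket
       # encrypted with its key is not crackable in any useful sense
       Ldap  = '(&(objectCategory=person)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))'
       Props = 'sAMAccountName', 'servicePrincipalName' },
    @{ Name  = 'Unconstrained delegation'
       # userAccountControl bit TRUSTED_FOR_DELEGATION (0x80000); writable
       # domain controllers (primaryGroupID 516) always have it, so drop them
       Ldap  = '(&(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(primaryGroupID=516)))'
       Props = 'sAMAccountName', 'userAccountControl' },
    @{ Name  = 'Constrained delegation'
       Ldap  = '(msDS-AllowedToDelegateTo=*)'
       Props = 'sAMAccountName', 'msDS-AllowedToDelegateTo' },
    @{ Name  = 'Resource-based constrained delegation'
       Ldap  = '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)'
       Props = 'sAMAccountName', 'msDS-AllowedToActOnBehalfOfOtherIdentity' }
)

# The RBCD attribute is a binary security descriptor. PowerView hands it back
# as byte[]; the AD module converts it to ActiveDirectorySecurity. Either way
# the interesting part is the list of principals in the DACL.
function Get-RbcdPrincipal {
    param($Value)
    if ($Value -is [byte[]]) {
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Value, 0)
        foreach ($ace in $sd.DiscretionaryAcl) {
            $sid = $ace.SecurityIdentifier
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        }
    }
    elseif ($Value -is [System.DirectoryServices.ActiveDirectorySecurity]) {
        $Value.Access | ForEach-Object { $_.IdentityReference.Value }
    }
}

function Invoke-DelegationEnum {
    param([ValidateSet('PowerView', 'ADModule')][string]$Backend)

    foreach ($q in $Queries) {
        $results = switch ($Backend) {
            'PowerView' { Get-DomainObject -LDAPFilter $q.Ldap -Properties $q.Props }
            'ADModule'  { Get-ADObject     -LDAPFilter $q.Ldap -Properties $q.Props }
        }
        foreach ($r in $results) {
            # PowerView lower-cases attribute names; the AD module keeps schema
            # casing. PowerShell property access is case-insensitive, so one
            # code path serves both.
            $detail = if ($q.Name -like 'Resource-based*') {
                (Get-RbcdPrincipal $r.'msDS-AllowedToActOnBehalfOfOtherIdentity') -join ', '
            } else {
                ($r.($q.Props[1]) -join ', ')
            }
            [pscustomobject]@{
                Backend = $Backend
                Finding = $q.Name
                Account = $r.sAMAccountName
                Detail  = $detail
            }
        }
    }
}

# Living-off-the-land path: only the Microsoft-signed module is loaded.
Import-Module ActiveDirectory
Invoke-DelegationEnum -Backend ADModule | Format-Table -AutoSize

# Same questions through PowerView, for comparison. Expect AMSI/AV to object
# to the dot-source on a hardened host; that difference is the whole point.
. .\PowerView.ps1
Invoke-DelegationEnum -Backend PowerView | Format-Table -AutoSize
```

Two things worth noticing when you run it: the LDAP filters are the real work and are byte-for-byte the same in both halves, so the "tool" you pick is only a wrapper around the query; and the manual descriptor decode in Get-RbcdPrincipal is only needed because Get-ADObject returns the raw attribute, whereas Get-ADComputer already exposes the same list as the PrincipalsAllowedToDelegateToAccount property.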
Additionally these techniques, and more, are covered in more depth in CRTE:
- PowerShell/WMI remoting
- PowerShell OPSEC
- AV/EDR bypass techniques for PowerShell and C#
- Access Control List abuse (e.g. gMSA)
- Cross-forest attacks
- AD Defences and mitigations
The meat of the CRTE course comes in the form of recorded Zoom sessions. I was not able to attend the bootcamp sessions myself due to time-zone issues, but the recorded sessions were excellent, if a little rushed at times. I found that it took me a lot longer than 3 hours to get through each 3-hour video as I would spend a lot of time going back over content that was discussed while I took my notes.
In the videos, Nikhil does an amazing job of explaining the attacks, and more importantly the “why” behind each one. He goes into great depth about how Active Directory works as a whole and uses that to explain the attacks in context. More than a few times, I was ready to skip a section because I knew that attack and how it is executed, and was glad that I did not because I learned a lot more about it. The slide deck is also provided for you to follow along if you wish.
Additionally, there is a lab manual which walks you through the lab content and how to execute the attacks, however this often differs (slightly) from what is described or demonstrated in the videos. The lab manual is not a substitute for the videos, and you will miss a lot of content if you rely on it entirely. I found I only really used it when I was failing to execute the attack successfully, and needed guidance on syntax.
The labs are hosted in Azure and can be accessed through the browser. Altered Security offer 30, 60 and 90 day packages for lab access. I personally found 30 days to be sufficient, but I was coming off the back of CRTO, so someone just starting their red-teaming journey may benefit more from the 60/90 day packages instead.
It is also worth noting that CRTE provides manuals outlining how to work through the content using Linux or Covenant (C2 tool), but neither are discussed in the videos or slide deck. If you have time remaining on your labs you may wish to try it but it is not officially supported.
Students who attempt their certification exams are under a strict NDA to protect the integrity of the certification, as such I will not go into detail about what you can expect to find on the exam itself. However, I will concisely summarise the publicly available information.
The CRTO exam consists of collecting a minimum of 6 flags (of 8) over 48 hours. These 48 hours can be distributed over 4 consecutive days in any way you choose; however, this requires stopping and starting the labs, which kills your beacons and means re-establishing them, so make sure you are on top of that before you start. There is no report requirement, simply the flag submission.
The whole process was very well designed and was an enjoyable experience.
The CRTE exam is a little more restricted. You must compromise a minimum of 4 machines over 48 hours and a further 48 hours to produce a report. Unlike the CRTO there is no way to pause the exam environment, so you will need to factor breaks and rest into this time period.
The report is a full penetration test report and should be treated as such. This includes a comprehensive walkthrough detailing the steps taken, vulnerabilities exploited and mitigations that can be implemented. However, if English isn’t your native language, let the team know and that will be taken into account when being graded.
I found the best strategy after completing the technical component of the exam was to let the lab time expire naturally (rather than ending the exam early), giving me more time to complete the report and take any screenshots. As it turns out, I missed a few screenshots and had to go back to get them so I was glad for this additional time. Also, I had to write the report after work hours, so additional time allowed me to write a more comprehensive report.
Which one is better?
The honest answer is both are great and have their strengths. I found the CRTE to be more challenging, but this was possibly due to the feeling of having less time to complete the tasks. There was one stage where I was stuck on a single problem for over 9 hours before finding the solution and moving forward. However, both experiences were excellent overall. I think that if you could only choose one, I would recommend CRTE, not because it is "better" but because of the detail provided about Active Directory as a whole; and not every company uses a C2 framework. But CRTO was more fun. Playing with Cobalt Strike and gaining a much better understanding of C2 frameworks was well worth the investment.
There is great benefit in completing both courses if you have the time and the funds. Not only because each course has unique content and skills focus, but because it is a great opportunity to reinforce the knowledge, skills, and techniques covered by both. I often found that working through the course materials for CRTE, I would refer back to the notes taken in CRTO (because I took CRTO first). But I would then use the notes from both to craft a command that would do exactly what I was looking to do.
If you are looking to improve your Active Directory game, either of these courses will benefit you greatly. But if you can, I highly recommend doing both.
I had a lot of fun working my way through these courses. The content creators (RastaMouse and Nikhil Mittal) have clearly put a lot of love and time into honing their craft and have a desire to share their knowledge and skills. This does not go unnoticed throughout the courses. Both have such a passion for their trade that it is infectious, and I cannot wait to take on CRTL (CRTO2) and CRTM when time permits.
Thank you to them both for their courses.
If you have any questions, please feel free to reach out to me on my socials.
Thank you for reading and best of luck to you on whichever course you choose to take.
P.S. Looks like I failed at keeping it brief. Sorry about that.
About the author
Nathan is a certification addict, he can't stop and it's becoming a problem. We can't talk to him about it directly but consider this a call for help.