Active Directory Labs
Hands-on AD pentesting — Build. Attack. Learn.
Choose a Lab
Select the environment you want to build and attack.
■ Easy
InGen Corporation
ingen.local — 1 DC • No workstations
Easy
InGen Corporation spared no expense — on dinosaurs. The single Domain Controller has AS-REP roastable accounts, a Kerberoastable service, and a Domain Admin with a password from the default provisioning list.
AS-REP Roasting Kerberoasting Password Spraying DCSync
Open Lab →
■ Medium
Meridian Financial Group
meridianfg.local — 1 DC • 2 Workstations
Medium
You've just landed a foothold on the internal network of Meridian Financial Group — a mid-sized firm that never got around to hardening their Active Directory. Broadcasts are leaking credentials, service accounts are roastable, and someone left the ACLs wide open. Chain it all the way to Domain Admin.
Weak Passwords LLMNR SMB Relay AS-REP Roast Kerberoasting ACL Abuse Pass the Hash BloodHound
Open Lab →
TCM Security — Hydra
marvel.local — 1 DC • 2 Workstations
Medium
The classic TCM Security lab — HYDRA-DC, THEPUNISHER, SPIDERMAN. LLMNR broadcasts are flying, SQLService is waiting to be Kerberoasted and the IT admin hash sits in memory on every boot. A perfect companion to the Practical Ethical Hacking course.
Weak Passwords LLMNR SMB Relay AS-REP Roast Kerberoasting ACL Abuse Pass the Hash BloodHound
Open Lab →
■ Expert
Northgate Hospital
northgate.local — AD CS • ESC1 • RBCD
Expert
Northgate Hospital runs AD Certificate Services — and the enrollment templates are a disaster waiting to happen. Request a certificate as anyone, forge a Kerberos ticket, and leverage RBCD to DCSync the domain. No margin for error.
Kerberoasting AD CS / ESC1 RBCD DCSync