Check out these Hands-On-Labs that will be at Mile High 2026!
Active Directory Exploitation Lab 1 ADCS and NTLM Relay
The Active Directory Exploitation Lab 1 features a vulnerable Active Directory domain with AD Certificate Services (ADCS), allowing participants to perform reconnaissance on domain structures, users, and ADCS certificate templates using tools like BloodHound and Certipy. Trainees then conduct password spraying attacks to test weak credentials across multiple accounts and domains. The environment supports LLMNR poisoning with Responder to capture NTLM hashes, followed by NTLM relay attacks over SMB for unauthorized access and code execution. Finally, participants exploit misconfigured ADCS templates for privilege escalation and target MSSQL servers to extract data or enable lateral movement through techniques like xp_cmdshell.
Active Directory Exploitation Lab 2 SCCM
The Active Directory Exploitation Lab 2 SCCM features a vulnerable Microsoft Endpoint Configuration Manager (SCCM) environment, enabling participants to perform reconnaissance by enumerating site servers, management points, and distribution points using tools like SharpSCCM and Sccmhunter. Trainees then abuse PXE boot processes on distribution points to extract credentials from task sequences or collection variables, often leveraging tools like PXEThief when passwords are weak or absent. The setup supports coercing NTLM authentication from the site server machine account, relaying it to the MSSQL database server to execute queries granting full SCCM administrator privileges. Finally, with escalated SCCM admin access, participants abuse client push mechanisms and deploy applications/scripts to achieve lateral movement and remote code execution on managed clients.
Doorbell Replay Attack Lab
This lab includes an introduction to software defined radio (SDR) recording and playback for static code devices. Steps include identifying signal characteristics, waveform analysis, static code analysis/regeneration, and signal reply. Attendees will be able to perform a replay attack against a wireless doorbell.
Electronic Access Control Lab
This lab introduces participants to some of the common pitfalls associated with electronic access control systems. In the lab, participants will gain familiarity with low and high-frequency RFID cards. Then step-by-step instructions are provided for performing replay, card cloning, and brute force attacks against the targeted system. In addition, participants will explore reader implant devices that exploit cleartext communication between the reader and controller. Finally, participants will explore operation of doors remotely with direct access to the controller.
Bluetooth Low Energy (BLE)
This lab provides an introduction to the Bluetooth Low Energy (BLE) protocol. Participants will gain familiarization with various software tools used to interact with devices supporting the BLE protocol. Those tools will be used to interact with services exposed through BLE to retrieve information from the target device.
Keystroke Injections Lab
This lab includes concepts of hijacking a wireless mouse or keyboard and performing keystroke injection attacks. Several wireless input devices are found to still be vulnerable to this type of attack. Attendees will be able to understand and demonstrate how this attack is performed.