hardw00t/network-pentest

Network Penetration Testing

STOP — Authorization check (read before any execution)

This skill executes offensive techniques against live infrastructure. Before any action:

1. Confirm a written engagement letter / SOW is in scope and in-date.
2. Confirm Rules of Engagement (ROE) covering: target CIDRs, excluded hosts, allowed techniques (coercion? DCSync? password spray?), permitted hours, source-IP allowlist, and customer emergency contact.
3. Confirm the authorization explicitly names the domain(s) and tenant(s) you are about to test.
4. If ANY of the above is unclear, ambiguous, or missing — STOP and request clarification. Do not proceed on the basis of verbal approval, chat-channel approval, or inferred scope.

Destructive/high-blast-radius actions (DCSync against production DCs, Zerologon, Skeleton Key, GPO edits, krbtgt reset, cert forgery) require a second, specific written approval in addition to the base engagement letter. Every such action must be logged with timestamp, operator, and justification for the customer's IR reconciliation.

Prefer read-only enumeration and dry-run modes first. Escalate only when the previous step establishes the precondition. Never chain offensive actions speculatively.

---

This skill enables comprehensive internal network and Active Directory penetration testing: reconnaissance, credential attacks, lateral movement, privilege escalation, and domain dominance. It is a thin router — heavy content lives in workflows/, references/, and payloads/. Load only the file you need.

When to Use

• Authorized internal network penetration test
• Authorized Active Directory security assessment
• Lateral movement / privilege escalation validation
• Credential-attack testing (spray, Kerberoast, AS-REP)
• Post-exploitation path verification from a simulated phished user
• Network segmentation bypass validation
• Purple-team exercises where offensive action is agreed with the blue team

Trigger Phrases

• "pentest the internal network"
• "attack Active Directory" / "AD assessment"
• "perform lateral movement"
• "escalate privileges on the domain"
• "extract NTDS / DCSync"
• "kerberoast" / "AS-REP roast" / "password spray"
• "test network segmentation"

When NOT to Use This Skill

• Cloud IAM assessment (AWS IAM, Azure Entra ID, GCP IAM) — use cloud-security. This skill is for on-prem AD, not cloud-native identity. (Azure Hybrid / AD-Connect scenarios may touch both.)
• External web application / external surface testing — use dast-automation for unauthenticated web surface, Burp-based testing, and API security.
• Container image CVE scanning or runtime k8s hardening — use container-security.
• Source-code/IaC misconfiguration review — use iac-security / sast-review.
• Mobile app testing — use mobile-security.
• Social-engineering / phishing campaigns — out of scope; use the dedicated phishing skill if present.

If the engagement has a cloud + on-prem hybrid target (e.g., Entra Connect, AAD joined workstations), start here for the on-prem side and hand off specific cloud identity paths to cloud-security.

Decision Tree

Are you authorized (see STOP section)?
├── No  -> stop, request written scope + ROE
└── Yes
    │
    ├── No creds yet, no foothold
    │     -> workflows/recon.md
    │     -> workflows/credential_attacks.md  (Responder, spray)
    │
    ├── Low-priv domain cred in hand
    │     -> workflows/ad_enumeration.md  (BloodHound + LDAP)
    │     -> workflows/credential_attacks.md  (Kerberoast, AS-REP)
    │
    ├── Local admin on one host, need to spread
    │     -> workflows/lateral_movement.md
    │
    ├── Need to elevate (local or domain)
    │     -> workflows/privilege_escalation.md
    │
    └── Domain Admin / replication rights in hand
          -> workflows/domain_dominance.md   (DCSync, golden ticket, rollback)

Parallelism Hints

Independent — run concurrently (one sub-agent each):

• Host discovery across different /24s (subnet-level fan-out)
• Nmap service fingerprinting across disjoint host batches
• BloodHound collection methods: Default, ACL, LocalGroup, Session (independent LDAP/SMB streams)
• LDAP queries by object class (users, computers, groups, SPN, ASREP)
• Per-host LSASS/SAM/LSA extraction across a pwned-hosts list
• Kerberoast vs AS-REP roast vs Responder (different primitives)
• Hashcat sessions on separate hashlists / GPUs

Must be sequential (shared state / lockout / replication):

• Password spraying against the same domain — bad-pwd counters are shared; fanning out causes lockouts. Enforce a per-account cadence of attempts < LOCKOUT_THRESHOLD - 1 per observation window, with delays between passes.
• Repeated LSASS dumps on the same host — EDR stacking triggers
• Full secretsdump -just-dc runs against the same DC (replication contention)
• krbtgt password resets and their twin (required >= ticket-lifetime apart)

Sub-Agent Delegation

• Recon: one sub-agent per subnet (/24) for discovery + fingerprinting. Aggregator sub-agent consolidates services.csv.
• AD enumeration: one sub-agent per BloodHound collection method.
• Lateral movement: when BloodHound surfaces N distinct attack paths of similar length, dispatch one sub-agent per path; each owns its credential cache. Collate into a single engagement-notes.md.
• Hash cracking: dedicate a sub-agent per hash list to avoid GPU contention on a single hashcat process.

Do NOT fan out credential spraying — it is a single-threaded, lockout-aware operation.

Reasoning Budget

Extended thinking pays off for:

• Attack-path planning from BloodHound graph data — trade off chain length, noise, blast radius, reversibility
• Kill-chain sequencing from heterogeneous loot (e.g., a cracked svc account + a readable LAPS attribute + a vulnerable cert template — which chain is shortest to DA?)
• Cleanup ordering in domain dominance (remove artefacts in the correct order to avoid locking yourself out mid-rollback)
• Privilege-vector selection (which of 4 ACL write primitives to use, which delegation path to exploit)

Minimal reasoning — execute without deep thought:

• Nmap command construction from a port list
• Parsing linpeas / winpeas / nxc output for known signatures
• Single-purpose tool invocations with documented flags

Multimodal Hooks

• Capture screenshots of authoritative commands under DA context (e.g., Get-ADDomain, whoami /all) — link via schemas/finding.json#evidence.screenshot.
• BloodHound path screenshots for executive summary.
• Wireshark / tcpdump pcap snippets for relay/coercion evidence — link via schemas/finding.json#evidence.pcap.

Structured Output

All findings conform to schemas/finding.json. Skill-specific fields: target_host, ip, port, protocol, service_version, domain, compromised_account (object w/ sam/upn/credential_type), privilege_level, attack_chain (ordered step objects with MITRE technique IDs), mitre_attack, kill_chain_phase, blast_radius, authorized (must be true).

Workflow Index

| Workflow | Use when | File | |----------|----------|------| | Reconnaissance | Start of engagement, inventory the scope | workflows/recon.md | | AD enumeration | Have a domain cred, need the graph | workflows/ad_enumeration.md | | Credential attacks | Need (more) creds: spray / roast / coerce | workflows/credential_attacks.md | | Lateral movement | Have creds + one host, need to spread | workflows/lateral_movement.md | | Privilege escalation | Local or domain elevation | workflows/privilege_escalation.md | | Domain dominance | DA reached — evidence + rollback | workflows/domain_dominance.md |

Payloads Index

| File | Purpose | |------|---------| | payloads/responder_config.md | Three Responder.conf profiles (capture / relay / WPAD) | | payloads/cme_modules.md | Curated NetExec/CME module list by phase | | payloads/gpo_abuse_templates.md | SharpGPOAbuse / pyGPOAbuse templates + rollback |

References Index

| File | Content | |------|---------| | references/nmap_cheatsheet.md | Host discovery, port/service scans, masscan handoff | | references/bloodhound_queries.md | Cypher queries for paths, ACLs, delegation, sessions | | references/impacket_toolkit.md | GetUserSPNs, GetNPUsers, secretsdump, psexec, wmiexec, ticketer, ntlmrelayx, addcomputer | | references/crackmapexec.md | NetExec/CME protocols, spraying cadence, module list | | references/ad_attack_matrix.md | Kerberoast, AS-REP, DCSync, delegation, ACL, GPO, ADCS mapping with MITRE IDs | | references/lateral_movement.md | PtH, PtT, overpass, DCOM, WMI, WinRM, SSH pivot, ligolo | | references/bounty_patterns_2024_2026.md | Post-2023 bounty TTPs as network-recon primitives (HTTP/2 CONNECT scan, TE.0 smuggling recon, K8s SA-token theft pivot) |

Tools

| Tool | Purpose | Install | |------|---------|---------| | nmap | Network/service scan | apt install nmap / brew install nmap | | masscan | Fast large-scope discovery | apt install masscan | | NetExec (nxc) | Multi-proto post-auth | pipx install netexec | | Impacket | SMB/Kerberos/MSRPC suite | pipx install impacket | | BloodHound CE + SharpHound / bloodhound-python | AD graph | pipx install bloodhound + CE docker | | certipy-ad | ADCS attack toolkit | pipx install certipy-ad | | Rubeus | Windows Kerberos toolkit | Binary from GitHub | | mimikatz / pypykatz | Credential extraction | Binary / pipx install pypykatz | | Responder | LLMNR/NBT-NS/mDNS poisoner | git clone + run from repo | | evil-winrm | WinRM client | gem install evil-winrm | | kerbrute | Kerberos user enum + spray | Binary from GitHub | | hashcat | Hash cracking | apt install hashcat | | ligolo-ng / chisel | Modern pivoting / tunneling | Binaries |

Last Validated

• 2026-04
• Tested against: impacket 0.12, NetExec 1.3, certipy-ad 4.8, BloodHound CE 5.11, bloodhound-python 1.7.2, nmap 7.94, Rubeus 2.3, ligolo-ng 0.7.