
pentest-ad (listed)

Active Directory pentest methodology — BloodHound graph analysis, Kerberos abuse, ACL exploitation, lateral movement path advisory. Triggers on Active Directory, AD pentest, BloodHound, Kerberoasting, AS-REP, DCSync, Golden Ticket, Silver Ticket, NTLM relay, lateral movement, Impacket, NetExec, Certipy.
fatihkan/badi · ★ 5 · AI & Automation · score 76
Install: claude install-skill fatihkan/badi
# pentest-ad

Internal pentest Active Directory advisory: BloodHound graph analysis, Kerberos vulnerability classes, ACL abuse, lateral movement paths. Composing live commands requires a scope declaration.

## Triggers

- "AD pentest"
- "BloodHound graph analysis"
- "I found a Kerberoast hash"
- "can I DCSync"
- "lateral movement plan"
- "Golden Ticket"
- "NTLM relay"
- "AD CS abuse"

## Methodology Flow

```
1. Enum: SMB, LDAP, DNS, GPP (passive first)
2. Cred: kerbrute users -> AS-REP roasting (no preauth) -> hashcat
3. Foothold: low-priv shell (phish/web/initial)
4. Recon: BloodHound -> high-value path
5. Privesc: ACL abuse, Kerberos delegation, GPO modify
6. Lateral: PtH, PtT, NTLM relay, WinRM, RDP
7. DA: DCSync (needs Replicating Directory Changes + Replicating Directory Changes All), Golden Ticket (forged offline from the krbtgt hash)
8. Persistence: Skeleton key, AdminSDHolder (TIER 2, scope-required)
```

## BloodHound Graph Analysis

If the user provides a BloodHound JSON export, the skill runs these queries (Cypher; replace DOMAIN with the target domain name):

```cypher
// Shortest path to Domain Admin from owned user
MATCH p=shortestPath((u:User {owned:true})-[*1..]->(g:Group {name:"DOMAIN ADMINS@DOMAIN"}))
RETURN p LIMIT 5

// Kerberoastable users with priv access (enabled SPN users that reach a computer via group membership or local admin rights)
MATCH (u:User {hasspn:true})-[:MemberOf|AdminTo*1..]->(c:Computer)
WHERE u.enabled=true
RETURN u.name, c.name

// AS-REP roastable
MATCH (u:User {dontreqpreauth:true, enabled:true})
RETURN u.name, u.serviceprincipalnames

// Unconstrained delegation
MATCH (c:Computer {unconstraineddelegation:true})
RETURN c.name, c.distinguishedname

// GPO mo
```
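The queries above, run offline in Python against a SharpHound-shaped JSON export, as an added example that is not part of the pentest-ad skill or this page. The export layout is a simplified assumption about the SharpHound v3/v4 files (objects with `ObjectIdentifier`, `Properties`, `Members`, `LocalAdmins.Results` and `Aces`), and the domain CORP.LOCAL, its SIDs, the users ALICE/BOB/CAROL/DAVE, the groups and the computers are constructed; `load_sharphound`, `build_graph`, `select`, `kerberoastable_admins`, `shortest_path` and `paths_from_owned` are names chosen here. It covers the four Cypher queries without a Neo4j instance: property filters for AS-REP roasting and unconstrained delegation, a reachability walk over MemberOf/AdminTo for Kerberoastable users with admin access, and a BFS shortest path from each owned user to Domain Admins over every edge type, so an ACL edge such as GenericAll (the ACL-abuse step of the methodology) counts as a hop just as it does in BloodHound.

```python
"""Offline BloodHound-style analysis of a SharpHound-shaped JSON export. Added example,
not the pentest-ad skill's code; domain, SIDs, principals and export shape are constructed."""
import json
from collections import deque

def _obj(sid, name, **props):  # minimal SharpHound-like object: SID plus Properties
    return {"ObjectIdentifier": sid, "Properties": {"name": name, **props}}

D, S = "CORP.LOCAL", "S-1-5-21-1111-2222-3333-"  # constructed domain and SID prefix
SAMPLE_EXPORT = {  # constructed sample, not a real collection
    "users": [
        _obj(S + "1104", "ALICE@" + D, enabled=True, hasspn=True, dontreqpreauth=False),
        _obj(S + "1105", "BOB@" + D, enabled=True, hasspn=False, dontreqpreauth=False, owned=True),  # owned: analyst-set flag
        _obj(S + "1106", "CAROL@" + D, enabled=True, hasspn=False, dontreqpreauth=True),
        _obj(S + "1107", "DAVE@" + D, enabled=False, hasspn=False, dontreqpreauth=True),
    ],
    "groups": [
        {**_obj(S + "512", "DOMAIN ADMINS@" + D),
         "Members": [{"ObjectIdentifier": S + "1108", "ObjectType": "Group"}]},
        {**_obj(S + "1108", "IT ADMINS@" + D),  # HELPDESK holds GenericAll over this group
         "Aces": [{"PrincipalSID": S + "1109", "PrincipalType": "Group",
                   "RightName": "GenericAll", "IsInherited": False}]},
        {**_obj(S + "1109", "HELPDESK@" + D),
         "Members": [{"ObjectIdentifier": S + "1105", "ObjectType": "User"}]},
    ],
    "computers": [
        _obj(S + "1000", "DC01." + D, unconstraineddelegation=True),
        {**_obj(S + "1110", "SQL01." + D, unconstraineddelegation=False),
         "LocalAdmins": {"Results": [{"ObjectIdentifier": S + "1104", "ObjectType": "User"}]}},
    ],
}

def load_sharphound(paths):
    """Merge real SharpHound files ({"data": [...], "meta": {"type": ...}}) into the shape above (assumed layout)."""
    export = {}
    for path in paths:
        with open(path, encoding="utf-8-sig") as fh:  # tolerate a UTF-8 BOM
            blob = json.load(fh)
        export.setdefault(blob["meta"]["type"], []).extend(blob["data"])
    return export

def build_graph(export):
    """nodes: SID -> (label, Properties); adj: src SID -> [(relation, dst SID)] in BloodHound's direction."""
    nodes, adj = {}, {}
    def link(s, r, d):
        adj.setdefault(s, []).append((r, d))
    for label, key in (("User", "users"), ("Group", "groups"), ("Computer", "computers")):
        for obj in export.get(key, []):
            sid = obj["ObjectIdentifier"]
            nodes[sid] = (label, obj["Properties"])
            for m in obj.get("Members", []):  # (member)-[:MemberOf]->(group)
                link(m["ObjectIdentifier"], "MemberOf", sid)
            for a in obj.get("LocalAdmins", {}).get("Results", []):  # (principal)-[:AdminTo]->(computer)
                link(a["ObjectIdentifier"], "AdminTo", sid)
            for ace in obj.get("Aces", []):  # (principal)-[:GenericAll|WriteDacl|...]->(object)
                link(ace["PrincipalSID"], ace["RightName"], sid)
    return nodes, adj

def select(nodes, label, **flags):
    """Property filter; the AS-REP and unconstrained-delegation queries are instances of it."""
    return sorted(p["name"] for lbl, p in nodes.values()
                  if lbl == label and all(p.get(k) == v for k, v in flags.items()))

def kerberoastable_admins(nodes, adj, relations=("MemberOf", "AdminTo")):
    """Enabled SPN users that reach a computer over MemberOf/AdminTo (the page's second query)."""
    out = []
    for sid, (lbl, p) in nodes.items():
        if lbl == "User" and p.get("hasspn") and p.get("enabled"):
            seen, stack = set(), [sid]
            while stack:  # depth-first reachability restricted to the two edge types
                for r, nxt in adj.get(stack.pop(), []):
                    if r in relations and nxt not in seen:
                        seen.add(nxt)
                        stack.append(nxt)
            out += [(p["name"], nodes[c][1]["name"]) for c in seen if nodes[c][0] == "Computer"]
    return sorted(out)

def shortest_path(nodes, adj, src_name, dst_name):
    """BFS over every edge type, like shortestPath((u)-[*1..]->(g)); hops as (src, rel, dst) or None."""
    sid = {p["name"]: s for s, (_, p) in nodes.items()}
    src, dst = sid[src_name], sid[dst_name]
    prev, queue = {src: None}, deque([src])
    while queue and dst not in prev:
        cur = queue.popleft()
        for r, nxt in adj.get(cur, []):
            if nxt not in prev:
                prev[nxt] = (cur, r)
                queue.append(nxt)
    if dst not in prev:
        return None
    hops, cur = [], dst
    while prev[cur] is not None:  # walk parent pointers back to the source
        par, r = prev[cur]
        hops.append((nodes[par][1]["name"], r, nodes[cur][1]["name"]))
        cur = par
    return hops[::-1]

def paths_from_owned(nodes, adj, target="DOMAIN ADMINS@" + D):
    """Shortest path from each owned user to the target group (the page's first query)."""
    return {p["name"]: shortest_path(nodes, adj, p["name"], target)
            for lbl, p in nodes.values() if lbl == "User" and p.get("owned")}
```

On the sample, `paths_from_owned` reports BOB reaching Domain Admins in three hops: MemberOf HELPDESK, GenericAll over IT ADMINS, and IT ADMINS' membership of DOMAIN ADMINS, which is exactly the kind of path the skill flags for ACL abuse. For a real collection, `build_graph(load_sharphound(glob.glob("*.json")))` replaces `SAMPLE_EXPORT`; the `owned` flag is set by the analyst (BloodHound stores it the same way), and because the file layout here is an assumption, check it against your SharpHound version before trusting a negative result.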