Pass-the-Hash & Pass-the-Ticket
In a Windows network you almost never need to crack a password. You just need to find where the secret that proves it is sitting i…
Active Directory → All Active Directory articles
In a Windows network you almost never need to crack a password. You just need to find where the secret that proves it is sitting i…
BloodHound changed AD pentesting permanently. It models AD as a graph database — users, groups, computers, and their relationships…
ACL misconfigurations are the silent privilege escalation path most AD assessments miss without BloodHound. GenericAll, WriteDACL,…
Kerberos delegation lets services authenticate to other services on behalf of users. Unconstrained delegation captures TGTs from a…
Forest trusts connect separate security boundaries. Misconfigured SID filtering, disabled quarantine, and trusted foreign groups c…
Entra ID Connect (formerly Azure AD Connect) synchronizes on-premises AD to Azure AD/Entra ID. The sync server holds credentials f…
DCShadow registers a rogue Domain Controller in Active Directory, triggers a replication event from it to a real DC, and uses that…
Active Directory Certificate Services is installed in over 90% of enterprise environments and is misconfigured in most of them. ES…
AD trusts extend the attack surface beyond a single domain. A parent-child trust is transitive — own the child domain, escalate to…
Authenticate as someone else without their password. Every attack covered with working commands: Responder poisoning, mitm6 IPv6, …