# Active Directory Pentesting

- [Reconnaissance](/ad/recon.md)
  - [Tools ⚙️](/ad/recon/tools.md)
    - [PowerView ⚙️](/ad/recon/tools/powerview.md)
    - [Responder ⚙️](/ad/recon/tools/responder.md)
    - [BloodHound ⚙️](/ad/recon/tools/bloodhound.md)
    - [enum4linux ⚙️](/ad/recon/tools/enum4linux.md)
  - [Network](/ad/recon/network.md)
    - [DHCP](/ad/recon/network/dhcp.md)
    - [DNS](/ad/recon/network/dns.md)
    - [NBT-NS](/ad/recon/network/nbt-ns.md)
    - [Port scanning](/ad/recon/network/port-scanning.md)
    - [SMB](/ad/recon/network/smb.md)
    - [LDAP](/ad/recon/network/ldap.md)
    - [MS-RPC](/ad/recon/network/ms-rpc.md)
  - [Objects & Settings](/ad/recon/objects-and-settings.md)
    - [DACLs](/ad/recon/objects-and-settings/dacls.md)
    - [Group policies](/ad/recon/objects-and-settings/group-policies.md)
    - [Password policy](/ad/recon/objects-and-settings/password-policy.md)
    - [LAPS](/ad/recon/objects-and-settings/laps.md)
- [Movement](/ad/movement.md)
  - [Credentials](/ad/movement/credentials.md)
    - [Dumping](/ad/movement/credentials/dumping.md): MITRE ATT&CK™ Techniques T1003 and T1552
    - [Cracking](/ad/movement/credentials/cracking.md): MITRE ATT&CK™ Sub-technique T1110.002
    - [Bruteforcing](/ad/movement/credentials/bruteforcing.md)
      - [Guessing](/ad/movement/credentials/bruteforcing/guessing.md): MITRE ATT&CK™ Sub-technique T1110.001
      - [Spraying](/ad/movement/credentials/bruteforcing/password-spraying.md): MITRE ATT&CK™ Sub-technique T1110.003
      - [Stuffing](/ad/movement/credentials/bruteforcing/stuffing.md): MITRE ATT&CK™ Sub-technique T1110.004
    - [Shuffling](/ad/movement/credentials/credential-shuffling.md): MITRE ATT&CK™ Techniques T1003 and T1552 (kind of)
  - [MITM and coerced auths](/ad/movement/mitm-and-coerced-authentications.md)
    - [ARP poisoning](/ad/movement/mitm-and-coerced-authentications/arp-poisoning.md): MITRE ATT&CK™ Sub-technique T1557.002
    - [DNS spoofing](/ad/movement/mitm-and-coerced-authentications/dns-spoofing.md)
    - [DHCP poisoning](/ad/movement/mitm-and-coerced-authentications/dhcp-poisoning.md)
    - [DHCPv6 spoofing](/ad/movement/mitm-and-coerced-authentications/dhcpv6-spoofing.md)
    - [WSUS spoofing](/ad/movement/mitm-and-coerced-authentications/wsus-spoofing.md)
    - [LLMNR, NBT-NS, mDNS spoofing](/ad/movement/mitm-and-coerced-authentications/llmnr-nbtns-mdns-spoofing.md): MITRE ATT&CK™ Sub-technique T1557.001
    - [ADIDNS poisoning](/ad/movement/mitm-and-coerced-authentications/adidns-spoofing.md)
    - [WPAD spoofing](/ad/movement/mitm-and-coerced-authentications/wpad-spoofing.md)
    - [MS-EFSR abuse (PetitPotam)](/ad/movement/mitm-and-coerced-authentications/ms-efsr.md)
    - [MS-RPRN abuse (PrinterBug)](/ad/movement/mitm-and-coerced-authentications/ms-rprn.md)
    - [MS-FSRVP abuse (ShadowCoerce)](/ad/movement/mitm-and-coerced-authentications/ms-fsrvp.md)
    - [MS-DFSNM abuse (DFSCoerce)](/ad/movement/mitm-and-coerced-authentications/ms-dfsnm.md)
    - [MS-EVEN abuse (CheeseOunce)](/ad/movement/mitm-and-coerced-authentications/ms-even-abuse-cheeseounce.md)
    - [PushSubscription abuse](/ad/movement/mitm-and-coerced-authentications/pushsubscription-abuse.md)
    - [WebClient abuse (WebDAV)](/ad/movement/mitm-and-coerced-authentications/webclient.md)
    - [Living off the land](/ad/movement/mitm-and-coerced-authentications/living-off-the-land.md)
    - [NBT Name Overwrite](/ad/movement/mitm-and-coerced-authentications/nbt-name-overwrite.md)
    - [ICMP Redirect](/ad/movement/mitm-and-coerced-authentications/icmp-redirect.md)
  - [NTLM](/ad/movement/ntlm.md)
    - [Capture](/ad/movement/ntlm/capture.md)
    - [Relay](/ad/movement/ntlm/relay.md): MITRE ATT&CK™ Sub-technique T1557.001
    - [Pass the hash](/ad/movement/ntlm/pth.md): MITRE ATT&CK™ Sub-technique T1550.002
  - [Kerberos](/ad/movement/kerberos.md)
    - [Pre-auth bruteforce](/ad/movement/kerberos/pre-auth-bruteforce.md)
    - [Pass the key](/ad/movement/kerberos/ptk.md)
    - [Overpass the hash](/ad/movement/kerberos/opth.md)
    - [Pass the ticket](/ad/movement/kerberos/ptt.md): MITRE ATT&CK™ Sub-technique T1550.003
    - [Pass the cache](/ad/movement/kerberos/ptc.md)
    - [Forged tickets](/ad/movement/kerberos/forged-tickets.md): MITRE ATT&CK™ Sub-techniques T1558.001 and T1558.002
      - [Silver tickets](/ad/movement/kerberos/forged-tickets/silver.md)
      - [Golden tickets](/ad/movement/kerberos/forged-tickets/golden.md)
      - [Diamond tickets](/ad/movement/kerberos/forged-tickets/diamond.md)
      - [Sapphire tickets](/ad/movement/kerberos/forged-tickets/sapphire.md)
      - [RODC Golden tickets](/ad/movement/kerberos/forged-tickets/rodc-golden-tickets.md)
      - [MS14-068](/ad/movement/kerberos/forged-tickets/ms14-068.md): CVE-2014-6324
    - [ASREQroast](/ad/movement/kerberos/asreqroast.md)
    - [ASREProast](/ad/movement/kerberos/asreproast.md)
    - [Kerberoast](/ad/movement/kerberos/kerberoast.md): MITRE ATT&CK™ Sub-technique T1558.003
    - [Delegations](/ad/movement/kerberos/delegations.md)
      - [(KUD) Unconstrained](/ad/movement/kerberos/delegations/unconstrained.md)
      - [(KCD) Constrained](/ad/movement/kerberos/delegations/constrained.md)
      - [(RBCD) Resource-based constrained](/ad/movement/kerberos/delegations/rbcd.md)
      - [S4U2self abuse](/ad/movement/kerberos/delegations/s4u2self-abuse.md)
      - [Bronze Bit](/ad/movement/kerberos/delegations/bronze-bit.md): CVE-2020-17049
    - [Shadow Credentials](/ad/movement/kerberos/shadow-credentials.md)
    - [UnPAC the hash](/ad/movement/kerberos/unpac-the-hash.md)
    - [Pass the Certificate - PKINIT](/ad/movement/kerberos/pass-the-certificate.md)
    - [Kerberos relay](/ad/movement/kerberos/kerberos-relay.md)
    - [sAMAccountName spoofing](/ad/movement/kerberos/samaccountname-spoofing.md): CVE-2021-42278 and CVE-2021-42287
    - [SPN-jacking](/ad/movement/kerberos/spn-jacking.md)
  - [Netlogon](/ad/movement/netlogon.md)
    - [ZeroLogon](/ad/movement/netlogon/zerologon.md): CVE-2020-1472
  - [DACL abuse](/ad/movement/dacl.md)
    - [AddMember](/ad/movement/dacl/addmember.md)
    - [ForceChangePassword](/ad/movement/dacl/forcechangepassword.md)
    - [Targeted Kerberoasting](/ad/movement/dacl/targeted-kerberoasting.md)
    - [WriteOwner](/ad/movement/dacl/writeowner.md)
    - [ReadLAPSPassword](/ad/movement/dacl/readlapspassword.md)
    - [ReadGMSAPassword](/ad/movement/dacl/readgmsapassword.md)
    - [Grant ownership](/ad/movement/dacl/grant-ownership.md)
    - [Grant rights](/ad/movement/dacl/grant-rights.md)
    - [Logon script](/ad/movement/dacl/logon-script.md)
    - [Rights on RODC object](/ad/movement/dacl/rights-on-rodc-object.md)
    - [BadSuccessor (dMSA abuse)](/ad/movement/dacl/badsuccessor-dmsa-abuse.md)
  - [Group policies](/ad/movement/group-policies.md)
  - [Trusts](/ad/movement/domain-trusts.md)
  - [Certificate Services (AD-CS)](/ad/movement/ad-cs.md)
    - [Certificate templates](/ad/movement/ad-cs/certificate-templates.md)
    - [Certificate authority](/ad/movement/ad-cs/certificate-authority.md)
    - [Access controls](/ad/movement/ad-cs/access-controls.md)
    - [Unsigned endpoints](/ad/movement/ad-cs/unsigned-endpoints.md)
    - [Certifried](/ad/movement/ad-cs/certifried.md): CVE-2022-26923
  - [Schannel](/ad/movement/schannel.md)
    - [Pass the Certificate - Schannel](/ad/movement/schannel/pass-the-certificate-schannel.md)
  - [SCCM / MECM](/ad/movement/sccm-mecm.md)
    - [Privilege Escalation](/ad/movement/sccm-mecm/privilege-escalation.md)
    - [Post Exploitation](/ad/movement/sccm-mecm/post-exploitation.md)
  - [Exchange services](/ad/movement/exchange-services.md)
    - [PrivExchange](/ad/movement/exchange-services/privexchange.md): CVE-2018-8581
    - [ProxyLogon](/ad/movement/exchange-services/proxylogon.md): Chained CVE-2021-26855 and CVE-2021-27065
    - [ProxyShell](/ad/movement/exchange-services/proxyshell.md): Chained CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207
    - [ProxyNotShell](/ad/movement/exchange-services/proxynotshell.md): Chained CVE-2022-41040 and CVE-2022-41082
  - [Print Spooler Service](/ad/movement/print-spooler-service.md)
    - [PrinterBug](/ad/movement/print-spooler-service/printerbug.md)
    - [PrintNightmare](/ad/movement/print-spooler-service/printnightmare.md): CVE-2021-1675 and CVE-2021-34527
  - [Built-ins & settings](/ad/movement/domain-settings.md)
    - [Builtin Groups](/ad/movement/domain-settings/builtin-groups.md)
      - [DNSAdmins](/ad/movement/domain-settings/builtin-groups/dnsadmins.md)
      - [AD Recycle Bin](/ad/movement/domain-settings/builtin-groups/ad-recycle-bin.md)
    - [MachineAccountQuota](/ad/movement/domain-settings/machineaccountquota.md)
    - [Pre-Windows 2000 computers](/ad/movement/domain-settings/pre-windows-2000-computers.md)
    - [RODC](/ad/movement/domain-settings/rodc.md): Read-Only Domain Controller
- [Persistence](/ad/persistence.md)
  - [Skeleton key](/ad/persistence/skeleton-key.md)
  - [SID History](/ad/persistence/sid-history.md)
  - [AdminSDHolder](/ad/persistence/adminsdholder.md)
  - [GoldenGMSA](/ad/persistence/goldengmsa.md)
  - [Kerberos](/ad/persistence/kerberos.md)
    - [Forged tickets](/ad/persistence/kerberos/forged-tickets.md)
    - [Delegation to KRBTGT](/ad/persistence/kerberos/delegation-to-krbtgt.md)
  - [Certificate Services (AD-CS)](/ad/persistence/ad-cs.md)
    - [Certificate authority](/ad/persistence/ad-cs/certificate-authority.md)
    - [Access controls](/ad/persistence/ad-cs/access-controls.md)
    - [Golden certificate](/ad/persistence/ad-cs/golden-certificate.md)
  - [LAPS](/ad/persistence/laps.md)
  - [DC Shadow](/ad/persistence/dcshadow.md)
  - [Access controls](/ad/persistence/access-controls.md)
