# Active Directory Pentesting - [Reconnaissance](https://red.infiltr8.io/ad/recon.md) - [Tools ⚙️](https://red.infiltr8.io/ad/recon/tools.md) - [PowerView ⚙️](https://red.infiltr8.io/ad/recon/tools/powerview.md) - [Responder ⚙️](https://red.infiltr8.io/ad/recon/tools/responder.md) - [BloodHound ⚙️](https://red.infiltr8.io/ad/recon/tools/bloodhound.md) - [enum4linux ⚙️](https://red.infiltr8.io/ad/recon/tools/enum4linux.md) - [Network](https://red.infiltr8.io/ad/recon/network.md) - [DHCP](https://red.infiltr8.io/ad/recon/network/dhcp.md) - [DNS](https://red.infiltr8.io/ad/recon/network/dns.md) - [NBT-NS](https://red.infiltr8.io/ad/recon/network/nbt-ns.md) - [Port scanning](https://red.infiltr8.io/ad/recon/network/port-scanning.md) - [SMB](https://red.infiltr8.io/ad/recon/network/smb.md) - [LDAP](https://red.infiltr8.io/ad/recon/network/ldap.md) - [MS-RPC](https://red.infiltr8.io/ad/recon/network/ms-rpc.md) - [Objects & Settings](https://red.infiltr8.io/ad/recon/objects-and-settings.md) - [DACLs](https://red.infiltr8.io/ad/recon/objects-and-settings/dacls.md) - [Group policies](https://red.infiltr8.io/ad/recon/objects-and-settings/group-policies.md) - [Password policy](https://red.infiltr8.io/ad/recon/objects-and-settings/password-policy.md) - [LAPS](https://red.infiltr8.io/ad/recon/objects-and-settings/laps.md) - [Movement](https://red.infiltr8.io/ad/movement.md) - [Credentials](https://red.infiltr8.io/ad/movement/credentials.md) - [Dumping](https://red.infiltr8.io/ad/movement/credentials/dumping.md): MITRE ATT\&CK™ Techniques T1003 and T1552 - [Cracking](https://red.infiltr8.io/ad/movement/credentials/cracking.md): MITRE ATT\&CK™ Sub-technique T1110.002 - [Bruteforcing](https://red.infiltr8.io/ad/movement/credentials/bruteforcing.md) - [Guessing](https://red.infiltr8.io/ad/movement/credentials/bruteforcing/guessing.md): MITRE ATT\&CK™ Sub-technique T1110.001 - [Spraying](https://red.infiltr8.io/ad/movement/credentials/bruteforcing/password-spraying.md): MITRE ATT\&CK™ Sub-technique T1110.003 - [Stuffing](https://red.infiltr8.io/ad/movement/credentials/bruteforcing/stuffing.md): MITRE ATT\&CK™ Sub-technique T1110.004 - [Shuffling](https://red.infiltr8.io/ad/movement/credentials/credential-shuffling.md): MITRE ATT\&CK™ Techniques T1003 and T1552 (kind of) - [MITM and coerced auths](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications.md) - [ARP poisoning](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/arp-poisoning.md): MITRE ATT\&CK™ Sub-technique T1557.002 - [DNS spoofing](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/dns-spoofing.md) - [DHCP poisoning](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/dhcp-poisoning.md) - [DHCPv6 spoofing](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/dhcpv6-spoofing.md) - [WSUS spoofing](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/wsus-spoofing.md) - [LLMNR, NBT-NS, mDNS spoofing](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/llmnr-nbtns-mdns-spoofing.md): MITRE ATT\&CK™ Sub-technique T1557.001 - [ADIDNS poisoning](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/adidns-spoofing.md) - [WPAD spoofing](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/wpad-spoofing.md) - [MS-EFSR abuse (PetitPotam)](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/ms-efsr.md) - [MS-RPRN abuse (PrinterBug)](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/ms-rprn.md) - [MS-FSRVP abuse (ShadowCoerce)](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/ms-fsrvp.md) - [MS-DFSNM abuse (DFSCoerce)](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/ms-dfsnm.md) - [MS-EVEN abuse (CheeseOunce)](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/ms-even-abuse-cheeseounce.md) - [PushSubscription abuse](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/pushsubscription-abuse.md) - [WebClient abuse (WebDAV)](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/webclient.md) - [Living off the land](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/living-off-the-land.md) - [NBT Name Overwrite](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/nbt-name-overwrite.md) - [ICMP Redirect](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/icmp-redirect.md) - [NTLM](https://red.infiltr8.io/ad/movement/ntlm.md) - [Capture](https://red.infiltr8.io/ad/movement/ntlm/capture.md) - [Relay](https://red.infiltr8.io/ad/movement/ntlm/relay.md): MITRE ATT\&CK™ Sub-technique T1557.001 - [Pass the hash](https://red.infiltr8.io/ad/movement/ntlm/pth.md): MITRE ATT\&CK™ Sub-technique T1550.002 - [Kerberos](https://red.infiltr8.io/ad/movement/kerberos.md) - [Pre-auth bruteforce](https://red.infiltr8.io/ad/movement/kerberos/pre-auth-bruteforce.md) - [Pass the key](https://red.infiltr8.io/ad/movement/kerberos/ptk.md) - [Overpass the hash](https://red.infiltr8.io/ad/movement/kerberos/opth.md) - [Pass the ticket](https://red.infiltr8.io/ad/movement/kerberos/ptt.md): MITRE ATT\&CK™ Sub-technique T1550.003 - [Pass the cache](https://red.infiltr8.io/ad/movement/kerberos/ptc.md) - [Forged tickets](https://red.infiltr8.io/ad/movement/kerberos/forged-tickets.md): MITRE ATT\&CK™ Sub-techniques T1558.001 and T1558.002 - [Silver tickets](https://red.infiltr8.io/ad/movement/kerberos/forged-tickets/silver.md) - [Golden tickets](https://red.infiltr8.io/ad/movement/kerberos/forged-tickets/golden.md) - [Diamond tickets](https://red.infiltr8.io/ad/movement/kerberos/forged-tickets/diamond.md) - [Sapphire tickets](https://red.infiltr8.io/ad/movement/kerberos/forged-tickets/sapphire.md) - [RODC Golden tickets](https://red.infiltr8.io/ad/movement/kerberos/forged-tickets/rodc-golden-tickets.md) - [MS14-068](https://red.infiltr8.io/ad/movement/kerberos/forged-tickets/ms14-068.md): CVE-2014-6324 - [ASREQroast](https://red.infiltr8.io/ad/movement/kerberos/asreqroast.md) - [ASREProast](https://red.infiltr8.io/ad/movement/kerberos/asreproast.md) - [Kerberoast](https://red.infiltr8.io/ad/movement/kerberos/kerberoast.md): MITRE ATT\&CK™ Sub-technique T1558.003 - [Delegations](https://red.infiltr8.io/ad/movement/kerberos/delegations.md) - [(KUD) Unconstrained](https://red.infiltr8.io/ad/movement/kerberos/delegations/unconstrained.md) - [(KCD) Constrained](https://red.infiltr8.io/ad/movement/kerberos/delegations/constrained.md) - [(RBCD) Resource-based constrained](https://red.infiltr8.io/ad/movement/kerberos/delegations/rbcd.md) - [S4U2self abuse](https://red.infiltr8.io/ad/movement/kerberos/delegations/s4u2self-abuse.md) - [Bronze Bit](https://red.infiltr8.io/ad/movement/kerberos/delegations/bronze-bit.md): CVE-2020-17049 - [Shadow Credentials](https://red.infiltr8.io/ad/movement/kerberos/shadow-credentials.md) - [UnPAC the hash](https://red.infiltr8.io/ad/movement/kerberos/unpac-the-hash.md) - [Pass the Certificate - PKINIT](https://red.infiltr8.io/ad/movement/kerberos/pass-the-certificate.md) - [Kerberos relay](https://red.infiltr8.io/ad/movement/kerberos/kerberos-relay.md) - [sAMAccountName spoofing](https://red.infiltr8.io/ad/movement/kerberos/samaccountname-spoofing.md): CVE-2021-42278 and CVE-2021-42287 - [SPN-jacking](https://red.infiltr8.io/ad/movement/kerberos/spn-jacking.md) - [Netlogon](https://red.infiltr8.io/ad/movement/netlogon.md) - [ZeroLogon](https://red.infiltr8.io/ad/movement/netlogon/zerologon.md): CVE-2020-1472 - [DACL abuse](https://red.infiltr8.io/ad/movement/dacl.md) - [AddMember](https://red.infiltr8.io/ad/movement/dacl/addmember.md) - [ForceChangePassword](https://red.infiltr8.io/ad/movement/dacl/forcechangepassword.md) - [Targeted Kerberoasting](https://red.infiltr8.io/ad/movement/dacl/targeted-kerberoasting.md) - [WriteOwner](https://red.infiltr8.io/ad/movement/dacl/writeowner.md) - [ReadLAPSPassword](https://red.infiltr8.io/ad/movement/dacl/readlapspassword.md) - [ReadGMSAPassword](https://red.infiltr8.io/ad/movement/dacl/readgmsapassword.md) - [Grant ownership](https://red.infiltr8.io/ad/movement/dacl/grant-ownership.md) - [Grant rights](https://red.infiltr8.io/ad/movement/dacl/grant-rights.md) - [Logon script](https://red.infiltr8.io/ad/movement/dacl/logon-script.md) - [Rights on RODC object](https://red.infiltr8.io/ad/movement/dacl/rights-on-rodc-object.md) - [BadSuccessor (dMSA abuse)](https://red.infiltr8.io/ad/movement/dacl/badsuccessor-dmsa-abuse.md) - [Group policies](https://red.infiltr8.io/ad/movement/group-policies.md) - [Trusts](https://red.infiltr8.io/ad/movement/domain-trusts.md) - [Certificate Services (AD-CS)](https://red.infiltr8.io/ad/movement/ad-cs.md) - [Certificate templates](https://red.infiltr8.io/ad/movement/ad-cs/certificate-templates.md) - [Certificate authority](https://red.infiltr8.io/ad/movement/ad-cs/certificate-authority.md) - [Access controls](https://red.infiltr8.io/ad/movement/ad-cs/access-controls.md) - [Unsigned endpoints](https://red.infiltr8.io/ad/movement/ad-cs/unsigned-endpoints.md) - [Certifried](https://red.infiltr8.io/ad/movement/ad-cs/certifried.md): CVE-2022–26923 - [Schannel](https://red.infiltr8.io/ad/movement/schannel.md) - [Pass the Certificate - Schannel](https://red.infiltr8.io/ad/movement/schannel/pass-the-certificate-schannel.md) - [SCCM / MECM](https://red.infiltr8.io/ad/movement/sccm-mecm.md) - [Privilege Escalation](https://red.infiltr8.io/ad/movement/sccm-mecm/privilege-escalation.md) - [Post Exploitation](https://red.infiltr8.io/ad/movement/sccm-mecm/post-exploitation.md) - [Exchange services](https://red.infiltr8.io/ad/movement/exchange-services.md) - [PrivExchange](https://red.infiltr8.io/ad/movement/exchange-services/privexchange.md): CVE-2018-8581 - [ProxyLogon](https://red.infiltr8.io/ad/movement/exchange-services/proxylogon.md): Chained CVE-2021-26855 and CVE-2021-27065 - [ProxyShell](https://red.infiltr8.io/ad/movement/exchange-services/proxyshell.md): Chained CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 - [ProxyNotShell](https://red.infiltr8.io/ad/movement/exchange-services/proxynotshell.md): Chained CVE-2022-41040, CVE-2022-41082 - [Print Spooler Service](https://red.infiltr8.io/ad/movement/print-spooler-service.md) - [PrinterBug](https://red.infiltr8.io/ad/movement/print-spooler-service/printerbug.md) - [PrintNightmare](https://red.infiltr8.io/ad/movement/print-spooler-service/printnightmare.md): CVE-2021-1675 & CVE-2021-34527 - [Built-ins & settings](https://red.infiltr8.io/ad/movement/domain-settings.md) - [Builtin Groups](https://red.infiltr8.io/ad/movement/domain-settings/builtin-groups.md) - [DNSAdmins](https://red.infiltr8.io/ad/movement/domain-settings/builtin-groups/dnsadmins.md) - [AD Recycle Bin](https://red.infiltr8.io/ad/movement/domain-settings/builtin-groups/ad-recycle-bin.md) - [MachineAccountQuota](https://red.infiltr8.io/ad/movement/domain-settings/machineaccountquota.md) - [Pre-Windows 2000 computers](https://red.infiltr8.io/ad/movement/domain-settings/pre-windows-2000-computers.md) - [RODC](https://red.infiltr8.io/ad/movement/domain-settings/rodc.md): Read-Only Domain Controller - [Persistence](https://red.infiltr8.io/ad/persistence.md) - [Skeleton key](https://red.infiltr8.io/ad/persistence/skeleton-key.md) - [SID History](https://red.infiltr8.io/ad/persistence/sid-history.md) - [AdminSDHolder](https://red.infiltr8.io/ad/persistence/adminsdholder.md) - [GoldenGMSA](https://red.infiltr8.io/ad/persistence/goldengmsa.md) - [Kerberos](https://red.infiltr8.io/ad/persistence/kerberos.md) - [Forged tickets](https://red.infiltr8.io/ad/persistence/kerberos/forged-tickets.md) - [Delegation to KRBTGT](https://red.infiltr8.io/ad/persistence/kerberos/delegation-to-krbtgt.md) - [Certificate Services (AD-CS)](https://red.infiltr8.io/ad/persistence/ad-cs.md) - [Certificate authority](https://red.infiltr8.io/ad/persistence/ad-cs/certificate-authority.md) - [Access controls](https://red.infiltr8.io/ad/persistence/ad-cs/access-controls.md) - [Golden certificate](https://red.infiltr8.io/ad/persistence/ad-cs/golden-certificate.md) - [LAPS](https://red.infiltr8.io/ad/persistence/laps.md) - [DC Shadow](https://red.infiltr8.io/ad/persistence/dcshadow.md) - [Access controls](https://red.infiltr8.io/ad/persistence/access-controls.md) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://red.infiltr8.io/ad.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.