
Attack Path: Active Directory Attack Chain #44

@samugit83

Description


Implement a dedicated classified attack path for Active Directory environments: Kerberoasting, Pass-the-Hash, AS-REP Roasting, DCSync, NTLM Relay, and lateral movement — the most requested skill in enterprise pentesting.

Why the unclassified fallback isn't enough

AD attacks are multi-step chains where each step's output is the next step's input in a very specific format. The agent must:

  1. Know the exact attack graph: enumerate SPNs → Kerberoast → crack TGS hashes → authenticate with cracked creds → DCSync → dump domain. Each transition requires understanding Windows authentication internals (NTLM vs Kerberos, TGT vs TGS, NTLMv1 vs NTLMv2 hash formats).
  2. Handle hash format routing: an NTLMv2 hash from SMB capture needs hashcat -m 5600, a Kerberos TGS ticket needs -m 13100, a NetNTLMv1 needs -m 5500. Without workflow prompts, the agent picks the wrong hashcat mode and wastes cycles.
  3. Coordinate concurrent Metasploit jobs: LLMNR/NBNS poisoning must run as a background job (run -j) while the capture server collects hashes simultaneously. The agent needs explicit guidance on job management or it kills one to start the other.
  4. Understand privilege requirements: DCSync requires Domain Admin; AS-REP Roasting requires no auth at all; Kerberoasting requires any domain user. The agent must pick the right attack for its current privilege level, not attempt DCSync from an unprivileged shell.
  5. Chain lateral movement: after cracking one credential, Pass-the-Hash to other machines using psexec, then enumerate further. This recursive expand-and-pivot pattern gets lost without structured workflow guidance.

Without a classified chain, the agent tries random AD commands, uses wrong hash formats, doesn't understand the prerequisite chain, and gives up after 2-3 failed attempts.

What already exists

  • Metasploit modules for all AD attacks documented in README.ATTACK_PATHS.md (Categories 6.2)
  • Hydra brute force chain (credential guessing, but not hash-based attacks)
  • kali_shell tool with access to Impacket, john, hashcat
  • Post-exploitation phase with Meterpreter session management

What needs to be built

  • New attack path classification: active_directory_attack
  • Workflow prompts with the AD kill chain (enumerate → capture → crack → pivot → escalate)
  • Hash format detection and automatic hashcat/john mode selection
  • Concurrent job management guidance (capture + spoofing running simultaneously)
  • Privilege-aware attack selection (what's possible at current access level)
  • Lateral movement loop (credential → new host → enumerate → repeat)
  • Integration with Impacket tools (secretsdump, GetUserSPNs, GetNPUsers, psexec, wmiexec)
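A sketch of the hash format routing from step 2 above and the "hash format detection" item in this list, added here as an illustration rather than code from this project: it classifies each captured line by the documented field layout of its format and returns the matching hashcat mode and john format, so a hash is never handed to the wrong mode. The three modes named in the issue are kept; the AS-REP (18200) and NT-hash (1000) entries come from hashcat's mode list, not from the issue, and all sample lines are constructed.

```python
import re
from typing import NamedTuple, Optional

class HashRoute(NamedTuple):
    family: str        # human-readable hash family
    hashcat_mode: int  # value for hashcat -m
    john_format: str   # value for john --format

HEX = "[0-9a-fA-F]"
# Each pattern anchors on the format's documented field layout so a hash is
# never handed to the wrong cracking mode (the failure the issue describes).
_ROUTES = [
    (r"^\$krb5tgs\$23\$", HashRoute("Kerberos TGS-REP etype 23 (Kerberoast)", 13100, "krb5tgs")),
    (r"^\$krb5asrep\$23\$", HashRoute("Kerberos AS-REP etype 23 (AS-REP roast)", 18200, "krb5asrep")),
    # NetNTLMv1: user::domain:lmresp(48 hex):ntresp(48 hex):challenge(16 hex)
    (rf"^[^:]+::[^:]*:{HEX}{{48}}:{HEX}{{48}}:{HEX}{{16}}$", HashRoute("NetNTLMv1", 5500, "netntlm")),
    # NetNTLMv2: user::domain:challenge(16 hex):ntproofstr(32 hex):blob
    (rf"^[^:]+::[^:]*:{HEX}{{16}}:{HEX}{{32}}:{HEX}+$", HashRoute("NetNTLMv2", 5600, "netntlmv2")),
    # secretsdump / DCSync output: user:rid:lmhash:nthash:::
    (rf"^[^:]+:\d+:{HEX}{{32}}:{HEX}{{32}}:::$", HashRoute("NTLM (NT hash)", 1000, "NT")),
]
_COMPILED = [(re.compile(p), r) for p, r in _ROUTES]

def route_hash(line: str) -> Optional[HashRoute]:
    """Classify one captured line; None means no known format matched."""
    line = line.strip()
    return next((r for p, r in _COMPILED if p.search(line)), None)

def route_capture(text: str) -> dict:
    """Group a capture file by hashcat mode; unrecognised lines are kept aside."""
    jobs, unrecognised = {}, []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        route = route_hash(line)
        if route is None:
            unrecognised.append(line)
        else:
            jobs.setdefault(route.hashcat_mode, []).append(line)
    return {"jobs": jobs, "unrecognised": unrecognised}

# Constructed sample capture: fake hex values, not real credential material.
SAMPLE_CAPTURE = """\
alice::CORP:1122334455667788:0123456789abcdef0123456789abcdef:0101000000000000aabbccdd
bob::CORP:00112233445566778899aabbccddeeff0011223344556677:ffeeddccbbaa99887766554433221100ffeeddccbbaa9988:1122334455667788
$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/db01.corp.local*$0123456789abcdef$00112233
$krb5asrep$23$nopreauth@CORP.LOCAL:0123456789abcdef0123456789abcdef$00112233
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
not a hash at all
"""
```

Each key of `route_capture(...)["jobs"]` is one cracking job, which is also the split a blue team wants when triaging credential material found in a capture.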

Metadata


Labels: enhancement (New feature or request), help wanted (Extra attention is needed)

Project status: Up for grabs
