List of tools and resources for pentesting Microsoft Active Directory
===========


Create Vulnerable AD Lab
====
- [Medium Tutorial by Logan Hugli](https://medium.com/@lhugli/constructing-a-vulnerable-active-directory-hacking-lab-environment-6e7cc7fd55c6)
- [Medium article by Justin Duru](https://medium.com/@jduru213/cybersecurity-homelab-building-an-on-premise-domain-environment-with-splunk-windows-and-active-840ba325f3ee)
- [Vulnerable-AD Script](https://github.com/safebuffer/vulnerable-AD/tree/master)
- [BadBlood Script](https://github.com/davidprowe/BadBlood)
- [DetectionLab](https://www.detectionlab.network/introduction/)
- [Game of Active Directory - GOAD](https://github.com/Orange-Cyberdefense/GOAD)
- [Ludus](https://ludus.cloud)


AD Pentesting Cheat Sheets
====
- [Orange Cyberdefense AD Mindmap](https://orange-cyberdefense.github.io/ocd-mindmaps/)
- [AD Pentesting Cheat-Sheets](https://swisskyrepo.github.io/InternalAllTheThings/)
  - This one contains an AMAZING amount of info on AD for Pentesters and Red Teams
- [S1ckB0y1337 Active Directory Exploitation Cheat-Sheet](https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet)
- [HackTheBox AD Pentesting Cheat-Sheet](https://www.hackthebox.com/blog/active-directory-penetration-testing-cheatsheet-and-guide)
- [HackTricks AD Methodology](https://book.hacktricks.xyz/windows-hardening/active-directory-methodology)
- [The Hacker Recipes](https://www.thehacker.recipes/)
- [ired.team AD and Kerberos Cheat Sheets](https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse)


AD Security Write-Ups and Research Articles
====
- [Writeup for CVE-2025-21299 and CVE-2025-29280](https://www.netspi.com/blog/technical-blog/adversary-simulation/cve-2025-21299-cve-2025-29809-unguarding-microsoft-credential-guard/)
  + Insufficient validation of the Kerberos krbtgt service name within the TGT can lead to a bypass of Credential Guard, and therefore extraction of a primary TGT from the host that should otherwise be prevented.
- [Common Tool Errors - Kerberos](https://blog.zsec.uk/common-tool-errors-kerberos/)
  + So you are performing your favourite Kerberos attacks, such as pass the ticket, Public Key Cryptography for Initial Authentication (PKINIT), Shadow Credentials or Active Directory Certificate Services (AD CS) vulnerabilities, but you run into a Kerberos error and despite troubleshooting you're still none the wiser on what to do?
- [BadSuccessor: Abusing dMSA to Priv Esc in Active Directory](https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory)
  + Akamai researcher Yuval Gordon discovered a privilege escalation vulnerability in Windows Server 2025 that allows attackers to compromise any user in Active Directory (AD). The attack exploits the delegated Managed Service Account (dMSA) feature that was introduced in Windows Server 2025, works with the default configuration, and is trivial to implement.
- [BadSuccessor Deep Dive: Full AD Compromise](https://www.youtube.com/watch?v=IWP-8IMzQU8)
  + Step-by-step walkthroughs of the BadSuccessor attack
  + Also some detection guidance


AD Security Tools
====
+ [BloodHound CE](https://github.com/SpecterOps/BloodHound)
  - BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment
  - Attackers can use BloodHound to quickly identify highly complex attack paths that would otherwise be impossible to find
  - Defenders can use BloodHound to identify and eliminate those same attack paths
  - Both red and blue teams can use BloodHound to better understand privileged relationships in an Active Directory or Azure environment

+ [GoodHound](https://github.com/idnahacks/GoodHound?tab=readme-ov-file)
  - GoodHound operationalises BloodHound by determining the busiest paths to high value targets and creating actionable output to prioritise remediation of attack paths

+ [GPO-Hound](https://github.com/cogiceo/GPOHound)
  - A tool for dumping and analysing Group Policy Objects (GPOs) extracted from the SYSVOL share

+ [ADalanche](https://github.com/lkarlslund/Adalanche)
  - Adalanche instantly reveals what permissions users and groups have in an Active Directory
  - It is useful for visualizing and exploring
    + Who can take over accounts, machines or the entire domain
    + Finding and showing misconfigurations

+ [Hardening Kitty](https://github.com/scipag/HardeningKitty)
  - Intended use is for Windows system hardening
  - Can be used to **test for weak configurations**

+ [Delinea Weak Password Finder](https://delinea.com/resources/weak-password-finder-tool-active-directory)
  - Free tool to quickly **discover weak passwords in AD**

+ [Rubeus](https://github.com/GhostPack/Rubeus)
  - A C# toolset for raw Kerberos interaction and abuses

+ [Seatbelt](https://github.com/GhostPack/Seatbelt)
  - A C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives

+ [Microsoft Security Compliance Toolkit](https://www.microsoft.com/en-us/download/details.aspx?id=55319)
  - This set of tools allows enterprise security administrators to download, analyze, test, edit and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products, while comparing them against other security configurations

+ [Semperis Forest Druid](https://www.semperis.com/forest-druid/)
  - Focuses on attack paths leading into the Tier 0 perimeter in hybrid identity environments—saving time by prioritizing your most critical assets

+ [Semperis Purple Knight](https://www.semperis.com/purple-knight/)
  - A free AD, Entra ID, and Okta security assessment tool—to help you discover indicators of exposure (IoEs) and indicators of compromise (IoCs) in your hybrid AD environment

+ [Group3r](https://github.com/Group3r/Group3r)
  - A tool for pentesters and red teamers to rapidly **enumerate relevant settings in AD Group Policy**, and to identify exploitable misconfigurations

+ [LockSmith](https://github.com/TrimarcJake/Locksmith)
  - A tool built to find and fix common misconfigurations in **Active Directory Certificate Services**

+ [BlueTuxedo](https://github.com/TrimarcJake/BlueTuxedo)
  - A tool built to find and fix common misconfigurations in **Active Directory-Integrated DNS**
    + Also a little bit of DHCP

+ [Empire](https://github.com/BC-SECURITY/Empire)
  - A post-exploitation and adversary emulation **C2 framework** that is used to aid Red Teams and Penetration Testers

+ [Starkiller](https://github.com/BC-SECURITY/Starkiller)
  - Frontend for Empire

+ [PowerSploit](https://github.com/PowerShellMafia/PowerSploit)
  - A collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment

+ [SharpSploit](https://github.com/cobbr/SharpSploit)
  - A .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers

+ [Ping Castle](https://www.pingcastle.com/)
  - An Active Directory health and security audit tool
  - Specifically designed to assess the security posture of an AD environment; provides a report with detailed findings

+ [ADRecon](https://github.com/sense-of-security/ADRecon)
  - Extracts and combines various artefacts out of an AD environment

+ [GPOZaurr](https://github.com/EvotecIT/GPOZaurr)
  - Group Policy Eater is a PowerShell module that aims to gather information about Group Policies
  - Also allows fixing issues that you may find in them
  - Provides 360 degrees of information about Group Policies and their settings

+ [SharpSuccessor](https://github.com/logangoins/SharpSuccessor)
  - SharpSuccessor is a .NET Proof of Concept (PoC) of the BadSuccessor attack from Akamai

+ [BadSuccessor.ps1](https://github.com/LuemmelSec/Pentest-Tools-Collection/blob/main/tools/ActiveDirectory/BadSuccessor.ps1)
  - Checks for prerequisites and abuse of the BadSuccessor exploit


Blue and Purple Team Resources
=========

+ [PowerPUG](https://github.com/Trimarc/PowerPUG)
  - A tiny tool built to help Active Directory (AD) admins, operators, and defenders smoothly transition their most sensitive users (Domain Admins, etc.) into the AD Protected Users group (PUG) with minimal complications.

+ [PlumHound](https://github.com/PlumHound/PlumHound)
  - Released as a Proof of Concept for Blue and Purple teams to more effectively use BloodHoundAD in continual security life-cycles, by utilizing the BloodHoundAD pathfinding engine to identify Active Directory security vulnerabilities resulting from business operations, procedures, policies and legacy service operations

+ [The Respotter Honeypot](https://github.com/lawndoc/Respotter)
  - This application detects active instances of Responder by taking advantage of the fact that Responder will respond to any DNS query

+ [Atomic Purple Team](https://github.com/DefensiveOrigins/AtomicPurpleTeam)
  - A business/organizational concept designed to assist organizations in building, deploying, maintaining, and justifying Attack-Detect-Defend Infosec Exercises

+ [Active Directory Firewall](https://github.com/MichaelGrafnetter/active-directory-firewall)
  - This project aims to provide production-ready and well-tested guidelines on configuring the Windows Firewall for Active Directory-related server roles.