The internal-network agent is a network and Active Directory specialist. It covers enumeration, credential attacks, lateral movement, and privilege escalation across Windows domain environments and internal networks.
Activating the agent
- TUI: Press Tab until internal-network appears in the status bar, then describe your target environment.
- CLI
Skills loaded
The agent automatically loads two skill files with detailed AD attack procedures:

| Skill | Content |
|---|---|
| ad-security | Active Directory enumeration, ACL abuse, GPO analysis, trust relationship exploitation |
| kerberos-attacks | Kerberoasting, AS-REP Roasting, Pass-the-Ticket, constrained/unconstrained delegation abuse |
Tools
| Tool | Use |
|---|---|
| nmap | Port scanning and service enumeration |
| BloodHound | Active Directory relationship mapping and attack path visualization |
| NetExec (CrackMapExec) | Network exploitation and credential validation |
| Kerbrute | Kerberos-based user enumeration without triggering lockout |
| Impacket | Protocol-level attacks: GetUserSPNs, secretsdump, psexec, wmiexec, ntlmrelayx |
| Responder | LLMNR/NBT-NS/mDNS poisoning for NTLMv2 hash capture |
| Mimikatz | Credential extraction from memory, DPAPI, SAM, NTDS |
| bash | Tool orchestration and scripting |
| report_vulnerability | Record findings with MITRE ATT&CK mapping |
Testing methodology
Network reconnaissance
Port scanning with nmap to identify live hosts and services, followed by service version detection and banner grabbing on the discovered ports. Network mapping to understand topology, segmentation, and routing. Identifies domain controllers, file servers, web servers, and other high-value targets; domain controllers stand out by the combination of Kerberos (88), LDAP (389/636), DNS (53) and SMB (445) on one host.
Active Directory enumeration
Enumerates domain users, groups, computers, OUs, and trusts using BloodHound and Impacket. Identifies privileged users (Domain Admins, Enterprise Admins, Account Operators). Reviews Group Policy Objects for misconfigured software deployment or logon scripts. Analyzes ACL chains for paths from low-privilege users to Domain Admin using BloodHound’s attack path queries.
Credential attacks
- Kerberoasting — Requests Kerberos service tickets for accounts with SPNs and cracks them offline with hashcat. Targets service accounts that often have weak passwords and high privileges. RC4 (etype 23) tickets crack far faster than AES ones, which is why AES-only service accounts matter.
- AS-REP Roasting — Identifies accounts with Kerberos pre-authentication disabled and requests their AS-REP, whose encrypted part is cracked offline. The request itself needs no credentials.
- Password spraying — Tests a single common password across all enumerated accounts with Kerbrute's pre-authentication attempts. Each failure still counts against the lockout threshold, so lockout is avoided by pacing rather than by the tool: read the domain's lockout threshold and observation window first, then one attempt per account per window.
- NTLM relay — Captures NTLMv2 challenge-responses from LLMNR/NBT-NS poisoning with Responder and cracks them offline, or relays the authentication with ntlmrelayx to authenticate to target services. Capture and relay are alternatives for a given connection: when relaying, Responder's SMB and HTTP servers are disabled so that ntlmrelayx answers the victim, and SMB targets must not require signing. A captured NTLMv2 response is not the NT hash and cannot be used for Pass-the-Hash.
Lateral movement
Tests movement between hosts using captured credentials and hashes:
- Pass-the-Hash — Authenticates to services using NTLM hashes without knowing plaintext passwords
- Pass-the-Ticket — Uses captured Kerberos tickets for authentication
- DCOM/WMI execution — Remote code execution via Windows management protocols
- PSExec/WinRM — Remote shell via SMB named pipes or WinRM
Privilege escalation
Tests escalation from local admin to domain admin via:
- Unconstrained delegation — A host configured for unconstrained delegation keeps the TGT of every user that authenticates to it; an attacker with local admin on that host can extract those TGTs and reuse them
- Resource-based constrained delegation (RBCD) — If msDS-AllowedToActOnBehalfOfOtherIdentity on a computer object is writable, an attacker-controlled account is added to it and then impersonates any user to that computer via S4U2Self/S4U2Proxy (members of Protected Users and accounts marked sensitive cannot be impersonated)
- AD CS abuse — Misconfigured certificate templates (ESC1–ESC8) allow privilege escalation to Domain Admin: a certificate issued for a privileged account is exchanged for a TGT via PKINIT
- GPO abuse — Write access to a GPO linked to a high-privilege OU allows code execution as any user in that OU (logon script or scheduled task), or as SYSTEM on the computers the OU contains
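The AD CS item above names ESC1 without spelling out the conditions, and the ESC1 attack chain further down walks through them in prose. The following is an added example that encodes those conditions as a check over template attributes as they are read from the Configuration naming context; it is not Certipy's code, and the three template records are constructed (the flag values are illustrative, not dumped from a CA).

```python
"""
ESC1 check over certificate-template attributes (msPKI-Certificate-Name-Flag,
msPKI-Enrollment-Flag, msPKI-RA-Signature, pKIExtendedKeyUsage, enrollment
DACL). Added example, not Certipy's code; template records are constructed.
"""
from dataclasses import dataclass
from typing import List, Set

# msPKI-Certificate-Name-Flag bit: the requester supplies subject and SAN.
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag bit: every request waits for CA manager approval.
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002

# EKUs that make the issued certificate usable for AD logon (PKINIT).
CLIENT_AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Principals whose Enroll right means "anyone in the domain".
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


@dataclass
class Template:
    name: str
    name_flag: int               # msPKI-Certificate-Name-Flag
    enrollment_flag: int         # msPKI-Enrollment-Flag
    ra_signatures: int           # msPKI-RA-Signature: authorized signatures required
    ekus: Set[str]               # pKIExtendedKeyUsage OIDs; empty = no restriction
    enroll_principals: Set[str]  # principals holding Enroll/AutoEnroll in the DACL
    published: bool = True       # listed in some CA's certificateTemplates attribute


def esc1_reasons(t: Template) -> List[str]:
    """Reasons the template is NOT ESC1; an empty list means every ESC1
    condition holds and a low-privilege user can mint a certificate for any UPN."""
    reasons = []
    if not t.published:
        reasons.append("not published on any CA")
    if not t.name_flag & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("subject is built by the CA, not the requester")
    if t.enrollment_flag & CT_FLAG_PEND_ALL_REQUESTS:
        reasons.append("manager approval required")
    if t.ra_signatures > 0:
        reasons.append(f"{t.ra_signatures} authorized signature(s) required")
    # An empty EKU list places no restriction, so it counts as usable for logon.
    if t.ekus and not t.ekus & CLIENT_AUTH_EKUS:
        reasons.append("no client-authentication EKU")
    if not t.enroll_principals & LOW_PRIV_PRINCIPALS:
        reasons.append("no low-privilege principal can enroll")
    return reasons


def is_esc1(t: Template) -> bool:
    return not esc1_reasons(t)


def find_esc1(templates: List[Template]) -> List[str]:
    return [t.name for t in templates if is_esc1(t)]


# Constructed records (flag values are illustrative, not dumped from a CA).
VULN_TEMPLATE = Template(
    "VPN-Users-Custom", name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, enrollment_flag=0x0,
    ra_signatures=0, ekus={"1.3.6.1.5.5.7.3.2"}, enroll_principals={"Domain Users"})
DEFAULT_USER_TEMPLATE = Template(  # subject taken from AD: not ESC1 despite wide enrollment
    "User", name_flag=0xA6000000, enrollment_flag=0x29, ra_signatures=0,
    ekus={"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4", "1.3.6.1.4.1.311.10.3.4"},
    enroll_principals={"Domain Users"})
APPROVAL_TEMPLATE = Template(  # requester supplies the SAN, but a CA manager must approve
    "Admin-Smartcard", name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
    enrollment_flag=CT_FLAG_PEND_ALL_REQUESTS, ra_signatures=0,
    ekus={"1.3.6.1.4.1.311.20.2.2"}, enroll_principals={"Domain Users"})

if __name__ == "__main__":
    for t in (VULN_TEMPLATE, DEFAULT_USER_TEMPLATE, APPROVAL_TEMPLATE):
        print(f"{t.name:18} ESC1={str(is_esc1(t)):5} {'; '.join(esc1_reasons(t))}")
```

The check returns the failing conditions rather than a boolean so that a near-miss (for example a template that is ESC1 except for manager approval) is visible: that is the template a CA manager's account, once compromised, turns into ESC1.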
Key attack chains
LLMNR poisoning → credential capture → lateral movement
Start Responder to poison LLMNR/NBT-NS traffic. Wait for a host on the network to attempt name resolution for a non-existent host (a mistyped UNC path, a stale mapped drive, a decommissioned server name). Capture the NTLMv2 challenge-responses. Crack them offline with hashcat, or relay the authentication immediately with ntlmrelayx to SMB shares or HTTP services without cracking. The two are alternatives for a given victim connection: when relaying, Responder's SMB and HTTP servers are turned off so that ntlmrelayx is the one answering, and relaying to SMB only works against hosts that do not require signing.
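The exchange this chain starts with, shown at the wire level as an added example that is not part of the agent or of Responder: the query a Windows host multicasts when DNS has no answer for a name, and the response a poisoner sends back. The packets are built and parsed in memory only; the name, transaction ID and attacker address are constructed.

```python
"""
LLMNR at the wire level (RFC 4795: same header and record layout as DNS,
queries to 224.0.0.252:5355, responses unicast to the querier's source port).
Added example, not part of the agent or of Responder; nothing is sent.
"""
import struct
from dataclasses import dataclass

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355
TYPE_A, CLASS_IN = 1, 1
FLAG_RESPONSE = 0x8000  # QR bit in the header


@dataclass
class LlmnrQuery:
    txid: int
    name: str
    qtype: int
    qclass: int
    raw_question: bytes  # echoed verbatim in the response


def _encode_name(name: str) -> bytes:
    out = b""
    for label in name.split("."):
        if not label:
            continue
        if len(label) > 63:
            raise ValueError("label too long")
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def _decode_name(data: bytes, offset: int):
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointer not expected in LLMNR")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_llmnr_query(name: str, txid: int) -> bytes:
    # ID, flags=0 (standard query), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    return (struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + _encode_name(name)
            + struct.pack("!HH", TYPE_A, CLASS_IN))


def parse_llmnr_query(data: bytes) -> LlmnrQuery:
    txid, flags, qdcount, *_ = struct.unpack("!HHHHHH", data[:12])
    if flags & FLAG_RESPONSE or qdcount != 1:
        raise ValueError("not a single-question LLMNR query")
    name, end = _decode_name(data, 12)
    qtype, qclass = struct.unpack("!HH", data[end:end + 4])
    return LlmnrQuery(txid, name, qtype, qclass, data[12:end + 4])


def build_poisoned_response(query: LlmnrQuery, attacker_ip: str, ttl: int = 30) -> bytes:
    """Answer whatever name was asked for with the attacker's address. The
    victim then opens SMB/HTTP to that address and authenticates with NTLM."""
    header = struct.pack("!HHHHHH", query.txid, FLAG_RESPONSE, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in attacker_ip.split("."))
    answer = (_encode_name(query.name)
              + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata)
    return header + query.raw_question + answer


def parse_response_address(data: bytes):
    """(txid, name, ip) of a single-answer response. A detector can compare the
    answered name with what DNS knows and alert on answers for names that do not exist."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & FLAG_RESPONSE or ancount != 1:
        raise ValueError("not a single-answer LLMNR response")
    _, end = _decode_name(data, 12)
    end += 4                                   # skip the echoed qtype/qclass
    name, end = _decode_name(data, end)
    _, _, _, rdlen = struct.unpack("!HHIH", data[end:end + 10])
    rdata = data[end + 10:end + 10 + rdlen]
    return txid, name, ".".join(str(b) for b in rdata)


if __name__ == "__main__":
    # Constructed exchange: a client asks for a host that does not exist.
    q = build_llmnr_query("fileshare01", 0x1234)
    parsed = parse_llmnr_query(q)
    r = build_poisoned_response(parsed, "10.0.0.66")
    print(parsed.name, "->", parse_response_address(r))
```

Nothing in the response proves who sent it, which is the whole weakness: the victim accepts the first answer for the transaction ID it chose. What the attacker receives afterwards is the NTLMv2 challenge-response of the account that tried to open the share, to be cracked or relayed as described above.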
Kerberoasting → service account compromise → domain escalation
Enumerate accounts with SPNs using GetUserSPNs. Request service tickets and write out the hashes, asking for RC4 tickets where the account's supported encryption types still allow them, since those crack far faster than AES. Crack offline — service accounts often have weak passwords set years ago and never rotated. Use the cracked credentials to authenticate as the service account, which may have privileges over other systems or AD objects.
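The hashes this chain and the AS-REP Roasting item under Credential attacks produce are plain text lines in hashcat's format, and the first thing worth doing with a batch is to sort it by cracking cost. The following is an added example, not code from the agent or from Impacket: it parses the `$krb5tgs$` lines GetUserSPNs.py writes (RC4 and AES layouts differ) and the `$krb5asrep$` lines GetNPUsers.py writes, and orders them RC4 first. The three sample lines are constructed placeholders whose hex bodies are not real tickets.

```python
"""
Parse hashcat-format Kerberos hashes as written by Impacket's GetUserSPNs.py
(Kerberoast) and GetNPUsers.py (AS-REP roast) and order them by cracking cost.
Added example, not Impacket's code. Layouts handled:
  RC4 TGS    $krb5tgs$23$*user$REALM$spn*$checksum$edata     hashcat 13100
  AES TGS    $krb5tgs$17|18$user$REALM$*spn*$checksum$edata  hashcat 19600/19700
  RC4 AS-REP $krb5asrep$23$user@REALM:checksum$edata         hashcat 18200
"""
import re
from dataclasses import dataclass
from typing import List, Optional

RC4_HMAC, AES128_SHA1, AES256_SHA1 = 23, 17, 18  # Kerberos etype numbers
HASHCAT_MODE = {("tgs", RC4_HMAC): 13100, ("tgs", AES128_SHA1): 19600,
                ("tgs", AES256_SHA1): 19700, ("asrep", RC4_HMAC): 18200}

# RC4 checksum is 16 bytes (32 hex); AES checksum is 12 bytes (24 hex).
_RC4_TGS = re.compile(
    r"^\$krb5tgs\$23\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-f]{32})\$(?P<edata>[0-9a-f]+)$", re.I)
_AES_TGS = re.compile(
    r"^\$krb5tgs\$(?P<etype>17|18)\$(?P<user>[^$]+)\$(?P<realm>[^$]+)\$\*(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-f]{24})\$(?P<edata>[0-9a-f]+)$", re.I)
_ASREP = re.compile(
    r"^\$krb5asrep\$23\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-f]{32})\$(?P<edata>[0-9a-f]+)$", re.I)


@dataclass
class KerbHash:
    kind: str            # "tgs" (Kerberoast) or "asrep" (AS-REP roast)
    user: str
    realm: str
    spn: Optional[str]   # None for AS-REP
    etype: int
    hashcat_mode: int
    line: str

    @property
    def rc4(self) -> bool:
        # etype 23 keys are the unsalted NT hash; AES keys come from PBKDF2
        # with 4096 iterations, so RC4 tickets crack orders of magnitude faster.
        return self.etype == RC4_HMAC


def parse_kerberos_hash(line: str) -> KerbHash:
    line = line.strip()
    m = _RC4_TGS.match(line)
    if m:
        return KerbHash("tgs", m["user"], m["realm"], m["spn"], RC4_HMAC,
                        HASHCAT_MODE[("tgs", RC4_HMAC)], line)
    m = _AES_TGS.match(line)
    if m:
        etype = int(m["etype"])
        return KerbHash("tgs", m["user"], m["realm"], m["spn"], etype,
                        HASHCAT_MODE[("tgs", etype)], line)
    m = _ASREP.match(line)
    if m:
        return KerbHash("asrep", m["user"], m["realm"], None, RC4_HMAC,
                        HASHCAT_MODE[("asrep", RC4_HMAC)], line)
    raise ValueError(f"unrecognised Kerberos hash format: {line[:24]}...")


def crack_order(lines: List[str]) -> List[KerbHash]:
    """Cheapest first: RC4 before AES, then by etype, then by user."""
    parsed = [parse_kerberos_hash(l) for l in lines if l.strip()]
    return sorted(parsed, key=lambda h: (0 if h.rc4 else 1, h.etype, h.user))


# Constructed sample lines: hex bodies are placeholders, not real tickets.
SAMPLE_HASHES = [
    "$krb5tgs$18$svc_backup$CORP.LOCAL$*cifs/fs01.corp.local*$" + "c" * 24 + "$" + "d" * 64,
    "$krb5tgs$23$*svc_sql$CORP.LOCAL$MSSQLSvc/sql01.corp.local~1433*$" + "a" * 32 + "$" + "b" * 64,
    "$krb5asrep$23$jdoe@CORP.LOCAL:" + "e" * 32 + "$" + "f" * 64,
]

if __name__ == "__main__":
    for h in crack_order(SAMPLE_HASHES):
        print(f"{h.user:12} {h.kind:5} etype={h.etype} hashcat -m {h.hashcat_mode}")
```

Feeding the sorted lines to hashcat per mode gets the RC4 material back first; an account that only ever yields etype 17/18 tickets is the AES-only remediation in the finding format doing its job, and the parser makes that visible per account.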
BloodHound path → ACL abuse → Domain Admin
Collect BloodHound data. Query for the shortest path from the current user to Domain Admins. Identify ACL-based escalation edges: WriteDACL, GenericAll, WriteOwner on user or group objects. Exploit the ACL to add yourself to a privileged group or reset a privileged user’s password. Each edge type is abused differently: WriteOwner is first turned into ownership and then a DACL change; WriteDACL into an ACE granting yourself GenericAll; GenericAll on a group into a membership change, and on a user into a password reset (noisy, and the user notices) or an added SPN for targeted Kerberoasting.
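BloodHound answers the shortest-path question with a Cypher `shortestPath()` query against Neo4j; to show what that query computes and what each hop then requires, here is an added example over a constructed edge list. It is not BloodHound's code and the graph is not real collector output; node names follow BloodHound's NAME@DOMAIN convention, and the edge types are BloodHound's.

```python
"""
Shortest escalation path over a BloodHound-style edge list, plus the abuse step
each edge implies. Added example; not BloodHound's code, graph constructed.
"""
from collections import deque
from typing import Dict, List, Optional, Tuple

Edge = Tuple[str, str, str]  # (source, relationship, target)
DOMAIN_ADMINS = "DOMAIN ADMINS@CORP.LOCAL"

# Constructed sample graph using BloodHound's NAME@DOMAIN node naming.
NODE_TYPE: Dict[str, str] = {
    "JDOE@CORP.LOCAL": "User", "TSMITH@CORP.LOCAL": "User", "SVC_BACKUP@CORP.LOCAL": "User",
    "HELPDESK@CORP.LOCAL": "Group", "IT-ADMINS@CORP.LOCAL": "Group",
    "BACKUP-OPS@CORP.LOCAL": "Group", DOMAIN_ADMINS: "Group",
    "WS01.CORP.LOCAL": "Computer",
}
EDGES: List[Edge] = [
    ("JDOE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("JDOE@CORP.LOCAL", "CanRDP", "WS01.CORP.LOCAL"),            # session access, not an ACL right
    ("JDOE@CORP.LOCAL", "WriteOwner", "SVC_BACKUP@CORP.LOCAL"),  # dead end: leads nowhere privileged
    ("SVC_BACKUP@CORP.LOCAL", "MemberOf", "BACKUP-OPS@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "GenericAll", "TSMITH@CORP.LOCAL"),
    ("TSMITH@CORP.LOCAL", "MemberOf", "IT-ADMINS@CORP.LOCAL"),
    ("IT-ADMINS@CORP.LOCAL", "WriteDacl", DOMAIN_ADMINS),
]

# Edges that yield control of the target (or its rights, for MemberOf).
ESCALATION_RELS = {"MemberOf", "GenericAll", "GenericWrite", "WriteDacl", "WriteOwner",
                   "Owns", "AddMember", "ForceChangePassword", "AllExtendedRights"}


def shortest_path(edges: List[Edge], start: str, target: str,
                  allowed=ESCALATION_RELS) -> Optional[List[Edge]]:
    """Breadth-first search: the first time `target` is dequeued the path has the
    fewest hops. Rights held through groups are found because MemberOf is traversable."""
    adjacency: Dict[str, List[Edge]] = {}
    for e in edges:
        if e[1] in allowed:
            adjacency.setdefault(e[0], []).append(e)
    parent: Dict[str, Optional[Edge]] = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parent[node] is not None:
                path.append(parent[node])
                node = parent[node][0]
            return path[::-1]
        for e in adjacency.get(node, []):
            if e[2] not in parent:
                parent[e[2]] = e
                queue.append(e[2])
    return None


def abuse_step(edge: Edge, node_type: Dict[str, str]) -> str:
    src, rel, dst = edge
    kind = node_type.get(dst, "Unknown")
    if rel == "MemberOf":
        return f"{src} is a member of {dst}; its rights apply, nothing to exploit"
    if rel in ("WriteOwner", "Owns"):
        return f"take ownership of {dst} (already held for Owns), then write its DACL to grant yourself GenericAll"
    if rel == "WriteDacl":
        return f"add an ACE granting yourself GenericAll on {dst}, then continue as GenericAll"
    if kind == "Group" and rel in ("GenericAll", "GenericWrite", "AddMember"):
        return f"add a principal you control to {dst} (write its member attribute)"
    if kind == "User" and rel in ("GenericAll", "ForceChangePassword", "AllExtendedRights"):
        return f"reset the password of {dst} (noisy), or with GenericAll set an SPN and Kerberoast it"
    if kind == "User" and rel == "GenericWrite":
        return f"set an SPN on {dst} and Kerberoast it"
    return f"{rel} on {dst} ({kind}): consult the edge's abuse info"


def abuse_plan(path: List[Edge], node_type: Dict[str, str]) -> List[str]:
    return [abuse_step(e, node_type) for e in path]


if __name__ == "__main__":
    path = shortest_path(EDGES, "JDOE@CORP.LOCAL", DOMAIN_ADMINS)
    for edge, step in zip(path, abuse_plan(path, NODE_TYPE)):
        print(f"{edge[0]} -[{edge[1]}]-> {edge[2]}: {step}")
```

Two details matter in practice and are visible in the sample: the CanRDP edge is excluded from the search because it grants a session, not control of an object, and the WriteOwner edge is explored but rejected because nothing privileged lies beyond it. For the actual DACL writes on an engagement the usual tools are PowerView's Add-DomainObjectAcl or Impacket's dacledit.py.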
AD CS ESC1 → certificate → PKINIT → Domain Admin
Enumerate certificate templates with Certipy. Find templates where low-privilege users can enroll, the template allows Client Authentication, neither manager approval nor authorized signatures are required, and the Subject Alternative Name is supplied by the requester (ESC1). Request a certificate with [email protected] in the SAN, the UPN of the targeted Domain Admin account. Use the certificate with PKINIT to get a TGT as Domain Admin; the same PKINIT logon also yields the account's NT hash, so the access outlives the certificate.
Example workflows
Finding output format
Each finding the agent reports includes:
- Attack vector — e.g., Kerberoasting
- Target — Specific account or host affected
- Severity — High / Medium / Low with CVSS score
- MITRE ATT&CK — Technique ID, e.g., T1558.003
- Evidence — Captured hash, cracked password, or access proof
- Impact — What an attacker could achieve (e.g., domain compromise path)
- Remediation — Specific fix, e.g., use Managed Service Accounts, enforce 25+ character service account passwords, enable AES-only Kerberos encryption