Active Directory attack suite. Forty-one modules.
Built on impacket v0.12.0 with a unified Typer CLI and structured JSON output. Covers LDAP enumeration (users, groups, SPNs, GPOs, trusts, LAPS, password policy), Kerberos attacks (Kerberoast, ASREProast, ticket forgery, S4U), NTLM coercion (PetitPotam, PrinterBug, DFSCoerce, ShadowCoerce), relay orchestration, ADCS via certipy wrappers, DCSync, lateral movement (psexec/wmiexec/smbexec), and BloodHound CE ingest with attack path analysis. BeaconExecutor abstraction runs all commands through a NYX beacon or locally.
scroll to access
Kill_Chain_Position
Capabilities
Full LDAP enumeration sweep
10 enum modules: users, groups, computers, SPNs, trusts, GPOs, GPP cpassword scan, LAPS readers, password policy, PSOs
Kerberoast + ASREProast
TGS-REQ per SPN → hashcat mode 13100; AS-REQ without pre-auth → mode 18200; randomized request order with delay for OPSEC
Golden / Silver / Diamond ticket
Krbtgt hash → forge TGT; service hash → forge service ticket with custom PAC; Diamond via authentic AS-REQ→TGS modification
NTLM coercion + relay chain
PetitPotam, PrinterBug, DFSCoerce, ShadowCoerce → auto-prioritized relay targets sorted by SMB signing status
ADCS exploitation via certipy
Full ESC1–16 detection and exploitation wrapped through certipy-ad ≥v4.8; structured findings parsed from certipy JSON output
DCSync (secretsdump)
DRSUAPI replication with DA-equivalent check first; parsed output feeds PtH credential store automatically
Shadow credentials
msDS-KeyCredentialLink write on GenericAll/GenericWrite targets → certificate request → TGT without password
BloodHound CE attack paths
Ingest SharpHound v5+ zip; pure Python graph traversal for shortest path from owned principal to Domain Admins
Architecture
Forty-one Python modules across 12 subpackages. The Executor abstraction (ABC) is the key design decision: every module accepts an Executor, not caring whether it's LocalExecutor (runs impacket/certipy on operator machine) or BeaconExecutor (translates commands into NYX Operator API task queue calls). The enum/ package uses ldap3 for read-only enumeration over LDAPS, falling back to impacket LDAP for NTLM/hash-only auth. All credential-generating operations pass through lockout.py which checks password policy first. Dependencies: impacket v0.12.0 (pinned for behavioral stability), ldap3, cryptography (KeyCredentialLink blob construction), dnspython (SRV resolution), httpx (NYX API client). External tools called as subprocesses: certipy-ad, netexec (nxc). Typer CLI with 9 subcommand groups.
Engagement_Types
Also_In_The_Suite
Secure_Channel
All work requires a signed scope document. Initial contact is encrypted. Response within 48h.
INITIALIZE_CONTACT