For those who want to perform a proper infrastructure pentest, here is a structured and realistic baseline.
This repository contains an AttackForge Reporting compatible Test Suite for Infrastructure and Active Directory test cases, designed specifically for internal infrastructure assessments and red team engagements.
The focus is strictly on:
- Active Directory security testing
- Windows domain environments
- AD CS and PKI abuse
- Kerberos and NTLM attack paths
- Delegation and ACL abuse
- Lateral movement primitives
- Credential access techniques
- SCCM, MSSQL, and Exchange related AD abuse
- Infrastructure misconfigurations and protocol weaknesses
This repository is not intended to be used as a rigid checklist or compliance framework.
In real-world infrastructure engagements, there is rarely enough time to execute every possible technique against every asset. Attempting to do so is unrealistic and does not reflect how professional infrastructure pentesting is performed.
A proper infrastructure assessment is reconnaissance-driven and attack-path focused.
The correct approach is:
- Perform thorough reconnaissance
- Identify trust relationships, privilege boundaries, and architectural weaknesses
- Map realistic attack paths
- Execute techniques that are relevant to those paths
The test cases in this repository should therefore be viewed as documented attack primitives and potential attack paths, not mandatory steps.
They exist to ensure coverage, consistency, and reporting clarity. They do not replace the judgment and methodology of the pentester.
Use this baseline as a reference library of techniques that may be applicable depending on the findings during reconnaissance and enumeration.
This project provides:
- A structured and standardized infrastructure pentest baseline
- A complete AD attack surface coverage checklist
- Reporting-ready JSON format compatible with AttackForge
- A methodology aligned with modern offensive tradecraft
- A continuously extensible test suite
The goal is to prevent incomplete AD testing and ensure consistency across engagements. The covered technique areas include:
- LLMNR, NBT-NS, mDNS poisoning
- DHCPv6 and DNS spoofing
- WPAD abuse
- NTLM relay preconditions
- Coerced authentication techniques
- SMB and LDAP signing weaknesses
- BloodHound collection and attack path analysis
- LDAP, RPC, SMB enumeration
- Trust relationship mapping
- SYSVOL and GPO review
- AD CS discovery
- AS-REP roasting
- Kerberoasting
- Targeted Kerberoasting
- Password spraying
- LSASS dumping feasibility
- SAM and LSA extraction
- DPAPI secret recovery
- DCSync validation
- GenericAll, GenericWrite, WriteDACL, WriteOwner
- ForceChangePassword
- Group membership abuse
- SPN manipulation
- MachineAccountQuota abuse
- Shadow Credentials
- Resource-based Constrained Delegation
- Unconstrained delegation
- Constrained delegation
- Protocol transition abuse
- Resource-based constrained delegation
- Bronze Bit exposure
- NoPAC exposure
- ESC1 through ESC16
- NTLM relay to certificate enrollment
- Weak template configurations
- Certificate mapping misconfigurations
- Pass the Certificate
- Golden Certificate risk
- Certifried exposure
- Pass the Hash
- Overpass the Hash
- Pass the Ticket
- WMI execution
- WinRM execution
- DCOM execution
- Scheduled Task execution
- MSSQL abuse
- SCCM abuse
- Golden Ticket validation
- Silver Ticket validation
- Diamond and Sapphire ticket scenarios
- RODC considerations
- AdminSDHolder abuse
- DCShadow exposure
- SIDHistory injection
This test suite is:
- Modular
- Enumeration-driven
- Abuse-focused
- Impact validated
- Reporting-ready
- Technique-aligned
Each test case is:
- Structured
- Mapped to a known attack primitive
- Tagged for categorization
- Tool-referenced
- Methodology-aligned
The JSON structure is designed to be:
- Directly importable into AttackForge
- Easy to extend
- Cleanly sortable
- Suitable for enterprise reporting workflows
If a new AD CS technique is published, a new Kerberos bypass appears, a new delegation edge case is discovered, or a new enterprise abuse primitive emerges, or if you simply want to improve or expand the coverage, you are encouraged to:
- Open an issue
- Submit a pull request
- Improve or extend existing test cases
Keep the structure consistent and aligned with infrastructure pentesting.
This baseline is intended for authorized:
- penetration testing
- red teaming
- lab research
- defensive validation
Use responsibly and only with explicit authorization and in accordance with local laws.
Primary technical references:
These resources provide the foundation for modern Active Directory offensive research and methodology.
