Open-source tools for mapping, visualizing, and identifying exploitable security relationships within Active Directory environments.
This project is a comprehensive, community-sourced knowledge base designed for security professionals and researchers. It functions as a centralized repository of offensive security techniques, providing a structured collection of exploit payloads, attack vectors, and methodologies for conducting vulnerability assessments and penetration testing. The repository distinguishes itself through a cross-platform payload taxonomy that categorizes exploitation methods by vulnerability type and target environment, enabling rapid lookup during security assessments. It maintains high standards of data integrity and collaborative growth by utilizing version-controlled knowledge management and template-driven content generation, ensuring that the research remains current and consistent across a wide range of technical domains. The project covers a broad capability surface, including detailed references for web application security, database injection, insecure deserialization, and AI model security testing. It also aggregates external resources, such as research papers and third-party tools, to provide a holistic view of modern threat analysis and defensive research. The documentation is organized as a hierarchical tree of markdown files, designed for easy navigation and reference during active security engagements.
This project is a comprehensive cybersecurity tool collection designed to support security research, penetration testing, and vulnerability assessment. It functions as a unified penetration testing suite, providing a centralized environment where professionals can access a wide range of offensive security utilities to identify system weaknesses and study attack vectors. The platform distinguishes itself through a modular architecture that aggregates disparate security scripts into a single, hierarchical command-line interface. It simplifies the management of these utilities by integrating external repositories, allowing users to fetch and organize third-party tools directly into a structured local directory. By utilizing a categorized menu system and shell-based process execution, the suite enables efficient navigation and direct invocation of specialized tools for tasks ranging from forensic analysis and reverse engineering to exploit development. The toolkit covers a broad spectrum of security domains, including web and wireless attack vectors, cloud security, payload creation, and social media analysis. It also incorporates automated environment setup to handle the installation of necessary system packages and language runtimes, ensuring compatibility across its diverse collection of utilities.
This project serves as a centralized, community-driven repository of technical knowledge and administrative resources. It provides a structured taxonomy that aggregates disparate information into a searchable framework, supporting continuous learning and rapid problem-solving for system administrators and cybersecurity practitioners. By mapping resources across offensive security, infrastructure management, and software development, it offers a unified path for skill acquisition and professional reference. The project is defined by a command-line-first design philosophy, prioritizing terminal-based utilities and scriptable interfaces to facilitate efficient system administration and repeatable security workflows. It distinguishes itself through a platform-agnostic approach, maintaining documentation and operational guides that remain applicable across diverse Unix-like and cloud-based environments. This modular toolchain integration allows users to compose custom environments tailored to specific administrative or security tasks. The repository covers a broad capability surface, including comprehensive toolkits for system auditing, network management, and infrastructure hardening. It provides structured learning paths for cybersecurity skill development, ranging from ethical hacking labs and penetration testing standards to vulnerability assessment and system configuration best practices. The collection also encompasses a wide array of productivity tools, diagnostic utilities, and educational materials designed to streamline routine maintenance and enhance overall security posture.
GOAD is an Ansible-based automation tool and infrastructure orchestrator used to deploy pre-configured networks of vulnerable Windows virtual machines. It serves as a security training environment for practicing Active Directory penetration testing, privilege escalation, and lateral movement across various cloud platforms and local virtualization hypervisors. The project distinguishes itself through a multi-provider infrastructure model and a system of infrastructure recipes that simulate intentional security misconfigurations. It supports the deployment of varied attack scenarios, including vulnerable Active Directory environments, Exchange servers, and SCCM setups, while allowing for custom lab extensions and tiered inventory overrides to adapt the environment to specific provider settings. Broad capabilities include the provisioning of blue team monitoring stacks with EDR solutions and centralized logging for security event analysis. It also provides network access utilities such as SSH jumpboxes and SOCKS proxies to route attack traffic into isolated segments, and simulates specific security challenges like database impersonation and access control list manipulation.
This project is an automated security testing suite designed to detect and exploit database vulnerabilities. It functions as a command-line utility that streamlines the identification, verification, and exploitation of web application flaws by automating the injection of malicious payloads into input parameters. The tool provides a comprehensive framework for database enumeration, allowing users to extract schema information, user data, and system configurations from identified injection points. What distinguishes this tool is its sophisticated engine for dynamic payload adaptation and heuristic fingerprinting, which adjusts injection techniques in real-time based on server responses. It supports advanced post-exploitation capabilities, including remote command execution on the underlying host operating system and file system access through database-level vulnerabilities. To navigate restricted environments, the software incorporates out-of-band data exfiltration channels and a middleware pipeline for applying user-defined transformations to bypass security filters and web application firewalls. The suite covers a broad range of operational requirements, including stateful session management, anti-CSRF token handling, and extensive request customization. It supports various target specification methods, such as proxy log analysis and remote API management, while offering granular control over scan performance and detection thresholds. The software is distributed as a command-line application, with configuration management supported through external file loading and command-line arguments.
The framework is a comprehensive penetration testing platform designed for the development, testing, and execution of security exploits. It serves as a research toolkit and automated assessment environment, enabling security professionals to identify and validate vulnerabilities within networked systems and infrastructure through repeatable, standardized procedures. The platform distinguishes itself through a modular architecture that supports reflective payload injection, allowing for the execution of code directly in memory without writing to disk. It utilizes an asynchronous event loop to manage high-performance, concurrent network connections and features a transport-agnostic communication layer that abstracts protocols to maintain persistent command and control. Users can extend the core functionality through a plugin system and define complex exploit logic using a domain-specific language. The framework provides robust capabilities for remote payload management, including the configuration of network settings like sleep intervals and timeout thresholds. It maintains state persistence across long-running sessions by storing discovered host information and vulnerability data in a relational database. The software is designed for cross-platform deployment, with installation support available for Linux, macOS, and Windows environments.
This is a hands-on lab environment for learning network penetration testing techniques, centered on setting up and attacking a vulnerable Active Directory network. The project provides a structured framework for practicing the full attack chain, from initial reconnaissance and scanning through exploitation, privilege escalation, lateral movement, and credential theft, all within isolated virtual machine labs. The lab environment is designed to simulate real-world attack scenarios, including the ability to compile and execute exploit code directly against targets without relying on Metasploit. It also integrates Metasploit for gaining shell access and maintaining persistence, and includes workflows for applying security patches to demonstrate defensive countermeasures. The project coordinates multiple tools like Nmap, Nessus, and Nikto through scripted pipelines for scanning and enumeration. Beyond the technical attack simulation, the project includes a framework for documenting findings, attack paths, and remediation steps into a structured report suitable for client delivery. The documentation covers building the Active Directory lab, executing the full attack chain, and patching the environment to reinforce defensive practices.
BloodHound is an Active Directory attack path mapper and security auditor designed to visualize trust relationships and permission chains. It serves as an attack surface management tool that identifies paths to domain administrator and other high-privileged accounts. The project uses a graph database analyzer to map complex identity and access relationships. It quantifies the risk of privilege escalation by identifying misconfigured permissions and trust links within Windows domains. The system provides capabilities for Active Directory security analysis, identity and access auditing, and network attack path visualization to detect potential security vulnerabilities.
This project is a community-curated database of network patterns designed to facilitate regional access bypass. It functions as a centralized, crowdsourced registry where distributed contributors submit and verify domain identifiers to maintain an accurate and up-to-date list of network rules. The registry provides a declarative syntax that allows diverse proxy clients to distinguish between local and restricted traffic. By standardizing these rules, the project enables automated configuration of routing tables, ensuring that only specific requests are directed through external proxy tunnels. The repository serves as a version-controlled distribution point for these network filters, allowing client applications to consume the data to maintain consistent filtering logic. The project is maintained as a collaborative, open-source database accessible for integration into various network routing tools.
Clash-rules provides a standardized, declarative system for managing network traffic routing across desktop and mobile proxy clients. It functions as a centralized configuration provider that uses structured rule sets to categorize outgoing requests, allowing users to define whether specific connections should be proxied, rejected, or routed directly. The project distinguishes itself through its comprehensive, curated rulesets that enable granular control over network behavior. By employing domain-pattern matching, CIDR-based network analysis, and application-specific signatures, it ensures consistent traffic management across diverse environments. It also supports automated synchronization, allowing proxy clients to fetch updated routing logic from external sources without manual intervention. The platform covers a broad range of traffic management capabilities, including regional content access, local network optimization, and malicious traffic filtering. These features allow for the systematic blocking of advertising and tracking domains while ensuring that private, local, and internal network resources bypass proxy tunnels to maintain direct connectivity.
This project provides a framework for managing multi-agent systems, designed to automate complex software development, infrastructure, and business workflows. It functions as a multi-agent workflow orchestrator that routes tasks to domain-specific workers while maintaining state persistence and infrastructure automation. By leveraging large language models, the system decomposes high-level objectives into actionable plans, ensuring that complex operations are executed with consistency and reliability. The framework distinguishes itself through its hierarchical agent registry and policy-driven tool access, which enforce security boundaries by restricting agent operations based on defined functional roles. It utilizes context-aware task routing to match incoming requests with specific agent capabilities and model performance profiles, while implementing deterministic fallback mechanisms to maintain operational continuity when agents encounter errors or context limits. This architecture allows for modular capability expansion and reproducible environment configurations through version-controlled templates. The system covers a broad capability surface, including automated technical documentation, cloud infrastructure management, and security auditing. It supports diverse domains such as API design, database optimization, and system reliability engineering, providing tools for incident response, performance monitoring, and compliance enforcement. These capabilities are integrated into a command-line interface that enables developers to search, fetch, and deploy specialized subagents directly from the repository.
Zoxide is a terminal utility designed to accelerate filesystem navigation by learning user habits. It functions as a command-line navigation tool that allows users to jump to frequently accessed directories using partial names rather than typing out full file paths. The tool maintains a persistent, atomic file-based database that records navigation history, enabling rapid lookups and safe updates across multiple shell sessions. The project distinguishes itself through a frecency-based ranking algorithm, which calculates directory relevance by combining access frequency with temporal decay. This ensures that the most likely destinations are prioritized during path resolution. To maintain accuracy and performance, the tool employs heuristic fuzzy matching to resolve partial queries and includes automated background maintenance to prune stale records or directories that no longer exist on the filesystem. The utility integrates directly into various shell environments through a lightweight hook layer, enabling command-line completion and streamlined navigation workflows. Users can further customize the tool's behavior, storage locations, and filtering rules through environment variables defined in their shell configuration files.
CrackMapExec is a network penetration testing framework and automated security scanner designed to assess security postures across large IP ranges. It functions as a multi-protocol security scanner and network protocol auditor used to identify vulnerabilities and misconfigurations. The tool provides capabilities for Active Directory auditing to enumerate users and permissions, as well as post-exploitation enumeration to gather system metadata and discover lateral movement paths. It includes a framework for credential spraying and harvesting across various network services. The system utilizes asynchronous network I/O and parallel execution to manage high volumes of socket connections. It employs a modular protocol implementation and dynamic plugin loading to extend security assessment tools, with a local database for persisting discovered credentials and host metadata.
This application provides a comprehensive interface for managing network traffic through a core proxy engine. It supports multiple traffic interception methods, including system-wide proxy settings and virtual network interfaces, allowing users to route TCP and UDP traffic based on specific domain, IP, port, or process criteria. The system facilitates complex network configurations through proxy chaining, rule-based routing, and the aggregation of multiple remote subscription sources. Beyond core networking, the tool includes developer-focused utilities for configuration management and system diagnostics. Users can modify configuration objects using a sandboxed scripting engine or automate imports via URL-based protocols and custom response headers. The application also offers administrative service modes for elevated privilege management and provides tools for visual interface customization, including support for custom style sheets and icon management.
Ethical-Hacking-Labs is a comprehensive cybersecurity training curriculum and lab suite designed for learning penetration testing, network analysis, and offensive security techniques. It provides a structured environment for practicing the full attack lifecycle, from initial reconnaissance and scanning to exploitation and post-compromise analysis. The project provides instructional materials and guided exercises that cover specific technical domains, including open source intelligence research and network security courseware. It includes a practical workbook for identifying system vulnerabilities and practicing credential cracking and privilege escalation. The suite covers a broad range of security capabilities, including network scanning, vulnerability assessment, and traffic analysis. It also includes utilities for credential access through hash cracking, open source intelligence gathering, and the simulation of attack vectors using malicious payloads. The labs utilize virtualization environment setup to deploy pre-configured security distribution images within isolated virtual networks.
TruffleHog is a security tool designed to continuously monitor code repositories and cloud environments to detect, verify, and remediate exposed sensitive credentials and API keys. It functions as a comprehensive secret scanning engine that integrates directly into deployment pipelines and version control systems to intercept sensitive data before it is committed or pushed. By utilizing read-only operations and volatile memory processing, the system ensures that discovered credentials are never stored persistently, maintaining strict data privacy throughout the scanning lifecycle. The platform distinguishes itself through a privacy-focused architecture that relies on cryptographic fingerprinting to track and deduplicate findings without ever transmitting or storing raw sensitive values. It supports distributed scanning via independent agents that connect to a central dashboard, allowing for localized analysis while maintaining network isolation. Furthermore, the system provides automated incident response capabilities, including secret rotation and revocation, which help organizations minimize the window of vulnerability for compromised credentials. Beyond core detection, the project offers a broad capability surface for enterprise-wide access governance and security compliance. It includes modular detection logic for custom rule definitions, integration with external identity providers for role-based access control, and extensive monitoring across cloud storage, container infrastructure, and collaboration platforms. The system also provides detailed metadata tracing to link findings to specific users, pipelines, or commits, facilitating efficient remediation and auditability across large-scale development environments.
BloodHound is an identity risk management platform and graph-based attack path analyzer used to map identity relationships and permissions in Active Directory. It functions as a security tool for auditing directory services, uncovering unintended privilege relationships, and visualizing sequences of permissions that can lead to domain compromise. The project differentiates itself as a comprehensive adversary emulation framework that coordinates remote agents and executes post-exploitation commands. It includes a reverse proxy for bypassing multi-factor authentication via real-time session hijacking and a system for simulating phishing campaigns to track user interactions. The platform covers a broad set of offensive security capabilities, including credential harvesting from memory and local stores, Kerberos and PKI manipulation, and infrastructure enumeration targeting system management tools. It also provides tools for remote command execution, lateral movement through authentication coercion, and the discovery of privilege escalation vectors across host configurations. The system is deployed as a multi-tier container architecture and can be installed and configured via a command-line utility.
This project provides a system-wide content filtering utility that controls network traffic by redirecting domain resolution requests to local null addresses. By mapping unwanted hostnames to these addresses at the operating system level, it effectively blocks connections to advertising, tracking, and malicious domains across all applications on a machine. The core of the system is a data-driven build pipeline that aggregates multiple curated source lists into a single, unified configuration file. This process is highly customizable, allowing users to employ declarative filtering logic through external blacklist and whitelist files to define exactly which domains are included or excluded. The build process is managed via a command-line interface, which supports various flags to control output formats, source selection, and custom domain mappings. Beyond basic aggregation, the project supports diverse deployment scenarios, including containerized environments and integration with local network resolver services. It provides platform-specific utilities to ensure consistent application of these filtering rules, including mechanisms to manage local DNS client services for immediate configuration updates. The resulting output is designed to be environment-agnostic, maintaining compatibility across a wide range of operating systems and network services.
BloodHound is a graph-based security analysis tool designed to map trust relationships and attack vectors within Active Directory environments. It functions as an attack path mapper and risk assessment system that uses graph theory to identify hidden relationships and paths leading to high-privilege accounts. The tool specializes in network attack surface mapping and privilege escalation pathfinding. It quantifies security risks by measuring the reliability of attack paths to critical targets, allowing for the prioritization of vulnerability elimination. The system provides capabilities for directed graph visualization and permission-based path analysis. It utilizes query-driven data extraction to pull permission sets and group memberships, storing them in a schema-mapped format to calculate the shortest routes to high-value targets.
Sing-box is a universal proxy engine and traffic router designed to manage complex network connectivity across multiple operating systems. It functions as a configuration-driven core that intercepts system-level traffic, allowing for transparent proxying through encrypted tunnels. By normalizing diverse network protocols into a unified interface, the engine enables consistent traffic forwarding and protocol translation regardless of the underlying environment. The project distinguishes itself through a declarative configuration pipeline that validates and merges modular settings into a unified internal state before execution. It employs a rule-based traffic dispatcher that evaluates incoming packets against hierarchical criteria to determine optimal routing paths dynamically. This is complemented by an asynchronous domain name resolution pipeline, which provides granular control over how network requests are mapped and filtered, ensuring that traffic handling remains both accurate and performant. Beyond its core routing capabilities, the platform includes a comprehensive security layer for managing encrypted connections, including support for advanced handshake options and certificate validation. It also provides tools for monitoring real-time traffic and connection status, alongside flexible management of routing rule sets that can be sourced from local or remote locations. The software is designed to be installed as a background service, providing a stable and scalable infrastructure for controlled network communication.