pentest-active-directory
Assess Active Directory identity attack paths including roasting, relay, and delegation abuse.
Packaged view
This page reorganizes the original catalog entry around fit, installability, and workflow context first. The original raw source lives below.
Install command
npx @skill-hub/cli install openclaw-skills-pentest-active-directory
Repository
Skill path: skills/0x-professor/pentest-active-directory
Best for
Primary workflow: Ship Full Stack.
Technical facets: Full Stack.
Target audience: everyone.
License: Unknown.
Original source
Catalog source: SkillHub Club.
Repository owner: openclaw.
This is still a mirrored public skill entry. Review the repository before installing into production workflows.
What it helps with
- Install pentest-active-directory into Claude Code, Codex CLI, Gemini CLI, or OpenCode workflows
- Review https://github.com/openclaw/skills before adding pentest-active-directory to shared team environments
- Use pentest-active-directory for development workflows
Original source / Raw SKILL.md
---
name: pentest-active-directory
description: Assess Active Directory identity attack paths including roasting, relay, and delegation abuse.
---
# Pentest Active Directory
## Stage
- PTES: 6
- MITRE: TA0006, TA0008
## Objective
Map and validate AD privilege escalation and movement paths.
## Required Workflow
1. Validate scope before any active action and reject out-of-scope targets.
2. Run only authorized checks aligned to PTES, OWASP WSTG, NIST SP 800-115, and MITRE ATT&CK.
3. Write findings in canonical finding_schema format with reproducible PoC notes.
4. Honor dry-run mode and require explicit --i-have-authorization for live execution.
5. Export deterministic artifacts for downstream skill consumption.
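
The gate that steps 1 and 4 describe, as an added example; it is not the project's `validate_scope` from `pentest_common`. The scope field names `in_scope` and `out_of_scope`, the helper names, and the sample values are assumptions, since `scope_schema.json` is not shown on this page.

```python
import ipaddress

# Constructed scope document. The keys "in_scope"/"out_of_scope" are assumed,
# not taken from the project's scope_schema.json.
SAMPLE_SCOPE = {
    "in_scope": ["10.20.0.0/16", "corp.example.test"],
    "out_of_scope": ["10.20.99.0/24", "hr.corp.example.test"],
}

def _matches(target: str, entry: str) -> bool:
    """True if target is inside a CIDR entry, or equals / is a subdomain of a DNS entry."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        net = None
    if addr is not None and net is not None:
        return addr.version == net.version and addr in net
    if addr is None and net is None:
        t, e = target.lower().rstrip("."), entry.lower().rstrip(".")
        # The leading dot stops "evilcorp.example.test" matching "corp.example.test".
        return t == e or t.endswith("." + e)
    return False  # never compare an IP address against a DNS name

def check_scope(target: str, scope: dict) -> tuple:
    """Return (allowed, reason). Exclusions win over inclusions; default is deny."""
    for entry in scope.get("out_of_scope", []):
        if _matches(target, entry):
            return False, f"excluded by {entry}"
    for entry in scope.get("in_scope", []):
        if _matches(target, entry):
            return True, f"allowed by {entry}"
    return False, "no in_scope entry matches"

def gate(target: str, scope: dict, dry_run: bool, authorized: bool) -> str:
    """Scope is checked first (even for dry runs); live runs also need the flag."""
    ok, reason = check_scope(target, scope)
    if not ok:
        return "abort: " + reason
    if not dry_run and not authorized:
        return "abort: authorization flag required for live execution"
    return "dry-run" if dry_run else "live"
```
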
## Execution
```bash
python skills/pentest-active-directory/scripts/active_directory.py --scope scope.json --target <target> --input <path> --output <path> --format json --dry-run
```
## Outputs
- `ad-findings.json`
- `ad-attack-paths.json`
- `ad-report.json`
## References
- `references/tools.md`
- `skills/autonomous-pentester/shared/scope_schema.json`
- `skills/autonomous-pentester/shared/finding_schema.json`
## Legal and Ethical Notice
```text
WARNING AUTHORIZED USE ONLY
This skill executes real security testing tools against live targets.
Use only with written authorization.
```
---
## Referenced Files
> The following files are referenced in this skill and included for context.
### references/tools.md
```markdown
# Pentest Active Directory Tools
| Tool | URL |
|---|---|
| BloodHound | https://github.com/BloodHoundAD/BloodHound |
| SharpHound | https://github.com/BloodHoundAD/SharpHound |
| Impacket | https://github.com/fortra/impacket |
| mimikatz | https://github.com/gentilkiwi/mimikatz |
| NetExec | https://github.com/Pennyw0rth/NetExec |
| Certipy | https://github.com/ly4k/Certipy |
```
---
## Skill Companion Files
> Additional files collected from the skill directory layout.
### _meta.json
```json
{
  "owner": "0x-professor",
  "slug": "pentest-active-directory",
  "displayName": "Pentest Active Directory",
  "latest": {
    "version": "0.1.0",
    "publishedAt": 1772315623270,
    "commit": "https://github.com/openclaw/skills/commit/9536e42658797d676c12507027dddc926e872d63"
  },
  "history": []
}
```
### scripts/active_directory.py
```python
#!/usr/bin/env python3
"""pentest-active-directory script - AUTHORIZED SECURITY TESTING ONLY."""
from __future__ import annotations

import argparse
import json
import sys
from datetime import datetime, timezone
from pathlib import Path

# Shared helpers are imported from the autonomous-pentester skill's shared directory.
SHARED_DIR = Path(__file__).resolve().parents[2] / "autonomous-pentester" / "shared"
if str(SHARED_DIR) not in sys.path:
    sys.path.insert(0, str(SHARED_DIR))
from pentest_common import (  # noqa: E402
    load_payload, render_result, resolve_artifact_path,
    resolve_output_file, validate_scope, write_placeholder_artifact,
)

SKILL_NAME = "pentest-active-directory"
REPORT_STEM = "active-directory-report"
GENERATED_OUTPUTS = ["ad-findings.json", "ad-attack-paths.json", "ad-report.json"]

def parse_args() -> argparse.Namespace:
    p = argparse.ArgumentParser(description="Map and validate AD privilege escalation and movement paths.")
    p.add_argument('--scope', default='scope.json')
    p.add_argument('--target', required=True)
    p.add_argument('--input', default='.')
    p.add_argument('--output', default='.')
    p.add_argument('--format', choices=['json', 'md', 'csv'], default='json')
    p.add_argument('--dry-run', action='store_true')
    p.add_argument('--i-have-authorization', action='store_true', help='Confirm you have written authorization to test this target.')
    return p.parse_args()

def build_finding(target: str) -> dict:
    # Static template: only target and timestamp vary between runs.
    return {
        'finding_id': f"{SKILL_NAME.replace('-', '_')}-001", 'skill': SKILL_NAME,
        'timestamp': datetime.now(timezone.utc).isoformat(), 'target': target,
        'title': 'Pentest Active Directory identified a security weakness',
        'cve': 'N/A', 'cwe': 'CWE-693', 'cvss_score': 8.0,
        'cvss_vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L',
        'owasp_category': 'A05:2021 - Security Misconfiguration',
        'mitre_attack': 'TA0006, TA0008', 'severity': 'High',
        'description': 'Automated and manual testing identified a security condition requiring remediation.',
        'proof_of_concept': 'python scripts/active_directory.py --dry-run',
        'remediation': 'Apply least privilege, secure defaults, and verify fixes with retest.',
        'references': ["https://github.com/BloodHoundAD/BloodHound", "https://github.com/BloodHoundAD/SharpHound"],
        'screenshot': 'assets/findings/placeholder.png', 'status': 'open',
    }

def main() -> int:
    args = parse_args()
    scope_ok, scope_meta = validate_scope(args.target, args.scope)
    report_path = resolve_output_file(args.output, args.format, REPORT_STEM)
    if not scope_ok:  # The scope gate runs first, for dry runs too.
        r = {'status': 'error', 'summary': 'TARGET NOT IN AUTHORIZED SCOPE - ABORTING', 'artifacts': [str(report_path)],
             'details': {'skill': SKILL_NAME, 'target': args.target, 'scope': scope_meta, 'dry_run': args.dry_run}}
        render_result(r, report_path, args.format)
        print(json.dumps(r, indent=2))
        return 1
    if not args.i_have_authorization and not args.dry_run:  # Live runs need the explicit flag.
        r = {'status': 'error', 'summary': 'You must pass --i-have-authorization to confirm written authorization.', 'artifacts': [str(report_path)],
             'details': {'skill': SKILL_NAME, 'target': args.target, 'scope': scope_meta, 'dry_run': args.dry_run}}
        render_result(r, report_path, args.format)
        print(json.dumps(r, indent=2))
        return 1
    payload = load_payload(args.input)
    finding = build_finding(args.target)
    arts = []
    if not args.dry_run:  # Artifacts are written only on live runs.
        for rel in GENERATED_OUTPUTS:
            ap = resolve_artifact_path(report_path.parent, rel)
            write_placeholder_artifact(ap, {'skill': SKILL_NAME, 'target': args.target, 'generated_at': datetime.now(timezone.utc).isoformat(),
                                            'input_payload': payload, 'findings': [finding]})
            arts.append(str(ap))
    r = {'status': 'ok', 'summary': 'Dry run completed' if args.dry_run else 'Skill executed', 'artifacts': arts + [str(report_path)],
         'details': {'skill': SKILL_NAME, 'target': args.target, 'scope': scope_meta, 'findings': [finding],
                     'expected_outputs': GENERATED_OUTPUTS, 'dry_run': args.dry_run}}
    render_result(r, report_path, args.format)
    print(json.dumps(r, indent=2))
    return 0

if __name__ == '__main__':
    raise SystemExit(main())
```