blacklanternsecurity

@blacklanternsecurity Organization

GitHub
50 Skills
10400 Total Stars
March 2026 Joined

Public Skills

orchestrator

by blacklanternsecurity

USE THIS SKILL when the user provides a target or list of targets (IPs, hostnames, URLs, subnets) and asks to attack, pentest, hack, scan, assess, or test them. ALSO USE THIS SKILL when the user references an existing engagement — resuming, continuing, picking up, checking status, or asking about next steps. Trigger phrases: "attack X", "pentest X", "hack X", "scan X", "start testing X", "pop X", "CTF target X", "engage X", "these targets", "resume engagement", "pick it up", "continue testing", "next steps", "where were we", "resuming", "advise next steps", "what should we do next", "engagement status". This is the entry point for all multi-phase penetration tests — handles recon, attack surface mapping, vulnerability chaining, and routes to technique skills for exploitation. Do NOT use when the user names a specific single technique (e.g., "run kerberoasting against X").

Agents 208 2mo ago

<skill-name>

by blacklanternsecurity

<What this skill does in 2-3 sentences. Focus on technique scope and when to use it. No trigger phrases, negative conditions, or OPSEC details here.>

CLI Tools 208 2mo ago

network-recon

by blacklanternsecurity

Network reconnaissance, host discovery, port scanning, and service enumeration.

Auth 208 3mo ago

linux-discovery

by blacklanternsecurity

Linux local privilege escalation enumeration and attack surface mapping.

Automation 208 3mo ago

ad-discovery

by blacklanternsecurity

Enumerates Active Directory domains and maps attack surface for penetration testing.

Auth 208 3mo ago

windows-discovery

by blacklanternsecurity

Windows local privilege escalation enumeration and attack surface mapping.

Code Review 208 3mo ago

adcs-access-and-relay

by blacklanternsecurity

Exploits ADCS through ACL abuse on templates/CA objects and NTLM relay to enrollment endpoints. Covers ESC4 (template ACL → modify to ESC1), ESC5 (PKI object ACLs), ESC7 (ManageCA/ManageCertificates abuse), ESC8 (NTLM relay to HTTP enrollment), ESC11 (NTLM relay to ICPR RPC).

Code Gen 208 3mo ago

adcs-persistence

by blacklanternsecurity

Establishes persistence and exploits weak certificate mapping in AD CS. Covers ESC9 (no security extension), ESC10 (weak certificate mapping), ESC12-15 (YubiHSM, issuance policy, altSecIdentities, application policies), Golden Certificate (forge with stolen CA key), certificate theft (DPAPI/CAPI/CNG), and account persistence via certificate mapping.

CLI Tools 208 3mo ago

kerberos-ticket-forging

by blacklanternsecurity

Forges Kerberos tickets for domain persistence and privilege escalation. Covers Golden Ticket (krbtgt hash → forged TGT), Silver Ticket (service hash → forged TGS), Diamond Ticket (decrypt/modify/re-encrypt legitimate TGT for stealth), Sapphire Ticket (U2U PAC swap), and Pass-the-Ticket injection.

CLI Tools 208 3mo ago

trust-attacks

by blacklanternsecurity

Enumerates Active Directory trust relationships and exploits them for cross-domain and cross-forest privilege escalation. Covers trust enumeration (nltest, PowerView, BloodHound), SID history injection (child domain to forest root via golden/diamond ticket with extra SIDs), inter-realm TGT forging using trust keys, cross-forest trust abuse (SID filtering bypass, RBCD, Kerberoasting via trust account), and PAM trust exploitation (shadow principals in bastion forests).

Auth 208 3mo ago

gpo-abuse

by blacklanternsecurity

Exploits Group Policy Objects for code execution, privilege escalation, and lateral movement in Active Directory. Covers GPO enumeration (GPOHound, BloodHound, PowerView), exploitation via immediate tasks, logon scripts, and registry modifications (SharpGPOAbuse, PowerGPOAbuse, pyGPOAbuse, GroupPolicyBackdoor), SYSVOL/NETLOGON logon script poisoning, and GPP password extraction.

Automation 208 3mo ago

acl-abuse

by blacklanternsecurity

Exploits misconfigured Active Directory ACLs for privilege escalation. Covers GenericAll, GenericWrite, WriteDACL, WriteOwner, ForceChangePassword, targeted Kerberoasting via SPN manipulation, shadow credentials (msDS-KeyCredentialLink → PKINIT), and AdminSDHolder persistence.

Auth 208 3mo ago

adcs-template-abuse

by blacklanternsecurity

Exploits misconfigured AD CS certificate templates to impersonate any domain user via SAN manipulation or enrollment agent abuse. Covers ESC1 (enrollee supplies subject), ESC2 (any-purpose/no EKU), ESC3 (enrollment agent), ESC6 (EDITF_ATTRIBUTESUBJECTALTNAME2 CA flag).

CLI Tools 208 3mo ago

pivoting-tunneling

by blacklanternsecurity

Network pivoting, port forwarding, and tunneling through compromised hosts to reach internal networks.

Agents 208 3mo ago

password-spraying

by blacklanternsecurity

Performs password spraying against authentication services with lockout-safe techniques. Works against AD (SMB/Kerberos/LDAP), SSH, web login forms, OWA, and any service with username/password auth. Service-agnostic — the orchestrator passes target services and spray intensity tier.

Auth 208 3mo ago

credential-cracking

by blacklanternsecurity

Offline credential and file cracking with hashcat and john. Use when any skill recovers hashes (NTLM, Kerberos TGS/AS-REP, shadow, MSCACHE2) or encrypted files (ZIP, Office, PDF, KeePass, SSH key, 7z, RAR). Trigger phrases: "crack this hash", "brute force the password", "offline crack", "john", "hashcat", "zip2john", "password-protected file". Do NOT use for online password attacks (spraying, brute force against services) — use password-spraying instead.

CLI Tools 208 3mo ago

kerberos-delegation

by blacklanternsecurity

Exploits Kerberos delegation misconfigurations for privilege escalation and lateral movement in Active Directory. Covers Unconstrained Delegation (TGT harvesting via coercion), Constrained Delegation (S4U2Self + S4U2Proxy with SPN swapping), and Resource-Based Constrained Delegation (RBCD via writable machine accounts).

CLI Tools 208 3mo ago

pass-the-hash

by blacklanternsecurity

Authenticates to AD services using NTLM hashes, AES keys, or Kerberos tickets without cracking passwords. Covers Pass-the-Hash, Over-Pass-the-Hash, Pass-the-Key, and Pass-the-Ticket for lateral movement.

Auth 208 3mo ago

ad-persistence

by blacklanternsecurity

Establishes persistent access in Active Directory environments after domain compromise. Covers DCShadow (rogue DC attribute modification), Skeleton Key (LSASS master password), custom SSP injection (credential logging via mimilib/memssp), security descriptor backdoors (WMI/WinRM/DCOM/registry ACL modification), ADFS Golden SAML (DKM key extraction and forged SAML tokens), SID history persistence (DA SID in regular user), and certificate-based persistence (golden certificate, renewal, enrollment agent).

Auth 208 3mo ago

smb-exploitation

by blacklanternsecurity

Exploit remote SMB vulnerabilities for unauthenticated code execution on Windows hosts.

Auth 208 3mo ago

av-edr-evasion

by blacklanternsecurity

Bypass antivirus and EDR detection for payload delivery during exploitation. Covers custom payload compilation (mingw C, Go), AMSI bypass, shellcode alternatives, and ETW patching. Route here when an agent reports a payload was quarantined, blocked, or detected by endpoint protection.

Automation 208 3mo ago

linux-file-path-abuse

by blacklanternsecurity

Exploit writable critical files, NFS misconfigurations, shared library hijacking, and privileged group membership (docker, lxd, disk, adm, video, staff) for Linux privilege escalation. Use when a user belongs to a privileged group or has write access to sensitive files or paths.

CLI Tools 208 3mo ago

sccm-exploitation

by blacklanternsecurity

Enumerates and exploits Microsoft SCCM/MECM (System Center Configuration Manager / Microsoft Endpoint Configuration Manager) infrastructure for credential harvesting, lateral movement, and domain escalation. Covers SCCM enumeration (sccmhunter, SharpSCCM), Network Access Account (NAA) credential extraction (policy request, WMI DPAPI, WMI repository), management point NTLM relay to MSSQL (TAKEOVER1), client push relay (ELEVATE2), PXE boot media credential harvesting (CRED1), SCCM database credential extraction, application deployment for lateral movement, and SCCM share looting.

CLI Tools 208 3mo ago

kerberos-roasting

by blacklanternsecurity

Extracts and cracks Kerberos service tickets (Kerberoasting) and AS-REP hashes (AS-REP Roasting) for offline password recovery.

Auth 208 3mo ago

auth-coercion-relay

by blacklanternsecurity

Forces remote systems to authenticate back to attacker-controlled listeners and relays captured authentication to escalate privileges or move laterally. Covers authentication coercion (PetitPotam, PrinterBug, DFSCoerce, ShadowCoerce, CheeseOunce), NTLM relay (ntlmrelayx to LDAP/SMB/AD CS/MSSQL), Kerberos relay (krbrelayx, mitm6), and name resolution poisoning (LLMNR/NBNS/WPAD via Responder).

API Dev 208 3mo ago

linux-sudo-suid-capabilities

by blacklanternsecurity

Exploit sudo misconfigurations, SUID/SGID binaries, and Linux capabilities for privilege escalation.

CLI Tools 208 3mo ago

windows-token-impersonation

by blacklanternsecurity

Exploit Windows token privileges for local privilege escalation to SYSTEM.

CLI Tools 208 3mo ago

linux-cron-service-abuse

by blacklanternsecurity

Exploit cron jobs, systemd timers/services, D-Bus services, and Unix sockets for privilege escalation.

Automation 208 3mo ago

2fa-bypass

by blacklanternsecurity

Bypass two-factor authentication (2FA/MFA) during authorized penetration testing.

API Dev 208 3mo ago

cors-misconfiguration

by blacklanternsecurity

Exploit CORS (Cross-Origin Resource Sharing) misconfigurations during authorized penetration testing.

API Dev 208 3mo ago

container-escapes

by blacklanternsecurity

Container escape, Docker breakout, and Kubernetes exploitation.

CLI Tools 208 3mo ago

credential-dumping

by blacklanternsecurity

Extracts credentials from Active Directory: DCSync replication, NTDS.dit database extraction, SAM hive dump, Azure AD Connect (ADSync) credential extraction, LAPS passwords (legacy + Windows LAPS), gMSA passwords (KDS root key + GoldenGMSA), dMSA exploitation (BadSuccessor CVE-2025-21293), and DSRM credentials.

CLI Tools 208 3mo ago

file-upload-bypass

by blacklanternsecurity

Guide file upload restriction bypass during authorized penetration testing.

CLI Tools 208 3mo ago

lfi

by blacklanternsecurity

Guide Local File Inclusion (LFI) and Remote File Inclusion (RFI) exploitation during authorized penetration testing.

CLI Tools 208 3mo ago

windows-kernel-exploits

by blacklanternsecurity

Exploit Windows kernel vulnerabilities, vulnerable drivers, and privileged file operations for local privilege escalation to SYSTEM.

CLI Tools 208 3mo ago

linux-kernel-exploits

by blacklanternsecurity

Exploit Linux kernel vulnerabilities and escape restricted shells for privilege escalation.

CLI Tools 208 3mo ago

windows-uac-bypass

by blacklanternsecurity

Bypass Windows User Account Control to escalate from medium to high integrity.

CLI Tools 208 3mo ago

csrf

by blacklanternsecurity

Exploit Cross-Site Request Forgery (CSRF) vulnerabilities during authorized penetration testing.

CLI Tools 208 3mo ago

ajp-ghostcat

by blacklanternsecurity

Exploit Apache JServ Protocol (AJP) misconfigurations and Ghostcat (CVE-2020-1938) for file read and remote code execution on Apache Tomcat. Use when port 8009 is open or AJP connector is exposed.

CLI Tools 208 3mo ago

windows-credential-harvesting

by blacklanternsecurity

Harvest stored credentials from a Windows system for privilege escalation or lateral movement.

Processing 208 3mo ago

idor

by blacklanternsecurity

Exploit Insecure Direct Object Reference (IDOR) and broken access control vulnerabilities during authorized penetration testing.

API Dev 208 3mo ago

windows-service-dll-abuse

by blacklanternsecurity

Exploit Windows service misconfigurations and DLL hijacking for local privilege escalation.

CLI Tools 208 3mo ago

deserialization-dotnet

by blacklanternsecurity

Exploit .NET deserialization vulnerabilities during authorized penetration testing.

CLI Tools 208 3mo ago

jwt-attacks

by blacklanternsecurity

Exploit JWT (JSON Web Token) vulnerabilities during authorized penetration testing.

Auth 208 3mo ago

command-injection

by blacklanternsecurity

Guide OS command injection exploitation during authorized penetration testing.

API Dev 208 3mo ago

ldap-injection

by blacklanternsecurity

Exploit LDAP injection vulnerabilities during authorized penetration testing.

Auth 208 3mo ago

deserialization-java

by blacklanternsecurity

Exploit Java deserialization vulnerabilities during authorized penetration testing.

API Dev 208 3mo ago

deserialization-php

by blacklanternsecurity

Exploit PHP deserialization vulnerabilities during authorized penetration testing.

CLI Tools 208 3mo ago

xmpp-enumeration

by blacklanternsecurity

XMPP/Jabber service enumeration for Openfire, ejabberd, Prosody, and other XMPP servers. Trigger when ports 5222 (client), 5223 (legacy TLS), or 5269 (server-to-server) are found open. Covers authentication testing, user enumeration, MUC room discovery, and server fingerprinting. Do NOT use for AD enumeration or credential spraying — route those to the appropriate skills.

Auth 208 3mo ago

retrospective

by blacklanternsecurity

Post-engagement lessons-learned retrospective. Reads the engagement directory, analyzes skill routing decisions, identifies knowledge gaps and missing skills, and produces an actionable improvement report.

Code Gen 208 3mo ago