ReddRadar
Topic: offensive-security
88 skills in this topic.
-
deserialization-dotnet
Exploit .NET deserialization vulnerabilities during authorized penetration testing.
blacklanternsecurity/red-run 126
-
deserialization-php
Exploit PHP deserialization vulnerabilities during authorized penetration testing.
blacklanternsecurity/red-run 126
-
ldap-injection
Exploit LDAP injection vulnerabilities during authorized penetration testing.
blacklanternsecurity/red-run 126
-
ajp-ghostcat
Exploit Apache JServ Protocol (AJP) misconfigurations and Ghostcat (CVE-2020-1938) for file read and remote code execution on Apache Tomcat. Use when port 8009 is open or AJP connector is exposed.
blacklanternsecurity/red-run 126
-
2fa-bypass
Bypass two-factor authentication (2FA/MFA) during authorized penetration testing.
blacklanternsecurity/red-run 126
-
retrospective
Post-engagement lessons-learned retrospective. Reads the engagement directory, analyzes skill routing decisions, identifies knowledge gaps and missing skills, and produces an actionable improvement report.
blacklanternsecurity/red-run 126
-
unknown-vector-analysis
Analyze custom applications, scripts, and binaries that standard technique skills could not exploit. Performs source code review, attack surface mapping, CVE research, and PoC adaptation. Route here when ANY technique agent returns saying standard patterns do not match, the target uses a custom/unknown application, or no existing technique skill covers the vector. Trigger phrases: "standard patterns don't match", "custom script", "unknown binary", "no matching technique", "unrecognized application". Do NOT use for known vulnerability classes that have dedicated technique skills — route to those instead.
blacklanternsecurity/red-run 126
-
<skill-name>
<What this skill does in 2-3 sentences. Focus on technique scope and when to use it. No trigger phrases, negative conditions, or OPSEC details here.>
blacklanternsecurity/red-run 126
-
acl-abuse
Exploits misconfigured Active Directory ACLs for privilege escalation. Covers GenericAll, GenericWrite, WriteDACL, WriteOwner, ForceChangePassword, targeted Kerberoasting via SPN manipulation, shadow credentials (msDS-KeyCredentialLink → PKINIT), and AdminSDHolder persistence.
blacklanternsecurity/red-run 126
-
ad-discovery
Enumerates Active Directory domains and maps attack surface for penetration testing.
blacklanternsecurity/red-run 126
-
ad-persistence
Establishes persistent access in Active Directory environments after domain compromise. Covers DCShadow (rogue DC attribute modification), Skeleton Key (LSASS master password), custom SSP injection (credential logging via mimilib/memssp), security descriptor backdoors (WMI/WinRM/ DCOM/registry ACL modification), ADFS Golden SAML (DKM key extraction and forged SAML tokens), SID history persistence (DA SID in regular user), and certificate-based persistence (golden certificate, renewal, enrollment agent).
blacklanternsecurity/red-run 126
-
sccm-exploitation
Enumerates and exploits Microsoft SCCM/MECM (System Center Configuration Manager / Microsoft Endpoint Configuration Manager) infrastructure for credential harvesting, lateral movement, and domain escalation. Covers SCCM enumeration (sccmhunter, SharpSCCM), Network Access Account (NAA) credential extraction (policy request, WMI DPAPI, WMI repository), management point NTLM relay to MSSQL (TAKEOVER1), client push relay (ELEVATE2), PXE boot media credential harvesting (CRED1), SCCM database credential extraction, application deployment for lateral movement, and SCCM share looting.
blacklanternsecurity/red-run 126
-
adcs-persistence
Establishes persistence and exploits weak certificate mapping in AD CS. Covers ESC9 (no security extension), ESC10 (weak certificate mapping), ESC12-15 (YubiHSM, issuance policy, altSecIdentities, application policies), Golden Certificate (forge with stolen CA key), certificate theft (DPAPI/CAPI/CNG), and account persistence via certificate mapping.
blacklanternsecurity/red-run 126
-
adcs-template-abuse
Exploits misconfigured AD CS certificate templates to impersonate any domain user via SAN manipulation or enrollment agent abuse. Covers ESC1 (enrollee supplies subject), ESC2 (any-purpose/no EKU), ESC3 (enrollment agent), ESC6 (EDITF_ATTRIBUTESUBJECTALTNAME2 CA flag).
blacklanternsecurity/red-run 126
-
auth-coercion-relay
Forces remote systems to authenticate back to attacker-controlled listeners and relays captured authentication to escalate privileges or move laterally. Covers authentication coercion (PetitPotam, PrinterBug, DFSCoerce, ShadowCoerce, CheeseOunce), NTLM relay (ntlmrelayx to LDAP/SMB/AD CS/MSSQL), Kerberos relay (krbrelayx, mitm6), and name resolution poisoning (LLMNR/NBNS/WPAD via Responder).
blacklanternsecurity/red-run 126
-
credential-dumping
Extracts credentials from Active Directory: DCSync replication, NTDS.dit database extraction, SAM hive dump, Azure AD Connect (ADSync) credential extraction, LAPS passwords (legacy + Windows LAPS), gMSA passwords (KDS root key + GoldenGMSA), dMSA exploitation (BadSuccessor CVE-2025-21293), DSRM credentials, and EFS-encrypted file decryption.
blacklanternsecurity/red-run 126
-
gpo-abuse
Exploits Group Policy Objects for code execution, privilege escalation, and lateral movement in Active Directory. Covers GPO enumeration (GPOHound, BloodHound, PowerView), exploitation via immediate tasks, logon scripts, and registry modifications (SharpGPOAbuse, PowerGPOAbuse, pyGPOAbuse, GroupPolicyBackdoor), SYSVOL/NETLOGON logon script poisoning, and GPP password extraction.
blacklanternsecurity/red-run 126
-
kerberos-delegation
Exploits Kerberos delegation misconfigurations for privilege escalation and lateral movement in Active Directory. Covers Unconstrained Delegation (TGT harvesting via coercion), Constrained Delegation (S4U2Self + S4U2Proxy with SPN swapping), and Resource-Based Constrained Delegation (RBCD via writable machine accounts).
blacklanternsecurity/red-run 126
-
kerberos-roasting
Extracts and cracks Kerberos service tickets (Kerberoasting) and AS-REP hashes (AS-REP Roasting) for offline password recovery.
blacklanternsecurity/red-run 126
-
kerberos-ticket-forging
Forges Kerberos tickets for domain persistence and privilege escalation. Covers Golden Ticket (krbtgt hash → forged TGT), Silver Ticket (service hash → forged TGS), Diamond Ticket (decrypt/modify/re-encrypt legitimate TGT for stealth), Sapphire Ticket (U2U PAC swap), and Pass-the-Ticket injection.
blacklanternsecurity/red-run 126
-
pass-the-hash
Authenticates to AD services using NTLM hashes, AES keys, or Kerberos tickets without cracking passwords. Covers Pass-the-Hash, Over-Pass-the-Hash, Pass-the-Key, and Pass-the-Ticket for lateral movement.
blacklanternsecurity/red-run 126
-
smb-share-webshell
Deploy webshells to IIS, Apache, or Tomcat web roots via SMB share write access. Use when a domain user has write access to a file share that maps to a web server's document root — write a webshell via smbclient/net use, then trigger it via HTTP for RCE. Covers PHP, ASPX, and JSP webshells, .NET impersonation for same-host lateral movement, and internal site discovery.
blacklanternsecurity/red-run 126
-
lfi
Guide Local File Inclusion (LFI) and Remote File Inclusion (RFI) exploitation during authorized penetration testing.
blacklanternsecurity/red-run 126
-
pivoting-tunneling
Network pivoting, port forwarding, and tunneling through compromised hosts to reach internal networks.
blacklanternsecurity/red-run 126