DCSync Attack: Dumping AD Credentials with Mimikatz

What Is a DCSync Attack? DCSync is a credential dumping technique that abuses Active Directory’s replication mechanism. Instead of running code on a Domain Controller, an attacker with the right privileges impersonates a Domain Controller and requests password data directly from another DC using the MS-DRSR (Directory Replication Service Remote Protocol). The result: you get NTLM hashes, Kerberos keys, and plaintext passwords (in some configurations) for any account in the domain — including krbtgt and Domain Admins — without ever touching LSASS on a DC. ...

July 14, 2026 · 7 min · Red Team Guide

Pass-the-Hash vs Pass-the-Ticket: Complete Guide

Active Directory credential attacks come in two flavors that confuse people constantly: Pass-the-Hash (PtH) and Pass-the-Ticket (PtT). Both let you authenticate as another user without knowing their plaintext password. But they work on completely different protocols, hit different defenses, and fail in different ways. This guide covers how each attack actually works under the hood, when to reach for one vs the other, how defenders detect them, and how red teamers stay ahead of detection. ...

July 10, 2026 · 9 min · Red Team Guide

NetExec (CrackMapExec) Complete Guide 2026

CrackMapExec is dead. Long live NetExec. If you’ve been in offensive security for more than a few years, CrackMapExec (CME) was probably one of the first tools you learned. It became the go-to for Active Directory enumeration, credential testing, and lateral movement — packed into a single framework with clean output and a protocol-agnostic design. In 2023, the original author archived the project. The community forked it and kept building under a new name: NetExec (nxc). Same DNA, actively maintained, and compatible with everything CME could do. ...

July 7, 2026 · 11 min · Red Team Guide

Kerberoasting Attack: How It Works and How to Exploit It

Kerberoasting is one of the most reliable privilege escalation techniques in Active Directory environments. It’s quiet, requires no special privileges to execute, and often yields domain admin within hours — because organizations routinely set weak passwords on service accounts and never rotate them. This guide covers everything: how Kerberos works, why the attack is possible, what you need to execute it, and how defenders detect it. What Is Kerberoasting? Kerberoasting targets service accounts in Active Directory that have a Service Principal Name (SPN) set. Any authenticated domain user can request a Kerberos Ticket Granting Service (TGS) ticket for any SPN — and those tickets are encrypted with the service account’s NTLM hash. ...

July 3, 2026 · 8 min · Red Team Guide

BloodHound Complete Guide: AD Attack Path Mapping

BloodHound is the closest thing to a cheat code for Active Directory pentesting. Feed it your domain data and it draws a map of every path from regular user to Domain Admin — paths that would take you days to find manually. This guide covers everything: installation, data collection with SharpHound, running Cypher queries, and using the attack paths you find to actually escalate privileges. What BloodHound Does (and Why It Matters) Active Directory environments are complex. Thousands of users, hundreds of groups, nested permissions, ACL misconfigurations, Kerberos delegation settings — no human can reason about all of it manually. ...

June 30, 2026 · 10 min · Red Team Guide
Windows Privilege Escalation Cheat Sheet 2026

Windows Privilege Escalation Cheat Sheet 2026: Every Technique That Works

Windows privilege escalation is one of the most critical skills in offensive security. You land on a box as a low-privileged user, and your job isn’t done until you have SYSTEM. This cheat sheet covers every technique that actually works in 2026 — with real commands, the right tools, and notes on which Windows versions each technique applies to. Bookmark it. You’ll use it. Why Windows PrivEsc Is Different From Linux Linux privilege escalation has patterns: SUID binaries, sudo misconfigs, writable cron jobs, kernel exploits. Clean and predictable. ...

May 19, 2026 · 9 min · Red Team Guide
CRTO Review 2026 - Red Team Ops Certification Worth It?

CRTO Review 2026: Red Team Ops Cert Worth It?

There’s a specific moment in a red teamer’s career when OSCP stops feeling like the ceiling and starts feeling like the floor. You’ve got your shells. You can pivot. You understand the methodology. But real engagements don’t look like OSCP machines. They look like hardened Active Directory environments with EDR, segmented networks, and defenders who are actually watching. That’s exactly the gap the CRTO fills. The Certified Red Team Operator from Zero-Point Security is the most practical red team certification I’ve seen in the mid-level space. It’s taught by Daniel Duggan (known in the community as RastaMouse), covers Cobalt Strike end-to-end, and teaches you how to operate inside a defended environment — not just pop boxes. ...

May 5, 2026 · 9 min · Red Team Guide
PNPT certification review 2026 - TCM Security

PNPT Certification Review 2026: Is TCM Security's Exam Worth It?

The OSCP used to be the only certification that mattered for penetration testers. Then TCM Security released the PNPT and changed the conversation. In 2026, the PNPT has become one of the most respected entry-to-mid-level certifications in offensive security — not because of brand recognition, but because of what the exam actually tests. This is a full review of whether it belongs in your certification roadmap. What Is the PNPT? The Practical Network Penetration Tester (PNPT) is a certification from TCM Security , created by Heath Adams (The Cyber Mentor). It’s a fully practical exam — no multiple choice, no CTF flags, no memorization. ...

April 1, 2026 · 6 min · Red Team Guide

How to Build a Home Pentest Lab on a Budget (2026 Guide)

A home lab is the single highest-leverage investment you can make in an offensive security career. Online platforms are great, but nothing replaces the muscle memory you build configuring, breaking, and rebuilding your own environment. The good news: you don’t need to spend thousands. A functional pentest lab in 2026 can be built for under $300 — and if you already have a decent laptop, possibly for free. This is the guide I wish I’d had when I started. ...

March 28, 2026 · 11 min · Red Team Guide