Skip to main content
Manusで任意のスキルを実行
ワンクリックで
GitHub リポジトリ

red-run

red-run には blacklanternsecurity から収集した 80 個の skills があり、リポジトリ単位の職業カバレッジとサイト内 skill 詳細ページを表示します。

収集済み skills
80
Stars
232
更新
2026-04-01
Forks
30
職業カバレッジ
1 件の職業カテゴリ · 100% 分類済み
リポジトリエクスプローラー

このリポジトリの skills

red-run-ctf
情報セキュリティアナリスト

Multi-phase penetration test orchestrator. Handles recon, assessment surface mapping, vulnerability chaining, and routes to technique skills for execution. Invoke via /red-run-ctf slash command only.

2026-04-01
acl-abuse
情報セキュリティアナリスト

Exploits misconfigured Active Directory ACLs for privilege escalation. Covers GenericAll, GenericWrite, WriteDACL, WriteOwner, ForceChangePassword, targeted Kerberoasting via SPN manipulation, shadow credentials (msDS-KeyCredentialLink → PKINIT), and AdminSDHolder persistence.

2026-03-30
adcs-persistence
情報セキュリティアナリスト

Establishes persistence and exploits weak certificate mapping in AD CS. Covers ESC9 (no security extension), ESC10 (weak certificate mapping), ESC12-15 (YubiHSM, issuance policy, altSecIdentities, application policies), Golden Certificate (forge with stolen CA key), certificate theft (DPAPI/CAPI/CNG), and account persistence via certificate mapping.

2026-03-30
auth-coercion-relay
情報セキュリティアナリスト

Forces remote systems to authenticate back to attacker-controlled listeners and relays captured authentication to escalate privileges or move laterally. Covers authentication coercion (PetitPotam, PrinterBug, DFSCoerce, ShadowCoerce, CheeseOunce), NTLM relay (ntlmrelayx to LDAP/SMB/AD CS/MSSQL), Kerberos relay (krbrelayx, mitm6), and name resolution poisoning (LLMNR/NBNS/WPAD via Responder).

2026-03-30
kerberos-roasting
情報セキュリティアナリスト

Extracts and cracks Kerberos service tickets (Kerberoasting) and AS-REP hashes (AS-REP Roasting) for offline password recovery.

2026-03-30
sccm-exploitation
情報セキュリティアナリスト

Enumerates and exploits Microsoft SCCM/MECM (System Center Configuration Manager / Microsoft Endpoint Configuration Manager) infrastructure for credential harvesting, lateral movement, and domain escalation. Covers SCCM enumeration (sccmhunter, SharpSCCM), Network Access Account (NAA) credential extraction (policy request, WMI DPAPI, WMI repository), management point NTLM relay to MSSQL (TAKEOVER1), client push relay (ELEVATE2), PXE boot media credential harvesting (CRED1), SCCM database credential extraction, application deployment for lateral movement, and SCCM share looting.

2026-03-30
red-run-legacy
情報セキュリティアナリスト

Legacy subagent-based orchestrator. Superseded by /red-run-ctf (agent teams). Use /red-run-legacy to invoke manually. Does not auto-trigger.

2026-03-30
credential-recovery
情報セキュリティアナリスト

Offline credential and file recovery with hashcat and john. Use when any skill captures hashes (NTLM, Kerberos TGS/AS-REP, shadow, MSCACHE2) or encrypted files (ZIP, Office, PDF, KeePass, SSH key, 7z, RAR). Trigger phrases: "recover this hash", "offline recovery", "john", "hashcat", "zip2john", "password-protected file". Do NOT use for online password attacks (spraying, brute force against services) — use password-spraying instead.

2026-03-30
linux-file-path-abuse
情報セキュリティアナリスト

Exploit writable critical files, NFS misconfigurations, shared library hijacking, and privileged group membership (docker, lxd, disk, adm, video, staff) for Linux privilege escalation. Use when a user belongs to a privileged group or has write access to sensitive files or paths.

2026-03-30
windows-credential-harvesting
情報セキュリティアナリスト

Harvest stored credentials from a Windows system for privilege escalation or lateral movement.

2026-03-30
jwt-attacks
情報セキュリティアナリスト

Exploit JWT (JSON Web Token) vulnerabilities during authorized penetration testing.

2026-03-30
smb-enumeration
情報セキュリティアナリスト

SMB share enumeration, access testing, password policy extraction, and content searching. Enumerates shares via null session, guest, and authenticated access. Covers share listing, per-share access testing, MANSPIDER content search, and SMB vulnerability detection (signing, EternalBlue). Use after network-recon identifies SMB ports (139/445).

2026-03-28
password-spraying
情報セキュリティアナリスト

Performs password spraying against authentication services with lockout-safe techniques. Works against AD (SMB/Kerberos/LDAP), SSH, web login forms, OWA, and any service with username/password auth. Service-agnostic — the orchestrator passes target services and spray intensity tier.

2026-03-27
network-recon
情報セキュリティアナリスト

Network reconnaissance, host discovery, port scanning, and OS fingerprinting. Produces a port/service map that the orchestrator uses to route to service-specific enumeration skills.

2026-03-27
xmpp-enumeration
情報セキュリティアナリスト

XMPP/Jabber service enumeration for Openfire, ejabberd, Prosody, and other XMPP servers. Trigger when ports 5222 (client), 5223 (legacy TLS), or 5269 (server-to-server) are found open. Covers authentication testing, user enumeration, MUC room discovery, and server fingerprinting. Do NOT use for AD enumeration or credential spraying — route those to the appropriate skills.

2026-03-27
windows-token-impersonation
情報セキュリティアナリスト

Exploit Windows token privileges for local privilege escalation to SYSTEM.

2026-03-27
source-code-review
情報セキュリティアナリスト

Security-focused source code review. Identifies hardcoded credentials, injection sinks, authentication weaknesses, and framework-specific vulnerabilities. Use when application source code is available for review.

2026-03-25
credential-dumping
情報セキュリティアナリスト

Extracts credentials from Active Directory: DCSync replication, NTDS.dit database extraction, SAM hive dump, Azure AD Connect (ADSync) credential extraction, LAPS passwords (legacy + Windows LAPS), gMSA passwords (KDS root key + GoldenGMSA), dMSA exploitation (BadSuccessor CVE-2025-21293), DSRM credentials, and EFS-encrypted file decryption.

2026-03-25
smb-share-webshell
情報セキュリティアナリスト

Deploy webshells to IIS, Apache, or Tomcat web roots via SMB share write access. Use when a domain user has write access to a file share that maps to a web server's document root — write a webshell via smbclient/net use, then trigger it via HTTP for RCE. Covers PHP, ASPX, and JSP webshells, .NET impersonation for same-host lateral movement, and internal site discovery.

2026-03-23
web-discovery
情報セキュリティアナリスト

Discover web application injection points and route to the correct exploitation skill during authorized penetration testing.

2026-03-23
lfi
情報セキュリティアナリスト

Guide Local File Inclusion (LFI) and Remote File Inclusion (RFI) exploitation during authorized penetration testing.

2026-03-22
ssrf
情報セキュリティアナリスト

Guide server-side request forgery (SSRF) exploitation during authorized penetration testing.

2026-03-22
ad-discovery
情報セキュリティアナリスト

Enumerates Active Directory domains and maps attack surface for penetration testing.

2026-03-22
ad-persistence
情報セキュリティアナリスト

Establishes persistent access in Active Directory environments after domain compromise. Covers DCShadow (rogue DC attribute modification), Skeleton Key (LSASS master password), custom SSP injection (credential logging via mimilib/memssp), security descriptor backdoors (WMI/WinRM/ DCOM/registry ACL modification), ADFS Golden SAML (DKM key extraction and forged SAML tokens), SID history persistence (DA SID in regular user), and certificate-based persistence (golden certificate, renewal, enrollment agent).

2026-03-22
adcs-access-and-relay
情報セキュリティアナリスト

Exploits ADCS through ACL abuse on templates/CA objects and NTLM relay to enrollment endpoints. Covers ESC4 (template ACL → modify to ESC1), ESC5 (PKI object ACLs), ESC7 (ManageCA/ManageCertificates abuse), ESC8 (NTLM relay to HTTP enrollment), ESC11 (NTLM relay to ICPR RPC).

2026-03-22
adcs-template-abuse
情報セキュリティアナリスト

Exploits misconfigured AD CS certificate templates to impersonate any domain user via SAN manipulation or enrollment agent abuse. Covers ESC1 (enrollee supplies subject), ESC2 (any-purpose/no EKU), ESC3 (enrollment agent), ESC6 (EDITF_ATTRIBUTESUBJECTALTNAME2 CA flag).

2026-03-22
gpo-abuse
情報セキュリティアナリスト

Exploits Group Policy Objects for code execution, privilege escalation, and lateral movement in Active Directory. Covers GPO enumeration (GPOHound, BloodHound, PowerView), exploitation via immediate tasks, logon scripts, and registry modifications (SharpGPOAbuse, PowerGPOAbuse, pyGPOAbuse, GroupPolicyBackdoor), SYSVOL/NETLOGON logon script poisoning, and GPP password extraction.

2026-03-22
kerberos-delegation
情報セキュリティアナリスト

Exploits Kerberos delegation misconfigurations for privilege escalation and lateral movement in Active Directory. Covers Unconstrained Delegation (TGT harvesting via coercion), Constrained Delegation (S4U2Self + S4U2Proxy with SPN swapping), and Resource-Based Constrained Delegation (RBCD via writable machine accounts).

2026-03-22
kerberos-ticket-forging
情報セキュリティアナリスト

Forges Kerberos tickets for domain persistence and privilege escalation. Covers Golden Ticket (krbtgt hash → forged TGT), Silver Ticket (service hash → forged TGS), Diamond Ticket (decrypt/modify/re-encrypt legitimate TGT for stealth), Sapphire Ticket (U2U PAC swap), and Pass-the-Ticket injection.

2026-03-22
pass-the-hash
情報セキュリティアナリスト

Authenticates to AD services using NTLM hashes, AES keys, or Kerberos tickets without cracking passwords. Covers Pass-the-Hash, Over-Pass-the-Hash, Pass-the-Key, and Pass-the-Ticket for lateral movement.

2026-03-22
trust-attacks
情報セキュリティアナリスト

Enumerates Active Directory trust relationships and exploits them for cross-domain and cross-forest privilege escalation. Covers trust enumeration (nltest, PowerView, BloodHound), SID history injection (child domain to forest root via golden/diamond ticket with extra SIDs), inter-realm TGT forging using trust keys, TGT delegation coercion capture (Rubeus monitor + SpoolSample/DFSCoerce across forest trusts with ENABLE_TGT_DELEGATION), cross-forest trust abuse (SID filtering bypass, RBCD, Kerberoasting via trust account), and PAM trust exploitation (shadow principals in bastion forests).

2026-03-22
av-edr-evasion
情報セキュリティアナリスト

Bypass antivirus and EDR detection for payload delivery during exploitation. Covers custom payload compilation (mingw C, Go), AMSI bypass, shellcode alternatives, and ETW patching. Route here when an agent reports a payload was quarantined, blocked, or detected by endpoint protection.

2026-03-22
container-escapes
情報セキュリティアナリスト

Container escape, Docker breakout, and Kubernetes exploitation.

2026-03-22
database-enumeration
情報セキュリティアナリスト

Database service enumeration and quick-win access checks for MSSQL, MySQL, PostgreSQL, Oracle, MongoDB, and Redis. Checks default/empty passwords, unauthenticated access, and command execution capabilities. Use after network-recon identifies database ports.

2026-03-22
infrastructure-enumeration
情報セキュリティアナリスト

Enumeration of infrastructure services: DNS, SMTP, SNMP, IPMI, NFS, TFTP, RPC/MSRPC, and HTTP/HTTPS surface detection. Checks zone transfers, open relays, default community strings, cipher zero, NFS exports, and web technology fingerprinting. Use after network-recon identifies infrastructure ports.

2026-03-22
pivoting-tunneling
情報セキュリティアナリスト

Network pivoting, port forwarding, and tunneling through compromised hosts to reach internal networks.

2026-03-22
remote-access-enumeration
情報セキュリティアナリスト

Enumeration of remote access services: FTP, SSH, RDP, VNC, and WinRM. Checks anonymous access, default credentials, version vulnerabilities, and authentication methods. Use after network-recon identifies remote access ports.

2026-03-22
smb-exploitation
情報セキュリティアナリスト

Exploit remote SMB vulnerabilities for unauthenticated code execution on Windows hosts.

2026-03-22
linux-cron-service-abuse
情報セキュリティアナリスト

Exploit cron jobs, systemd timers/services, D-Bus services, and Unix sockets for privilege escalation.

2026-03-22
linux-discovery
情報セキュリティアナリスト

Linux local privilege escalation enumeration and attack surface mapping.

2026-03-22
このリポジトリの収集済み skills 80 件中、上位 40 件を表示しています。