pip install red-specter-dominion
Active Directory testing requires a dozen tools. Impacket for protocol operations. BloodHound for path mapping. Rubeus for Kerberos. Mimikatz for secrets. PowerView for enumeration. DOMINION replaces them all — single tool, pure Python, no .NET, no PowerShell, no compiled dependencies.
AD testing requires Impacket + BloodHound + Rubeus + Mimikatz + PowerView + CrackMapExec + Certipy. Six different tools with six different interfaces. Each with its own dependencies, its own output format, its own learning curve.
Rubeus requires .NET. PowerView requires PowerShell. Mimikatz requires Windows. DOMINION runs on any platform with Python. Linux, macOS, Windows — one tool, one language, one install.
Most AD tools find individual weaknesses. DOMINION maps the shortest path to Domain Admin — BloodHound-style attack path mapping with built-in exploitation. Discover and execute in one workflow.
Traditional AD tools don't integrate with AI security testing. DOMINION feeds into NEMESIS. AD compromise becomes a stage in AI infrastructure exploitation. Traditional findings chain into AI attack vectors.
Nine modules. Each one built from scratch in pure Python. No Impacket wrappers. No .NET dependencies. No PowerShell scripts. Every LDAP query crafted natively. Every Kerberos ticket forged in Python. Every protocol implemented from the RFC. 1,866 tests. 35 attack patterns. 50+ LDAP queries.
AD enumeration via native LDAP. DC discovery, users, groups, computers, trusts, GPOs, SPNs, OUs, ACLs. Kerberos pre-auth status detection. Recursive group membership resolution. BloodHound-compatible JSON export.
BloodHound-style attack path discovery. Shortest path to Domain Admin through ACL chains, delegation abuse, trust relationships, and group nesting. Graph-based pathfinding with exploitability scoring.
Kerberoasting, AS-REP Roasting, Golden Ticket, Silver Ticket, S4U delegation abuse. Pure Python ASN.1 encoding. RC4-HMAC encryption. AS-REQ/REP and TGS-REQ/REP message construction and parsing.
Pass-the-Hash authentication. NTLM relay attacks. NTLMv2 capture and cracking. Pure Python NTLM challenge-response implementation. Relay to LDAP, SMB, HTTP, and MSSQL targets.
DCSync via DRSUAPI. SAM database extraction. LSA secrets. DPAPI master key recovery. NTDS.dit parsing. LAPS password retrieval. gMSA password extraction. All pure Python — no Mimikatz.
GPP password extraction from SYSVOL. GPO modification for code execution. Scheduled task creation via GPO. Registry modification through Group Policy. cPassword decryption.
ACL abuse detection and exploitation. WriteDACL, GenericAll, GenericWrite, WriteOwner. Shadow Credentials via msDS-KeyCredentialLink. AD CS abuse — ESC1 through ESC8. 17+ dangerous ACE types identified and exploitable.
Pure Python lateral movement via WMI, WinRM, PSExec, DCOM, smbexec, and atexec. Named pipe communication. Service creation. Remote registry manipulation. Each method implemented from protocol specifications.
Domain persistence mechanisms. Golden Ticket generation. Silver Ticket forging. Skeleton Key injection. DCShadow for stealthy DC registration. SID History manipulation. AdminSDHolder abuse. Machine account quota exploitation.
Full domain enumeration and attack path discovery:
Every protocol implemented natively. LDAP, Kerberos, SMB, DRSUAPI — all in Python. No Impacket. No .NET. No PowerShell. No compiled dependencies.
BloodHound-style graph analysis with built-in exploitation. Discover the path and execute the attack in one workflow. No context switching between tools.
Kerberoasted and AS-REP roasted hashes feed directly into GHOUL for cracking. Cracked credentials enable DCSync, lateral movement, and domain persistence.
Every attack pattern mapped to MITRE ATT&CK techniques. T1558, T1003, T1550, T1021, T1098 — 35 patterns with full technique references.
DOMINION implements four core Active Directory protocols from scratch. No wrappers. No library bindings. Every byte of every message constructed in Python from the protocol specification. This is what separates engineering from scripting.
Full LDAP client implementation. BER/DER encoding and decoding. Bind, search, modify, add, delete operations. Paged result control for large queries. SASL authentication support.
ASN.1 message construction and parsing. AS-REQ/REP for TGT requests. TGS-REQ/REP for service tickets. RC4-HMAC encryption and decryption. PA-DATA pre-authentication handling.
SMB2 protocol negotiation. NTLMv2 authentication over SMB. Named pipe communication for RPC. Tree connect and file operations. Session setup with NTLMSSP.
DCE/RPC binding and authentication. DRSGetNCChanges for DCSync replication. DRSBind session establishment. NTLM hash extraction from replicated data. Pure Python implementation — no Impacket.
Standard mode discovers and reports. UNLEASHED mode executes. Actually performs DCSync. Actually forges Golden Tickets. Actually modifies ACLs. Actually moves laterally. Actually establishes persistence. Ed25519 key gate required. Two flags must be passed. This is not accidental.
| Capability | Standard | Unleashed |
|---|---|---|
| Enumeration | Full LDAP enumeration | Full + recursive + BloodHound export |
| Kerberoast | Identify SPNs | Request TGS tickets, extract hashes |
| DCSync | Check privileges | Execute full domain replication |
| Golden Ticket | Check requirements | Forge and inject ticket |
| ACL abuse | Identify abusable ACEs | Execute WriteDACL, GenericAll |
| Lateral movement | Identify targets | Execute WMI, PSExec, WinRM, DCOM |
| Persistence | Document methods | Deploy Skeleton Key, DCShadow |
UNLEASHED mode requires an Ed25519 private key at ~/.redspecter/override_private.pem and the --override --confirm-destroy flags. Without both, DOMINION operates in enumeration and assessment mode — discovering weaknesses and mapping paths without executing attacks. The gate is cryptographic. There is no bypass. One key. One operator. Founder's machine only.
DOMINION completes the traditional infrastructure attack chain. WRAITH finds the network. REAPER gains initial access. GHOUL cracks harvested credentials. DOMINION takes the domain. Every stage feeds the next. Every tool integrates natively.
WRAITH discovers domain controllers, service ports, and network topology. Open LDAP ports, Kerberos services, and SMB shares are mapped and documented for DOMINION targeting.
REAPER exploits discovered vulnerabilities to gain initial domain credentials. A single compromised account is all DOMINION needs to begin enumeration and attack path mapping.
Kerberoasted and AS-REP roasted hashes from DOMINION feed into GHOUL. Cracked service account passwords enable deeper access — DCSync, lateral movement, and domain persistence.
DOMINION enumerates the domain, maps attack paths, exploits Kerberos and NTLM weaknesses, extracts secrets via DCSync, moves laterally, and establishes persistence. Full domain compromise.
Domain compromise feeds into NEMESIS. Compromised AD infrastructure that hosts AI systems becomes an attack vector. Traditional domain takeover enables AI infrastructure exploitation.
Most AD tools are Python wrappers around Impacket, .NET assemblies, or PowerShell scripts. DOMINION is actual engineering. Every LDAP query, every Kerberos ticket, every SMB packet, every DRSUAPI call written from scratch in pure Python. Four protocols. Nine modules. Complete AD attack coverage.
DOMINION is Tool 15 in the Red Specter offensive pipeline. It attacks the Active Directory infrastructure that most enterprise environments depend on. Domain compromise feeds into NEMESIS for AI exploitation chaining.
Pure Python Active Directory attack framework. 9 modules. 4 protocols. 35 attack patterns. MITRE ATT&CK mapped. One tool replaces the entire AD toolchain.