SpicyAD

SpicyAD is a C# Active Directory penetration testing tool designed for authorized security assessments. It combines multiple AD attack techniques into a single, easy-to-use tool with both interactive and command-line interfaces.

Install / Use

/learn @RayRRT/SpicyAD

SpicyAD

░░░░░░░░░░░░░░▐█▀█▄░░░░░░░░░░▄█▀█▌░░░░░░░░░░░░░░
░░░░░░░░░░░░░░█▐▓░█▄░░░░░░░▄█▀▄▓▐█░░░░░░░░░░░░░░
░░░░░░░░░░░░░░█▐▓▓░████▄▄▄█▀▄▓▓▓▌█░░░░░░░░░░░░░░
░░░░░░░░░░░░▄█▌▀▄▓▓▄▄▄▄▀▀▀▄▓▓▓▓▓▌█░░░░░░░░░░░░░░
░░░░░░░░░░▄█▀▀▄▓█▓▓▓▓▓▓▓▓▓▓▓▓▀░▓▌█░░░░░░░░░░░░░░
░░░░░░░░░█▀▄▓▓▓███▓▓▓███▓▓▓▄░░▄▓▐█▌░░░░░░░░░░░░░
░░░░░░░░█▌▓▓▓▀▀▓▓▓▓███▓▓▓▓▓▓▓▄▀▓▓▐█░░░░░░░░░░░░░
░░░░░░░▐█▐██▐░▄▓▓▓▓▓▀▄░▀▓▓▓▓▓▓▓▓▓▌█▌░░░░░░░░░░░░
░░░░░░░█▌███▓▓▓▓▓▓▓▓▐░░▄▓▓███▓▓▓▄▀▐█░░░░░░░░░░░░
░░░░░░░█▐█▓▀░░▀▓▓▓▓▓▓▓▓▓██████▓▓▓▓▐█▌░░░░░░░░░░░
░░░░░░░▓▄▌▀░▀░▐▀█▄▓▓██████████▓▓▓▌█░░░░░░░░░░░░░
   _____ ____  ___ ______   __     _    ____
  / ___// __ \/  _/ ____/\ \/ /   / \  |  _ \
  \__ \/ /_/ // // /      \  /   / _ \ | | | |
 ___/ / ____// // /___    / /   / ___ \| |_| |
/____/_/   /___/\____/   /_/   /_/   \_\____/
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░
░░░Active Directory Penetration Testing Tool░░░░
░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░


Disclaimer: This tool was created using my knowledge of Kerberos and Active Directory, together with assistance from Claude-Code. We both may be wrong, so research, test, and modify as needed, it’s your responsibility :)

Description

SpicyAD is a C# Active Directory penetration testing tool designed for authorized security assessments. It combines multiple AD attack techniques into a single, easy-to-use tool with both interactive and command-line interfaces.

Secure by default: SpicyAD automatically detects and uses LDAPS (port 636) when available, falling back to LDAP (port 389) if not. This can be toggled manually via the /ldaps flag or in the Settings menu.

| Category | Capabilities |
|----------|--------------|
| Enumeration | Domain info, DCs, users, computers, shares (SYSVOL/NETLOGON/all), trusts, delegations (Unconstrained/Constrained/RBCD), LAPS, certificate templates (ESC1-4, ESC8), BloodHound Ingestor |
| Kerberos Attacks | Kerberoasting (RC4/AES), AS-REP Roasting, Password Spray, Pass-the-Ticket, Targeted Kerberoasting |
| ADCS Attacks | ESC1 (arbitrary SAN), ESC4 (Template Hijacking), PKINIT + UnPAC-the-hash |
| Credentials | Shadow Credentials, RBCD |
| AD Management | Add/delete users, add machines, group management, password changes |

Automatic Attack Chains:

| Chain | Flow |
|-------|------|
| ESC4 full | Modify template → ESC1 → PKINIT → Restore |
| ESC1 | Request cert → PKINIT → Extract NT hash |
| Shadow Creds | Add shadow cred → PKINIT → Extract NT hash |
| Targeted Kerberoast | Set SPN → Kerberoast → Restore |
| Password Spray | Enum users + badPwdCount → spray |
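For defenders, the "Set SPN → Kerberoast → Restore" chain leaves a recognizable trace in domain controller logs: an SPN that the same subject adds and removes shortly afterwards, with a service ticket request in between. The sketch below is an added example, not part of SpicyAD; it assumes events already parsed into dicts using the field names of Windows Security events 5136 and 4769, and all sample events are constructed.

```python
from datetime import datetime, timedelta

ADDED, DELETED = "%%14674", "%%14675"  # 5136 OperationType: value added / deleted

def find_transient_spn(events, window=timedelta(minutes=10)):
    """Flag SPNs one subject added and then removed within `window`, and count
    the service ticket requests (4769) that subject made in between."""
    events = sorted(events, key=lambda e: e["time"])
    tickets = [e for e in events if e["id"] == 4769]
    open_adds, hits = {}, []
    for e in events:
        if e["id"] != 5136 or e["AttributeLDAPDisplayName"] != "servicePrincipalName":
            continue
        who = e["SubjectUserName"].lower()
        key = (e["ObjectDN"].lower(), e["AttributeValue"].lower(), who)
        if e["OperationType"] == ADDED:
            open_adds[key] = e["time"]
        elif e["OperationType"] == DELETED and key in open_adds:
            start = open_adds.pop(key)
            if e["time"] - start > window:
                continue  # long-lived SPN removed later: ordinary administration
            between = [t for t in tickets if start <= t["time"] <= e["time"]
                       and t["TargetUserName"].split("@")[0].lower() == who]
            hits.append({"object": e["ObjectDN"], "spn": e["AttributeValue"],
                         "subject": who, "tickets": len(between),
                         "rc4": any(t["TicketEncryptionType"] == "0x17" for t in between)})
    return hits

# Constructed sample events (field names follow Security events 5136 and 4769).
T0 = datetime(2026, 1, 1, 12, 0, 0)
def _ev(eid, secs, **fields):
    return {"id": eid, "time": T0 + timedelta(seconds=secs), **fields}

SVC = "CN=svc_backup,CN=Users,DC=evilcorp,DC=net"
SAMPLE_EVENTS = [
    _ev(5136, 0, ObjectDN=SVC, AttributeLDAPDisplayName="servicePrincipalName",
        AttributeValue="http/placeholder", OperationType=ADDED, SubjectUserName="elliot"),
    _ev(4769, 5, TargetUserName="elliot@EVILCORP.NET", ServiceName="svc_backup",
        TicketEncryptionType="0x17"),
    _ev(5136, 12, ObjectDN=SVC, AttributeLDAPDisplayName="servicePrincipalName",
        AttributeValue="http/placeholder", OperationType=DELETED, SubjectUserName="elliot"),
    _ev(5136, 60, ObjectDN="CN=svc_sql,CN=Users,DC=evilcorp,DC=net",
        AttributeLDAPDisplayName="servicePrincipalName", OperationType=ADDED,
        AttributeValue="MSSQLSvc/db01.evilcorp.net:1433", SubjectUserName="admin"),
]

if __name__ == "__main__":
    print(find_transient_spn(SAMPLE_EVENTS))
```

Event 5136 is only written when Directory Service Changes auditing is enabled and the modified object carries a matching SACL, so confirm both before relying on this correlation.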


Installation

Requirements

  • .NET Framework 4.8
  • Windows environment

Build

```powershell
# Using dotnet CLI
dotnet build SpicyAD.csproj -c Release

# Using MSBuild
msbuild SpicyAD.csproj /p:Configuration=Release
```

Or just compile with VS

bin\Release\net48\SpicyAD.exe

Execution

SpicyAD supports three execution methods:

| Method | Use Case |
|--------|----------|
| Domain-Joined | Running from a machine joined to the target domain |
| Non-Domain-Joined | Running from a workgroup machine or different domain |
| Reflection | In-memory execution without touching disk |

Interactive Mode

```powershell
# Domain-Joined
.\SpicyAD.exe

# Non-Domain-Joined
.\SpicyAD.exe /domain:evilcorp.net /dc-ip:10.10.10.10 /user:admin /password:P@ssw0rd

# Reflection
[Reflection.Assembly]::LoadFile("C:\Users\Public\SpicyAD.exe") | Out-Null; [SpicyAD.Program]::Run()
```

Command-Line Mode

```powershell
.\SpicyAD.exe [command] [options]
```

Reflection (In-Memory)

Execute SpicyAD without writing to disk using .NET Reflection:

```powershell
# Load assembly
[Reflection.Assembly]::LoadFile("C:\Users\Public\SpicyAD.exe")

# Execute command
[SpicyAD.Program]::Execute("command", "arg1", "arg2")

# Interactive menu
[SpicyAD.Program]::Run()
```

Global Options

| Option | Description |
|--------|-------------|
| /verbose, -v | Show detailed output |
| /log | Save output to log file (current directory) |
| /log:<path> | Save output to specified path |


Connection Flags

Required for non-domain-joined machines:

| Flag | Description | Example |
|------|-------------|---------|
| /domain:<fqdn> | Target domain FQDN | /domain:evilcorp.net |
| /dc-ip:<ip> | Domain Controller IP | /dc-ip:10.10.10.10 |
| /user:<user> | Username for auth | /user:elliot |
| /password:<pwd> | Password for auth | /password:P@ssw0rd |
| /dns:<ip> | DNS server (optional) | /dns:10.10.10.10 |
| /ldaps, /ssl | Use LDAPS (SSL/TLS, port 636) | /ldaps |
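Both the command-line form and the reflection form described above put the command and the connection flags, including `/password:`, into text that process-creation and PowerShell script block logging record. The parser below is an added example for log triage, not part of SpicyAD; it matches only the literal binary and type names shown on this page, and the sample lines are constructed from the page's own examples.

```python
import re

# Invocation forms shown on this page (unmodified binary and type names).
REFLECT_RE = re.compile(r'\[SpicyAD\.Program\]::(Execute|Run)\((.*)\)', re.I)
LOAD_RE = re.compile(r'Reflection\.Assembly\]::LoadFile\(.*SpicyAD', re.I)
CLI_RE = re.compile(r'SpicyAD\.exe"?(?=\s|$)(.*)', re.I)
FLAG_RE = re.compile(r'^/([\w-]+)(?::(.*))?$')

def parse_invocation(text):
    """Describe a SpicyAD invocation in a command line or script block, else None."""
    m = REFLECT_RE.search(text)
    if m:
        method, tokens = "reflection", re.findall(r'"([^"]*)"', m.group(2))
    elif LOAD_RE.search(text):
        method, tokens = "assembly-load", []
    else:
        m = CLI_RE.search(text)
        if not m:
            return None
        method, tokens = "cli", m.group(1).split()
    info = {"method": method, "command": None, "flags": {}, "cleartext_password": False}
    for tok in tokens:
        f = FLAG_RE.match(tok)
        if f:
            name, value = f.group(1).lower(), f.group(2)
            if name == "password":
                info["cleartext_password"] = True
                value = "<redacted>"  # keep the secret out of alerts and tickets
            info["flags"][name] = True if value is None else value
        elif tok.lower() == "-v":
            info["flags"]["verbose"] = True
        elif info["command"] is None:
            info["command"] = tok  # first non-flag token is the command
    return info

def triage(lines):
    """Return (line_index, info) for every line that contains an invocation."""
    return [(i, info) for i, line in enumerate(lines)
            if (info := parse_invocation(line)) is not None]

# Constructed sample telemetry: process command lines (4688 / Sysmon 1) and
# PowerShell script block text (4104), built from the examples on this page.
SAMPLE_LINES = [
    r'.\SpicyAD.exe /domain:evilcorp.net /dc-ip:10.10.10.10 /user:admin /password:P@ssw0rd bloodhound /collection:dconly /stealth',
    r'[Reflection.Assembly]::LoadFile("C:\Users\Public\SpicyAD.exe")',
    r'[SpicyAD.Program]::Execute("/ldaps", "bloodhound", "/collection:all")',
    r'Get-ADUser -Filter * -Properties badPwdCount',
]

if __name__ == "__main__":
    for idx, info in triage(SAMPLE_LINES):
        print(idx, info)
```

A result with `cleartext_password` set means the credential was written to the log in clear text and should be treated as exposed.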


Commands

Enumeration


bloodhound

BloodHound Ingestor - Collect AD data for BloodHound CE analysis. Generates JSON files compatible with BloodHound Community Edition.

| Option | Description |
|--------|-------------|
| /collection:<method> | Collection method(s) - see table below |
| /outputdir:<path> | Output directory (default: current) |
| /zipfilename:<name> | Custom ZIP filename |
| /threads:<n> | Threads for session/local group enum (default: 10) |
| /stealth | Skip session and local group enumeration |
| /pretty | Pretty-print JSON (larger files) |

Collection Methods:

| Method | Description |
|--------|-------------|
| default | Group, Session, Trusts, ACL, ObjectProps, Container, LocalAdmin |
| all | All collection methods |
| dconly | Group, ACL, Trusts, ObjectProps, Container (no computer enum) |
| session | Network session enumeration (NetSessionEnum) |
| localgroup | Local group membership (LocalAdmin, RDP, DCOM, PSRemote) |
| group | Group membership enumeration |
| acl | Access Control List collection |
| trusts | Domain trust enumeration |
| container | OU, GPO, and container enumeration |
| computeronly | Session and local group enum only |
| certservices | Certificate Templates and Enterprise CAs |

Note: Methods can be combined with comma: /collection:group,acl,session

Domain-Joined:

```powershell
# Default collection
.\SpicyAD.exe bloodhound

# All collection methods
.\SpicyAD.exe bloodhound /collection:all

# Stealth mode (LDAP only, no computer enumeration)
.\SpicyAD.exe bloodhound /collection:dconly /stealth

# Session enumeration with 20 threads
.\SpicyAD.exe bloodhound /collection:session /threads:20

# Custom output
.\SpicyAD.exe bloodhound /outputdir:C:\loot /zipfilename:target.zip

# Only certificate services
.\SpicyAD.exe bloodhound /collection:certservices

# With LDAPS (SSL/TLS, port 636)
.\SpicyAD.exe /ldaps bloodhound
.\SpicyAD.exe /ldaps bloodhound /collection:all
```

Non-Domain-Joined:

```powershell
.\SpicyAD.exe /domain:evilcorp.net /dc-ip:10.10.10.10 /user:admin /password:P@ssw0rd bloodhound
.\SpicyAD.exe /domain:evilcorp.net /dc-ip:10.10.10.10 /user:admin /password:P@ssw0rd bloodhound /collection:all
.\SpicyAD.exe /domain:evilcorp.net /dc-ip:10.10.10.10 /user:admin /password:P@ssw0rd bloodhound /collection:dconly /stealth

# With LDAPS (SSL/TLS)
.\SpicyAD.exe /domain:evilcorp.net /dc-ip:10.10.10.10 /user:admin /password:P@ssw0rd /ldaps bloodhound
```

Reflection:

```powershell
[Reflection.Assembly]::LoadFile("C:\Users\Public\SpicyAD.exe") | Out-Null; [SpicyAD.Program]::Execute("bloodhound")
[Reflection.Assembly]::LoadFile("C:\Users\Public\SpicyAD.exe") | Out-Null; [SpicyAD.Program]::Execute("bloodhound", "/collection:all")

# With LDAPS
[Reflection.Assembly]::LoadFile("C:\Users\Public\SpicyAD.exe") | Out-Null; [SpicyAD.Program]::Execute("/ldaps", "bloodhound")

# Non-Domain-Joined
[Reflection.Assembly]::LoadFile("C:\Users\Public\SpicyAD.exe") | Out-Null; [SpicyAD.Program]::Execute("/domain:evilcorp.net", "/dc-ip:10.10.10.10", "/user:admin", "/password:P@ssw0rd", "bloodhound")

# Non-Domain-Joined with LDAPS
[Reflection.Assembly]::LoadFile("C:\Users\Public\SpicyAD.exe") | Out-Null; [SpicyAD.Program]::Execute("/domain:evilcorp.net", "/dc-ip:10.10.10.10", "/user:admin", "/password:P@ssw0rd", "/ldaps", "bloodhound")
```

Output: ZIP file containing JSON files for import into BloodHound CE.


domain-info

Get domain information including name, mode, forest, and machine account quota.

Domain-Joined:

```powershell
.\SpicyAD.exe domain-info
```

Non-Domain-Joined:

```powershell
.\SpicyAD.exe /domain:evilcorp.net /dc-ip:10.10.10.10 /user:admin /password:P@ssw0rd domain-info
```

Reflection:

[Reflection.Assembly]::LoadFile("C:\Users\Public\SpicyAD.exe") | Ou

GitHub Stars: 99
Category: Development
Updated: 1mo ago
Forks: 14

Languages

C#

Security Score

80/100

Audited on Feb 21, 2026

No findings