DOMAINATOR | Active Directory Pentest Platform

[ AI VS REALITY ]

Why AI scanners fail at Active Directory

of AI scanners can execute a single real Kerberos attack chain. They guess. We prove.

	AI SCANNERS	DOMAINATOR
Kerberos Exploitation	✗	✓ TGS-REQ + cracking
ADCS Certificate Abuse	✗	✓ ESC1-ESC11
DCSync Domain Dump	✗	✓ DRSUAPI replication
Pass-the-Hash / Relay	✗	✓ NTLM + Kerberos relay
Golden Ticket Forge	✗	✓ KRBTGT + crypto
Multi-Step Attack Chains	✗	✓ 30+ chained flows
Data Stays On-Premise	✗ sent to cloud LLM	✓ isolated namespaces
Reproducible Results	✗ non-deterministic	✓ deterministic always

Built by penetration testers who hack Active Directory daily. Every attack chain is battle-tested — not generated by AI and hoped for the best.

[ WHAT AI CAN'T DO ]

Real attacks need real protocol operations

AI-SCANNER-PRO v4.2 — ATTEMPTING AD PENTEST

$ ai-scan --target corp.local --mode full
[✗] Kerberoast: Cannot send TGS-REQ — no network access
[✗] DCSync: Cannot open DRSUAPI — requires authenticated RPC
[✗] ADCS ESC1: Cannot parse CA templates — needs live LDAP session
[✗] Pass-the-Hash: Cannot relay NTLM — no real protocol stack
[✗] Golden Ticket: Cannot forge TGT — requires KRBTGT hash + crypto
[✗] Shadow Creds: Cannot write msDS — needs authenticated LDAP write
[!] Result: 0 exploits, 47 hallucinated CVEs, $12,000 invoice
█

▼

DOMAINATOR — REAL AD EXPLOITATION ● LIVE

$ domainator --target 10.10.14.5 --mode warrior
[✓] Kerberoast: TGS-REQ sent → 3 SPNs cracked
[✓] ADCS ESC1: Certificate issued → Administrator impersonated
[✓] DCSync: DRSUAPI session → All domain hashes extracted
[✓] Pass-the-Hash: NTLM relay → Lateral movement confirmed
[✓] Golden Ticket: KRBTGT forged → Persistent domain access
[★] DOMAIN ADMIN ACHIEVED — Full compromise in 14 minutes
    Hashes: 847 | Certs: 3 | Users: 2,847 | Report: Generated

KERBEROAST ● AS-REP ROAST ● DCSYNC ● ADCS ESC1-ESC11 ● PASS-THE-HASH ● GOLDEN TICKET ● SHADOW CREDENTIALS ● RBCD DELEGATION ● ACL ABUSE ● S4U IMPERSONATION ● NTLM RELAY ● GPO ABUSE ● KERBEROAST ● AS-REP ROAST ● DCSYNC ● ADCS ESC1-ESC11 ● PASS-THE-HASH ● GOLDEN TICKET

[ BATTLE PLANS ]

Individual AD penetration testing

sword_rose SQUIRE — FREE TRIAL

Start with 1 free scan — no credit card required. Experience the full attack chain on your own environment.

1 SCAN 1 RESCAN WEB REPORT $0 FOREVER

START FREE SCAN

ENTERPRISE
FOR SECURITY TEAMS & CONSULTANCIES

shield

BARON

Entry Warrior

$49

/month

✔ 3 scans / month
✔ 1 rescan / month
✔ Essential Web Report
✔ Domain Conquest Map
✔ Live Terminal (Hackflix)
✔ 24h report access

SELECT

MOST POPULAR

security

DUKE

Battle Commander

$149

/month

✔ 6 scans / month
✔ 2 rescans / month
✔ Advanced Web Report
✔ Domain Conquest Map
✔ Live Terminal (Hackflix)
✔ 24h report access

SELECT

👑

EMPEROR

Supreme Ruler

$299

/month

✔ 12 scans / month
✔ 4 rescans / month
✔ Ultimate Web Report
✔ Domain Conquest Map
✔ Permanent report access
✔ Priority queue
✔ Dedicated support

SELECT

SOLO OPERATOR
FOR INDEPENDENT PENETRATION TESTERS

terminal

HACKER

Your Own Arsenal

$149

/month

✔ 5 scans / month
✔ 2 rescans / month
✔ Operator Web Report
✔ Full Attack Chain
✔ Live Terminal (Hackflix)
✔ Portable & Mobile Access

SELECT

CISO'S FORTRESS
FOR TEAM LEADERS MANAGING RANGERS

Multi-hacker team management

groups

WARBAND

CISO · 3 Rangers

$299

/month

♦ 4 scans / ranger / month
♦ 1 rescan / ranger / month
♦ Ranger Live Screens
♦ CISO Analytics Dashboard
♦ Per-Ranger Isolation
♦ Serial Key Management

SELECT

BEST VALUE

verified_user

LEGION

CISO · 5 Rangers

$499

/month

♦ 5 scans / ranger / month
♦ 2 rescans / ranger / month
♦ Ranger Live Screens
♦ CISO Analytics Dashboard
♦ Per-Ranger Isolation
♦ Serial Key Management
♦ Priority Support

SELECT

DOMAINATOR

Emperor Report

SCAN #4701 · 2026-05-10

✅

DOMAIN COMPROMISED

Target Domaincorp.contoso.com

Domain ControllerDC01

DC IP Address10.10.14.5

Scan Duration23 minutes

9.8

CRITICAL

RISK SCORE

2,847

USERS

156

CREDENTIALS

342

MACHINES

ATTACK PATH SUMMARY

AS-REP Roast → Kerberoast → ADCS ESC1 → Domain Admin

key CAPTURED CREDENTIALS

6 credentials recovered across multiple attack vectors

USERNAME	HASH / PASSWORD	SOURCE	TYPE
Administrator:500	aad3b435b51404ee:fc525c9683e8fe067cbb...	DCSync	NTLM
krbtgt:502	aad3b435b51404ee:9d1d6c0327e80c2a4c3b...	DCSync	NTLM
svc_mssql	Summer2024!	Kerberoast	Cleartext
svc_backup	$krb5asrep$23$svc_backup@CORP...	AS-REP	Hash
j.smith	Welcome2024!	Spray	Cleartext
DA_admin	P@ssw0rd2024	SYSVOL/GPP	Cleartext

verified_user ADCS ANALYSIS

Certificate AuthorityCONTOSO-DC01-CA

Templates Analyzed14

warning ESC1 VULNERABLE: CorpTemplate

Enrollee Supplies SubjectYES

Client Authentication EKUYES

Low-Privilege EnrollmentDomain Users

Manager ApprovalDISABLED

Authorized Signatures0

EXPLOITATION RESULT

Certificate issued for: Administrator@corp.contoso.com

TGT obtained via PKINIT authentication

account_tree ATTACK CHAIN

Full exploitation path from anonymous to domain admin

Anonymous Enumeration

847 users discovered

↓

User Spray

j.smith:Welcome2024!

↓

AS-REP Roast

svc_backup -- no pre-auth

↓

Kerberoast

svc_mssql:Summer2024!

↓

ADCS ESC1

Certificate as Administrator

↓

PKINIT → TGT

Administrator TGT obtained

↓

DCSync

All domain hashes extracted

↓

DOMAIN ADMIN

Full domain compromise achieved

build REMEDIATION

5 findings requiring immediate attention

Disable SPN accounts pre-auth requirement CRITICAL

Account svc_backup has Kerberos pre-authentication disabled, enabling AS-REP roasting. Enable pre-auth on all service accounts and audit accounts with DONT_REQUIRE_PREAUTH flag.

Fix ADCS ESC1 template -- remove enrollee-supplies-subject CRITICAL

CorpTemplate allows any domain user to request certificates with arbitrary SANs. Remove CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT, restrict enrollment to specific groups, and require CA manager approval.

Rotate all service account passwords (>25 chars) HIGH

svc_mssql password (Summer2024!) was cracked via Kerberoasting. Replace all SPN-associated accounts with gMSA (Group Managed Service Accounts) for automatic 120-char password rotation.

Implement tiered admin model HIGH

Lateral movement was trivial due to flat admin structure. Implement Microsoft's tiered administration model (Tier 0/1/2) to segment privileged access and prevent credential exposure across tiers.

Enable LDAP signing and channel binding MEDIUM

LDAP signing is not enforced, enabling relay attacks and MITM on LDAP traffic. Configure LdapServerIntegrity=2 and enable LDAP channel binding on all domain controllers.

OUR PLATFORMS

Same power, every device

language

WEB

Full-featured browser application. No installation required. Real-time scan terminal, interactive reports, domain graph visualizations, and account management.

[sidebar] Dashboard | Scan | Reports | Settings
STATUS: Ready to scan
VPN: Connected | Target: 10.10.14.5
[ START SCAN ]

desktop_windows

DESKTOP

Portable native application for Windows and Linux. Runs from USB drive with zero installation. Built with Tauri for minimal footprint and maximum performance.

◆ DOMAINator.exe -- Portable Edition
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Windows x64 | Linux x64 ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
✔ No install required

phone_android

MOBILE

Android APK for on-the-go pentesting. Full scan control from your phone with real-time terminal output, push notifications, and report access.

10:48 LTE 82%

DOMAINATOR

Scan active...
corp.contoso.com
73% complete

WHY NOT AI

Side-by-side: AI hallucinations vs real exploitation

AI-SCANNER-PRO v4.2.0

DOMAINATOR v3.0

ATTACK TECHNIQUES COMPARISON

✗

Kerberoasting

✓

✗

AS-REP Roasting

✓

✗

ADCS ESC1-ESC11

✓

✗

DCSync Attack

✓

✗

Pass-the-Hash

✓

✗

Golden Ticket

✓

✗

ACL Abuse

✓

✗

Multi-Step Chains

✓

AI SCANNER DOMAINATOR

warning

DATA EXFILTRATION RISK

AI scanners upload your AD topology, credentials, and network map to third-party cloud APIs

security

ZERO DATA LEAKAGE

DOMAINator uses isolated network namespaces. Your data never leaves the scan environment