Figure: Active Directory attack path graph showing lateral movement from a workstation to a domain controller.

Red Team · April 12, 2026 · 14 min read

Active Directory Attacks in 2026: Kerberoasting, DCSync, and Modern AD Exploitation

A technical guide to Active Directory attack techniques in 2026, covering Kerberoasting, AS-REP Roasting, DCSync, Pass-the-Hash, BloodHound path analysis, and modern detection evasion.

Key takeaways

Kerberoasting and AS-REP Roasting are still the fastest paths to privileged credentials.
BloodHound path analysis reveals attack paths that manual enumeration misses.
DCSync requires Domain Admin or equivalent — it is the endgame, not the entry point.

Why AD is still the primary enterprise target

Active Directory controls authentication, authorization, and group policy for most enterprise environments. A domain admin account is effectively a master key to every Windows system in the organization. That is why AD compromise is the goal of most internal penetration tests and red team engagements.

In 2026, hybrid environments (on-prem AD + Azure AD / Entra ID) have expanded the attack surface. Techniques that work on-prem often have cloud equivalents, and trust relationships between the two environments create new lateral movement paths.

Kerberoasting: extracting service account hashes

Kerberoasting abuses legitimate Kerberos behavior to obtain material that can be cracked offline to recover service account passwords. Any authenticated domain user can request a Kerberos service ticket (TGS) for any registered service principal name (SPN). Part of that ticket is encrypted with a key derived from the service account's password (the NTLM hash when the ticket uses RC4, which is what the $krb5tgs$23$ format below denotes), so the ticket can be cracked offline without further interaction with the domain.

The attack is silent from a network perspective — requesting service tickets is normal Kerberos behavior. Detection therefore relies on the domain controllers' TGS request logging (Event ID 4769): unusual volumes of requests from a single principal, or requests for RC4-encrypted tickets where AES is the norm, stand out. Service accounts with weak passwords are the ones most at risk, because they are the ones the offline cracking step will actually recover.

Kerberoasting with Impacket

# Get all kerberoastable accounts
python3 GetUserSPNs.py DOMAIN/user:password -dc-ip 10.10.10.1 -request

# Output: hashes in $krb5tgs$23$* format
# Crack with hashcat
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt --force

AS-REP Roasting: no credentials needed

AS-REP Roasting targets accounts with Kerberos pre-authentication disabled. Without pre-auth, an attacker can request an AS-REP for any username and receive a response encrypted with the user's password hash — no credentials required.

This is particularly dangerous for service accounts and legacy accounts where pre-auth was disabled for compatibility reasons.

AS-REP Roasting without credentials

# Enumerate accounts without pre-auth
python3 GetNPUsers.py DOMAIN/ -usersfile users.txt -dc-ip 10.10.10.1 -no-pass

# Crack the AS-REP hash
hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt
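Both roasting techniques above leave a trace on the domain controllers even though nothing unusual happens on the wire. The following is an added example, not code from the original post or from the Impacket project, showing detection logic over constructed sample events in a key=value form (field names map to the Security log: user=TargetUserName, svc=ServiceName, etype=TicketEncryptionType, preauth=PreAuthType). The SPN fan-out threshold and the five-minute window are assumed tuning values.

```python
"""Detection logic for Kerberoasting (Event ID 4769) and AS-REP Roasting
(Event ID 4768), run over constructed sample events. Field names mirror the
Windows Security log: user=TargetUserName, svc=ServiceName,
etype=TicketEncryptionType, preauth=PreAuthType, status=Status, ip=IpAddress."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"              # TicketEncryptionType for RC4-HMAC; AES is 0x11 / 0x12
SPN_FANOUT_THRESHOLD = 4       # distinct service accounts per requester (assumed tuning value)
WINDOW = timedelta(minutes=5)  # sliding window for the fan-out rule (assumed)

# Constructed events, not real telemetry. bob requests four RC4 tickets in a burst
# (Kerberoasting); svc_legacy gets an RC4 AS-REP with no pre-auth (AS-REP Roasting).
SAMPLE_EVENTS = [
    "time=2026-04-12T09:00:01 id=4768 user=alice ip=10.10.20.5 preauth=2 etype=0x12 status=0x0",
    "time=2026-04-12T09:00:02 id=4769 user=alice svc=SQL01$ ip=10.10.20.5 etype=0x12 status=0x0",
    "time=2026-04-12T09:01:00 id=4768 user=svc_legacy ip=10.10.20.99 preauth=0 etype=0x17 status=0x0",
    "time=2026-04-12T09:02:00 id=4769 user=bob svc=svc_sql ip=10.10.20.99 etype=0x17 status=0x0",
    "time=2026-04-12T09:02:01 id=4769 user=bob svc=svc_web ip=10.10.20.99 etype=0x17 status=0x0",
    "time=2026-04-12T09:02:02 id=4769 user=bob svc=svc_backup ip=10.10.20.99 etype=0x17 status=0x0",
    "time=2026-04-12T09:02:03 id=4769 user=bob svc=svc_report ip=10.10.20.99 etype=0x17 status=0x0",
    "time=2026-04-12T09:03:00 id=4769 user=carol svc=svc_web ip=10.10.20.7 etype=0x12 status=0x0",
]


def parse_event(line):
    """Parse one key=value record into a dict; 'time' becomes a datetime."""
    fields = dict(token.split("=", 1) for token in line.split())
    fields["time"] = datetime.fromisoformat(fields["time"])
    return fields


def detect_kerberoasting(lines):
    """Return {requester: [reasons]} for successful 4769 events that look like roasting.

    Two signals: a service ticket issued with RC4 for a user (not machine) service
    account, and many distinct SPNs requested by one principal inside WINDOW."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["time"])
    flagged = defaultdict(list)
    requests = defaultdict(list)  # requester -> [(time, service account)], time-ordered
    for e in events:
        if e["id"] != "4769" or e["status"] != "0x0":
            continue
        svc = e["svc"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts have long random passwords; krbtgt is the TGT itself
        requests[e["user"]].append((e["time"], svc))
        if e["etype"] == RC4_HMAC:
            flagged[e["user"]].append(f"RC4 service ticket for {svc} from {e['ip']}")
    for user, reqs in requests.items():
        for i, (t0, _) in enumerate(reqs):
            spns = {svc for t, svc in reqs[i:] if t - t0 <= WINDOW}
            if len(spns) >= SPN_FANOUT_THRESHOLD:
                flagged[user].append(f"{len(spns)} distinct SPNs within {WINDOW}")
                break
    return dict(flagged)


def detect_asrep_roasting(lines):
    """Return {account: ip} for successful 4768 events with PreAuthType 0 (pre-auth
    disabled) and an RC4-encrypted reply, i.e. the material hashcat mode 18200 cracks."""
    hits = {}
    for e in map(parse_event, lines):
        if (e["id"] == "4768" and e["preauth"] == "0"
                and e["etype"] == RC4_HMAC and e["status"] == "0x0"):
            hits[e["user"]] = e["ip"]
    return hits


if __name__ == "__main__":
    for user, reasons in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"[kerberoast] {user}: " + "; ".join(reasons))
    for account, ip in detect_asrep_roasting(SAMPLE_EVENTS).items():
        print(f"[asrep] {account}: AS-REP without pre-auth requested from {ip}")
```

The RC4 signal is the cheaper of the two rules but only fires when the service account still permits RC4; once AES-only is enforced on service accounts (and pre-authentication is re-enabled on the legacy accounts the 4768 rule surfaces), the fan-out rule is what remains.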

BloodHound: mapping attack paths

BloodHound uses graph theory to map relationships between AD objects and identify attack paths to high-value targets. It ingests data from SharpHound (Windows) or BloodHound.py (Linux) and visualizes paths like: compromised user → group membership → ACL → domain admin.

The most valuable BloodHound queries find shortest paths to Domain Admins, accounts with DCSync rights, and Kerberos delegation misconfigurations.

BloodHound data collection

# Collect from Linux (no agent needed)
python3 bloodhound.py -u user -p password -d DOMAIN -dc 10.10.10.1 -c All

# Import JSON files into BloodHound
# Then run: Find Shortest Paths to Domain Admins
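The "graph theory" behind the shortest-path query is a plain breadth-first search over typed edges. As an added example (not BloodHound's own code, and run over a constructed graph rather than collected data), the block below reproduces that search for the user → group → ACL → Domain Admins pattern and adds the defender's follow-up question: which single edge appears in the most paths, and is therefore the first ACL or membership to remediate. Edge names follow BloodHound's vocabulary; the principals, hosts and the CORP.LOCAL domain are constructed.

```python
"""Shortest-path analysis over a small AD relationship graph, the technique
BloodHound applies to SharpHound / BloodHound.py data. The graph is constructed,
not collected from a real domain. Edge labels follow BloodHound's naming."""
from collections import deque

TIER0_TARGETS = {"Domain Admins", "CORP.LOCAL"}  # the DA group and the domain object itself

# (source, relation, target). Control of the target follows from the relation:
# MemberOf (group membership), GenericAll/WriteDacl (ACL control), AdminTo (local admin),
# HasSession (that user's credentials are present on the host).
EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("carol", "MemberOf", "Helpdesk"),
    ("Helpdesk", "GenericAll", "svc_backup"),
    ("svc_backup", "MemberOf", "Server Operators"),
    ("Server Operators", "AdminTo", "FILE01"),
    ("FILE01", "HasSession", "da_admin"),
    ("da_admin", "MemberOf", "Domain Admins"),
    ("bob", "MemberOf", "Developers"),
    ("Developers", "WriteDacl", "CORP.LOCAL"),
    ("dave", "MemberOf", "Domain Users"),
]
USERS = ["alice", "bob", "carol", "dave"]


def build_adjacency(edges):
    """Directed adjacency list: node -> [(relation, next node)]."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
        adj.setdefault(dst, [])
    return adj


def shortest_path(adj, start, targets):
    """BFS from start; return the edge list of the first path into any target, or None."""
    if start in targets:
        return []
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in adj.get(node, []):
            if nxt in parent:
                continue
            parent[nxt] = (node, rel)
            if nxt in targets:
                path, cur = [], nxt
                while parent[cur] is not None:
                    prev, r = parent[cur]
                    path.append((prev, r, cur))
                    cur = prev
                return path[::-1]
            queue.append(nxt)
    return None


def principals_with_path(adj, users, targets):
    """Which users can reach tier 0 at all, and in how many hops."""
    result = {}
    for u in users:
        p = shortest_path(adj, u, targets)
        if p is not None:
            result[u] = len(p)
    return result


def choke_point(adj, users, targets):
    """Edge that appears in the most shortest paths: removing it (e.g. stripping the
    GenericAll ACE) cuts the most users off at once. Ties go to the first edge seen."""
    counts = {}
    for u in users:
        for edge in shortest_path(adj, u, targets) or []:
            counts[edge] = counts.get(edge, 0) + 1
    if not counts:
        return None
    return max(counts.items(), key=lambda kv: kv[1])[0]


if __name__ == "__main__":
    adj = build_adjacency(EDGES)
    for user, hops in principals_with_path(adj, USERS, TIER0_TARGETS).items():
        print(f"{user}: {hops} hops -> {shortest_path(adj, user, TIER0_TARGETS)}")
    print("remediate first:", choke_point(adj, USERS, TIER0_TARGETS))
```

On this graph alice and carol both reach Domain Admins in six hops through the Helpdesk group's GenericAll over svc_backup, and bob reaches the domain object in two hops via WriteDacl; the choke point is the GenericAll edge, since removing that one ACE breaks two of the three paths.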

DCSync: dumping the entire domain

DCSync abuses the Directory Replication Service (DRS) protocol to request password hashes for any account, including krbtgt and all domain admins, by impersonating a domain controller asking for replication. It requires the Replicating Directory Changes and Replicating Directory Changes All extended rights on the domain object. Domain controllers and Domain Admins hold these by default, and they can be granted to any other principal through ACL abuse.

A successful DCSync gives you the NTLM hash of every account in the domain, enabling Pass-the-Hash attacks against any system.

DCSync with Impacket secretsdump

# Dump all hashes via DCSync
python3 secretsdump.py DOMAIN/admin:password@10.10.10.1

# Or with just the krbtgt hash (for Golden Ticket)
python3 secretsdump.py DOMAIN/admin:password@10.10.10.1 -just-dc-user krbtgt

DCSync requires Domain Admin or equivalent privileges. It is the endgame technique, not the entry point. Use BloodHound to find the path to those privileges first.
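Because DCSync is the domain controller replication protocol used from the wrong place, it is also one of the easier AD attacks to detect: the replication request is audited as Event ID 4662 on the DC that answers it, with the requester's account name and the extended-right GUIDs it asked for. The following is an added example, not code from the original post, that applies that rule to constructed 4662 events; the allowlist of DC computer accounts and the MSOL_ sync account are assumed values, and the extended-right GUIDs are the well-known AD schema constants.

```python
"""Detection of DCSync in Windows Security Event ID 4662 (operation on an AD object).
A replication request appears as a 4662 with AccessMask 0x100 (Control Access) whose
Properties field lists a DS-Replication extended-right GUID. Legitimate requesters
are domain controllers and directory sync services; anything else is a DCSync attempt.
Sample events are constructed."""
import re

# Well-known extended-right GUIDs from the AD schema.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES: "DS-Replication-Get-Changes",
    DS_REPLICATION_GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET: "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit that covers extended rights
GUID_RE = re.compile(r"\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?", re.I)

# Allowlist, assumed for this example: the domain's DC computer accounts plus the
# Entra ID Connect (MSOL_*) service account. Build it from the Domain Controllers OU
# and your known sync accounts in practice.
KNOWN_REPLICATORS = {"DC01$", "DC02$", "MSOL_sync01"}

# Constructed 4662 events with the Security log's field names. The 19195a5b GUID is the
# domainDNS object class (the domain head), which is what replication is requested against.
SAMPLE_4662 = [
    {"SubjectUserName": "DC02$", "SubjectDomainName": "CORP", "ObjectServer": "DS",
     "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"SubjectUserName": "jsmith", "SubjectDomainName": "CORP", "ObjectServer": "DS",
     "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"SubjectUserName": "MSOL_sync01", "SubjectDomainName": "CORP", "ObjectServer": "DS",
     "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    # A password reset right (00299570) on a user object: Control Access, but not replication.
    {"SubjectUserName": "jdoe", "SubjectDomainName": "CORP", "ObjectServer": "DS",
     "AccessMask": "0x100",
     "Properties": "%%7688\n\t{00299570-246d-11d0-a768-00aa006e0529}\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def replication_rights_requested(event):
    """Names of the replication extended rights present in a 4662 event, in schema order."""
    if event.get("ObjectServer") != "DS":
        return []
    if not int(event.get("AccessMask", "0"), 16) & CONTROL_ACCESS:
        return []
    guids = {m.group(1).lower() for m in GUID_RE.finditer(event.get("Properties", ""))}
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in guids]


def detect_dcsync(events, allowed_accounts):
    """Alert on replication requests from any account that is not a known replicator."""
    alerts = []
    for e in events:
        rights = replication_rights_requested(e)
        if rights and e["SubjectUserName"] not in allowed_accounts:
            alerts.append({"subject": f"{e['SubjectDomainName']}\\{e['SubjectUserName']}",
                           "rights": rights})
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_4662, KNOWN_REPLICATORS):
        print(f"[dcsync] {alert['subject']} requested {', '.join(alert['rights'])}")
```

The allowlist is the part that needs care: a sync account such as MSOL_sync01 legitimately holds Get-Changes-All, so it must be enumerated explicitly rather than excluded by a pattern, and any new account that starts appearing in these events should be treated as a finding until its replication rights are explained. The same GUIDs also identify who holds these rights in the domain object's ACL, which is the audit to run before an engagement rather than after.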

FAQ

What is the difference between Pass-the-Hash and Pass-the-Ticket?

Pass-the-Hash uses an NTLM hash to authenticate to services that accept NTLM. Pass-the-Ticket uses a Kerberos ticket (TGT or TGS) to authenticate to Kerberos-enabled services. Both allow lateral movement without knowing the plaintext password.
