🩸BloodyAD

Introduction

This tool can perform specific LDAP calls to a domain controller for Active Directory privilege escalation.

On Kali Linux, the tool can be installed simply through the following command:

sudo apt install bloodyad -y

GitHub Repository

GitHub Repository: CravateRouge/bloodyAD (https://github.com/CravateRouge/bloodyAD) - BloodyAD is an Active Directory Privilege Escalation Framework

Attacking AD using bloodyAD

Read LAPS Password

bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' get search --filter '(ms-mcs-admpwdexpirationtime=*)' --attr ms-mcs-admpwd,ms-mcs-admpwdexpirationtime

Read GMSA Password

bloodyAD --host 10.10.10.10 -d domain.htb -u 'user' -p 'password' get object 'TARGET' --attr msDS-ManagedPassword

Enable DONT_REQ_PREAUTH for ASREPRoast

Requires GenericAll/GenericWrite permissions

Disable ACCOUNTDISABLE to Enable a Disabled User

Add User to a Group

Shadow Credentials Attack

Followed by Pass-the-Hash

Assign servicePrincipalName (SPN) to User for Kerberoasting Attack

Requires GenericAll/GenericWrite permissions over the target user

Make User Owner of an Object

Requires WriteOwner permissions

Assign GenericAll Permissions Over a User to an Object for Full Control

Change User Password

Add DCSync Permissions Over an Object

Assign Malicious Script to User (Executes on Login)

Create New DNS Record for DNS Spoofing Attacks

Assign Different UPN (userPrincipalName) for UPN Spoofing Attacks

Assign Value to altSecurityIdentities Attribute for X.509/ESC14 Attacks

Notes

  • Replace 10.10.10.10 with the target domain controller IP address

  • Replace domain.htb with the target domain name

  • Replace 'user' and 'password' with valid credentials

  • Replace target placeholders (TARGET, USER_TARGET, OBJECT_TARGET, etc.) with actual target names

  • Some commands require specific permissions as noted in their descriptions
