Awesome

:warning: autobloody has been moved to its own repo

bloodyAD

bloodyAD is an Active Directory privilege escalation swiss army knife

Description

This tool can perform specific LDAP calls to a domain controller in order to perform AD privesc.

bloodyAD supports authentication using cleartext passwords, pass-the-hash, pass-the-ticket or certificates and binds to LDAP services of a domain controller to perform AD privesc.

Exchange of sensitive information without LDAPS is supported.

It is also designed to be used transparently with a SOCKS proxy.

Simple usage:

bloodyAD --host 172.16.1.15 -d bloody.local -u jane.doe -p :70016778cb0524c799ac25b439bd6a31 set password john.doe 'Password123!'

See the wiki for more.

Support

Like this project? Donations are greatly appreciated :relaxed:

Need personalized support? send us an email or check our website cravaterouge.com to see all our cybersecurity services.

Acknowledgements

• Thanks to @skelsec for his amazing libraries especially MSLDAP which is now the engine on which bloodyAD is running.
• Thanks to impacket contributors. Structures and several LDAP attacks are based on their work.
• Thanks to @PowerShellMafia team (PowerView.ps1) and their work on AD which inspired this tool.
• Thanks to @dirkjanm (adidnsdump.py) and (@Kevin-Robertson)(Invoke-DNSUpdate.ps1) for their work on AD DNS which inspired DNS functionnalities.
• Thanks to @p0dalirius and his pydsinternals module which helped to build the shadow credential attack