BloodyAD: Open-source Active Directory privilege escalation framework

by CybrGPT

BloodyAD is an open-source Active Directory privilege escalation framework that uses specialized LDAP calls to interact with domain controllers. It enables various privilege escalation techniques within Active Directory environments.

Features

“I created this tool because I do a lot of internal testing on Active Directory infrastructures and at the time in 2021 there was no tool on Linux that could easily do the AD privesc shown by Bloodhound. The easiest was using Powersploit, which is great, but you always had to have a Windows machine. It relies on the WinAPI for authentication, so if you had a Kerberos ticket, you had to inject it in memory using Mimikatz to get Powersploit working correctly,” Baptiste Crepin, the creator of BloodyAD, told Help Net Security.

BloodyAD offers flexible authentication options, including cleartext passwords, pass-the-hash, pass-the-ticket, and certificate-based authentication. It connects to a domain controller’s LDAP services, facilitating privilege escalation.

The framework can exchange sensitive information with the domain controller even when LDAPS is not available, and it is designed to work through a SOCKS proxy.

“What makes it unique is how versatile and portable it is. You can use many different types of credentials to perform the primary reconnaissance and privesc actions on AD, and it can run on Linux, macOS, and Windows. I also try to make it as verbose as possible so the user can understand why their action didn’t work and how to fix it so that the domain controller accepts it,” Crepin explained.

Future plans and download

“I noticed AD tools aren’t designed for multi-domain infrastructures, which is a shame because there are often privesc opportunities by jumping from one domain to another. So, I’m focusing on making internal testing on multi-domain infrastructures easy using BloodyAD. I started by adding the ability to display all the trusts and DNS records of all the domains you have access to, and I will expand it to other types of interesting data,” Crepin concluded.

BloodyAD is available for free on GitHub. Dependencies include Python 3, MSLDAP and dnspython.
