Packages and Binaries:
bloodyad
bloodyAD performs specific LDAP calls against a domain controller in order to carry out Active Directory privilege escalation. It supports authentication using cleartext passwords, pass-the-hash, pass-the-ticket or certificates, and binds to the LDAP services of a domain controller to perform those operations.
Exchange of sensitive information without LDAPS is supported. It is also designed to be used transparently with a SOCKS proxy.
Installed size: 833 KB
How to install: sudo apt install bloodyad
Dependencies:
- python3
- python3-asn1crypto
- python3-asyauth
- python3-cryptography
- python3-dnspython
- python3-msldap
- python3-unicrypto
- python3-winacl
bloodyAD
root@kali:~# bloodyAD -h
usage: bloodyAD [-h] [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-k]
[-c CERTIFICATE] [-s] [--host HOST] [--dc-ip DC_IP] [--gc]
[-v {QUIET,INFO,DEBUG}]
{add,get,remove,set} ...
AD Privesc Swiss Army Knife
options:
-h, --help show this help message and exit
-d DOMAIN, --domain DOMAIN
Domain used for NTLM authentication
-u USERNAME, --username USERNAME
Username used for NTLM authentication
-p PASSWORD, --password PASSWORD
Cleartext password or LMHASH:NTHASH for NTLM
authentication (Do not specify to trigger integrated
windows authentication)
-k, --kerberos
-c CERTIFICATE, --certificate CERTIFICATE
Certificate authentication, e.g:
"path/to/key:path/to/cert"
-s, --secure Try to use LDAP over TLS aka LDAPS (default is LDAP)
--host HOST Hostname or IP of the DC (ex: my.dc.local or
172.16.1.3)
--dc-ip DC_IP IP of the DC (used for kerberos auth if hostname
doesn't resolve)
--gc Connect to Global Catalog (GC)
-v {QUIET,INFO,DEBUG}, --verbose {QUIET,INFO,DEBUG}
Adjust output verbosity
Commands:
{add,get,remove,set}
add [ADD] function category
get [GET] function category
remove [REMOVE] function category
set [SET] function category
Updated on: 2024-Nov-17