⚠️ autobloody has been moved to its own repo
bloodyAD is an Active Directory privilege escalation swiss army knife.
This tool performs specific LDAP calls against a domain controller in order to carry out AD privilege escalation.
bloodyAD supports authentication using cleartext passwords, pass-the-hash, pass-the-ticket or certificates, and binds to the LDAP services of a domain controller to perform AD privesc.
Exchange of sensitive information without LDAPS is supported.
It is also designed to be used transparently with a SOCKS proxy.
Simple usage:

```
bloodyAD --host 172.16.1.15 -d bloody.local -u jane.doe -p :70016778cb0524c799ac25b439bd6a31 set password john.doe 'Password123!'
```
See the wiki for more.
Like this project? Donations are greatly appreciated.
Need personalized support? Send us an email or check our website cravaterouge.com to see all our cybersecurity services.
- Thanks to @skelsec for his amazing libraries, especially MSLDAP, which is now the engine on which bloodyAD runs.
- Thanks to impacket contributors. Structures and several LDAP attacks are based on their work.
- Thanks to the @PowerShellMafia team (PowerView.ps1) and their work on AD, which inspired this tool.
- Thanks to @dirkjanm (adidnsdump.py) and @Kevin-Robertson (Invoke-DNSUpdate.ps1) for their work on AD DNS, which inspired the DNS functionality.
- Thanks to @p0dalirius and his pydsinternals module, which helped build the shadow credential attack.