⚠️ autobloody has been moved to its own repo
bloodyAD is an Active Directory privilege escalation swiss army knife.
This tool performs specific LDAP calls to a domain controller in order to carry out AD privesc.
bloodyAD supports authentication using cleartext passwords, pass-the-hash, pass-the-ticket or certificates and binds to the LDAP services of a domain controller to perform AD privesc.
Exchange of sensitive information without LDAPS is supported.
It is also designed to be used transparently with a SOCKS proxy.
Simple usage:
bloodyAD --host 172.16.1.15 -d bloody.local -u jane.doe -p :70016778cb0524c799ac25b439bd6a31 set password john.doe 'Password123!'
See the wiki for more.
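As an added defender-side example (not part of bloodyAD or its documentation), the script below flags the kind of account password reset shown in the usage line above: it reads Windows Security event 4724 records ("An attempt was made to reset an account's password") in an assumed newline-delimited JSON shape and reports resets performed by principals outside an assumed approved set.

```python
import json

# Constructed sample log: three Security events in an assumed newline-delimited
# JSON shape whose keys mirror the EventData fields of event 4724. Not a real export.
SAMPLE_LOG = """
{"EventID": 4724, "TimeCreated": "2024-05-01T10:12:03Z", "SubjectUserName": "jane.doe", "SubjectDomainName": "BLOODY", "TargetUserName": "john.doe", "TargetDomainName": "BLOODY"}
{"EventID": 4724, "TimeCreated": "2024-05-01T10:15:41Z", "SubjectUserName": "helpdesk.svc", "SubjectDomainName": "BLOODY", "TargetUserName": "bob.smith", "TargetDomainName": "BLOODY"}
{"EventID": 4624, "TimeCreated": "2024-05-01T10:16:00Z", "SubjectUserName": "jane.doe", "SubjectDomainName": "BLOODY", "TargetUserName": "jane.doe", "TargetDomainName": "BLOODY"}
"""

# Assumed policy: only these accounts may reset other users' passwords.
APPROVED_RESETTERS = {"helpdesk.svc", "administrator"}


def parse_events(raw):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one corrupted line must not abort the whole run
    return events


def qualify(domain, user):
    """Build a lower-cased DOMAIN\\user label for reporting."""
    return f"{domain}\\{user}".lower()


def find_unapproved_resets(events, approved):
    """Return (time, subject, target) for every 4724 whose subject is not approved.

    Other event IDs (e.g. 4624 logons) are ignored; comparison is case-insensitive.
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 4724:
            continue
        subject_user = ev.get("SubjectUserName", "").lower()
        if subject_user in approved:
            continue
        subject = qualify(ev.get("SubjectDomainName", ""), subject_user)
        target = qualify(ev.get("TargetDomainName", ""), ev.get("TargetUserName", ""))
        hits.append((ev.get("TimeCreated"), subject, target))
    return hits


if __name__ == "__main__":
    for when, who, whom in find_unapproved_resets(parse_events(SAMPLE_LOG), APPROVED_RESETTERS):
        print(f"{when}: {who} reset the password of {whom}")
```

On the sample above only the reset of john.doe by jane.doe is reported; the helpdesk reset and the logon event are filtered out.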
Like this project? Donations are greatly appreciated
Need personalized support? send me an email for trainings or custom features.
- Thanks to impacket contributors. Structures and several LDAP attacks are based on their work.
- Thanks to @PowerShellMafia team (PowerView.ps1) and their work on AD which inspired this tool.
- Thanks to @dirkjanm (adidnsdump.py) and @Kevin-Robertson (Invoke-DNSUpdate.ps1) for their work on AD DNS, which inspired the DNS functionalities.
- Thanks to @p0dalirius and his pydsinternals module, which helped build the shadow credential attack.