/b4blood

Finds Domain Controller on a network, enumerates users, AS-REP Roasting and hash cracking, bruteforces password, dumps AD users, DRSUAPI, scans SMB/NFS shares for passwords, scans for remote accesses, dumps NTDS.dit.

Primary LanguagePython

b4blood

banner

Just a wrapper, scans for a breach in Active Directory to gain access to your first shell.

  • Scans the DC, time sync for Kerberos
  • Scans for SMB vulns
  • Kerbrutes users/passwords, you can provide your own users list (-U my_userslist.txt) and/or your password list (-P passlist.txt)
  • Checks for AS-REP roasting and launch rockyou.txt against the hash
  • Dumps AD
  • Scans recursively SMB/NFS shares and dumps juicy files (could be long, --nsd to skip this part)
  • Scans for .xml GPP files in SYSVOL and extracts passwords
  • Scans for remote connections
  • Scans for Kerberoastable accounts
  • Dumps NTDS.DIT

Very useful for CTF's, this is a nice tool before BloodHound ingestor.
Could be use for internal audit with these options: --internal -i eth0

Installation (KALI)

git clone https://github.com/moloch54/b4blood  
sudo python3 b4blood/setup.py

Download NOT THE LATEST VERSION of Kerbrute for your computer (amd64 or 386 CPU):
https://github.com/ropnop/kerbrute/releases
Rename it to "kerbrute"

cd ~/Downloads
sudo cp kerbrute /usr/bin
sudo chmod +x /usr/bin/kerbrute
⚠️ WARNING
rockyou.txt must be in /usr/share/wordlists/rockyou.txt
xato-net-10-million-usernames must be in /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
⚠️ WARNING2
If Impacket is already installed, you need to specifie line 12 in /usr/bin/b4blood YOUR own path for impacket/examples:
path_impacket="/opt/impacket/examples"

Usage

USAGE:  
First make a folder, a lot of logs will be written.  

mkdir myfolder; cd myfolder  

b4blood --ip 192.168.0.45  
b4blood --ip 192.168.0.0/24  
b4blood --ip 192.168.0.* -U users.txt -P passwd.txt  

b4blood --internal -i eth0

Features

  • Scans the DC, time sync for Kerberos
    synchro

  • Scans for SMB vulns
    smb_vuln

  • Kerbrutes users/passwords, you can provide your own users list (-U my_userslist.txt) and/or your password list (-P passlist.txt) ker

  • Checks for AS-REP roasting and launches rockyou.txt against the hash
    asrep

  • Dumps AD ldap

  • Scans recursively SMB/NFS shares and dumps juicy files (could be long, --nsd to skip this part) smb_shares
    smb_dump
    NFS

  • Scans for .xml GPP files in SYSVOL and extracts passwords
    gpp

  • Scans for remote connections
    ssh

  • Scans for Kerberoastable accounts
    kerberostable

Add your new creds to all_creds.txt and relaunch b4blood

  • Dumps NTDS.DIT
    ntds