Mastering Bloodyad with Kali Linux Tools

In the realm of cybersecurity, particularly in penetration testing and ethical hacking, tools that facilitate the analysis and exploitation of Active Directory (AD) environments are invaluable. One such tool that has garnered attention is BloodyAD, an Active Directory Privilege Escalation Framework integrated into the Kali Linux distribution. This blog post aims to provide an in-depth look at BloodyAD, exploring its features, installation process, usage, and practical applications.

Understanding BloodyAD

BloodyAD is an open-source framework designed to identify and exploit privilege escalation paths within Active Directory environments. It operates by performing specific LDAP (Lightweight Directory Access Protocol) and SAMR (Security Account Manager Remote) calls to a domain controller, enabling users to manipulate AD objects and configurations to achieve elevated privileges. This tool supports various authentication methods, including:

• Cleartext Passwords: Direct authentication using plain text credentials.
• Pass-the-Hash: Utilizing NTLM hashes to authenticate without knowing the actual password.
• Pass-the-Ticket: Employing Kerberos tickets for authentication.
• Certificates: Using digital certificates for secure authentication.

BloodyAD is designed to bind to LDAP services of a domain controller to perform privilege escalation tasks. Notably, it supports the exchange of sensitive information without requiring LDAPS (LDAP over SSL/TLS), enhancing its flexibility in different network configurations. Additionally, it is designed to be used transparently with a SOCKS proxy, facilitating operations in segmented networks. ( GitHub)

Key Features of BloodyAD

BloodyAD offers a suite of features that make it a potent tool for security professionals:

1. Versatile Authentication Support: Accommodates multiple authentication methods, providing flexibility in various scenarios.
2. Direct Interaction with Domain Controllers: Performs specific LDAP and SAMR calls to manipulate AD objects and configurations.
3. Privilege Escalation Capabilities: Identifies and exploits potential paths to escalate privileges within an AD environment.
4. Proxy Compatibility: Designed for seamless operation through SOCKS proxies, aiding in navigating complex network architectures.
5. Command-Line Interface: Provides a comprehensive CLI with various commands to perform tasks such as adding users, changing passwords, and modifying object attributes.

Installing BloodyAD on Kali Linux

BloodyAD is included in the Kali Linux repositories, simplifying the installation process. Follow these steps to install BloodyAD:

1. Update the Package List: Open a terminal and run:

   sudo apt update
   

2. Install BloodyAD: Execute the following command:

   sudo apt install bloodyad
   

3. Verify the Installation: After installation, you can verify it by checking the version:

   bloodyAD --version
   

For detailed installation instructions and troubleshooting, refer to the official BloodyAD GitHub repository.

Using BloodyAD: A Practical Overview

Once installed, BloodyAD can be utilized to perform various tasks within an Active Directory environment. Below is an overview of common commands and their usage:

1. Changing a User’s Password

To change the password of a user account:

bloodyAD --host <DC_IP> -d <domain> -u <username> -p <password> changePassword <target_user> '<new_password>'

Example:

bloodyAD --host 192.168.1.10 -d example.local -u admin -p 'AdminPass123' changePassword john.doe 'NewPass123!'

This command changes the password of john.doe to NewPass123!. ( GitHub)

2. Adding a New User

To add a new user to the domain:

bloodyAD --host <DC_IP> -d <domain> -u <username> -p <password> addUser <new_user> '<new_user_password>'

Example:

bloodyAD --host 192.168.1.10 -d example.local -u admin -p 'AdminPass123' addUser jane.doe 'SecurePass456!'

This command creates a new user jane.doe with the password SecurePass456!. ( GitHub)

3. Setting User Account Control (UAC) Flags

To modify User Account Control flags for a user:

bloodyAD --host <DC_IP> -d <domain> -u <username> -p <password> setUserAccountControl <target_user> <UAC_flag> <True/False>

Example:

bloodyAD --host 192.168.1.10 -d example.local -u admin -p 'AdminPass123' setUserAccountControl john.doe 0x400000 True

This command enables the DONT_REQ_PREAUTH flag for john.doe, making the account susceptible to ASREPRoasting attacks. ( GitHub)

4. Retrieving Group Members

To list members of a specific group:

bloodyAD --host <DC_IP> -d <domain> -u <username> -p <password> getObjectAttributes <group_dn> member

Example:

bloodyAD --host 192.168.1.10 -d example.local -u admin -p 'AdminPass123' getObjectAttributes 'CN=Admins,CN=Users,DC=example,DC=local' member

This command lists all members of the Admins group. ( GitHub)

5. Adding a User to a Group

To add a user to a specific group:

bloodyAD --host <DC_IP> -d <domain> -u <username> -p <password> addObjectToGroup <target_user> <target_group>

Example:

bloodyAD --host 192.168.1.10 -d example.local -u admin -p 'AdminPass123' addObjectToGroup jane.doe 'CN=Admins,CN=Users,DC=example,DC=local'

This command adds jane.doe to the Admins group. ( GitHub)

For a comprehensive list of commands and their usage, consult the BloodyAD User Guide.

Practical Applications of BloodyAD

BloodyAD is a versatile tool with several practical applications in cybersecurity:

1. Penetration Testing

Security professionals can use BloodyAD to identify and exploit privilege escalation paths within an Active Directory environment, assessing the security posture of an organization.

2. Red Team Operations

Red teams can simulate advanced attack scenarios by leveraging BloodyAD to manipulate AD objects and configurations,