Skip to main content

AD Privesc Automation

Project description

bloodyAD logo autobloody

autobloody is a tool to automatically exploit Active Directory privilege escalation paths shown by BloodHound.

Description

This tool automates the AD privesc between two AD objects, the source (the one we own) and the target (the one we want) if a privesc path exists in BloodHound database. The automation is composed of two steps:

  • Finding the optimal path for privesc using bloodhound data and neo4j queries.
  • Execute the path found using bloodyAD package

Because autobloody relies on bloodyAD, it supports authentication using cleartext passwords, pass-the-hash, pass-the-ticket or certificates and binds to LDAP services of a domain controller to perform AD privesc.

Installation

A python package is available:

pip install autobloody

Or you can clone the repo:

git clone --depth 1 https://github.com/CravateRouge/autobloody
pip install .

Dependencies

  • bloodyAD
  • Neo4j python driver
  • Neo4j with BloodHound
  • Python 3

For better performance, it's recommended to have the GDS library installed in Neo4j. Without it, autobloody will use native CYPHER queries which are slower but still functional.

A light bloodhound environment with GDS plugin can be installed by launching ./bloodhound-ce from https://github.com/CravateRouge/Single-User-BloodHound.

How to use it

First data must be imported into BloodHound (e.g using SharpHound or BloodHound.py) and Neo4j must be running.

:warning: -ds and -dt values are case sensitive

Simple usage:

autobloody -p 'Password123!' --host 192.168.10.2 -dp 'neo4jP@ss' -ds 'JOHN.DOE@BLOODY.LOCAL' -dt 'BLOODY.LOCAL'

Full help:

[bloodyAD]$ ./autobloody.py -h
usage: autobloody.py [-h] [--dburi DBURI] [-du DBUSER] -dp DBPASSWORD -ds DBSOURCE -dt DBTARGET [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-k] [-c CERTIFICATE] [-s] --host HOST [-y] [-v] [--timeout TIMEOUT]

AD Privesc Automation

options:
  -h, --help            show this help message and exit
  --dburi DBURI         The host neo4j is running on (default is "bolt://localhost:7687")
  -du DBUSER, --dbuser DBUSER
                        Neo4j username to use (default is "neo4j")
  -dp DBPASSWORD, --dbpassword DBPASSWORD
                        Neo4j password to use
  -ds DBSOURCE, --dbsource DBSOURCE
                        Case sensitive label of the source node (name property in bloodhound)
  -dt DBTARGET, --dbtarget DBTARGET
                        Case sensitive label of the target node (name property in bloodhound)
  -d DOMAIN, --domain DOMAIN
                        Domain used for NTLM authentication (optional, default is dbsource domain)
  -u USERNAME, --username USERNAME
                        Username used for NTLM authentication (optional, default is dbsource sAMAccountName)
  -p PASSWORD, --password PASSWORD
                        Cleartext password or LMHASH:NTHASH for NTLM authentication
  -k, --kerberos
  -c CERTIFICATE, --certificate CERTIFICATE
                        Certificate authentication, e.g: "path/to/key:path/to/cert"
  -s, --secure          Try to use LDAP over TLS aka LDAPS (default is LDAP)
  --host HOST           Hostname or IP of the DC (ex: my.dc.local or 172.16.1.3)
  -y, --yes             Assume yes to apply the generated privesc
  -v, --verbose         Enable verbose output (-v for INFO, -vv for DEBUG)
  --timeout TIMEOUT     Connection timeout in seconds (default is 60)

How it works

First a privesc path is found using the Dijkstra's algorithm implemented into the Neo4j's GDS library. The Dijkstra's algorithm allows to solve the shortest path problem on a weighted graph. By default the edges created by BloodHound don't have weight but a type (e.g MemberOf, WriteOwner). A weight is then added to each edge accordingly to the type of edge and the type of node reached (e.g user,group,domain).

Once a path is generated, autobloody will connect to the DC and execute the path and clean what is reversible (everything except ForcePasswordChange and setOwner).

Limitations

For now, only the following BloodHound edges are currently supported for automatic exploitation:

  • MemberOf
  • ForceChangePassword
  • AddMembers
  • AddSelf
  • DCSync
  • GetChanges/GetChangesAll
  • GenericAll
  • WriteDacl
  • GenericWrite
  • WriteOwner
  • Owns
  • Contains
  • AllExtendedRights
  • ReadGMSAPassword

Support

Like this project? Donations are welcome

Need personalized support? send me an email for trainings or custom features.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

autobloody-1.1.0.tar.gz (14.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

autobloody-1.1.0-py3-none-any.whl (13.4 kB view details)

Uploaded Python 3

File details

Details for the file autobloody-1.1.0.tar.gz.

File metadata

  • Download URL: autobloody-1.1.0.tar.gz
  • Upload date:
  • Size: 14.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.0.1 CPython/3.11.2

File hashes

Hashes for autobloody-1.1.0.tar.gz
Algorithm Hash digest
SHA256 2a783c5748182361b484d05257886fe61279794ad1ede7ad7511fda930ea609b
MD5 ebfcb722f015183fc9ba559bbb9e3d2b
BLAKE2b-256 97c1d4e8bed0d62e69cab8727bc879ad8d4abeca8403522cebbd4378ca4928ff

See more details on using hashes here.

File details

Details for the file autobloody-1.1.0-py3-none-any.whl.

File metadata

  • Download URL: autobloody-1.1.0-py3-none-any.whl
  • Upload date:
  • Size: 13.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.0.1 CPython/3.11.2

File hashes

Hashes for autobloody-1.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 ce524a0c9632dcbb69f5aa3fa27c832b1c1893c63268c4b425973c54328720dc
MD5 df4ab99b225d5a7a8a1db07ef2461778
BLAKE2b-256 7f1de3e33e4c51543b24fbcc00ccbbaec04abf4099ad82574430924773d3e79b

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page