https://github.com/CravateRouge/bloodyAD
BloodyAD is an Active Directory Privilege Escalation Framework
Last synced: 26 days ago
- Host: GitHub
- URL: https://github.com/CravateRouge/bloodyAD
- Owner: CravateRouge
- License: mit
- Created: 2021-10-11T15:07:26.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2025-03-17T04:01:06.000Z (about 2 months ago)
- Last Synced: 2025-04-03T07:54:57.164Z (about 1 month ago)
- Language: Python
- Size: 642 KB
- Stars: 1,564
- Watchers: 14
- Forks: 140
- Open Issues: 3
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE
Awesome Lists containing this project
- awesome-hacking-lists - CravateRouge/bloodyAD - BloodyAD is an Active Directory Privilege Escalation Framework (Python)
README
> :warning: autobloody has been moved to its own [repo](https://github.com/CravateRouge/autobloody)
# bloodyAD
`bloodyAD` is an Active Directory privilege escalation Swiss Army knife.
## Description
This tool can perform specific LDAP calls to a domain controller in order to perform AD privesc.
`bloodyAD` supports authentication using cleartext passwords, pass-the-hash, pass-the-ticket or certificates and binds to LDAP services of a domain controller to perform AD privesc.
Exchange of sensitive information without LDAPS is supported.
It is also designed to be used transparently with a SOCKS proxy.
Simple usage:
```ps1
bloodyAD --host 172.16.1.15 -d bloody.local -u jane.doe -p :70016778cb0524c799ac25b439bd6a31 set password john.doe 'Password123!'
```
See the [wiki](https://github.com/CravateRouge/bloodyAD/wiki) for more.
## Support
Like this project? Donations are greatly appreciated :relaxed: [](https://github.com/sponsors/CravateRouge)
Need personalized support? Send me an [email](mailto:[email protected]) for training or custom features.
## Acknowledgements
- Thanks to [@skelsec](https://github.com/skelsec) for his amazing libraries, especially [MSLDAP](https://github.com/skelsec/msldap), which is now the engine on which bloodyAD runs.
- Thanks to [impacket](https://github.com/fortra/impacket) contributors. [Structures](https://github.com/fortra/impacket/blob/master/impacket/structure.py) and several [LDAP attacks](https://github.com/fortra/impacket/blob/master/impacket/examples/ntlmrelayx/attacks/ldapattack.py) are based on their work.
- Thanks to [@PowerShellMafia](https://github.com/PowerShellMafia) team ([PowerView.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)) and their work on AD which inspired this tool.
- Thanks to [@dirkjanm](https://github.com/dirkjanm) ([adidnsdump.py](https://github.com/dirkjanm/adidnsdump)) and [@Kevin-Robertson](https://github.com/Kevin-Robertson) ([Invoke-DNSUpdate.ps1](https://github.com/Kevin-Robertson/Powermad/blob/master/Invoke-DNSUpdate.ps1)) for their work on AD DNS, which inspired the DNS functionalities.
- Thanks to [@p0dalirius](https://github.com/p0dalirius/) and his [pydsinternals](https://github.com/p0dalirius/pydsinternals) module, which helped to build the shadow credential attack.