Autobloody: A Tool to Automatically Explore Active Directory Privilege Escalation Routes (Shown by BloodHound)

Autobloodyis an application that automatically exploits Active Directory privilege escalation pathways shown by BloodHound.

Description

The tool automates AD privesc between AD objects. This includes the source (the AD object we have) and target (the AD object we wish). If a BloodHound database has a privesc path, this tool will also do the same. Two steps make up the automation:

• Utilizing bloodhound data, neo4j queries and bloodhound data to determine the best path to privesc.
• Follow the directions provided by bloodyAD Package

Autobloody uses to authenticate. It supports cleartext passwords and pass-the–hash or pass-the–ticket authentication. Additionally, autobloody binds to the LDAP services provided by a domain controller in order to provide AD privesc.

Installation

To make kerberos work, first you need and libkrb5_dev on Linux.

Debian/Ubuntu/Kali @ Centos/RHEL at apt-get libkrb5_dev Fedora @ Fedora @ Fedora install krb5–devel Arch Linux Pacman -S. krb5

You can purchase a python bundle:

Pip Install Autobloody

You can also clone it:

git clone --depth 1 https://github.com/CravateRouge/autobloody pip install .

Dependencies

• Neo4j python driver
• Neo4j and the library
• BloodHound
• Python 3.
• Gssapi, Linux or Winkerberos for Windows

It’s how to use it

BloodHound must import the first data (e.g. using SharpHound, BloodHound.py), and Neo4j should be up.

-ds, -dt values are case sensitive

Simple use:

autobloody --u John.doe--p "Password123!" --host 192.168.10.2 -dp '[email protected]' -ds '[email protected]' -dt 'BLOODY.LOCAL'

Full Help:

[bloodyAD]$ ./autobloody.py -h usage: autobloody.py [-h] [--dburi DBURI] [-du DBUSER] -dp DBPASSWORD -ds DBSOURCE -dt DBTARGET [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-k] [-c CERTIFICATE] [-s] --host HOST AD Privesc Automation options: -h, --help show this help message and exit --dburi DBURI The host neo4j is running on (default is "bolt://localhost:7687") -du DBUSER, --dbuser DBUSER Neo4j username to use (default is "neo4j") -dp DBPASSWORD, --dbpassword DBPASSWORD Neo4j password to use -ds DBSOURCE, --dbsource DBSOURCE Case sensitive label of the source node (name property in bloodhound) -dt DBTARGET, --dbtarget DBTARGET Case sensitive label of the target node (name property in bloodhound) -d DOMAIN, --domain DOMAIN Domain used for NTLM authentication -u USERNAME, --username USERNAME Username used for NTLM authentication -p PASSWORD, --password PASSWORD Cleartext password or LMHASH:NTHASH for NTLM authentication -k, --kerberos -c CERTIFICATE, --certificate CERTIFICATE Certificate authentication, e.g: "path/to/key:path/to/cert" -s, --secure Try to use LDAP over TLS aka LDAPS (default is LDAP) --host HOST Hostname or IP of the DC (ex: my.dc.local or 172.16.1.3)

It works

The Dijkstra algorithm is used to find the first privesc path. It has been integrated into Neo4j’s GDS library. Dijkstra’s algorithm solves the problem of finding the shortest path on a weighted diagram. BloodHound’s edges don’t have a weight by default, but they do have a type (e.g MemberOf or WriteOwner). Each edge is given a weight based on the type and node it has reached. (e.g user.group.domain).

After generating a path, autobloody will connect with the DC to execute it and remove what’s reversible.

There are limitations

The following BloodHound edges can be used for automatic exploitation at the moment:

• MemberOf
• ForceChangePassword
• AddMembers
• AddSelf
• DCSync
• GetChanges/GetChangesAll
• GenericAll
• WriteDacl
• GenericWrite
• WriteOwner
• Owners
• This contains
• AllExtendedRights