autobloody is a tool that automatically exploits Active Directory privilege escalation paths shown by BloodHound.
Description
The tool automates AD privesc between two AD objects: the source (the AD object we own) and the target (the AD object we want), provided the BloodHound database contains a privesc path between them. The automation consists of two steps:
- Finding the optimal privesc path using BloodHound data and Neo4j queries.
- Executing the path found using the bloodyAD package.
bloodyAD package
autobloody relies on bloodyAD for authentication. It supports cleartext passwords as well as pass-the-hash and pass-the-ticket authentication. autobloody binds to the LDAP services of a domain controller to perform the AD privesc.
Installation
If you run it on Linux, libkrb5-dev must be installed first for Kerberos to work:
# Debian/Ubuntu/Kali
apt-get install libkrb5-dev
# CentOS/RHEL
yum install krb5-devel
# Fedora
dnf install krb5-devel
# Arch Linux
pacman -S krb5
A Python package is available:
pip install autobloody
Or you can clone the repository:
git clone --depth 1 https://github.com/CravateRouge/autobloody
cd autobloody
pip install .
Dependencies
- Neo4j Python driver
- Neo4j with the GDS library
- BloodHound
- Python 3
- gssapi (Linux) or winkerberos (Windows)
How to use it
Data must first be imported into BloodHound (e.g. using SharpHound or BloodHound.py) and Neo4j must be running.
-ds and -dt values are case sensitive.
Simple usage:
autobloody -u John.doe -p "Password123!" --host 192.168.10.2 -dp '[email protected]' -ds '[email protected]' -dt 'BLOODY.LOCAL'
Full help:
[bloodyAD]$ ./autobloody.py -h
usage: autobloody.py [-h] [--dburi DBURI] [-du DBUSER] -dp DBPASSWORD -ds DBSOURCE -dt DBTARGET [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-k] [-c CERTIFICATE] [-s] --host HOST

AD Privesc Automation

options:
  -h, --help            show this help message and exit
  --dburi DBURI         The host neo4j is running on (default is "bolt://localhost:7687")
  -du DBUSER, --dbuser DBUSER
                        Neo4j username to use (default is "neo4j")
  -dp DBPASSWORD, --dbpassword DBPASSWORD
                        Neo4j password to use
  -ds DBSOURCE, --dbsource DBSOURCE
                        Case sensitive label of the source node (name property in bloodhound)
  -dt DBTARGET, --dbtarget DBTARGET
                        Case sensitive label of the target node (name property in bloodhound)
  -d DOMAIN, --domain DOMAIN
                        Domain used for NTLM authentication
  -u USERNAME, --username USERNAME
                        Username used for NTLM authentication
  -p PASSWORD, --password PASSWORD
                        Cleartext password or LMHASH:NTHASH for NTLM authentication
  -k, --kerberos
  -c CERTIFICATE, --certificate CERTIFICATE
                        Certificate authentication, e.g: "path/to/key:path/to/cert"
  -s, --secure          Try to use LDAP over TLS aka LDAPS (default is LDAP)
  --host HOST           Hostname or IP of the DC (ex: my.dc.local or 172.16.1.3)
How it works
First, a path of edges is found using Dijkstra's algorithm as integrated in Neo4j's GDS library. Dijkstra's algorithm solves the shortest-path problem on a weighted graph. By default, BloodHound edges have no weight, only a type (e.g. MemberOf or WriteOwner), so a weight is assigned to each edge depending on its type and on the type of node it reaches (e.g. user, group, domain).
Once a path is generated, autobloody connects to the DC to execute it and cleans up whatever is reversible.
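The following is an added example, not code from the autobloody project, illustrating the path-finding step described above: Dijkstra's algorithm run over a small BloodHound-style graph in which each edge gets a weight from its type and the type of node it reaches. The graph, the node names (CORP.LOCAL and its principals), the weight tables and the function names are all constructed assumptions; autobloody's real weights and its Neo4j GDS query are not shown on this page. It also goes slightly beyond the text by showing how the same search serves a defender: which single edge, if removed, leaves no path at all.

```python
"""Added example (not part of autobloody): weighted shortest-path search
over BloodHound-style edges, plus a defender's choke-point check.

Every name, edge and weight below is constructed for illustration; the
weight tables are assumptions, not autobloody's own values."""
import heapq

# Constructed sample graph in the shape BloodHound exports: each edge is
# (source, edge_type, target), and every node has a BloodHound node type.
NODES = {
    "JOHN.DOE@CORP.LOCAL": "User",
    "HELPDESK@CORP.LOCAL": "Group",
    "IT-ADMINS@CORP.LOCAL": "Group",
    "SVC-BACKUP@CORP.LOCAL": "User",
    "DOMAIN ADMINS@CORP.LOCAL": "Group",
    "CORP.LOCAL": "Domain",
}
EDGES = [
    ("JOHN.DOE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "ForceChangePassword", "SVC-BACKUP@CORP.LOCAL"),
    ("SVC-BACKUP@CORP.LOCAL", "DCSync", "CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "WriteOwner", "IT-ADMINS@CORP.LOCAL"),
    ("IT-ADMINS@CORP.LOCAL", "AddMembers", "DOMAIN ADMINS@CORP.LOCAL"),
    ("DOMAIN ADMINS@CORP.LOCAL", "GenericAll", "CORP.LOCAL"),
]

# Assumed weight tables: an edge that merely reflects existing membership is
# free; edges that modify the target cost more; resetting a user's password
# costs most because it is disruptive and cannot be undone by the tool.
EDGE_WEIGHT = {"MemberOf": 0, "AddMembers": 1, "AddSelf": 1, "GenericAll": 2,
               "DCSync": 2, "WriteOwner": 3, "WriteDacl": 3,
               "ForceChangePassword": 5}
NODE_WEIGHT = {"Group": 0, "Domain": 0, "User": 1}


def edge_cost(edge_type, target_node):
    """Weight of an edge = its type's weight + the reached node type's weight."""
    return EDGE_WEIGHT[edge_type] + NODE_WEIGHT[NODES[target_node]]


def shortest_path(edges, source, target, cost=edge_cost):
    """Dijkstra over a directed edge list.

    Returns (total_cost, [(src, edge_type, dst), ...]) for the cheapest path,
    or (None, []) when the target is unreachable from the source.
    """
    adj = {}
    for src, etype, dst in edges:
        adj.setdefault(src, []).append((etype, dst))
    dist = {source: 0}
    prev = {}
    heap = [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue  # stale heap entry
        if node == target:
            break
        for etype, dst in adj.get(node, []):
            nd = d + cost(etype, dst)
            if nd < dist.get(dst, float("inf")):
                dist[dst] = nd
                prev[dst] = (node, etype)
                heapq.heappush(heap, (nd, dst))
    if target not in dist:
        return None, []
    path, cur = [], target
    while cur != source:
        p, etype = prev[cur]
        path.append((p, etype, cur))
        cur = p
    path.reverse()
    return dist[target], path


def blocking_edges(edges, source, target):
    """Defender's view: edges whose removal alone leaves no path at all.

    Each such edge is a choke point; fixing it (e.g. removing the ACE or the
    group membership) breaks every route from source to target in this graph.
    """
    return [e for e in edges
            if shortest_path([x for x in edges if x != e], source, target)[0] is None]


if __name__ == "__main__":
    src, dst = "JOHN.DOE@CORP.LOCAL", "CORP.LOCAL"
    print("weighted:", shortest_path(EDGES, src, dst))
    print("fewest hops:", shortest_path(EDGES, src, dst, cost=lambda e, n: 1))
    print("choke points:", blocking_edges(EDGES, src, dst))
```

With these weights the search prefers the four-edge route through IT-ADMINS (cost 6) over the three-edge route through the ForceChangePassword edge (cost 8), which is the point of weighting by edge and node type rather than counting hops: the shortest path by hop count is not necessarily the least disruptive one. The choke-point check shows that in this constructed graph only the initial MemberOf edge breaks every path, so the two parallel branches would each need their own remediation.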
Limitations
For now, only the following BloodHound edges are supported for automatic exploitation:
- MemberOf
- ForceChangePassword
- AddMembers
- AddSelf
- DCSync
- GetChanges/GetChangesAll
- GenericAll
- WriteDacl
- GenericWrite
- WriteOwner
- Owns
- Contains
- AllExtendedRights