autobloody: automatically exploit Active Directory privilege escalation paths

by ddos ·

autobloody

autobloody is a tool to automatically exploit Active Directory privilege escalation paths shown by BloodHound combining pathgen.py and autobloody.py.

This tool automates the AD privesc between two AD objects, the source (the one we own) and the target (the one we want) if a privesc path exists in the BloodHound database. The automation is split into two parts in order to be used transparently with tunneling tools such as proxychains:

  • pathgen.py to find the optimal path for privesc using bloodhound data and neo4j queries.
  • autobloody.py to execute the path found with pathgen.py

autobloody relies on bloodyAD and supports authentication using cleartext passwords, pass-the-hash, pass-the-ticket, or certificates and binds to LDAP services of a domain controller to perform AD privesc.

How it works

First pathgen.py generates a privesc path using the Dijkstra’s algorithm implemented into the Neo4j’s GDS library. The Dijkstra’s algorithm allows to solve the shortest path problem on a weighted graph. By default, the edges created by BloodHound don’t have weight but a type (e.g MemberOf, WriteOwner). A weight is then added to each edge accordingly to the type of edge and the type of node reached (e.g user,group,domain).

Once a path is generated and stored as a json file, autobloody.py will connect to the DC and execute the path and clean what is reversible (everything except password change).

Limitations

Here is the list of the BloodHound edges currently supported for automatic exploitation:

  • MemberOf
  • ForceChangePassword
  • AddMembers
  • AddSelf
  • DCSync
  • GetChanges/GetChangesAll
  • GenericAll
  • WriteDacl
  • GenericWrite
  • WriteOwner
  • Owns
  • Contains
  • AllExtendedRights

Install

git clone https://github.com/CravateRouge/autobloody.git
cd autobloody
pip3 install -r requirements.txt

Use

First data must be imported into BloodHound (e.g using SharpHound or BloodHound.py) and Neo4j must be running.

⚠️ -ds and -dt values are case sensitive

Simple usage:

pathgen.py -dp neo4jPass -ds ‘OWNED_USER@ATTACK.LOCAL’ -dt ‘TARGET_USER@ATTACK.LOCAL’ && proxychains autobloody.py -d ATTACK -u ‘owned_user’ -p ‘owned_user_pass’ –host dc01.attack.local

Active Directory privilege escalation

Copyright (c) 2022 CravateRouge

Source: https://github.com/CravateRouge/

Tags: Active Directory Privilege Escalation