autobloody: automatically exploit Active Directory privilege escalation paths
autobloody
autobloody is a tool to automatically exploit Active Directory privilege escalation paths shown by BloodHound combining pathgen.py and autobloody.py.
This tool automates the AD privesc between two AD objects, the source (the one we own) and the target (the one we want) if a privesc path exists in the BloodHound database. The automation is split into two parts in order to be used transparently with tunneling tools such as proxychains:
- pathgen.py to find the optimal path for privesc using bloodhound data and neo4j queries.
- autobloody.py to execute the path found with pathgen.py
autobloody relies on bloodyAD and supports authentication using cleartext passwords, pass-the-hash, pass-the-ticket, or certificates and binds to LDAP services of a domain controller to perform AD privesc.
How it works
First pathgen.py generates a privesc path using the Dijkstra’s algorithm implemented into the Neo4j’s GDS library. The Dijkstra’s algorithm allows to solve the shortest path problem on a weighted graph. By default, the edges created by BloodHound don’t have weight but a type (e.g MemberOf, WriteOwner). A weight is then added to each edge accordingly to the type of edge and the type of node reached (e.g user,group,domain).
Once a path is generated and stored as a json file, autobloody.py will connect to the DC and execute the path and clean what is reversible (everything except password change).
Limitations
Here is the list of the BloodHound edges currently supported for automatic exploitation:
- MemberOf
- ForceChangePassword
- AddMembers
- AddSelf
- DCSync
- GetChanges/GetChangesAll
- GenericAll
- WriteDacl
- GenericWrite
- WriteOwner
- Owns
- Contains
- AllExtendedRights
Install
git clone https://github.com/CravateRouge/autobloody.git
cd autobloody
pip3 install -r requirements.txt
Use
First data must be imported into BloodHound (e.g using SharpHound or BloodHound.py) and Neo4j must be running.
⚠️ -ds and -dt values are case sensitive
Simple usage:
pathgen.py -dp neo4jPass -ds ‘OWNED_USER@ATTACK.LOCAL’ -dt ‘TARGET_USER@ATTACK.LOCAL’ && proxychains autobloody.py -d ATTACK -u ‘owned_user’ -p ‘owned_user_pass’ –host dc01.attack.local
Copyright (c) 2022 CravateRouge
Source: https://github.com/CravateRouge/
