autobloody is a tool to automatically exploit Active Directory privilege escalation paths shown by BloodHound.
This tool automates the AD privesc between two AD objects, the source (the one we own) and the target (the one we want) if a privesc path exists in BloodHound database. The automation is composed of two steps:
- Finding the optimal path for privesc using bloodhound data and neo4j queries.
- Execute the path found using bloodyAD package
Because autobloody relies on bloodyAD, it supports authentication using cleartext passwords, pass-the-hash, pass-the-ticket or certificates and binds to LDAP services of a domain controller to perform AD privesc.
First if you run it on Linux, you must have libkrb5-dev installed on your OS in order for kerberos to work:
# Debian/Ubuntu/Kali apt-get install libkrb5-dev # Centos/RHEL yum install krb5-devel # Fedora dnf install krb5-devel # Arch Linux pacman -S krb5
A python package is available:
pip install autobloody
Or you can clone the repo:
git clone --depth 1 https://github.com/CravateRouge/autobloody pip install .
- Neo4j python driver
- Neo4j with the GDS library
- Python 3
- Gssapi (linux) or Winkerberos (Windows)
How to use it
First data must be imported into BloodHound (e.g using SharpHound or BloodHound.py) and Neo4j must be running.
-ds and -dt values are case sensitive
autobloody -u john.doe -p 'Password123!' --host 192.168.10.2 -dp '[email protected]' -ds '[email protected]' -dt 'BLOODY.LOCAL'
[bloodyAD]$ ./autobloody.py -h usage: autobloody.py [-h] [--dburi DBURI] [-du DBUSER] -dp DBPASSWORD -ds DBSOURCE -dt DBTARGET [-d DOMAIN] [-u USERNAME] [-p PASSWORD] [-k] [-c CERTIFICATE] [-s] --host HOST AD Privesc Automation options: -h, --help show this help message and exit --dburi DBURI The host neo4j is running on (default is "bolt://localhost:7687") -du DBUSER, --dbuser DBUSER Neo4j username to use (default is "neo4j") -dp DBPASSWORD, --dbpassword DBPASSWORD Neo4j password to use -ds DBSOURCE, --dbsource DBSOURCE Case sensitive label of the source node (name property in bloodhound) -dt DBTARGET, --dbtarget DBTARGET Case sensitive label of the target node (name property in bloodhound) -d DOMAIN, --domain DOMAIN Domain used for NTLM authentication -u USERNAME, --username USERNAME Username used for NTLM authentication -p PASSWORD, --password PASSWORD Cleartext password or LMHASH:NTHASH for NTLM authentication -k, --kerberos -c CERTIFICATE, --certificate CERTIFICATE Certificate authentication, e.g: "path/to/key:path/to/cert" -s, --secure Try to use LDAP over TLS aka LDAPS (default is LDAP) --host HOST Hostname or IP of the DC (ex: my.dc.local or 172.16.1.3)
How it works
First a privesc path is found using the Dijkstra’s algorithm implemented into the Neo4j’s GDS library. The Dijkstra’s algorithm allows to solve the shortest path problem on a weighted graph. By default the edges created by BloodHound don’t have weight but a type (e.g MemberOf, WriteOwner). A weight is then added to each edge accordingly to the type of edge and the type of node reached (e.g user,group,domain).
Once a path is generated, autobloody will connect to the DC and execute the path and clean what is reversible (everything except ForcePasswordChange and setOwner).
For now, only the following BloodHound edges are currently supported for automatic exploitation: