Packages and Binaries:

bloodyad

Active Directory privilege escalation framework
bloodyAD performs specific LDAP calls against a domain controller to carry out Active Directory privilege escalation. It supports authentication using cleartext passwords, pass-the-hash, pass-the-ticket or certificates, and binds to the LDAP services of the domain controller to issue those calls.

Exchanging sensitive information without LDAPS is supported. The tool is also designed to work transparently through a SOCKS proxy.

Installed size: 49.50 MB
How to install: sudo apt install bloodyad

Dependencies:
  • python3
  • python3.13
bloodyad
root@kali:~# bloodyad -h
usage: bloodyad [-h] [-d DOMAIN] [-u USERNAME] [-p PASSWORD]
                [-k [KERBEROS ...]] [-f {b64,hex,aes,rc4,default}]
                [-c [CERTIFICATE]] [-s] -H HOST [-i DC_IP] [--dns DNS]
                [-t TIMEOUT] [--gc] [-v {QUIET,INFO,DEBUG,TRACE}] [--json]
                {add,get,msldap,remove,set} ...

AD Privesc Swiss Army Knife

options:
  -h, --help            show this help message and exit
  -d, --domain DOMAIN   Domain used for NTLM authentication
  -u, --username USERNAME
                        Username used for NTLM authentication
  -p, --password PASSWORD
                        password or LMHASH:NTHASH for NTLM authentication,
                        password or AES/RC4 key for kerberos, password for
                        certificate (Do not specify to trigger integrated
                        windows authentication)
  -k, --kerberos [KERBEROS ...]
                        Enable Kerberos authentication. If '-p' is provided it
                        will try to query a TGT with it. You can also provide
                        a list of one or more optional keywords as '-k
                        kdc=192.168.100.1 kdcc=192.168.150.1
                        realmc=foreign.realm.corp
                        <keyfile_type>=/home/silver/Admin.ccache',
                        <keyfile_type> being ccache, kirbi or keytab, 'kdc'
                        being the kerberos server for the keyfile provided and
                        'realmc' and 'kdcc' for cross realm (the realm of the
                        '--host' provided)
  -f, --format {b64,hex,aes,rc4,default}
                        Specify format for '--password' or '-k <keyfile>'
  -c, --certificate [CERTIFICATE]
                        Schannel authentication or krb pkinit if -k also
                        provided, e.g: "path/to/key:path/to/cert" (Use Windows
                        Certstore with krb if left empty)
  -s, --secure          Use LDAP/GC over TLS (LDAPS/GCS). Use -ss to remove
                        all encryption/signing (useful for debug).
  -H, --host HOST       Hostname or IP of the DC (ex: my.dc.local or
                        172.16.1.3)
  -i, --dc-ip DC_IP     IP of the DC (useful if you provided a --host which
                        can't resolve)
  --dns DNS             IP of the DNS to resolve AD names (useful for inter-
                        domain functions)
  -t, --timeout TIMEOUT
                        Connection timeout in seconds
  --gc                  Connect to Global Catalog (GC)
  -v, --verbose {QUIET,INFO,DEBUG,TRACE}
                        Adjust output verbosity
  --json                Output results in JSON format

Commands:
  {add,get,msldap,remove,set}
    add                 [ADD] function category
    get                 [GET] function category
    msldap              [MSLDAP] function category
    remove              [REMOVE] function category
    set                 [SET] function category



Updated on: 2026-Jun-17