Tags: Exploitation, active directory, privilege escalation, ldap, ntlm, kerberos, pass-the-hash, pass-the-ticket

bloodyAD

Active Directory privilege escalation framework that performs specific LDAP calls to domain controllers. Supports authentication via cleartext passwords, pass-the-hash, pass-the-ticket, or certificates.

Description

bloodyAD is an Active Directory privilege escalation framework. It binds to the LDAP service of a domain controller and issues targeted LDAP operations that abuse weak permissions or misconfigurations on AD objects, which makes it a versatile tool for working in AD environments.

The tool supports multiple authentication methods: cleartext passwords, pass-the-hash, pass-the-ticket, and certificates. It does not require LDAPS, so it can exchange sensitive information over standard unencrypted LDAP, and it works through SOCKS proxies for transparent use across networked environments.

Use cases include red team engagements where initial access to a domain user is obtained, and escalation to higher privileges is required via AD misconfigurations or weak permissions.

How It Works

bloodyAD connects to the domain controller's LDAP service using NTLM or Kerberos authentication. It then issues specific LDAP calls to add, get, remove, or set AD objects and attributes, taking advantage of permission weaknesses to escalate privileges. It can run over plain LDAP when LDAPS is unavailable, and its traffic can be routed through a SOCKS proxy.

Installation

    sudo apt install bloodyad

Flags

    -h, --help                      show this help message and exit
    -d, --domain DOMAIN             Domain used for NTLM authentication
    -u, --username USERNAME         Username used for NTLM authentication
    -p, --password PASSWORD         password or LMHASH:NTHASH for NTLM authentication, password or AES/RC4 key for Kerberos, password for certificate
    -k [KERBEROS ...]               Kerberos authentication options
    -f {b64,hex,aes,rc4,default}    Key format specification
    -c [CERTIFICATE]                Certificate authentication
    -s                              Use SOCKS proxy
    --host HOST                     Target host
    --dc-ip DC_IP                   Domain controller IP
    --dns DNS                       DNS server
    --gc                            Use Global Catalog
    -v {QUIET,INFO,DEBUG}           Verbosity level

Examples

Display the full usage help message for bloodyAD:

    bloodyAD -h

Run the add subcommand using NTLM (username and password) authentication:

    bloodyAD -d DOMAIN -u USERNAME -p PASSWORD add

Run the get subcommand using Kerberos authentication:

    bloodyAD -d DOMAIN -u USERNAME -k KERBEROS get

Run the remove subcommand through a SOCKS proxy with password authentication:

    bloodyAD -d DOMAIN -u USERNAME -p PASSWORD -s remove

Run the set subcommand against a specific domain controller IP:

    bloodyAD --dc-ip DC_IP -u USERNAME -p PASSWORD set

Retrieve information using certificate authentication and a custom DNS server:

    bloodyAD -d DOMAIN -u USERNAME -c CERTIFICATE --dns DNS get

Run the add subcommand with DEBUG verbosity:

    bloodyAD -d DOMAIN -u USERNAME -p PASSWORD -v DEBUG add
Updated 2026-04-16. Source: kali.org