📌 Active Directory Enumeration with BloodyAD

🧠 About BloodyAD

BloodyAD is an open‑source Python tool that communicates over LDAP(S) and MS‑SAMR to read and write Active Directory objects without requiring Windows‑based utilities. It is ideal for Linux‑based red team engagements.

Installation:

pip install bloodyad

🔍 Basic Connection

bloodyAD --host 192.168.1.11 -d ignite.local -u administrator -p 'Ignite@987'

📋 Enumerating Computer Accounts

bloodyAD --host 192.168.1.11 -d ignite.local -u administrator -p 'Ignite@987' get children --otype computer

This reveals workstations, servers, and service accounts registered as computer objects.

👥 Enumerating All User Accounts

bloodyAD --host 192.168.1.11 -d ignite.local -u administrator -p 'Ignite@987' get children --otype useronly

Lists all user accounts – default accounts (Administrator, Guest, krbtgt) plus domain users.

🗂️ Enumerating Containers and OUs

bloodyAD --host 192.168.1.11 -d ignite.local -u administrator -p 'Ignite@987' get children --otype container

Reveals container structure and where GPOs are applied.

🌐 DNS Zone Dump

bloodyAD --host 192.168.1.11 -d ignite.local -u administrator -p 'Ignite@987' get dnsDump

Dumps all DNS records – reveals additional hosts, services, and infrastructure.

👑 Domain Admins Group Members

bloodyAD --host 192.168.1.11 -d ignite.local -u administrator -p 'Ignite@987' get object "Domain Admins" --attr member

🔎 Deep Inspection of a User Object

bloodyAD -d ignite.local -u administrator -p Ignite@987 --host 192.168.1.11 get object aaru

Dumps all LDAP attributes – often reveals cleartext passwords in userPassword or unixUserPassword attributes.

⚙️ Checking Machine Account Quota

bloodyAD --host 192.168.1.11 -d ignite.local -u Administrator -p 'Ignite@987' get object "DC=ignite,DC=local" --attr ms-DS-MachineAccountQuota

By default, regular users can create up to 10 computer accounts – abuseable for RBCD attacks.

🛡️ Detection & Hardening

📚 References

• BloodyAD GitHub
• Next: Kerberoasting & AS-REP Roasting →