Hi. Thank you for this tool and all your help!

According to the help output of the command "setShadowCredentials" not only should shadow credentials be written on a target account but those should then also be used to request a certificate. However, it seems no certificate is outputted. Is this part still to be implemented?

Also, which filter can I use with the command "getObjectAttributes" in order to verify that shadow credentials has indeed been removed? Actually, I have the same question related to disabling the flag "DONT_REQ_PREAUTH".

Hi. Me again :) This time I am trying to add DCSync rights to the account "tristan.davies" using the same environment as in my first ticket in which "BIR-ADFS-GMSA$" has GenericAll rights on "tristan.davies".

It seems the targeted account is successfully identified since its SID is outputted but then something happens. In my test environment "tristan.davies" is a domain admin and thus already has this right if that is the problem?

Hi,

Bloodhound 4.1 was released yesterday. With that came three new edges. "AddKeyCredentialLink", "AddSelf" and "WriteSPN". See the slidedeck for more info.

You already support "AddKeyCredentialLink" (shadow credentials) but does your tool work when only the edge "AddKeyCredentialLink" and not "GenericWrite" or "GenericAll" is available? The same goes for "WriteSPN". At least you used to be able to write SPNs.

Will you support the new edges?

First of all, thanks for this amazing project... which seems like a good alternative to aclpwn which has lib issues nowadays.... The error that I am having is when using pathgen.py.

neo4j.exceptions.ClientError: {code: Neo.ClientError.Procedure.ProcedureNotFound} {message: There is no procedure with the name gds.shortestPath.dijkstra.stream registered for this database instance. Please ensure you've spelled the procedure name correctly and that the procedure is properly deployed.}

Hello, I encountered a problem during the local environment test old

┌──(root㉿kali)-[/home/laot/桌面/bloodyAD-main]
└─# python3 bloodyAD.py -d test.lcoal -u 'test' -p 'Pass123' --host 192.168.1.15 addComputer pwnmachine 'CVEPassword1234*'
Opening domain TEST...
Successfully added machine account pwnmachine$ with password CVEPassword1234*.

new

┌──(root㉿kali)-[/home/laot/桌面/bloodyAD-0.1.8]
└─# python3 bloodyAD.py -d test.lcoal -u 'test' -p 'Pass123' --host 192.168.1.15 addComputer pwnmachine 'CVEPassword1234*'
Traceback (most recent call last):
  File "/home/laot/桌面/bloodyAD-0.1.8/bloodyAD.py", line 5, in <module>
    main.main()
  File "/home/laot/桌面/bloodyAD-0.1.8/bloodyAD/main.py", line 71, in main
    args.func(conn, **params)
  File "/home/laot/桌面/bloodyAD-0.1.8/bloodyAD/modules.py", line 157, in addComputer
    ldap_conn.add(computer_dn, attributes=attr)
  File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 1013, in add
    response = self.post_send_single_response(self.send('addRequest', request, controls))
  File "/usr/lib/python3/dist-packages/ldap3/strategy/sync.py", line 160, in post_send_single_response
    responses, result = self.get_response(message_id)
  File "/usr/lib/python3/dist-packages/ldap3/strategy/base.py", line 403, in get_response
    raise LDAPOperationResult(result=result['result'], description=result['description'], dn=result['dn'], message=result['message'], response_type=result['type'])
ldap3.core.exceptions.LDAPConstraintViolationResult: LDAPConstraintViolationResult - 19 - constraintViolation - None - 0000200B: AtrErr: DSID-033E0F1B, #1:
        0: 0000200B: DSID-033E0F1B, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9026b (dNSHostName)
 - addResponse - None

The same test environment, I don't understand why

The first run goes fine, then, re-running it, shows Insuffient Access.

Then, flushing it and rerunning, goes smooth again:

Is it possible to add a method to flush the attribute if not empty?

Cheers!

Hi. Thank you for your work! This tool can hopefully fill the void after ACLPwn. I would very much like to try the tool but currently using pathgen.py fails with "TypeError: 'NoneType' object is not subscriptable".

I am using the standard installation of Bloodhound in Kali (which also includs Neo4j 4.2.1) and they are both running during testing of your tool. AD data is imported. I have also installed all the other requirements your tool requires. When executing the command "python3 pathgen.py -du neo4j -dp [password] -ds '[email protected]' -dt '[email protected]' I get the below stacktrace:

Traceback (most recent call last): File "/root/pentest/bloodyAD/pathgen.py", line 30, in main() File "/root/pentest/bloodyAD/pathgen.py", line 18, in main path = db.getPrivescPath(args.dbsource, args.dbtarget) File "/root/pentest/bloodyAD/autobloody/database.py", line 11, in getPrivescPath relationships = session.read_transaction(self._findShortestPath, source, target) File "/root/pentest/virtual_env_bloodyad/lib/python3.9/site-packages/neo4j/work/simple.py", line 396, in read_transaction return self._run_transaction(READ_ACCESS, transaction_function, *args, **kwargs) File "/root/pentest/virtual_env_bloodyad/lib/python3.9/site-packages/neo4j/work/simple.py", line 325, in _run_transaction result = transaction_function(tx, *args, **kwargs) File "/root/pentest/bloodyAD/autobloody/database.py", line 64, in _findShortestPath return result.single()[0].relationships TypeError: 'NoneType' object is not subscriptable

Is there something I do wrong or does the code need updating?

The "setGenericAll" module with flag "enable" set to "False" does not work for me. After adding the permissions them with the module it is not possible to remove them.

https://github.com/CravateRouge/bloodyAD/blob/68408821b4f0ab280d7b45e2af621ee5268d4082/bloodyAD/utils.py#L266

"ace_haspriv" is always "false" here.

Therefore the remove is never reached. https://github.com/CravateRouge/bloodyAD/blob/68408821b4f0ab280d7b45e2af621ee5268d4082/bloodyAD/utils.py#L282

Also this path is not taken, if the permissions are added twice. https://github.com/CravateRouge/bloodyAD/blob/68408821b4f0ab280d7b45e2af621ee5268d4082/bloodyAD/utils.py#L272

Are you planning to implement reading of LAPS passwords? Or can I read that already using the command "getObjectAttributes"? I tried reading the attribute "ms-mcs-AdmPwd" but either you do not collect that or it is not there since I do not have LAPS enabled.

Hi,

When I try to install bloodyAD with pip, I get this error, I think it's related to the gssapi module

  error: subprocess-exited-with-error
  
  × Getting requirements to build wheel did not run successfully.
  │ exit code: 1
  ╰─> [21 lines of output]
      /bin/sh: 1: krb5-config: not found
      Traceback (most recent call last):
        File "/usr/local/lib/python3.10/site-packages/pip/_vendor/pep517/in_process/_in_process.py", line 363, in <module>
          main()
        File "/usr/local/lib/python3.10/site-packages/pip/_vendor/pep517/in_process/_in_process.py", line 345, in main
          json_out['return_val'] = hook(**hook_input['kwargs'])
        File "/usr/local/lib/python3.10/site-packages/pip/_vendor/pep517/in_process/_in_process.py", line 130, in get_requires_for_build_wheel
          return hook(config_settings)
        File "/tmp/user/0/pip-build-env-q04orkgu/overlay/lib/python3.10/site-packages/setuptools/build_meta.py", line 338, in get_requires_for_build_wheel
          return self._get_build_requires(config_settings, requirements=['wheel'])
        File "/tmp/user/0/pip-build-env-q04orkgu/overlay/lib/python3.10/site-packages/setuptools/build_meta.py", line 320, in _get_build_requires
          self.run_setup()
        File "/tmp/user/0/pip-build-env-q04orkgu/overlay/lib/python3.10/site-packages/setuptools/build_meta.py", line 335, in run_setup
          exec(code, locals())
        File "<string>", line 109, in <module>
        File "<string>", line 22, in get_output
        File "/usr/lib/python3.10/subprocess.py", line 420, in check_output
          return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
        File "/usr/lib/python3.10/subprocess.py", line 524, in run
          raise CalledProcessError(retcode, process.args,
      subprocess.CalledProcessError: Command 'krb5-config --libs gssapi' returned non-zero exit status 127.
      [end of output]
  
  note: This error originates from a subprocess, and is likely not a problem with pip.
error: subprocess-exited-with-error

× Getting requirements to build wheel did not run successfully.
│ exit code: 1
╰─> See above for output.

Any ideas how to fix it ?

I can successfully execute an RBCD attack without involving an existing SPN and instead using a computer account I added just before this using the tool at https://github.com/tothi/rbcd-attack. I tried the same attack using your command "setRbcd" but at the stage when the silver ticket is requested Impacket fails. I didn't actually expect your tool to work since it seems it requires an SPN which I did not input. Still, I wanted to try this before contacting you. I guess this is more of a feature request than a bug report. Can your tool support this attack without needing an SPN? This would lessen the number of requirements needed for this attack to work since anyone can add computers to a domain.