CravateRouge / bloodyAD

BloodyAD is an Active Directory Privilege Escalation Framework
MIT License
1.12k stars 112 forks

Bloodhound 4.1 released, new edges added #12

Closed jsdhasfedssad closed 2 years ago

jsdhasfedssad commented 2 years ago

Hi,

Bloodhound 4.1 was released yesterday. With that came three new edges: "AddKeyCredentialLink", "AddSelf" and "WriteSPN". See the slide deck for more info.

You already support "AddKeyCredentialLink" (shadow credentials) but does your tool work when only the edge "AddKeyCredentialLink" and not "GenericWrite" or "GenericAll" is available? The same goes for "WriteSPN". At least you used to be able to write SPNs.

Will you support the new edges?

CravateRouge commented 2 years ago

You can already exploit those edges manually using bloodyAD. You can write SPNs using the 'setAttribute' function.

I could, however, add AddSelf and later AddKeyCredentialLink in autobloody. I will leave this issue open as a reminder. The problem with AddKeyCredentialLink, as you experienced, is that you need a Windows 2016 functional level and a DC with a certificate for PKINIT, and SharpHound doesn't check those conditions.

jsdhasfedssad commented 2 years ago

Thanks. Could you write an example on how to write an SPN? Also, are you saying that "AddSelf" will not work using bloodyAD.py or that it already can be used using the "addObjectToGroup" function in bloodyAD.py?

CravateRouge commented 2 years ago

I think something like this should work:

python bloodyAD.py -u john.doe -d bloody -p Password512! --host 192.168.10.2 setAttribute 'computer1$' servicePrincipalName '["HTTP/www.contoso.com","TERMSRV/FRONTRM.contoso.com"]'

Be aware that it will not keep the old values, so if you want to keep them, use getObjectAttributes first and note the SPN value.

honphilemon commented 2 years ago

Can I use a URL with this...appears to be a great tool

CravateRouge commented 2 years ago

Could you be more explicit? I don't understand your question.