b4blood

Just a wrapper, scans for a breach in Active Directory to gain access to your first shell.

• Scans the DC, time sync for Kerberos
• Scans for SMB vulns
• Kerbrutes users/passwords, you can provide your own users list (-U my_userslist.txt) and/or your password list (-P passlist.txt)
• Checks for AS-REP roasting and launch rockyou.txt against the hash
• Dumps AD
• Scans recursively SMB/NFS shares and dumps juicy files (could be long, --nsd to skip this part)
• Scans for .xml GPP files in SYSVOL and extracts passwords
• Scans for remote connections
• Scans for Kerberoastable accounts
• Dumps NTDS.DIT

Very useful for CTF's, this is a nice tool before BloodHound ingestor.
Could be use for internal audit with these options: --internal -i eth0

Installation (KALI)

git clone https://github.com/moloch54/b4blood  
sudo python3 b4blood/setup.py  

Download NOT THE LATEST VERSION of Kerbrute for your computer (amd64 or 386 CPU):
https://github.com/ropnop/kerbrute/releases
Rename it to "kerbrute"

cd ~/Downloads
sudo cp kerbrute /usr/bin
sudo chmod +x /usr/bin/kerbrute  

Usage

USAGE:  
First make a folder, a lot of logs will be written.  

mkdir myfolder; cd myfolder  

b4blood --ip 192.168.0.45  
b4blood --ip 192.168.0.0/24  
b4blood --ip 192.168.0.* -U users.txt -P passwd.txt  

b4blood --internal -i eth0  

Features

• Scans the DC, time sync for Kerberos
  

• Scans for SMB vulns
  

• Kerbrutes users/passwords, you can provide your own users list (-U my_userslist.txt) and/or your password list (-P passlist.txt)

• Checks for AS-REP roasting and launches rockyou.txt against the hash
  

• Dumps AD

• Scans recursively SMB/NFS shares and dumps juicy files (could be long, --nsd to skip this part)
  
  

• Scans for .xml GPP files in SYSVOL and extracts passwords
  

• Scans for remote connections
  

• Scans for Kerberoastable accounts
  

Add your new creds to all_creds.txt and relaunch b4blood

• Dumps NTDS.DIT