BadBlood: AD Enumeration Test Environment

by Vince

The description for BadBlood states: "It is a security tool for Active Directory. Run BadBlood on a domain so that security analysts and engineers can practice using tools to gain an understanding and prescribe to securing Active Directory. Each time this tool runs, it produces different results. The domain, users, groups, computers and permissions are different."

I think that pretty much sums it up. The point is that we don't often get to work on large test environments, and this creates large, unique environments that we can use to hone our craft.

This is my test domain:



Now we invoke BadBlood:


As it states, this WILL muck up your domain -- best to have a snapshot.


Failsafe:


Once it begins, it will go through a lengthy process:


You might get some errors, which I've removed to clean it up, but in the end, when it finishes:


When we refresh AD Users and Computers, we can already see the difference. 


Searching for users:


Above, we can see that it dropped a password in the Description field, which I've actually seen, and it's something that we can retrieve through enumeration. Also, what you can't see is that BadBlood created over 1,000 user accounts -- among other things.

Simple enumeration of users:


Hunting for that Description field:


Identifying Domain Admins:


If we roll back and run again, we have a completely different environment to hunt. 

There are a ton of exploitation angles, all unique, and it's a great way to hone your AD enumeration skills.
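
The Description-field hunt and the Domain Admins lookup above can also be run as a defensive audit of your own lab domain. The PowerShell below is an added example, not from the original post or the BadBlood project; the function name `Find-DescriptionSecret`, its two heuristics and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example: flag user Description fields that look like they hold a credential.
# Find-DescriptionSecret is a hypothetical helper; patterns are heuristics, not a standard.
function Find-DescriptionSecret {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    begin {
        # Heuristic 1: an explicit password keyword in the text.
        $keyword = '\b(password|passwd|pwd|pw)\b'
        # Heuristic 2: one token of 8+ chars mixing lower, upper, digit and symbol.
        $complex = '(?<!\S)(?=\S*[a-z])(?=\S*[A-Z])(?=\S*\d)(?=\S*[^A-Za-z0-9\s])\S{8,}'
    }
    process {
        $text = [string]$User.Description
        if ([string]::IsNullOrWhiteSpace($text)) { return }
        $reasons = @()
        if ($text -match $keyword)  { $reasons += 'keyword' }        # case-insensitive
        if ($text -cmatch $complex) { $reasons += 'complex-token' }  # case-sensitive
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                Reason         = $reasons -join ','
                # Report the length only, so the finding does not copy the secret again.
                DescriptionLen = $text.Length
            }
        }
    }
}

# Constructed sample objects standing in for directory results.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc_backup'; Description = 'Backup service, pw: Winter2024!x' }
    [pscustomobject]@{ SamAccountName = 'jdoe';       Description = 'Finance, 3rd floor' }
    [pscustomobject]@{ SamAccountName = 'kiosk01';    Description = 'Tr0ub4dor&3xample' }
    [pscustomobject]@{ SamAccountName = 'asmith';     Description = $null }
)
$sample | Find-DescriptionSecret | Format-Table -AutoSize

# Against a lab domain (requires the ActiveDirectory module), marking Domain Admins:
# $da = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SamAccountName
# Get-ADUser -LDAPFilter '(description=*)' -Properties Description |
#     Find-DescriptionSecret |
#     Select-Object *, @{ n = 'DomainAdmin'; e = { $_.SamAccountName -in $da } }
```

Any account this flags should have its password rotated and the Description cleared, since the attribute is readable by ordinary authenticated users by default.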