Active Directory Hacking Cheat Sheet

Active Directory remains the crown jewel of most enterprise environments — and the #1 target for red teamers, pentesters, and real attackers. Once SharpHound has dumped the JSON files, the key is turning that raw data into actionable attack paths.

BloodBash is the lightweight, offline Python alternative to BloodHound that does exactly that: it ingests SharpHound (and AzureHound) JSON files, builds a full graph, and surfaces every high-impact misconfiguration — no Neo4j, no GUI, just fast terminal output with abuse hints.

For the original introduction to the tool, read the excellent article on SquidHacker.com:
BloodBash: A Lightweight Python Alternative to BloodHound for Active Directory Analysis

Below is the complete breakdown of everything BloodBash detects, with:

  • What the vulnerability/misconfiguration actually is
  • Why it’s useful (and dangerous) for attackers to detect
  • The exact BloodBash command to find it

Quick Start

git clone https://github.com/DotNetRussell/BloodBash.git && cd BloodBash
python3 -m venv venv && source venv/bin/activate
pip install -r requirements.txt

Run it against your SharpHound JSON folder:

python3 BloodBash.py /path/to/json/folder --all --verbose

Kerberos Attacks


Kerberoastable accounts (--kerberoastable)


What it is: Service accounts that have a Service Principal Name (SPN) set. Any authenticated user can request a Kerberos service ticket for them and crack the ticket offline using tools like Hashcat.


Why it’s useful to detect: These tickets often use weak RC4 encryption and service accounts frequently have poor passwords. Cracking them gives you long-term credentials that are rarely rotated. One cracked service account can lead to lateral movement or privilege escalation across the domain.


Command:

python3 BloodBash.py sharpout --kerberoastable

AS-REP roastable accounts (--as-rep-roastable)


What it is: User accounts with the DoNotRequirePreauth (DONT_REQ_PREAUTH) flag set. Attackers can request an AS-REP (Authentication Service Response) without a password and crack it offline.


Why it’s useful to detect: These accounts are extremely easy to attack — no interaction required from the user. Once cracked, you have valid domain credentials. Very common on legacy accounts or service principals.


Command:

python3 BloodBash.py sharpout --as-rep-roastable

Delegation Abuses (The Delegation Trinity)


Unconstrained Delegation (--unconstrained-delegation)


What it is: Computers or users with the TrustedForDelegation flag (or TrustedToAuthForDelegation). When another user authenticates to a service running under such an account, the service receives and caches a copy of that user’s TGT (Ticket Granting Ticket).


Why it’s useful to detect: If you compromise a machine with unconstrained delegation (common on older servers), you can coerce any user to authenticate to it and steal their TGT. This lets you impersonate anyone (including Domain Admins) anywhere in the domain. Extremely high impact.


Command:

python3 BloodBash.py sharpout --unconstrained-delegation

Constrained Delegation (--constrained-delegation)


What it is: Accounts allowed to delegate to specific services only (msDS-AllowedToDelegateTo attribute).


Why it’s useful to detect: If you control the delegating account, you can impersonate any user to the allowed target services (e.g., CIFS, LDAP, HTTP). This is a precise but powerful way to pivot to high-value resources without needing the victim’s password.


Command:

python3 BloodBash.py sharpout --constrained-delegation

Resource-Based Constrained Delegation (RBCD) (--rbcd)


What it is: Any computer or user can be added to another object’s msDS-AllowedToActOnBehalfOfOtherIdentity attribute.


Why it’s useful to detect: You don’t need control of the delegating account — you only need write permission on the target computer’s attribute. This lets you impersonate any user to that computer (often used to escalate from a regular user to Domain Admin via a single compromised machine). One of the most abused modern techniques.


Command:

python3 BloodBash.py sharpout --rbcd
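As an added example (not BloodBash’s own code), here is a small audit over a SharpHound computers file that separates the three delegation findings above and keeps domain controllers out of the unconstrained list, since they hold that flag by design. The JSON layout, the property names and the PrimaryGroupSID key are assumptions modelled on SharpHound CE output; the sample file is constructed inline.

```python
import json

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID

# Constructed sample in the shape of a SharpHound *_computers.json file. Key and
# property names follow SharpHound CE output as understood by the author of this
# example; verify them against a real dump before relying on them.
SAMPLE_COMPUTERS_JSON = json.dumps({"data": [
    {"ObjectIdentifier": DOMAIN_SID + "-1001", "PrimaryGroupSID": DOMAIN_SID + "-516",
     "Properties": {"name": "DC01.CORP.LOCAL", "unconstraineddelegation": True,
                    "trustedtoauth": False, "allowedtodelegate": []}, "AllowedToAct": []},
    {"ObjectIdentifier": DOMAIN_SID + "-1002", "PrimaryGroupSID": DOMAIN_SID + "-515",
     "Properties": {"name": "FS01.CORP.LOCAL", "unconstraineddelegation": True,
                    "trustedtoauth": False, "allowedtodelegate": []}, "AllowedToAct": []},
    {"ObjectIdentifier": DOMAIN_SID + "-1003", "PrimaryGroupSID": DOMAIN_SID + "-515",
     "Properties": {"name": "WEB01.CORP.LOCAL", "unconstraineddelegation": False,
                    "trustedtoauth": True, "allowedtodelegate": ["cifs/FS01.CORP.LOCAL"]},
     "AllowedToAct": []},
    {"ObjectIdentifier": DOMAIN_SID + "-1004", "PrimaryGroupSID": DOMAIN_SID + "-515",
     "Properties": {"name": "SQL01.CORP.LOCAL", "unconstraineddelegation": False,
                    "trustedtoauth": False, "allowedtodelegate": []},
     "AllowedToAct": [{"ObjectIdentifier": DOMAIN_SID + "-1003", "ObjectType": "Computer"}]},
], "meta": {"type": "computers", "count": 4, "version": 5}})


def audit_delegation(raw_json):
    """Sort every computer into the three delegation findings.

    Domain controllers carry the unconstrained flag by design, so they go under a
    separate key: not a misconfiguration, but part of the audit record."""
    data = json.loads(raw_json)["data"]
    names = {c["ObjectIdentifier"]: c["Properties"]["name"] for c in data}
    out = {"unconstrained": [], "unconstrained_dc": [], "constrained": {}, "rbcd": {}}
    for c in data:
        p, name = c["Properties"], c["Properties"]["name"]
        # RID 516 is Domain Controllers, the primary group of every DC account.
        is_dc = c.get("PrimaryGroupSID", "").endswith("-516")
        if p.get("unconstraineddelegation"):
            out["unconstrained_dc" if is_dc else "unconstrained"].append(name)
        if p.get("allowedtodelegate"):  # msDS-AllowedToDelegateTo as a list of SPNs
            out["constrained"][name] = {
                # trustedtoauth is TrustedToAuthForDelegation (protocol transition):
                # tickets for any user can be obtained without that user's involvement.
                "protocol_transition": bool(p.get("trustedtoauth")),
                "targets": list(p["allowedtodelegate"])}
        for actor in c.get("AllowedToAct", []):  # msDS-AllowedToActOnBehalfOfOtherIdentity
            sid = actor["ObjectIdentifier"]
            out["rbcd"].setdefault(name, []).append(names.get(sid, sid))
    return out
```

Entries under "constrained" with protocol_transition set to True deserve the first look, because the delegating account can then act for any user without that user ever touching it.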

Certificate Services (ADCS) Vulnerabilities


ADCS ESC1–ESC8 (--adcs)


What it is: Misconfigurations in Active Directory Certificate Services templates and permissions that allow low-privileged users to request certificates with arbitrary identities, SANs, or enrollment agent rights (ESC1–ESC8 cover different attack vectors).


Why it’s useful to detect: A single vulnerable template can let you request a certificate as a Domain Admin or Enterprise Admin, giving you a golden ticket equivalent. ADCS is often overlooked, yet it provides some of the most reliable domain dominance paths in modern environments.


Command:

python3 BloodBash.py sharpout --adcs

Credential Dumping & Replication


DCSync / Replication Rights (--dcsync)


What it is: Any principal with Replicating Directory Changes or Replicating Directory Changes All rights can act like a Domain Controller and pull password hashes.


Why it’s useful to detect: This is the modern equivalent of dumping the NTDS.dit file. It lets you extract every user’s hash (including krbtgt) without touching a DC. Extremely stealthy and devastating.


Command:

python3 BloodBash.py sharpout --dcsync

Dangerous Permissions & ACL Abuse


Dangerous ACLs on high-value objects (--dangerous-permissions --high-value)


What it is: GenericAll, ResetPassword, WriteDacl, WriteOwner, or other powerful rights granted to non-admins on Domain Admins groups, key users, computers, or OUs.


Why it’s useful to detect: These rights let attackers reset passwords, modify group membership, or take ownership of critical objects. One over-permission on a Domain Admin account = instant domain compromise. BloodBash prioritizes these on high-value targets.


Command:

python3 BloodBash.py sharpout --dangerous-permissions --high-value
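As an added example covering both the DCSync and the dangerous-ACL sections (not BloodBash’s own code): an ACE audit over SharpHound domain and group objects that only reports DCSync when a principal holds the replication right pair (GetChanges plus GetChangesAll, or a right such as GenericAll that implies them), and flags control rights on high-value objects held by anything outside a constructed allowlist of expected privileged principals. ACE key names and the admincount property are assumptions modelled on SharpHound CE output; the objects are constructed inline.

```python
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
# Principals expected to hold replication or control rights; anyone else holding
# them is a finding. Constructed allowlist: Domain Admins (RID 512), Domain
# Controllers (516), Enterprise Admins (519), Enterprise DCs, Administrators, SYSTEM.
EXPECTED = {DOMAIN_SID + "-512", DOMAIN_SID + "-516", DOMAIN_SID + "-519",
            "S-1-5-9", "S-1-5-32-544", "S-1-5-18"}
DCSYNC_RIGHTS = {"GetChanges", "GetChangesAll"}         # both are required to replicate
DCSYNC_SUPERSETS = {"GenericAll", "AllExtendedRights"}  # either one implies both
DANGEROUS_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "Owns",
                    "ForceChangePassword", "AllExtendedRights", "AddMember"}


def ace(sid, right, kind="User"):
    # ACE shape as SharpHound CE writes it (assumed; verify against a real dump)
    return {"PrincipalSID": sid, "PrincipalType": kind, "RightName": right, "IsInherited": False}


# Constructed objects: the domain head (from *_domains.json) and the Domain
# Admins group (from *_groups.json). All values are made up for this example.
SAMPLE_OBJECTS = [
    {"ObjectIdentifier": DOMAIN_SID, "Properties": {"name": "CORP.LOCAL"},
     "Aces": [ace(DOMAIN_SID + "-512", "GetChangesAll", "Group"),
              ace(DOMAIN_SID + "-1105", "GetChanges"), ace(DOMAIN_SID + "-1105", "GetChangesAll"),
              ace(DOMAIN_SID + "-1106", "GetChanges")]},  # half the pair only: not DCSync
    {"ObjectIdentifier": DOMAIN_SID + "-512",
     "Properties": {"name": "DOMAIN ADMINS@CORP.LOCAL", "admincount": True},
     "Aces": [ace(DOMAIN_SID + "-1107", "GenericAll", "Group"),
              ace("S-1-5-32-544", "WriteDacl", "Group")]},
]


def audit_aces(objects, domain_sid):
    """Return (dcsync_holders, dangerous) with allowlisted principals removed:
    SIDs holding replication rights on the domain head, and (sid, right, object
    name) tuples for control rights on the domain head or admincount objects."""
    dcsync, dangerous = [], []
    for obj in objects:
        name = obj["Properties"]["name"]
        is_domain = obj["ObjectIdentifier"] == domain_sid
        high_value = is_domain or bool(obj["Properties"].get("admincount"))
        held = {}
        for a in obj.get("Aces", []):
            sid, right = a["PrincipalSID"], a["RightName"]
            if sid in EXPECTED:
                continue
            held.setdefault(sid, set()).add(right)
            if high_value and right in DANGEROUS_RIGHTS:
                dangerous.append((sid, right, name))
        if is_domain:
            dcsync += [sid for sid, rights in held.items()
                       if DCSYNC_RIGHTS <= rights or rights & DCSYNC_SUPERSETS]
    return sorted(dcsync), dangerous
```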

Group Policy Object (GPO) Abuse


GPO Abuse (--gpo-abuse)


What it is: Weak permissions on GPOs (Edit Settings, Apply Group Policy, etc.) combined with full XML parsing of Scheduled Tasks, Scripts, and legacy cPassword fields.


Why it’s useful to detect: Attackers can modify GPOs to push malicious scheduled tasks or scripts that run as SYSTEM across hundreds of machines. The cPassword field is a classic cleartext password giveaway. GPOs are one of the fastest ways to achieve mass lateral movement.


Command:

python3 BloodBash.py sharpout --gpo-abuse --gpo-content-dir /path/to/gpo/backups

Modern Credential Attacks


Shadow Credentials (--shadow-credentials)


What it is: The KeyCredentialLink attribute on users or computers, which allows an attacker to register a new public key and authenticate as that principal.


Why it’s useful to detect: It’s a silent, passwordless way to backdoor any account. Once detected, you know exactly which accounts have been (or can be) compromised without triggering normal logging.


Command:

python3 BloodBash.py sharpout --shadow-credentials

SID History Abuse (--sid-history)


What it is: The sidHistory attribute contains extra SIDs from previous domains or migrations.


Why it’s useful to detect: Attackers can add privileged SIDs (e.g., Domain Admins from a trusted domain) to their account and instantly gain those rights. Classic persistence and trust-abuse technique.


Command:

python3 BloodBash.py sharpout --sid-history

Weak Password Policies & Accounts


Password in description, PasswordNeverExpires, PasswordNotRequired (--password-descriptions --password-never-expires --password-not-required)


What it is: Plaintext passwords stored in the description field, or accounts with PasswordNeverExpires or PasswordNotRequired flags.


Why it’s useful to detect: These are low-hanging fruit. Passwords in descriptions are often used by admins for service accounts. Never-expires accounts are rarely rotated, giving attackers a permanent credential.


Commands:

python3 BloodBash.py sharpout --password-descriptions --password-never-expires --password-not-required
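As an added example (not BloodBash’s own code), the following audits a SharpHound users file for the account flags covered in the Kerberos Attacks section and in this section, so that Kerberoastable, AS-REP roastable, never-expiring, password-not-required and password-in-description accounts can be triaged before remediation. The JSON shape and property names are assumptions modelled on SharpHound CE output; the sample file is constructed inline.

```python
import json

# Constructed sample in the shape of a SharpHound *_users.json file. The property
# names (enabled, hasspn, serviceprincipalnames, dontreqpreauth, pwdneverexpires,
# passwordnotreqd, description) are assumed to match SharpHound CE output.
SAMPLE_USERS_JSON = json.dumps({"data": [
    {"Properties": {"name": "SVC_SQL@CORP.LOCAL", "enabled": True, "hasspn": True,
                    "serviceprincipalnames": ["MSSQLSvc/db01.corp.local:1433"],
                    "dontreqpreauth": False, "pwdneverexpires": True,
                    "passwordnotreqd": False, "description": "SQL svc - pw: Summer2024!"}},
    {"Properties": {"name": "LEGACY_APP@CORP.LOCAL", "enabled": True, "hasspn": False,
                    "serviceprincipalnames": [], "dontreqpreauth": True,
                    "pwdneverexpires": False, "passwordnotreqd": True, "description": None}},
    {"Properties": {"name": "KRBTGT@CORP.LOCAL", "enabled": False, "hasspn": True,
                    "serviceprincipalnames": ["kadmin/changepw"], "dontreqpreauth": False,
                    "pwdneverexpires": False, "passwordnotreqd": False, "description": None}},
    {"Properties": {"name": "OLD_SVC@CORP.LOCAL", "enabled": False, "hasspn": True,
                    "serviceprincipalnames": ["HTTP/old.corp.local"], "dontreqpreauth": True,
                    "pwdneverexpires": True, "passwordnotreqd": False, "description": None}},
], "meta": {"type": "users", "count": 4, "version": 5}})

# Heuristic: a description mentioning any of these usually carries a credential.
PASSWORD_HINTS = ("pass", "pw", "pwd", "cred")


def audit_users(raw_json, include_disabled=False):
    """Return {finding: [account names]} for the account-flag findings above.
    Disabled accounts are skipped by default (they cannot be roasted or logged on
    with); krbtgt always carries an SPN and is never a Kerberoasting finding."""
    findings = {k: [] for k in ("kerberoastable", "as_rep_roastable", "password_never_expires",
                                "password_not_required", "password_in_description")}
    for obj in json.loads(raw_json)["data"]:
        p = obj["Properties"]
        name = p["name"]
        if not p.get("enabled", False) and not include_disabled:
            continue
        has_spn = p.get("hasspn") or p.get("serviceprincipalnames")
        if has_spn and not name.upper().startswith("KRBTGT@"):
            findings["kerberoastable"].append(name)
        if p.get("dontreqpreauth"):        # UAC flag DONT_REQ_PREAUTH
            findings["as_rep_roastable"].append(name)
        if p.get("pwdneverexpires"):
            findings["password_never_expires"].append(name)
        if p.get("passwordnotreqd"):       # UAC flag PASSWD_NOTREQD
            findings["password_not_required"].append(name)
        desc = (p.get("description") or "").lower()
        if any(hint in desc for hint in PASSWORD_HINTS):
            findings["password_in_description"].append(name)
    return findings
```

Run with include_disabled=True when the goal is cleanup of stale accounts rather than current exposure; the description heuristic is deliberately loose and expects a human to read the hits.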

Additional High-Value Insights


LAPS Status & Sessions (--laps --sessions)


What it is: BloodBash shows whether Local Administrator Password Solution (LAPS) is properly deployed and maps LocalAdmin, RDP, and DCOM sessions.


Why it’s useful: LAPS misconfigurations = easy local admin on every workstation. Session mapping tells you exactly who is logged in where — perfect for targeted phishing or pass-the-hash.

Shortest Paths to High-Value Targets (--shortest-paths)


What it is: BloodBash computes the shortest attack paths to Domain Admins, Enterprise Admins, krbtgt, etc. (and lets you specify your own owned principals with --owned).


Why it’s useful: This is the “attack graph” view in terminal form — it tells you the exact minimal steps needed to own the domain.
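As an added example (not BloodBash’s own code), the breadth-first search below is the core of a shortest-path query over an edge list of the kind BloodBash derives from SharpHound data, plus a helper that re-runs the query after cutting an edge. That second step is how a defender confirms that a remediation actually severs the path instead of merely lengthening it. Edge names and principals are constructed.

```python
from collections import deque

# Constructed edge list of the kind BloodBash derives from SharpHound JSON:
# (source, relationship, target). Principal names are made up for this example.
EDGES = [
    ("ALICE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "ForceChangePassword", "BOB@CORP.LOCAL"),
    ("BOB@CORP.LOCAL", "AdminTo", "WS07.CORP.LOCAL"),
    ("WS07.CORP.LOCAL", "HasSession", "SVC_BACKUP@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "GenericAll", "DOMAIN ADMINS@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "MemberOf", "DOMAIN USERS@CORP.LOCAL"),
    ("DOMAIN USERS@CORP.LOCAL", "CanRDP", "WS09.CORP.LOCAL"),
    ("WS09.CORP.LOCAL", "HasSession", "CAROL@CORP.LOCAL"),
    ("CAROL@CORP.LOCAL", "AddMember", "DOMAIN ADMINS@CORP.LOCAL"),
]


def shortest_path(edges, owned, target):
    """Breadth-first search from every owned principal at once.

    Returns the shortest path as a list of (source, relationship, target)
    hops, or None when the target is unreachable from the owned set."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    parent = {node: None for node in owned}   # node -> (previous node, relationship)
    queue = deque(owned)
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parent[node] is not None:
                prev, rel = parent[node]
                path.append((prev, rel, node))
                node = prev
            return path[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:             # first visit is the shortest in hop count
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None


def without(edges, *removed):
    """Edge list with the given (source, relationship, target) hops removed:
    the remediation check is to cut an edge and confirm no path remains."""
    return [e for e in edges if e not in removed]
```

In the constructed graph, removing CAROL’s AddMember right still leaves a longer five-hop path through the helpdesk group, so two edges have to be cut before ALICE can no longer reach Domain Admins.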

BloodBash Command Cheat Sheet (Copy-Paste Ready)

  • Full audit → --all --verbose
  • ADCS only → --adcs
  • All delegation → --unconstrained-delegation --constrained-delegation --rbcd
  • Dangerous perms → --dangerous-permissions --high-value
  • Kerberos focus → --kerberoastable --as-rep-roastable
  • DCSync + GPO + RBCD combo → --dcsync --gpo-abuse --rbcd
  • Export everything → --all --export=html --export=md

Pro tip: Chain everything you care about in one command for a single-run report:

python3 BloodBash.py sharpout --adcs --dcsync --gpo-abuse --rbcd --dangerous-permissions --kerberoastable --as-rep-roastable --shortest-paths --verbose

BloodBash gives you the same intelligence as BloodHound — but faster, lighter, and with clear explanations of why each finding matters to an attacker. Use it on every AD engagement and you’ll never miss a critical path again.

Resources

Run SharpHound, point BloodBash at the JSONs, and start dominating the domain. Happy hacking!


Need your attack surface actually tested — not just scanned?


I don’t do checkbox audits or automated-report spam. I do deep, adversary-emulated penetration testing that finds the chains attackers would actually use against you in 2026.

  • Web + API pentests
  • Cloud infrastructure & misconfig deep-dives (AWS, Azure, GCP)
  • Supply-chain & dependency risk assessments
  • Purple-team workshops and/or Lunch and Learns for engineers
  • Custom tool development for persistent threats

If you’re tired of vendors who patch CVEs but miss business logic bugs, nation-state persistence, or post-exploit pivots — let’s talk.

🕸️ Hire SquidSec
📩 contact@squidhacker.com
🔒 Encrypted comms (PGP / Signal) available on request

No fluff.
No scanner output.
No nonsense.
Just results that matter.


☣️ Mr. The Plague ☣️
squidhacker.com