We all know the issue. You just installed Active Directory Domain Services but everything is empty. To start testing you need to create all sorts of objects which cost a lot of time. This is where BadBlood comes to rescue.
Create Real World Active Directory domains
BadBlood is a collection of scripts developed by David Prowe from Secframe. It eliminates the manual labor for creating real-world content in your Active Directory domain for testing or research. For example, it creates a lot of User objects filled with full names, complex passwords, and a structure of Organisation Units. This takes care of the whole process for creating this manually.
Besides the Users and OU’s there this tool also address the need for Groups and Permissions. This completes the whole real-world scenario to deploy a test domain as quickly as possible. The only thing you need to manually do is install the ADDS role and create the initial domain. Of course, you can also automate that part with a script.
I found BadBlood in a post of Daniel Dieterle a.k.a Cyberarms in his Instagram stories. He has some nice content on there, so be sure to follow him.
Quick deployment of a test domain
This script could not come at a better time. I was just deploying a new Microsoft Windows Server 2019 Domain Controller to build a quick test domain on virtualbox. I downloaded a trial ISO for the installation and did the next-next-finish thing to deploy the machine. After that the usual stuff of chaning the hostname and update this bad boy with the lastest patches.
Before you can start and use this script you need to install the Active Directory Domain Services role. When choosing this role on Windows Server 2019 it will automatically install all the management tools. I also deploy the DNS server role and create the zones prior to the installation. Here is a quick Powershell example of my Domain Controller promotion.
Import-Module ADDSDeployment Install-ADDSForest ` -CreateDnsDelegation:$false ` -DatabasePath "C:\Windows\NTDS" ` -DomainMode "WinThreshold" ` -DomainName "cybertron.local" ` -DomainNetbiosName "CYBERTRON" ` -ForestMode "WinThreshold" ` -InstallDns:$true ` -LogPath "C:\Windows\NTDS" ` -NoRebootOnCompletion:$false ` -SysvolPath "C:\Windows\SYSVOL" ` -Force:$true
Since this blogpost is not about the installation of the Domain Controller itself, I leave that up to you. Let’s say it is ready and configured the way you like. We can now start and deploy the real-world content in it, since it is a bit empty now.
The first thing you need is to download or clone the BadBlood repository from GitHub. If you have the Git client installed, you can do this with an easy onliner.
git clone https://github.com/davidprowe/BadBlood
I have the scripts ready for action. There are a few files in the repository, but the only one you need is Invoke-BadBlood.ps1.
After some disclaimer questions (because you do NOT want to run this in a production environment) the script starts to deploy all the objects.
While the script runs, you see the different stages passing by. All of the stages below are run to create that sweet domain content you where looking for.
- Creating Tiered OU Structure
- Creating Users on Domain
- Creating Groups on Domain
- Creating Computers on Domain
- Creating Permissions on Domain
- Nesting objects into groups on Domain
After BadBlood is finished, you’ll end up with something that looks like this. But, never with the same content. BadBlood randomizes everything on every run. As you can see I have a nice OU structure in my domain and lots of users. The users are also added to groups to make for a real world nesting.
A nice feature of BadBlood is also the permissions on User objects themself. As you can see in the example below the User FREDA has Full Control on MARA’s User object. This makes looking a possible privilege escalation routes more realistic.
BadBlood saves a huge amount of time
Every now and then you just want to have an Microsoft Active Directory domain to try your new found magic on. BadBlood not only makes this job very less time consuming, it also provides you with an automated real worls scenario. And since a good hacker is a lazy hacker (in terms of doing manual stuff), I really recommend using BadBlood.