Bounty

Protect your domain's treasure - breach yourself before someone else does.

Where password security meets treasure protection

Protect Your Digital Treasure

Bounty is an Active Directory hardening tool that compares your users' password hashes against a database of cracked and leaked credentials. Like a vigilant guardian, Bounty proactively identifies weak or compromised accounts before they can be exploited. This empowers you to enforce a stronger authentication posture across your enterprise environment and stay ahead of potential threats.

Secure Your Domain's Most Valuable Assets

  • Secure Hash Comparison

    Like a seasoned treasure hunter consulting a trusted guide, Bounty securely checks your Active Directory password hashes against an encrypted database of known cracked credentials. It identifies vulnerable accounts without ever exposing your sensitive data, ensuring both security and insight.

  • Flexible Hash Processing Options

    Choose between sending NTLM hashes for comprehensive analysis or more secure hash digests for 1:1 matching. Full hashes undergo rigorous testing against specialized wordlists, rules, and masks to detect even low-entropy permutations of known compromised passwords, while digests offer maximum security with targeted matching.

  • Active Directory Integration

    Bounty integrates seamlessly with your Active Directory environment, allowing for targeted auditing of specific user groups, OUs, or the entire domain. This precision targeting ensures you can focus your security efforts where they matter most.

  • Password Hygiene Enforcement

    Beyond simple detection, Bounty provides comprehensive tools for enforcing resilient password policies, helping organizations implement and maintain strong password hygiene across their entire user base.

  • Complete Data Isolation

    Your company identity and usernames are fully decoupled from submitted hash data. Authentication occurs through a separate secure channel, and absolutely no organizational or user identifiers are ever attached to password hashes or digests. This architectural separation ensures your sensitive data cannot be linked back to your organization or specific users, providing an additional layer of security and privacy protection. Hashes exist in isolation—completely untraceable to their source.

  • Secure Authentication

    Bounty authentication credentials are never stored locally on your systems. The tool supports popular two-factor authentication methods, ensuring that only authorized security personnel can access the system and its findings. This zero-footprint authentication approach adds another layer of protection to your security operations.

  • Privileged Local Operation

    Bounty operates entirely on disk within your Domain Controller in a privileged folder, accessible only to local administrators. This ensures that regular domain users cannot access the tool or its sensitive operations, maintaining strict access control aligned with your existing security hierarchy.

Active Directory Misconfiguration Detection

Beyond password analysis, Bounty identifies critical Active Directory misconfigurations that could expose your environment to attack. Our comprehensive scanning detects vulnerabilities across multiple attack vectors, and every misconfiguration identified includes an automated fix option dynamically tailored for each vulnerability type.

  • ADCS Vulnerabilities

    Identifies Active Directory Certificate Services misconfigurations that could allow privilege escalation or certificate-based attacks.

  • Kerberoasting Detection

    Discovers service accounts vulnerable to Kerberoasting attacks, where attackers can request service tickets and crack them offline.

  • ASREPRoasting Identification

    Finds accounts that don't require Kerberos pre-authentication, making them susceptible to ASREPRoasting attacks.

  • SMB & RPC Null Bind Analysis

    Detects systems allowing null session binds over SMB and RPC, which can leak sensitive domain information to unauthenticated attackers.

  • GPP Password Discovery

    Identifies Group Policy Preferences containing stored passwords, which can be easily decrypted by attackers with domain access.

  • GPP Autologin Detection

    Discovers autologin credentials stored in Group Policy Preferences, exposing plaintext or easily decryptable credentials.

  • Delegation Misconfiguration Analysis

    Detects dangerous delegation settings including Resource-Based Constrained Delegation (RBCD), Unconstrained Delegation, and Constrained Delegation that could allow privilege escalation.

  • Pre-Windows 2000 Computer Accounts

    Identifies computer accounts vulnerable to Pre2k attacks, where legacy compatibility settings allow authentication with weak or empty passwords.

  • Automated Remediation

    Each detected vulnerability comes with an automated fix option, dynamically customized for the specific misconfiguration type. Apply fixes with confidence using our tested remediation scripts.

  • Continuously Evolving Detection

    We are constantly adding new vulnerability detection capabilities based on emerging threats and attack techniques, ensuring your defenses stay ahead of adversaries.
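Several of the checks listed above reduce to directory attributes a defender can read directly. The following is an added example, not Bounty's code: it flags exported account entries using the documented `userAccountControl` bit values. The entry layout (dicts keyed by LDAP attribute name) and the sample accounts are constructed for illustration.

```python
# userAccountControl bits as documented by Microsoft.
UF_ACCOUNTDISABLE = 0x2
UF_SERVER_TRUST_ACCOUNT = 0x2000      # domain controller computer account
UF_TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained delegation
UF_DONT_REQUIRE_PREAUTH = 0x400000    # Kerberos pre-authentication not required


def audit_account(entry):
    """Return sorted finding labels for one exported directory entry (a dict)."""
    uac = int(entry.get("userAccountControl", 0))
    if uac & UF_ACCOUNTDISABLE:
        return []  # skip disabled accounts (krbtgt is disabled by default)
    findings = set()
    is_computer = "computer" in entry.get("objectClass", [])
    if uac & UF_DONT_REQUIRE_PREAUTH:
        findings.add("asrep-roastable")
    # Kerberoasting concerns user-type accounts that carry an SPN.
    if entry.get("servicePrincipalName") and not is_computer:
        findings.add("kerberoastable")
    # Domain controllers are trusted for delegation by design; flag everything else.
    if (uac & UF_TRUSTED_FOR_DELEGATION) and not (uac & UF_SERVER_TRUST_ACCOUNT):
        findings.add("unconstrained-delegation")
    if entry.get("msDS-AllowedToDelegateTo"):
        findings.add("constrained-delegation")
    if entry.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        findings.add("rbcd")
    return sorted(findings)


# Constructed sample entries (names and values are illustrative only).
SAMPLE_ENTRIES = {
    "jdoe": {"objectClass": ["user"], "userAccountControl": 0x200 | 0x400000},
    "svc_sql": {"objectClass": ["user"], "userAccountControl": 0x200,
                "servicePrincipalName": ["MSSQLSvc/db01.example.test:1433"]},
    "DC01$": {"objectClass": ["user", "computer"], "userAccountControl": 0x2000 | 0x80000,
              "servicePrincipalName": ["HOST/dc01.example.test"]},
    "APP01$": {"objectClass": ["user", "computer"], "userAccountControl": 0x1000 | 0x80000,
               "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01"},
    "krbtgt": {"objectClass": ["user"], "userAccountControl": 0x202,
               "servicePrincipalName": ["kadmin/changepw"]},
}


def audit_all(entries):
    """Audit every entry and keep only the accounts with at least one finding."""
    results = {name: audit_account(e) for name, e in entries.items()}
    return {name: f for name, f in results.items() if f}


if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_ENTRIES).items():
        print(name, found)
```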

The Kraken's Advantage

What sets Bounty apart is its unique approach to password security. While traditional tools focus on enforcing complex password policies, Bounty takes a proactive stance by identifying passwords that have already been compromised in the wild.

This approach provides a level of protection that traditional password policies alone cannot provide by addressing the fundamental weakness of complex passwords: their reuse or compromise in real-world breaches and red team engagements.

Technical Specifications

System Requirements

Domain Controller Access

  • Windows Server 2012 R2 or newer
  • Password expiration modification privileges
  • 8GB RAM minimum (16GB recommended)
  • 500MB+ of disk space for temporary audit storage

Security Features

  • Secure hash processing for maximum security
  • Encrypted storage of all sensitive data
  • Detailed audit logging of all operations
  • SIEM Integrations and Email Alerting

Hash Database

  • Regular updates from multiple breach and real-world sources
  • Over 18 billion cracked, unique hashes
  • Fast and secure bleeding-edge protocols
  • Optimized search for rapid comparison

Use Cases

  • Regular security audits of Active Directory environments
  • Post-breach assessment to identify potentially compromised accounts
  • Compliance verification for password security requirements
  • Proactive security hardening before penetration testing

How Bounty Works

A secure, step-by-step process that protects your data while identifying vulnerabilities

  1. Secure Job Creation: Administrator creates secure job on Domain Controller
  2. Hash Extraction: Extract password hashes from NTDS.dit database
  3. Smart Filtering: Filter users/groups, exclude krbtgt account
  4. Data Anonymization: Decouple user info from hashes for anonymity
  5. Hash Preparation: Prepare NTLM hashes or secure digests
  6. Secure Transmission: Send anonymous hashes via encrypted channel
  7. Local Encryption: Store random IDs in AES-256 encrypted database
  8. Access Control: Require DPAPI access and unique nonce
  9. Status Monitoring: Query job status until completion
  10. Local Processing: Retrieve and compare results locally
  11. Secure Storage: Save metadata to encrypted key-value store
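The decoupling in steps 3 to 5 and the local comparison in step 10 can be sketched as follows. This is an added example, not Bounty's code or protocol. Assumptions: the "secure digest" is modelled as SHA-256 over the raw NT hash bytes, the remote side is a local stand-in function, and the ID-to-user map is held in memory rather than in the AES-256 encrypted store of step 7.

```python
import hashlib
import secrets


def prepare_job(accounts, exclude=("krbtgt",)):
    """Split (username, nt_hash_hex) pairs into a local map and an anonymous payload."""
    local_map, payload = {}, []
    for username, nt_hash in accounts:
        if username.lower() in exclude:        # step 3: filtering
            continue
        job_id = secrets.token_hex(16)         # step 4: random ID replaces the username
        local_map[job_id] = username           # stays on the Domain Controller
        # Step 5, digest mode. ASSUMPTION: SHA-256 over the raw NT hash bytes.
        digest = hashlib.sha256(bytes.fromhex(nt_hash)).hexdigest()
        payload.append({"id": job_id, "digest": digest})
    secrets.SystemRandom().shuffle(payload)    # do not reveal directory order
    return local_map, payload


def simulated_service(payload, known_digests):
    """Hypothetical stand-in for the remote side: it sees only IDs and digests."""
    return [item["id"] for item in payload if item["digest"] in known_digests]


def resolve_locally(local_map, matched_ids):
    """Step 10: map matched random IDs back to usernames on the DC."""
    return sorted(local_map[i] for i in matched_ids if i in local_map)


# Constructed sample values (arbitrary hex strings, not real NT hashes).
SAMPLE_ACCOUNTS = [
    ("alice", "00112233445566778899aabbccddeeff"),
    ("bob", "ffeeddccbbaa99887766554433221100"),
    ("dave", "00112233445566778899aabbccddeeff"),  # same password as alice
    ("krbtgt", "0123456789abcdef0123456789abcdef"),
]
KNOWN_DIGESTS = {
    hashlib.sha256(bytes.fromhex("00112233445566778899aabbccddeeff")).hexdigest()
}


def run_demo():
    """Run the whole flow on the sample data; returns (local_map, payload, flagged)."""
    local_map, payload = prepare_job(SAMPLE_ACCOUNTS)
    matched = simulated_service(payload, KNOWN_DIGESTS)
    return local_map, payload, resolve_locally(local_map, matched)


if __name__ == "__main__":
    _, sent, flagged = run_demo()
    print("sent:", sent)
    print("flagged:", flagged)
```

Accounts that share a password produce identical digests, so even an anonymous payload shows how often a password is reused.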

Become a Beta Tester

Help shape the future of Active Directory security by joining our beta testing program.


Ready to Unleash the Kraken?

Contact us to discuss your offensive security needs and how our tools and expertise can enhance your security posture.