DarthSidious
  • Darth Sidious
  • GETTING STARTED
    • Getting started
    • External network access to Domain Admin
    • Intro to Windows hashes
  • Building a lab
    • Building a lab
    • Preparing Kali
    • Building a small lab
    • Building a lab with ESXI and Vagrant
    • Cuckoo malware analysis lab
  • Initial access
    • Password spraying
    • Initial access through exchange
  • ENUMERATION
    • Powershell
    • BloodHound
    • PowerView
    • Azure enumeration
  • Execution
    • Pass the hash
    • Responder with NTLM relay and Empire
    • DeathStar
    • CrackMapExec
  • Privilege escalation
    • Mimikatz
    • Token Impersonation
    • Juicy Potato
    • ALPC bug 0day
  • Defense evasion
    • Bypassing Applocker and Powershell contstrained language mode
    • From RDS app to Empire shell
    • Stealth
  • OTHER
    • Link encyclopedia
    • Writeups
      • lkylabs v1
    • War stories
      • Domain admin in 30 minutes
  • Credential access
    • Password cracking and auditing
  • Command & Control
    • SILENTTRINITY
Powered by GitBook
On this page
  • Mapping AD with BloodHound
  • Installing neo4j
  • Getting started with Bloodhound
  • Data collection
  • More Bloodhound stuff
  1. ENUMERATION

BloodHound

BloodHound is a tool to graphically map Active Directory and discover attack paths.

PreviousPowershellNextPowerView

Last updated 7 years ago

Mapping AD with BloodHound

One of the glorious design features of AD is that everyone in the domain needs to know where everything is. So when you get user credentials and/or a shell, you can basically map the entire domain without breaking any rules. Any user can query Active Directory for computers, domain controllers, groups and sessions.

Now we can use this brilliant feature to collect a ton of information and create a cool GUI map of the entire AD which can be queried using BloodHound. There are two software requirements, you need BloodHound and a database to store the data in. The recommended choice is neo4j, see below for further instructions.

Installing neo4j

Linux

  • Run neo4j with /opt/neo4j-community-3.3.0/bin/neo4j start

  • Navigate to localhost:7474 in your browser

  • Log in with username and password neo4j

  • Set a new password for the neo4j account

  • Open the file neo4j.conf from the neo4j installation directory and set the following parameters to make any host be able to access the database.

    dbms.connector.http.enabled=true
    dbms.connector.http.listen_address=0.0.0.0:7474
  • Restart neo4j with /opt/neo4j-community-3.1.1/bin/neo4j restart

  • Access neo4j in the browser at http://0.0.0.0:7474/browser/

Windows

Neo4j can be started with powershell on windows.

  • Spawn an administrative powershell with -bypass exec

  • Navigate to the neo4j/bin directory

  • Import-Module .\Neo4j-Management.psd1

  • Invoke-Neo4j Console

  • Likewise to Linux, log in to localhost:7474 from your browser and change the password.

MacOS

Similar procedure as linux. Neo4j does not support Java 9, so Java SDK must be version 8 and not 9. Install java 8 with cask in Homebrew:

  • brew update

  • brew cask install java8

Getting started with Bloodhound

  • Launch BloodHound and log in to the neo4j database with credentials previously set

Data collection

To collect data in a format Bloodhound can read is called ingestion. There are several ways of doing this and different types of collection methods. The most useable is the C# ingestor called SharpHound and a Powershell ingestor called Invoke-BloodHound. Both are bundled with the latest release.

Powershell ingestion

What I recommend doing if you have internal network access is to run Bloodhound using runas /netonly from your own machine and not from a host you are not in the control of. This way you're not cluttering a domain joined machine with files, you will not trigger antivirus and you don't have to exfiltrate the data either, so its generally less noisy.

runas /netonly /FQDN\user\<username> powershell

Example with the domain testlab.local and a username testuser

runas /netonly /testlab.local\user\testuser powershell

Type in the password of testuser when prompted. This should spawn a new Powershell window. This window will use the local DNS settings to find the nearest domain controller and perform the various LDAP queries Bloodhound performs. First, from a powershell shell with execution policy set to bypass, import the powershell module Import-module SharpHound.ps1

Then, start collecting data. This command specifies to collect all kinds of information, compress it into a ZIP and remove stray CSV files generated during ingestion.

Invoke-BloodHound -CollectionMethod All -CompressData -RemoveCSV

You will now have get a ZIP file containing CSV files in the directory where you ran the ingestor from. This ZIP file can from v2.0 be dragged and dropped straight into the BloodHound interface.

You should immediately see data being populated into the database and the interface.

You can now play with BloodHound to create really some really cool maps. You can also perform queries to show the shortest path to DA, etc. See the default queries and SpectreOps blog posts for inspiration.

Python ingestion from Kali

More Bloodhound stuff

manually from their , not through apt.

Install BloodHound according to instructions on the

From Bloodhound : the container update, you can use the new "All" collection open. See the blogpost from for details.

Bloodhound is now in , so make sure to grab the latest version of the ingestor. For Windows you can use the .

If you have a Kali box on the local network you can use the .

Explanations of things found under Node info

Install neo4j
Community Edition
website
http://neo4j.com/download/other-releases/#releases
A guide on installing can be found here
Github page
version 1.5
Specter Ops
version 2.0
SharpHound exe
Bloodhound.py ingestor
https://github.com/BloodHoundAD/BloodHound/wiki/Users
https://posts.specterops.io/sharphound-target-selection-and-api-usage-bba517b9e69b
https://github.com/porterhau5/BloodHound
https://porterhau5.com/blog/representing-password-reuse-in-bloodhound/
https://porterhau5.com/blog/extending-bloodhound-track-and-visualize-your-compromise/
http://threat.tevora.com/lay-of-the-land-with-bloodhound/
Example picture
Example picture