3.3.2 - BloodHound
The most famous tool that provides a GUI for AD entities and the relationships in the collected data. It utilizes graph theory to map the shortest path to interesting targets like Domain Admins, and contains built-in queries for more interesting paths.
There are two free versions of BloodHound:
BloodHound Legacy (present in C:\AD\Tools): https://github.com/BloodHoundAD/BloodHound
BloodHound CE (Community Edition): https://github.com/SpecterOps/BloodHound

BloodHound Installation
Steps to perform on the attacker machine (Kali)
1) apt-get install bloodhound
2) neo4j console
3) Open a browser and go to the URL indicated by the neo4j console (usually: http://localhost:7474)
In this certification, a BloodHound WebUI is provided to solve the labs.
Enter the default credentials (neo4j:neo4j) and click Connect.

Collecting Data
BloodHound CE using SharpHound.exe and .ps1
CRTP Lab
C:\AD\Tools\Loader.exe -Path C:\AD\Tools\Sharphound\SharpHound.exe -args --collectionmethods All
Other Lab
Using SharpHound.ps1
Download SharpHound.ps1 and upload it to the target. Run:
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All
Using SharpHound.exe
Run directly:
.\SharpHound.exe -c all
Using bloodhound.py
python3 bloodhound.py -u 'jdoe' -p 'Password123' -d DC.LOCAL -ns 192.168.1.1 --zip -c All
Collect Data in Stealthy Mode
SharpHound
The collection process isn't very stealthy, so in particular contexts it can be useful to remove noisy methods like RDP, DCOM, PSRemote and LocalAdmin (using the flag --excludedcs)
C:\AD\Tools\Loader.exe -Path C:\AD\Tools\Sharphound\SharpHound.exe -args --collectionmethods Group,GPOLocalGroup,Session,Trusts,ACL,Container,ObjectProps,SPNTargets,CertServices --excludedcs
SOAPHound
A really good method to collect data in stealth mode is SOAPHound. It talks to AD Web Services (ADWS, port 9389) and sends its LDAP queries through it, so it doesn't trigger network-based detection (like MDI); it retrieves info about all objects and processes the results of those LDAP queries.
#Build a cache that includes basic info about domain objects
SOAPHound.exe --buildcache -c C:\AD\Tools\cache.txt
#Collect BloodHound compatible data
SOAPHound.exe -c C:\AD\Tools\cache.txt --bhdump -o C:\AD\Tools\bloodhound-output --nolaps
Download the resulting .zip file and upload it to BloodHound for analysis.
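From the defender's side, the ADWS behaviour described above is something that can be watched on the domain controllers themselves. The following is an added example, not part of the original notes or of any tool mentioned here: it flags clients that connect to ADWS (TCP 9389) without being on an expected admin list. The log format, field names, IP addresses, allow-list and thresholds are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

ADWS_PORT = 9389  # AD Web Services port named in the section above

# Constructed sample: normalised connection records as they might be exported
# from DC firewall logs (field names are hypothetical, not a real log schema).
SAMPLE_LOG = """\
timestamp,client_ip,dc_ip,dest_port
2024-05-01T09:00:01,10.0.0.5,10.0.0.10,9389
2024-05-01T09:00:03,10.0.0.77,10.0.0.10,9389
2024-05-01T09:00:04,10.0.0.77,10.0.0.10,9389
2024-05-01T09:00:09,10.0.0.77,10.0.0.10,9389
2024-05-01T09:00:20,10.0.0.42,10.0.0.10,389
2024-05-01T11:30:00,10.0.0.88,10.0.0.10,9389
"""

# Assumption: hosts expected to use ADWS (e.g. admin workstations).
ADMIN_HOSTS = {"10.0.0.5"}


def find_adws_anomalies(log_text, admin_hosts, window=timedelta(minutes=1), burst=3):
    """Return {client_ip: reason} for ADWS clients outside the allow-list.

    'unexpected-client': any ADWS connection from a non-admin host.
    'unexpected-burst':  at least `burst` such connections inside `window`.
    """
    per_client = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if int(row["dest_port"]) != ADWS_PORT or row["client_ip"] in admin_hosts:
            continue
        per_client[row["client_ip"]].append(datetime.fromisoformat(row["timestamp"]))

    findings = {}
    for client, times in per_client.items():
        times.sort()
        # Sliding window: does any run of `burst` consecutive events fit in `window`?
        bursty = any(times[i + burst - 1] - times[i] <= window
                     for i in range(len(times) - burst + 1))
        findings[client] = "unexpected-burst" if bursty else "unexpected-client"
    return findings


if __name__ == "__main__":
    for ip, reason in find_adws_anomalies(SAMPLE_LOG, ADMIN_HOSTS).items():
        print(ip, reason)
```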