# Bloodhound

## Setup and Install

* Install: `sudo apt install bloodhound`
* Launch neo4j for Setup: `neo4j console`
* Open the link provided by neo4j, connect with default creds: `neo4j:neo4j`
* Change the password
* From the console launch `bloodhound`
* Connect with the creds you just set up in neo4j
* **Note: Sometimes Bloodhound will not properly process files.**\
  **To solve this it can be useful to download a previous version.**\
  [**Here**](https://github.com/BloodHoundAD/BloodHound/releases/tag/4.1.0) **is version 4.1.0 that usually does the trick for me.**

## Grabbing Data to feed Bloodhound

* Download and set up an ingestor, for instance Invoke-BloodHound for PowerShell; we can use [SharpHound](https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1)
* Put SharpHound on the target machine
* From the cmd of your target run: `powershell -ep bypass`
* Run Sharphound: `. .\SharpHound.ps1`
* Now we can invoke-bloodhound to collect data: `Invoke-BloodHound -CollectionMethod All -Domain DOMAIN.local -ZipFilename data.zip`
* Copy the zip file to your attacking machine
* Click on upload data and double click on the zip file
* In Analysis we can now click to Find all Domains
* We can also find the shortest path to the domain admins
* We want to find boxes where a domain admin is logged in.
* Transfer data to and from the target host with drive redirection: `xfreerdp /v:IP /u:user /drive:data,/tmp`

### Grab Data with Sharphound.exe through a Covenant grunt

* Upload Sharphound.exe with the command `upload` on Covenant
* Launch it using `shell sharphound.exe -c all`
* Once it's done, copy the file name of the generated zip
* Use the Covenant `download` command with that file name
* Once the download is done, click on the file name; a pop-up opens and lets you choose where to save the file

## Bloodhound Python

* *Note: slower than the PowerShell and C# ingestors*
* Requirements: impacket toolkit, ldap3, and dnspython
* `pip install bloodhound`
* From a Linux box not in the domain
  * Edit `/etc/resolv.conf`

    ```
    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    # 127.0.0.53 is the systemd-resolved stub resolver.
    # run "systemd-resolve --status" to see details about the actual nameservers.


    domain domain.local
    domain localdomain
    search localdomain
    nameserver IP-ADR
    ```
* `bloodhound-python -dc domain-controller.domain.local -gc domain-controller.domain.local -d domain.local -c All -u first.last -p password`

## Analyzing data

* Check out Domain Users group and see the rights it has
* Click on the pathfinding button and enter the domain to see if we have any direct paths to Domain Admin for all users
* Run some of the Pre-Built Analytics Queries to find additional interesting information
  * Obtain a list of all Domain Admins
  * Look at the `Find Shortest Paths to Domain Admins` query
  * `Find Principals with DCSync Rights` Find accounts that can perform the DCSync attack, which will be covered in a later module.
  * `Users with Foreign Domain Group Membership` Find users that belong to groups in other domains. This can help mount cross-trust attacks.
  * `Groups with Foreign Domain Group Membership` Find groups that are part of groups in other domains. This can help mount cross-trust attacks.
  * `Map Domain Trusts` Find all trust relationships with the current domain.
  * `Shortest Paths to Unconstrained Delegation Systems` Find the shortest path to hosts with Unconstrained Delegation.
  * `Shortest Paths from Kerberoastable Users` Show the shortest path to Domain Admins by selecting from all users in a dropdown that can be subjected to a Kerberoasting attack.
  * `Shortest Path from Owned Principals` If we right-click a node and select `Mark user as owned` or `Mark computer as owned`, we can then run this query to see how far we can go from any users/computers that we have marked as "owned". This can be very useful for mounting further attacks.
  * `Shortest Paths to Domain Admins from Owned Principals` Find the shortest path to Domain Admin access from any user or computer marked as "owned".
  * `Shortest Paths to High-Value Targets` This will give us the shortest path to any objects that BloodHound already considers a high-value target. It can also be used to find paths to any objects that we right-click on and select Mark X as High Value.
* Look at GPOs as well (see the Enumerating Group Policy Objects (GPOs) section)
* In BloodHound, we can right-click on any edge and click on `? Help` in the pop-up menu to get help on that specific edge, split into several tabs:
  * Info: general overview of the edge and what type of access it grants.
  * Abuse Info: specific tools/commands/techniques that can be used to abuse the privilege.
  * Opsec Considerations: how "noisy" a particular command can be and what type of event log ID it will generate. Opsec considerations are also documented on the BloodHound wiki.
  * References: additional reading on tactics/tools/techniques that can be used to abuse the privilege.

> [*Source: ACTIVE DIRECTORY BLOODHOUND on HTB Academy*](https://academy.hackthebox.com/course/preview/active-directory-bloodhound)

## Icons in Bloodhound

* This icon is used to represent a user:\
  ![User Icon](/files/686yKDA4ynowy3fUnCZn)
* This icon is used to represent a group:\
  ![Group Icon](/files/om7aLLNbSCojQ6EMhigE)
* This icon is used to represent a GPO:\
  ![GPO Icon](/files/NHUVgQbLEM44RYEfHzBK)\
  we can click on it and check the Node Info

## Cypher Query Language for custom queries

> [*Source: ACTIVE DIRECTORY BLOODHOUND on HTB Academy*](https://academy.hackthebox.com/course/preview/active-directory-bloodhound)

### Structure of query

* `MATCH (A)-[B]->(C) RETURN A,B,C` Here A and C are nodes; B is the relationship between A and C.
* `MATCH (n:User),(m:Group) MATCH p=(n)-[r:MemberOf*1..3]->(m) RETURN p` Here `n` and `m` are nodes restricted by label (User and Group), and `*1..3` matches paths of one to three `MemberOf` hops between them.

### Most common Keywords

* `MATCH` Used before describing the search pattern for finding one or more nodes or relationships.
* `WHERE` Used to add more constraints to specific patterns or filter out unwanted patterns.
* `RETURN` Used to specify the results format and organizes the resulting data. Results can be returned with specific properties, lists, ordering, etc.
* `CREATE` and `DELETE` Used to create and delete nodes/relationships.
* `SET` and `REMOVE` Used to set values to properties and add labels to nodes.
* `MERGE` Used to create nodes uniquely without any duplicates.

### Example of query

* `MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p` Find the members of all groups deemed to be "high-value targets."
* `MATCH (u:User) WHERE ANY (x IN u.serviceprincipalnames WHERE toUpper(x) CONTAINS 'SQL') RETURN u` Find users with a keyword in their Service Principal Name (SPN)
* `MATCH (u:User {dontreqpreauth: true}) RETURN u` Find users who do not require Kerberos pre-authentication
* `MATCH (u:User) WHERE u.description IS NOT NULL RETURN u.name,u.description` Find all users with a description field that is not blank

### Edge relationships in Bloodhound

* `MemberOf` One node (user, group, or computer) is a member of a second node (group)
* `AdminTo` One node (user, group, or computer) has local admin rights on a second node (computer)
* `HasSession` One node (user) has a session on a second node (computer)
* `TrustedBy` One node (domain) is trusted by a second node (domain)
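The three sections above describe Cypher patterns, keywords and edge types in words. As an added example (my own code, not from the page's sources or from the BloodHound project), here is a small in-memory graph in Python that implements the same four example queries and the bounded `MemberOf*1..3` walk, so you can see what the variable-length pattern and the property filters actually match on. Node labels, property names (`highvalue`, `dontreqpreauth`, `serviceprincipalnames`, `description`) and edge kinds follow this page; the sample directory is constructed and not real collection data.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    label: str                      # "User", "Group" or "Computer"
    props: dict = field(default_factory=dict)


class Graph:
    """Directed multigraph: nodes by name, edges stored as (kind, destination)."""

    def __init__(self):
        self.nodes = {}     # name -> Node
        self.edges = {}     # source name -> [(kind, destination name), ...]

    def add_node(self, name, label, **props):
        self.nodes[name] = Node(name, label, props)

    def add_edge(self, src, kind, dst):
        self.edges.setdefault(src, []).append((kind, dst))

    def paths(self, start, kind, min_hops, max_hops=None):
        """Counterpart of MATCH p=(start)-[:kind*min_hops..max_hops]->(m) RETURN p.

        Breadth-first walk over edges of one kind; every path whose hop count lies
        in [min_hops, max_hops] is returned as a list of node names. max_hops=None
        is the unbounded form (*1..); a node is never revisited on the same path,
        so cyclic group nesting still terminates.
        """
        found = []
        queue = deque([[start]])
        while queue:
            path = queue.popleft()
            hops = len(path) - 1
            if hops >= min_hops:
                found.append(path)
            if max_hops is not None and hops >= max_hops:
                continue
            for edge_kind, dst in self.edges.get(path[-1], []):
                if edge_kind == kind and dst not in path:
                    queue.append(path + [dst])
        return found


def high_value_group_members(g):
    """MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p"""
    return [path
            for n in g.nodes.values() if n.label == "User"
            for path in g.paths(n.name, "MemberOf", 1)
            if g.nodes[path[-1]].label == "Group"
            and g.nodes[path[-1]].props.get("highvalue")]


def users_without_preauth(g):
    """MATCH (u:User {dontreqpreauth: true}) RETURN u"""
    return sorted(n.name for n in g.nodes.values()
                  if n.label == "User" and n.props.get("dontreqpreauth"))


def users_with_spn_keyword(g, keyword):
    """MATCH (u:User) WHERE ANY (x IN u.serviceprincipalnames WHERE toUpper(x) CONTAINS 'SQL') RETURN u"""
    keyword = keyword.upper()
    return sorted(n.name for n in g.nodes.values()
                  if n.label == "User"
                  and any(keyword in spn.upper()
                          for spn in n.props.get("serviceprincipalnames", [])))


def users_with_description(g):
    """MATCH (u:User) WHERE u.description IS NOT NULL RETURN u.name,u.description"""
    return sorted((n.name, n.props["description"]) for n in g.nodes.values()
                  if n.label == "User" and n.props.get("description") is not None)


def build_sample_graph():
    """Constructed sample directory (not real collection data)."""
    g = Graph()
    g.add_node("ALICE@DOMAIN.LOCAL", "User", description="Helpdesk lead")
    g.add_node("BOB@DOMAIN.LOCAL", "User", dontreqpreauth=True)
    g.add_node("SVC_SQL@DOMAIN.LOCAL", "User",
               serviceprincipalnames=["MSSQLSvc/db01.domain.local:1433"])
    g.add_node("IT SUPPORT@DOMAIN.LOCAL", "Group")
    g.add_node("TIER 2 ADMINS@DOMAIN.LOCAL", "Group")
    g.add_node("DOMAIN ADMINS@DOMAIN.LOCAL", "Group", highvalue=True)
    g.add_node("WS01.DOMAIN.LOCAL", "Computer")
    # Nested membership: ALICE -> IT SUPPORT -> TIER 2 ADMINS -> DOMAIN ADMINS
    g.add_edge("ALICE@DOMAIN.LOCAL", "MemberOf", "IT SUPPORT@DOMAIN.LOCAL")
    g.add_edge("SVC_SQL@DOMAIN.LOCAL", "MemberOf", "IT SUPPORT@DOMAIN.LOCAL")
    g.add_edge("IT SUPPORT@DOMAIN.LOCAL", "MemberOf", "TIER 2 ADMINS@DOMAIN.LOCAL")
    g.add_edge("TIER 2 ADMINS@DOMAIN.LOCAL", "MemberOf", "DOMAIN ADMINS@DOMAIN.LOCAL")
    g.add_edge("TIER 2 ADMINS@DOMAIN.LOCAL", "AdminTo", "WS01.DOMAIN.LOCAL")
    # BloodHound draws HasSession from the computer to the logged-on user.
    g.add_edge("WS01.DOMAIN.LOCAL", "HasSession", "ALICE@DOMAIN.LOCAL")
    return g
```

Calling `build_sample_graph().paths("ALICE@DOMAIN.LOCAL", "MemberOf", 1, 3)` returns three paths (one, two and three hops), which is exactly what the `*1..3` pattern returns as separate rows; `high_value_group_members` only keeps the paths that end on the `highvalue` group, the way the `{highvalue:true}` property map filters the end node. The same nesting is what makes a user's effective rights larger than their direct group list, which is why auditing group nesting matters as much as auditing direct membership.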

## Exploiting ACEs

A significant number of ACEs can be misconfigured, and the exploit for each one varies. The BloodHound documentation assists in explaining enumerated ACEs and how they can be exploited.

* **ForceChangePassword**: We have the ability to set the user's current password without knowing their current password.
* **AddMembers**: We have the ability to add users (including our own account), groups or computers to the target group.
* **GenericAll**: We have complete control over the object, including the ability to change the user's password, register an SPN or add an AD object to the target group.
* **GenericWrite**: We can update any non-protected parameters of our target object. This could allow us to, for example, update the scriptPath parameter, which would cause a script to execute the next time the user logs on.
* **WriteOwner**: We have the ability to update the owner of the target object. We could make ourselves the owner, allowing us to gain additional permissions over the object.
* **WriteDACL**: We have the ability to write new ACEs to the target object's DACL. We could, for example, write an ACE that grants our account full control over the target object.
* **AllExtendedRights**: We have the ability to perform any action associated with extended AD rights against the target object. This includes, for example, the ability to force change a user's password.

In order to exploit these ACEs, we will need a method to interact with AD to make these requests. The two best options for this are the AD-RSAT PowerShell cmdlets or PowerSploit.\
Depending on the breach and the detection tools in the environment, one option may be stealthier.

> *Source:* [*Tryhackme*](https://tryhackme.com/room/exploitingad)
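To see how the rights listed above compare when reviewing collected ACEs, here is an added Python example (my own code, not from the page's sources or from BloodHound) that ranks ACE findings the way a defender would when triaging a BloodHound export: `WriteDACL` and `WriteOwner` are treated as equivalent to full control because, as the descriptions above say, their holder can grant themselves full control, and principals that are expected to hold rights (the admin tier) are filtered out so the unexpected grants stand out. Right names are spelled as on this page; the principals, targets and ACE triples are constructed sample data.

```python
from typing import NamedTuple

# Rights as named on this page, mapped to the capability they confer on the
# target. WriteDACL and WriteOwner count as full control because their holder
# can rewrite the DACL (directly, or after taking ownership) to grant it.
RIGHT_EFFECT = {
    "GenericAll": "full_control",
    "WriteDACL": "full_control",
    "WriteOwner": "full_control",
    "AllExtendedRights": "extended_rights",
    "ForceChangePassword": "password_reset",
    "GenericWrite": "attribute_write",
    "AddMembers": "membership_change",
}

SEVERITY = {"full_control": 3, "extended_rights": 2, "password_reset": 2,
            "attribute_write": 2, "membership_change": 1}


class Finding(NamedTuple):
    principal: str
    target: str
    right: str
    effect: str
    severity: int


def review_aces(aces, expected_principals=frozenset()):
    """Return one Finding per (principal, target) pair that holds a listed right.

    ACEs granted to principals in expected_principals (e.g. the admin tier) are
    skipped; when a principal holds several rights on one target only the most
    severe is reported. Results are ordered most severe first, then by name.
    """
    strongest = {}
    for principal, right, target in aces:
        if principal in expected_principals or right not in RIGHT_EFFECT:
            continue          # unknown right names are ignored, not guessed at
        effect = RIGHT_EFFECT[right]
        severity = SEVERITY[effect]
        key = (principal, target)
        if key not in strongest or severity > strongest[key].severity:
            strongest[key] = Finding(principal, target, right, effect, severity)
    return sorted(strongest.values(),
                  key=lambda f: (-f.severity, f.principal, f.target))


def full_control_holders(aces, target):
    """Every principal whose right on `target` resolves to full control."""
    return sorted({p for p, right, t in aces
                   if t == target and RIGHT_EFFECT.get(right) == "full_control"})


# Constructed sample ACEs as (principal, right, target) triples; not real data.
SAMPLE_ACES = [
    ("HELPDESK@DOMAIN.LOCAL", "ForceChangePassword", "T2_USER@DOMAIN.LOCAL"),
    ("HELPDESK@DOMAIN.LOCAL", "GenericWrite", "T2_USER@DOMAIN.LOCAL"),
    ("ALICE@DOMAIN.LOCAL", "AddMembers", "IT SUPPORT@DOMAIN.LOCAL"),
    ("ALICE@DOMAIN.LOCAL", "WriteDACL", "IT SUPPORT@DOMAIN.LOCAL"),
    ("DOMAIN ADMINS@DOMAIN.LOCAL", "GenericAll", "IT SUPPORT@DOMAIN.LOCAL"),
    ("BOB@DOMAIN.LOCAL", "WriteOwner", "DOMAIN ADMINS@DOMAIN.LOCAL"),
    ("BOB@DOMAIN.LOCAL", "ReadProperty", "DOMAIN ADMINS@DOMAIN.LOCAL"),
]

if __name__ == "__main__":
    for f in review_aces(SAMPLE_ACES, {"DOMAIN ADMINS@DOMAIN.LOCAL"}):
        print(f"[{f.severity}] {f.principal} has {f.right} on {f.target} ({f.effect})")
```

With the admin tier filtered out, the two full-control grants (`WriteDACL` on a group, `WriteOwner` on Domain Admins) come first and the helpdesk's password-reset right is reported once rather than twice, which is the order in which such findings are usually remediated.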

### Examples

* `AddMembers`: to exploit this we just need to add our user to the desired group using PowerShell: `Add-ADGroupMember "IT Support" -Members "barbara.reid"`
* Check that it worked: `Get-ADGroupMember -Identity "IT Support"`
* `ForceChangePassword`: identify a member of the group whose password we want to change in order to take over their account: `Get-ADGroupMember -Identity "Tier 2 Admins"`
* Then we can change the password. *Note: it can take up to 10 minutes to take effect; we also might need to disconnect and reconnect.*

```powershell
$Password = ConvertTo-SecureString "Newpassword1234!" -AsPlainText -Force
Set-ADAccountPassword -Identity "t2_melanie.davies" -Reset -NewPassword $Password
```

## Other Tips Bloodhound

* If we click on an edge in the graph and select Help, we get useful info about the selected edge. It is really worth having a look at the Help and Abuse Info tabs for more details and tips on ways of exploitation.

## Bloodhound - Resources

* [Bloodhound - Lisandre](https://lisandre.com/cheat-sheets/bloodhound)
* [Bloodhound: A Pentester’s best friend by Warren Butterworth](https://medium.com/@warrenbutterworth/bloodhound-a-pentesters-best-friend-d8467aa6c50)
* [Cypher Query Language](https://neo4j.com/developer/cypher/)
* [Edges in Bloodhound](https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html)
* [SharpHound: Target Selection and API Usage - CptJesus](https://blog.cptjesus.com/posts/sharphoundtargeting)
* [Exploiting AD - Tryhackme](https://tryhackme.com/room/exploitingad)
* [BloodHound – Sniffing Out the Path Through Windows Domains - Michiel Lemmens](https://www.sans.org/blog/bloodhound-sniffing-out-path-through-windows-domains/)
* [THE DOG WHISPERER'S HANDBOOK 3 - SadProcessor](https://ernw.de/download/ERNW_DogWhisperer3.pdf)

