Bloodhound

Setup and Install

• Install: sudo apt install bloodhound

• Launch neo4j for Setup: neo4j console

• Open the link provided by neo4j, connect with default creds: neo4j:neo4j

• Change the password

• From the console launch bloodhound

• Connect with the creds you just set up in neo4j

• Note: Sometimes Bloodhound will not properly process files. To solve this it can be useful to download a previous version. Here is version 4.1.0 that usually does the trick for me.

Grabbing Data to feed Bloodhound

• Download and setup an injector for instance invoke-bloodhound for powershell, we can use sharphound

• Put Sharphound in your target machine

• From the cmd of your target run: powershell -ep bypass

• Run Sharphound: . .\SharpHound.ps1

• Now we can invoke-bloodhound to collect data: Invoke-BloodHound -CollectionMethod All -Domain DOMAIN.local -ZipFilename data.zip

• Copy the zip file in your attacking machine

• Click on upload data and double click on the zip file

• In Analysis we can now click to Find all Domains

• We can also find the shortest path to the domain admins

• We want to find boxes where a domain admin is logged in.

• xfreerdp /v:IP /u:user /drive:data,/tmp Transfer data to and from the target host with drive redirection

Grab Data with Sharphound.exe through a Covenant grunt

• Upload Sharphound.exe with the command upload on Covenant

• launch it using shell sharphound.exe -c all

• Once it's done we can copy the file name of the generated zip

• And use the Covenant download command

• Once done we can click on the file name it should open a pop up and you will be able to choose where to put the file

Bloodhound Python

• Note: slower than the PowerShell and C# ingestors

• Requirements: impacket toolkit, ldap3, and dnspython

• pip install bloodhound

• From a linux box not in the domain

  • Edit /etc/resolv.conf

    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    # 127.0.0.53 is the systemd-resolved stub resolver.
    # run "systemd-resolve --status" to see details about the actual nameservers.
    
    
    domain domain.local
    domain localdomain
    search localdomain
    nameserver IP-ADR

• bloodhound-python -dc domain-controller.domain.local -gc domain-controller.domain.local -d domain.local -c All -u first.last -p password

Analyzing data

• Check out Domain Users group and see the rights it has

• Click on the pathfinding button and enter the domain to see if we have any direct paths to Domain Admin for all users

• Run some of the Pre-Built Analytics Queries to find additional interesting information

  • Obtain a list of all Domain Admins

  • Look at the Find Shortest Paths to Domain Admins query

  • Find Principals with DCSync Rights Find accounts that can perform the DCSync attack, which will be covered in a later module.

  • Users with Foreign Domain Group Membership Find users that belong to groups in other domains. This can help mount cross-trust attacks.

  • Groups with Foreign Domain Group Membership Find groups that are part of groups in other domains. This can help mount cross-trust attacks.

  • Map Domain Trusts Find all trust relationships with the current domain.

  • Shortest Paths to Unconstrained Delegation Systems Find the shortest path to hosts with Unconstrained Delegation.

  • Shortest Paths from Kerberoastable Users Show the shortest path to Domain Admins by selecting from all users in a dropdown that can be subjected to a Kerberoasting attack.

  • Shortest Path from Owned Principals If we right-click a node and select Mark user as owned or Mark computer as owned, we can then run this query to see how far we can go from any users/computers that we have marked as "owned". This can be very useful for mounting further attacks.

  • Shortest Paths to Domain Admins from Owned Principals Find the shortest path to Domain Admin access from any user or computer marked as "owned".

  • Shortest Paths to High-Value Targets This will give us the shortest path to any objects that BloodHound already considers a high-value target. It can also be used to find paths to any objects that we right-click on and select Mark X as High Value.

• Look at GPOs as well. In the Enumerating Group Policy Objects (GPOs) section

• In BloodHound, we can right-click on any edge and click on ? Help in the pop-up menu and receive help on the specific edge with various tabs

  • Info General overview of the edge and what type of access it grants.

  • Abuse Info Specific tools/commands/techniques that can be used to abuse the privilege.

  • Opsec Considerations Opsec Considerations are also documented on the BloodHound wiki. This provides info on how "noisy" a particular command can be and what type of event log ID it will generate.

  • References Additional reading on tactics/tools/techniques that can be used to abuse the privilege.

Source: ACTIVE DIRECTORY BLOODHOUND on HTB Academy

Icons in Bloodhound

• This icon is used to represent a user:
• This icon is used to represent a group:
• This icon is used to represent a GPO: we can click on it and check the Node Info

Cypher Query Language for custom queries

Source: ACTIVE DIRECTORY BLOODHOUND on HTB Academy

Structure of query

• MATCH (A)-[B]->(C) RETURN A,B,C Here A and C are nodes B is the relationship between A and C

• MATCH (n:User),(m:Group) MATCH p=(n)-[r:MemberOf*1..3]->(m) RETURN p

Most common Keywords

• MATCH Used before describing the search pattern for finding one or more nodes or relationships.

• WHERE Used to add more constraints to specific patterns or filter out unwanted patterns.

• RETURN Used to specify the results format and organizes the resulting data. Results can be returned with specific properties, lists, ordering, etc.

• CREATE and DELETE - Used to create and delete nodes/relationships

• SET and REMOVE - Used to set values to properties and add labels to nodes

• MERGE - Used to create nodes uniquely without any duplicates.

Example of query

• MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p Find the members of all groups deemed to be "high-value targets."

• MATCH (u:User) WHERE ANY (x IN u.serviceprincipalnames WHERE toUpper(x) CONTAINS 'SQL')RETURN u Find users with a keyword in their Service Principal Name (SPN)

• MATCH (u:User {dontreqpreauth: true}) RETURN u Find users who do not require Kerberos pre-authentication

• MATCH (u:User) WHERE u.description IS NOT NULL RETURN u.name,u.description Find all users with a description field that is not blank

Edge relationships in Bloodhound

• MemberOf One node (user, group, or computer) is a member of a second node (group)

• AdminTo One node (user, group, or computer) has local admin rights on a second node (computer)

• HasSession One node (user) has a session on a second node (computer)

• TrustedBy One node (domain) is trusted by a second node (domain)

Exploiting ACEs

A significant amount of ACEs can be misconfigured, and the exploits for each vary. The Bloodhound documentation assists in explaining enumerated ACEs and how they can be exploited.

• ForceChangePassword: We have the ability to set the user's current password without knowing their current password.

• AddMembers: We have the ability to add users (including our own account), groups or computers to the target group.

• GenericAll: We have complete control over the object, including the ability to change the user's password, register an SPN or add an AD object to the target group.

• GenericWrite: We can update any non-protected parameters of our target object. This could allow us to, for example, update the scriptPath parameter, which would cause a script to execute the next time the user logs on.

• WriteOwner: We have the ability to update the owner of the target object. We could make ourselves the owner, allowing us to gain additional permissions over the object.

• WriteDACL: We have the ability to write new ACEs to the target object's DACL. We could, for example, write an ACE that grants our account full control over the target object.

• AllExtendedRights: We have the ability to perform any action associated with extended AD rights against the target object. This includes, for example, the ability to force change a user's password.

In order to exploit these ACEs, we will need a method to interact with AD to make these requests. The two best options for this are the AD-RSAT PowerShell cmdlets or PowerSploit. Depending on the breach and the detection tools in the environment, one option may be stealthier.

Source: Tryhackme

Examples

• AddMembers To exploit this we just need to add our user to the desired group using powershell Add-ADGroupMember "IT Support" -Members "barbara.reid"

• Checked that it worked Get-ADGroupMember -Identity "IT Support"

• ForceChangePassword Identify a member of the group we want to change the password for taking over their account Get-ADGroupMember -Identity "Tier 2 Admins"

• And then we can change the password. Note: It can take up to 10 minutes to be effective. We also might need to disconnect and reconnect.

$Password = ConvertTo-SecureString "Newpassword1234!" -AsPlainText -Force 
Set-ADAccountPassword -Identity "t2_melanie.davies" -Reset -NewPassword $Password 

Other Tips Bloodhound

• If we click on a blade in the graph and select help we will have useful info about the specific blade selected. It is really worth having a look at the help and abuse info to have more info and tips on ways of exploitation.

Bloodhound - Resources

• Bloodhound - Lisandre
• Bloodhound: A Pentester’s best friend by Warren Butterworth
• Cypher Query Language
• Edges in Bloodhound
• SharpHound: Target Selection and API Usage - CptJesus
• Exploiting AD - Tryhackme
• BloodHound – Sniffing Out the Path Through Windows Domains - Michiel Lemmens
• THE DOG WHISPERER'S HANDBOOK 3 - SadProcessor