Enumeration by bloodhound

  • AD
  • Bloodhound

posted on 11 Jul 2022 under category Active-Directory in series Active_Directory

Bloodhound Overview

Bloodhound is a tool that is generally used by adversaries to visually map an organization’s Active Directory structure and analyze it to find its weaknesses. Being able to analyze the Active Directory is very useful to attackers to identify which objects are worth targeting in an organization. Any user within an active directory domain can interrogate their organization’s Active Directory which runs on the domain controllers.

Bloodhound uses the collector which is called as SharpHound to collect various kinds of data by running a ton of LDAP queries to collect information within Active Directory.

Grabbing Data with Bloodhound

  • Download it form github -> link

Desktop View


ruby evil-winrm.rb -i 192.168.1.2 -u superman -p 'Password123!'

Desktop View

  • See menu
[+] Dll-Loader
[+] Donut-Loader
[+] Invoke-Binary
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
[+] menu
[+] exit

Desktop View

  • Upload SharpHound.ps1 script to machine

upload /home/kali/Desktop/AD/SharpHound.ps1

Desktop View

  • bypass powershell policy and run script
PowerShell -ep bypass # bypass policy powershell

ls # to see the script
. .\SharpHound.ps1 # to run script

Desktop View

  • Grabbing Data with Invoke-Bloodhound
Invoke-Bloodhound -CollectionMethod All -Domain Homelab.local -ZipFileName homelab.local.zip

Desktop View

  • download file to local kali machine
download 20220823031653_homlab.local.zip

Desktop View

  • check it after download it

Desktop View

next step install Bloodhound

 Bloodhound Setup

Install bloodhound

apt install bloodhound

config neo4j console

  • after run command will get link to access console
sudo neo4j console

Desktop View

  • defualt username and pass -> neo4j

Desktop View

  • change password as you like -> my new pass kali

Desktop View

upload collection Data to Bloodhound

  • Run neo4j console on one Tab
sudo neo4j console

Desktop View

  • Run Bloodhound on onther Tab
Bloodhound 

Desktop View

  • enter uername and new password

Desktop View

  • upload collection file to Bloodhound

Desktop View

Graphing the collected data

Back on your BloodHound instance login and upload the hound.zip file via the up arrow to the right of the screen. Once imported click the 3 lines at the top left of the window to view the Database info. This shows you the AD info and relationships etc. we have three tab database , node info and Important one is Analysis

Desktop View

To Graph the data, go to the Analysis tab and choose what you would like to enumerate.

Desktop View

By clicking on a node you can bring up the properties of that node

Desktop View

Selecting “Find Shortest Paths to Domain Admins”. This shows the shortest route to get to Domain Administrator. We can see that ecartman, who is a domain administrator is logged into machine SOUTHPARK.PWNME.LOCAL so this would be a perfect target to maybe try passing a hash and using Token Impersonation to login to the Domain Controller etc.

Desktop View

To further demonstrate the power of Blood hound, this is a result of selecting Shortest Paths to High Value Targets. This is a lab with less than 10 users and computers. Imagine a coorperate network with hundreds… This post has shown a very small fraction of what BloodHound is capable of.

Desktop View

reference

  • https://medium.com/securonix-tech-blog/detecting-ldap-enumeration-and-bloodhound-s-sharphound-collector-using-active-directory-decoys-dfc840f2f644
  • https://swepstopia.com/bloodhound-enumeration/