hacktricks/windows-hardening/active-directory-methodology/bloodhound.md
and7es 171d882f4d
Update bloodhound.md
Added new updated Bloodhound CE tool
Changed the old Bloodhound to Legacy
2024-01-02 23:27:06 +01:00

12 KiB

BloodHound & Other AD Enum Tools

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

AD Explorer

AD Explorer is from Sysinternal Suite:

An advanced Active Directory (AD) viewer and editor. You can use AD Explorer to navigate an AD database easily, define favourite locations, view object properties, and attributes without opening dialog boxes, edit permissions, view an object's schema, and execute sophisticated searches that you can save and re-execute.

Snapshots

AD Explorer can create snapshots of an AD so you can check it offline.
It can be used to discover vulns offline, or to compare different states of the AD DB across the time.

You will be requires the username, password, and direction to connect (any AD user is required).

To take a snapshot of AD, go to File --> Create Snapshot and enter a name for the snapshot.

ADRecon

****ADRecon is a tool which extracts and combines various artefacts out of an AD environment. The information can be presented in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis and provide a holistic picture of the current state of the target AD environment.

# Run it
.\ADRecon.ps1

BloodHound

BloodHound is a monolithic web application composed of an embedded React frontend with Sigma.js and a Go based REST API backend. It is deployed with a Postgresql application database and a Neo4j graph database, and is fed by the SharpHound and AzureHound data collectors.

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory or Azure environment.

BloodHound CE is created and maintained by the BloodHound Enterprise Team. The original BloodHound was created by @_wald0, @CptJesus, and @harmj0y.

From https://github.com/SpecterOps/BloodHound

So, Bloodhound is an amazing tool which can enumerate a domain automatically, save all the information, find possible privilege escalation paths and show all the information using graphs.

Booldhound is composed of 2 main parts: ingestors and the visualisation application.

The ingestors are used to enumerate the domain and extract all the information in a format that the visualisation application will understand.

The visualisation application uses neo4j to show how all the information is related and to show different ways to escalate privileges in the domain.

Installation

After the creation of BloodHound CE, the entire project was updated for ease of use with Docker. The easiest way to get started is to use its pre-configured Docker Compose configuration.

  1. Install Docker Compose. This should be included with the Docker Desktop installation.
  2. Run:
curl -L https://ghst.ly/getbhce | docker compose -f - up
  1. Locate the randomly generated password in the terminal output of Docker Compose.
  2. In a browser, navigate to http://localhost:8080/ui/login. Login with a username of admin and the randomly generated password from the logs.

After this you will need to change the randomly generated password and you will have the new interface ready, from which you can directly download the ingestors.

SharpHound

They have several options but if you want to run SharpHound from a PC joined to the domain, using your current user and extract all the information you can do:

./SharpHound.exe --CollectionMethods All
Invoke-BloodHound -CollectionMethod All

You can read more about CollectionMethod and loop session here

If you wish to execute SharpHound using different credentials you can create a CMD netonly session and run SharpHound from there:

runas /netonly /user:domain\user "powershell.exe -exec bypass"

Learn more about Bloodhound in ired.team.

Legacy Bloodhound

Installation

  1. Bloodhound

To install the visualisation application you will need to install neo4j and the bloodhound application.
The easiest way to do this is just doing:

apt-get install bloodhound

You can download the community version of neo4j from here.

  1. Ingestors

You can download the Ingestors from:

  1. Learn the path from the graph

Bloodhound come with various queries to highlight sensitive compromission path. It it possible to add custom queries to enhance the search and correlation between objects and more!

This repo has a nice collections of queries: https://github.com/CompassSecurity/BloodHoundQueries

Installation process:

$ curl -o "~/.config/bloodhound/customqueries.json" "https://raw.githubusercontent.com/CompassSecurity/BloodHoundQueries/master/BloodHound_Custom_Queries/customqueries.json"

Visualisation app Execution

After downloading/installing the required applications, lets start them.
First of all you need to start the neo4j database:

./bin/neo4j start
#or
service neo4j start

The first time that you start this database you will need to access http://localhost:7474/browser/. You will be asked default credentials (neo4j:neo4j) and you will be required to change the password, so change it and don't forget it.

Now, start the bloodhound application:

./BloodHound-linux-x64
#or
bloodhound

You will be prompted for the database credentials: neo4j:<Your new password>

And bloodhound will be ready to ingest data.

Python bloodhound

If you have domain credentials you can run a python bloodhound ingestor from any platform so you don't need to depend on Windows.
Download it from https://github.com/fox-it/BloodHound.py or doing pip3 install bloodhound

bloodhound-python -u support -p '#00^BlackKnight' -ns 10.10.10.192 -d blackfield.local -c all

If you are running it through proxychains add --dns-tcp for the DNS resolution to work throught the proxy.

proxychains bloodhound-python -u support -p '#00^BlackKnight' -ns 10.10.10.192 -d blackfield.local -c all --dns-tcp

Python SilentHound

This script will quietly enumerate an Active Directory Domain via LDAP parsing users, admins, groups, etc.

Check it out in SilentHound github.

RustHound

BloodHound in Rust, check it here.

Group3r

Group3r **** is a tool to find vulnerabilities in Active Directory associated Group Policy.
You need to run group3r from a host inside the domain using any domain user.

group3r.exe -f <filepath-name.log> 
# -s sends results to stdin
# -f send results to file

PingCastle

****PingCastle evaluates the security posture of an AD environment and provides a nice report with graphs.

To run it, can execute the binary PingCastle.exe and it will start an interactive session presenting a menu of options. The default option to use is healthcheck which will establish a baseline overview of the domain, and find misconfigurations and vulnerabilities.

☁️ HackTricks Cloud ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥