BloodHound


BloodHound (9.3k ⭐) is the reference tool when pentesting Active Directory. It ingests collector data, stores and displays it as a Neo4j graph, and ships Cypher queries for Neo4j that identify attack vectors and attack paths.

They seem to be moving to a paid version and a community version (0.7k ⭐).

On the target, run a data collector such as SharpHound (0.6k ⭐):

PS> .\SharpHound.exe -c All --zipfilename results # everything
PS> .\SharpHound.exe -c Session --zipfilename results # sessions only, for the re-runs during the day
PS> .\SharpHound.exe --CollectionMethods All --Domain example.com --ExcludeDCs # skip the domain controllers

There is also an unofficial Python collector, bloodhound.py (1.7k ⭐):

$ sudo apt install -y bloodhound.py
$ bloodhound-python -u 'username' -p 'password' -ns DC_IP -d domain -c all
$ bloodhound-python -u 'username@example.com' -p 'password' -d domain -dc DC_IP -c all
$ # -c all collects user sessions, users and groups, object properties and ACLs
$ zip -r results.zip *.json

You can also collect with nxc (NetExec) using LDAP credentials:

$ nxc ldap DC01.example.com -u username -p password --bloodhound -ns DCIP --collection All # add DC01.example.com to /etc/hosts

On your host, install and run BloodHound, then import the zip using 'Import Data':

$ sudo apt install bloodhound -y
$ sudo neo4j console & # default credentials neo4j:neo4j, change the password on first login
$ bloodhound
$ # Need a specific version, such as 4.1.0 below?
$ wget https://github.com/BloodHoundAD/BloodHound/releases/download/4.1.0/BloodHound-linux-x64.zip && unzip BloodHound-linux-x64.zip && rm -rf BloodHound-linux-x64.zip && cd BloodHound-linux-x64 && chmod +x BloodHound
$ ./BloodHound --no-sandbox # downloaded release

⚠️ The collector version must match your BloodHound version, or the results may not be parsed correctly, leading to missing attack paths.

⚠️ Ideally, a collector should be run once to capture everything, then twice a day (around 10 a.m. and 2 p.m.) so that session data stays accurate.


BloodHound Overview

A few notes:

  • 🛬 Click on 'Import Data' or drag and drop your zip to import it.
  • 📚 Navigate to Analysis to run the saved queries.
  • 🔎 Click on objects (don't hesitate!) to load them in the view.
  • 🔑 Use the search bar to find objects. The path icon searches for a path between two objects (e.g., from the current user to an admin).
  • 🖨️ Press CTRL to show labels below each node.

Node information:

  • Outbound Object Control: ACL attacks, refer to this

Useful queries:

  • Find Shortest Paths To Domain Admins
  • Find Computers with Unsupported Operating Systems
  • Find Computers where Domain Users are Local Admin
  • Find Users with Foreign Domain Group Membership
  • Find Sessions On Hosts (which means hashes we can dump)

👻 To-do 👻

Stuff that I found but have never read or used yet.

// Users with CanPSRemote (WinRM) edges to computers; p1 (group memberships) is matched but not returned
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group))
MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer)
RETURN p2

Extract the list of usernames from the BloodHound collected data:

$ cat XXX_users.json | jq | grep samaccountname | cut -d '"' -f4 > valid_users.txt # XXX is the collector's file prefix
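As an added example (not part of these notes or of the BloodHound project), the same extraction in Python, working either on a users JSON file or directly on the results.zip a collector produces, and also reporting the format version the collector wrote so it can be checked against the BloodHound version warning above. It assumes the BloodHound v4 collector layout (a "data" list of entries with a "Properties" object holding samaccountname and enabled, plus "meta".version); the sample data is constructed.

```python
# Added example: pull account names out of a collector's *_users.json (or the
# results.zip holding it). Assumed layout: BloodHound v4 collector format, i.e. a
# "data" list of entries with "Properties" (samaccountname, enabled) and "meta".version.
from __future__ import annotations
import json
import zipfile
from io import BytesIO
SAMPLE_USERS_JSON = json.dumps({  # constructed, mirrors a collector's users file
    "data": [
        {"Properties": {"samaccountname": "alice", "enabled": True}},
        {"Properties": {"samaccountname": "svc_backup", "enabled": True}},
        {"Properties": {"samaccountname": "old.admin", "enabled": False}},
        {"Properties": {"name": "NO_SAM@EXAMPLE.COM"}},  # no samaccountname
    ],
    "meta": {"type": "users", "count": 4, "version": 4},
})

def extract_usernames(users_json: str, enabled_only: bool = False) -> list[str]:
    """Sorted, de-duplicated samaccountname values; optionally enabled accounts only."""
    names = set()
    for entry in json.loads(users_json).get("data", []):
        props = entry.get("Properties") or {}
        sam = props.get("samaccountname")
        if not sam:
            continue  # entry has no SAM account name to report
        if enabled_only and props.get("enabled") is False:
            continue  # collector marked the account as disabled
        names.add(sam)
    return sorted(names)

def collector_version(users_json: str) -> int | None:
    """Format version the collector wrote; compare it with your BloodHound version."""
    return json.loads(users_json).get("meta", {}).get("version")

def usernames_from_zip(zip_bytes: bytes, enabled_only: bool = False) -> list[str]:
    """Same extraction, read straight from the results.zip a collector produces."""
    names: set[str] = set()
    with zipfile.ZipFile(BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            if member.endswith("_users.json"):
                text = zf.read(member).decode("utf-8-sig")  # tolerate a UTF-8 BOM
                names.update(extract_usernames(text, enabled_only))
    return sorted(names)

def build_sample_zip() -> bytes:
    """Constructed results.zip holding only the sample users file."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("20240101000000_users.json", SAMPLE_USERS_JSON)
    return buf.getvalue()
```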