Simple Bloodhound Tutorial
Check out my personal notes on GitHub; it's a handbook I made using CherryTree that consists of many useful commands for passing the OSCP or even doing actual penetration tests.
What is BloodHound
BloodHound is a single-page JavaScript web application that uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to identify quickly. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to gain a deeper understanding of privilege relationships in an Active Directory environment.
Enumeration & Data Ingestion
BloodHound is a data visualisation tool, meaning that without data it is not useful at all. BloodHound is very good at visualising Active Directory object relationships and the various permissions between those objects.
In order for BloodHound to do its magic, we need to enumerate a victim domain. The enumeration process produces a JSON file that describes the relationships and permissions between AD objects mentioned earlier, which can then be imported into BloodHound. Once the resulting JSON file is ingested into BloodHound, it lets us visually see the ways (if any) in which Active Directory and its various objects can be (ab)used to elevate privileges, ideally to Domain Admin.
SharpHound
The tool that does the aforementioned AD enumeration is called SharpHound.
I tried running SharpHound (the BloodHound ingestor, just a confusing name) from an account that was not a domain member, so I got the following message:
If you are on a machine that is a domain member but you are authenticated as a local user and have credentials for a domain user, get a shell for that user like so:
runas /user:spotless@offense powershell
If the machine is not a domain member, use /netonly so the credentials are only used for network authentication:
runas /netonly /user:spotless@offense powershell
We can now proceed to AD enumeration:
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -JSONFolder "c:\experiments\bloodhound"
The above command will produce the previously mentioned JSON file, albeit zipped:
We can now take the .zip file generated by Invoke-BloodHound and simply drag and drop it onto the BloodHound interface for ingestion. Once the ingestion is complete, we can play around with the pre-canned queries that visualise the provided data:
Execution:
Once the data is ingested, as mentioned, we can play around with the built-in queries to find things like All Domain Admins, Shortest Path to Domain Admins and similar, which may help us as an attacker to escalate privileges and compromise the entire domain/forest.
Example #1: User to Exchange Trusted Subsystem
A contrived and maybe not entirely realistic example, but still: the below shows how an attacker could assume the privileges of the Exchange Trusted Subsystem group when on the victim network as user spotless:
The above indicates that offense\spotless is an admin on DC01$ (one could use mimikatz to pass the machine account hash to get an elevated shell), where an offense\administrator session is observed (dump lsass or use token impersonation for administrator), and in this way assume the rights of the Exchange Trusted Subsystem group!
net group "Exchange Trusted Subsystem"
Group name     Exchange Trusted Subsystem
Comment        This group contains Exchange servers that run Exchange cmdlets on behalf of users via the management service. Its members have permission to read and modify all Exchange configuration, as well as user accounts and groups. This group should not be deleted.
Example #2: User to Domain Admin via AdminTo and MemberOf
The below shows how the user spotless could assume the privileges of a Domain Admin.
Similarly to the previous example, spotless is an admin on DC01$, where an admin session is established. If that session is compromised (it is), it makes the user spotless a Domain Admin:
Example #3: User to Domain Admin via Weak ACEs
The below shows how the user spotless can become a Domain Admin by abusing weak ACEs on that group. In this particular example, the user spotless can essentially add themselves to the Domain Admins group with net group "domain admins" spotless /add /domain and it is game over:
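The three examples above are all instances of one question BloodHound answers with its Shortest Path to Domain Admins query: is there a chain of AdminTo, HasSession, MemberOf or ACE edges from a low-privilege user to a high-value group? The script below is an added example (not code from the tutorial or from BloodHound/SharpHound) that runs the same breadth-first search over a constructed edge list modelling the tutorial's relationships; the edge list is a simplified (source, relationship, target) form and is not SharpHound's real JSON schema, and the GenericAll edge standing in for the weak ACE in Example #3 is an assumption. Filtering by edge type mirrors the defender's use case: after removing the ACE, does spotless still reach Domain Admins?

```python
from collections import defaultdict, deque

# Constructed sample graph modelled on the tutorial's three examples.
# Not SharpHound output; the ACE edge type is an assumed placeholder.
EDGES = [
    ("offense\\spotless", "AdminTo", "DC01$"),                          # Example #1/#2
    ("DC01$", "HasSession", "offense\\administrator"),                  # session on the DC
    ("offense\\administrator", "MemberOf", "Domain Admins"),
    ("offense\\administrator", "MemberOf", "Exchange Trusted Subsystem"),
    ("offense\\spotless", "GenericAll", "Domain Admins"),               # Example #3 (weak ACE, assumed)
]

def build_graph(edges):
    """Adjacency list keyed by source node: node -> [(relationship, target), ...]."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph

def shortest_path(edges, source, target, allowed=None):
    """Breadth-first search from source to target over outbound edges.

    allowed: optional set of relationship names to traverse (BloodHound's edge
    filter). Returns the path as a list of (src, rel, dst) hops, [] when
    source == target, or None when no path exists.
    """
    graph = build_graph(edges)
    parent = {source: None}          # node -> (previous node, relationship used)
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in graph[node]:
            if allowed is not None and rel not in allowed:
                continue
            if nxt not in parent:   # first visit is the shortest in unweighted BFS
                parent[nxt] = (node, rel)
                queue.append(nxt)
    if target not in parent:
        return None
    hops, cur = [], target
    while parent[cur] is not None:  # walk back to the source
        prev, rel = parent[cur]
        hops.append((prev, rel, cur))
        cur = prev
    return hops[::-1]

if __name__ == "__main__":
    for label, allowed in (("all edges", None), ("without ACE edges", {"AdminTo", "HasSession", "MemberOf"})):
        path = shortest_path(EDGES, "offense\\spotless", "Domain Admins", allowed)
        print(label, "->", " -> ".join(f"{s} [{r}] {d}" for s, r, d in path) if path else "no path")
```

Run against real data, the audit version of this loop is simply "remove the edge you plan to fix, re-run the search, and confirm the path is gone" rather than trusting that one remediation closed every route.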
Credits to ired team