Bloodhound Usage

BloodHound-Python
Needs access to the DC and admin creds - GitHub

Linux:

proxychains python3 bloodhound.py -d Steins.local -u admin -p 'p@$$W0rd!' -c all -dc dc.steins.local -gc dc.steins.local -v -ns 10.10.10.10 --dns-tcp

A few files will appear in the same location; import them into BloodHound.

Kali: apt-get install bloodhound
sudo neo4j console
go to localhost:7474
neo4j: neo4j #login in the browser and change the password

bloodhound #bloodhound login will pop up, login with the new creds

Windows:

Download this on the Windows target: SharpHound.ps1

powershell -ep bypass
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain Steins.local -ZipFileName file.zip

Invoke-BloodHound -CollectionMethod LoggedOn -Verbose

or

SharpHound.exe -c All -d Steins.local --zipfilename test.zip

OR
.\SharpHound.exe -d steins.local --domaincontroller 192.168.168.168 --ldapusername admin --ldappassword P@$$W0rd! --zipfilename domain.zip -c All

open the zip in bloodhound --> click on upload --> select the file


For Testing:

git clone https://github.com/BloodHoundAD/BloodHound-Tools
cd DBCreator
pip install neo4j-driver
sudo pip3 install neo4j
python3 DBCreator.py
sudo neo4j console
dbconfig

Invoke-BloodHound Commands

#specify detailed collection methods
Invoke-BloodHound -CollectionMethod ACL,ObjectProps

#Change the frequency of the requests sent by BloodHound
Invoke-BloodHound -Throttle 1500 -Jitter 10

#Increase the stealthiness of the BloodHound ingestor by minimizing its disk footprint (compress the data, remove the CSVs, don't save the cache)
Invoke-BloodHound -CompressData -RemoveCSV -NoSaveCache

Bloodhound Ingestor - Linux/Python

git clone https://github.com/dirkjanm/BloodHound.py
cd BloodHound.py
pip install .
bloodhound-python -u UserName -p "P@SSW)RD!" -d steins.local -ns 10.10.10.10 -c All

Bloodhound Rust Ingestor

git clone https://github.com/NH-RED-TEAM/RustHound.git

#install cargo
curl https://sh.rustup.rs -sSf | sh
. "$HOME/.cargo/env" 

#Compile RustHound
make install

#Run it 
rusthound -d domain.local -i 10.10.10.10 -u 'username@domain.local' -p 'P@ssw0rd!' -o . -z

# Kerberos authentication (Linux)
export KRB5CCNAME="/tmp/Username.ccache"
rusthound -d domain.local -f dc01.domain.local -k -z

Custom Queries

#Find AllowedToAct|AllowedToDelegate Permissions 
MATCH p=(n)-[r:AllowedToAct|AllowedToDelegate]->(m) RETURN p

#Find Accounts Trusted for Delegation
MATCH (n)-[r:TrustedForDelegation]->(m) RETURN n, r, m

#Find RBAC Paths
MATCH p=(n)-[r:AllowedToAct|AllowedToDelegate]->(m) RETURN p

#Find Accounts with SPN That allows Delegation
MATCH (n)-[r:HasSPN]->(m) WHERE n.TrustedToAuthForDelegation = True RETURN n, r, m

Custom Commands

Click on custom queries and edit the JSON file; we can add as many queries as required.

Example 1

{
"name": "CUSTOM",
"queryList": [
{
"final": true,
"query": "MATCH (n:User) RETURN n"
}
]
}

List all Domain Admins

{
"name": "CUSTOM",
"queryList": [
{
"final": true,
"query": "MATCH (n:Group) WHERE n.name =~ \"(?i).*DOMAIN ADMINS.*\" WITH n MATCH (n)<-[r:MemberOf*1..]-(m) RETURN n,r,m"
}
]
}
 
Display all the users that are part of the Administrators group

{
"name": "CUSTOM",
"queryList": [
{
"final": true,
"query": "MATCH (u:User)-[:MemberOf]->(g:Group {name: \"ADMINISTRATORS@ELS-CHILD.ELS.LOCAL\"}) RETURN u"
}
]
}
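As an added example that is not from the original post: a small Python script that assembles the Cypher queries from the Custom Queries section above into the `{"queries": [...]}` document that the BloodHound GUI loads from customqueries.json (the snippets above are single entries from that array), validates each entry's shape, and lets json.dumps do the inner-quote escaping that the Domain Admins entry shows by hand. The entry names are my own labels.

```python
import json

# Cypher queries taken from the post above; the names are my own labels.
QUERIES = [
    ("Find AllowedToAct|AllowedToDelegate Permissions",
     "MATCH p=(n)-[r:AllowedToAct|AllowedToDelegate]->(m) RETURN p"),
    ("Find Accounts Trusted for Delegation",
     "MATCH (n)-[r:TrustedForDelegation]->(m) RETURN n, r, m"),
    ("Find Accounts with SPN That allows Delegation",
     "MATCH (n)-[r:HasSPN]->(m) WHERE n.TrustedToAuthForDelegation = True RETURN n, r, m"),
    ("List all Domain Admins",
     'MATCH (n:Group) WHERE n.name =~ "(?i).*DOMAIN ADMINS.*" WITH n '
     "MATCH (n)<-[r:MemberOf*1..]-(m) RETURN n,r,m"),
]

def make_entry(name, cypher, final=True):
    # One entry of the "queries" array in customqueries.json
    return {"name": name, "queryList": [{"final": final, "query": cypher}]}

def validate_entry(entry):
    """Return a list of problems; an empty list means the entry is well-formed."""
    problems = []
    if not isinstance(entry.get("name"), str) or not entry["name"].strip():
        problems.append("name must be a non-empty string")
    ql = entry.get("queryList")
    if not isinstance(ql, list) or not ql:
        problems.append("queryList must be a non-empty list")
        return problems
    for i, step in enumerate(ql):
        if not isinstance(step.get("final"), bool):
            problems.append(f"queryList[{i}].final must be true/false")
        q = step.get("query")
        if not isinstance(q, str) or "MATCH" not in q.upper():
            problems.append(f"queryList[{i}].query must be a Cypher MATCH string")
    if ql[-1].get("final") is not True:  # the GUI renders the result of the final step
        problems.append("last queryList step must have final: true")
    return problems

def build_customqueries(pairs):
    """Assemble (name, cypher) pairs into the top-level {"queries": [...]} document."""
    entries = [make_entry(n, q) for n, q in pairs]
    bad = {e["name"]: validate_entry(e) for e in entries if validate_entry(e)}
    if bad:
        raise ValueError(f"invalid custom queries: {bad}")
    return {"queries": entries}

def to_json(pairs):
    """JSON text ready to paste into customqueries.json (inner quotes get escaped)."""
    return json.dumps(build_customqueries(pairs), indent=2)
```

Calling `to_json(QUERIES)` prints the full document; write it to customqueries.json and reload the GUI's custom queries.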
