Creating an Attack Path - maxbirnbacher/ADPentesting101 GitHub Wiki

Prerequisites

  • DNS entry for the DC
  • Bloodhound on Kali (sudo apt install bloodhound)
  • bloodhound-python (sudo pip install bloodhound)

Gathering Information

Bloodhound.py

There are two options regarding the collection of information for Bloodhound:

  • SharpHound (.exe) on Windows
  • Bloodhound.py on Linux

I prefer the Linux version due to the absence of an AV on my Kali.

Here is an example usage. First, point your Kali box at the domain controller for DNS by adding its IP address to /etc/resolv.conf, so that the domain name resolves:

sudo nano /etc/resolv.conf
bloodhound-python -c ALL -u 'enduser' -p 'Pa$$w0rd' -d 'domain.local' -dc 'dc.domain.local' --zip
INFO: Found AD domain: domain.local
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: dc.domain.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 4 computers
INFO: Connecting to LDAP server: dc.domain.local
INFO: Found 60 users
INFO: Found 60 groups
INFO: Found 3 gpos
INFO: Found 2 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: fileserver.domain.local
INFO: Querying computer: DESKTOP-T3GAI3Q.domain.local
INFO: Querying computer: 
INFO: Querying computer: WIN-9DMEA2KARL9.domain.local
INFO: Done in 00M 02S
INFO: Compressing output into 20240428090108_bloodhound.zip

-c ALL collects everything except LoggedOn (which requires local admin privileges on the target). To combine several collection methods, separate them with a comma, for example: -c Group,LocalAdmin.

--zip packs the output into a single .zip file, which is easier to import into Bloodhound.

Analysing the Output

There is only one option for analysis: Bloodhound.

Start Bloodhound

neo4j

Start neo4j with

sudo neo4j console

Go to http://localhost:7474 and login with default credentials.

username: neo4j
password: neo4j

After logging in, change the password; you will use it later to log in to Bloodhound.

Bloodhound

Start Bloodhound (either via the GUI or by running bloodhound in the terminal) and enter the credentials.

username: neo4j
password: [previously set password]

Import Data & Custom Queries

Click on Upload Data, select the .zip produced by bloodhound-python and open it.

Now we have the collected data and the standard queries.

I highly recommend installing the custom queries from CompassSecurity, which can be installed via this one-liner:

curl -o ~/.config/bloodhound/customqueries.json "https://raw.githubusercontent.com/CompassSecurity/BloodHoundQueries/master/BloodHound_Custom_Queries/customqueries.json"

Mark pwnd Users

Since compromised accounts are not flagged anywhere in the collected data, we have to mark them as Owned ourselves. That can be done in the graph, or a little faster with the following Cypher queries:

// Single user
// Set as owned (note: 'contains' is a substring match, so 'enduser' would also hit 'enduser2')
MATCH (u:User) WHERE (u.samaccountname contains 'enduser') SET u.owned = true

// Return the user to confirm the flag was set
MATCH (u:User) WHERE (u.samaccountname contains 'enduser') RETURN u

// Multiple users
// Set as owned (exact matches against the list)
MATCH (u:User) WHERE (u.samaccountname in ['enduser', 'user']) SET u.owned = true

// Return the users
MATCH (u:User) WHERE (u.samaccountname in ['enduser', 'user']) RETURN u

Plotting Attack Path

For the scenario we assume that we have the following:

  • One user: enduser
  • A compromised PC

When looking around the compromised PC, we find a note:

Hi, I have changed the password for Opaline.Herta back to the default password.

An insider leaked the default password to us: Changeme123!. We now have a second user.

When we generate the graph for Principals with DCSync Rights, we can see that Opaline.Herta is a member of the group DCSync admins.
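The same "who can DCSync this domain" answer can be produced offline, straight from the .zip that bloodhound-python wrote, which is handy for a defender auditing the collected data without a neo4j instance. The following is an added example (not code from this wiki or from the BloodHound project): it walks the collected JSON, resolves nested group membership, and lists every account holding DCSync rights on each domain. It assumes the BloodHound v4/v5 JSON layout (meta.type, ObjectIdentifier, Properties.name, Aces, Members) and BloodHound's rule for the DCSync edge; the sample archive is constructed inline.

```python
import io, json, zipfile
from collections import defaultdict

# Domain-object rights BloodHound renders as a DCSync edge (assumption: the GetChanges pair, or GenericAll/AllExtendedRights alone)
DCSYNC_PAIR, DCSYNC_ALONE = {"GetChanges", "GetChangesAll"}, {"GenericAll", "AllExtendedRights"}

def expand(sid, members, seen=frozenset()):
    """Transitively resolve a group SID to the user/computer SIDs it contains (cycle-safe)."""
    if sid in seen:
        return set()
    if sid not in members:                      # not a group: terminal principal
        return {sid}
    return set().union(*[expand(m, members, seen | {sid}) for m in members[sid]])

def dcsync_principals(zip_bytes):
    """Map each domain in a bloodhound-python --zip archive to the accounts able to DCSync it."""
    by_type = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for entry in archive.namelist():
            blob = json.loads(archive.read(entry))
            by_type[blob["meta"]["type"]].extend(blob["data"])      # users, groups, domains, ...
    names = {o["ObjectIdentifier"]: o["Properties"]["name"] for objs in by_type.values() for o in objs}
    members = {g["ObjectIdentifier"]: [m["ObjectIdentifier"] for m in g.get("Members", [])]
               for g in by_type["groups"]}
    result = {}
    for domain in by_type["domains"]:
        held = defaultdict(set)                                     # principal SID -> rights on the domain
        for ace in domain.get("Aces", []):
            held[ace["PrincipalSID"]].add(ace["RightName"])
        accounts = set()
        for sid, rights in held.items():
            if DCSYNC_PAIR <= rights or rights & DCSYNC_ALONE:
                accounts |= expand(sid, members)
        result[domain["Properties"]["name"]] = sorted(names.get(s, s) for s in accounts)
    return result

def sample_zip():
    """Constructed three-file archive (not real collector output) mirroring the page's scenario."""
    d, g, h, e = "S-1-5-21-1-1-1", "S-1-5-21-1-1-1-1105", "S-1-5-21-1-1-1-1201", "S-1-5-21-1-1-1-1202"
    files = {"domains": [{"ObjectIdentifier": d, "Properties": {"name": "DOMAIN.LOCAL"}, "Aces": [
                 {"PrincipalSID": g, "RightName": "GetChanges"}, {"PrincipalSID": g, "RightName": "GetChangesAll"},
                 {"PrincipalSID": e, "RightName": "GetChanges"}]}],    # enduser holds only half of the pair
             "groups": [{"ObjectIdentifier": g, "Properties": {"name": "DCSYNC ADMINS@DOMAIN.LOCAL"},
                         "Members": [{"ObjectIdentifier": h}]}],
             "users": [{"ObjectIdentifier": h, "Properties": {"name": "OPALINE.HERTA@DOMAIN.LOCAL"}},
                       {"ObjectIdentifier": e, "Properties": {"name": "ENDUSER@DOMAIN.LOCAL"}}]}
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as archive:
        for kind, data in files.items():
            archive.writestr(f"x_{kind}.json", json.dumps({"meta": {"type": kind}, "data": data}))
    return buf.getvalue()
```

Running dcsync_principals(sample_zip()) reports only Opaline.Herta, via her group, while enduser is left out because GetChanges without GetChangesAll is not enough for a DCSync.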

Luckily we can pwn the user and verify that the default credentials Opaline.Herta:Changeme123! work. After marking the user as Owned, the graph shows that we could perform a DCSync to obtain the DC database. This is our attack path to domain admin: from there we can generate a golden ticket and create a user with domain admin rights.
