BloodHound
- https://github.com/SpecterOps/BloodHound
- Attack Path: https://morimori-dev.github.io/posts/tech-bloodhound-attack-paths/
NOTE: sometimes the output zipfile doesn’t get properly ingested. Try extracting it and uploading the individual JSON files.
BloodHound is THE TOOL for AD enumeration. It “[l]everages graph theory to reveal hidden and often unintended relationships across identity and access management systems…” visually, along with pre-built queries to find weaknesses in domain structures.
Pre-Requisites
Collecting Info
- Collection Methods: https://bloodhound.specterops.io/collect-data/ce-collection/sharphound-flags
Uploading Info
- Transfer Bloodhound data to attacker
- Upload zipfile to Bloodhound: http://127.0.0.1:8080/ui/login
- Upload to Bloodhound: http://127.0.0.1:8080/ui/administration/file-ingest
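For the ingestion note at the top of the page, an added Python check (not part of BloodHound or SharpHound) that opens a collector zip and validates each JSON member before upload, so a corrupt or inconsistent file can be spotted and handled on its own. It assumes the SharpHound layout of a top-level `data` list plus a `meta` block carrying `type` and `count`; the sample archive is constructed.

```python
import io
import json
import zipfile

# Constructed sample in the assumed SharpHound layout: {"data": [...], "meta": {"type", "count", ...}}
SAMPLE_FILES = {
    "20240101_users.json": {
        "data": [{"ObjectIdentifier": "S-1-5-21-1-2-3-1001"},
                 {"ObjectIdentifier": "S-1-5-21-1-2-3-1002"}],
        "meta": {"type": "users", "count": 2, "version": 5},
    },
    "20240101_computers.json": {
        "data": [{"ObjectIdentifier": "S-1-5-21-1-2-3-1103"}],
        "meta": {"type": "computers", "count": 3, "version": 5},  # count != data length
    },
    "20240101_groups.json": "{ not valid json",  # truncated/corrupt member
}

def build_sample_zip() -> bytes:
    """Build an in-memory zip resembling a SharpHound output archive (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in SAMPLE_FILES.items():
            zf.writestr(name, content if isinstance(content, str) else json.dumps(content))
    return buf.getvalue()

def check_sharphound_zip(zip_bytes: bytes) -> dict:
    """Inspect each JSON member so a bad file can be fixed or uploaded on its own."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".json"):
                continue
            entry = {"ok": False, "type": None, "count": None, "problem": None}
            try:
                doc = json.loads(zf.read(name))
                doc = doc if isinstance(doc, dict) else {}
                meta = doc["meta"] if isinstance(doc.get("meta"), dict) else {}
                data = doc.get("data")
                entry["type"], entry["count"] = meta.get("type"), meta.get("count")
                if entry["type"] is None or not isinstance(data, list):
                    entry["problem"] = "missing meta.type or data list"
                elif entry["count"] != len(data):
                    entry["problem"] = f"meta.count {entry['count']} != {len(data)} data objects"
                else:
                    entry["ok"] = True
            except (json.JSONDecodeError, UnicodeDecodeError) as exc:
                entry["problem"] = f"not valid JSON: {exc}"
            report[name] = entry
    return report
```

Members reported as not OK are the ones to extract and inspect before retrying the upload; the rest can go in as-is.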
Analysis and Queries
| BEST QUERIES | Why |
|---|---|
| Find Shortest Paths to Domain Admins | Primary attack path |
| Find Principals with DCSync Rights | Instant game over if found |
| Find Kerberoastable Users | Most common foothold |
| Shortest Paths to DA from Kerberoastable Users | Combined path |
| Find AS-REP Roastable Users | No creds needed |
| Find Computers where Domain Users are Local Admin | Easy lateral movement |
Domain Trusts
- Pre-built Query
- Analysis > Domain Information > Map Domain Trusts
Enumerating ACLs of User
- Select starting node user
- Select Node Info > scroll to Outbound Control Rights
- First Degree Object Control: right-click edge > Help for more info
- Transitive Object Control: Analysis > Dangerous Rights
CanRDP
- BloodHound CanRDP:
- Search for User > Node Info > Execution Rights
- Analysis > Find Workstations where Domain Users can RDP
- Analysis > Find Servers where Domain Users can RDP