Setup BloodHound tool on Windows and enumerate Active Directory Objects
BloodHound is an application used to visualize active directory environments. The front-end is built on electron and the back-end is a Neo4j database, the data leveraged is pulled from a series of data collectors also referred to as ingestors which come in PowerShell and C# flavours.
- It identifies different attack paths in Active Directory , maps access control lists (ACLs), users, groups, trust relationships and unique AD objects.
Setup
•BloodHound is supported by Linux, Windows, and MacOS. Bloodhound is built on neo4j and depends on it. Neo4j is a graph database management system, which uses NoSQL as a graph database.
•Download the Windows binary from Bloodhound GitHub Page
https://github.com/BloodHoundAD/BloodHound/releases
•Download Neo4J community Server
- Open Neo4j Folder and run the Neo4j database for the use of Bloodhound
● Run the bloodhound and connect to the neo4j database by giving username neo4j and password as neo4j
Usage
•Inorder to collect the data of Active Directory, should use Ingestiors like Sharphound and Powershell Script that is given in Bloodhound
https://github.com/BloodHoundAD/BloodHound/tree/master/Ingestors
•if you are running on non-AD member first you need to run it as AD member by issuing command
runas /netonly /user:ad.redacted.com\<username> “cmd.exe -nop -executionPolicy bypass”
•Connect to Pulsesecure(VPN) where you connect to your Active Directory to enumerate AD objects
SharpHound.exe Invoke-BloodHound — CollectionMethod All
•The default if this parameter is not supplied is Default:
Default — This performs a collection of the local admins on machines, group memberships, domain trusts, and sessions.
Group — Collects the group memberships only
LocalGroup — Collects just the local admins
GPOLocalGroup — Performs local admin collection using Group Policy Objects
ComputerOnly — Performs local admin collection and session collection
Session — Collects the user sessions on machines on the domain
LoggedOn — Performs privileged session collection (this requires local admin rights on target systems
Usage
Trusts — Enumerates the domain trusts for the specified target domain
ACL — Collects the access control lists from the domain
Container — Performs collection of Containers
All — Performs all Collection Methods listed above.
- Once the command successfully executed it gives you a zip folder , Import the zip in the Bloodhound
- Bloodhound has some default Queries which gives you understanding objects of Domain
Custom Queries Usage
•Custome Queries can also use to query the database
https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/
- The command is intended for the graph/GUI or console. For the console, it means they cannot be executed via Bloodhound GUI and must be done via the neo4j console.
References
•https://www.pentestpartners.com/security-blog/bloodhound-walkthrough-a-tool-for-many-tradecrafts/