BloodHound

Bloodhound - Simple

$ sudo apt-get update

$ sudo apt install bloodhound

$ sudo neo4j console

Click the localhost link and sign into neo4j, then sign in

(Default creds are neo4j/neo4j. Recommended to change them)

Now, simply type $ bloodhound into the terminal and it should pop up with sign in credentials!

BloodHound Python Ingestor

• git clone https://github.com/fox-it/BloodHound.py

• cd /BloodHound.py

• python setup.py install

• python bloodhound.py -d -u -p -dc -gc -ns -c All,Session -v

SharpHound - Data Collection for Windows

• Configure your system DNS server to be the IP address of a domain controller in the target domain

• Spawn a CMD shell as a user in that domain using runas and its /netonly flag, like so: C:\> runas /netonly /user:CONTOSO\TestUser cmd.exe

• You will be prompted to enter a password. Enter the password and hit enter.

• A new CMD window will appear. If you type whoami, you will not see the name of the user you’re impersonating. This is because of the /netonly flag: the instance of CMD will only authenticate as that user when you authenticate to other systems over the network, but you are still the same user you were before when authenticating locally.

• Verify you’ve got valid domain authentication by using the net binary:

  C:\> net view \\contoso\

• If you can see the SYSVOL and NETLOGON folders, you’re good. Run SharpHound, using the -d flag to specify the AD domain you want to collect information from. You can also use any other flags you wish. C:\> SharpHound.exe -d contoso.local

After BloodHound is Running with Imported Data

Look for:

Sessions, servers within DA path, Users within DA path, Users linked with DA, Misconfigured AD structures.

i.e. DA accounts should only be restricted to logging into the Domain Controller - if not this is a misconfig

i.e Server Admins should be broken up -> Admin Accounts vs. Service Accounts Rights - if not this is a misconfig sessions

If no sessions, try to re-do the data collection

Cypher Query Language and Statistics

Go to http://localhost:7474

Custom queries

https://github.com/hausec/Bloodhound-Custom-Queries

BloodHound C2

• execute-assembly /path/to/sharphound.exe --CollectionMethod All --NoSaveCache --CompressData

• powershell-import sharphound.ps1

• powerpick Invoke-BloodHound -CollectionMethod Session -LoopDelay 120 MaxLoopTime 0d0h10m0s

• powerpick Invoke-BloodHound --CollectionMethod All --NoSaveCache --RandomFilenames

• powerpick Invoke-BloodHound --CollectionMethod All

• Download Bloodhound.zip