# BloodHound

## Bloodhound - Simple

$ sudo apt-get update

$ sudo apt install bloodhound

$ sudo neo4j console

Click the localhost link printed in the console and sign in to neo4j.

(Default creds are neo4j/neo4j. Recommended to change them.)

Now, simply type $ bloodhound into the terminal and it should pop up asking for sign-in credentials!

## BloodHound Python Ingestor

* [ ] git clone <https://github.com/fox-it/BloodHound.py>
* [ ] cd BloodHound.py
* [ ] python setup.py install
* [ ] python bloodhound.py -d DOMAIN -u USER -p PASSWORD -dc DC_HOST -gc GC_HOST -ns NAMESERVER_IP -c All,Session -v (the uppercase values are placeholders)

## SharpHound - Data Collection for Windows

* [ ] Configure your system DNS server to be the IP address of a domain controller in the target domain
* [ ] Spawn a CMD shell as a user in that domain using *runas* and its */netonly* flag, like so:\
  C:\\> runas /netonly /user:CONTOSO\TestUser cmd.exe
* [ ] You will be prompted to enter a password. Enter the password and hit enter.
* [ ] A new CMD window will appear. If you type *whoami*, you will not see the name of the user you’re impersonating. This is because of the */netonly* flag: the instance of CMD will only authenticate as that user when you authenticate to other systems over the network, but you are still the same user you were before when authenticating locally.
* [ ] Verify you’ve got valid domain authentication by using the *net* binary:

  C:\\> net view \\\contoso\\
* [ ] If you can see the SYSVOL and NETLOGON folders, you’re good. Run SharpHound, using the *-d* flag to specify the AD domain you want to collect information from. You can also use any other flags you wish.\
  C:\\> SharpHound.exe -d contoso.local

## After BloodHound is Running with Imported Data

Look for:

Sessions, servers within the DA (Domain Admin) path, users within the DA path, users linked with DA, misconfigured AD structures.

e.g. DA accounts should be restricted to logging in to the Domain Controller only. If they are not, this is a misconfiguration.

e.g. Server Admins should be broken up into Admin Accounts vs. Service Account rights. If they are not, this is a misconfiguration.

If there are no sessions, try re-doing the data collection.

## Cypher Query Language and Statistics

Go to <http://localhost:7474>
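
The Domain Admin logon check from the previous section, written as Cypher for the Neo4j browser. This is an added example, not from the original page or the BloodHound project; it assumes the BloodHound 4.x schema (`objectid` property, `HasSession` and `MemberOf` edges) and identifies the groups by their well-known RIDs (512 for Domain Admins, 516 for Domain Controllers).

```cypher
// Statement 1: sanity check. A count of 0 means no session data was
// imported, so re-run the collection before drawing any conclusions.
MATCH ()-[r:HasSession]->()
RETURN count(r) AS session_edges;

// Statement 2: Domain Admin sessions on machines that are not Domain Controllers.
// OPTIONAL MATCH keeps the query alive even if no DC group was imported;
// collect() drops the resulting null, leaving an empty list.
OPTIONAL MATCH (dc:Computer)-[:MemberOf*1..]->(dcGroup:Group)
WHERE dcGroup.objectid ENDS WITH '-516'
WITH collect(DISTINCT dc) AS dcs

// Users that are direct or nested members of Domain Admins and have a
// recorded session on a computer outside the DC list.
MATCH (c:Computer)-[:HasSession]->(u:User)-[:MemberOf*1..]->(g:Group)
WHERE g.objectid ENDS WITH '-512'
  AND NOT c IN dcs
RETURN DISTINCT c.name AS computer,
                u.name AS domain_admin,
                g.name AS via_group
ORDER BY computer, domain_admin;
```

Run the two statements separately. Every row returned by the second one is a host where a Domain Admin credential was exposed outside the Domain Controllers, which is the misconfiguration described above.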

#### Custom queries

<https://github.com/hausec/Bloodhound-Custom-Queries>

## BloodHound C2

* [ ] execute-assembly /path/to/sharphound.exe --CollectionMethod All --NoSaveCache --CompressData
* [ ] powershell-import sharphound.ps1
* [ ] powerpick Invoke-BloodHound -CollectionMethod Session -LoopDelay 120 -MaxLoopTime 0d0h10m0s
* [ ] powerpick Invoke-BloodHound -CollectionMethod All -NoSaveCache -RandomFilenames
* [ ] powerpick Invoke-BloodHound -CollectionMethod All
* [ ] Download Bloodhound.zip

