We will try to understand Installation and post exploitation using Bloodhound.
Bloodhound is an application used to visualize Active directory environments. Before the release of bloodhound the process was performed by penetration testers that were looking to exploit trust-based relationships within an active directory domain.
Since the release of bloodhound the process of identifying potential useful relationship for privilege esclation purposes has been largely automated.
The frontend of bloodhound is built on electron and the backend on Neo4j database. Neo4j is a graph database management system, which uses NoSql as a graph database.
Install bloodhound in kali machine
# apt-get install bloodhound
Now we will start Neo4j to see it works without any errors
# sudo neo4j console
If there is no errors we will navigate to http://localhost:7474 with a browser to update the database password that we will use to login to the bloodhound application.
Default credentials are neo4j:neo4j
Update Username and password
So neo4j is configured and ready to integrate with bloodhound.
Collecting The data
Now collecting the data can be a pain in the ass for that there is a prebuilt injestor which is called Sharphound. It comes as a regular command line .exe or poweshell script name SharpHound.ps1 containing the same assembly as the .exe
SharpHound collects all the information about active sessions, AD permissions and a lot more by only using the permisiions of a regular user.It even collects information about active sessions, AD permissions and a lot more by only using the permissions of a regular user.
SharpHound outputs JSON files that are then fed into the Neo4j databse and later visualized by the GUI.
Lets collect the data we are gonna use Powershell script because .exe file in real world scenerio can be easily detected by Antivirus because many a Antivirus have signature in them and consider sharphound as a potential threat.
cmd> powershell -ev bypassPS> . .\sharpHound.PS1PS> Invoke-BloodHound -CollectionMethod All -Domain Controller.local -zipFileName loot.zip
So we have collected loot but now we have to move the loot.zip from remote machine to kali machine for this we are gonna use sftp (SSH file transfer protocol). You can learn more about SFTP here
Use SFTP to transfer files
The SSH File Transfer Protocol (SFTP), also known as the Secure File Transfer Protocol, enables secure file transfer…
# sftp Administrator@10.101.10.10Then we can use get command to download zip file to our own kali machine
So we have got our loot.zip file in our kali machine lets start bloodhound to analyze the file.
Start BloodHound for Analysis
# sudo bloodhound
Start neo4j as well to connect database and use username and password we have set earlier while configuring the neo4j.
Uploading the Loot file
There is a upload button in the right corner of the bloodHound console.
Select the button and upload the file for analysis.
To view the graphical network open the menu and select queries this will give a list of precompiled Queries for Choose. These Queries are far sufficient for the time being but we can make our own custom queries.
- List all kerberoastable accounts.
- Shortest paths to unconstrained Delegation system.
There are tons of other queries as well you can try yourself.