Active Directory BloodHound
Active Directory BloodHound
Neo4j is written in Java and requires a Java Virtual Machine (JVM) to run.
BloodHound can be installed on Windows, Linux, and macOS. We will need to install Java
and Neo4j and then download the BloodHound GUI. We can also build the BloodHound GUI
from the source, but we won't cover that step in this section. If you want to build from the
source, you can read BloodHound official documentation.
1. Install Java.
2. Install Neo4j.
3. Install BloodHound.
Note: BloodHound 4.2 is installed in PwnBox and ready to use. Both binaries are in the path,
you can use sudo neo4j console to start the Neo4j database and bloodhound to launch
BloodHound GUI.
BloodHound is installed on the target machine. It is not necessary to install it. To run it we
would only need to start the database with the following command net start neo4j and
execute bloodhound.exe which is in the C:\Tools folder.
Windows Installation
We first need to download and install Java Oracle JDK 11. We need to register an account
before downloading Java from their website. Once we download the installation file, we can
silently install it using the following command:
PS C:\htb> .\jdk-11.0.17_windows-x64_bin.exe /s
https://t.me/offenciveSec
Next, we need to install Neo4j . We can get the complete list of available versions in the
Neo4j Download Center. We will use Neo4j 4.4, the latest version at the time of writing is
Neo4j 4.4.16. Once downloaded, open Powershell, running as administrator, and extract the
content of the file:
Unzip Neo4j
Note: Neo4j 5, the latest version, suffers from severe performance regression issues, this is
why we are not using version 5. For more information visit: BloodHound Official
Documentation.
Next, we need to install Neo4j. To install it as a service, we need to move to the .\neo4j-
community-*\bin\ directory and execute the following command neo4j.bat install-
service :
Note: At this point, we may see an error about Java not being found or the wrong version of
Java running. Ensure your JAVA_HOME environment variable is set to the JDK folder
(example: C:\Program Files\Java\jdk-11.0.17); this is done automatically after installation.
Still, if the installation fails, we must ensure everything is configured correctly.
Start Service
https://t.me/offenciveSec
Authenticate to Neo4j in the web console with username neo4j and password neo4j , leave
the database empty, and once prompted, change the password.
https://t.me/offenciveSec
Download BloodHound GUI
1. Download the latest version of the BloodHound GUI for Windows from
https://github.com/BloodHoundAD/BloodHound/releases.
Note: We may get a warning from the Browser or the AV that the file is malicious. Ignore and
allow the download.
https://t.me/offenciveSec
Linux Installation
The first thing we need to do is download and install Java Oracle JDK 11 . We will update
our apt sources to install the correct package:
With this update, if Java is not installed when we try to install Neo4j, it will automatically
install it as part of the Neo4j installation. Let's add the apt sources for Neo4j installation:
Before installing Neo4j, we need to install the apt-transport-https package with apt:
Now we can install Neo4j. Let's first list the available options and pick the latest 4.4.X
version.
Installing Neo4j
At the time of writting. The latest version is Neo4j 4.4.16, let's install that version with the
following command:
https://t.me/offenciveSec
neo4j
1 upgraded, 0 newly installed, 0 to remove, and 236 not upgraded.
Need to get 106 MB of archives.
After this operation, 1,596 kB of additional disk space will be used.
Get:1 https://debian.neo4j.com stable/4.4 amd64 neo4j all 1:4.4.16 [106
MB]
Fetched 106 MB in 2s (55.9 MB/s)
...SNIP...
Next, we need to make sure we are using Java 11. We can update which java version our
operating system will use with the following command:
Note: Option 1 correspond to Java 11. The option may be different in your system.
cd /usr/bin
sudo ./neo4j console
Directories in use:
home: /var/lib/neo4j
config: /etc/neo4j
logs: /var/log/neo4j
plugins: /var/lib/neo4j/plugins
import: /var/lib/neo4j/import
data: /var/lib/neo4j/data
certificates: /var/lib/neo4j/certificates
licenses: /var/lib/neo4j/licenses
https://t.me/offenciveSec
run: /var/lib/neo4j/run
Starting Neo4j.
2023-01-05 20:04:26.679+0000 INFO Starting...
2023-01-05 20:04:27.369+0000 INFO This instance is ServerId{fb3f5e13}
(fb3f5e13-5dfd-49ee-b068-71ad7f5ce997)
2023-01-05 20:04:29.103+0000 INFO ======== Neo4j 4.4.16 ========
2023-01-05 20:04:30.562+0000 INFO Performing postInitialization step for
component 'security-users' with version 3 and status CURRENT
2023-01-05 20:04:30.562+0000 INFO Updating the initial password in
component 'security-users'
2023-01-05 20:04:30.862+0000 INFO Bolt enabled on localhost:7687.
2023-01-05 20:04:31.881+0000 INFO Remote interface available at
http://localhost:7474/
2023-01-05 20:04:31.887+0000 INFO id:
613990AF56F6A7BDDA8F79A02F0ACED758E04015C5B0809590687C401C98A4BB
2023-01-05 20:04:31.887+0000 INFO name: system
2023-01-05 20:04:31.888+0000 INFO creationDate: 2022-12-12T15:59:25.716Z
2023-01-05 20:04:31.888+0000 INFO Started.
To start and stop the service, we can use the following commands:
Start Neo4j
Stop Neo4j
Note: It is very common for people to host Neo4j on a Linux system but use the BloodHound
GUI on a different system. Neo4j, by default, only allows local connections. To allow remote
connections, open the neo4j configuration file located at /etc/neo4j/neo4j.conf and edit
this line:
#dbms .default_listen_address=0.0.0.0
Remove the # character to uncomment the line. Save the file, then start neo4j up again
Open a web browser and navigate to the Neo4j web console at http://localhost:7474/:
https://t.me/offenciveSec
Change Neo4j default credentials. Authenticate to neo4j in the web console with username
neo4j and password neo4j , leave the database empty, and once prompted, change the
password.
https://t.me/offenciveSec
Download BloodHound GUI
1. Download the latest version of the BloodHound GUI for Linux from
https://github.com/BloodHoundAD/BloodHound/releases.
1. Unzip the folder, then run BloodHound with the --no-sandbox flag:
Unzip BloodHound
https://t.me/offenciveSec
unzip BloodHound-linux-x64.zip
Archive: BloodHound-linux-x64.zip
creating: BloodHound-linux-x64/
inflating: BloodHound-linux-x64/BloodHound
...SNIP...
Execute BloodHound
cd BloodHound-linux-x64/
./BloodHound --no-sandbox
MacOS Install
To install BloodHound in MacOS, we can follow the steps provided in BloodHound official
documentation.
https://t.me/offenciveSec
Updating BloodHound requirements (Linux)
In case we have already installed BloodHound, and we need to update it to support the
latest version, we can update Neo4j and Java with the following commands:
Update Neo4j
Note: Make sure to change the Java version to 11 as mention in the installation steps.
https://t.me/offenciveSec
1. edit /etc/neo4j/neo4j.conf , and uncomment
dbms.security.auth_enabled=false .
2. Start neo4j console:
Next Steps
https://t.me/offenciveSec
In the following sections, we will start working with BloodHound and using SharpHound to
collect data from the Active Directory.
BloodHound Overview
Attackers and defenders commonly have difficulty discovering or auditing all the accesses of
a user or how these accesses are interconnected to give privileges to a user that are not
supposed to exist.
Because the attack surface and the amount of data produced in Active Directory
environments are highly complex and evolving, and because we needed a way to automate
the collection and analysis of this data, @_wald0, @harmj0y, and @CptJesus created
BloodHound.
Note: To understand more about Active Directory, we can look at these modules Introduction
to Active Directory and Active Directory Enumeration & Attacks.
BloodHound Overview
BloodHound is an open-source tool used by attackers and defenders alike to analyze Active
Directory domain security. The tool collects a large amount of data from an Active Directory
domain. It uses the graph theory to visually represent the relationship between objects and
identify domain attack paths that would have been difficult or impossible to detect with
traditional enumeration. As of version 4.0, BloodHound now also supports Azure. Although
the primary purpose of this module will be Active Directory, we will introduce AzureHound in
the section Azure Enumeration.
https://t.me/offenciveSec
nodes and edges further in another section, but let's do an example to see how BloodHound
works.
The tool uses Cypher Query Language to analyze relationships. Cypher is Neo4j’s graph
query language that lets us retrieve data from the graph. It is like SQL for graphs, and was
inspired by SQL so it lets us focus on what data we want out of the graph (not how to go get
it). It is the easiest graph language to learn by far because of its similarity to other languages
and intuitiveness. We will discuss more about Cypher queries later in this module.
The below diagram shows two nodes, A and B . In this example, we can only go from node
A to node B , not the other way.
This could simulate A as the user Grace and B as the group SQL Admins , the line
between the two is the edge, which in this case is MemberOf . The next graphic show us that
in BloodHound, where the user Grace is a member of the SQL Admins group.
Let's see a more complex relationship between nodes. The following graphic shows eight (8)
nodes and ten (10) edges. Node H can reach node G , but no node has a direct path to
node H . To get to node C from node A , we can hop to node G , move to node F , and then
to node C , but that's not the shortest path. One of the BloodHound capabilities is to look for
the shortest path. In this example, the shortest path from node A to node C is one hop
through node B .
https://t.me/offenciveSec
In the previous example, we used BloodHound to find that Grace is a member of SQL
Admins , which is pretty simple to discover. We can use the Active Directory Users and
Computers GUI or the net user grace /domain command. With only this information, we
can conclude that Grace doesn't have any path to the Domain Admins group, but that is
where BloodHound is much more helpful in helping us identify those relationships between
nodes that are not easy to locate.
Let's use BloodHound as our map navigator and ask how to get from the user Grace to the
Domain Admins group. Here's the result:
This means that Grace , as a member of the SQL Admins group, can change Peter 's
password. Authenticate with Peter 's new password and perform operations as a member of
the Domain Admins group. Although Peter is not a member directly, he is a member of a
group that is.
https://t.me/offenciveSec
BloodHound for Enterprise
The SpecterOps team that created BloodHound also created BloodHound Enterprise. An
Attack Path Management solution that continuously maps and quantifies Active Directory
Attack Paths. Ideal for enterprises that want to constantly monitor the different types of on-
premises and cloud attack paths, prioritize their actions, obtain remediation guidance, and
continuously measure their security posture.
The good thing about this project is that the BloodHound for Enterprise team uses a
common library between the commercial and the FOSS project and introduces SharpHound
Common: one code base from which both FOSS SharpHound and SharpHound Enterprise
are built. This code base enables, among other things:
Improved documentation.
Improves the quality and stability of SharpHound for everyone.
Note: To learn more you can read: Introducing BloodHound 4.1 — The Three Headed
Hound.
Moving On
Now that we have covered graph theory and how BloodHound works with nodes and edges
to find the shortest paths, let's move on and collect some data that we can ingest into
BloodHound and start manipulating.
Module Exercises
Throughout this module, you will connect to various target hosts via the Remote Desktop
Protocol (RDP) to complete the exercises. We will provide any necessary credentials with
each exercise, and the RDP connection can be made via xfreerdp from the Pwnbox as
follows:
After logging in to the target host, all tools can be found in the C:\Tools directory.
https://t.me/offenciveSec
Next Steps
In the following sections, we will see how to collect Active Directory information from
Windows and Linux and how to analyze the information we collect.
Neo4j is written in Java and requires a Java Virtual Machine (JVM) to run.
BloodHound can be installed on Windows, Linux, and macOS. We will need to install Java
and Neo4j and then download the BloodHound GUI. We can also build the BloodHound GUI
from the source, but we won't cover that step in this section. If you want to build from the
source, you can read BloodHound official documentation.
1. Install Java.
2. Install Neo4j.
3. Install BloodHound.
Note: BloodHound 4.2 is installed in PwnBox and ready to use. Both binaries are in the path,
you can use sudo neo4j console to start the Neo4j database and bloodhound to launch
BloodHound GUI.
BloodHound is installed on the target machine. It is not necessary to install it. To run it we
would only need to start the database with the following command net start neo4j and
execute bloodhound.exe which is in the C:\Tools folder.
Windows Installation
We first need to download and install Java Oracle JDK 11. We need to register an account
before downloading Java from their website. Once we download the installation file, we can
silently install it using the following command:
PS C:\htb> .\jdk-11.0.17_windows-x64_bin.exe /s
https://t.me/offenciveSec
Next, we need to install Neo4j . We can get the complete list of available versions in the
Neo4j Download Center. We will use Neo4j 4.4, the latest version at the time of writing is
Neo4j 4.4.16. Once downloaded, open Powershell, running as administrator, and extract the
content of the file:
Unzip Neo4j
Note: Neo4j 5, the latest version, suffers from severe performance regression issues, this is
why we are not using version 5. For more information visit: BloodHound Official
Documentation.
Next, we need to install Neo4j. To install it as a service, we need to move to the .\neo4j-
community-*\bin\ directory and execute the following command neo4j.bat install-
service :
Note: At this point, we may see an error about Java not being found or the wrong version of
Java running. Ensure your JAVA_HOME environment variable is set to the JDK folder
(example: C:\Program Files\Java\jdk-11.0.17); this is done automatically after installation.
Still, if the installation fails, we must ensure everything is configured correctly.
Start Service
https://t.me/offenciveSec
Authenticate to Neo4j in the web console with username neo4j and password neo4j , leave
the database empty, and once prompted, change the password.
https://t.me/offenciveSec
Download BloodHound GUI
1. Download the latest version of the BloodHound GUI for Windows from
https://github.com/BloodHoundAD/BloodHound/releases.
Note: We may get a warning from the Browser or the AV that the file is malicious. Ignore and
allow the download.
https://t.me/offenciveSec
Linux Installation
The first thing we need to do is download and install Java Oracle JDK 11 . We will update
our apt sources to install the correct package:
With this update, if Java is not installed when we try to install Neo4j, it will automatically
install it as part of the Neo4j installation. Let's add the apt sources for Neo4j installation:
Before installing Neo4j, we need to install the apt-transport-https package with apt:
Now we can install Neo4j. Let's first list the available options and pick the latest 4.4.X
version.
Installing Neo4j
At the time of writting. The latest version is Neo4j 4.4.16, let's install that version with the
following command:
https://t.me/offenciveSec
neo4j
1 upgraded, 0 newly installed, 0 to remove, and 236 not upgraded.
Need to get 106 MB of archives.
After this operation, 1,596 kB of additional disk space will be used.
Get:1 https://debian.neo4j.com stable/4.4 amd64 neo4j all 1:4.4.16 [106
MB]
Fetched 106 MB in 2s (55.9 MB/s)
...SNIP...
Next, we need to make sure we are using Java 11. We can update which java version our
operating system will use with the following command:
Note: Option 1 correspond to Java 11. The option may be different in your system.
cd /usr/bin
sudo ./neo4j console
Directories in use:
home: /var/lib/neo4j
config: /etc/neo4j
logs: /var/log/neo4j
plugins: /var/lib/neo4j/plugins
import: /var/lib/neo4j/import
data: /var/lib/neo4j/data
certificates: /var/lib/neo4j/certificates
licenses: /var/lib/neo4j/licenses
https://t.me/offenciveSec
run: /var/lib/neo4j/run
Starting Neo4j.
2023-01-05 20:04:26.679+0000 INFO Starting...
2023-01-05 20:04:27.369+0000 INFO This instance is ServerId{fb3f5e13}
(fb3f5e13-5dfd-49ee-b068-71ad7f5ce997)
2023-01-05 20:04:29.103+0000 INFO ======== Neo4j 4.4.16 ========
2023-01-05 20:04:30.562+0000 INFO Performing postInitialization step for
component 'security-users' with version 3 and status CURRENT
2023-01-05 20:04:30.562+0000 INFO Updating the initial password in
component 'security-users'
2023-01-05 20:04:30.862+0000 INFO Bolt enabled on localhost:7687.
2023-01-05 20:04:31.881+0000 INFO Remote interface available at
http://localhost:7474/
2023-01-05 20:04:31.887+0000 INFO id:
613990AF56F6A7BDDA8F79A02F0ACED758E04015C5B0809590687C401C98A4BB
2023-01-05 20:04:31.887+0000 INFO name: system
2023-01-05 20:04:31.888+0000 INFO creationDate: 2022-12-12T15:59:25.716Z
2023-01-05 20:04:31.888+0000 INFO Started.
To start and stop the service, we can use the following commands:
Start Neo4j
Stop Neo4j
Note: It is very common for people to host Neo4j on a Linux system but use the BloodHound
GUI on a different system. Neo4j, by default, only allows local connections. To allow remote
connections, open the neo4j configuration file located at /etc/neo4j/neo4j.conf and edit
this line:
#dbms .default_listen_address=0.0.0.0
Remove the # character to uncomment the line. Save the file, then start neo4j up again
Open a web browser and navigate to the Neo4j web console at http://localhost:7474/:
https://t.me/offenciveSec
Change Neo4j default credentials. Authenticate to neo4j in the web console with username
neo4j and password neo4j , leave the database empty, and once prompted, change the
password.
https://t.me/offenciveSec
Download BloodHound GUI
1. Download the latest version of the BloodHound GUI for Linux from
https://github.com/BloodHoundAD/BloodHound/releases.
1. Unzip the folder, then run BloodHound with the --no-sandbox flag:
Unzip BloodHound
https://t.me/offenciveSec
unzip BloodHound-linux-x64.zip
Archive: BloodHound-linux-x64.zip
creating: BloodHound-linux-x64/
inflating: BloodHound-linux-x64/BloodHound
...SNIP...
Execute BloodHound
cd BloodHound-linux-x64/
./BloodHound --no-sandbox
MacOS Install
To install BloodHound in MacOS, we can follow the steps provided in BloodHound official
documentation.
https://t.me/offenciveSec
Updating BloodHound requirements (Linux)
In case we have already installed BloodHound, and we need to update it to support the
latest version, we can update Neo4j and Java with the following commands:
Update Neo4j
Note: Make sure to change the Java version to 11 as mention in the installation steps.
https://t.me/offenciveSec
1. edit /etc/neo4j/neo4j.conf , and uncomment
dbms.security.auth_enabled=false .
2. Start neo4j console:
Next Steps
https://t.me/offenciveSec
In the following sections, we will start working with BloodHound and using SharpHound to
collect data from the Active Directory.
SharpHound is the official data collector tool for BloodHound, is written in C# and can be run
on Windows systems with the .NET framework installed. The tool uses various techniques to
gather data from Active Directory, including native Windows API functions and LDAP queries.
The data collected by SharpHound can be used to identify security weaknesses in an Active
Directory environment to attack it or to plan for remediation.
This section will discover the basic functionalities of enumerating Active Directory using
SharpHound and how to do it.
Basic Enumeration
By default SharpHound, if run without any options, will identify the domain to which the user
who ran it belongs and will execute the default collection. Let's execute SharpHound without
any options.
Note: To follow the exercise start the target machine and connect via RDP with the following
credentials htb-student:HTBRocks! .
C:\tools> SharpHound.exe
2023-01-10T09:10:27.5517894-06:00|INFORMATION|This version of SharpHound
is compatible with the 4.2 Release of BloodHound
2023-01-10T09:10:27.6678232-06:00|INFORMATION|Resolved Collection Methods:
Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps,
DCOM, SPNTargets, PSRemote
2023-01-10T09:10:27.6834781-06:00|INFORMATION|Initializing SharpHound at
9:10 AM on 1/10/2023
2023-01-10T09:11:12.0547392-06:00|INFORMATION|Flags: Group, LocalAdmin,
Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets,
PSRemote
2023-01-10T09:11:12.2081156-06:00|INFORMATION|Beginning LDAP search for
INLANEFREIGHT.HTB
2023-01-10T09:11:12.2394159-06:00|INFORMATION|Producer has finished,
closing LDAP channel
2023-01-10T09:11:12.2615280-06:00|INFORMATION|LDAP channel closed, waiting
for consumers
2023-01-10T09:11:42.6237001-06:00|INFORMATION|Status: 0 objects finished
(+0 0)/s -- Using 35 MB RAM
https://t.me/offenciveSec
2023-01-10T09:12:12.6416076-06:00|INFORMATION|Status: 0 objects finished
(+0 0)/s -- Using 37 MB RAM
2023-01-10T09:12:42.9758511-06:00|INFORMATION|Status: 0 objects finished
(+0 0)/s -- Using 37 MB RAM
2023-01-10T09:12:43.2077516-06:00|INFORMATION|Consumers finished, closing
output channel
2023-01-10T09:12:43.2545768-06:00|INFORMATION|Output channel closed,
waiting for output task to complete
Closing writers
2023-01-10T09:12:43.3771345-06:00|INFORMATION|Status: 94 objects finished
(+94 1.032967)/s -- Using 42 MB RAM
2023-01-10T09:12:43.3771345-06:00|INFORMATION|Enumeration finished in
00:01:31.1684392
2023-01-10T09:12:43.4617976-06:00|INFORMATION|Saving cache with stats: 53
ID to type mappings.
53 name to SID mappings.
1 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2023-01-10T09:12:43.4617976-06:00|INFORMATION|SharpHound Enumeration
Completed at 9:12 AM on 1/10/2023! Happy Graphing!
The 2nd line in the output above indicates the collection method used by default: Resolved
Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP,
ObjectProps, DCOM, SPNTargets, PSRemote . Those methods mean that we will collect
the following:
To get the information for local groups and sessions, SharpHound will attempt to connect to
each domain-joined Windows computer from the list of computers it collected. If the user
from which SharpHound is running has privileges on the remote computer, it will collect the
following information::
https://t.me/offenciveSec
1. The members of the local administrators, remote desktop, distributed COM, and remote
management groups.
2. Active sessions to correlate to systems where users are interactively logged on.
Note: Gathering information from domain-joined machines, such as local group membership
and active sessions, is only possible if the user session from which SharpHound is being
executed has Administrator rights on the target computer.
Once SharpHound terminates, by default, it will produce a zip file whose name starts with
the current date and ends with BloodHound. This zip archive contains a group of JSON files:
Start Service
Username: neo4j
Password: Password123
https://t.me/offenciveSec
1. Click the upload button on the far right, browse to the zip file, and upload it. You will see
a status showing upload % completion.
https://t.me/offenciveSec
Note: We can upload as many zip files as we want. BloodHound will not duplicate the data
but add data not present in the database.
1. Once the upload is complete, we can analyze the data. If we want to view information
about the domain, we can type Domain:INLANEFREIGHT.HTB into the search box. This
will show an icon with the domain name. If you click the icon, it will display information
about the node (the domain), how many users, groups, computers, OUs, etc.
1. Now, we can start analyzing the information in the bloodhound and find the paths to our
targets.
Note: If the computers names do not appear when importing the files, we can import the file
again to correct it.
Next Steps
The following sections will discuss other options SharpHound includes to collect Active
Directory data.
SharpHound Options
https://t.me/offenciveSec
all entries
https://t.me/offenciveSec
--jitter Add jitter to throttle (percent)
Collection Methods
The option -collectionmethod or -c allows us to specify what kind of data we want to
collect. In the help menu above, we can see the list of collection methods. Let's describe
some of them that we haven't covered:
Depending on the scenario we are in, we will choose the method that best suits our needs.
Let's see the following use case:
https://t.me/offenciveSec
We are in an environment with 2000 computers, and they have a SOC with some network
monitoring tools. We use the Default collection method but forget the computer from where
we run SharpHound, which will try to connect to every computer in the domain.
Our attack host started generating traffic to all workstations, and the SOC quarantined our
machine.
In this scenario, we should use DCOnly instead of All or Default , as it generates only
traffic to the domain controller. We could pick the most interesting target machine and add
them to a list (e.g: computers.txt ). Then, we would rerun SharpHound using the
ComputerOnly collection method and the --computerfile option to try to enumerate only
the computers in the computers.txt file.
It is essential to know the methods and their implications. The following table, created by
SadProcessor, shows a general reference of the communication protocols used by each
method and information on each technique, among other things:
Note: This table was created for an older version of SharpHound. Some options no longer
exist, and others have been modified, but it still provides an overview of the collection
methods and their implications. For more information, visit the BloodHound documentation
page.
https://t.me/offenciveSec
If we get credentials from a user other than the context from which we are running, we can
use the --ldapusername and --ldappassword options to run SharpHound using those
credentials.
Another flag we find helpful is -d or --domain . Although this option is assigned by default,
if we are in an environment where multiple domains exist, we can use this option to ensure
that SharpHound will collect the information from the domain we specify.
SharpHound will capture the domain controller automatically, but if we want to target a
specific DC, we can use the option --domaincontroller followed by the IP or FQDN of the
target domain controller. This option could help us target a forgotten or secondary domain,
which may have less security or monitoring tools than the primary domain controller. Another
use case for this flag is if we are doing port forward, we can specify an IP and port to target.
We can use the flag --ldapport to select a port.
Option Description
--memcache Keep cache in memory and don't write to disk.
--randomfilenames Generate random filenames for output, including the zip file.
--outputprefix String to prepend to output file names.
--outputdirectory Directory to output file too.
--zipfilename Filename for the zip.
--zippassword Password protects the zip with the specified password.
For example, we can use the --outputdirectory to target a shared folder and randomize
everything. Let's start a shared folder in our PwnBox:
https://t.me/offenciveSec
[*] Config file parsed
[*] Config file parsed
Now let's connect to the shared folder and save SharpHound output there:
https://t.me/offenciveSec
Unzipping the file
unzip ./HTB_20230111113143_5yssigbd.w3f
Archive: ./HTB_20230111113143_5yssigbd.w3f
[./HTB_20230111113143_5yssigbd.w3f] HTB_20230111113143_hjclkslu.2in
password:
inflating: HTB_20230111113143_hjclkslu.2in
inflating: HTB_20230111113143_hk3lxtz3.1ku
inflating: HTB_20230111113143_kghttiwp.jbq
inflating: HTB_20230111113143_kdg5svst.4sc
inflating: HTB_20230111113143_qeugxqep.lya
inflating: HTB_20230111113143_xsxzlxht.awa
inflating: HTB_20230111113143_51zkhw0e.bth
Note: If we set a password to the zip file, we will need to unzip it first, but if we didn't, we
could import the file as is, with the random name and extension and it will import it anyway.
Let's open a command prompt in the target machine and type net session to identify if
there are any session active:
https://t.me/offenciveSec
Looking for Active Sessions
There are no active sessions, which means that if we run SharpHound right now, it will not
find any session on our computer. When we run the SharpHound default collection method,
it also includes the Session collection method. This method performs one round of session
collection from the target computers. If it finds a session during that collection, it will collect it,
but if the session expires, we won't have such information. That's why SharpHound includes
the option --loop . We have a couple of options to use with loops in SharpHound:
Option Description
--Loop Loop computer collection.
-- Duration to perform looping (Default 02:00:00).
loopduration
--stealth Perform "stealth" data collection. Only touch systems are the most
likely to have user session data.
If we want to search sessions for the following hour and query each computer every minute,
we can use SharpHound as follow:
Session Loop
https://t.me/offenciveSec
2023-01-11T14:16:00.7424755-06:00|INFORMATION|Output channel closed,
waiting for output task to complete
Closing writers
2023-01-11T14:16:00.9587384-06:00|INFORMATION|Status: 4 objects finished
(+4 Infinity)/s -- Using 35 MB RAM
2023-01-11T14:16:00.9587384-06:00|INFORMATION|Enumeration finished in
00:00:00.3535475
2023-01-11T14:16:01.0434611-06:00|INFORMATION|Creating loop manager with
methods Session
2023-01-11T14:16:01.0434611-06:00|INFORMATION|Starting looping
2023-01-11T14:16:01.0434611-06:00|INFORMATION|Waiting 30 seconds before
starting loop
2023-01-11T14:16:31.0598479-06:00|INFORMATION|Looping scheduled to stop at
01/11/2023 15:16:31
2023-01-11T14:16:31.0598479-06:00|INFORMATION|01/11/2023 14:16:31 -
01/11/2023 15:16:31
2023-01-11T14:16:31.0598479-06:00|INFORMATION|Starting loop 1 at 2:16 PM
on 1/11/2023
2023-01-11T14:16:31.0754340-06:00|INFORMATION|Beginning LDAP search for
INLANEFREIGHT.HTB
2023-01-11T14:16:31.0754340-06:00|INFORMATION|Producer has finished,
closing LDAP channel
2023-01-11T14:16:31.0754340-06:00|INFORMATION|LDAP channel closed, waiting
for consumers
2023-01-11T14:16:42.1893741-06:00|INFORMATION|Consumers finished, closing
output channel
2023-01-11T14:16:42.1893741-06:00|INFORMATION|Output channel closed,
waiting for output task to complete
...SNIP...
Watch the video How BloodHound's session collection works from the SpecterOps team for
a deeper explanation of this collection method. Here is another excellent blog post from
Compass Security regarding session enumeration by Sven Defatsch.
Note: BloodHound video was recorded before Microsoft introduced the requirement to be an
administrator to collect session data.
https://t.me/offenciveSec
Let's use a computer that is not a member of the domain for this and complete the following
steps:
1. Connect via RDP to the target IP and port 13389 using the following credentials:
haris:Hackthebox .
Before using SharpHound, we need to be able to resolve the DNS names of the target
domain, and if we have network access to the domain's DNS server, we can configure our
network card DNS settings to that server. If this is not the case, we can set up our hosts file
and include the DNS names of the domain controller.
Note: Note that even when using the DNS name in the host file, you may introduce some
errors due to name resolution issues that do not exist in the file or are misconfigured.
1. Configure the DNS server to the IP 172.16.130.3 (Domain Controller Internal IP). In
this exercise the DNS are already configured, there is no need to change them.
https://t.me/offenciveSec
1. Run cmd.exe and execute the following command to launch another cmd.exe with the
htb-student credentials. It will ask for a password. The password is HTBRocks! :
https://t.me/offenciveSec
Note: runas /netonly does not validate credentials, and if we use the wrong credentials,
we will notice it while trying to connect through the network.
--------------------------------------------------------------------------
-----
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
The command completed successfully.
https://t.me/offenciveSec
PSRemote
2023-01-12T09:25:22.2541585-08:00|INFORMATION|Beginning LDAP search for
INLANEFREIGHT.HTB
2023-01-12T09:25:22.3010985-08:00|INFORMATION|Producer has finished,
closing LDAP channel
2023-01-12T09:25:22.3010985-08:00|INFORMATION|LDAP channel closed, waiting
for consumers
2023-01-12T09:25:52.3794310-08:00|INFORMATION|Status: 0 objects finished
(+0 0)/s -- Using 36 MB RAM
2023-01-12T09:26:21.3792883-08:00|INFORMATION|Consumers finished, closing
output channel
2023-01-12T09:26:21.4261266-08:00|INFORMATION|Output channel closed,
waiting for output task to complete
Closing writers
2023-01-12T09:26:21.4885564-08:00|INFORMATION|Status: 94 objects finished
(+94 1.59322)/s -- Using 44 MB RAM
2023-01-12T09:26:21.4885564-08:00|INFORMATION|Enumeration finished in
00:00:59.2357019
2023-01-12T09:26:21.5665717-08:00|INFORMATION|Saving cache with stats: 53
ID to type mappings.
53 name to SID mappings.
1 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2023-01-12T09:26:21.5822432-08:00|INFORMATION|SharpHound Enumeration
Completed at 9:26 AM on 1/12/2023! Happy Graphing!
Up Next
We explore some use cases of SharpHound on Windows and how we can collect
information from the domain we are attacking.
The following section will see how we can collect information from Linux.
SharpHound does not have an official data collector tool for Linux. However, Dirk-jan
Mollema created BloodHound.py, a Python-based collector for BloodHound based on
Impacket, to allow us to collect Active Directory information from Linux for BloodHound.
Installation
https://t.me/offenciveSec
We can install BloodHound.py with pip install bloodhound or by cloning its repository
and running python setup.py install . To run, it requires impacket , ldap3 , and
dnspython . The tool can be installed via pip by typing the following command:
Install BloodHound.py
To install it from the source, we can clone the BloodHound.py GitHub repository and run the
following command:
BloodHound.py Options
We can use --help to list all BloodHound.py options. The following list corresponds to
version 1.6.0:
BloodHound.py options
python3 bloodhound.py
usage: bloodhound.py [-h] [-c COLLECTIONMETHOD] [-d DOMAIN] [-v] [-u
USERNAME] [-p PASSWORD] [-k] [--hashes HASHES] [-no-pass] [-aesKey hex
https://t.me/offenciveSec
key]
[--auth-method {auto,ntlm,kerberos}] [-ns NAMESERVER]
[--dns-tcp] [--dns-timeout DNS_TIMEOUT] [-dc HOST] [-gc HOST]
[-w WORKERS] [--exclude-dcs] [--disable-pooling] [--
disable-autogc] [--zip] [--computerfile COMPUTERFILE]
[--cachefile CACHEFILE]
optional arguments:
-h, --help show this help message and exit
-c COLLECTIONMETHOD, --collectionmethod COLLECTIONMETHOD
Which information to collect. Supported: Group,
LocalAdmin, Session, Trusts, Default (all previous), DCOnly (no computer
connections), DCOM, RDP,PSRemote, LoggedOn,
Container, ObjectProps, ACL, All (all except LoggedOn). You can specify
more
than one by separating them with a comma.
(default: Default)
-d DOMAIN, --domain DOMAIN
Domain to query.
-v Enable verbose output
authentication options:
Specify one or more authentication options.
By default Kerberos authentication is used and NTLM is used as fallback.
Kerberos tickets are automatically requested if a password or hashes are
specified.
collection options:
-ns NAMESERVER, --nameserver NAMESERVER
Alternative name server to use for queries
--dns-tcp Use TCP instead of UDP for DNS queries
--dns-timeout DNS_TIMEOUT
https://t.me/offenciveSec
DNS query timeout in seconds (default: 3)
-dc HOST, --domain-controller HOST
Override which DC to query (hostname)
-gc HOST, --global-catalog HOST
Override which GC to query (hostname)
-w WORKERS, --workers WORKERS
Number of workers for computer enumeration
(default: 10)
--exclude-dcs Skip DCs during computer enumeration
--disable-pooling Don't use subprocesses for ACL parsing (only for
debugging purposes)
--disable-autogc Don't automatically select a Global Catalog (use
only if it gives errors)
--zip Compress the JSON output files into a zip archive
--computerfile COMPUTERFILE
File containing computer FQDNs to use as allowlist
for any computer based methods
--cachefile CACHEFILE
Cache file (experimental)
Using BloodHound.py
To use BloodHound.py in Linux, we will need --domain and --collectionmethod options
and the authentication method. Authentication can be a username and password, an NTLM
hash, an AES key, or a ccache file. BloodHound.py will try to use the Kerberos authentication
method by default, and if it fails, it will fall back to NTLM.
Another critical piece is the domain name resolution. If our DNS server is not the domain
DNS server, we can use the option --nameserver , which allows us to specify an alternative
name server for queries.
Running BloodHound.py
https://t.me/offenciveSec
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Connecting to LDAP server: dc01.inlanefreight.htb
INFO: Found 6 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 3 computers
INFO: Found 0 trusts
INFO: Done in 00M 11S
Note: Kerberos authentication requires the host to resolve the domain FQDN. This means
that the option --nameserver is not enough for Kerberos authentication because our host
needs to resolve the DNS name KDC for Kerberos to work. If we want to use Kerberos
authentication, we need to set the DNS Server to the target machine or configure the DNS
entry in our hosts' file.
https://t.me/offenciveSec
INFO: Found 0 trusts
INFO: Done in 00M 11S
Note: Kerberos Authentication is the default authentication method for Windows. Using this
method instead of NTLM makes our traffic look more normal.
ls
20230112171634_computers.json 20230112171634_domains.json
20230112171634_groups.json 20230112171634_users.json
20230112171634_containers.json 20230112171634_gpos.json
20230112171634_ous.json
We will explore BloodHound graphical interface and see how we can take advantage of it.
This area is known as the Graph Drawing Area , where BloodHound displays nodes and
their relationship using edges. We can interact with the graph, move objects, zoom in or
zoom out (with the mouse scroll or the bottom right buttons), click on nodes to see more
information, or right-click them to perform different actions.
https://t.me/offenciveSec
Command Description
Set as Starting Set this node as the starting point in the pathfinding tool. Click this,
Node and we will see this node’s name in the search bar. Then, we can
select another node to target after clicking the pathfinding button.
Set as Ending Node Set this node as the target node in the pathfinding tool.
Shortest Paths to This will perform a query to find all shortest paths from any
Here arbitrary node in the database to this node. This may cause a long
query time in neo4j and an even longer render time in the
BloodHound GUI.
Shortest Paths to Find attack paths to this node from any node you have marked as
Here from Owned owned.
Edit Node This brings up the node editing modal, where you can edit current
properties on the node or even add our custom properties to the
node.
Mark Group as This will internally set the node as owned in the neo4j database,
Owned which you can then use in conjunction with other queries such as
“Shortest paths to here from Owned”.
Mark/Unmark Some nodes are marked as “high value” by default, such as the
Group as High domain admins group and enterprise admin group. We can use
Value this with other queries, such as “shortest paths to high-value
assets”.
Delete Node Deletes the node from the neo4j database.
The Graph Drawing Area lets us also interact with Edges . They represent the link between
two nodes and help us understand how we will move from one object to another. As
BloodHound has many edges is challenging to keep track of how we can abuse every single
one. The BloodHound team included a help menu under edges, where we can see
information, examples, and references on how to abuse every single edge.
https://t.me/offenciveSec
Search Bar
The search bar is one of the elements of BloodHound that we will use the most. We can
search for specific objects by their name or type. If we click on a node we searched, its
information will be displayed in the node info tab.
If we want to search for a specific type, we can prepend our search with node type, for
example, user:peter or group:domain . Let's see this in action:
Here's the complete list of node types we can prepend to our search:
Active Directory
https://t.me/offenciveSec
Group
Domain
Computer
User
OU
GPO
Container
Azure
AZApp
AZRole
AZDevice
AZGroup
AZKeyVault
AZManagementGroup
AZResourceGroup
AZServicePrincipal
AZSubscription
AZTenant
AZUser
AZVM
Pathfinding
Another great feature in the search bar is Pathfinding . We can use it to find an attack path
between two given nodes.
For example, we can look for an attack path from ryan to Domain Admins . The path result
is:
Ryan > Mark > HelpDesk > ITSecurity > Domain Admins
This path contains the edge ForceChangePassword ; let's say we want to avoid changing
users' passwords. We can use the filter option, uncheck ForceChangePassword , and search
for the path without this edge. The result is:
Ryan > AddSelf > Tech_Support > Testinggroup > HelpDesk > ITSecurity > Domain
Admins
https://t.me/offenciveSec
Upper Right Menu
We will find various options to interact with in the top right corner. Let's explain some of
these options:
https://t.me/offenciveSec
Upload Data : Uploads SharpHound, BloodHound.py, or AzureHound data to Neo4j.
We can select the upload data with the upload button or drag and drop the JSON or zip
file directly into the BloodHound window.
Note: When we upload, BloodHound will add any new data but ignore any duplicated data.
https://t.me/offenciveSec
Node Collapse Threshold : Collapse nodes at the end of paths that only have
one relationship. 0 to Disable, Default 5.
Edge Label Display : When to display edge labels. If Always Display, edges
such as MemberOf, Contains, etc., will always be said.
Node Label Display : When to display node labels. If Always Display, node
names, user names, computer names, etc., will always be displayed.
Query Debug Mode : Raw queries will appear in Raw Query Box. We will discuss
more on this in the Cypher Queries section.
Low Detail Mode : Graphic adjustments to improve performance.
Dark Mode : Enable Dark mode for the interface.
About : Shows information about the author and version of the software.
Shortcuts
There are four (4) shortcuts that we can take advantage from:
Shortcut Description
CTRL Pressing CTRL will cycle through the three different node label display
settings - default, always show, always hide.
Spacebar Pressing the spacebar will bring up the spotlight window, which lists all
currently drawn nodes. Click an item in the list, and the GUI will zoom into
and briefly highlight that node.
Backspace Pressing backspace will return to the previous graph result rendering. This
is the same functionality as clicking the Back button in the search bar.
https://t.me/offenciveSec
Shortcut Description
S Pressing the letter s will toggle the expansion or collapse of the information
panel below the search bar. This is the same functionality as clicking the
More Info button in the search bar.
Database Info
The BloodHound Database Info tab gives users a quick overview of their current
BloodHound database status. Here, users can view the database's number of sessions,
relationships, ACLs, Azure objects and relationships, and Active Directory Objects.
Additionally, there are several options available for managing the database.:
Option Description
Clear Lets users completely clear the database of all nodes, relationships,
Database and properties. This can be useful when starting a new assessment or
dealing with outdated data.
Clear Lets users clear all saved sessions from the database.
Sessions
Refresh Updates the displayed statistics to reflect any changes made to the
Database database.
Stats
Warming Up Is a process that puts the entire database into memory, which can
Database significantly speed up queries. However, this process can take some
time to complete, especially if the database is large.
Next Section
In this section, we learned how to use BloodHound's graphical interface and its most useful
features. In the next section we will see in detail the different BloodHound nodes for Active
Directory.
Nodes
Nodes are the objects we interact with using BloodHound. These represent Active Directory
and Azure objects. However, this section will only focus on Active Directory objects.
When we run SharpHound, it collects specific information from each node based on its type.
The nodes that we will find in BloodHound according to version 4.2 are:
https://t.me/offenciveSec
Node Description
Users Objects that represent individuals who can log in to a network and access
resources. Each user has a unique username and password that allows
them to authenticate and access resources such as files, folders, and
printers.
Groups Used to organize users and computers into logical collections, which can
then be used to assign permissions to resources. By assigning permissions
to a group, you can easily manage access to resources for multiple users at
once.
Computers Objects that represent the devices that connect to the network. Each
computer object has a unique name and identifier that allows it to be
managed and controlled within the domain.
Domains A logical grouping of network resources, such as users, groups, and
computers. It allows you to manage and control these resources in a
centralized manner, providing a single point of administration and security.
GPOs Group Policy Objects, are used to define and enforce a set of policies and
settings for users and computers within an Active Directory domain. These
policies can control a wide range of settings, from user permissions to
network configurations.
OUs Organizational Units, are containers within a domain that allow you to group
and manage resources in a more granular manner. They can contain users,
groups, and computers, and can be used to delegate administrative tasks to
specific individuals or groups.
Containers Containers are similar to OUs, but are used for non-administrative
purposes. They can be used to group objects together for organizational
purposes, but do not have the same level of administrative control as OUs.
We will briefly describe each node type and discuss some essential elements to consider.
We will share reference links to the official BloodHound documentation, where all the nodes'
details, properties, and descriptions are available.
Nodes Elements
The Node Info tab displays specific information for each node type, categorized into
various areas. We will highlight similarities shared among different types of nodes.
Users
The following example shows the sections for the user node type:
https://t.me/offenciveSec
Category Description
Overview General information about the object.
Node This section displays default information about the node
Properties
Extra This section displays some other information about the node, plus all
Properties other non-default, string-type property values from Active Directory if
you used the –CollectAllProperties flag.
Group This section displays stats about Active Directory security groups the
Membership object belongs to.
Local Admin Displays where the object has admin rights
Rights
Execution Refers to the permissions and privileges a user, group, or computer
Rights has to execute specific actions or commands on the network. This can
include RDP access, DCOM execution, SQL Admin Rights, etc.
Outbound Visualize the permissions and privileges that a user, group, or
Object Control computer has over other objects in the AD environment
Inbound Visualize the permissions and privileges of other objects (users,
Control Rights groups, domains, etc.) over a specific AD object.
https://t.me/offenciveSec
Within the node info tab, we can identify where this user is an administrator, what other
object it controls, and more.
Note: For the following node types , we will only describe the sections that are unique for
each one.
Computers
The following example shows the sections for the computer node type:
https://t.me/offenciveSec
Category Description
Local Admins Refers to the users, groups, and computers granted local
administrator privileges on the specific computer.
Inbound Display all the objects (users, groups, and computers) that have
Execution Rights been granted execution rights on the specific computer
Outbound Refers to the rights of the specific computer to execute commands
Execution Rights or scripts on other computers or objects in the network.
Groups
The following example shows the sections for the Groups node type:
Category Description
Group Refers to the users, groups, and computer members of the specific
Members group.
Domains
The following example shows the sections for the Domains node type:
https://t.me/offenciveSec
Category Description
Foreign Are users or groups that belong to a different domain or forest than the
Members one currently being analyzed
Inbound Refers to trust relationships where another domain or forest trusts the
Trusts current domain. This means that the users and groups from the trusted
domain can access resources in the current domain and vice versa.
Outbound Refers to trust relationships where the current domain or forest trusts
Trusts another domain. This means that the users and groups from the current
domain can access resources in the trusted domain and vice versa.
In the Domain Overview section, we had an option named Map OU Structure . This one is
helpful if we want a high-level overview of the Active Directory and how it is organized.
https://t.me/offenciveSec
Organizational Units (OUs)
The following example shows the sections for the OU node type:
Category Description
Affecting GPOs Refers to the group policy objects (GPOs) affecting the specific OU or
container.
Descendant Refers to all objects located within a specific OU or container in the
Objects Active Directory (AD) environment.
Containers
https://t.me/offenciveSec
The following example shows the sections for the Containers node type:
GPOs
The following example shows the sections for the GPO node type:
Category Description
Affected Refers to the users, groups, and computers affected by the specific group
Objects policy object (GPO) in the Active Directory (AD) environment.
If we want to know which objects are affected by a GPO, we can quickly do this from here,
as we can see in the following image:
https://t.me/offenciveSec
Next Steps
We can use the BloodHound official documentation for more information about each
property.
In the next section, we will discuss Edges and see some attacks. We will also be able to use
this section to practice and attack different BloodHound edges.
Questions: If you are using PwnBox, an option to transfer the file is to open this section
within PwnBox and download the file.
Edges
BloodHound uses edges to represent the relationships between objects in the Active
Directory (AD) environment. These relationships can include user-to-user, user-to-group,
group-to-group, user-to-computer, and many others. Each edge represents a line that
connects two objects, with the direction of the line indicating the direction of the relationship.
https://t.me/offenciveSec
Example: Domain Admins has the AdminTo edge on WS01 .
Edges represent the privileges, permissions, and trust relationships between objects in an
AD environment. These edges create a graph representation of the AD environment,
allowing red and blue teamers to visualize and quickly analyze the relationships between
objects. This can be useful in identifying potential security vulnerabilities, such as users with
excessive privileges or access to the sensitive server. It can also help determine the possible
attack paths that adversaries can use to move laterally and escalate privileges.
List of Edges
The following is a list of the edges available for Active Directory in BloodHound:
List of Edges
AdminTo MemberOf HasSession
ForceChangePassword AddMembers AddSelf
CanRDP CanPSRemote ExecuteDCOM
SQLAdmin AllowedToDelegate DCSync
GetChanges/GetChangesAll GenericAll WriteDacl
GenericWrite WriteOwner WriteSPN
Owns AddKeyCredentialLink ReadLAPSPassword
ReadGMSAPassword Contains AllExtendedRights
GPLink AllowedToAct AddAllowedToAct
TrustedBy SyncLAPSPassword HasSIDHistory
WriteAccountRestrictions
https://t.me/offenciveSec
How to abuse an edge
An edge will allow us to move from one object to another. Let's see the following example.
We are in an internal pentest, and the company gave us Grace credentials. Our goal is to
get access to SRV01 . We executed SharpHound and used the pathfinding option to see if
there was a path from Grace to SRV01 , and we got the following result:
Although Grace does not have direct privileges to connect to SRV01 , Grace is a member of
the PasswordReset group, which has privileges to change Rosy's account password. Rosy
has privileges to connect to SRV01 via RDP .
To abuse these edges, we need to change the password to the user Rosy and use his
account to connect to SRV01 . We don't need to do anything with the first edge, MemberOf ,
because being members of the PasswordReset group, we inherit its privileges, therefore we
only need to worry about abusing the ForceChangePassword edge and then connect via
RDP to the target machine.
If we don't know how to abuse an edge, we can right-click the edge and see the help
provided in BloodHound.
https://t.me/offenciveSec
Let's do the same for ForceChangePassword :
https://t.me/offenciveSec
The Abuse Info tab said we had two methods to abuse this edge. The first is to use the
built-in net.exe binary in Windows (e.g., net user rosy NewRossyCreds! /domain ) or use
PowerView or SharpView function Set-DomainUserPassword . Both methods have their
opsec consideration.
Note: Opsec Consideration refers to the potential risks an attack may pose. We can relate
to how easy it would be to detect the attack we are executing. It is important to read the
Opsec Consideration tab if we want to go under the radar.
Let's use PowerView to change Rosy's password using the Grace account.
https://t.me/offenciveSec
Create a PSCredential object with Grace's credentials:
Then create a secure string object for the password we want to set to Rosy:
Use the function Set-DomainUserPassword with the option -Identity , which corresponds
to the account we want to change its password (rosy), add the option -AccountPassword
with the variable that has the new password, use the option -Credential to execute this
command using Grace's credentials. Finally, set the option -Verbose to see if the change
was successful.
BloodHound Playground
One of the things we wanted to achieve with this BloodHound module was to create a
playground to test as many BloodHound edges as possible. This is because sometimes we
want to try a concept before applying it in a Pentest or understand why a specific command
fails during a CTF. So we created multiple vulnerabilities in this lab for these tests and
practiced as many edges as we wanted.
The following table contains a list of credentials and the edges that can be exploited.
https://t.me/offenciveSec
Username Password Edge Target
rosy Password99 CanRDP, CanPSRemote, SRV01
ExecuteDCOM
sarah Password12 AdminTo SRV01
martha Password13 AddMembers ITManagers
victor Password14 AddSelf ITManagers
ester Password15 AllowedToDelegate SRV01
peter Licey2023 DCSync INLANEFREIGHT
pedro Password17 GenericAll (User) ester
pedro Password17 GenericAll (Group) ITAdmins
pedro Password17 GenericAll (Computer) WS01
pedro Password17 GenericAll (Domain) INLANEFREIGHT
carlos Password18 WriteDacl (User) juliette
carlos Password18 WriteDacl (Group) FirewallManagers
carlos Password18 WriteDacl (Computer) SRV01
carlos Password18 WriteDacl (Domain) INLANEFREIGHT
indhi Password20 WriteOwner (User) juliette
indhi Password20 WriteOwner (Group) FirewallManagers
indhi Password20 WriteOwner (Computer) SRV01
indhi Password20 WriteOwner (Domain) INLANEFREIGHT
svc_backups BackingUpSecure1 WriteDacl BACKUPS (GPO)
svc_backups BackingUpSecure1 WriteOwner BACKUPS (GPO)
svc_backups BackingUpSecure1 GenericWrite BACKUPS (GPO)
indhi Password20 WriteSPN nicole
nicole Password21 GenericWrite albert
sarah Password12 AddKeyCredentialLink indhi
elieser Password22 Owns (User) nicole
daniela Password23 AddKeyCredentialLink SRV01
cherly Password24 ReadLAPSPassword LAPS01
cherly Password24 ReadGMSAPassword svc_devadm
elizabeth Password26 AllExtendedRights (User) elieser
gil Password28 AddAllowedToAct DC01
To find the attack path use the search box and the path-finding option.
https://t.me/offenciveSec
Next Steps
This is a useful section to learn if you need to practice any BloodHound attack vector. Take
the time to practice and come back to this section when you need to refresh any concept.
In the following section, we will see some additional options that BloodHound offers to
analyze the information and look for methods to achieve our goal.
Exercises
Neo4j Database Credentials: User: neo4j Password: Password123 .
Lab: There are 3 active machines in this lab to practice: WS01, SRV01 and DC01.
All of the AD enumeration data we collect is only useful if we know how to analyze it and use
it to find misconfigurations and plan attack paths. Until now, we have used SharpHound
ingestor to obtain all of this information, including user and computer properties, sessions,
local admin rights, remote access privileges, etc. We can sort through this data and plan
targeted attacks, but BloodHound provides a powerful tool to visualize links between all the
data points we have collected so far. This can help plan an initial escalation/attack path or
provide extra value to a client by finding more paths to obtain the "keys to the kingdom" or
https://t.me/offenciveSec
finding other misconfigurations or privilege issues that, once fixed, will further strengthen
their AD environment.
From the results of the query, we can see the following information about the
INLANEFREIGHT.HTB domain:
INLANEFREIGHT.HTB
Domain functional level 2016
Users 34
Groups 60
Computers 7
OUs 6
GPOs 5
https://t.me/offenciveSec
This is a relatively small domain (and not 100% realistic with the few computers), but it gives
us enough data to work with. The domain functional level 2016 makes us think that there
may not be legacy servers in the domain (though they may still exist).
The next step is to look at the Domain Users group and see the rights the group has. This is
important because every user in the domain will inherit any rights granted to this group,
meaning that even a minor misconfiguration could have a major effect on the domain's
security.
Domain users have sessions on 2 hosts in the domain, have 31 direct members, and belong
to 45 groups due to nested group membership. If we go to the Local Admin Rights section
we see that it says we have 0, this is because the Domain Users group is not a member of
the Administrators group on any of the machines. However, if we move to the Outbound
Object Control section and click on Transitive Object Control " we will find all the
objects that as Domain Users we have control over.
https://t.me/offenciveSec
Next, we can click on the pathfinding button and enter DOMAIN [email protected] in
the top field and DOMAIN [email protected] in the bottom to see if we have any direct
paths to Domain Admin for all users. The query returns no data, which means a path does
not exist.
Next, we can start running some of the Pre-Built Analytics Queries to find additional
interesting information.
It is a good idea to obtain a list of all Domain Admins . Here we see 3 direct members of the
group and 4 unrolled members due to the peter user being a member of the nested group
ITSecurity .
Next, look at the Find Shortest Paths to Domain Admins query. This returns a few
paths. We can see some paths from users who are not members of the "Domain Admins"
group. User Gil has AddAllowedToAct privileges on domain controller DC01 , user Pedro
has GenericAll permissions on container Users , Sarah can gain control of user Pedro
and service account svc_backups has control over a GPO that is applied on domain
controllers.
https://t.me/offenciveSec
Other interesting queries include:
Query Result
Find Principals with Find accounts that can perform the DCSync attack, which
DCSync Rights will be covered in a later module.
Users with Foreign Find users that belong to groups in other domains. This can
Domain Group help mount cross-trust attacks.
Membership
Groups with Foreign Find groups that are part of groups in other domains. This
Domain Group can help mount cross-trust attacks.
Membership
Map Domain Trusts Find all trust relationships with the current domain.
Shortest Paths to Find the shortest path to hosts with Unconstrained
Unconstrained Delegation.
Delegation Systems
Shortest Paths from Show the shortest path to Domain Admins by selecting from
Kerberoastable Users all users in a dropdown that can be subjected to a
Kerberoasting attack.
Shortest Path from If we right-click a node and select Mark user as owned or
Owned Principals Mark computer as owned , we can then run this query to
see how far we can go from any users/computers that we
have marked as "owned". This can be very useful for
mounting further attacks.
Shortest Paths to Find the shortest path to Domain Admin access from any
Domain Admins from user or computer marked as "owned".
Owned Principals
Shortest Paths to This will give us the shortest path to any objects that
High-Value Targets BloodHound already considers a high-value target. It can
also be used to find paths to any objects that we right-click
on and select Mark X as High Value.
https://t.me/offenciveSec
Finding Sessions
BloodHound indicates the sessions we collect in the Database Info tab. We can also see
the active sessions in nodes such as users, groups, or computers.
In the image above, we can see that we have captured a session from the Domain Admins
group. Clicking on the session number will show us the computer to which the user member
of the Domain Admins group was connected during the enumeration:
https://t.me/offenciveSec
Similarly, we can find sessions for other users searching in groups or on computers. In the
cypher query section, we will learn tricks to help us search for specific relationships in
BloodHound.
Owned Principals
BloodHound's Mark as Owned feature allows a user to mark a node as owned or controlled,
indicating that the node is under their control. This feature is particularly useful for Red Team
assessments as it allows them to mark nodes they have compromised or have control over,
and quickly identify other nodes in the environment they may be able to target.
To use Mark as Owned , a user can simply right-click on a node in the BloodHound interface
and select Mark as Owned . The node will then be marked with a skull icon, indicating that it
is owned.
https://t.me/offenciveSec
Now we can go to the Analysis tab and select Shortest Path from Owned Principals
and we can see what activities to perform with the users, group or teams that we have
compromised.
Next Steps
We have now seen how BloodHound works, how to ingest data and import it into the GUI
tool, find interesting information and perform pathfinding, and use pre-built queries to assess
the security posture of the domain. It is worth practicing all aspects of the tool with the
provided INLANEFREIGHT.HTB data.
Before writing custom queries, we will walk through a few exercises to further analyze the
data and test our understanding of the tool.
Exercises
https://t.me/offenciveSec
Questions: If you are using PwnBox, an option to transfer the file is to open this section
within PwnBox and download the file.
Cypher Queries
As mentioned earlier, BloodHound uses the graph database Neo4j with Cypher Query
Language to analyze relationships, not a relational database like MSSQL and other
databases. Cypher is based on SQL but was designed and optimized for graph theory. In
graph theory, data is structured as nodes and relationships to show how objects are
connected and related. BloodHound uses Cypher to identify relationships among the
hundreds or thousands of objects that may be present in a domain environment. Cypher was
initially developed with the graph database Neo4j , which BloodHound uses to store data
collected via the SharpHound ingestor, but was made open source in 2015 through
openCypher.
BloodHound comes with many powerful pre-built queries and supports custom queries. By
understanding Cypher, we can manipulate and examine BloodHound data in greater detail to
better understand AD environments. This will enable us to identify relationships that
attackers could exploit, which may have otherwise gone unnoticed for months or years.
Armed with all built-in tools, tools such as PowerView and BloodHound with the ability to
extend them to bend them to meet our needs, allowing for the extraction of data and
identifying misconfigurations that others miss, will set us apart from other security
professionals.
Instead of relying solely on the tool to detect obvious issues, we can leverage it to identify
more nuanced and complex scenarios. By doing so, we can offer our clients added value
and establish a trusted advisor relationship with them.
Before diving into some ways to extend BloodHound with custom Cypher queries , let's
look at Cypher syntax to understand the language better.
Cypher Syntax
The syntax of the Cypher query language is based on ASCII art, making it highly visual and
easy to read. Cypher shows patterns of notes and relationships. It also includes filters based
on labels and properties. To better understand how it works, let's start the neo4j database
and connect to the database using the browser. Navigate to http://localhost:7474/browser/.
We need to ensure that we import BloodHound data through the BloodHound application.
We can download a BloodHound.zip from resources and upload it to BloodHound.
https://t.me/offenciveSec
Once we upload the database and connect to the Neo4j web console, we can execute the
following query:
This query uses the MATCH keyword to find all nodes labeled as User in the graph. We then
use the RETURN keyword to return all the nodes found. Let's examine another query:
The above query uses the MATCH keyword to find the user with the property name equal to
[email protected] and returns the user.
https://t.me/offenciveSec
Let's see one last example and include relationships. We will query which group the user
peter is MemberOf and save it to a variable named peterGroups .
https://t.me/offenciveSec
Attribute Definition
Nodes Represented with parentheses around the corresponding attributes
and information.
Variable A placeholder represents a node or a relationship in a query. For
example, in the query MATCH (n:User) RETURN n , the variable n
represents the node labeled User .
Relationships Depicted by dashes and arrows, with the relationship type in brackets.
These show the direction of the relationship. Ex: -> shows a
relationship going one way, while - depicts a relationship going in
both directions. In BloodHound , relationships are usually shown
toward other privileges.
Label Used to group nodes based on their properties or characteristics.
Labels are denoted by a colon : and are added to a variable. For
example, in the query MATCH (n:User) RETURN n , the label User is
used to group nodes with a user's characteristics.
Property Used to store additional information about a node or a relationship and
is denoted by a curly brace {} . For example, in the query MATCH
(n:User {name:"[email protected]", enabled:TRUE}) RETURN n ,
the properties name and enabled are associated with the node n to
store additional information about the user.
https://t.me/offenciveSec
To do this graph in the BloodHound application, we can use the Raw Query bar, but We will
need to add another variable, p , and wrap the query inside it, as follow:
https://t.me/offenciveSec
Cypher Keywords
Like SQL, Cypher uses keywords for specifying patterns, filtering, and returning results. The
most common keywords are MATCH , WHERE , and RETURN .
Keyword Description
MATCH Used before describing the search pattern for finding one or more nodes or
relationships.
WHERE Used to add more constraints to specific patterns or filter out unwanted
patterns.
RETURN Used to specify the results format and organizes the resulting data. We can
return results with specific properties, lists, ordering, etc.
Here we assign the variables u and g to User and Group, respectively, and tell
BloodHound to find matching nodes using the MemberOf relationship (or edge). We are
using something new, 1..* , in this query. In this case, it indicates that the path can have a
minimum depth of 1 and a maximum depth of any number. The * means that there is no
upper limit on the depth of the path. This allows the query to match paths of any depth that
https://t.me/offenciveSec
start at a node with the label User and traverse through relationships of type MemberOf to
reach a node with the label Group .
We can also use a specific number instead of * to specify the maximum depth of the path.
For example, MATCH p=(n:User)-[r1:MemberOf*1..2]->(g:Group) will match paths with
a minimum depth of 1 and a maximum depth of 2 , meaning that the user must traverse
through precisely one or two "MemberOf" relationships to reach the group node.
Back to the query, the result is assigned to the variable p and will return the result of each
path that matches the pattern we specified.
Let's play a little bit with this query, and instead of showing both paths, let's match a path
where the first group's name contains the substring ITSECURITY :
MATCH p=(n:User)-[r1:MemberOf*1..]->(g:Group)
WHERE nodes(p)[1].name CONTAINS 'ITSECURITY'
RETURN p
We have two nodes in the first group, Domain Users and ITSECURITY . The part nodes(p)
[1].name refers to the name property of the first node in the path p obtained from the
variable nodes(p) . We use the CONTAINS keyword only to return the path where the first
group's name contains the substring ITSECURITY .
Instead of the CONTAINS keyword, we can also use the =~ operator to check if a string
matches a regular expression . To match a path where the first group's name contains the
substring ITSECURITY , we can use the following query:
MATCH p=(n:User)-[r1:MemberOf*1..]->(g:Group)
WHERE nodes(p)[1].name =~ '(?i)itsecurity.*'
RETURN p
https://t.me/offenciveSec
We used two elements of a regular expression (?i) tells the regular expression engine to
ignore the case of the characters in the pattern, and .* to match any number of characters.
Note: We can also use regular expressions in properties or any other element in a cypher
query.
There are many other tricks we can use with the cypher query. We can find the cypher query
cheat sheet here.
https://t.me/offenciveSec
Note: The query return by BloodHound includes all relationship (edges) hardcoded which is
faster, as it doesn't include Azure Edges. We use the *.. expression, which means we are
looking for any relationship. We did it to make it shorter for the example.
This query comes with a function shortestPath is a Cypher function that finds the shortest
path between two nodes in a graph. It is used in the MATCH clause of a Cypher query to find
the shortest path between a starting node n and an ending node m that match certain
conditions.
We use the WHERE NOT n=m condition to exclude the possibility of the starting node and the
ending node being the same node, as a node cannot have a path to itself.
The first query we will show is the most important one. With this query, we can find almost
any path in the domain shared by PlainText. He has been using this script to compromise
any Active Directory during engagements, labs, and certifications labs.
MATCH p = shortestPath((n)-[*1..]->(c))
WHERE n.name =~ '(?i)peter.*' AND NOT c=n
https://t.me/offenciveSec
RETURN p
This script search for the shortestPath from any node to any node. In this example, if we
manage to compromise Peter, but he doesn't have a path to Domain Admin or a High-Value
Target, most likely, we won't get any results using default queries in BloodHound. However,
by utilizing this query, we can determine if peter has access to a machine, a user, a group,
GPO, or anything in the domain.
The purpose of this script is to streamline the process of exploring our options after
successfully compromising a user, computer, or group. If we compromise a user, we employ
the query to determine the potential paths we can pursue with that user. Likewise, if we
compromise a computer or group, we use the same script to identify the available
opportunities for further exploitation.
Note: We can replace the function shortestPath with allshortestpaths to get every
single relationship available.
If we compromise a user and this script doesn't give you any result, we can use PowerView
or SharpView to display user privileges over another object in AD.
https://t.me/offenciveSec
...SNIP...
Note: The latest version of BloodHound includes Self privileges, which were not included
in previous versions. For more information about using this PowerView method, we can take
a look at: ACL Enumeration section in Active Directory Enumeration & Attacks module.
Finds specific rights that the Domain Users group should not
have
MATCH p=(g:Group)-
[r:Owns|WriteDacl|GenericAll|WriteOwner|ExecuteDCOM|GenericWrite|AllowedTo
Delegate|ForceChangePassword]->(c:Computer)
WHERE g.name STARTS WITH "DOMAIN USERS"
RETURN p
Some custom queries can only be run against the database from the Neo4j console via the
browser accessible at http://localhost:7474/browser with the same credentials when
starting BloodHound . For example, we can run this query to find all users with a description
field that is not blank. This is an edge case, but it is common for account passwords to be
stored in this field.
MATCH (u:User)
WHERE u.description IS NOT NULL
RETURN u.name,u.description
https://t.me/offenciveSec
We can use the following query to find all local administrators and the host they are admin.
This query can help present to a client the extent of local admin privileges in their network.
Find all local administrators and the host they are admin
Finally if we are looking for an edge, we can use cypher query too. For example, if we want
to get any node that has WriteSPN we can use the following cypher query:
https://t.me/offenciveSec
MATCH p=((n)-[r:WriteSPN]->(m)) RETURN p
There are many cheat sheets out there with useful BloodHound queries.
https://gist.github.com/jeffmcjunkin/7b4a67bb7dd0cfbfbd83768f3aa6eb12
https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/
ls /root/.config/bloodhound
https://t.me/offenciveSec
blob_storage Cookies Dictionaries 'Local Storage'
Cache Cookies-journal GPUCache 'Network Persistent
State'
'Code Cache' 'Crash Reports' images Preferences
config.json customqueries.json images.json
The config.json file holds the current BloodHound configuration, including performance
options, included edges, etc.
{
"performance": {
"edge": 4,
"lowGraphics": false,
"nodeLabels": 1,
"edgeLabels": 1,
"darkMode": true,
"debug": true
},
"edgeincluded": {
"MemberOf": true,
"HasSession": true,
"AdminTo": true,
"AllExtendedRights": true,
"AddMember": true,
"ForceChangePassword": true,
"GenericAll": true,
"GenericWrite": true,
"Owns": true,
"WriteDacl": true,
"WriteOwner": true,
"CanRDP": true,
"ExecuteDCOM": true,
"AllowedToDelegate": true,
"ReadLAPSPassword": true,
"Contains": true,
"GpLink": true,
"AddAllowedToAct": true,
...SNIP...
}
}
The other file that we will focus on is the customqueries.json file. By default, it is blank.
Default customqueries.json
https://t.me/offenciveSec
{"queries": []}
We can add to this file as we build and test queries. Clicking on the pencil icon next to
Custom Queries in the Queries tab will open this file. As we add custom queries, the list
will populate.
Let's create a custom cypher query to identify allshortestpaths from peter to any node.
MATCH p = allshortestPaths((n)-[*1..]->(c))
WHERE n.name =~ '(?i)peter.*' AND NOT c=n
RETURN p
{
"queries": [
{
"name": "From Peter to Anything",
"category": "Shortest Paths",
"queryList": [
{
"final": true,
https://t.me/offenciveSec
"query": "MATCH p = allshortestPaths((n)-[*1..]->(c))
WHERE n.name =~ '(?i)peter.*' AND NOT c=n RETURN p",
"allowCollapse": true
}
]
}
]
}
We can make this Custom Query even more interesting. BloodHound has functionality that
allows us to mark a node as Owned , we can mark any user, computer, etc,. in the
BloodHound GUI as Owned by right-clicking it and clicking Mark User as Owned . This
means that we somehow get control of this object.
We can customize this script to ask us to select a user marked as owned and perform the
search to avoid hardcoding the name.
BloodHound queries in the Analysis tab are loaded from the PrebuiltQueries.json file.
We can find it in the BloodHound directory or Github.
To accomplish our goal, we will use a variation of the Find Shortest Paths to Domain
Admins . We need to replace the content of customqueries.json with the following text:
{
"queries": [
{
"name": "Search From Owned to Anything",
"category": "Shortest Paths",
"queryList": [
{
"final": false,
"title": "Select the node to search...",
"query": "MATCH (n {owned:true}) RETURN n.name",
"props": {
"name": ".*"
}
},
{
"final": true,
"query": "MATCH p = allshortestPaths((n)-[*1..]->(c))
WHERE n.name = $result AND NOT c=n RETURN p",
"allowCollapse": true,
"endNode": "{}"
}
]
https://t.me/offenciveSec
}
]
}
This script has two queries. The first search for all nodes marked as owned and provides a
list where we can select any node. The second use the selection and saves it into a variable
named $result and then run the second query.
Wrapping it all up
As we have seen, BloodHound is a powerful tool for analyzing Active Directory data and
finding relations among the various users, groups, computers, or any other node present in
the network. Both red and blue teams can use BloodHound to find permissions issues and
misconfigurations that may otherwise go unnoticed. BloodHound provides a wealth of
helpful information, but we can fully harness the tool's power by writing custom Cypher
queries to access the data others miss. For further reading on this topic, the paper The Dog
Whisper's Handbook is a great resource.
https://t.me/offenciveSec
provide a general idea of how BlueTeamers can use BloodHound to identify weaknesses
and create a plan of action to remedy them.
In this section, we will discuss how BloodHound information can help us better protect our
Active Directory infrastructure and share some tools that will make it easier to use
BloodHound defensively.
BloodHound can be used in various ways to help improve an organization's security. For
example, it can be used to understand complex relationships between users, groups, and
permission. BlueTeams can also identify misconfigurations and possible attack vectors within
the Active Directory environment with cipher queries. By regularly monitoring changes in the
active directory, BlueTeams can proactively identify potential risks. This proactive approach
helps defense teams to stay ahead of the game and create a plan to remediate any security
weaknesses before attackers can exploit them.
This section will use two open-source projects that use BloodHound data for BlueTeams.
The first one will be BlueHound , which will help automatically collect, analyze, and report
data from the BloodHound database. The 2nd is PlumHound , which we will mainly use to
identify how to break paths from one node to another.
BlueHound
BlueHound is an open-source tool that helps blue teams identify critical security issues by
combining information about user permissions, network access, and unpatched
vulnerabilities. BlueHound reveals the paths attackers would take if they were inside
network.
Full Automation: We can perform the entire cycle of collection, analysis, and reporting
with just a click of a button.
Community Driven: The tool facilitates sharing, making it easy to share knowledge,
best practices, collection methodologies, and more by exporting and importing
BlueHound configuration.
Easy Reporting: We can create a customized report intuitively without the need to
write any code.
https://t.me/offenciveSec
Easy Customization: Users can add any custom collection method to BlueHound, and
even include their custom parameters or icons for their graphs.
Note: Although we can combine multiple tools in BlueHound, in this section, we will use only
the functionality to automate SharpHound's data collection, analysis, and reporting.
Installing BlueHound
We can download BlueHound's compiled version for Windows from the github releases link,
but we can also use it on Linux or MacOS.
Unzip BlueHound
After extracting it, we need to open the file BlueHound.exe , click Login and use the
BloodHound credentials we use to set up the database. In our example, credentials are user
neo4j password Password123 .
https://t.me/offenciveSec
Using BlueHound
The Data Import option in BlueHound allows us to automatically import data from sources
such as SharpHound, ShotHound, Vulnerability Scanners, etc. We will disable all options but
SharpHound.
Next, we need to download SharpHound, click edit settings, and set the Tool path and the
Arguments . We can find SharpHound at C:\Tools\SharpHound.exe . To see the
arguments, we need to type the SharpHound's options and press Enter.
https://t.me/offenciveSec
We can also automate SharpHound collection using the schedule option and select its
frequency (daily, weekly, or monthly):
Once we have data loaded, we can use the Configurations tab to set up the basic
information used by the queries (e.g., Domain Admins group, crown jewels servers). Let's
use the following configuration:
https://t.me/offenciveSec
Next, we can use the Query Runner option in the menu and click RUN ALL to prepare the
reports.
All tabs should now have some data. Default reports for BlueHound include data from other
sources such as ShotHound and Vulnerability Scanners. Since we are not using those tools,
some reports will remain unfilled.
https://t.me/offenciveSec
Now our job as BlueTeamers is to understand the data that makes sense to monitor in our
environment, and this could be:
The list can be much longer and will depend on each environment. The advantage that
BlueHound offers is that it allows us to create our Cypher queries to monitor what is most
important to us.
BlueHound Customization
BlueHound allows us to modify existing queries, add new queries, create new tabs, and
visualize the data according to our needs.
To create a new query, we can click on the box with the + sign, define a report name, click
on the three vertical dots, define the type and size, and include our query. In the following
example, we will create a table that consists of the number of enabled users of the active
directory with the following query:
https://t.me/offenciveSec
We can add/delete any char or tab and create our dashboards. We can also import and
export dashboards.
Go to Import Config .
Select the file to import and import it.
Go to the Configurations tab and complete the information (Domain Controllers,
Domain Admins, and SRV for this example).
Close BlueHound (some times BlueHound freeze while trying to run some queries. If it
happens, we can close and re-open it).
Open BlueHound and click on Query Runner .
Click on RUN ALL to fill all reports with data.
https://t.me/offenciveSec
To get more information about BlueHound, check out their introductory video, blog post and
Nodes22 conference talk.
PlumHound
PlumHound operates by wrapping BloodHoundAD's powerhouse graphical Neo4J backend
cypher queries into operations-consumable reports. Analyzing the output of PlumHound can
steer security teams in identifying and hardening common Active Directory configuration
vulnerabilities and oversights.
Installing PlumHound
We need Python installed and download the released zip file, unzip it, and install the
requirements with pip.
We can confirm if it works with the --easy option and the -p option to specify the
password.
PlumHound 1.5.2
For more information: https://github.com/plumhound
--------------------------------------
Server: bolt://localhost:7687
https://t.me/offenciveSec
User: neo4j
Password: *****
Encryption: False
Timeout: 300
--------------------------------------
Task: Easy
Query Title: Domain Users
Query Format: STDOUT
Query Cypher: MATCH (n:User) RETURN n.name, n.displayname
--------------------------------------
INFO Found 1 task(s)
INFO --------------------------------------
on 1:
on 1: n.name n.displayname
------------------------------- ---------------
[email protected]
[email protected]
[email protected] julio
[email protected] htb-student
[email protected] peter
[email protected] david
[email protected] mark
[email protected] ryan
[email protected] jared
[email protected] grace
on 1:
Executing Tasks |██████████████████████████████████████████████████| Tasks
1 / 1 in 2.1s (0.84/s)
Completed 1 of 1 tasks.
The Analyze Path function requires a label , or a start node and an end node , and then
iterates through all paths to identify which relationship(s) to remove to break the attack path.
This is useful when you want to provide your AD Admins with concrete actions they can take
to improve your overall AD Security Posture.
Let's take as an example the dangerous Domain Users permissions between Domain Users
and WS01 , and identify which privilege we need to remove to break the path:
https://t.me/offenciveSec
PlumHound 1.5.2
For more information: https://github.com/plumhound
--------------------------------------
Server: bolt://localhost:7687
User: neo4j
Password: *****
Encryption: False
Timeout: 300
--------------------------------------
Task: Analyzer Path
Start Node: DOMAIN [email protected]
---------------------------------------------------------------------
Analyzing paths between DOMAIN [email protected] and
WS01.INLANEFREIGHT.HTB
---------------------------------------------------------------------
Removing the relationship GpLink between [email protected] and [email
protected] breaks the path!
Removing the relationship Contains between [email protected] and
WS01.INLANEFREIGHT.HTB breaks the path!
INFO Tasks Generation Completed
Tasks: []
Executing Tasks |██████████████████████████████████████████████████| Tasks
0 / 0 in 0.1s (0.00/s)
Completed 0 of 0 tasks.
Next Steps
We discovered that BloodHound is a powerful tool for BlueTeams to improve their
cybersecurity. By using cypher queries to identify misconfigurations and proactively
monitoring for changes, Blueteams can stay ahead of potential threats. While BloodHound is
a valuable tool, other tools like ImproHound and GoodHound can provide additional insights
using BloodHound data. ImproHound helps identify AD attack paths by breaking down the
AD tier model, while GoodHound helps prioritize remediation efforts by determining the
busiest paths to high-value targets.
In the next section, we will delve into the use of BloodHound in Azure, exploring how to use it
for identifying attack paths in the Microsoft cloud.
https://t.me/offenciveSec
Exercises
Neo4j Database Credentials: User: neo4j Password: Password123 .
Azure Enumeration
We've learned how to use BloodHound to identify misconfigurations in Active Directory
environments, but in this section, we'll focus on Azure and how we can use BloodHound to
identify attack paths and potential weaknesses in the Azure environment.
While the main focus of this section will be on the offensive usage of BloodHound in Azure,
it's important to note that both Red and Blue Teams can benefit from this tool. Red Teams
can use the information gathered by BloodHound to identify attack paths, and Blue Teams to
prioritize remediation efforts and secure their Azure environment. BloodHound provides
valuable insights into the security of Azure environments, whether for offensive or defensive
purposes.
Overview AzureHound
Just as we discussed attacks on Active Directory environments and the different components
that BloodHound includes to allow us to identify attack paths, in the same way, we can use
BloodHound to identify Attack paths in Azure.
The approach to identify attacks and abuse edges are similar to Active Directory. For Azure,
we will have nodes and edges that start with Az exclusive to the Microsoft cloud.
Node Description
AZTenant Represents an Azure AD tenant, which is a dedicated instance of
Azure AD that an organization owns and uses to manage access to
applications and resources.
AZUser Represents a user in Azure Active Directory (Azure AD) and
contains information about the user such as their email address,
display name, and job title.
AZGroup Represents a group in Azure AD, which can be used to manage
access to resources and applications.
AZApp Represents an application in Azure AD, which can be used to
provide secure access to resources and APIs.
AZSubscription Represents an Azure subscription, which is a logical container for
resources in Azure.
AZResourceGroup Represents a resource group in Azure, which is a container for
resources that share a lifecycle and are managed together.
https://t.me/offenciveSec
Node Description
AZVM Represents a virtual machine (VM) in Azure, which is a virtualized
computing environment used to deploy and run applications.
AZDevice Represents a device in Azure AD, which can be used to manage
access to resources and applications.
AZServicePrincipal Represents a service principal in Azure AD, which is a security
identity used by applications and services to access resources in
Azure.
Edge Description
AZAddMembers Indicates that a principal can add members to a group or
directory role.
AZAddOwner Indicates that a principal can add other users as owners of
a subscription or management group.
AZAppAdmin Indicates that a principal is assigned to an administrative
role for an Azure AD application.
AZCloudAppAdmin Indicates that a principal is assigned to an administrative
role for a cloud application.
AZContains Indicates that a group or directory role contains a member.
AZContributor Indicates that a principal has been assigned the
Contributor role at a resource scope, allowing them to
manage all resource types within that scope.
AZExecuteCommand Indicates that a principal has permission to execute a
command on a virtual machine.
AZGetCertificates Indicates that a principal has permission to retrieve
certificates.
AZGetKeys Indicates that a principal has permission to retrieve keys.
AZGetSecrets Indicates that a principal has permission to retrieve secrets.
AZGlobalAdmin Indicates that a principal is assigned to the Global
Administrator role in Azure AD.
AZKeyVaultContributor Indicates that a principal has been assigned the Key Vault
Contributor role at the resource group or resource level,
allowing them to manage key vaults.
AZManagedIdentity Indicates that a resource has an associated managed
identity, allowing it to authenticate with other Azure
services.
AZOwns Indicates that a principal owns a resource.
https://t.me/offenciveSec
Edge Description
AZPrivilegedRoleAdmin Indicates that a principal is assigned to a built-in role that
grants full access to Azure AD and all Azure services.
AZResetPassword Allows a user to reset passwords for other users
AZRunAs Represents the ability to run as an account, either through
a scheduled task, service, or any other impersonation
AZUserAccessAdministrator Allows a user to manage user access to Azure resources
AZVMAdminLogin Allows a user to log in as a VM administrator
Note: Keep in mind that not all edges are documented. Most of them have different details
for their attack path than we had in Active Directory. Cloud environments can change rapidly,
and we must keep up to date with the changes as they occur.
For additional information about these nodes, their uses, and definitions, we can refer to the
official BloodHound documentation.
Note: These exercises are optional, but it is recommended that they be performed to
familiarize yourself with cloud attacks. To complete these exercises, we will need to create
the free Azure account using the link above.
You can follow the process based on the Azure Free Account page. The following example is
a reference, but the process may differ for you and the region where you are.
1. Go to the Azure Free Account portal and follow the process starting by clicking on
Start free .
https://t.me/offenciveSec
1. Create a new account:
1. We can use an existing email or create a new one. For this exercise, we will use an
already existing email.
https://t.me/offenciveSec
1. Set a Password:
https://t.me/offenciveSec
1. Use the code you receive to verify your email:
https://t.me/offenciveSec
1. Add your information:
https://t.me/offenciveSec
1. Verify your phone:
Note: If you had an error while registering, it could be for multiple reasons. One of the most
common is that you had already used Azure Free.
You could use Pay-As-You-Go to complete the exercise. The average cost will be around
~5.00 USD if you use it for a week. However, you will have to manually delete the created
resources and cancel your subscription so that it does not generate additional costs.
https://t.me/offenciveSec
Using TheEdgeMaker
Once we have created our Azure account and subscription, we can use TheEdgeMaker. A
PowerShell script that allows us to create Azure Edges for use in BloodHound automatically.
Note: By using this Script, we are creating weak configurations in Azure to perform the
practices. Make sure to use it in a controlled environment. It is not recommended for use in
production, development, or an environment not created for this purpose.
1. Connect to the target machine and run PowerShell as Administrator and execute the
Script:
Execute TheEdgeMaker
PS C:\Tools\TheEdgeMaker> .\TheEdgeMaker.ps1
https://t.me/offenciveSec
Execute TheEdgeMaker
PS C:\Tools\TheEdgeMaker> .\TheEdgeMaker.ps1
## Tenant Information
Tenant: plaintexthacktheboxgmail.onmicrosoft.com
https://t.me/offenciveSec
The current location is 'East US'. Do you want to change it? (Y/N): N
...SNIP...
The Script stops to inform us which is the location of the resources we will create in Azure.
By default, it uses East US . We will keep this location by pressing N .
PS C:\Tools\TheEdgeMaker> .\TheEdgeMaker.ps1
...SNIP...
## Creating Users
[+] AAD Account Created Successfully - Emily Smith
[+] AAD Account Created Successfully - Madison Johnson
[+] AAD Account Created Successfully - Avery Williams
[+] AAD Account Created Successfully - Sophia Jones
[+] AAD Account Created Successfully - Olivia Brown
[+] AAD Account Created Successfully - Abigail Davis
[+] AAD Account Created Successfully - Isabella Miller
[+] AAD Account Created Successfully - Mia Wilson
[+] AAD Account Created Successfully - Charlotte Moore
[+] AAD Account Created Successfully - Ava Taylor
ResourceGroupName : RG-KeyVault
Location : eastus
ProvisioningState : Succeeded
Tags :
TagsTable :
ResourceId : /subscriptions/4c30dd8a-ea98-4d0b-bb15-
86f011cafc17/resourceGroups/RG-KeyVault
ManagedBy :
...SNIP...
Using AzureHound
https://t.me/offenciveSec
AzureHound is a Go binary that collects data from AzureAD and AzureRM via the MS Graph
and Azure REST APIs. It does not use external dependencies and will run on any operating
system. We can build AzureHound from the source or download it from their github
repository. AzureHound is in the C:\Tools directory in the target machine.
For this exercise, we will use a username and password. To learn more about other
methods, please visit AzureHound official documentation.
Running AzureHound
https://t.me/offenciveSec
assignments
2023-02-17T11:09:22-06:00 INF finished listing all key vault role
assignments
2023-02-17T11:09:22-06:00 INF finished listing all devices count=0
2023-02-17T11:09:22-06:00 INF finished listing all device owners
2023-02-17T11:09:22-06:00 INF finished listing all users count=11
2023-02-17T11:09:22-06:00 INF finished listing all apps count=1
2023-02-17T11:09:22-06:00 INF warning: unable to process azure management
groups; either the organization has no management groups or azurehound
does not have the reader role on the root management group.
2023-02-17T11:09:22-06:00 INF finished listing all management group role
assignments
2023-02-17T11:09:22-06:00 INF finished listing all management group
descendants
2023-02-17T11:09:22-06:00 INF finished listing members for all groups
2023-02-17T11:09:22-06:00 ERR unable to continue processing role
assignments for this role
error="map[error:map[code:Request_ResourceNotFound innerError:map[client-
request-id:a09b506e-758c-4bce-9c49-2f6df2e4776e date:2023-02-17T17:09:11
request-id:a09b506e-758c-4bce-9c49-2f6df2e4776e] message:Resource
'a0b1b346-4d3e-4e8b-98f8-753987be4970' does not exist or one of its
queried reference-property objects are not present.]]"
roleDefinitionId=a0b1b346-4d3e-4e8b-98f8-753987be4970
2023-02-17T11:09:22-06:00 INF finished listing all group owners
2023-02-17T11:09:22-06:00 INF finished listing all app owners
2023-02-17T11:09:23-06:00 INF finished listing all tenants count=2
2023-02-17T11:09:23-06:00 INF finished listing all service principals
count=54
2023-02-17T11:09:23-06:00 INF finished listing all roles count=97
2023-02-17T11:09:23-06:00 INF finished listing all app role assignments
2023-02-17T11:09:23-06:00 INF finished listing all role assignments
2023-02-17T11:09:23-06:00 INF finished listing all service principal
owners
2023-02-17T11:09:23-06:00 INF collection completed duration=2.192815s
https://t.me/offenciveSec
We can start using BloodHound to identify different attack paths since there are no pre-built
queries for Azure. We will use the Transitive Object Control option to determine what
privileges we have from Isabella's account.
We can identify that Isabel has the Password Administrator role, which allows us to reset
the passwords of non-administrator users.
One thing to consider when working with Azure is that, by default, users do not have the
privilege to read all Azure objects. There may be objects in Azure that, if the user we
authenticate with does not have rights to read, we will not be able to enumerate. For
https://t.me/offenciveSec
example, if we search and type AZSubscription: or AZVM: , BloodHound will not return
any data because Isabella doesn't have the right to read the subscription object.
Next Steps
In the next section, we will explore how to abuse those edges and compromise an account
with read privileges over the subscription to enumerate the Azure environment further.
Note: To avoid any cost after you finish your Azure testing, we recommend you cancel your
Azure subscription following these steps: Cancel your Azure subscription.
Optional Exercises
Challenge your understanding of the Module content and answer the optional
question(s) below. These are considered supplementary content and are not
required to complete the Module. You can reveal the answer at any time to check
your work.
Repeat the examples in the section and type DONE as the answer when you are finished.
Submit
Reveal Answer
Azure Attacks
We have learned how to enumerate Azure resources using AzureHound, and now we need
to understand how to abuse those privileges and misconfigurations to attack the Microsoft
Azure cloud.
While PowerZure simplifies some offensive operations in Azure, some features may not be
available in PowerZure. Due to updates in the Azure cloud, they may only work once they
are updated. In such cases, we can use AzureAD and Az Microsoft PowerShell modules to
accomplish our goals.
For more information on using these tools, refer to the official documentation for the
AzureAD and Az modules, and the PowerZure project.
PowerZure
https://t.me/offenciveSec
To use PowerZure, we need to sign in to Azure. Open a new PowerShell window as
administrator and sign in using Isabella's account:
Connecting to Azure
Account SubscriptionName
TenantId Environm
ent
------- ----------------
-------- --------
[email protected] 92e13faa-6af8-4501-80b9-421271bc3e38
Azure..
Note: In case we had issues using the option -Credential we can still use Connect-
AzAccount without options to bring up the Azure authentication window.
Importing PowerZure
https://t.me/offenciveSec
function table.
PS C:\Tools\PowerZure> Invoke-PowerZure -h
List of Functions
------------------Operational --------------
To compromise this group, we must abuse two edges: AZResetPassword and AZOwns . Let's
start by modifying Charlotte's password and then using her account to add herself to the
Subscription Reader group.
Connect as Charlotte
https://t.me/offenciveSec
Account SubscriptionName
TenantId Environment
------- ----------------
-------- -----------
[email protected] 92e13faa-6af8-4501-80b9-421271bc3e38
AzureCloud
With Charlotte's access, we can now add any user as a member of "Subscription Reader" for
simplicity, we will add herself:
@odata.type : #microsoft.graph.user
id : 0bdf0dca-c1bc-4172-857b-c7b4e539c47b
deletedDateTime :
accountEnabled : True
ageGroup :
businessPhones : {}
city :
createdDateTime : 2023-02-17T15:44:10Z
creationType :
companyName :
consentProvidedForMinor :
country :
department :
displayName : Charlotte Moore
...SNIP...
Now, we can enumerate the Azure tenant again with Charllote's credentials. If the group has
read access for the subscription, we should discover new objects and attack paths:
https://t.me/offenciveSec
C:\Users\julio\.config\azurehound\config.json
No configuration file located at
C:\Users\julio\.config\azurehound\config.json
2023-02-17T13:49:52-06:00 INF collecting azure objects...
2023-02-17T13:49:53-06:00 INF finished listing all groups count=9
2023-02-17T13:49:53-06:00 INF finished listing all devices count=0
2023-02-17T13:49:53-06:00 INF finished listing all device owners
2023-02-17T13:49:53-06:00 INF finished listing all users count=11
2023-02-17T13:49:53-06:00 INF finished listing all apps count=1
2023-02-17T13:49:53-06:00 INF warning: unable to process azure management
groups; either the organization has no management groups or azurehound
does not have the reader role on the root management group.
2023-02-17T13:49:53-06:00 INF finished listing all management group role
assignments
2023-02-17T13:49:53-06:00 INF finished listing all management group
descendants
2023-02-17T13:49:53-06:00 INF finished listing all tenants count=2
2023-02-17T13:49:54-06:00 INF finished listing members for all groups
2023-02-17T13:49:54-06:00 INF finished listing all group owners
2023-02-17T13:49:54-06:00 INF finished listing all app owners
2023-02-17T13:49:54-06:00 INF finished listing all subscriptions count=1
2023-02-17T13:49:54-06:00 INF finished listing all resource groups
2023-02-17T13:49:54-06:00 INF finished listing all subscription role
assignments
2023-02-17T13:49:54-06:00 INF finished listing all subscription user
access admins
2023-02-17T13:49:54-06:00 ERR unable to continue processing role
assignments for this role
error="map[error:map[code:Request_ResourceNotFound innerError:map[client-
request-id:e7dac294-f86e-4685-8a90-533ff35a8f37 date:2023-02-17T19:49:43
request-id:e7dac294-f86e-4685-8a90-533ff35a8f37] message:Resource
'a0b1b346-4d3e-4e8b-98f8-753987be4970' does not exist or one of its
queried reference-property objects are not present.]]"
roleDefinitionId=a0b1b346-4d3e-4e8b-98f8-753987be4970
2023-02-17T13:49:54-06:00 INF finished listing all resource group role
assignments
2023-02-17T13:49:54-06:00 INF finished listing all service principals
count=54
2023-02-17T13:49:54-06:00 INF finished listing all virtual machines
2023-02-17T13:49:55-06:00 INF finished listing all roles count=97
2023-02-17T13:49:55-06:00 INF finished listing all app role assignments
2023-02-17T13:49:55-06:00 INF finished listing all key vaults
2023-02-17T13:49:55-06:00 INF finished listing all service principal
owners
2023-02-17T13:49:55-06:00 INF finished listing all key vault role
assignments
2023-02-17T13:49:55-06:00 INF finished listing all virtual machine role
assignments
2023-02-17T13:49:55-06:00 INF finished listing all role assignments
2023-02-17T13:49:55-06:00 INF collection completed duration=2.6605923s
https://t.me/offenciveSec
shutting down gracefully, press ctrl+c again to force
Let's import the output all-charlote.json to BloodHound and search for the Transitive
Object Control option for Isabella one more time.
We had 3 new object a Key Vault, a Resource Group and a Virtual Machine. Let's explore
how we can read the contents of the Azure Key Vault and how to execute commands in
Azure VM. We will leave the resource group exercise so you can investigate how to abuse it.
We can use BloodHound to identify the attack path from Isabella to the Key Vault HTB-
SECRETPLAINTEXT96519 :
https://t.me/offenciveSec
To execute this attack, we will have to reset Ava Taylor's credentials, log in as Ava Taylor and
then use the Powershell Az module to read the contents of the Key Vault.
Connect as Isabella
Account SubscriptionName
TenantId Environment
------- ----------------
-------- -----------
[email protected] 92e13faa-6af8-4501-80b9-421271bc3e38
AzureCloud
Account SubscriptionName
TenantId Environment
------- ---------------- -
------- -----------
[email protected] Azure subscription 1 92e13faa-6af8-4501-80b9-
421271bc3e38 AzureCloud
https://t.me/offenciveSec
To retrieve the password, we will use the Az PowerShell module instead of PowerZure. A
Key Vault can have multiple secrets, keys, and certificates. We need to get the name of the
secret within the Key Vault:
The name is HTBKeyVault . Now we need to get the secret. The secret is stored as a secure
string, and we need to convert its value back to plain text.
Note: There's an option in PowerZure to read the content of the Key Vault, but it was not
working properly at the time of writing this module.
We can use BloodHound to identify the attack path from Isabella to the Key Vault AZVM-
01 :
https://t.me/offenciveSec
To execute this attack, we will have to reset Madison Johnson's credentials, log in as
Madison Johnson and then use the PowerZure module to execute command in the VM. We
will also demonstrate how to do the same with the PowerShell Az module.
Account SubscriptionName
TenantId Environment
------- ----------------
-------- -----------
[email protected] 92e13faa-6af8-4501-80b9-421271bc3e38
AzureCloud
Account SubscriptionName
TenantId Environment
------- ----------------
-------- -----------
[email protected] Azure subscription 1 92e13faa-6af8-4501-80b9-
421271bc3e38 AzureCloud
Value[0] :
Code : ComponentStatus/StdOut/succeeded
Level : Info
DisplayStatus : Provisioning succeeded
Message : nt authority\system
Value[1] :
Code : ComponentStatus/StdErr/succeeded
Level : Info
DisplayStatus : Provisioning succeeded
Message :
Status : Succeeded
Capacity : 0
Count : 0
https://t.me/offenciveSec
Next Steps
We have had the opportunity to explore how to use BloodHound to enumerate Active
Directory and Azure environments and understand the uses we can put this tool to from the
perspective of red and blue teams to attack and defend.
However, these environments are constantly evolving, so we must keep up to date with the
changes and how BloodHound incorporates new capabilities to help us enumerate Microsoft
environments.
In the next section, we will use the knowledge gained to enumerate an Active Directory and
Azure environment and answer questions using BloodHound data.
Note: To avoid any cost after you finish your Azure testing, we recommend you cancel your
Azure subscription following these steps: Cancel your Azure subscription.
Optional Exercises
Challenge your understanding of the Module content and answer the optional
question(s) below. These are considered supplementary content and are not
required to complete the Module. You can reveal the answer at any time to check
your work.
Repeat the examples in the section and type DONE as the answer when you are finished.
Submit
Reveal Answer
Skills Assessment
The INLANEFREIGHT organization has contracted your firm to perform an Active Directory
and Azure security assessment. To provide maximum coverage and provide the client with
visual representations of potential misconfigurations, your team has chosen to use the
BloodHound tool for part of the assessment.
The customer must answer some questions about the security of particular Active Directory
and Azure users, groups, and assets.
Your team collected the information using SharpHound and AzureHound and placed it in the
SA.zip file. Your job is to be able to respond to the customer's concerns regarding the
security of the environment your team has already analyzed.
Download the SA.zip file containing the BloodHound and AzureHound data, unzip it, and
analyze it using BloodHound to answer these questions to complete this module.
https://t.me/offenciveSec
Questions: If you are using PwnBox, an option to transfer the file is to open this section
within PwnBox and download the file.
https://t.me/offenciveSec