BloodHound-Python
If you have network access to the DC, you need admin creds - GitHub
Linux:
proxychains python3 bloodhound.py -d Steins.local -u admin -p 'p@$$W0rd!' -c all -dc dc.steins.local -gc dc.steins.local -v -ns 10.10.10.10 --dns-tcp   #single quotes: bash would otherwise expand $$ in the password
A few JSON files will appear in the same location; import them into BloodHound
Kali: sudo apt-get install bloodhound
sudo neo4j console
go to localhost:7474
neo4j / neo4j #default login in the browser, change the password when prompted
bloodhound #the BloodHound login window will pop up, log in with the new creds
Windows:
Download SharpHound.ps1 to the Windows target
powershell -ep bypass
. .\SharpHound.ps1   #dot-source the script so Invoke-BloodHound is available
Invoke-BloodHound -CollectionMethod All -Domain Steins.local -ZipFileName file.zip
Invoke-BloodHound -CollectionMethod LoggedOn -Verbose
or
SharpHound.exe -c All -d Steins.local --zipfilename test.zip
OR
.\SharpHound.exe -d steins.local --domaincontroller 192.168.168.168 --ldapusername admin --ldappassword 'P@$$W0rd!' --zipfilename domain.zip -c All   #single quotes: $$ is a PowerShell automatic variable
Open BloodHound --> click on Upload Data --> select the zip file
For Testing:
git clone https://github.com/BloodHoundAD/BloodHound-Tools
cd BloodHound-Tools/DBCreator
pip install neo4j-driver
sudo pip3 install neo4j
python3 DBCreator.py
sudo neo4j console
dbconfig
Invoke-BloodHound Commands
#specify detailed collection methods
Invoke-BloodHound -CollectionMethod ACL,ObjectProps
#Change the frequency of the requests sent by BloodHound
Invoke-BloodHound -Throttle 1500 -Jitter 10
#reduce the ingestor's disk footprint: compress the output, remove the CSVs and don't save the cache
Invoke-BloodHound -CompressData -RemoveCSV -NoSaveCache
Bloodhound Ingestor - Linux/Python
git clone https://github.com/dirkjanm/BloodHound.py
pip install .   #run from the cloned BloodHound.py directory
bloodhound-python -u UserName -p 'P@SSW)RD!' -d steins.local -ns 10.10.10.10 -c All
Bloodhound Rust Ingestor
git clone https://github.com/NH-RED-TEAM/RustHound.git
#install cargo
curl https://sh.rustup.rs -sSf | sh
. "$HOME/.cargo/env"
#Compile RustHound
make install
#Run it
rusthound -d domain.local -i 10.10.10.10 -u 'username@domain.local' -p 'P@ssw0rd!' -o . -z
# Kerberos authentication (Linux)
export KRB5CCNAME="/tmp/Username.ccache"
rusthound -d domain.local -f dc01.domain.local -k -z
Custom Queries
#Find AllowedToAct|AllowedToDelegate Permissions
MATCH p=(n)-[r:AllowedToAct|AllowedToDelegate]->(m) RETURN p
#Find Accounts Trusted for Delegation
MATCH (n)-[r:TrustedForDelegation]->(m) RETURN n, r, m
#Find RBCD (resource-based constrained delegation) paths
MATCH p=(n)-[r:AllowedToAct|AllowedToDelegate]->(m) RETURN p
#Find Accounts with SPN That allows Delegation
MATCH (n)-[r:HasSPN]->(m) WHERE n.TrustedToAuthForDelegation = true RETURN n, r, m
Custom Commands
Click on Custom Queries and edit the JSON file; as many queries as required can be added, one entry per query
Example 1
{
  "name": "CUSTOM",
  "queryList": [
    {
      "final": true,
      "query": "MATCH (n:User) RETURN n"
    }
  ]
}
List all Domain Admins
{
  "name": "CUSTOM",
  "queryList": [
    {
      "final": true,
      "query": "MATCH (n:Group) WHERE n.name =~ \"(?i).*DOMAIN ADMINS.*\" WITH n MATCH (n)<-[r:MemberOf*1..]-(m) RETURN n,r,m"
    }
  ]
}
Display all the users that are direct members of the Administrators group (note the colon in [:MemberOf]; without it Cypher binds a variable named MemberOf and matches any edge type)
{
  "name": "CUSTOM",
  "queryList": [
    {
      "final": true,
      "query": "MATCH (u:User)-[:MemberOf]->(g:Group {name: \"ADMINISTRATORS@ELS-CHILD.ELS.LOCAL\"}) RETURN u"
    }
  ]
}
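Added helper, not from this page or from the BloodHound project: it assembles customqueries.json entries from plain Cypher strings so that the \" escaping shown above is done by json.dumps, and it flags the mistakes that are easy to make in these snippets (missing RETURN, unbalanced brackets, [MemberOf] written without the colon, last entry not marked final). The top-level {"queries": [...]} wrapper and the check rules are assumptions made here.

```python
import json
import re

# Queries taken from this page, as plain Cypher; json.dumps does the \" escaping
PAGE_QUERIES = {
    "Find Accounts Trusted for Delegation":
        "MATCH (n)-[r:TrustedForDelegation]->(m) RETURN n, r, m",
    "List all Domain Admins":
        'MATCH (n:Group) WHERE n.name =~ "(?i).*DOMAIN ADMINS.*" '
        "WITH n MATCH (n)<-[r:MemberOf*1..]-(m) RETURN n,r,m",
}

def check_cypher(query: str) -> list:
    """Cheap sanity checks on one Cypher string (assumed rules, not a parser)."""
    problems = []
    if not re.search(r"\bRETURN\b", query, re.IGNORECASE):
        problems.append("no RETURN clause")
    if query.count("(") != query.count(")") or query.count("[") != query.count("]"):
        problems.append("unbalanced brackets")
    # [MemberOf] binds a variable named MemberOf; the edge type needs [:MemberOf]
    if re.search(r"\[[A-Za-z_]\w*\]", query):
        problems.append("relationship pattern without ':' (variable, not edge type)")
    return problems

def make_entry(name: str, query: str) -> dict:
    return {"name": name, "queryList": [{"final": True, "query": query}]}

def build_customqueries(queries: dict) -> dict:
    """Top-level structure (assumed wrapper) BloodHound loads from customqueries.json."""
    return {"queries": [make_entry(n, q) for n, q in queries.items()]}

def validate_customqueries(doc: dict) -> list:
    """Return the problems found; an empty list means the file looks usable."""
    errors = []
    for i, entry in enumerate(doc.get("queries", [])):
        label = entry.get("name", f"#{i}")
        qlist = entry.get("queryList") or []
        if not qlist:
            errors.append(f"{label}: empty queryList")
            continue
        if qlist[-1].get("final") is not True:
            errors.append(f"{label}: last query must have final=true")
        for q in qlist:
            errors += [f"{label}: {p}" for p in check_cypher(q.get("query", ""))]
    return errors

def dump_customqueries(queries: dict) -> str:
    """JSON text ready to paste into customqueries.json."""
    return json.dumps(build_customqueries(queries), indent=2)
```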