RED EXPLOIT DEV/SEC BLOG

def contact_me() :

    print("https://github.com/r3dxpl0it")

    print("return_root@protonmail.com")

    print("Discord : )

Analysis of Windows Active Directory environment using BloodHound

Mar 13, 2020 • Windows,ActiveDirectory


alt text

INTRODUCTION

This article examines the analysis of a Windows Active Directory environment using BloodHound .

BloodHound ( https://github.com/BloodHoundAD/BloodHound ) is a tool for clarifying unintended relationships in the Active Directory environment based on graph theory. This allows you Domain Adminsto discover paths for migrating to other users or groups, such as elevating privileges to low-privileged users .


Installation of BloodHound

Here, Kali Linux 2020.1with respect to BloodHound Version: 3.0.2you through the installation of apt BloodHound can be installed using the package management command . The command syntax is, apt-get install bloodhoundis. In advance, apt-get updateand apt-get dist-upgraderun the command, you must have the system up-to-date state.

root@kali:~$ sudo apt-get install bloodhound
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  neo4j
The following NEW packages will be installed:
  bloodhound neo4j
0 upgraded, 2 newly installed, 0 to remove and 501 not upgraded.
Need to get 154 MB of archives.
After this operation, 350 MB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://ftp.jaist.ac.jp/pub/Linux/kali kali-rolling/main amd64 neo4j all 3.5.3-0kali1 [98.1 MB]
Get:2 http://linux3.yz.yamagata-u.ac.jp/pub/linux/kali kali-rolling/main amd64 bloodhound amd64 3.0.2-0kali1 [55.5 MB]
Fetched 154 MB in 18s (8,640 kB/s)                                                            
Selecting previously unselected package neo4j.
(Reading database ... 255564 files and directories currently installed.)
Preparing to unpack .../neo4j_3.5.3-0kali1_all.deb ...
Unpacking neo4j (3.5.3-0kali1) ...
Selecting previously unselected package bloodhound.
Preparing to unpack .../bloodhound_3.0.2-0kali1_amd64.deb ...
Unpacking bloodhound (3.0.2-0kali1) ...
Setting up neo4j (3.5.3-0kali1) ...
Setting up bloodhound (3.0.2-0kali1) ...
Processing triggers for kali-menu (2020.1.7) ...



BloodHound settings

BloodHound relies on Neo4j ( https://neo4j.com/ ). Neo4j is a graph database management system. Is installed with apt-get install bloodhound command syntax . After the installation with the command is completed, configure Neo4j. First, at the command syntax, to start the Neo4j.BloodHound Version: 3.0.2neo4j 3.5.3 aptsudo neo4j console

times @ times: ~ $ sudo neo4j console
Active database: graph.db
Directories in use:
  home:         /usr/share/neo4j
  config:       /usr/share/neo4j/conf
  logs:         /usr/share/neo4j/logs
  plugins:      /usr/share/neo4j/plugins
  import:       /usr/share/neo4j/import
  data:         /usr/share/neo4j/data
  certificates: /usr/share/neo4j/certificates
  run:          /usr/share/neo4j/run
Starting Neo4j.
WARNING: Max 1024 open files allowed, minimum of 40000 recommended. See the Neo4j manual.
2020-02-29 12: 39: 25,465 + 0000 INFO ======== Neo4j 3.5.3 ========
2020-02-29 12:39:25.538+0000 INFO  Starting...
2020-02-29 12:39:34.831+0000 INFO  Bolt enabled on 127.0.0.1:7687.
2020-02-29 12:39:40.123+0000 INFO  Started.
2020-02-29 12:39:44.086+0000 INFO  Remote interface available at http://localhost:7474/

Next, access http://localhost:7474/ with a browser. After entering the default password ( neo4j / neo4j ), you will be prompted to change the password. Follow the instructions to enter a new password. The account entered here will also be used to log in to BloodHound.

This section uses the following settings.

Database URL: bolt://localhost:7687 DB Username: neo4j DB Password: blood


Launch Bloodhound

From a terminal, bloodhoundexecute a command and launch it (must be open in the background).

times @ times: ~ $ bloodhound


BloodHound operation check

A DBCreator.pyscript to create random test data is provided to confirm the operation of BloodHound ( https://github.com/BloodHoundAD/BloodHound-Tools/tree/master/DBCreator ).

Use the following command syntax to duplicate a repository.

times @ times: ~ $ git clone https://github.com/BloodHoundAD/BloodHound-Tools
Cloning into 'BloodHound-Tools'...
remote: Enumerating objects: 1, done.
remote: Counting objects: 100% (1/1), done.
remote: Total 111 (delta 0), reused 0 (delta 0), pack-reused 110
Receiving objects: 100% (111/111), 1.59 MiB | 552.00 KiB/s, done.
Resolving deltas: 100% (46/46), done.


pip In command, neo4j-driverto install.

$ sudo apt install python-pip
$ pip -V
pip 18.1 from /usr/lib/python2.7/dist-packages/pip (python 2.7)

$ pip install neo4j-driver
Collecting neo4j-driver
  Downloading https://files.pythonhosted.org/packages/0e/96/bc81664d87975948713f7e4d3d4c3a21a3a6a813d03a161637573a587817/neo4j-driver-1.7.6.tar.gz
Collecting neobolt~=1.7.15 (from neo4j-driver)
  Downloading https://files.pythonhosted.org/packages/0d/b2/eb7c33e1f02cd7bbaf4c237619dd8dc43fa6081f331c2d35b28deb78e259/neobolt-1.7.16.tar.gz (183kB)
    100% |████████████████████████████████| 184kB 1.2MB/s 
Collecting neotime~=1.7.1 (from neo4j-driver)
.
.
.
Successfully built neo4j-driver neobolt neotime
Installing collected packages: neobolt, pytz, neotime, neo4j-driver
Successfully installed neo4j-driver-1.7.6 neobolt-1.7.16 neotime-1.7.4 pytz-2019.3

DBCreator.py The script is python2 described in. Therefore, specify python2 and execute explicitly .

kali@kali:~$ cd BloodHound-Tools/
kali@kali:~/BloodHound-Tools$ ls
bloodhoundanalytics.pbix  bloodhoundanalytics.py  DBCreator  LICENSE  README.md
kali@kali:~/BloodHound-Tools$ cd DBCreator/
kali@kali:~/BloodHound-Tools/DBCreator$ python2 DBCreator.py
================================================================
BloodHound Sample Database Creator
================================================================

Documented commands (type help <topic>):
========================================
clear_and_generate  connect   exit      help       setnodes
cleardb             dbconfig  generate  setdomain

(Cmd)

DBCreator.py dbconfig Executes commands according to the script’s user interface . neo4jEnter your credentials.

(Cmd) dbconfig
Current Settings:
DB Url: bolt://localhost:7687
DB Username: neo4j
DB Password: neo4jj

Enter DB URL [bolt://localhost:7687] 
Enter DB Username [neo4j] 
Enter DB Password [neo4jj] blood

New Settings:
DB Url: bolt://localhost:7687
DB Username: neo4j
DB Password: blood

Testing DB Connection
Database Connection Successful!

**DBCreator.py generate ** Executes commands according to the script’s user interface . Generate test data.

(Cmd) generate
Starting data generation with nodes=500
Populating Standard Nodes
Adding Standard Edges
Generating Computer Nodes
Creating Domain Controllers
Generating User Nodes
Generating Group Nodes
Adding Domain Admins to Local Admins of Computers
Creating 25 Domain Admins (5% of users capped at 30)
Applying random group nesting
Adding users to groups
Calculated 7 groups per user with a variance of - 6
Adding local admin rights
Adding RDP/ExecuteDCOM/AllowedToDelegateTo
Adding sessions
Adding Domain Admin ACEs
Creating OUs
Creating GPOs
Adding outbound ACLs to 3 objects
Marking some users as Kerberoastable
Adding unconstrained delegation to a few computers
Database Generation Finished!

After Bloodhound you create the test data and log on, BloodHound draws a group named “Domain Admins” and shows the valid users belonging to that group.

In the* [Database Info]* tab on the left corner, you can see the statistics of the registered data. The information that can be confirmed on the tab is as follows.

[Database Info]

  • Users – Users on the network extracted from Active Directory
  • Computers – various endpoints on networks, servers, workstations and other devices
  • Groups- Various AD groups extracted from Active Directory
  • Sessions- The amount of user sessions on computers on the network extracted by Ingestors
  • ACL -access control list, various permissions and access for users and groups
  • Relationships -Group memberships, users, user sessions, other relevant information, etc.

In the [Queries] tab in the left corner, you can see the display with some prepared analytic queries.

[Queries] > [Pre-Built Analytics Queries] > [Shortest Paths to High Value Targets] Screen when a query is selected.


Data collection with Ingestors

So far, BloodHound and neo4j have been installed and configured. From here, we will use BloodHound to analyze the data of the target network.

Use “ Ingestors “ on the target system or domain . Ingestors queries the domain controller and Active Directory to retrieve all trust relationships, group policy settings, and Active Directory objects.

The BloodHound git repository ( https://github.com/BloodHoundAD/BloodHound/tree/master/Ingestors ) contains two different Ingestors.

  • SharpHound.exe: A program written in C #
  • Invoke-BloodHound: PowerShell script that loads C # binaries by reflection


SharpHound

SharpHound.exe Data is collected using a program that is BloodHound’s Ingestors . Here, Https://Github.Com/BloodHoundAD/BloodHound/tree/master/Ingestors

SharpHound.exe Use to collect data from Active Directory. First, powershell launch Then, SharpHound.exe run :)

The collected data is compressed in ZIP format ( 20200306061240_BloodHound.zip) SharpHound.exeand created in the folder where the was executed.

PS C:\Tools> .\SharpHound.exe -c all -d active.htb --domaincontroller 10.10.10.100
----------------------------------------------
Initializing SharpHound at 6:12 AM on 3/6/2020
----------------------------------------------

Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain ACTIVE.HTB using path CN=Schema,CN=Configuration,DC=ACTIVE,DC=HTB
[+] Cache File not Found: 0 Objects in cache

[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 19 MB RAM
Enumeration finished in 00:02:52.3983535
Compressing data to .\20200306061240_BloodHound.zip
You can upload this file directly to the UI

SharpHound Enumeration Completed at 6:16 AM on 3/6/2020! Happy Graphing!

*20200306061240_BloodHound.zip Load the collected data ( ) with BloodHound. From the BloodHound GUI screen [Upload Data], select the menu on the right and load the generated ZIP file. Data can also be read by dragging and dropping a ZIP file onto the BloodHound GUI screen.


Utilities that use BloodHound data

  • CypherDog, https://github.com/SadProcessor/CypherDog
  • GoFetch, https://github.com/GoFetchAD/GoFetch
  • ANGRYPUPPY, https://github.com/vysecurity/ANGRYPUPPY
  • gt-generator, https://github.com/audrummer15/gt-generator

Did you Like the post? Get the feed Or Share on : { Twitter, Linkedin, Facebook, Reddit, Email } !!