Advertisements

Bloodhound – Six Degrees of Domain Admin

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths

Active Directory domain privilege escalation is a critical component of most penetration tests and red team assessments, but standard methodology dictates a manual and often tedious process – gather credentials, analyze new systems we now have admin rights on, pivot, and repeat until we reach our objective. Then, and only then, we can look back and see the path we took in its entirety. But that may not be the only, nor shortest path we could have taken.

By combining the concept of derivative admin (the chaining or linking of administrative rights), Active Directory object control relationships, existing tools, and graph theory, we have developed a capability called BloodHound, which can reveal the hidden and unintended relationships in Active Directory domains. BloodHound is operationally-focused, providing an easy-to-use web interface and PowerShell ingestor for memory-resident data collection and offline analysis.

BloodHound offers several advantages to both attackers and defenders. Otherwise invisible, high-level organizational relationships are exposed. Most possible escalation paths can be efficiently and swiftly identified. Simplified data aggregation accelerates blue and red team analysis. BloodHound has the power and the potential to dramatically change the way you think about and approach Active Directory domain security.

 

Windows

  1. Download and install neo4j community edition.

    Optional: configure the REST API to accept remote connections if you plan to run neo4j and the PowerShell ingestor on different hosts.

  2. Clone the BloodHound GitHub repo.

    git clone https://github.com/adaptivethreat/Bloodhound

  3. Start the neo4j server, pointing neo4j to the provided sample graph database.
  4. Run BloodHound.exe from the release found here or build BloodHound from source.
  5. Authenticate to the provided sample graph database at bolt://localhost:7687. The username is “neo4j”, and the password is “BloodHound”.

You’re now ready to get started with data collection!


Linux

For much better instructions on setting up BloodHound on Linux, see this blog post: https://stealingthe.network/quick-guide-to-installing-bloodhound-in-kali-rolling/

  1. Download and install neo4j community edition.

    Optional: configure the REST API to accept remote connections if you plan to run neo4j and the PowerShell ingestor on different hosts.

  2. Clone the BloodHound GitHub repo.

    git clone https://github.com/adaptivethreat/Bloodhound

  3. Start the neo4j server, pointing neo4j to the provided sample graph database.
  4. Run BloodHound from the release found here or build BloodHound from source.

    ./BloodHound

  5. Authenticate to the provided sample graph database at bolt://localhost:7687. The username is “neo4j”, and the password is “BloodHound”.

You’re now ready to get started with data collection!


OSX

  1. Download and install neo4j community edition.

    Optional: configure the REST API to accept remote connections if you plan to run neo4j and the PowerShell ingestor on different hosts.

  2. Clone the BloodHound GitHub repo.

    git clone https://github.com/adaptivethreat/Bloodhound

  3. Start the neo4j server, pointing neo4j to the provided sample graph database.
  4. Run the BloodHound App from the release found here or build BloodHound from source.
  5. Authenticate to the provided sample graph database at bolt://localhost:7687. The username is “neo4j”, and the password is “BloodHound”.

 

Data Collection Intro

BloodHound requires three sets of information from an Active Directory environment in order to function:

  1. Who is logged on where?
  2. Who has admin rights where?
  3. What users and groups belong to what groups?
  4. (Optionally) What principals have control over other user and group objects?

In most instances, collecting this information does not require Administrator privileges, and does not require executing code on remote systems. The PowerShell ingestor, based on PowerView, makes data collection fast and simple. The ingestor is located in the BloodHound repo at /PowerShell/BloodHound.ps1.


PowerShell execution policy

PowerShell by default will not allow execution of PowerShell scripts; however, bypassing this restriction is very simple in most instances. Typically you will be able to enter a PowerShell runspace without this restriction by running:

PS C:\> PowerShell -Exec Bypass

For more options, see this great blog post from NetSPI on 15 different ways to bypass PowerShell execution policy.

Advertisements
Advertisements
Advertisements
Advertisements
Advertisements
%d bloggers like this: