Recon - AD scanners
BloodHound
BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. BloodHound can be used to easily identify highly complex attack paths that would otherwise be impossible to quickly identify.
The official installation procedure is available on the GitHub repository: https://github.com/BloodHoundAD/BloodHound/wiki/Getting-started
BloodHound ingestors
SharpHound
SharpHound is a C# data ingestor used by BloodHound to enumerate the targeted Active Directory domain. A PowerShell script, SharpHound.ps1, in-lining the C# DLL, is available as well.
By default, SharpHound outputs multiple JSON files in a compressed zip archive that can be directly imported into BloodHound for graphical review and querying.
Multiple collection methods are available:
Default
Performs group membership collection, domain trust collection, local admin collection, and session collection
Group
Performs group membership collection
LocalAdmin
Performs local admin collection
LocalGroup
Performs local groups collection. No longer uses the NetLocalGroupGetMembers Windows API, relying instead on lower-level API calls to the SAMRPC library to access the remote computer's SAM
RDP
Performs Remote Desktop Users collection
DCOM
Performs Distributed COM Users collection
GPOLocalGroup
Performs local admin collection using Group Policy Objects
Session
Performs session collection
ComputerOnly
Performs local admin, RDP, DCOM and session collection
LoggedOn
Performs privileged session collection (requires admin rights on target systems)
Trusts
Performs domain trust enumeration
ACL
Performs collection of ACLs
Container
Performs collection of Containers
DcOnly
Performs collection using LDAP only. Includes Group, Trusts, ACL, ObjectProps, Container, and GPOLocalGroup.
All
Performs all Collection Methods except GPOLocalGroup
Usage:
BloodHound.py
bloodhound-python.py is a Python-based ingestor for BloodHound, built on the Impacket suite and only compatible with BloodHound 3.0 or newer versions. bloodhound-python.py presents the main advantage of being usable on Linux systems and thus integrates easily with proxychains for pivoted Active Directory enumeration.
bloodhound-python.py supports most of the SharpHound collection methods specified above, except GPOLocalGroup and LocalGroup.
Sysinternals' AdExplorer and ADExplorerSnapshot.py
Active Directory domain snapshots taken with AdExplorer can be converted to JSON files supported by BloodHound using the ADExplorerSnapshot.py Python script. AdExplorer can thus be used as an ingestor for BloodHound. Refer to the [ActiveDirectory] Recon - Domain Recon note for more information on AdExplorer.
A few limitations are however to be noted: the snapshot only contains information on Active Directory objects (comparable to a DcOnly collection made with SharpHound). Organizational Units and Group Policy Objects information will be missing.
The resulting JSON files can be imported normally through the BloodHound graphical interface.
Multiple Neo4j databases to handle different environments
The Neo4j Desktop
application can be used to create and manage multiple databases. Due to Neo4j Community
limitations, the usage of the thick client is required as having multiple databases is otherwise a feature of the Enterprise
edition (as of 2022-01). Using multiple databases present the notable advantage of allowing oneself to work on different environments without requiring clears of the database and data reuploads.
The procedure to create multiple Neo4j databases through the Neo4j Desktop
application is as follow:
Create a new project:
Projects (left menu) -> New
.Adds a
Local DBMS
per environment, forest or domain (depending on the level of separation wished):Newly created project right panel -> (+) Add -> Local DBMS
. The name specified for theDBMS
can match the environment / forest / domain (for example), and the password should be identical betweenDBMS
.Each
Local DBMS
will be composed of the defaultsystem
andneo4j
databases.Switch between
DBMS
(Mouse over the DBMS in the project right panel -> Start
) and add data as needed through theBloodHound
interface.
Once the different databases are populated, simply starting a DBMS
through the Neo4j Desktop
application allows to switch to a different environment in BloodHound
(without having to login / logoff or restart BloodHound
).
BloodHound GUI
The following commands can be used to start BloodHound. The default neo4j credentials are neo4j:neo4j and must be changed at first login.
The zip archive files produced by SharpHound can simply be dragged and dropped into the BloodHound graphical interface for processing. The Upload button on the right may be used as well.
BloodHound / Neo4j Cypher queries
Neo4j Cypher 101
The Neo4j graph database implements its own query language: Cypher. Raw Cypher queries can be run directly through the BloodHound GUI, in complement to the predefined BloodHound queries. Queries may also be executed through the Neo4j console (by default accessible through the Neo4j web interface at http://localhost:7474/browser/). The Neo4j console displays by default all the edges between nodes, which may be useful in some cases but is more resource intensive.
Cypher is a "visual" language modeling a starting node and an ending node linked by an edge. Queries are constructed using parentheses, brackets, and arrows, with a very basic query looking like:
Cypher implements two basic clauses, MATCH and RETURN:
The MATCH clause specifies the patterns Neo4j will search for in the database. MATCH is often coupled with a WHERE conditional statement that adds restrictions to the data retrieved.
The RETURN clause defines what to include in the query result set, which can be nodes, relationships, or node / relationship properties.
The relationship type and depth can be specified inside the brackets. For instance, the link -[r:MemberOf]-> specifies that the starting node must be a direct member of the ending group node, while the link -[r:MemberOf*1..]-> indicates that the MemberOf relationship may repeat any number of times, so that the starting node may be a member of the ending group node through any chain of nested groups.
Neo4j Cypher also implements the shortestPath and allShortestPaths functions, which return, respectively, one shortest path and all the shortest paths (all paths with the same minimal number of hops) from a starting node, or set of nodes, to an ending node, or set of nodes.
The following basic queries illustrate the use of the MATCH and RETURN clauses as well as the linking syntax:
The following operators are supported in conditional WHERE statements:
NOT
Negate the subsequent condition
=
Is equal to
<>
Is not equal to
<
Is less than
<=
Is less than or equal to
>
Is greater than
>=
Is greater or equal to
IS NULL
Is null
IS NOT NULL
Is not null
STARTS WITH
String starts with
ENDS WITH
String ends with
CONTAINS
String contains
=~
String matches a regular expression
The relationships between nodes can be of the following types:
AddAllowedToAct
AddMember
AdminTo
AllExtendedRights
AllowedToAct
AllowedToDelegate
CanPSRemote
CanRDP
Contains
ExecuteDCOM
ForceChangePassword
GenericAll
GenericWrite
GetChanges
GetChangesAll
GPLink
HasSession
HasSIDHistory
Owns
MemberOf
ReadGMSAPassword
ReadLAPSPassword
SQLAdmin
TrustedBy
WriteDACL
WriteOwner
For more information about the Neo4j Cypher language, its use in BloodHound, and BloodHound in general, the following resources may be consulted:
BloodHound built-in Cypher queries
BloodHound implements a number of built-in Cypher queries, titled:
Find all Domain Admins
Find Shortest Paths to Domain Admins
Find Principals with DCSync Rights
Users with Foreign Domain Group Membership
Groups with Foreign Domain Group Membership
Map Domain Trusts
Shortest Paths to Unconstrained Delegation Systems
Shortest Paths from Kerberoastable Users
Shortest Paths to Domain Admins from Kerberoastable Users
Shortest Path from Owned Principals
Shortest Paths to Domain Admins from Owned Principals
Shortest Paths to High Value Targets
Find Computers where Domain Users are Local Admin
Find Computers where Domain Users can read LAPS passwords
Shortest Paths from Domain Users to High Value Targets
Find All Paths from Domain Users to High Value Targets
Find Workstations where Domain Users can RDP
Find Servers where Domain Users can RDP
Find Dangerous Rights for Domain Users Groups
Find Kerberoastable Members of High Value Groups
List all Kerberoastable Accounts
Find Kerberoastable Users with most privileges
Find Domain Admin Logons to non-Domain Controllers
Find Computers with Unsupported Operating Systems
Find AS-REP Roastable Users (DontReqPreAuth)
Custom Cypher queries
Most of the queries below are from, or inspired by, previous work by @Haus3c.
The following queries were validated in the Neo4j console.
(Dirty) Manual analysis of SharpHound results
For larger Active Directory domains, specific searches on the JSON files produced by SharpHound may be used to more rapidly identify entry points, such as resources accessible to the following groups:
Everyone, SID: S-1-1-0
Anonymous, SID: S-1-5-7
Authenticated Users, SID: S-1-5-11
Users, SID: S-1-5-32-545
Domain Users, SID: S-1-5-<DOMAIN>-513
Domain Computers, SID: S-1-5-<DOMAIN>-515
The following bash script can be used to convert the one-line JSON output of SharpHound to a more human-readable format:
[Linux] BloodHound Owned
The bh-owned.rb Ruby script can be used to automatically tag the users listed in a provided file as owned or blacklisted. Note that the usernames must correspond to the BloodHound expected node format: UPPERCASE_USERNAME@UPPERCASE_DOMAIN_FQDN.
PingCastle
PingCastle is a C# application designed to run a number of security checks targeting the most common Active Directory security issues. PingCastle generates an HTML report summarizing the findings for the healthcheck mode, or produces text files for the individual modules.
Note that the licensing model of PingCastle specifies the following:
"Except if a license is purchased, you are not allowed to make any profit from this source code"
"It is allowed to run PingCastle without purchasing any license on for profit companies if the company itself (or its ITSM provider) run it"
So in order to legally make use of PingCastle, a license must be purchased by the auditor, or the scans must be conducted by the audited company and the results communicated to the auditors.
The healthcheck mode runs more than fifty checks, including:
Enumeration of the members of the domain privileged groups (Enterprise Admins, Domain Admins, built-in Operators groups, etc.).
Creation of a limited Active Directory control path graph to privileged groups, similar in nature to, but not as complete as, what can be accomplished using BloodHound. PingCastle's control path graphs are based on group memberships, GPO mapping and Access Control Lists (ACL) on privileged objects, and can be visualized in the Control Paths Analysis section by clicking on the Analysis link of each privileged group.
Enumeration of the operating systems in use on the computers joined to the Active Directory domain.
Enumeration of Active Directory privileged group memberships and users with the admincount attribute set to 1 (accounts protected by the AdminSDHolder mechanism).
Verification of privileged security principals' and GPOs' ACLs.
Search for GPP passwords and restricted groups definitions in GPOs.
Verification of the implementation of the Local Administrator Password Solution (LAPS) and Windows Event Forwarding solutions.
Enumeration of privileged accounts that define a ServicePrincipalName (SPN) (and are thus prone to Kerberoasting attacks).
Listing of user and machine accounts that can have an empty password, as well as user accounts that do not require Kerberos pre-authentication (and are thus vulnerable to AS-REP Roast attacks).
Enumeration of the domain's configured trusts.
Verification of whether the Exchange Windows Permissions security principal has the WriteDacl right in the root domain security descriptor.
etc.
PingCastle can also be used to run a number of specific security scans through various modules:
aclcheck
Check authorizations granted to users or groups. Defaults to Everyone, Authenticated Users and Domain Users.
antivirus
Check for computers without known antivirus installed. It is used to detect unprotected computers but may also report computers with unknown antivirus.
export_user
Export all users of the AD with their creation date, last logon and last password change.
foreignusers
laps_bitlocker
Check on the AD if LAPS and/or BitLocker has been enabled. Default check for all the computers in the domain.
localadmin
Enumerate the local Administrators of the specified computer or all computers in the domain.
nullsession
Check if null sessions are enabled.
nullsession-trust
Attempts to enumerate the Active Directory domain trusts through a null session.
remote
Checks for the presence of a remote desktop solution (RDP, TeamViewer, VNC, etc.) on the targeted computer(s).
share
List all shares published on the specified computer or all computers in the domain and determine if the share can be accessed by anyone.
smb
Scan the specified computer or all computers in the domain and determine the smb version available. Also check if SMB signing is enabled.
spooler
Check if the spooler service is remotely active on the specified computer or all computers in the domain.
startup
Get the last startup date of the specified computer or all computers in the domain. Can be used to determine if latest patches have been applied.
zerologon
Enumerates the Domain Controllers through AD requests and checks for the presence of the ZeroLogon vulnerability on all the enumerated Domain Controllers.
In order to execute PingCastle on a computer without the .NET Framework 3.5 installed, the PingCastle.pdb and PingCastle.exe.config files must be present in the same directory as the PingCastle.exe binary.
PingCastle can be launched in interactive mode using the current user's security context, or with a specified account, using the following commands. Before running PingCastle's healthcheck mode, it is recommended to remove the limitation of 100 users in the generated HTML report: 5-advanced -> 4-noenumlimit.
References
https://www.ernw.de/download/BloodHoundWorkshop/ERNW_DogWhispererHandbook.pdf#page=45&zoom=100,92,390
https://beta.hackndo.com/bloodhound/
https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/
https://neo4j.com/docs/cypher-manual/current/clauses/match/