Bloodhound/SharpHound πŸ•‍🦺 and ADDS

 

WARNING: Ensure that you have the necessary permissions and legal authorization to extract data from the Ntds.dit file and import it into BloodHound, you may wish to mount ADDS separately and scan the mounted version of ADDS - follow that guide here

Bloodhound is an absolutely fantastic way to check the security of your domain and be able to visualize weak points, weak authentication mechanisms, lateral movement to privileged accounts, lateral movement generally - not to mention a whole host of other benefits.

Security Warning

Yes,  when you do this it will make your security software, in this case Defender go absolutely nuts, which is great for normal circumstances but when you actually want to run these tools it is a pain.....



This alert was very common with file operations:


Then if you needed to amend the PowerShell, it was a very big pain when trying to do this for legitimate reasons:


This was trying to download the Sharphound powershell file:


Then you have the problem with trying to run the powershell:


In the end this needed to occur, I had to completely disabled the Defender antivirus and threat protection, however ironically the firewall did not even detect that malicious software talking to the ADDS services at all

Pingcastle

I would recommend before going straight to bloodhound that you run a ping castle report, This particular program will analyze your domain and advise you on security, weak points, and vulnerabilities, Dispute utility gets updated regularly, so make sure you Download the latest updates before you run it.

I would highly recommend you run this utility before you jump straight into bloodhound, As with bloodhound, you can get some very surprising results.

Pingcastle : Download

Lets get the software from the official website the download link is here

Pingcastle : Extraction

Once you have downloaded it, its just a ZIP file so go ahread and extract it to a folder of your choice, I have used on the folder c:\PingCastle and I have installed it locally on the "FakeDC" computer running "bear.local" as the domain.

That extraction should look like this and you will need to run the "pingcastle" executable highlighted below:

Pingcastle : Health Check

You will then need to choose the "healthcheck" option as shown below:


You will then be asked for the domain, if you press enter it will choose the local domain which here is bear.local, so I need press enter:


It will then run its tasks and you need to wait until its says completed then you can press enter this will quit the application as its job is done:


Pingcastle : Report

If you go back to the folder where you extracted Pingcastle in this case C:\PingCastle then you will not see a HTML file (and an XML file for the people interested in the XML content)


Pingcastle : Indicators

If you open this file you will get your report, and most people like the indicators, which for a out the box domain controller runnign Server 2022 is like this:


Pingcastle : Risk model

Personally, I prefer the risk model that tells you more interesting and intriguing data:

They type of risks you are exposed to here will give you a good indication as to how impacting bloodhound will be and how easy the advice you get from Bloodhound will be achievable by threat actors.

Bloodhound Prerequisites

 Note: Bloodhound will require a server and a client, in this example, I am using Kali For the server and Windows for the client.

Bloodhound is an interactive tool that has many interesting reports and queers that people are going to want to investigate themselves, it’s far safer to give people access to a Windows client then it is to give them access to your Kali server

  1. Access to Ntds.dit File: Obtain a copy of the Ntds.dit file from a domain controller.
  2. Sharphound : This needs to be run on the live domain to enumerate objects and get the data
  3. BloodHound: Have BloodHound installed and ready for use.

Sharphound : Online ADDS scan

First, you need to download the PowerShell file from this location, there is an executable as well, but this guide is about the PowerShell version.

Sharphound Collectors

This is a PowerShell script that is executed like this, first you need to put PowerShell in bypass mode 

powershell -ev bypass
. .\sharpHound.PS1
Import-Module .\SharpHound.ps1

That should look like this:


You will also need to import the module:


Then you need to run this to start the scan

Invoke-BloodHound -CollectionMethod All -Domain bear.local -zipFileName loot.zip

That will then run the script and get the "loot.zip" file:


Once complete it will either be in the folder where you ran Sharphound from or the folder above like this:


This "loot.zip" this is the file you need to give to Bloodhound, if you take a look inside this file it has all the files requires for Bloodhound:

Enable Bloodhound services (server)

This will be done from the Kali linux server that will host the server side of the software

sudo neo4j start

This will start the service like this, this will also give you the port you require, here for example its TCP:7474 as you can see below:


Download Bloodhound client (workstation)

Bloodhound can be downloaded from the link below just use the relevant binaries for your platform

Download Bloodhound Clients

Download Bloodhound x64 Windows Installer

Downloading this will not be as simple as it appears to be, if you try to download it via most browsers, it would be blocked as malicious, because what is to does he considered to be malicious



You also get no options to override this download to save it:


Browsers are actually quite active at protecting you these days, however if you need to use this application this can easily be fixed if you’re on Windows by starting PowerShell and using "wget" to download the file, that will require this command:

Invoke-WebRequest -Uri "https://github.com/BloodHoundAD/BloodHound/releases/download/v4.3.1/BloodHound-win32-x64.zip" -OutFile "C:\temp\BloodHound-win32-x64.zip"


That will immediately start the download to the current directory you are running the command from;



During the download or on completion of the download fully expect your protection software to also detect this as malicious, and it will immediately be quarantined (which just to be clear, is absolutely the correct action normally) however, if you wish to use this utility, you will need to make a security exception in your protection software - that procedure will absolutely not be covered in this guide.

Running Bloodhound Client

When you start Bloodhound you will see the login screen and you will need to enter the server connection address, if you enter the address correctly you will see a green tick next to the server name as below:


If you enter the connection incorrectly, you will be notified by a "database not found" error like below, check your connection settings:


We then need the valid username and password then click login, if correct the button will change to "Success".....


This will then give you the main interface, where it will query the database as below:


You will then notice the database will connect and the status will say "Done" as below:


Currently there is nothing in the database to query, so it should tell you "no data returned" and it would be correct we have not imported anything into the database yet!!!!


Sharphound : Import Data into BloodHound

  1. Open BloodHound.
  2. Go to "Data Import" within BloodHound.
  3. Choose the appropriate option to import data. BloodHound supports importing data from CSV files.
  4. Map the columns in the CSV file to the corresponding BloodHound properties during the import process.
  5. Once the data is successfully imported, BloodHound will process it and generate a graph visualizing the relationships, permissions, and attack paths within the Active Directory environment.
Import Errors?

If you get an talking about "Incompatible collector" then you may need to use Sharphound, if this has come from Sharphound and you were using the PowerShell collector, try the executable collector as well.



Confirm Import Successful

<coming soon>

Analyze the BloodHound Graph

Explore the generated BloodHound graph to identify potential attack paths, privilege escalation opportunities, vulnerable accounts, and other security-related insights within the Active Directory.

<more coming soon>

Previous Post Next Post

Ω†Ω…ΩˆΨ°Ψ¬ Ψ§Ω„Ψ§ΨͺΨ΅Ψ§Ω„