BloodHound


BloodHound is a powerful tool used by adversaries to visualize and analyze Active Directory relationships, allowing them to quickly identify and exploit potential attack paths and privilege escalation opportunities within a network. It automates the reconnaissance phase of an attack, helping attackers pinpoint weak points and ultimately compromise Active Directory environments.

Ingestion


┌──(kali㉿kali)-[~/…/htb/labs/flight/bloodhound]
└─$ KRB5CCNAME=../svc_apache@g0.flight.htb.ccache bloodhound-python -d FLIGHT.HTB -u svc_apache -k -no-pass -dc g0.flight.htb --dns-tcp -ns $IP --zip -c All
INFO: Found AD domain: flight.htb
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: g0.flight.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: g0.flight.htb
INFO: Found 16 users
INFO: Found 54 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: g0.flight.htb
INFO: Ignoring host g0.flight.htb since its reported name  does not match
INFO: Done in 00M 13S
INFO: Compressing output into 20231211211447_bloodhound.zip

Using the cached TGT of the svc_apache account (passed via KRB5CCNAME with -k -no-pass), the domain data is ingested with bloodhound-python and written to a zip archive for upload. Note the "Ignoring host g0.flight.htb since its reported name  does not match" line: the only computer in the domain was found over LDAP but skipped during computer enumeration, so the collection contains no per-host data for it.
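As an added example (not part of the original notes or of bloodhound-python itself), a small parser for the collector's log output that summarises what was collected and flags coverage gaps such as the skipped host above, which is the kind of check an analyst wants before concluding that a graph is genuinely sparse. The log text is a constructed sample built from the run shown above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: INFO lines taken from the bloodhound-python run above.
SAMPLE_LOG = """\
INFO: Found AD domain: flight.htb
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Found 16 users
INFO: Found 54 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: g0.flight.htb
INFO: Ignoring host g0.flight.htb since its reported name  does not match
INFO: Done in 00M 13S
"""

COUNT_RE = re.compile(r"^INFO: Found (\d+) (domains in the forest|domains|computers|users|groups|trusts)$")
QUERIED_RE = re.compile(r"^INFO: Querying computer: (\S+)$")
IGNORED_RE = re.compile(r"^INFO: Ignoring host (\S+) since")

@dataclass
class CollectionSummary:
    counts: dict = field(default_factory=dict)   # object type -> number found via LDAP
    queried: list = field(default_factory=list)  # hosts the collector tried to contact
    ignored: list = field(default_factory=list)  # hosts skipped during computer enumeration

    def warnings(self):
        """Coverage gaps that explain an empty-looking graph."""
        out = []
        found = self.counts.get("computers", 0)
        if found and len(self.ignored) >= found:
            out.append("every computer was skipped: no per-host data was collected")
        if self.counts.get("trusts", 0) == 0:
            out.append("no trusts: cross-domain paths cannot appear")
        return out

def summarize(log_text):
    """Parse bloodhound-python INFO lines into a CollectionSummary."""
    summary = CollectionSummary()
    for line in log_text.splitlines():
        line = line.strip()
        if m := COUNT_RE.match(line):
            summary.counts[m.group(2)] = int(m.group(1))
        elif m := QUERIED_RE.match(line):
            summary.queried.append(m.group(1))
        elif m := IGNORED_RE.match(line):
            summary.ignored.append(m.group(1))
    return summary
```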

Prep


┌──(kali㉿kali)-[~/…/htb/labs/flight/bloodhound]
└─$ sudo neo4j console
directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /usr/share/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /usr/share/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /usr/share/neo4j/run
Starting Neo4j.

┌──(kali㉿kali)-[~/…/htb/labs/flight/bloodhound]
└─$ bloodhound

Firing up neo4j and then the BloodHound GUI, which connects to it.

Ingestion data upload complete

Domain


Not much could be identified. The target domain is not configured around OUs and ACLs. Exiting BloodHound.