BloodHound


BloodHound is a powerful tool used by adversaries to visualize and analyze Active Directory relationships, allowing them to quickly identify and exploit potential attack paths and privilege escalation opportunities within a network. It automates the reconnaissance phase of an attack, helping attackers pinpoint weak points and ultimately compromise Active Directory environments.

Ingestion


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch/bloodhound]
└─$ KRB5CCNAME=../fmcsorley@hutchdc.hutch.offsec.ccache bloodhound-python -d HUTCH.OFFSEC -u fmcsorley -k -no-pass --auth-method kerberos -ns $IP -dc hutchdc.hutch.offsec --zip -c Experimental,LoggedOn,All -op python_
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: hutch.offsec
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: hutchdc.hutch.offsec
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: hutchdc.hutch.offsec
INFO: Found 18 users
INFO: Found 52 groups
INFO: Found 2 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: hutchdc.hutch.offsec
INFO: Done in 00M 06S
INFO: Compressing output into 20250501154245_bloodhound.zip

Domain ingestion completed using the TGT of the compromised fmcsorley account.

Preps


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch/bloodhound]
└─$ neo4j_kickstart            
2025-05-01 13:44:11.989+0000 INFO  Starting...
2025-05-01 13:44:12.404+0000 INFO  This instance is ServerId{823c0986} (823c0986-8860-45ad-af0e-a0f1316bef16)
2025-05-01 13:44:13.438+0000 INFO  ======== Neo4j 4.4.26 ========
2025-05-01 13:44:14.393+0000 INFO  Performing postInitialization step for component 'security-users' with version 3 and status CURRENT
2025-05-01 13:44:14.393+0000 INFO  Updating the initial password in component 'security-users'
2025-05-01 13:44:15.178+0000 INFO  Bolt enabled on localhost:7687.
2025-05-01 13:44:15.934+0000 INFO  Remote interface available at http://localhost:7474/
2025-05-01 13:44:15.938+0000 INFO  id: F22BE6505A50EE3B6AE80482B39DD2B6A7082E68C916A87DF6F1CD7ECA4DD942
2025-05-01 13:44:15.938+0000 INFO  name: system
2025-05-01 13:44:15.938+0000 INFO  creationDate: 2024-09-01T10:39:20.089Z
2025-05-01 13:44:15.939+0000 INFO  Started.
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch/bloodhound]
└─$ bloodhound

Starting Neo4j and BloodHound.

The ingested domain data has been uploaded.

Domain


fmcsorley User


The fmcsorley user has ReadLAPSPassword access to the hutchdc.hutch.offsec host.
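
A defender can audit the same delegation from collector output. The following is an added example, not part of the original write-up: it scans computer objects in the BloodHound legacy (4.x) JSON layout for ReadLAPSPassword ACEs and reports principals outside an approved set. The sample data, the SIDs and the approved-RID policy are constructed assumptions.

```python
import json

# Constructed sample data; SIDs are made up. Field names assume the
# BloodHound legacy (4.x) JSON layout that bloodhound-python writes.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_COMPUTERS = {"data": [{
    "ObjectIdentifier": DOM + "-1000",
    "Properties": {"name": "HUTCHDC.HUTCH.OFFSEC", "haslaps": True},
    "Aces": [
        {"PrincipalSID": DOM + "-512", "PrincipalType": "Group",
         "RightName": "ReadLAPSPassword", "IsInherited": False},
        {"PrincipalSID": DOM + "-1105", "PrincipalType": "User",
         "RightName": "ReadLAPSPassword", "IsInherited": False},
        {"PrincipalSID": DOM + "-512", "PrincipalType": "Group",
         "RightName": "GenericAll", "IsInherited": False},
    ]}]}
SAMPLE_USERS = {"data": [{"ObjectIdentifier": DOM + "-1105",
                          "Properties": {"name": "FMCSORLEY@HUTCH.OFFSEC"}}]}

# Assumed policy: only Domain Admins (RID 512) and Enterprise Admins (RID 519)
# are expected to read LAPS passwords. Adjust to the real delegation design.
APPROVED_RIDS = {"512", "519"}

def name_index(*collections):
    """Map ObjectIdentifier -> Properties.name across users/groups files."""
    return {o["ObjectIdentifier"]: o.get("Properties", {}).get("name", "?")
            for c in collections for o in c.get("data", [])}

def unexpected_laps_readers(computers, names, approved_rids=APPROVED_RIDS):
    """Return ReadLAPSPassword ACEs held by principals outside the approved set."""
    findings = []
    for comp in computers.get("data", []):
        host = comp.get("Properties", {}).get("name", comp["ObjectIdentifier"])
        for ace in comp.get("Aces", []):
            if ace.get("RightName") != "ReadLAPSPassword":
                continue
            sid = ace["PrincipalSID"]
            if sid.rsplit("-", 1)[-1] in approved_rids:
                continue  # expected reader
            findings.append({"host": host, "principal": names.get(sid, sid),
                             "type": ace.get("PrincipalType"),
                             "inherited": ace.get("IsInherited", False)})
    return findings

if __name__ == "__main__":
    # For real data: json.load() the computers/users/groups files from the zip.
    for f in unexpected_laps_readers(SAMPLE_COMPUTERS, name_index(SAMPLE_USERS)):
        print(json.dumps(f))
```

Any principal this reports should either be added to the documented delegation or have the ACE removed from the computer object or its OU.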