BloodHound
BloodHound is a powerful tool used by adversaries to visualize and analyze Active Directory relationships, allowing them to quickly identify and exploit potential attack paths and privilege escalation opportunities within a network. It automates the reconnaissance phase of an attack, helping attackers pinpoint weak points and ultimately compromise Active Directory environments.
Ingestion
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nara/bloodhound]
└─$ KRB5CCNAME=../tracy.white@nara.nara-security.com.ccache bloodhound-python -d NARA-SECURITY.COM -u tracy.white -k -no-pass --auth-method kerberos -ns $IP -dc nara.nara-security.com --zip -c Experimental,LoggedOn,All -op python_
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: nara-security.com
INFO: Using TGT from cache
INFO: Found TGT with correct principal in ccache file.
INFO: Connecting to LDAP server: nara.nara-security.com
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: nara.nara-security.com
INFO: Found 14 users
INFO: Found 55 groups
INFO: Found 2 gpos
INFO: Found 3 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: Nara.nara-security.com
INFO: User with SID S-1-5-21-914744703-3800712539-3320214069-1113 is logged in on Nara.nara-security.com
INFO: Done in 00M 06S
INFO: Compressing output into 20250701161155_bloodhound.zip
Using the TGT of the compromised tracy.white user (passed through KRB5CCNAME, so no password is needed), domain ingestion is complete.
Preps
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nara/bloodhound]
└─$ neo4j_kickstart
2025-07-01 14:13:07.959+0000 INFO Starting...
2025-07-01 14:13:08.427+0000 INFO This instance is ServerId{823c0986} (823c0986-8860-45ad-af0e-a0f1316bef16)
2025-07-01 14:13:09.535+0000 INFO ======== Neo4j 4.4.26 ========
2025-07-01 14:13:10.428+0000 INFO Performing postInitialization step for component 'security-users' with version 3 and status CURRENT
2025-07-01 14:13:10.429+0000 INFO Updating the initial password in component 'security-users'
2025-07-01 14:13:11.821+0000 INFO Bolt enabled on localhost:7687.
2025-07-01 14:13:12.519+0000 INFO Remote interface available at http://localhost:7474/
2025-07-01 14:13:12.522+0000 INFO id: F22BE6505A50EE3B6AE80482B39DD2B6A7082E68C916A87DF6F1CD7ECA4DD942
2025-07-01 14:13:12.522+0000 INFO name: system
2025-07-01 14:13:12.522+0000 INFO creationDate: 2024-09-01T10:39:20.089Z
2025-07-01 14:13:12.522+0000 INFO Started.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/nara/bloodhound]
└─$ bloodhound-legacy
Starting neo4j and bloodhound
Ingested domain data uploaded.
Domain
tracy.white (User)
The compromised domain user tracy.white is part of the staff group. This was also enumerated from ldapdomaindump. The user also has an ongoing session on the DC host nara.nara-security.com, which is how the user was able to open the phishing payloads. The tracy.white user has GenericAll privilege over the Remote Access group and the Remote OU.
Remote Access (Group)
jodie.summers is the sole member of the Remote Access group. The Remote Access group is nested in the Remote Management Users group, which allows WinRM access to the DC host nara.nara-security.com (192.168.209.30).
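The two findings above (a non-admin user holding GenericAll over a group, and that group being nested inside Remote Management Users) are exactly the kind of ACL and nesting misconfiguration a defender should audit before an attacker graphs it. The following script is an added example, not code from the page or from the BloodHound project: it reads group objects in the JSON shape bloodhound-python writes into its zip (the "data" list with "Aces" and "Members" per group is an assumption about that format), flags control rights held by principals outside an allow-list of expected admins, flattens nested membership, and reports who can ultimately influence membership of a sensitive group. All SIDs and names below are constructed sample data; the well-known RIDs (512, 519, S-1-5-32-544, S-1-5-32-580) are real.

```python
"""Audit BloodHound-legacy style group data for risky ACL edges and nesting.

Constructed sample input; shaped like the groups file inside the ingestor zip
(assumed layout: {"data": [group objects], "meta": {...}}).
"""
import json
from collections import deque

# Rights that let the holder take full control of the target object.
CONTROL_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner", "Owns", "AllExtendedRights"}

# Principals whose control over groups is expected and therefore not reported:
# Domain Admins (RID 512), Enterprise Admins (RID 519), BUILTIN\Administrators.
EXPECTED_ADMINS = {"S-1-5-21-1-1-1-512", "S-1-5-21-1-1-1-519", "S-1-5-32-544"}

# Constructed sample: a custom group with a user holding GenericAll over it,
# nested into BUILTIN\Remote Management Users (S-1-5-32-580).
SAMPLE_GROUPS_JSON = json.dumps({
    "data": [
        {"ObjectIdentifier": "S-1-5-21-1-1-1-1201",
         "Properties": {"name": "REMOTE ACCESS@EXAMPLE.LOCAL"},
         "Members": [{"ObjectIdentifier": "S-1-5-21-1-1-1-1115", "ObjectType": "User"}],
         "Aces": [
             {"PrincipalSID": "S-1-5-21-1-1-1-512", "PrincipalType": "Group",
              "RightName": "GenericAll", "IsInherited": False},
             {"PrincipalSID": "S-1-5-21-1-1-1-1113", "PrincipalType": "User",
              "RightName": "GenericAll", "IsInherited": False},
         ]},
        {"ObjectIdentifier": "S-1-5-32-580",
         "Properties": {"name": "REMOTE MANAGEMENT USERS@EXAMPLE.LOCAL"},
         "Members": [{"ObjectIdentifier": "S-1-5-21-1-1-1-1201", "ObjectType": "Group"}],
         "Aces": [{"PrincipalSID": "S-1-5-21-1-1-1-512", "PrincipalType": "Group",
                   "RightName": "GenericAll", "IsInherited": False}]},
    ],
    "meta": {"type": "groups", "count": 2, "version": 5},
})

# Constructed name lookup for readable reports (hypothetical SIDs).
SAMPLE_NAMES = {
    "S-1-5-21-1-1-1-1113": "tracy.white",
    "S-1-5-21-1-1-1-1115": "jodie.summers",
    "S-1-5-21-1-1-1-512": "Domain Admins",
}


def load_groups(raw):
    """Index group objects by SID."""
    return {g["ObjectIdentifier"]: g for g in json.loads(raw)["data"]}


def risky_aces(groups, expected=EXPECTED_ADMINS):
    """Return (principal SID, right, group name) for control rights held by non-admins."""
    hits = []
    for g in groups.values():
        for ace in g.get("Aces", []):
            if ace["RightName"] in CONTROL_RIGHTS and ace["PrincipalSID"] not in expected:
                hits.append((ace["PrincipalSID"], ace["RightName"], g["Properties"]["name"]))
    return hits


def nested_groups(groups, group_sid):
    """Return the group itself plus every group nested into it (breadth-first)."""
    seen, queue = {group_sid}, deque([group_sid])
    while queue:
        sid = queue.popleft()
        for m in groups.get(sid, {}).get("Members", []):
            if m["ObjectType"] == "Group" and m["ObjectIdentifier"] not in seen:
                seen.add(m["ObjectIdentifier"])
                queue.append(m["ObjectIdentifier"])
    return seen


def effective_members(groups, group_sid):
    """Flatten nested membership, returning the user SIDs that inherit the group."""
    users = set()
    for sid in nested_groups(groups, group_sid):
        for m in groups.get(sid, {}).get("Members", []):
            if m["ObjectType"] != "Group":
                users.add(m["ObjectIdentifier"])
    return users


def controllers_of(groups, group_sid, expected=EXPECTED_ADMINS):
    """Non-admin principals with control rights over the group or any group nested in it.

    Anyone listed here can change who ends up in group_sid without being an admin."""
    ctl = set()
    for sid in nested_groups(groups, group_sid):
        for ace in groups.get(sid, {}).get("Aces", []):
            if ace["RightName"] in CONTROL_RIGHTS and ace["PrincipalSID"] not in expected:
                ctl.add(ace["PrincipalSID"])
    return ctl


if __name__ == "__main__":
    groups = load_groups(SAMPLE_GROUPS_JSON)
    for sid, right, name in risky_aces(groups):
        print(f"[!] {SAMPLE_NAMES.get(sid, sid)} has {right} over {name}")
    target = "S-1-5-32-580"
    print("Effective members:", [SAMPLE_NAMES.get(s, s) for s in effective_members(groups, target)])
    print("Non-admin controllers:", [SAMPLE_NAMES.get(s, s) for s in controllers_of(groups, target)])
```

Run it against the real groups file from the ingestor zip by replacing SAMPLE_GROUPS_JSON with the file contents; the allow-list of expected admins should be extended with the environment's own tiered admin groups, otherwise their legitimate rights show up as findings.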