Building Up AD and Running Bloodhound

Man’s best friend helps us fix AD
Welcome!
Sorry for the hiatus in writing! Leaving a job, starting a new job, finishing up with a graduating class; it’s been a hectic couple of weeks. But, we’re back!
To start off this post we are going to build an AD structure with a bunch of users and workstations spread out in a big mess. Then we are going to do some poking around and figure out how to use a super cool tool called BloodHound. I had some trouble finding a script that did what I was looking for, so I went ahead and wrote one myself; the intent is to expand on this script over time and add more functionality as I find more time or receive more suggestions. Currently the script asks you how many organizational units (OUs), users, and workstations you want to create. Once you put that in, the script creates random users with passwords taken from the 100 most used passwords according to the NCSC. Then it randomly assigns those users and workstations to the various OUs.
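As an added example (not the author's Invoke-bAD script), here is a small PowerShell function that does the same kind of thing the post describes: it creates a chosen number of OUs, users and workstations, gives each user a weak password from a constructed stand-in list, scatters the objects across the OUs and hands out random group memberships. It assumes the ActiveDirectory module is available on a throwaway lab DC; the OU names, password list and group picks are constructed placeholders, not the script's real data.

```powershell
# Added lab-building example, not the Invoke-bAD script. Run only on a disposable lab DC.
Import-Module ActiveDirectory

function New-LabADMess {
    param(
        [int]$OuCount = 3,
        [int]$UserCount = 10,
        [int]$WorkstationCount = 5
    )
    $domainDn = (Get-ADDomain).DistinguishedName

    # Lab only: weak passwords are rejected unless the domain password policy is relaxed.
    Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain) -ComplexityEnabled $false -MinPasswordLength 1

    # Constructed stand-in for the "100 most used passwords" list the post mentions.
    $weakPasswords = @('123456', 'password', 'qwerty', 'letmein', 'welcome1')

    # 1. Create the requested number of OUs directly under the domain root.
    $ouDns = 1..$OuCount | ForEach-Object {
        $name = "LabOU$_"   # constructed naming scheme
        New-ADOrganizationalUnit -Name $name -Path $domainDn -ProtectedFromAccidentalDeletion $false
        "OU=$name,$domainDn"
    }

    # 2. Create users with a random weak password, each dropped into a random OU.
    $users = 1..$UserCount | ForEach-Object {
        $sam = "labuser$_"
        $secPwd = ConvertTo-SecureString (Get-Random -InputObject $weakPasswords) -AsPlainText -Force
        New-ADUser -Name $sam -SamAccountName $sam -AccountPassword $secPwd -Enabled $true `
                   -Path (Get-Random -InputObject $ouDns) -PassThru
    }

    # 3. Create workstation accounts, also scattered across the OUs.
    1..$WorkstationCount | ForEach-Object {
        New-ADComputer -Name "LABWS$_" -Path (Get-Random -InputObject $ouDns)
    }

    # 4. Hand out privileged group membership at random. This is the "mess" that
    #    BloodHound's "Find All Domain Admins" query will later surface.
    foreach ($group in @('Domain Admins', 'Remote Desktop Users')) {
        $howMany = [Math]::Max(1, [int]($UserCount / 5))
        $picked = Get-Random -InputObject $users -Count $howMany
        Add-ADGroupMember -Identity $group -Members $picked
    }
    return $users
}

# Usage on the lab DC: 3 OUs, 10 users, 5 workstations.
# New-LabADMess -OuCount 3 -UserCount 10 -WorkstationCount 5
```

Because the function deliberately weakens the domain password policy and adds users to Domain Admins, snapshot the VM first, as the post recommends below.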
Let’s get into it! P.S. I promise I don’t find new coffees every week…but this week I ran across an oldie in premade cold brew form, and I am a sucker for a cold brew! So if you like Cafe Bustelo, consider checking it out.

Prerequisites
I am setting this up on the home lab that I have been building up throughout my blog. I am using Proxmox, but this will work on any network. If you need any references to that, here are the links:
The script I created can be found on my GitHub here.
Setting Up The Environment
Before we start, I highly recommend that you take a “snapshot” of your VM; this allows you to roll back to how it was before you made changes.
I am going to start off by remoting into the Domain Controller that we set up and opening PowerShell as an administrator. This can be done by right-clicking on the start menu and selecting PowerShell. Then paste the code below into your session and it should start to run the script.
IEX((new-object net.webclient).downloadstring("https://raw.githubusercontent.com/jtoledo3970/Invoke-bAD/main/Invoke-bAD.ps1"));

Now you should be able to open “Active Directory Users and Computers” by searching for it at the start menu. Navigate to Users > Domain Admins > Members and see a bunch of new users there. This would be the same for other groups such as Remote Desktop Users.

Now we have an active directory environment set up with users, workstations, and a bunch of random permissions. Let’s get sniffing with BloodHound.
Running BloodHound
What is BloodHound?
Pulling this straight from the BloodHoundAD GitHub page:
BloodHound is a single page Javascript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a C# data collector.
BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory or Azure environment.
BloodHound was created by @_wald0, @CptJesus, and @harmj0y.
BloodHound is maintained by the BloodHound Enterprise team.
It is an extremely powerful tool for both red teamers and blue teamers.
Running SharpHound
SharpHound is the tool used to collect data from a target machine. In this case we are going to once again be running it straight on our Domain Controller for the sake of simplicity.
1. Disable Windows Defender from an admin PowerShell window with the command below before you get started. SharpHound is commonly used by bad actors, so by default it is blocked. I will have a point where we enable it at the end.
Set-MpPreference -DisableRealtimeMonitoring $true
2. Download the SharpHound utility to your Domain Controller from this link: https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors You can click on SharpHound.ps1 and download it from the upper right hand corner. If you get an error that it is unsafe, you can click “Keep”.

3. From an administrative PowerShell session we can change to the directory holding our file and run it. This should generate a zip file containing some .json files; that zip is what we are going to be using.
cd Downloads # Change directory to Downloads, where SharpHound.ps1 was saved
Import-Module .\SharpHound.ps1 # Load the collector functions into the session
Invoke-BloodHound # Default collection: Domains, Computers, Users, Groups; output is a zip of .json files in the current directory

4. I have a Kali machine on my virtual network that I am going to be using since it has BloodHound on it. If you want to install BloodHound on your own machine, follow the directions here. I am going to turn on my Kali machine and go from there. You have to get the zip file that was created by SharpHound off the target machine and save it to the Kali machine. If you have remote desktop on the Windows machine you should be able to copy and paste, or you can access an SMB share from Windows on Kali. I just did the copy and paste for the sake of simplicity. To install BloodHound on Kali, run the following commands in a terminal; more information on the install can be found here:
$ sudo apt update && sudo apt install -y bloodhound
$ sudo neo4j console
5. Now you should be able to go to the menu in the upper left and open BloodHound. Once it opens, click the “Upload Data” icon and select the zip file.


6. Now we can start running queries by clicking the hamburger menu in the upper left-hand corner and heading over to Analysis. The image below shows “Find All Domain Admins”. Another good database generator for testing the various features of BloodHound can be found on GitHub here.

Congrats on getting BloodHound up and running. I highly recommend poking around more and reading the BloodHound documentation; this is a powerful tool for both auditing and pentesting. Here is the official documentation from BloodHound explaining the GUI and navigation of the software. Thanks for reading!