BloodHound Reconnaissance
Description
Active Directory (AD) reconnaissance is a crucial step in assessing the security of an Active Directory environment. It involves gathering information about the Active Directory infrastructure to identify potential vulnerabilities and security weaknesses. One powerful tool for conducting such reconnaissance is BloodHound.
BloodHound is a single page Javascript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a C# or PowerShell data collector. BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory or Azure environment.
Source: https://github.com/BloodHoundAD/BloodHound
Tasks
Lab Environment
In this lab environment, you will be provided with GUI access to a Windows machine (2012). This machine will serve as your attacker machine. Your task in this lab is to enumerate the Active Directory environment using BloodHound.
Objective: Perform Active Directory enumeration using BloodHound and answer the following questions.
Questions:
Find all Domain Admins and their SIDs.
Find all Kerberoastable accounts.
Find AS-REP Roastable users.
Can ROXANNE_SULLIVAN perform a DCSync attack on the current domain?
Which Kerberoastable user is a member of a high valued group - “Account Operators”?
Find the members of the “Backup Operators” group.
Find the group membership of a user named “CHADWICK_YORK”.
To what OU is the “NewCompPolicy2” GPO linked to?
Find the shortest path to Domain Admins from a Kerberoastable user “BEATRIZ_MATHEWS”.
Find all the reachable high value targets from the “CR-NOWAYIAMT-DISTLIST1” group.
List the outbound object control for “HELENE_CARPENTER”.
The following credentials may be useful:
Username: neo4j
Password: Password@123
Note: All the tools are present in the C:\Tools directory.
Tools
The best tools for this lab are:
PowerShell
SharpHound
BloodHound
Solution
Step 1: Open the lab link to access the attacker machine:

Step 2: We will use SharpHound, which is the official data collector for BloodHound. Run the following commands:
Commands:

All the data collected will be stored as a zip file in the current directory.

Now, we can directly upload this file in BloodHound.
Step 3: Run the following commands to open the BloodHound GUI:
Commands:
Use the following credentials to log in:
Username: neo4j
Password: Password@123

Step 4: Next, click on Upload Data and then upload the zip file generated before. In this case, it is present in C:\Tools\BloodHound\BloodHound\resources\app\Collectors.

Once the upload is complete, click on Clear Finished and close the Upload Progress box.

Next, expand the top left menu. On the Database Info tab, scroll down the menu and click on Refresh Database Stats once to refresh the object counts and other stats as shown below:

We are now ready to explore the environment. Let's answer the questions one by one.
Find all Domain Admins and their SIDs.
Step 5: Go to the Analysis tab. This contains a list of pre-built queries that we can directly run. Click on Find all Domain Admins query to run it. You will be presented with a graph that shows that there are 3 members in the Domain Admins group.

Note: Hit CTRL to show/hide node labels.
You can click on any node to view all the information regarding that node under the Node info tab on the left menu. The SID of each member is listed under Node Properties, as highlighted below.

The SID of ELISE_GUZMAN is S-1-5-21-1693200156-3137632808-1858025440-1745. Similarly, you can view the SID of the other members.
Find all Kerberoastable accounts.
Step 6: On the Analysis tab, click on the List all Kerberoastable accounts query to run it. This will show all the users that are Kerberoastable. Click on any user node to view more information regarding that user.

You can find the associated Service Principal Name (SPN) under Node Properties, as shown below.

Find AS-REP Roastable users.
Step 7: On the Analysis tab, click on the Find AS-REP Roastable Users (DontReqPreAuth) query to run it. This will show all the users that are AS-REP roastable.

Note that for a user that is AS-REP roastable, the AS-REP Roastable parameter under Node Properties of that user will be set to True.
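The zip produced in Step 2 can also be triaged without the GUI, which is handy for producing a remediation list of the accounts surfaced in Steps 5 to 7. The following is an added example, not part of the lab or of BloodHound; it packs a constructed users/groups JSON into an in-memory zip in the layout SharpHound is assumed to use (field names such as hasspn, dontreqpreauth, Members and ObjectType are assumptions), then reports Domain Admins with their SIDs, Kerberoastable users and AS-REP roastable users. Only the ELISE_GUZMAN SID comes from the lab; every other account is made up.

```python
import io
import json
import zipfile

# Constructed sample in the shape of SharpHound's *_users.json / *_groups.json
# (field names are assumed; all accounts except ELISE_GUZMAN's SID are made up).
DOMAIN_SID = "S-1-5-21-1693200156-3137632808-1858025440"
SAMPLE_USERS = {"meta": {"type": "users", "count": 3}, "data": [
    {"ObjectIdentifier": DOMAIN_SID + "-1745", "Properties": {
        "name": "ELISE_GUZMAN@RESEARCH.SECURITY.LOCAL", "hasspn": False, "dontreqpreauth": False}},
    {"ObjectIdentifier": DOMAIN_SID + "-2001", "Properties": {
        "name": "SVC_SQL@RESEARCH.SECURITY.LOCAL", "hasspn": True, "dontreqpreauth": False}},
    {"ObjectIdentifier": DOMAIN_SID + "-2002", "Properties": {
        "name": "LEGACY_APP@RESEARCH.SECURITY.LOCAL", "hasspn": False, "dontreqpreauth": True}},
]}
SAMPLE_GROUPS = {"meta": {"type": "groups", "count": 1}, "data": [
    {"ObjectIdentifier": DOMAIN_SID + "-512",  # Domain Admins: well-known RID 512
     "Properties": {"name": "DOMAIN ADMINS@RESEARCH.SECURITY.LOCAL"},
     "Members": [{"ObjectIdentifier": DOMAIN_SID + "-1745", "ObjectType": "User"}]},
]}

def build_sample_zip() -> bytes:
    """Pack the sample JSON into an in-memory zip, like the file SharpHound writes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("20240101000000_users.json", json.dumps(SAMPLE_USERS))
        zf.writestr("20240101000000_groups.json", json.dumps(SAMPLE_GROUPS))
    return buf.getvalue()

def load_collection(zip_bytes: bytes) -> dict:
    """Return each JSON file's 'data' array keyed by its 'meta.type' (users, groups, ...)."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".json"):
                doc = json.loads(zf.read(name))
                out[doc["meta"]["type"]] = doc["data"]
    return out

def triage(coll: dict) -> dict:
    """Answer the lab's first three questions directly from the collector output."""
    name_of = {u["ObjectIdentifier"]: u["Properties"]["name"] for u in coll["users"]}
    props = [u["Properties"] for u in coll["users"]]
    da = next(g for g in coll["groups"] if g["ObjectIdentifier"].endswith("-512"))
    return {
        "domain_admins": {name_of[m["ObjectIdentifier"]]: m["ObjectIdentifier"]
                          for m in da["Members"] if m["ObjectType"] == "User"},
        "kerberoastable": [p["name"] for p in props if p.get("hasspn")],
        "asrep_roastable": [p["name"] for p in props if p.get("dontreqpreauth")],
    }
```

To run it against a real collection, pass the bytes of the SharpHound zip to load_collection instead of build_sample_zip(); nested group membership is not unrolled here, so the Domain Admins list covers direct user members only.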

Can ROXANNE_SULLIVAN perform a DCSync attack on the current domain?
DCSync is an attack technique that allows an attacker to simulate the behaviour of a domain controller and extract password data through domain replication. The primary purpose of this attack is often to obtain the KRBTGT hash, which can be a prelude for launching a Golden Ticket attack. It is implemented as a command in tools like Mimikatz, leveraging the Directory Replication Service Remote Protocol (MS-DRSR) to mimic a domain controller's behavior and request replication from other domain controllers.
Step 8: Let's list all the principals that hold DCSync rights. For this, click on the Find Principals with DCSync Rights query to run it. Choose the current domain, i.e., research.SECURITY.local.

You will be presented with the following graph.

You can zoom in or out as needed. We can see that ROXANNE_SULLIVAN does have DCSync rights on the current domain, which she could use to perform a DCSync attack. You can right-click on the edge and click on Help to view more information, as shown below.


You can also find details regarding the abuse and other references here.

Which Kerberoastable user is a member of a high valued group - “Account Operators”?
Step 9: For this, simply run the Find Kerberoastable Members of High Value Groups query from the Analysis tab.

We can see from the graph that TESSA_HAHN is a Kerberoastable user who is a member of the Account Operators group.
Find the members of the “Backup Operators” group.
Step 10: For this, search for the “Backup Operators” group from the search bar. Once you have it on the graph, click on the node.

Next, navigate to the Group Members section under the Node info tab.

You will find three types of group members:
Direct Members: The number of principals that have been directly added to this group.
Unrolled Members: The actual number of users that effectively belong to this group, no matter how many layers of nested group membership that goes.
Foreign Members: The number of users from other domains that belong to this group.
Source: https://bloodhound.readthedocs.io/en/latest/data-analysis/nodes.html#group-members
You can click on each of them to see the corresponding members. In our case, there are only 3 direct members of the “Backup Operators” group, as shown below.

Find the group membership of a user named “CHADWICK_YORK”.
Step 11: Search for “CHADWICK_YORK” and once you have the user node on the graph, click on it. Scroll down to the Group Membership section under the Node Info tab.

We have three types of group memberships:
First Degree Group Memberships: AD security groups the user is directly added to.
Unrolled Group Membership: Groups can be added to groups, and those group nestings can grant admin rights, control of AD objects, and other privileges to many more users than intended. These are the groups that this user effectively belongs to, because the groups the user explicitly belongs to have been added to those groups.
Foreign Group Membership: Groups in other Active Directory domains this user belongs to.
Source: https://bloodhound.readthedocs.io/en/latest/data-analysis/nodes.html#group-membership
Viewing the First Degree Group Memberships of “CHADWICK_YORK”:

Viewing the Unrolled Group Membership of “CHADWICK_YORK”:

To what OU is the “NewCompPolicy2” GPO linked to?
Step 12: For this, type GPO: in the search bar to view the available GPO's and then select “NewCompPolicy2” from it, as shown below.

Once you have it on the graph, click on it and then navigate to the Affected Objects section under Node Info.

Now, click on Directly Affected OUs. From the graph, it is clear that the “NewCompPolicy2” GPO is linked to the OU AZR.

An OU can contain other OUs, which may also be affected by the GPO. Click on Affected OUs to view them as well.

You can also click on an OU for more information regarding it. Let's click on the AZR OU and then click on See OU Within Domain Tree, as shown below, to understand the hierarchical structure, if any. It can be seen that the AZR OU is under another OU named STAGE.

Find the shortest path to Domain Admins from a Kerberoastable user “BEATRIZ_MATHEWS”.
Step 13: There can be multiple ways to do this. Let's look at the first method. Click on the Pathfinding icon on the left menu. Type and select “BEATRIZ_MATHEWS” as the start node and then type and select Domain Admins as the target node. Run it.

The graph above shows the path that could be exploited by "BEATRIZ_MATHEWS" to reach the Domain Admins group. You can always click on Change Layout Type option on the right to view the graph differently.
Another method is to first search for the “BEATRIZ_MATHEWS” user. Now, let's say you have compromised the “BEATRIZ_MATHEWS” user account. You can mark this user as compromised or owned by right clicking on the node and selecting Mark User as Owned.

A little skull icon will appear on the node indicating that you have control over this object. After that, you can go to Analysis tab and run the Shortest Paths to Domain Admins from Owned Principals query.

This will again show you the same graph as before.
Find all the reachable high value targets from the “CR-NOWAYIAMT-DISTLIST1” group.
Step 14: For this, search for the “CR-NOWAYIAMT-DISTLIST1” group and then click on the node. Now, simply click on Reachable High Value Targets in the Overview section under Node info.


The graph above shows the path to all the reachable high value targets from the “CR-NOWAYIAMT-DISTLIST1” group.
List the outbound object control for “HELENE_CARPENTER”.
Step 15: Search for “HELENE_CARPENTER” and then click on the user node. On the Node info tab, scroll down to the Outbound Object Control section.

We have three types of outbound object control:
First Degree Object Control: The number of objects in AD where this user is listed as the IdentityReference on an abusable ACE. In other words, the number of objects in Active Directory that this user can take control of, without relying on security group delegation.
Group Delegated Object Control: The number of objects in AD where this user has control via security group delegation, regardless of how deep those group nestings may go.
Transitive Object Control: The number of objects this user can gain control of by performing ACL-only based attacks in Active Directory. In other words, the maximum number of objects the user can gain control of without needing to pivot to any other system in the network, just by manipulating objects in the directory.
Source: https://bloodhound.readthedocs.io/en/latest/data-analysis/nodes.html#outbound-object-control
Viewing the First Degree Object Control for “HELENE_CARPENTER”:

Viewing the Group Delegated Object Control for “HELENE_CARPENTER”:

You can also view the Transitive Object Control for “HELENE_CARPENTER”. Note that the graph will become very crowded due to the large number of mappings.
Conclusion
In this lab, we explored the capabilities of BloodHound in enumerating the Active Directory Environment by solving the given questions.