Domain Enumeration, Red Teaming

Active Directory Enumeration: BloodHound

In the article, we will focus on the Active Directory Enumeration tool called BloodHound. It takes the data from any device on the network and then proceeds to plot the graph that can help the attacker to strategize their way to the Domain Admins.

Table of Content

  • Introduction
  • Linux Installation
  • Extracting Data from Domain
  • Enumerating with BloodHound
  • BloodHound on Windows
  • Extracting Data from Domain
  • Windows Installation
  • Enumerating with BloodHound
  • SharpHound on PowerShell
  • SharpHound on PowerShell Empire
  • Conclusion

Introduction

BloodHound is programmed to generate graphs that reveal the hidden and relationships within an Active Directory Network. It also supports Azure. BloodHound enables the Attackers to identify complex attack paths that would otherwise be not possible to identify. The Blue Team can use BloodHound to identify and fix those same attack patterns.

Linux Installation

Multiple guides and methods can help you set up and install BloodHound on your host machine. We’ll follow the official documentation from BloodHound’s GitHub while refining the process. As always, before you install any tool on your Linux machine, make sure to update and upgrade your software packages. Also, if Java isn’t already installed, install it to proceed. However, we won’t install Java here since Kali Linux already includes it. BloodHound’s configuration involves three steps. BloodHound consists of a GUI, a data scrapper, and the Neo4j database. So, we must configure each of them individually. We’ll begin with the BloodHound GUI, which you can install directly using the apt command.

apt install bloodhound

Next, you need to configure the Neo4j service, which stores the data displayed graphically. When you ran apt install bloodhound, it also installed Neo4j. If that didn’t happen in your case, install it using:

apt install neo4j

Setting Up Neo4j Remote Access

Now configure authentication and other settings on Neo4j. To do that, run the Neo4j console, which hosts the remote interface accessible through a web browser. By default, Neo4j runs on port 7474:

neo4j console

When you enter the displayed URL in a web browser, the Neo4j remote interface will appear. Some fields already contain default values, while others remain blank. Enter a username—let’s say neo4j—and a password. After entering the details, you’ll connect to the Neo4j database.

Before connecting, the system asks you to change the password because it’s your first login. Enter any password of your choice and then connect to the Neo4j Remote Interface.  

Running BloodHound GUI

Now that Neo4j runs correctly, you can start the BloodHound GUI. To launch it, type bloodhound in your terminal and press Enter. Alternatively, open the BloodHound application from Kali Linux’s application menu.

As soon as the BloodHound GUI kicks in, it asks for a set of credentials that we just set up in the neo4j configuration. Use the same set of credentials and you will be able to login into this interface. You can save your credentials so that you don’t need to log in each time you want to use bloodhound.

Once you log in, BloodHound opens a blank screen with action buttons on the right and a search box with modules on the left. This screen marks the completion of GUI setup. As we explained earlier, BloodHound displays domain data through interactive graphs. To generate these graphs, it needs domain data collected by a scrapper—which we now need to install.

Installing BloodHound Python Data Collector

To install this data Ingestor which is so unusually named bloodhound. This can lead to some confusion but to make it clear once again. We installed BloodHound GUI in previous steps that plot graphs based on the data. Now we are installing a bloodhound that will extract the data from the Domain. As it is made in Python, we can use pip3 to install bloodhound as shown in the image below.

pip3 install bloodhound

Extracting Data from Domain

We will run the Python BloodHound that we just installed using pip3 and extract the data from the Domain. It is a good time to mention that here the Domain setup is in such a way that we have connected the Domain Controller, Clients, and our Attacker Machine essentially in the same network. To get data from the Domain, any user can be used. We will use the Administrator account to extract maximum data for this enumeration.

In a realistic scenario, you will end up with a normal user and then you will run BloodHound and use the data enumerated to get to the Administrator. We need to provide the following parameters to extract data from the Domain: username, password, Name Server (IP Address of Domain Controller), Domain, and data we want to extract (we are using “All” to extract maximum data from the Domain). The data extracted will be in the form of .json files that BloodHound will create based on the queries that run across the Domain in search of possible paths and permissions of various groups and users.

bloodhound-python -u administrator -p Ignite@987 -ns 192.168.1.172 -d ignite.local -c All

Loading Extracted Data into BloodHound GUI

After you run bloodhound-python, you will have json files in your current directory. You can check them with the ls command. To analyze them in the BloodHound GUI, you need to drag and drop those json files onto the GUI. As it can be observed from the image below, we have the computers.json, domains.json, groups.json, users.json.

Now that you have uploaded all the json files, BloodHound GUI can start plotting the graphs. The way BloodHound works is that now that it is loaded with the data files from the domain, you can either enter queries to plot graphs or use the Pre-Built Queries. In this guide, we will use Pre-Built Queries.

Enumerating with BloodHound

Let’s begin our enumeration with the Pre-Built Analytics Queries. First of them that we use is the Find all Domain Admins. This Query will fetch all the Domain Admins it can find in its database and plot them on the graph as shown in the image below. Since our Domain has only one Domain Admin, it shows one node and then for 2 groups under that Domain Admin.

Finding Shortest Paths to Domain Admins

Next, the one that we use is pretty interesting. This one is called Find Shortest Paths to Domain Admins. This means that BloodHound will plot the Domain Admins and the users that it can find and then we will be able to deduce what kind of path we want to take to go on exploiting so that we can reach the Domain Admin with the least Resistance.

As we can see in the image below, there are 4 paths among which two (yellow nodes) are equidistant. Therefore, this means we can either use any one of them to get to the Domain Admins and we know that there is Generic Write permission that we can use to exploit to get to the Domain Admin. Hence, this is how in a particularly complicated and big Domain Environment, it can help the attacker to figure out their way into the mess and get that Domain Admin Access.

Finding AS-REP Roastable Users

Another Prebuilt Query that we will be using is the Find AS-REP Roastable Users (DontReqPreAuth) Query. AS-REP roasting is an offensive technique against Kerberos that allows password hashes to be retrieved for users that do not require pre-authentication. If the user has “Do not use Kerberos pre-authentication” enabled, then an attacker can recover a Kerberos AS-REP encrypted with the user’s RC4-HMAC’d password. The attacker can then attempt to crack this ticket offline.

Additionally, pre-authentication is the initial stage in Kerberos authentication. It is managed by the KDC Authentication server and is meant to prevent brute-force attacks.

From the image, we can see that the Japneet user is vulnerable to the AS-REP Roasting attack.

Learn More: AS-REP Roasting

Conclusion on AS-REP Roasting Enumeration

The conclusion that we came to according to our Enumeration with BloodHound is that the Japneet user is vulnerable to AS-REP Roasting. This claim can be verified by browsing the Active Directory Users and Computers and then further descending into the user Properties of the Japneet user. In the Japneet user Properties Window, there is an Account Tab. Inside the Account tab, we can see that the Japneet user does not require Kerberos preauthetication.

Enumerating for DCSync Attack

Another attack for which we can enumerate using the BloodHound is the DC Sync Attack. This attack allows an attacker to replicate Domain Controller (DC) behavior. Typically, the attacker impersonates a domain controller and requests other DC’s for user credential data via GetNCChanges. But compromised account should be a member of administrators, Domain Admin, or Enterprise Admin to retrieve account password hashes from the others domain controller.

From the BloodHound graph, we can see that Geet user is vulnerable to this attack.

Learn More: DCSync Attack

The conclusion that we came to according to our Enumeration with BloodHound is that Geet user is vulnerable to DCSync Attack. This claim can be verified by browsing the Active Directory Users and Computers and then further descending into the user Properties of the Geet user. In the Geet user Properties Window, there is a Member Of Tab. Inside the Member Of tab, we can see that the Geet user is a part of Domain Admins which makes that user vulnerable to DC Sync Attack.

Enumerating Kerberoastable Accounts

The next enumeration that we are going to perform using BloodHound is the Listing of all Kerberoastable Accounts. Kerberoasting is a technique that allows an attacker to steal the KRB_TGS ticket, which is encrypted with RC4, to brute force application services hash to extract its password. From the graph plotted by the BloodHound, it can be said that KRBTGT and SVC_SQLSERVICE are the two users that are vulnerable to this attack.

Learn More: Kerberoasting Attack

There are a lot of different custom queries and built-in queries that can be used to enumerate using BloodHound. Once you are done with the Enumeration and Analysis, you can clear the database of values and add new JSON files of different values by browsing the Database Info tab on BloodHound GUI and Clicking the Clear Database Button as demonstrated below.

BloodHound on Windows

It is possible to analyze and enumerate BloodHound directly from a Windows machine as well. This can be helpful in the Environments that restrict the deployment of Kali Linux and other attacker tools. The process remains more or less the same. We need to set up the Data Ingestor, BloodHound GUI, and neo4j database on Windows Machine as we did in Linux earlier. To begin, we will be installing the Data Ingestor for Windows that is named Sharphound. The difference between the Linux Investor and Windows Investor is that instead of crafting JSON files, the SharpHound creates a compressed file that includes CSV files. The data collection method remains the same.

SharpHound can be Downloaded for GitHub.     

Extracting Data from Domain

In the image presented below, it can be observed that when the attacker runs the SharpHound on the machine connected to Domain, it created a compressed file with the BloodHound name as highlighted.

sharphound.exe 
dir

Windows Installation

From the Linux setup, we remember that BloodHound requires the neo4j service. It can be downloaded for Windows and then run using a batch file that comes with the installation package. This service runs on port 7474 as well.

Download Neo4j Windows 
dir 
neo4j.bat console

We take the URL from the neo4j console and open it in our Web Browser. If we remember correctly, we require to configure the credentials at this stage which will also be used for the BloodHound as well.

After the configuration of the password, we try and log in for the first time in the neo4j service. This requires us to rest the password as shown in the screenshot below.

After resetting the password and connecting to the neo4j service that we configured on our Windows device, we can access the service from our Web browser. The panel tells us that we are connected successfully to the neo4j service.

Now that we have installed the SharpHound Ingestor and Neo4j service on our Windows device, we are now left with the process of installing the BloodHound GUI. This is quite simple as we have executable for the same. We use the Windows Command Prompt to run the GUI as shown in the image below.

Download BloodHound GUI Windows

dir 
BloodHound.exe

The BloodHound GUI gets executed and we have ourselves a Login panel as shown in the image below. We use the credentials that we set up in the Neo4j Configuration to login into BloodHound GUI.

Enumerating with BloodHound

From here onwards the process of analyzing and enumerating on BloodHound is the same as we discussed above. Using this set of instructions has made you able to run BloodHound on a Windows device.

SharpHound on PowerShell

As an extension to the BloodHound Enumeration process on Windows, we also want to demonstrate the process security professionals can follow when they want to use SharpHound on Windows through PowerShell. They can do this because we have the PowerShell scripts for the SharpHound Ingestor. After bypassing the script restriction on PowerShell, we import the modules from the SharpHound PowerShell script. It contains a cmdlet by the name of Invoke BloodHound. This can be used to collect data on the target machine. This is useful in the scenario where it is not possible to run an executable on the target machine. 

Download SharpHound PowerShell Script

powershell -ep bypass 
Import-Module .\SharpHound.ps1 
Invoke-BloodHound -CollectMethod All

SharpHound on PowerShell Empire

The SharpHound script that we used previously on PowerShell can be found inside the Kali Linux as well. It is located inside the PowerShell Empire. After successfully gaining the initial foothold on a device that is part of a Domain, the attacker can directly use the Empire to run SharpHound and extract the data from there as well. To do this we need to use the bloodhound module in the Empire’s Situational Awareness Modules. After execution, it tells the attacker the location at which the data csv files are located at.

usemodule situtationa_awareness/network/bloodhound 
execute

An attacker can use the download command on PowerShell Empire to transfer the CSV files to the host machine, i.e., Kali Linux. We can use multiple CSV files in the same way we used the JSON files earlier. This allows us to plot graphs and enumerate an Active Directory.

ls 
download group_memberships.csv 
download local_admins.csv 
download trusts.csv 
download user_sessions.csv

Conclusion

We created this guide to help security professionals, whether on the Red Team or Blue Team, deploy, configure, and use BloodHound for Active Directory enumeration. BloodHound is a powerful tool that helps understand the mechanics of an Active Directory network. Once you gather that information, you can use it to elevate privileges or exploit the network.

AuthorGeet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information SecurityContact here