Bloodhound (https://github.com/BloodHoundAD/BloodHound) provides an effective way to map Active Directory networks and analyse the collected information for potential attack paths. In this scenario, we look at a practical example of how the tool could be used to exploit trust relationships in a small domain environment.
To begin with, we run the BloodHound collector, SharpHound, on the CLIENT1 system under the ALICE user account. No special privileges are required to do this:
SharpHound collects two key pieces of information: Active Directory accounts and their group memberships, and which accounts are logged on to which systems.
The tool exports its output to a Zip file. This can then be imported into the BloodHound graphical interface:
From this diagram, we can see a fairly clear attack path. ALICE is a member of the SUPPORT group, which in turn is a member of ITSUPPORT. This gives us access to the CLIENT2 system. BOB, a member of the DOMAIN ADMINS group, is currently logged into this host.
To exploit this attack path, from the CLIENT1 system where we ran BloodHound, we can use PSExec to connect to the CLIENT2 system as the SYSTEM account. This works since ALICE is a member of the local administrators on CLIENT2:
We can then run Mimikatz on the host to export the Kerberos ticket for the BOB account:
With the ticket written to a file, we can then import it into the current session to assume the BOB account's identity:
Since BOB is a member of the “DOMAIN ADMINISTRATORS” group and as such has the “Replicate Directory Changes All” permission, we are then able to perform a DCSync to extract password hashes from the domain controller:
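From the defender's side, this last step leaves a recognisable trace: a DCSync request is logged on the domain controller as Security event 4662 whose Properties field lists the directory replication control-access-right GUIDs, requested by a subject that is not itself a domain controller. The following is an added example, not part of the original post, that applies that check to constructed sample records; it assumes Audit Directory Service Access is enabled on the DC and that the events have been flattened to one key=value line each by a log forwarder.

```python
import re

# Control-access rights that a DCSync request asks for on the domain object.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed sample: three 4662 records and one unrelated logon event, flattened
# to key=value lines as a SIEM forwarder might emit them.
SAMPLE_EVENTS = """\
EventID=4662 SubjectUserName=DC01$ SubjectDomainName=LAB ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=BOB SubjectDomainName=LAB ObjectType=domainDNS Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=ALICE SubjectDomainName=LAB ObjectType=user Properties={bf967a86-0de6-11d0-a285-00aa003049e2}
EventID=4624 SubjectUserName=BOB SubjectDomainName=LAB LogonType=3
"""

def parse_event(line):
    """Split a flattened record into a dict; Properties becomes the set of GUIDs it lists."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    fields["Properties"] = set(re.findall(r"\{([0-9a-f-]{36})\}", line.lower()))
    return fields

def is_dcsync_candidate(event, replication_accounts):
    """True for a 4662 whose subject requested replication rights but is not a known replicator."""
    if event.get("EventID") != "4662":
        return False
    if not event["Properties"] & set(REPLICATION_RIGHTS):
        return False
    subject = event.get("SubjectUserName", "")
    # DC machine accounts (trailing $) and allow-listed service accounts (e.g. a
    # directory sync service) replicate legitimately. The $ heuristic is a shortcut;
    # in production compare against the actual list of DC computer accounts.
    return not (subject.endswith("$") or subject.upper() in replication_accounts)

def find_dcsync_alerts(log_text, replication_accounts=frozenset()):
    """Return (subject, rights requested) for each suspicious replication request."""
    allow = {a.upper() for a in replication_accounts}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_dcsync_candidate(ev, allow):
            rights = sorted(REPLICATION_RIGHTS[g] for g in ev["Properties"] & set(REPLICATION_RIGHTS))
            alerts.append((ev["SubjectUserName"], rights))
    return alerts

if __name__ == "__main__":
    for who, rights in find_dcsync_alerts(SAMPLE_EVENTS):
        print(f"possible DCSync by {who}: {', '.join(rights)}")
```

Only the BOB record is flagged: the DC's own replication is expected, and ALICE's 4662 concerns an unrelated object and right.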