AD Attack Lab Part Three (An Introduction of BloodHound and PowerView)
In part three of the AD attack lab series, we will learn how to use BloodHound and PowerView to enumerate the domain once you gain a foothold on the network. If you haven’t gotten the lab environment setup yet, go to Part One and Part Two to get the AD lab setup.
PowerView
Head over to one of your Windows 10 clients. Download the PowerView at here. Once the “powerview.ps1” is downloaded, open a terminal, execute “powershell -ep bypass” to enter the PowerShell bypassing execution policy mode, which allows executing any script we want.
Note, I used the old version of the PowerView because some flags not work properly in the newer version of the PowerView.
Load the PowerView module into the current PowerShell session:
Now, let’s examine some basic flags and see how we can leverage them to enumerate the entire domain.
The “Get-NetDomain” will show the basic information about the domain which includes Forest name, Domain Controller, and the Domain Owner.
The “Get-NetDomainController” shows the properties of the Domain Controller, which includes its IP address, OS version, Host Name, and other properties.
The “Get-DomainPolicy” lists all the domain policies, from here, we can see some interesting property includes “SystemAccess”. You can see the minimal password length is only 7 which made the password cracking relevant easy.
We can also narrow down and look for each property individually.
The “Get-NetUser” command will list all the users on the domain with their properties. One interesting user we can find here is the “SQL Service” with its description field. The password is in the description field with plaintext.
We can use “select” to grab the specific property that we are interested in. The “select” is similar to “grep” in Linux.
The “Get-UserProperty” command can list all the user’s properties. We can use the “Properties” flag to show one property at a time.
Show all the workstations on the domain with their properties.
Show the Group names and Group members.
Find all the shares on the domain. We can see the “Documents” and “Share” folder we created early are presented here.
Show the domain policy and use “select” to narrow down the property we are interested in. We can see the “Disable Windows Defender” Policy we set early presented here.
You can find more useful commands for PowerView here.
BloodHound
BloodHound can be used for enumerating the entire domain. Based on the domain data, it can help you to determine what’s the shortest path to get the domain admin. It is a fantastic tool that aids you to see a bigger picture of the entire domain.
The BloodHound installation process is pretty straight forward.
Update your Kali APT repo:
Install the BloodHound via the “apt-get”:
Setup the Neo4j once the installation process finished:
Now run the BloodHound:
Now head over to one of your Windows 10 clients, download the “SharpHound Data Ingestor” here. Import the Powershell module then generate the zip file contains the data in the domain.
Move the zip file to the kali, and upload it to the BloodHound application.
We can see the data have already uploaded successfully.
Examine through the various queries, we see it can show us the shortest path to the domain admins, the shortest path to the high-value targets, the shortest path to the Kerberoastable Users, etc. I highly recommend you to check out all the queries listed here to get a feel of what they could do for you :)
In this post, we learned how to use PowerView and BloodHound to do some basic enumeration of the domain. In the following posts, I will continue to discuss other ways to enumerate and attack the AD environment. Thank you for reading :)