BohanSec

AD Attack Lab Part Three (An Introduction of BloodHound and PowerView)

In part three of the AD attack lab series, we will learn how to use BloodHound and PowerView to enumerate the domain once you have gained a foothold on the network. If you haven’t got the lab environment set up yet, go to Part One and Part Two to get the AD lab set up.

PowerView

Head over to one of your Windows 10 clients and download PowerView here. Once “powerview.ps1” is downloaded, open a terminal and execute “powershell -ep bypass” to start PowerShell with the execution policy bypassed, which lets us run any script we want.

Note, I used the old version of PowerView because some flags do not work properly in the newer version of PowerView.

powershell -ep bypass

Load the PowerView module into the current PowerShell session:

. .\PowerView.ps1

Now, let’s examine some basic flags and see how we can leverage them to enumerate the entire domain.

Get-NetDomain

“Get-NetDomain” shows basic information about the domain, including the forest name, the domain controller, and the domain owner.

Get-NetDomainController

“Get-NetDomainController” shows the properties of the Domain Controller, including its IP address, OS version, host name, and other attributes.

Get-DomainPolicy

“Get-DomainPolicy” lists all the domain policies. One interesting property here is “SystemAccess”: you can see the minimum password length is only 7, which makes password cracking relatively easy.

(Get-DomainPolicy)."SystemAccess"

We can also narrow down and look for each property individually.

Get-NetUser 

The “Get-NetUser” command lists all the users on the domain with their properties. One interesting user we find here is “SQL Service”: its description field contains the account’s password in plaintext.

Get-NetUser | select cn
Get-NetUser | select samaccountname
Get-NetUser | select description

We can use “select” (Select-Object) to pull out only the property we are interested in from each returned object, somewhat like using “grep” in Linux to keep only the output you care about.

Get-UserProperty
Get-UserProperty -Properties pwdlastset
Get-UserProperty -Properties badpwdcount

The “Get-UserProperty” command lists every property name available on user objects. With the “-Properties” flag we can show one property at a time across all users.

Get-NetComputer
Get-NetComputer -Fulldata | select operatingsystem

Show all the computers on the domain with their properties; the second command narrows the output to the operating system of each host.

Get-NetGroup -GroupName "Domain Admins"
Get-NetGroupMember -GroupName "Domain Admins"

Show the group and its members.
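The three findings above (a minimum password length of 7, a password sitting in a user’s description field, and the membership of “Domain Admins”) are exactly the things an administrator should be checking their own domain for. The script below is an added example, not code from the original post or from PowerView: it re-uses the old PowerView cmdlets already loaded in the session (Get-DomainPolicy, Get-NetUser, Get-NetGroupMember) to produce a short hygiene report. The acceptable minimum length (12), the credential-keyword pattern, and the expected Domain Admins baseline are constructed values for the lab; the property names samaccountname, description and MemberName are assumed to match the PowerView version shown above.

```powershell
# Added defender-side audit example (not part of the original post).
# Assumes the old PowerView.ps1 shown earlier has been dot-sourced into this
# session, so Get-DomainPolicy, Get-NetUser and Get-NetGroupMember are available.
# Thresholds and the expected-admins list are constructed for the lab domain.

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Password policy. The post found MinimumPasswordLength = 7; compare the
#    SystemAccess values against a floor we consider acceptable (assumed: 12).
$MinAcceptableLength = 12
$SystemAccess = (Get-DomainPolicy)."SystemAccess"
$MinLength = [int]$SystemAccess.MinimumPasswordLength
if ($MinLength -lt $MinAcceptableLength) {
    $Findings.Add("Weak policy: MinimumPasswordLength is $MinLength (expected >= $MinAcceptableLength)")
}
if ([int]$SystemAccess.PasswordComplexity -ne 1) {
    $Findings.Add("Weak policy: PasswordComplexity is disabled")
}

# 2. Description fields. Flag accounts whose description mentions a credential,
#    so the field can be cleared and the account's password rotated.
$CredPattern = 'passw(or)?d|pwd|credential'   # constructed pattern; -match is case-insensitive
Get-NetUser |
    Where-Object { $_.description -and ($_.description -match $CredPattern) } |
    ForEach-Object {
        $Findings.Add("Credential-like text in description of user $($_.samaccountname)")
    }

# 3. Privileged group membership. Compare Domain Admins against a known-good
#    baseline and report anything that is not on the list.
$ExpectedDomainAdmins = @('Administrator')   # constructed baseline for the lab
$ActualDomainAdmins = Get-NetGroupMember -GroupName "Domain Admins" |
    Select-Object -ExpandProperty MemberName
$Unexpected = $ActualDomainAdmins | Where-Object { $ExpectedDomainAdmins -notcontains $_ }
foreach ($Member in $Unexpected) {
    $Findings.Add("Unexpected Domain Admins member: $Member")
}

# Report: one line per finding, or a clean result.
if ($Findings.Count -eq 0) {
    Write-Output "No findings."
} else {
    $Findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it in the same “powershell -ep bypass” session after dot-sourcing PowerView.ps1. In the lab built in Part Two it should report the 7-character minimum and the “SQL Service” description; whether it flags any Domain Admins depends on which accounts you added to the group when you set the lab up, so adjust the baseline list to match.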

Invoke-ShareFinder

Find all the shares on the domain. We can see the “Documents” and “Share” folders we created earlier are listed here.

Get-NetGPO
Get-NetGPO | select displayname, whenchanged

List the Group Policy Objects on the domain and use “select” to narrow the output to the properties we are interested in. We can see the “Disable Windows Defender” policy we set earlier is present here.

You can find more useful commands for PowerView here.

BloodHound

BloodHound can be used to enumerate the entire domain. Based on the collected domain data, it can help you determine the shortest path to Domain Admin. It is a fantastic tool that helps you see the bigger picture of the whole domain.

The BloodHound installation process is pretty straightforward.

Update your Kali APT repo:

sudo apt-get update

Install BloodHound via “apt-get”:

sudo apt-get install bloodhound

Start Neo4j once the installation has finished:

sudo neo4j console

Now run BloodHound:

sudo bloodhound

Now head over to one of your Windows 10 clients and download the “SharpHound Data Ingestor” here. Import the PowerShell module, then generate the zip file containing the collected domain data.

. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain kudos.local -ZipFilename file.zip

Move the zip file to Kali and upload it to the BloodHound application.

We can see the data has been uploaded successfully.

Looking through the various pre-built queries, we see BloodHound can show us the shortest path to Domain Admins, the shortest path to high-value targets, the shortest path from Kerberoastable users, and so on. I highly recommend you check out all the queries listed here to get a feel for what they can do for you :)

In this post, we learned how to use PowerView and BloodHound to do some basic enumeration of the domain. In the following posts, I will continue to discuss other ways to enumerate and attack the AD environment. Thank you for reading :)