Thanks to visit codestin.com
Credit goes to www.scribd.com

Scribd
Upload
339 views41 pages

BloodHound Unleashed

The document summarizes the BloodHound tool which uses graph theory and Neo4j to map Active Directory permissions and attack paths. It describes BloodHound's components including the ingestor, backend database, and frontend application. It also provides an overview of BloodHound's history and updates, data collection methods, the Cypher query language, and examples of attacking different object types like groups, computers, and users.

Uploaded by

r.dd.m
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
339 views41 pages

BloodHound Unleashed

The document summarizes the BloodHound tool which uses graph theory and Neo4j to map Active Directory permissions and attack paths. It describes BloodHound's components including the ingestor, backend database, and frontend application. It also provides an overview of BloodHound's history and updates, data collection methods, the Cypher query language, and examples of attacking different object types like groups, computers, and users.

Uploaded by

r.dd.m
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 41

BloodHound Unleashed

Esteban Rodriguez

Frank Scarpella
Esteban Rodriguez

● Senior Security Consultant at TrustedSec


● Blogs at https://www.n00py.io
● Twitter: @n00py1
● Github: https://github.com/n00py
Frank Scarpella

Principal Security Consultant - SwAG

Twitter: @ninjastyle82

GitHub: github.com/ninjastyle82
What is BloodHound?

● Released in 2016 at DEF CON 24 by Veris Group’s ● Ingestor


ATD Team ○ Collects data from Active Directory and saves
○ @_wald0 - Andy Robbins JSON data
○ @CptJesus - Rohan Vazarkar
○ @harmj0y - Will Schroeder ● Backend database
○ Neo4j graph database - stores nodes and
● Uses Graph Theory relationship data
○ Vertices (Nodes) - Objects like Users, Groups, ○ Uses Cypher query language
Computers, etc
○ Edges (Relationships) - Relationships between objects ● Frontend application
○ Paths - Connecting Objects for Privilege Escalation ○ JavaScript/HTML application for drawing graphs,
importing data, and performing queries
A Brief History https://i1.wp.com/wald0.com/wp-content/uploads/2016/08/Screen-Shot-2016-08-29-at-6.31.37-PM.png

● All About derivative local admin


○ Who is Admin to What?
○ Who is Logged on Where?

https://wald0.com/?p=68
https://www.slideshare.net/AndyRobbins3/six-degrees-of-domain-a
dmin-bloodhound-at-def-con-24

https://www.sixdub.net/?p=591 (Broken Link)


https://sixdub.medium.com/derivative-local-admin-cdd09445aac8
BloodHound 1.3 - The ACL Attack Path Update

● Completely game changing


● Tons of new attack paths
● https://wald0.com/?p=112

https://i0.wp.com/wald0.com/wp-content/uploads/2017/05/TransitiveControllers.png
BloodHound 1.5 - The Container Update

● Added Objects/Edges for Containers and GPOs


● https://posts.specterops.io/bloodhound-1-5-the-container-update-fdf1ed2ad9da

https://miro.medium.com/max/720/0*OcD5QlwNIcp_wAru.png
Ingestors
● AD Explorer Snapshot
○ https://github.com/c3c/ADExplorerSnapshot.py
○ Pro: AD Explorer is a Microsoft Signed Binary
● SharpHound ○ Con: Only collects “DCOnly” information
○ https://github.com/BloodHoundAD/SharpHound ○ More network intensive
○ The gold standard, use it if you can
○ Supports session looping ● ldif2bloodhound
○ Cons: AV = big mad ○ https://github.com/SySS-Research/ldif2bloodhound
● BloodHound.py ○ Convert an LDIF file to JSON files ingestible by
○ https://github.com/fox-it/BloodHound.py BloodHound
○ Almost just as good ○ LDIF file created with ldapsearch
○ Sometimes has memory issues on large orgs ○ Equivalent to DCOnly
○ Python
● RustHound ● SilentHound
○ https://github.com/OPENCYBER-FR/RustHound ○ https://github.com/layer8secure/SilentHound
○ Pro: Single Executable, no dependencies ○ One LDAP query: (objectClass=*)
○ Con: Missing some core functionality, such as session
collection ● Ldapdomaindump to BloodHound
○ Updated ldapdomaindump converter (BH 4.0)
○ https://github.com/blurbdust/ldd2bh
Collection Methods

All - Collect all data except GPOLocalGroup

Default - Collects ACL, Container, Group, LocalGroups, ObjectProps, Sessions, Trusts,


SPNTargets (from source code, documentation conflicting)

DcOnly - Collects ACL, Container, Group, ObjectProps, Trusts, DCOnly, GPOLocalGroup (from
source code, documentation conflicting)

LoggedOn - Collects session information using privileged methods (needs admin!)


Collection Methods

https://github.com/SadProcessor/HandsOnBloodHound/blob/master/BH21/BH4_SharpHound_Cheat.pdf
BloodHound Interface
Cypher Query Breakdown

MATCH p=shortestPath((n

{owned:true})-[:MemberOf|AdminTo|AllExtendedRights|AddMember|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|ReadLAPSPasswor

d|Contains|ReadGMSAPassword*1..]->(m:Group {name:"DOMAIN [email protected]"})) WHERE NOT n=m RETURN p

MATCH searches for nodes and RETURN defines the data returned from the query. WHERE (NOT) is adding constraints to the query.

p, n, m – Variables p is the result of the shortestPath function, n,m are variables that represent nodes.

Group – Node label. in BloodHound think of this as the node type: Group, Computer, User, OU, etc.

[:TYPE*minHops..maxHops] – Relationship types can be defined inside of a relationship arrow (-->, <--, --).

{key:value} – Node properties.

Learn Cypher - Dog Whisper Handbook: https://ernw.de/download/BloodHoundWorkshop/ERNW_DogWhispererHandbook.pdf


Using the Cypher Console Example
Neo4j Bulk Mark Owned/High Value

Mark Owned:

MATCH (n {name:'<[email protected]>'}) SET n.owned=true;

Mark High Value:

MATCH (n {name:'<[email protected]>'}) SET n.highvalue=true;


Relationship Types / AD ACL Implications

• GenericAll/GenericWrite/Owns -> User - Change Password, Targeted Kerberoast, Shadow Credentials*

• GenericAll/Owns -> Computer - Read LAPS/GMSA Password, RBCD*, Shadow Credentials*

• AllExtendedRights -> Computer - Read LAPS/GMSA Password

• GenericWrite -> Computer - RBCD*, Shadow Credentials*

• GenericAll/GenericWrite -> Group - Add/Change Membership

• WriteDacl -> Any - Grant any of the above permissions

● Shadow Credentials requires Server 2016 Domain Functional Level and ADCS
● Resource Based Constrained Delegation Requires Server 2012 Functional Level
Relationship Types / AD ACL Implications

Attack Methods (Simplified)

https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/acl-abuse
Relationship Types /
AD ACL Implications

https://www.thehacker.recipes/ad/movement/dacl
Attacking Groups

● Add/Change Group Membership


○ Net.exe Commands
○ PowerView's Add-DomainGroupMember
○ https://github.com/FuzzySecurity/StandIn (C#)
○ Net (Samba) and/or pth-toolkit
○ Python Based Tools
■ https://www.n00py.io/2020/01/managing-active-directory-groups-from-linux/
■ https://github.com/PShlyundin/ldap_shell
■ https://github.com/CravateRouge/bloodyAD
■ https://github.com/aniqfakhrul/powerview.py
■ https://github.com/zblurx/acltoolkit
Attacking Groups

● Leverage BloodHound/Neo4j to find groups with admin to computers

MATCH p=(n:Group)-[:AdminTo*1..]->(m:Computer) WHERE NOT


n.admincount RETURN p

MATCH p=(n:Group)-[:AdminTo*1..]->(m:Computer) WHERE not


n.admincount RETURN DISTINCT n.name
Attacking Groups

MATCH p=(n:Group)-[:AdminTo*1..]->(m:Computer) WHERE not n.admincount RETURN


DISTINCT n.name, n.admincount, COUNT(m.name) ORDER BY COUNT(m.name) DESC
Attacking Computers

● Read LAPS Passwords ● Resource Based Constrained Delegation (RBCD)


○ https://github.com/n00py/LAPSDumper ○ Modify
○ crackmapexec smb <ip> -u user -p pass --laps msDS-AllowedToActOnBehalfOfOtherIdentity
○ https://github.com/swisskyrepo/SharpLAPS Attribute
● Shadow Credentials ○ PowerView’s Set-DomainObject / Rubeus
○ Modify msDS-KeyCredentialLink Attribute ○ https://github.com/FuzzySecurity/StandIn
○ https://github.com/eladshamir/Whisker ○ https://github.com/CravateRouge/bloodyAD
○ https://github.com/ShutdownRepo/pywhisker ○ https://github.com/PShlyundin/ldap_shell
○ Impacket rbcd.py
○ https://github.com/NinjaStyle82/rbcd_permissions
Attacking Users

● Force a Password Reset ● Targeted AS-REP Roast


○ Net.exe Commands ○ https://github.com/FuzzySecurity/StandIn
○ PowerView's Set-DomainUserPassword
○ Rubeus.exe asreproast
○ Set-ADAccountPassword
○ Rpcclient ○ https://github.com/PShlyundin/ldap_shell
○ Net (Samba) and/or pth-toolkit ○ https://github.com/CravateRouge/bloodyAD
○ https://github.com/PShlyundin/ldap_shell ○ Impacket GetNPUsers.py
○ https://github.com/CravateRouge/bloodyAD
○ Cleanup:
● Shadow Credentials
https://www.trustedsec.com/blog/manipulating-user-passwor ○ Modify msDS-KeyCredentialLink Attribute
ds-without-mimikatz/ ○ https://github.com/eladshamir/Whisker
● Targeted Kerberoast ○ https://github.com/ShutdownRepo/pywhisker
○ Powerview’s Set-DomainObject and Get-DomainSPNTicket ● Modify Logon Script
○ Rubeus.exe kerberoast
○ https://github.com/ShutdownRepo/targetedKerberoast ○ Powerview’s Set-DomainObject
● Read gMSA Passwords ○
○ https://github.com/micahvandeusen/gMSADumper
○ crackmapexec smb <ip> -u user -p pass --gmsa
○ https://github.com/rvazarkar/GMSAPasswordReader
Attacking GPOs

● Adding Scheduled Task


○ https://github.com/X-C3LL/GPOwned
○ https://github.com/Hackndo/pyGPOAbuse
○ PowerView’s New-GPOImmediateTask
○ https://github.com/FSecureLABS/SharpGPOAbuse
● Creating Local Users
○ https://github.com/FuzzySecurity/StandIn
○ Use Remote Server Administration Tools (RSAT)
○ Group Policy Management Editor
● Probably a bunch of other ways, lots of things you can configure via GPO
Attacking Domain

● If you have GenericAll, AllExtendedRights, or


DS-Replication-Get-Changes-All + DS-Replication-Get-Changes:
○ DCSync
■ Impacket secretsdump.py
■ Mimikatz lsadump::dcsync
● If you have Owns or WriteDACL:
○ PowerView's Add-DomainObjectAcl
○ https://github.com/n00py/DCSync
○ https://github.com/CravateRouge/bloodyAD
○ https://github.com/PShlyundin/ldap_shell
● If you have WriteOwner:
○ PowerView's Set-DomainObjectOwner
○ https://github.com/CravateRouge/bloodyAD
○ https://github.com/PShlyundin/ldap_shell
ADCS - Certipy
● Certipy is a tool for abusing/exploiting ADCS
● Supported BloodHound ingestible output since version 2.0
○ Uses GPO objects to represent certificates in “Old BloodHound” mode
○ Forked GUI uses new vertices to represent CAs and Certificate templates

https://research.ifcr.dk/certipy-2-0-bloodh
ound-new-escalations-shadow-credentials-
golden-certificates-and-more-34d1c26f0dc
6

https://research.ifcr.dk/certipy-4-0-esc9-es
c10-bloodhound-gui-new-authentication-a
nd-request-methods-and-more-7237d8806
https://miro.medium.com/max/720/1*3RCynhxvuArY-6X2xWEqQg.png
1f7
Using BloodHound - Tips and Tricks
● Mark every compromised computer or user “Owned”.
○ Possible to automatically assign this with CrackMapExec and Cobalt Strike
■ https://github.com/NinjaStyle82/cme2bh (deprecated)
■ cme smb <ip> -u <user> -p <password> -M bh_owned
■ https://github.com/waffl3ss/bloodpath
■ https://github.com/Coalfire-Research/Vampire
● Run queries from Owned to High Value.

MATCH p=shortestPath((g {owned:true})-[*1..]->(n


{highvalue:true})) WHERE g<>n return p

● Use built-in filters to narrow to specific relationship types.


○ For example: fill out the filter checkboxes, then run “Shortest Paths to Domain Admins from
Owned Principals”
● query, and copy pasta what’s inside the square brackets.
● Use allShortestPaths if you think ShortestPath is showing you a bad relationship/edge.
(Shortest path only shows one relationship type)
High Value: Principals With DCSync Rights
● Find Objects with DCSync (built-in queries)

MATCH p=()-[:DCSync|AllExtendedRights|GenericAll]->(:Domain
{name: "DOMAIN.LOCAL"}) RETURN p

MATCH (n1)-[:MemberOf|GetChanges*1..]->(u:Domain {name:


"DOMAIN.LOCAL"}) WITH n1,u MATCH
(n1)-[:MemberOf|GetChangesAll*1..]->(u) WITH n1,u MATCH p =
(n1)-[:MemberOf|GetChanges|GetChangesAll*1..]->(u) RETURN p

● Set them all as High Value

MATCH p=(n)-[:DCSync|AllExtendedRights|GenericAll]->(:Domain
{name: "DOMAIN.LOCAL"}) SET n.highvalue=True

MATCH (n1)-[:MemberOf|GetChanges*1..]->(u:Domain {name:


"DOMAIN.LOCAL"}) WITH n1,u MATCH
(n1)-[:MemberOf|GetChangesAll*1..]->(u) WITH n1,u MATCH p =
(n1)-[:MemberOf|GetChanges|GetChangesAll*1..]->(u)
SET n1.highvalue=True
Tip: Adding Admin Groups to High Value

● Groups not marked as “High Value” already, but have the Admin Count Flag

MATCH p = (g:Group {admincount: True}) WHERE NOT EXISTS(g.highvalue)


OR g.highvalue = False RETURN g

● Groups that do NOT have the Admin Count flag, but do allow local admin to computers

MATCH p=(n:Group)-[:AdminTo*1..]->(m:Computer) WHERE NOT n.admincount


RETURN p
High Value: Groups That Can Reset Passwords

● Groups that can change user passwords, sorted by the amount of users

MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN m

MATCH p=(m:Group)-[r:ForceChangePassword]->(n:User) RETURN DISTINCT


m.name, COUNT(m.name) ORDER BY COUNT(m.name) DESC
High Value: Unconstrained Delegation

● Find all computers that can perform unconstrained delegation but are not DCs.

MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS


WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH
(c2:Computer {unconstraineddelegation:true}) WHERE NOT c2.name IN
domainControllers RETURN c2

● Exploit with Rubeus.exe monitor (Windows)


● https://github.com/dirkjanm/krbrelayx (Python)

https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/
High Value: Azure AD Connect

● Synchronization service that keeps Active Directory and Office 365 in sync
● Under a default set-up, an account is created with DCSync permissions
○ MSOL_[HEX]
● This account plaintext password can be extracted from the AD Connect Server
○ https://blog.xpnsec.com/azuread-connect-for-redteam/
○ https://gist.github.com/xpn/f12b145dba16c2eebdd1c6829267b90c

● If you have access to Azure, you can find it under Azure Active Directory Connect Health -> Sync
Services -> Azure Active Directory Connect Servers
● MSOnline Powershell Module:
(Get-MsolCompanyInformation).DirSyncClientMachineName
High Value: Azure AD Connect

● Find Azure AD Connect servers and mark them as high value

MATCH (n:User) WHERE n.name STARTS WITH "MSOL" RETURN


split(n.description,' ')[15]

MATCH (u:User)WHERE u.name STARTS WITH "MSOL" WITH split(u.description, "


")[15] AS word UNWIND word AS w MATCH (c:Computer)WHERE c.name STARTS
WITH w RETURN c

● Note: This finds servers created with defaults, but there may be more, look for computers with
names like “azure”, “sync”, “AAD”, etc.
High Value: Cert Publishers

● Find all computers in the Cert Publishers group.

MATCH p=(n:Group)<-[:MemberOf*1..]-(m) WHERE n.name =~ "CERT


PUBLISHERS.*" RETURN p

● Pwn a CA -> Golden Certificate!


○ https://github.com/ly4k/Certipy#golden-certificates
○ https://pentestlab.blog/2021/11/15/golden-certificate

● SCCM Servers?
○ Provide “Updates” to High Value Targets
● https://github.com/Mayyhem/SharpSCCM

MATCH (n) WHERE n.name CONTAINS "SCCM" RETURN n UNION MATCH (n)
WHERE n.description CONTAINS "SCCM" RETURN n
Tip: Computers Admin to Other Computers

MATCH p =
(c1:Computer)-[r1:AdminTo]->(c2:Computer)
RETURN p UNION ALL MATCH p =
(c3:Computer)-[r2:MemberOf*1..]->(g:Group)-[
r3:AdminTo]->(c4:Computer) RETURN p

● Coerced authentication from one computer another


● SMB Signing must NOT be enforced

1. Printerbug/Coercer
2. Impacket Ntlmrleayx.py
3. Dump SAM/LSA

● Common to see on Exchange, SCCM, and SQL Servers


Tip: Outbound Object Control

● If all your owned users seem truly useless, try these queries to see if they can do
ANYTHING at all:

MATCH p = (g:User {owned: True})-[r]->(n) WHERE r.isacl=true RETURN p

MATCH p = (g1:User {owned:


True})-[r1:MemberOf*1..]->(g2:Group)-[r2]->(n) WHERE r2.isacl=true
RETURN p
Tip: LAPS non-enabled Computers for Lateral
Movement

If a computer has LAPS non-enabled, does it potentially share a password with a high-value
computer?

Do any high-value computers have LAPS non-enabled?

MATCH (c:Computer {haslaps:False}) WHERE c.highvalue=True RETURN c

Do any of our owned accounts have paths to computer nodes with LAPS non-enabled?

MATCH p=shortestpath((u
{owned:true})-[:MemberOf|AdminTo|Owns|AllExtendedRights|GenericAll|Gen
ericWrite|ReadLAPSPassword|AddKeyCredentialLink*1..]->(c:Computer
{haslaps:false})) RETURN p
Tip: Extending BloodHound

● There are some open source tools which can expand the data in available in BloodHound
● Max - https://github.com/knavesec/Max
○ Can set a list users/computers as owned or high value

● Add-spns
○ Adds the HasSPNConfigured relationship to objects
in the database
● Add-spw
○ Create SharesPasswordWith relationships
○ Visualizes local admin re-use

Note: Custom Edges will not show up on built-in queries

https://whynotsecurity.com/blog/max2/
Post-Ex: Shared Password Analysis

● Takes NTDS output and generates shared


password clusters
● Can be imported to BloodHound, creates new
edges (and thus new paths)
● Excellent at visualizing password sharing issues

https://github.com/SySS-Research/hashcathelper

https://github.com/SySS-Research/hashcathelper/blob/main/doc/bloodhound_clusters.png
Post-Ex: CrackHound MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWN0xl:,'.........',,:oOXWMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWN0dl:;,,,,;;;::::::;;;,''',:okKWMMMMMWWWNWWMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMNXWMMMMMMMMMMWXkl;,,;::ccccccccccccccccccc;.
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWNOl:dXMMMMMMMMW0o;',:cc;..':cccccccccccccccccc:.
.,collcccc:ccldOXWMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
..',;::::::;,,;o0WMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMNOl' .lNMMMMMMMMXo'';:ccc:. ':cccccccccccccccccc:'.',:cccc::ccccccc:,,oXMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMKc. .oNMMMMMMWXx;';:ccccc:,. ..';:cccccccc:ccccccccccc:;'...;cccccccc;':0MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMX: .oNMMMMWKxc'.':ccccccccc;. ..',,'..';:ccccccccc:, .;cccccccc:';OWMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMx. .cONMNKkl;. .:ccccccccccc;. .,::cccccccccc;. .;cccccccc:',kWMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMx. 'dkdc,. .:ccccccc:;,,,. .,cccccccccccccc' .,::cccccc:''dNMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMXo. .''. .';:cccccc:,. .;ccccccccccccc:,. ...':cccc:,'cxkk0NMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWKxdodk0Oc'';:cccccccc:,. .ox; .;ccccc:::c:;'... .....';;'....:ONMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM0;.;cccccccccc:,. 'kWMXo. .:ccccc:,.... .','......';xWMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWK:.;cccccccccc:' ;0WMMM0, ..''',,,;;;,'... 'lc. .,;:;''',,'... .oXMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMWKkl' .;:ccc:;;,,'. .oXMMMMWo .......,::::::;,'...dWWO, ':ccc;,,;;...''...;OWMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMNd. .,:c;',:. .:kXWMMMMMW0l;,,;;;.............,;.'kWW0; ':cc:'. .;:;,'......oNMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMNo. .....'''.;0WKx:. .:xKWMMMMMMMWWNNXd. .;o; .::.;KMMK: .,:ccc,. ';,.. .. ;KMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMNo. ':loodkXMMMMWXOo;. .:OWMMMMMMMMWk. .;d00kc. .,.:KMMXc.,:ccc:. .;:,,'. ';,..;0WMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMMMKc ,xXWMMMMMMMMMMMMMMNOl. '0MMMMMMMWk. ;ONMK: ,OMMNl.,:cccc, ..,;cc,..:c:,.,dKWMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMWO, .oXMMMMMMMMMMMMMMMMNo'. cXMMMMMMNx. .lXMMX: :0MMXl.,ccccc;. .;c:;;:cc::,''oNMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMKc. .xWMMMMMMMMMMMMMMMMKc. .lXMMMMMWKc. .,dNMMMNx;.',ckNMWK:.;ccccc:' .';:ccc:,... ;XMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMWo. .coxKMMMMMMMMMMMMMMk. 'xNMMMMMMX: ckONMMMMMWNNWWMWXd'.;cccccc;..;. ..';:,','. .dWMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMX: ...;0MMMMMMMMMMMMMW0doloxKWMMMMMMNo. .:KMMMMMMMWXkl'..;cccccc:'.oN0, ..';;,,',. .dWMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMWKc. .'.',.;0MMMMMMMMMMMMMMMMMMMMMMMMMMMXc ;0MMMMMXo,.',,;::::::;,.;KNk, ....,:;,;'....kMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMMMMMMMMMMMMMMMMMXl....'..'.,kWMMMMMMMMMMMMMMMMMMMMMMMMMMMXl.........'dWMMMM0:.',,,,,,,,,,'':OWXc..,,;;,;,,;,':O00NMMMMMMMMMMMMMMMMMMMMMMMMMM

● Allows you to add plaintext passwords to BloodHound, post-compromise


● Search out additional paths via weak passwords
○ What users with a cracked password are members of high value groups?
○ What users with weak passwords have VPN access?
○ What Kerberoastable users were cracked?
○ What users with a weak password have a path to Domain Admin?

https://www.trustedsec.com/blog/expanding-the-hound-introducing-plaintext-field-to-compromised-accounts/
https://github.com/trustedsec/CrackHound
A Slide For the Blue Team

Turning BloodHound Data into useful lists:

● Max: Domain Password Audit Tool


○ https://whynotsecurity.com/blog/max3/
○ Password audit enriched with BloodHound data
● PlumHound - BloodHound Report Engine
○ https://github.com/PlumHound/PlumHound
● Cypheroth
○ Spreadsheets!
○ https://github.com/seajaysec/cypheroth
● WatchDog
○ https://github.com/SadProcessor/WatchDog
○ https://insinuator.net/2019/10/blue-hands-on-bloodhound/
● PingCastle
○ https://www.pingcastle.com
Questions?

You might also like