Active Directory Houndsquad
The good, the blood and the plumhound.
BloodHound AD is a tool used to map and analyze relationships within a computer network that uses Microsoft Active Directory (AD). It can be used both for penetration testing / Offensive security, or also for blue teamers to audit their own schema of object permissions in a given domain. I’ve never seen anyone using it for other purpose other than pentesting, though, which is kind of interesting… 🤔 If I was ever a Domain Admin I’d use it every now and then.
This post assumes you know what Bloodhound is. It is not a “How to install bloodhound” one (Infosec space is already flooded with thousands of them). It’s not about Bloodhound itself either (I might write a post about BH and less-known functionalities one day). Instead, this post serves as a quick compendium of utilities and useful references. In fact, I’ve used this post to support me a little bit in some engagements I’ve made.
Here we’ll use some functionality in Sharphound, and establish a common ground for using it. At the end, we explore briefly some additional tools:
- Plumhound
- Goodhound
If you’re new to Bloodhound/Sharphound, take a look here:
or here, John Hammond showcasing the setup and exploration in Bloodhound:
or here, SANS’ comprehensive intro to Bloodhound:
If you’re absolutely new to this and in need of a playground:
- Check out this Tryhackme free room for AD: https://tryhackme.com/room/postexploit
or
- Populate your lab AD with random objects with BadBlood, quick and easy: https://github.com/davidprowe/BadBlood
About Bloodhound
SharpHound is the data collection tool used by BloodHound, a powerful graph-based tool used in Microsoft’s Active Directory (AD) environments. It is used for analyzing security risks and attack paths between AD objects. SharpHound, written in C#, basically gathers the data that BloodHound visualizes (So they are 2 different pieces of Software). It collects data about AD objects (users, computers, groups, etc.) and their relationships, and packages this data into a format that BloodHound can ingest. Without Bloodhound, we would take A LONG time to discover the risks or misconfigurations we usually see with it.
BloodHound was first introduced in 2016 by security researchers Rohan Vazarkar, Will Schroeder, and Andy Robbins. It was developed to help understand complex AD environments, identify security risks, and uncover hidden attack paths that could be exploited by attackers (Shadow admins, unintended privileges, and other risky misconfigurations). The tool uses graph theory to reveal the hidden and often unintended relationships within an AD environment.
Of course, Bloodhound is a breed of dog that has an excellent sense of smell and tracking abilities. Very fitting.
Another interesting fact is that the creators of BloodHound initially faced some skepticism and criticism from the security community when they first introduced the tool, as some people were concerned that it could be used maliciously by attackers. It did. However, the creators argued that the tool could also be a valuable resource for defenders, helping them to identify and remediate security risks in their AD environments. Over time, BloodHound has indeed proven to be a valuable tool for both offensive and defensive security operations.
I’ve seen Bloodhound more in “Offensive” related content, courses, etc. Than in the Blue Team side of cybersecurity, which I have found very interesting over the years.
Sharphound
Option 1: You’re engaging from a Windows machine:
- Sharphound.ps1 - PowerShell script for running Sharphound. However, the latest release of Sharphound has stopped releasing the Powershell script version. This version is good to use with RATs since the script can be loaded directly into memory, evading on-disk AV scans.
- Sharphound.exe - A Windows executable version for running Sharphound.
- AzureHound.ps1 - PowerShell script for running Sharphound for Azure (Microsoft Cloud Computing Services) instances. Bloodhound can ingest data enumerated from Azure to find attack paths related to the configuration of Azure Identity and Access Management.
To download a pre-compiled version of Sharphound, as well as the PS version: https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors
Option2: You’re engaging from a Linux machine:
- Check out bloodhound.py, created by Dirk-jan Mollema: https://bloodhound.readthedocs.io/en/latest/data-collection/bloodhound-py.html
- Check out also bloodhound.py’s limitations, as it does not support some sharphound commands (Looping, GPO-related checks, etc.).
Resources
GREAT Tips for filtering, querying, and general analysis in Bloodhound:
Part 3. Windows security: reconnaissance of Active Directory environment with BloodHound. - research.securitum.com
Official Documentation for Sharphound Usage:
All SharpHound Flags, Explained - BloodHound 3.0.3 documentation
SharpHound - BloodHound 3.0.3 documentation
Using Runas.exe
Running SH from a non-joined computer (Not encouraged by Bloodhound’s devs, but I’ve never had an issue):
runas.exe /netonly /user:contoso.com\username powershell.exe
# And then execute Bloodhound in a domain-joined PS session
# Or simply:
runas.exe /netonly /user:contoso.com\username .\sharphound.exe <ARGS>General usage
There seems to be an 80/20 ratio of 20% of the functionalities being used for 80% of the times, so we can just:
# Explore the AD with a single sweep:
Sharphound.exe --CollectionMethods All --Domain contoso.com-ExcludeDCsif Necessary to avoid some detection mechanisms: Excludes requests to the DC
And then, having some initial data to work with, we can continually grab the sessions made on the computers, servers and by whom.
Sharphound.exe --CollectionMethods Session --Domain contoso.com --Loop --LoopDuration 12:30:12Notes about “Session” methods:
The rationale is that collecting session data over a period of time (For example, from 9 am to 9 pm or something, in a productive day), will show relationships that would have been less likely to catch in a single sweep ("–CollectionMethods All"):
Since the general structure of an AD is relatively static, but sessions are always changing (We see in Bloodhound an Admin connecting to a Workstation, which may log out in seconds and make sharphound data unreliable, it is recommended to run —CollectionMethods All sometimes, and —collectionMethods session very often. The first one will take all the infrastructure information (Groups, OU, Users, Domain) and sessions (Who’s where), and the latter will update the sessions only, which will be changed very often so requires updating.
Last time I checked, the maximum Loop session time was 23:59:00 - Anything larger than that throws C errors.
More Resources on Bloodhound
Edges - BloodHound 3.0.3 documentation
Bloodhound 2.2 - How to Setup and Use it
PlumHound
BloodHoundAD Report Engine for Security Teams - A little bit old and unsupported now, but it is very good at having a clear and easy look to the data gathered by Sharphound.
GitHub - PlumHound/PlumHound: Bloodhound for Blue and Purple Teams
Requirements:
- Neo4j running + Bloodhound already loaded with the graphs
- It only runs on Python3.8, so I use Docker to run Plumhound, with Bloodhound/Neo4j running in my host. Like this:
docker run -it --network="host" --rm python:3.8 /bin/bashgit clone https://github.com/PlumHound/PlumHound.git && \
cd PlumHound && pip3 install -r requirements.txt
# Or Python3 -m pip install -r requirements.txt./PlumHound.py -x tasks/default.tasks -s "bolt://127.0.0.1:7687" \
-u "neo4j" -p "neo4j" -v 0 --HTMLCSS template/html.css
# Default Bolt port. DO NOT CHANGEUPDATE: The project seems active again as of 2023, and it seems to support Python3.10 now.
BloodHound + PlumHound = ❤ -> https://cesidt.medium.com/bloodhound-plumhound-bbd5f8a60f00
GoodHound
GoodHound is a tool that works with BloodHound data to produce an actionable list of attack paths for targeted remediation. It’s a quick look at Bloodhound, and designed to help security teams prioritize their remediation efforts by identifying the most critical attack paths in an Active Directory environment.
“produce an actionable list of attack paths for targeted remediation”
Install: https://github.com/idnahacks/GoodHound.git
Intro to Goodhound: GoodHound v1.1.2 releases: produce an actionable list of attack paths for targeted remediation