Offensive AD HoundSquad: Blood, Sharp, Plum, Good
This post is not a "How to install bloodhound" one (Infosec space is already flooded with thousands of them). It's not about Bloodhound either (I might write a post about BH and less-known functionalities one day). This post assumes you already have installed Bloodhound, and know your way around. It serves as a quick compendium of utilities and useful references.
Here we'll use some functionality in Sharphound, and establish a common ground for using it. At the end, we explore briefly some additional tools:
If you're new to Bloodhound/Sharphound, take a look here: https://blog.netwrix.com/2023/01/20/bloodhound-active-directory-html/
or here, John Hammond showcasing the setup and exploration in Bloodhound: https://www.youtube.com/watch?v=yp8fw72oQvY
or here, SANS' comprehensive intro to Bloodhound: https://www.sans.org/blog/bloodhound-sniffing-out-path-through-windows-domains/
If you're absolutely new to this and in need of a playground:
Check out this Tryhackme free room for AD: https://tryhackme.com/room/postexploit,
Populate your lab AD with random objects with BadBlood, quick and easy: https://github.com/davidprowe/BadBlood
SharpHound is the data collection tool used by BloodHound, a powerful graph-based tool used in Microsoft's Active Directory (AD) environments. It is used for analyzing security risks and attack paths between AD objects. SharpHound, written in C#, is basically gathers the data that BloodHound visualizes (So they are 2 different pieces of Software). It collects data about AD objects (users, computers, groups, etc.) and their relationships, and packages this data into a format that BloodHound can ingest. Without Bloodhound, we would take A LONG time to discover the risks or misconfigurations we usually see with it.
BloodHound was first introduced in 2016 by security researchers Rohan Vazarkar, Will Schroeder, and Andy Robbins. It was developed to help understand complex AD environments, identify security risks, and uncover hidden attack paths that could be exploited by attackers (Shadow admins, unintended privileges, and other risky misconfigurations). The tool uses graph theory to reveal the hidden and often unintended relationships within an AD environment.
Of course, Bloodhound is a breed of dog that has an excellent sense of smell and tracking abilities. Very fitting.
Another interesting fact is that the creators of BloodHound initially faced some skepticism and criticism from the security community when they first introduced the tool, as some people were concerned that it could be used maliciously by attackers. However, the creators argued that the tool could also be a valuable resource for defenders, helping them to identify and remediate security risks in their AD environments. Over time, BloodHound has indeed proven to be a valuable tool for both offensive and defensive security operations.
I've seen Bloodhound more in "Offensive" related content, courses, etc. Than in the Blue Team side of cybersecurity, which I have found very interesting over the years.
Option 1: You're engaging from a Windows machine:
Sharphound.ps1 - PowerShell script for running Sharphound. However, the latest release of Sharphound has stopped releasing the Powershell script version. This version is good to use with RATs since the script can be loaded directly into memory, evading on-disk AV scans.
Sharphound.exe - A Windows executable version for running Sharphound.
AzureHound.ps1 - PowerShell script for running Sharphound for Azure (Microsoft Cloud Computing Services) instances. Bloodhound can ingest data enumerated from Azure to find attack paths related to the configuration of Azure Identity and Access Management.
To download a pre-compiled version of Sharphound, as well as the PS version: https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors
Option2: You're engaging from a Linux machine:
Check out bloodhound.py, created by Dirk-jan Mollema: https://bloodhound.readthedocs.io/en/latest/data-collection/bloodhound-py.html
Check out also bloodhound.py's limitations, as it does not support some sharphound commands (Looping, GPO-related checks, etc.).
GREAT Tips for filtering, querying, and general analysis in Bloodhound:
Official Documentation for Sharphound Usage:
Running SH from a non-joined computer (Not encouraged by Bloodhound's devs, but I've never had an issue):
runas.exe /netonly /user:contoso.com\username powershell.exe
# And then execute Bloodhound in a domain-joined PS session
# Or simply:
runas.exe /netonly /user:contoso.com\username .\sharphound.exe <ARGS>
There seems to be an 80/20 ratio of 20% of the functionalities being used for 80% of the times, so we can just:
# Explore the AD with a single sweep:
Sharphound.exe --CollectionMethods All --Domain contoso.com
--ExcludeDCs if Necessary to avoid some detection mechanisms: Excludes requests to the DC
And then, having some initial data to work with, we can continually grab the sessions made on the computers, servers and by whom.
Sharphound.exe --CollectionMethods Session --Domain contoso.com --Loop --LoopDuration 12:30:12
Notes about "Session" methods:
The rationale is that collecting session data over a period of time (For example, from 9 am to 9 pm or something, in a productive day), will show relationships that would have been less likely to catch in a single sweep ("--CollectionMethods All"):
Since the general structure of an AD is relatively static, but sessions are always changing (We see in Bloodhound an Admin connecting to a Workstation, which may log out in seconds and make sharphound data unreliable, it is recommended to run —CollectionMethods All sometimes, and —collectionMethods session very often. The first one will take all the infrastructure information (Groups, OU, Users, Domain) and sessions (Who’s where), and the latter will update the sessions only, which will be changed very often so requires updating.
Last time I checked, the maximum Loop session time was 23:59:00 - Anything larger than that throws C errors.
More Resources on Bloodhound
BloodHoundAD Report Engine for Security Teams - A little bit old and unsupported now, but it is very good at having a clear and easy look to the data gathered by Sharphound.
Neo4j running + Bloodhound already loaded with the graphs
It only runs on Python3.8, so I use Docker to run Plumhound, with Bloodhound/Neo4j running in my host. Like this:
docker run -it --network="host" --rm python:3.8 /bin/bash
git clone https://github.com/PlumHound/PlumHound.git && \
cd PlumHound && pip3 install -r requirements.txt
# Or Python3 -m pip install -r requirements.txt
./PlumHound.py -x tasks/default.tasks -s "bolt://127.0.0.1:7687" \
-u "neo4j" -p "neo4j" -v 0 --HTMLCSS template/html.css
# Default Bolt port. DO NOT CHANGE
UPDATE: The project seems active again as of 2023, and it seems to support Python3.10 now.
BloodHound + PlumHound = ❤ -> https://cesidt.medium.com/bloodhound-plumhound-bbd5f8a60f00
GoodHound is a tool that works with BloodHound data to produce an actionable list of attack paths for targeted remediation. It's a quick look at Bloodhound, and designed to help security teams prioritize their remediation efforts by identifying the most critical attack paths in an Active Directory environment.
“produce an actionable list of attack paths for targeted remediation”