🐶Bloodhound

If SID is displayed it is a local account. BloodHound uses this representation of a principal when the domain identifier of the SID is from a local machine

Use Collection Loops to not miss information

• Bloodhound ingestor

bloodhound.py -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all --zip

can also use -dns-tcp

• If error try dnschef:

dnschef --fakeip 10.10.225.134	

bloodhound.py -u 'rsmith' -p 'IHateEric2' -d lab.trusted.vl -dc labdc.lab.trusted.vl -c all -ns 127.0.0.1

• Manual commands: Format for cypher:

(NODES)-[:RELATIONSHIP]->(NODES)

All computers in domain:

MATCH (m:Computer) RETURN m

All Users in domain:

MATCH (m:User) RETURN m

To get active sessions:

MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p

• If access to cmd or powershell:

SharpHound.exe -c All

--Loop --LoopDuration 00:10:00 to loop

• To get all users

cat 20240302180235_users.json | jq '.data[].Properties | .samaccountname + ":" + .description' -r

• If object-id of a group is above 1000 it is non default

• Bloodhound doesn't collect Info so check that with ldapsearch

• Raw query to enumerate users with SQLAdmin:

MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:SQLAdmin*1..]->(c:Computer) RETURN p2

• Raw query to enumerate users with CanPSRemote:

MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2

To check users who can RDP

MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2

Check for SQLAdmin User:

MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:SQLAdmin*1..]->(c:Computer) RETURN p2

If found:

Import-Module .\PowerUpSQL.ps1
Get-SQLInstanceDomain

Then use mssqlclient:

mssqlclient.py <domain>/<user>@<ip> -windows-auth