On your trail

This post is also available in Russian

My dad always says that there are two types of malfunction in any electronic device: a contact where there should be none, and no contact where there must be one. I think that summarizes pretty much all of cybersecurity, because it applies to privileges as well. Our goal, in general, is to make sure that people with the right privileges can access data and everyone else cannot.

Privilege management is not an easy task, although it may look straightforward at first. You start with a list of resources and a list of accounts, you match them and get some sort of access matrix. Then it grows, and grows, and changes, and in a couple of years no one remembers which privileges were given and why. Sad but true: no one documents anything. So it’s no surprise that a fired employee still has access to some resource, and the group for remote access is full of accounts nobody knows the origin of.


Active Directory is the standard for user management today. I don’t know any organization that doesn’t use it one way or another. And there is a point to it: since most workstations are Windows based, it’s easy to manage them with Active Directory tools. But popular things are the number one target for every hacker.

A long time ago I was conducting a penetration test for a relatively small company. Management was concerned about a malicious insider most of all, so our scenario was an inside job. So I was sitting at a regular workstation for several hours looking for something important to snatch and at some point grabbed the hashes of an administrative account (some scripts were running under an admin account for some reason, and mimikatz worked like a charm). By this time the network scan was complete and I realized that there were more than 100 workstations and servers with meaningless hostnames. Where to go next? In real life a malicious insider can spend months crawling the network looking to raise privileges. But a pentest takes days; how can I speed up the process? The derivative local admin concept won’t work for me, because you’re basically guessing here and it’s very time consuming. I found a way that time, I just got lucky =) But today we don’t need that much luck.

Du riechst so gut

John Lambert from the Microsoft Threat Intelligence Center once wrote in his blog that “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.”

Instead of guessing, a hacker might use a tool to build a graph of the relations between users, workstations, groups, servers and so on. This way he knows for sure where to go next. The most popular tool today is BloodHound; basically it runs all the typical enumeration tasks but serves the results as a neat graph.

Let’s start with a straightforward installation. First check that you have Java installed, and install it if you don’t:

java -version

BloodHound uses neo4j as its database, so download the free Community Edition from the official website https://neo4j.com/ and unzip it:

tar zxvf neo4j-community-3.4.7-unix.tar.gz

and start it (the neo4j script lives in the bin directory of the extracted archive):

./neo4j start

Now we must open its web interface to reset the default password. Choose a creative one, please =)

Next is BloodHound itself, which can be downloaded from https://github.com/BloodHoundAD/BloodHound/ . We’ll need the release for our operating system and an ingestor. The ingestor has to be run on a target system to collect the data. Once the data is collected, let’s start BloodHound.

Scooby-Doo, Where Are You!


The first thing we see is a summary:


It’s the first and foremost indicator that we have data to analyze. This data is from a test lab, not a real-life scenario. Most of the time you’ll see an insane number of users and computers, but not all of them are relevant.

BloodHound works with queries, so the first one to run is the one that finds the domain admins. They are our primary targets:


Great, we have the default account and two users who are members of the Domain Admins group: Slava and Admin. The next query will reveal the shortest path to domain admin.


So, every vertex here is a user, PC, group or domain; edges are relations like group membership, rights, sessions and domain trusts; and paths lead to privilege escalation. In the most basic scenario it will show you the shortest path to becoming a domain administrator. It won’t hack things for you, but it will give you an idea where to look.

Look, this Slava has a session on some server called mail-01.lab.local. And this is our big chance, because if we get his session token we can elevate our privileges even further. Of course we could put our effort into the Administrator account and dc-01.lab.local, but most of the time that is a waste of time. The Administrator account in most cases has a pretty decent password and is protected by other measures. The domain controller might have its own defenses. Slava and mail-01.lab.local, on the other hand, might be much easier targets, and we can save a great amount of time.

BloodHound is a great tool for red teams and pentesters, but it also has great advantages for blue teams. You can run it on a regular basis to check for the kind of security misconfigurations shown above: privileged sessions on ordinary servers and group memberships nobody can explain.
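To make the graph semantics above concrete, and to show the blue-team use from the last paragraph, here is an added example that is not from the post or from BloodHound itself: a small Python script that models a constructed lab graph in BloodHound’s edge vocabulary (MemberOf, AdminTo, HasSession) and runs the same shortest-path-to-Domain-Admins search, reporting every node that has a path to the group so a defender can review each one. Slava, Admin, mail-01 and lab.local mirror the post’s lab; the HELPDESK group and the users BOB and ALICE are assumptions made up for the example.

```python
from collections import deque

# Constructed lab graph in BloodHound's edge vocabulary: MemberOf (principal -> group),
# AdminTo (principal -> computer it administers), HasSession (computer -> logged-on user).
# SLAVA, ADMIN and MAIL-01 mirror the post's lab; HELPDESK, BOB and ALICE are invented.
EDGES = [
    ("SLAVA@LAB.LOCAL", "MemberOf", "DOMAIN ADMINS@LAB.LOCAL"),
    ("ADMIN@LAB.LOCAL", "MemberOf", "DOMAIN ADMINS@LAB.LOCAL"),
    ("MAIL-01.LAB.LOCAL", "HasSession", "SLAVA@LAB.LOCAL"),
    ("HELPDESK@LAB.LOCAL", "AdminTo", "MAIL-01.LAB.LOCAL"),
    ("BOB@LAB.LOCAL", "MemberOf", "HELPDESK@LAB.LOCAL"),
    ("ALICE@LAB.LOCAL", "MemberOf", "DOMAIN USERS@LAB.LOCAL"),
]
DOMAIN_ADMINS = "DOMAIN ADMINS@LAB.LOCAL"

def build_graph(edges):
    """Directed adjacency list: node -> [(relation, neighbour), ...]; sinks get an empty list."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph

def shortest_path(graph, start, target):
    """Breadth-first search; returns [node, rel, node, ..., target] or None if unreachable."""
    parent = {start: None}  # node -> (previous node, relation used to reach it)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt in parent:
                continue
            parent[nxt] = (node, rel)
            if nxt == target:  # walk the parent chain back to start and reverse it
                path = [nxt]
                while parent[path[-1]] is not None:
                    prev, used = parent[path[-1]]
                    path.extend([used, prev])
                return path[::-1]
            queue.append(nxt)
    return None

def audit_paths(edges, target=DOMAIN_ADMINS):
    """Defender's view: every node that can reach the target group -> (hop count, path)."""
    graph = build_graph(edges)
    findings = {}
    for node in graph:
        path = shortest_path(graph, node, target) if node != target else None
        if path:
            findings[node] = (len(path) // 2, path)
    return findings
```

Calling audit_paths(EDGES) reports BOB four hops away from Domain Admins (HELPDESK membership, local admin on mail-01, Slava’s session there, Slava’s group membership), while ALICE has no path at all.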
