Sharphound/Bloodhound is an exceptional open-source tool that can identify attack paths within an AD environment by analyzing the relationships between objects.
NOTE:** Make sure to use multiple versions of SharpHound if not working!**
SharpHound in Action
PS C:\htb> .\SharpHound.exe --help
SharpHound 1.0.3
Copyright (C) 2022 SpecterOps
-c, --collectionmethods (Default: Default) Collection Methods: Container, Group, LocalGroup, GPOLocalGroup,
Session, LoggedOn, ObjectProps, ACL, ComputerOnly, Trusts, Default, RDP, DCOM, DCOnly
-d, --domain Specify domain to enumerate
-s, --searchforest (Default: false) Search all available domains in the forest
--stealth Stealth Collection (Prefer DCOnly whenever possible!)
-f Add an LDAP filter to the pregenerated filter.
--distinguishedname Base DistinguishedName to start the LDAP search at
--computerfile Path to file containing computer names to enumerate
\
PS C:\htb> .\SharpHound -c All --domain medtech.com --zipfilename MEDTECH.zip
2022-04-18T13:58:22.1163680-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-04-18T13:58:22.1163680-07:00|INFORMATION|Initializing SharpHound at 1:58 PM on 4/18/2022
2022-04-18T13:58:22.6788709-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-04-18T13:58:23.0851206-07:00|INFORMATION|Beginning LDAP search for INLANEFREIGHT.LOCAL
2022-04-18T13:58:53.9132950-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 67 MB RAM
2022-04-18T13:59:15.7882419-07:00|INFORMATION|Producer has finished, closing LDAP channel
2022-04-18T13:59:16.1788930-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2022-04-18T13:59:23.9288698-07:00|INFORMATION|Status: 3793 objects finished (+3793 63.21667)/s -- Using 112 MB RAM
2022-04-18T13:59:45.4132561-07:00|INFORMATION|Consumers finished, closing output channel
Closing writers
2022-04-18T13:59:45.4601086-07:00|INFORMATION|Output channel closed, waiting for output task to complete
2022-04-18T13:59:45.8663528-07:00|INFORMATION|Status: 3809 objects finished (+16 46.45122)/s -- Using 110 MB RAM
2022-04-18T13:59:45.8663528-07:00|INFORMATION|Enumeration finished in 00:01:22.7919186
2022-04-18T13:59:46.3663660-07:00|INFORMATION|SharpHound Enumeration Completed at 1:59 PM on 4/18/2022! Happy Graphing
Viewing Data
Start Bloodhound
$ sudo neo4j start
We can then type "bloodhound" in cmd and login with our credentials and click "Upload Data". Select the newly created .zip file.
$ bloodhound
NOTE: Keep in mind as we go through the engagement, we should be documenting every file that is transferred to and from hosts in the domain and where they were placed on disk. This is good practice if we have to deconflict our actions with the customer. Also, depending on the scope of the engagement, you want to ensure you cover your tracks and clean up anything you put in the environment at the conclusion of the engagement.
Enumerating Data
Marking Users
When we have a user we can search for them, right-click and mark as Owned.
