This is the final part of the BloodHound series and the most important one for pen testers and red teamers.
Picking up from Part 2, where the collected results were imported into the database, it is time to make sense of them and achieve the objectives of the engagement.
The Database Info tab on the left shows basic information about the current database and the number of elements it contains.
The Queries tab lists the predefined queries BloodHound ships with. In many cases these are adequate to reach the goals of the engagement.
For example, to find the shortest paths to Domain Admins we click the appropriate query and, if the database holds more than one domain, select the domain to run it against.
Depending on the size of the domain the output can be quite messy and confusing.
To make sense of the results, let's take a small branch as an example:
LBRUNGARDT is an admin on the DATABASE2 workstation, and KCLARK has an active session on DATABASE2. This means we can log on to DATABASE2 as LBRUNGARDT, run mimikatz and obtain KCLARK's credentials. KCLARK is a member of the OFFICE2 group, which has administrative access to the DESKTOP31 workstation. So LBRUNGARDT is a derivative local admin of the DESKTOP31 workstation, through KCLARK's membership of OFFICE2.
Following such a path we can end up on a workstation where a domain admin is logged in and where we hold local administrative rights, and therefore extract the domain admin's credentials from memory.
Another scenario is to find all Domain Admins. Clicking on the “Find all Domain Admins” query shows the following graph. In this example BGRIFFIN is a member of the “INFORMATION TECHNOLOGY” group, and that group is a member of the “DOMAIN ADMINS” group, therefore BGRIFFIN is a domain admin.
If we queried the DC directly for the members of Domain Admins we would not see BGRIFFIN's name; we would find the group “INFORMATION TECHNOLOGY” and then have to enumerate that group as well to find its members. This process is called unrolling group memberships. In large domains with many nested groups this is a time-consuming task with a real risk of missing key information. BloodHound makes it easy, but it can also be done with PowerView and the -Recurse flag of Get-NetGroupMember.
In the example above TKINKHEAD is a member of the “CONTRACTINGH” group, which is a member of the “CONTRACTINGI” group, which is a member of the “CONTRACTINGJ” group, and so on; unrolling these group memberships by hand would be tedious.
Clicking on a user opens the menu shown below. Alternatively, you can start typing a username, group or workstation name in the search box and the autocomplete will show you the available options.
Definitions – Taken from https://github.com/adaptivethreat/Bloodhound/wiki/Users
The SAMAccount name, Display Name and Password Last Changed are not currently collected by the ingestor.
First Degree Group Memberships: These are the groups that the user is explicitly a member of. This is the information you would see when typing net user username /domain
Unrolled Group Memberships: These are all of the user’s effective group memberships. This is the equivalent of running Get-NetGroup -User username
Foreign Group Memberships: These are all of the foreign groups that the user belongs to.
First Degree Local Admin: These are the computers where the user itself is added explicitly as a local administrator on a system.
Group Delegated Local Admin Rights: These are the computers that the user gains administrator privileges to based on delegated group rights.
Derivative Local Admin Rights: These are the computers the user can gain administrator rights to by impersonating a user currently using a computer the user has administrator privileges to, regardless of how deep this chaining goes.
Sessions: These are all the computers the ingestor identified the user as logged onto during collection.
Pathfinding is the process of finding a path from one node to another.
This feature requires you to enter a starting and an ending node, as in the image below.
If a path is available, BloodHound will display it.
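The three operations this post leans on, unrolling nested group memberships (the BGRIFFIN and TKINKHEAD examples), deriving local admin rights across sessions (the LBRUNGARDT to DESKTOP31 chain) and finding a shortest path to Domain Admins (the pathfinding feature), are all plain graph searches. The block below is an added example written for this post, not BloodHound's or PowerView's own code. The graph is constructed by hand to mirror the screenshots, so every node name in it is an assumption, including the assumed DESKTOP31 session for BGRIFFIN that links the two screenshots; the relationship names MemberOf, AdminTo and HasSession are the ones BloodHound uses.

```python
"""Added example: the group unrolling, derivative local admin and pathfinding
ideas from this post as plain graph searches.  Not BloodHound's own code."""
from collections import deque

# Constructed sample graph as (source, relationship, target) triples, in
# BloodHound's direction: principal -MemberOf-> group, principal -AdminTo->
# computer, computer -HasSession-> user.  All node names are assumed.
EDGES = [
    ("LBRUNGARDT", "AdminTo", "DATABASE2"),
    ("DATABASE2", "HasSession", "KCLARK"),
    ("KCLARK", "MemberOf", "OFFICE2"),
    ("OFFICE2", "AdminTo", "DESKTOP31"),
    ("DESKTOP31", "HasSession", "BGRIFFIN"),   # assumed: a domain admin is logged on here
    ("BGRIFFIN", "MemberOf", "INFORMATION TECHNOLOGY"),
    ("INFORMATION TECHNOLOGY", "MemberOf", "DOMAIN ADMINS"),
    ("TKINKHEAD", "MemberOf", "CONTRACTINGH"),
    ("CONTRACTINGH", "MemberOf", "CONTRACTINGI"),
    ("CONTRACTINGI", "MemberOf", "CONTRACTINGJ"),
]


def adjacency(edges, allowed):
    """{node: [(relationship, neighbour), ...]} for the allowed relationship types."""
    adj = {}
    for src, rel, dst in edges:
        if rel in allowed:
            adj.setdefault(src, []).append((rel, dst))
    return adj


def unroll_groups(principal, edges):
    """Every group `principal` is effectively in: the transitive closure over
    MemberOf edges, i.e. first-degree plus all nested memberships."""
    adj = adjacency(edges, {"MemberOf"})
    seen, stack = set(), [principal]
    while stack:
        for _, group in adj.get(stack.pop(), []):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def effective_members(group, edges):
    """Everyone who ends up in `group` through any depth of nesting, the
    membership you would otherwise assemble from repeated `net group` lookups.
    Same walk as unroll_groups, run over the MemberOf edges reversed."""
    reversed_edges = [(dst, rel, src) for src, rel, dst in edges if rel == "MemberOf"]
    return unroll_groups(group, reversed_edges)


def derivative_admin(user, edges):
    """Computers `user` can become admin on by chaining
    AdminTo -> HasSession -> (MemberOf)* -> AdminTo to any depth.
    A computer only reaches the stack through an AdminTo edge, so HasSession
    is only ever followed from a machine we can already dump credentials on."""
    adj = adjacency(edges, {"MemberOf", "AdminTo", "HasSession"})
    controlled, admin_of, stack = {user}, set(), [user]
    while stack:
        for rel, nxt in adj.get(stack.pop(), []):
            if rel == "AdminTo" and nxt not in admin_of:
                admin_of.add(nxt)          # we can run mimikatz on nxt
                stack.append(nxt)
            elif rel != "AdminTo" and nxt not in controlled:
                controlled.add(nxt)        # a new set of credentials or a new group
                stack.append(nxt)
    return admin_of


def shortest_path(start, goal, edges):
    """Breadth-first search from `start` to `goal`, the idea behind the
    'Shortest Paths to Domain Admins' query and the Pathfinding box.
    Returns the hops as (node, relationship, node) triples, or None."""
    adj = adjacency(edges, {"MemberOf", "AdminTo", "HasSession"})
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for rel, nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    if goal not in prev:
        return None
    path, node = [], goal
    while prev[node] is not None:
        parent, rel = prev[node]
        path.append((parent, rel, node))
        node = parent
    return path[::-1]


def credential_dumps(path):
    """How many times credentials must be dumped along a path: one per HasSession hop."""
    return sum(1 for _, rel, _ in path if rel == "HasSession")


if __name__ == "__main__":
    print("BGRIFFIN unrolled:", sorted(unroll_groups("BGRIFFIN", EDGES)))
    print("DOMAIN ADMINS effective members:", sorted(effective_members("DOMAIN ADMINS", EDGES)))
    print("LBRUNGARDT admin on:", sorted(derivative_admin("LBRUNGARDT", EDGES)))
    route = shortest_path("LBRUNGARDT", "DOMAIN ADMINS", EDGES)
    for src, rel, dst in route:
        print(f"  {src} -{rel}-> {dst}")
    print("credential dumps needed:", credential_dumps(route))
```

Two caveats a practitioner should keep in mind when reading the output. derivative_admin returns every computer reachable, so the derivative set in the sense of the definitions above is that result minus the machines the user reaches by a direct AdminTo edge (here DATABASE2 is first-degree, DESKTOP31 is derivative). And HasSession edges are a snapshot from collection time; a route that depends on them, as the LBRUNGARDT route does twice, should be re-checked against live sessions before it is relied on.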