added bloodhound information
parent
9be912401b
commit
d797981a6d
|
@ -1,3 +1,34 @@
|
||||||
# Bloodhound
|
# Bloodhound
|
||||||
|
|
||||||
* DNS
|
Bloodhound contain two parts of interest. One is Bloodhound itself including
|
||||||
|
the Neo4j database. The other are data collectors named `SharpHound.exe`,
|
||||||
|
`SharpHound.ps1`, `AzureHound.ps1` and `Bloodhound.py`.
|
||||||
|
|
||||||
|
## Data Collection
|
||||||
|
|
||||||
|
Sharphound is a portable executable which can be executed in the following way.
|
||||||
|
The runas command uses the user from the commandline parameter to respond to
|
||||||
|
network requests. So, runas is called as a cover up measurement.
|
||||||
|
|
||||||
|
```
|
||||||
|
runas /netonly /user:OnTheINTERNET\NobodyKnowsYoureADOG cmd.exe
|
||||||
|
SharpHound.exe --CollectionMethods All --Domain $TARGET_DOMAIN --ExcludeDCs
|
||||||
|
```
|
||||||
|
|
||||||
|
If there is no issue getting detected `--ExcludeDCs` can be ommited, so
|
||||||
|
information is gathered for DCs as well.
|
||||||
|
|
||||||
|
Alternativly, Bloodhound can be directly from the attacker or any other
|
||||||
|
machine. It connects to the the target network to collect information.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
bloodhound-python -u $USER -p $PASSWORD -d $TARGET_DOMAIN -ns $DNS_NAMESERVER -c All --zip
|
||||||
|
```
|
||||||
|
|
||||||
|
## Data Exploration
|
||||||
|
|
||||||
|
Once the data has been collected and has been uploaded to the BloodHound
|
||||||
|
database, insights can be gained through the `Explore` option. Further, there
|
||||||
|
is `Pathfinding` and `Cypher`. The former shows connection between users and
|
||||||
|
objects, the latter contains predefined queries, e.g. `All Domain Admins` ,
|
||||||
|
`Map OU Structure` or `Map domain trusts` and multiple others.
|
||||||
|
|
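Review bot: the runas paragraph under "Data Collection" calls `runas /netonly` a "cover up measurement", which does not tell the reader what the command does. With `/netonly` the account given in `/user:` is used only for network authentication, while the local process keeps running as the logged-on user; that is why SharpHound can be started from a machine that is not joined to the target domain. Suggest rewording the sentence along those lines and stating that `SharpHound.exe` is launched from the `cmd.exe` window that runas opens, since the block currently reads as two unrelated commands. In the same block, `$TARGET_DOMAIN` is shell variable syntax inside a cmd.exe example, and the fence has no language tag while the bloodhound-python block uses `sh`. In the bloodhound-python line, `-p $PASSWORD` puts the password on the command line, which is worth a short note for readers who keep shell history. Smaller points: "Bloodhound can be directly from the attacker" is missing a verb ("run"), "Bloodhound contain" should be "contains", "ommited", "Alternativly" and "the the" are typos, and the tool name is spelled Bloodhound, BloodHound and Sharphound/SharpHound inconsistently.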