In part three of the AD attack lab series, we will learn how to use BloodHound and PowerView to enumerate the domain once you have gained a foothold on the network. If you haven’t set up the lab environment yet, go to Part One and Part Two to get the AD lab running.
Head over to one of your Windows 10 clients and download PowerView here. Once “powerview.ps1” is downloaded, open a command prompt and run “powershell -ep bypass” to start a PowerShell session with the execution policy set to Bypass. The execution policy is not a security boundary: it only stops unsigned scripts from being run by accident, and the Bypass setting lets us dot-source any script we want.
Note: I used the old version of PowerView because some flags do not work properly in the newer version of PowerView.
powershell -ep bypass
Load the PowerView module into the current PowerShell session (dot-source the script so its functions stay loaded for the rest of the session):
Now, let’s examine some basic flags and see how we can leverage them to enumerate the entire domain.
“Get-NetDomain” shows basic information about the domain: the forest name, the domain controllers, the domain functional mode, and the FSMO role owners (PdcRoleOwner, RidRoleOwner, InfrastructureRoleOwner).
“Get-NetDomainController” shows the properties of each domain controller, including its IP address, OS version, host name, site, and the FSMO roles it holds.
“Get-DomainPolicy” parses the Default Domain Policy and lists its sections. The interesting one is “SystemAccess”, which holds the password and lockout settings. Here the minimum password length is only 7 (the Windows default), which makes password cracking relatively easy; LockoutBadCount in the same section tells you whether password spraying will lock accounts out.
We can also narrow the output down to a single section and look at its properties individually.
“Get-NetUser” lists all the users in the domain with their properties. One interesting account here is “SQL Service”: its description field contains the account’s password in plaintext. This is a common misconfiguration, and it matters because the description attribute is readable by any domain user by default.
Get-NetUser | select cn
Get-NetUser | select samaccountname
Get-NetUser | select description
We use “select” (Select-Object) to pick the properties we are interested in. Note that “select” chooses columns, not rows: the closest Linux analogue is “cut” or “awk”, while “grep”-style row filtering is done with “where” (Where-Object).
Get-UserProperty
Get-UserProperty -Properties pwdlastset
Get-UserProperty -Properties badpwdcount
“Get-UserProperty” lists the names of all user properties. With the “-Properties” flag it shows the value of one property for every user, for example pwdlastset (when each password was last changed, useful for spotting stale accounts) and badpwdcount (the failed logon counter).
Get-NetComputer
Get-NetComputer -FullData | select operatingsystem
Show all the computer objects in the domain (workstations and servers) with their properties. “-FullData” returns every attribute, so we can select, for example, the operating system and pick out old builds.
Get-NetGroup -GroupName "Domain Admins"
Get-NetGroupMember -GroupName "Domain Admins"
Show the group object and its members. Add “-Recurse” to Get-NetGroupMember to expand nested groups, since an account in a group nested under Domain Admins is just as privileged.
Find all the shares on the domain with “Invoke-ShareFinder”. The “Documents” and “Share” folders we created earlier are listed here.
Get-NetGPO
Get-NetGPO | select displayname, whenchanged
Show the GPOs in the domain and use “select” to narrow down to the properties we are interested in. The “Disable Windows Defender” policy we set earlier is listed here; sorting by whenchanged is a quick way to spot recently modified policies.
You can find more useful commands for PowerView here.
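As an added example (not code from the original post), here is a short script that chains the PowerView commands above into a single triage pass. It assumes the old powerview.ps1 from the post sits in the current directory and that it runs in the “powershell -ep bypass” session on a domain-joined Windows 10 client; the thresholds (minimum length under 12, lockout threshold 0) and the description regex are my own choices, not settings the post defines.

```powershell
# Added example, not from the original post: one-pass PowerView triage of the lab domain.
# Assumes .\powerview.ps1 (old version) is in the current directory and that this runs
# in a "powershell -ep bypass" session on a domain-joined Windows 10 client.
. .\powerview.ps1

# 1. Domain and DC basics.
$domain = Get-NetDomain
Write-Host "[*] Domain: $($domain.Name)  Forest: $($domain.Forest)  PDC: $($domain.PdcRoleOwner)"
Get-NetDomainController | Select-Object Name, IPAddress, OSVersion | Format-Table -AutoSize

# 2. Password policy: flag settings that make offline cracking or spraying cheap.
#    Thresholds below are this example's own choices.
$sysAccess = (Get-DomainPolicy)."SystemAccess"
$minLen    = [int]$sysAccess.MinimumPasswordLength
$complex   = [int]$sysAccess.PasswordComplexity   # 1 = complexity required
$lockout   = [int]$sysAccess.LockoutBadCount      # 0 = accounts never lock out
Write-Host "[*] MinimumPasswordLength=$minLen  PasswordComplexity=$complex  LockoutBadCount=$lockout"
if ($minLen -lt 12) { Write-Host "[!] Minimum password length $minLen is short: wordlist cracking is cheap" }
if ($lockout -eq 0)  { Write-Host "[!] No lockout threshold: password spraying will not lock accounts" }

# 3. Credentials leaked into user attributes (the "SQL Service" case).
#    Where-Object filters rows; Select-Object picks columns.
Get-NetUser |
    Where-Object { $_.description -match 'pass|pwd|cred' } |
    Select-Object samaccountname, description |
    Format-Table -AutoSize

# 4. Kerberoastable users: any user account with a servicePrincipalName.
Get-NetUser -SPN | Select-Object samaccountname, serviceprincipalname | Format-Table -AutoSize

# 5. Who is effectively a Domain Admin (-Recurse expands nested groups).
Get-NetGroupMember -GroupName "Domain Admins" -Recurse |
    Select-Object MemberName, IsGroup | Format-Table -AutoSize

# 6. Computers grouped by OS: old builds are the first place to look for known exploits.
Get-NetComputer -FullData | Group-Object operatingsystem |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize

# 7. Shares other than the default admin, print and IPC$ shares.
Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC

# 8. GPOs, newest change first: the lab's "Disable Windows Defender" GPO shows up here.
Get-NetGPO | Sort-Object whenchanged -Descending |
    Select-Object displayname, whenchanged, gpcfilesyspath | Format-Table -AutoSize
```

Save it next to powerview.ps1 and run it from the same bypass session. The regex in step 3 is deliberately loose because people write “pwd”, “Password:” or “creds” in description fields; tighten or widen it to taste. Step 7 is the slowest part on a large domain since it touches every host, so drop it when you only want the LDAP-side picture.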
BloodHound enumerates the entire domain and, from the collected data, works out the shortest path to Domain Admins. It is a fantastic tool for seeing the bigger picture of the whole domain.
The BloodHound installation process is pretty straightforward.
Update your Kali APT repo:
sudo apt-get update
Install BloodHound via “apt-get”:
sudo apt-get install bloodhound
Set up Neo4j once the installation has finished. On the first run, open http://localhost:7474, log in with the default neo4j/neo4j credentials and change the password; BloodHound will log in to the database with the credentials you set:
sudo neo4j console
Now run BloodHound (leave the Neo4j console running in its own terminal):
Now head over to one of your Windows 10 clients and download the “SharpHound Data Ingestor” here. Import the PowerShell module, then generate the zip file containing the domain data.
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain kudos.local -ZipFilename file.zip
Move the zip file to Kali and upload it to the BloodHound application (drag and drop it onto the window, or use the upload button).
We can see the data has been uploaded successfully.
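As an added example (not code from the original post), the script below runs the SharpHound collection from the step above and then sanity-checks the zip before you carry it over to Kali: an empty object type usually means that part of the collection failed (sessions in particular, since they need admin rights or an open RPC port on each host). It assumes SharpHound.ps1 is in the current directory, the lab domain is kudos.local, and the session is the same “powershell -ep bypass” session used for PowerView.

```powershell
# Added example, not from the original post: collect with SharpHound and verify the
# archive before moving it. Assumes .\SharpHound.ps1 in the current directory and the
# lab domain kudos.local; "file.zip" is the same name the post uses.
. .\SharpHound.ps1

$zipName = "file.zip"
Invoke-BloodHound -CollectionMethod All -Domain kudos.local -ZipFilename $zipName

# SharpHound prefixes the zip name with a timestamp, so pick the newest match.
$zip = Get-ChildItem -Path . -Filter "*$zipName" | Sort-Object LastWriteTime | Select-Object -Last 1
if (-not $zip) { throw "No archive matching *$zipName was produced; check the collector output above" }
Write-Host "[*] Collected: $($zip.FullName) ($([math]::Round($zip.Length / 1KB)) KB)"

# Every JSON file in the archive ends with a "meta" block holding the object type and
# count. Read the entries in place so nothing extra is written to disk on the client.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$archive = [System.IO.Compression.ZipFile]::OpenRead($zip.FullName)
try {
    foreach ($entry in ($archive.Entries | Where-Object { $_.Name -like '*.json' })) {
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try     { $json = $reader.ReadToEnd() | ConvertFrom-Json }
        finally { $reader.Close() }

        $type  = $json.meta.type
        $count = [int]$json.meta.count
        $flag  = if ($count -eq 0) { "  <- empty: this collection type failed or found nothing" } else { "" }
        Write-Host ("[*] {0,-12} {1,6} objects{2}" -f $type, $count, $flag)
    }
} finally {
    $archive.Dispose()
}
```

If users, computers and groups are populated but sessions are zero, the data will still import, but BloodHound will have no “HasSession” edges and most of the shortest-path queries will come back empty; re-run with an account that is a local administrator on the workstations before spending time on the graph.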
Looking through the pre-built queries, we see they can show us the shortest path to Domain Admins, the shortest path to high-value targets, the shortest path from Kerberoastable users, and so on. I highly recommend you check out all the queries listed here to get a feel for what they can do for you :)
In this post we learned how to use PowerView and BloodHound to do some basic enumeration of the domain. In the following posts I will continue with other ways to enumerate and attack the AD environment. Thank you for reading :)