CompTIA Security+ Exam Notes

Let Us Help You Pass

Thursday, October 30, 2025

BloodHound Overview: AD Mapping, Attack Paths, and Defense Strategies


BloodHound is a powerful Active Directory (AD) enumeration tool used by penetration testers and red teamers to identify and visualize relationships and permissions within a Windows domain. It helps uncover hidden paths to privilege escalation and lateral movement by mapping out how users, groups, computers, and permissions interact.

What BloodHound Does
BloodHound uses graph theory to analyze AD environments. It collects data on users, groups, computers, sessions, trusts, ACLs (Access Control Lists), and more, then builds a graph showing how an attacker could move through the network to gain elevated privileges.

Key Features
  • Visual Graph Interface: Displays relationships between AD objects in an intuitive, interactive graph.
  • Attack Path Discovery: Identifies paths like “Shortest Path to Domain Admin” or “Users with Kerberoastable SPNs.”
  • Custom Queries: Supports Cypher queries (the Neo4j query language) to search for specific conditions or relationships.
  • Data Collection: Uses tools like SharpHound (its data collector) to gather information from the domain.
How BloodHound Works
1. Data Collection
  • SharpHound collects data via:
    • LDAP queries
    • SMB enumeration
    • Windows API calls
  • It can run from a domain-joined machine with low privileges.
2. Data Ingestion
  • The collected data is saved in JSON format and imported into BloodHound’s Neo4j database.
3. Graph Analysis
  • BloodHound visualizes the domain structure and highlights potential attack paths.
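The three steps above come down to one idea: once users, groups, computers and permissions are nodes and edges in a graph, "Shortest Path to Domain Admin" is an ordinary shortest-path search. The Python below is an added example, not code from the original post or from the BloodHound project, run over a constructed toy domain (made-up names; the edge kinds MemberOf, AdminTo, HasSession and GenericAll mirror the ones BloodHound draws). It finds the shortest chain from a low-privilege user to Domain Admins, and, from the defender's side, the full set of principals that have any path into that group, which is the list a blue team works through when trimming permissions.

```python
from collections import deque

# Constructed toy AD graph (made-up names, not data from any real domain). Each edge
# is (source, relationship, target), using the same edge kinds BloodHound draws:
# MemberOf, AdminTo, HasSession and GenericAll.
EDGES = [
    ("alice@corp.local", "MemberOf", "HELPDESK@corp.local"),
    ("HELPDESK@corp.local", "AdminTo", "WS01.corp.local"),
    ("WS01.corp.local", "HasSession", "svc_backup@corp.local"),
    ("svc_backup@corp.local", "GenericAll", "IT-ADMINS@corp.local"),
    ("IT-ADMINS@corp.local", "MemberOf", "DOMAIN ADMINS@corp.local"),
    ("bob@corp.local", "MemberOf", "FINANCE@corp.local"),
    ("FINANCE@corp.local", "AdminTo", "FS01.corp.local"),
]

DOMAIN_ADMINS = "DOMAIN ADMINS@corp.local"


def build_graph(edges):
    """Adjacency lists in both directions: forwards for the attacker's view
    (where can this principal get to) and backwards for the defender's view
    (who can reach this target)."""
    fwd, rev = {}, {}
    for src, rel, dst in edges:
        fwd.setdefault(src, []).append((rel, dst))
        rev.setdefault(dst, []).append((rel, src))
        fwd.setdefault(dst, [])
        rev.setdefault(src, [])
    return fwd, rev


def shortest_path(fwd, start, goal):
    """Breadth-first search over directed edges. Returns the hops of a shortest
    path as [(node, relationship, node), ...], or None when no path exists."""
    if start not in fwd or goal not in fwd:
        return None
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            hops = []
            while prev[node] is not None:
                parent, rel = prev[node]
                hops.append((parent, rel, node))
                node = parent
            return hops[::-1]
        for rel, nxt in fwd[node]:
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    return None


def principals_with_path_to(rev, goal):
    """Reverse BFS from the target: every node with some path into it. This is
    the set a defender reviews when cutting paths to Domain Admins."""
    seen = {goal}
    queue = deque([goal])
    while queue:
        node = queue.popleft()
        for _rel, src in rev.get(node, []):
            if src not in seen:
                seen.add(src)
                queue.append(src)
    seen.discard(goal)
    return sorted(seen)


def format_path(hops):
    """Render hops as 'a -[MemberOf]-> b -[AdminTo]-> c'."""
    if not hops:
        return "(no path)"
    text = hops[0][0]
    for _src, rel, dst in hops:
        text += f" -[{rel}]-> {dst}"
    return text


if __name__ == "__main__":
    FWD, REV = build_graph(EDGES)
    print(format_path(shortest_path(FWD, "alice@corp.local", DOMAIN_ADMINS)))
    print(format_path(shortest_path(FWD, "bob@corp.local", DOMAIN_ADMINS)))
    print(principals_with_path_to(REV, DOMAIN_ADMINS))
```

In the toy graph, alice reaches Domain Admins in five hops while bob never does; the reverse search shows that removing any single edge on alice's chain (for example the HELPDESK group's local admin rights on WS01) breaks the path, which is the kind of fix the Defensive Measures section below is asking for.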
Common Attack Paths Identified
  • Kerberoasting: Finding service accounts with SPNs whose service tickets can be requested and cracked offline.
  • ACL Abuse: Discovering users with write permissions over other users or groups.
  • Session Hijacking: Identifying computers where privileged users are logged in.
  • Group Membership Escalation: Finding indirect paths to privileged groups.
Use Cases
  • Red Team Operations: Mapping out attack paths and privilege escalation strategies.
  • Blue Team Defense: Identifying and remediating risky configurations.
  • Security Audits: Understanding AD structure and permissions.
Defensive Measures
  • Limit excessive permissions and group memberships.
  • Monitor for SharpHound activity.
  • Use tiered administrative models.
  • Regularly audit ACLs and session data.

Monday, October 27, 2025

Rubeus: Kerberos Exploitation for Penetration Testers


Rubeus is a powerful post-exploitation tool designed to abuse Kerberos in Windows Active Directory (AD) environments. It’s widely used by penetration testers and red teamers to manipulate authentication mechanisms, extract credentials, and move laterally across compromised networks.

What Is Kerberos?
Kerberos is a network authentication protocol used in AD environments. It uses tickets to allow nodes to prove their identity securely. Rubeus interacts with these tickets to perform various attacks.

Key Capabilities of Rubeus
1. Kerberoasting
  • Requests service tickets (TGS) for accounts that have an SPN and extracts them as crackable hashes.
  • These hashes can be cracked offline to reveal plaintext passwords.
2. Ticket Harvesting
  • Dumps Kerberos tickets from memory (e.g., using sekurlsa::tickets via Mimikatz).
  • Useful for replay or pass-the-ticket attacks.
3. Pass-the-Ticket
  • Injects stolen Kerberos tickets into memory to impersonate users.
  • Enables lateral movement without needing passwords.
4. Overpass-the-Hash
  • Uses NTLM hashes to request Kerberos tickets.
  • Bridges NTLM and Kerberos authentication methods.
5. Golden Ticket Attack
  • Creates forged TGTs using the KRBTGT account hash.
  • Grants unrestricted access to the domain.
6. Silver Ticket Attack
  • Creates forged service tickets (TGS) for specific services.
  • Less detectable than Golden Tickets.
7. AS-REP Roasting
  • Targets accounts that don’t require pre-authentication.
  • Extracts encrypted data that can be cracked offline.
8. Ticket Renewal and Request
  • Requests new tickets or renews existing ones.
  • Useful for maintaining persistence.
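Capabilities 1 and 7 above work only against accounts with specific directory settings: Kerberoasting needs an account that has an SPN (and is easiest when that account still accepts RC4 service tickets), and AS-REP roasting needs the "Do not require Kerberos preauthentication" flag. The Python below is an added example, not code from the original post or from the Rubeus project, that audits a set of constructed account records for exactly those conditions. The record keys mirror the AD attributes a defender would pull over LDAP (userAccountControl, servicePrincipalName, msDS-SupportedEncryptionTypes, pwdLastSet age), but the values are made up, and treating an unset msDS-SupportedEncryptionTypes as RC4-capable is an assumption stated in the code.

```python
# Constructed sample account records (made-up values, not from any real directory).
# Keys mirror the AD attributes a defender would query: userAccountControl,
# servicePrincipalName, msDS-SupportedEncryptionTypes and the age of pwdLastSet.
SAMPLE_ACCOUNTS = [
    {"sam": "svc_sql", "uac": 0x10200, "spns": ["MSSQLSvc/db01.corp.local:1433"],
     "enc_types": 0x4, "pwd_age_days": 900},
    {"sam": "svc_web", "uac": 0x10200, "spns": ["HTTP/web01.corp.local"],
     "enc_types": 0x18, "pwd_age_days": 30},
    {"sam": "legacy_app", "uac": 0x400200, "spns": [],
     "enc_types": 0, "pwd_age_days": 1200},
    {"sam": "alice", "uac": 0x200, "spns": [],
     "enc_types": 0x18, "pwd_age_days": 45},
    {"sam": "old_svc", "uac": 0x10202, "spns": ["HOST/old01.corp.local"],
     "enc_types": 0, "pwd_age_days": 2000},
]

# userAccountControl bits (documented AD values)
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_DONT_REQ_PREAUTH = 0x400000
# msDS-SupportedEncryptionTypes bits (documented AD values)
ENC_RC4_HMAC = 0x4
ENC_AES128 = 0x8
ENC_AES256 = 0x10


def allows_rc4(enc_types):
    """Assumption for this example: an unset attribute (0) is treated as
    RC4-capable, since the DC then falls back to its legacy default."""
    return enc_types == 0 or bool(enc_types & ENC_RC4_HMAC)


def audit_account(account, max_pwd_age_days=365):
    """Return the list of finding codes for one account."""
    findings = []
    uac = account["uac"]
    if uac & UAC_ACCOUNTDISABLE:
        return findings  # a disabled account issues no tickets
    if uac & UAC_DONT_REQ_PREAUTH:
        findings.append("asrep_roastable")  # capability 7 above applies
    if account["spns"]:  # only SPN accounts can be Kerberoasted (capability 1)
        if allows_rc4(account["enc_types"]):
            findings.append("kerberoastable_rc4")  # RC4 tickets crack fastest
        if account["pwd_age_days"] > max_pwd_age_days:
            findings.append("stale_service_password")
        if uac & UAC_DONT_EXPIRE_PASSWORD:
            findings.append("password_never_expires")
    return findings


def audit(accounts, max_pwd_age_days=365):
    """Map sAMAccountName -> findings, omitting clean accounts."""
    report = {}
    for account in accounts:
        found = audit_account(account, max_pwd_age_days)
        if found:
            report[account["sam"]] = found
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {', '.join(findings)}")
```

The usual remediations map one-to-one onto the finding codes: re-enable pre-authentication, restrict the account to AES (set the AES bits in msDS-SupportedEncryptionTypes), and rotate or move the service to a group managed service account so the password is long, random and changed automatically.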
Why Rubeus Is Valuable
  • Written in C#, making it easy to compile and modify.
  • It can be executed in memory to evade antivirus detection.
  • Integrates well with other tools like Mimikatz and Cobalt Strike.
Ethical Use
Rubeus should only be used in environments where you have explicit permission to test. Unauthorized use is illegal and unethical.

Thursday, March 20, 2025

Kerberoasting Explained: Understanding the Threat to Active Directory Security


Kerberoasting is a post-exploitation attack technique targeting Active Directory environments. It exploits the Kerberos authentication protocol to obtain and crack password hashes of service accounts, allowing attackers to escalate privileges and move laterally within a network. Here's a detailed breakdown:

1. What is Kerberoasting?
Kerberoasting focuses on extracting password hashes of service accounts associated with Service Principal Names (SPNs) in Active Directory. These accounts often have elevated privileges, making them valuable targets for attackers. The attack is conducted offline, allowing attackers to crack the hashes without triggering alerts or account lockouts.

2. How Kerberoasting Works
  • Initial Compromise: The attacker gains access to a domain user account.
  • Requesting Service Tickets: Using tools like Rubeus or GetUserSPNs.py, the attacker requests Kerberos service tickets for SPNs.
  • Extracting Ticket Hashes: The service tickets are encrypted with a key derived from the service account's password. The attacker saves the encrypted portion of each ticket in a format that password-cracking tools can work on.
  • Offline Cracking: The attacker uses brute force tools like Hashcat or John the Ripper to crack the password hashes offline.
  • Privilege Escalation: Once the plaintext password is obtained, the attacker can impersonate the service account and access its resources.
3. Why Kerberoasting is Dangerous
  • Stealthy: The cracking phase is conducted offline, where network monitoring tools cannot see it.
  • Minimal Privileges Required: Any authenticated domain user can initiate the attack.
  • High Impact: Compromised service accounts often have access to critical systems and data.
4. Mitigation Strategies
  • Strong Passwords: Use complex, long passwords for service accounts.
  • Password Rotation: Regularly change service account passwords.
  • Monitor Ticket Requests: Detect unusual patterns in Kerberos ticket requests.
  • Limit Privileges: Minimize the permissions of service accounts.
  • Multi-Factor Authentication (MFA): Add an extra layer of security to service accounts.
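"Monitor Ticket Requests" is the mitigation above that turns directly into detection logic. On a domain controller every service-ticket request is logged as Security Event ID 4769, which records the requesting account, the service name and the ticket encryption type. The Python below is an added example, not code from the original post, run over constructed sample records flattened to one pipe-delimited line each (a real pipeline would read the event log or a SIEM export instead). It flags the two patterns the text describes: tickets issued with RC4, which attackers request because RC4 tickets are much faster to crack offline than AES ones, and a single account sweeping many distinct SPNs within a short window, which is what the ticket-request step of the attack looks like in the log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security log records (made up for this example, not taken
# from any real system), one pipe-delimited line per event:
# timestamp | event id | requesting account | service name | ticket encryption type | client address
SAMPLE_LOG = """\
2025-10-30T09:00:01|4769|alice@CORP.LOCAL|svc_sql|0x17|10.0.0.5
2025-10-30T09:00:03|4769|alice@CORP.LOCAL|svc_web|0x17|10.0.0.5
2025-10-30T09:00:05|4769|alice@CORP.LOCAL|svc_backup|0x17|10.0.0.5
2025-10-30T09:00:07|4769|alice@CORP.LOCAL|svc_report|0x17|10.0.0.5
2025-10-30T09:01:00|4769|bob@CORP.LOCAL|svc_sql|0x12|10.0.0.9
2025-10-30T09:01:10|4769|WS01$@CORP.LOCAL|WS02$|0x12|10.0.0.21
2025-10-30T09:02:00|4769|carol@CORP.LOCAL|krbtgt|0x12|10.0.0.7
2025-10-30T09:02:30|4768|carol@CORP.LOCAL|krbtgt|0x12|10.0.0.7
"""

# Ticket Encryption Type values as logged in 4769:
# 0x17 = RC4-HMAC, 0x18 = RC4-HMAC-EXP, 0x11 = AES128, 0x12 = AES256.
RC4_ETYPES = {"0x17", "0x18"}


def parse_event(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, event_id, account, service, etype, ip = line.strip().split("|")
    return {"time": datetime.fromisoformat(ts), "id": int(event_id),
            "account": account, "service": service,
            "etype": etype.lower(), "ip": ip}


def is_candidate(ev):
    """Keep only service-ticket requests for user service accounts. Tickets for
    krbtgt and for computer accounts (trailing $) are routine traffic, not the
    SPN accounts Kerberoasting goes after."""
    if ev["id"] != 4769:
        return False
    if ev["service"].endswith("$") or ev["service"].lower() == "krbtgt":
        return False
    return True


def detect(log_text, window=timedelta(minutes=5), min_distinct_spns=3):
    """Return alerts as (rule, account, detail) tuples:
    - rc4_service_ticket: a candidate request served with RC4 encryption
    - spn_sweep: one account requesting tickets for at least min_distinct_spns
      different service accounts inside `window`."""
    events = [parse_event(line) for line in log_text.splitlines() if line.strip()]
    alerts = []
    per_account = defaultdict(list)
    for ev in events:
        if not is_candidate(ev):
            continue
        if ev["etype"] in RC4_ETYPES:
            alerts.append(("rc4_service_ticket", ev["account"], ev["service"]))
        per_account[ev["account"]].append(ev)
    for account, evs in per_account.items():
        evs.sort(key=lambda e: e["time"])
        # sliding window anchored at each request: count distinct services after it
        for i, first in enumerate(evs):
            in_window = {e["service"] for e in evs[i:]
                         if e["time"] - first["time"] <= window}
            if len(in_window) >= min_distinct_spns:
                alerts.append(("spn_sweep", account, len(in_window)))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample data only alice trips the rules: four RC4 tickets and a sweep of four SPNs in six seconds. The thresholds are deliberately low for the toy input; in a real domain you would baseline how many distinct SPNs a normal user touches per hour before choosing them, and an account's first-ever RC4 ticket after the domain has moved to AES is the stronger signal.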
5. Tools Used in Kerberoasting
  • Rubeus: A tool for Kerberos ticket manipulation and extraction.
  • GetUserSPNs.py: A script to identify SPNs and request service tickets.
  • Hashcat: A powerful password-cracking tool.
  • John the Ripper: Another popular password-cracking tool.
Kerberoasting is a significant threat in Active Directory environments, but organizations can reduce their risk by taking proper security measures.