Reconnaissance

Bloodhound, SharpADWS

Bloodhound

To get all data into BloodHound, use SharpHound.exe (Exegol-compatible version v1.0.4): https://github.com/BloodHoundAD/SharpHound/releases/download/v1.0.4/SharpHound-v1.0.4.zip

bloodhound-python doesn't collect all data, probably because of DNS resolution failures against the target domain.

$ sudo bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all 

INFO: Found AD domain: inlanefreight.local
INFO: Connecting to LDAP server: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
INFO: Found 1 domains
INFO: Found 2 domains in the forest
INFO: Found 564 computers
INFO: Connecting to LDAP server: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
INFO: Found 2951 users
INFO: Connecting to GC LDAP server: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
INFO: Found 183 groups
INFO: Found 2 trusts
INFO: Starting computer enumeration with 10 workers

Timeout errors: add --dns-tcp so lookups go to the DC over TCP

bloodhound.py --zip -c All -d "INLANEFREIGHT.LOCAL" -u "forend" -p "Klmcargo2" -ns "172.16.5.5" --dns-tcp

Even better: add the target domain and its DC as nameserver in /etc/resolv.conf (the last two lines below), then run the collector

$ cat /etc/resolv.conf 

# Generated by Docker Engine.
# This file can be edited; Docker Engine will not make further changes once it
# has been modified.

nameserver 127.0.0.53
search lan
options edns0 trust-ad

# Based on host file: '/etc/resolv.conf'
# Overrides: []

domain FREIGHTLOGISTICS.LOCAL
nameserver 172.16.5.238

$ bloodhound.py --zip -c All -d FREIGHTLOGISTICS.LOCAL -ns 172.16.5.238 -u forend@inlanefreight.local -p Klmcargo2 --dns-tcp

INFO: Found AD domain: freightlogistics.local
INFO: Getting TGT for user
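Because bloodhound-python keeps going when a host name does not resolve, an incomplete run looks like a successful one unless the log is checked. The script below is an added example (not part of the original note or of bloodhound-python): it parses the collector's console output, counts the objects it reported and the hosts it skipped, and flags the run as incomplete so you know to rerun with --dns-tcp or a fixed resolv.conf. The sample log is constructed; the exact "Could not resolve" warning format is assumed from typical bloodhound-python output.

```python
import re

# Constructed sample of bloodhound-python console output (not a real capture).
# INFO lines mirror the note above; WARNING lines are the DNS failures that
# the collector prints when a computer name does not resolve in time.
SAMPLE_LOG = """\
INFO: Found AD domain: inlanefreight.local
INFO: Connecting to LDAP server: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
INFO: Found 564 computers
INFO: Found 2951 users
INFO: Found 183 groups
INFO: Found 2 trusts
INFO: Starting computer enumeration with 10 workers
WARNING: Could not resolve: ACADEMY-EA-MS01.INLANEFREIGHT.LOCAL: The resolution lifetime expired after 3.2 seconds
WARNING: Could not resolve: ACADEMY-EA-WEB0.INLANEFREIGHT.LOCAL: The resolution lifetime expired after 3.2 seconds
WARNING: Could not resolve: SQL01.INLANEFREIGHT.LOCAL: The resolution lifetime expired after 3.2 seconds
INFO: Done in 00M 42S
"""

FOUND_RE = re.compile(r"^INFO: Found (\d+) (computers|users|groups|trusts)$")
# Assumed warning format: "WARNING: Could not resolve: <fqdn>: <reason>"
UNRESOLVED_RE = re.compile(r"^WARNING: Could not resolve: ([^:\s]+):")


def audit_collection(log_text):
    """Return object counts, skipped hosts and whether the run was complete."""
    counts = {}
    unresolved = []
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            counts[m.group(2)] = int(m.group(1))
            continue
        m = UNRESOLVED_RE.match(line)
        if m:
            unresolved.append(m.group(1))
    computers = counts.get("computers", 0)
    missed = len(unresolved)
    return {
        "counts": counts,
        "unresolved_hosts": unresolved,
        "missed_ratio": missed / computers if computers else 0.0,
        "complete": missed == 0,
    }


if __name__ == "__main__":
    result = audit_collection(SAMPLE_LOG)
    print("complete:", result["complete"], "| skipped hosts:", result["unresolved_hosts"])
```

Feed it a saved run with `python3 audit.py < collector.log` by replacing SAMPLE_LOG with `sys.stdin.read()`; a non-zero missed_ratio means the sessions and local-group data for those hosts are absent from the zip.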

Windows

PS C:\htb> .\SharpHound.exe -c All --zipfilename ILFREIGHT

Run Bloodhound

Then upload the zip file generated by SharpHound or bloodhound-python

Bloodhound-quickwin

bloodhound-quickwin -u neo4j -p exegol4thewin

AD Miner

SharpADWS
