If a principal is displayed as a raw SID instead of a name, it is a local account: BloodHound falls back to showing the SID when the domain identifier part of the SID belongs to a local machine rather than to the domain.
Use collection loops (SharpHound `--Loop`) so that transient information is not missed.
- bloodhound.py ingestor:

{% code overflow="wrap" %}
bloodhound.py -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all --zip
{% endcode %}

`-dns-tcp` can also be added to send DNS queries over TCP.
- If the ingestor fails on name resolution, run dnschef so that every lookup resolves to the given IP and point the ingestor's nameserver at it:

{% code overflow="wrap" %}
dnschef --fakeip 10.10.225.134
bloodhound.py -u 'rsmith' -p 'IHateEric2' -d lab.trusted.vl -dc labdc.lab.trusted.vl -c all -ns 127.0.0.1
{% endcode %}
- Manual Cypher queries. Pattern format:

{% code overflow="wrap" %}
(NODES)-[:RELATIONSHIP]->(NODES)
{% endcode %}

All computers in the domain:

{% code overflow="wrap" %}
MATCH (m:Computer) RETURN m
{% endcode %}

All users in the domain:

{% code overflow="wrap" %}
MATCH (m:User) RETURN m
{% endcode %}

Active sessions (which user has a session on which computer):

{% code overflow="wrap" %}
MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p
{% endcode %}
- If there is cmd or PowerShell access, run the SharpHound collector directly:

{% code overflow="wrap" %}
SharpHound.exe -c All
{% endcode %}

Add `--Loop --LoopDuration 00:10:00` to keep collecting in a loop for the given duration.
- To list all users with their descriptions from the exported users JSON:

{% code overflow="wrap" %}
cat 20240302180235_users.json | jq '.data[].Properties | .samaccountname + ":" + .description' -r
{% endcode %}

- If the RID (the last component of a group's object ID / SID) is above 1000, the group is not a default object.
- BloodHound does not collect the `info` attribute, so check it separately with ldapsearch.
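As an added example (not from the original notes), the following Python script does offline what the jq one-liner above does, and also splits each user's `ObjectIdentifier` SID into its domain identifier and RID so that the two SID rules from these notes can be applied: a domain identifier that differs from the collected domain's SID marks a local account, and a RID from 1000 upward marks a non-default principal. The `users.json` layout follows the SharpHound v4 export format; the embedded sample export, including its SIDs, names and descriptions, is constructed for this example.

```python
import json
import re

# The first RID handed out from a domain's (or machine's) RID pool is 1000;
# everything below that is a well-known/default principal (500 = Administrator,
# 512 = Domain Admins, 513 = Domain Users, ...).
FIRST_CUSTOM_RID = 1000

# Account SIDs look like S-1-5-21-<a>-<b>-<c>-<RID>; the part before the
# RID is the domain (or local machine) identifier.
ACCOUNT_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Constructed sample users.json (SharpHound v4-style layout). The SIDs, names
# and descriptions are made up for this example; the third entry deliberately
# carries a machine SID instead of the domain SID.
SAMPLE_USERS_JSON = json.dumps({
    "meta": {"type": "users", "count": 3, "version": 5},
    "data": [
        {
            "ObjectIdentifier": "S-1-5-21-111111111-222222222-333333333-500",
            "Properties": {
                "domain": "EXAMPLE.LOCAL",
                "domainsid": "S-1-5-21-111111111-222222222-333333333",
                "samaccountname": "Administrator",
                "description": "Built-in account for administering the domain",
            },
        },
        {
            "ObjectIdentifier": "S-1-5-21-111111111-222222222-333333333-1104",
            "Properties": {
                "domain": "EXAMPLE.LOCAL",
                "domainsid": "S-1-5-21-111111111-222222222-333333333",
                "samaccountname": "forend",
                "description": None,
            },
        },
        {
            "ObjectIdentifier": "S-1-5-21-999999999-888888888-777777777-1001",
            "Properties": {
                "domain": "EXAMPLE.LOCAL",
                "domainsid": "S-1-5-21-111111111-222222222-333333333",
                "samaccountname": "svc_backup",
                "description": "local account observed on WS01",
            },
        },
    ],
})


def split_sid(sid):
    """Return (identifier, rid) for an account SID, or (None, None) for SIDs
    of another form (e.g. S-1-5-32-544, BUILTIN\\Administrators)."""
    m = ACCOUNT_SID_RE.match(sid)
    if not m:
        return None, None
    return m.group(1), int(m.group(2))


def classify_sid(sid, domain_sid):
    """Label a SID as 'domain' or 'local' (identifier equals the collected
    domain's SID or not) and 'default' or 'custom' (RID below / from 1000)."""
    identifier, rid = split_sid(sid)
    if identifier is None:
        return "well-known"
    scope = "domain" if identifier == domain_sid else "local"
    kind = "default" if rid < FIRST_CUSTOM_RID else "custom"
    return f"{scope}/{kind}"


def user_descriptions(raw_json):
    """Same output as the jq one-liner: 'samaccountname:description' per user,
    with a null description rendered as an empty string."""
    export = json.loads(raw_json)
    lines = []
    for entry in export["data"]:
        props = entry["Properties"]
        lines.append(f"{props['samaccountname']}:{props.get('description') or ''}")
    return lines


def user_sid_report(raw_json):
    """Map samaccountname -> (rid, classification) for every user in the export."""
    export = json.loads(raw_json)
    report = {}
    for entry in export["data"]:
        props = entry["Properties"]
        sid = entry["ObjectIdentifier"]
        _, rid = split_sid(sid)
        report[props["samaccountname"]] = (rid, classify_sid(sid, props["domainsid"]))
    return report


if __name__ == "__main__":
    for line in user_descriptions(SAMPLE_USERS_JSON):
        print(line)
    for name, (rid, label) in user_sid_report(SAMPLE_USERS_JSON).items():
        print(f"{name:<14} RID={rid:<5} {label}")
```

To run it against a real export, replace `SAMPLE_USERS_JSON` with the contents of the `*_users.json` file from the collector's zip; the `domainsid` property is what the classification compares each SID against.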
- Raw query to enumerate users with SQLAdmin:

{% code overflow="wrap" %}
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:SQLAdmin*1..]->(c:Computer) RETURN p2
{% endcode %}

- Raw query to enumerate users with CanPSRemote:

{% code overflow="wrap" %}
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2
{% endcode %}
If a user with SQLAdmin is found, enumerate the SQL instances with PowerUpSQL:

{% code overflow="wrap" %}
Import-Module .\PowerUpSQL.ps1
Get-SQLInstanceDomain
{% endcode %}

Then connect with mssqlclient using Windows authentication:

{% code overflow="wrap" %}
mssqlclient.py <domain>/<user>@<ip> -windows-auth
{% endcode %}