maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity
hacktricks/src/windows-hardening/active-directory-methodology/bloodhound.md

2.6 KiB
Raw Blame History

BloodHound & Other Active Directory Enumeration Tools

{{#include ../../banners/hacktricks-training.md}}

{{#ref}} adws-enumeration.md {{#endref}}

KUMBUKA: Ukurasa huu unakusanya baadhi ya zana muhimu zaidi za kuorodhesha na kuonyesha uhusiano wa Active Directory. Kwa ukusanyaji kupitia njia ya siri ya Active Directory Web Services (ADWS) angalia rejeleo hapo juu.

AD Explorer

AD Explorer (Sysinternals) ni mtazamaji wa AD wa hali ya juu na mhariri ambao unaruhusu:

  • Kuangalia mti wa directory kwa GUI
  • Kuedit mwelekeo wa vitu na maelezo ya usalama
  • Uundaji wa picha za wakati / kulinganisha kwa uchambuzi wa mbali

Matumizi ya haraka

  1. Anza zana na uungane na dc01.corp.local kwa akidi yoyote ya domain.
  2. Unda picha ya mbali kupitia File ➜ Create Snapshot.
  3. Linganisha picha mbili kwa File ➜ Compare ili kugundua mabadiliko ya ruhusa.

ADRecon

ADRecon inatoa seti kubwa ya vitu kutoka kwa domain (ACLs, GPOs, imani, templeti za CA …) na inazalisha ripoti ya Excel.

# On a Windows host in the domain
PS C:\> .\ADRecon.ps1 -OutputDir C:\Temp\ADRecon

BloodHound (kuonyesha grafu)

BloodHound inatumia nadharia ya grafu + Neo4j kufichua uhusiano wa mamlaka yaliyofichika ndani ya AD ya ndani na Azure AD.

Usanidi (Docker CE)

curl -L https://ghst.ly/getbhce | docker compose -f - up
# Web UI ➜ http://localhost:8080  (user: admin / password from logs)

Wakusanyaji

  • SharpHound.exe / Invoke-BloodHound toleo la asili au PowerShell
  • AzureHound uainishaji wa Azure AD
  • SoaPy + BOFHound ukusanyaji wa ADWS (angalia kiungo kilichoko juu)

Njia za kawaida za SharpHound

SharpHound.exe --CollectionMethods All           # Full sweep (noisy)
SharpHound.exe --CollectionMethods Group,LocalAdmin,Session,Trusts,ACL
SharpHound.exe --Stealth --LDAP                      # Low noise LDAP only

Wakusanyaji wanazalisha JSON ambayo inachukuliwa kupitia GUI ya BloodHound.

Group3r

Group3r inataja Group Policy Objects na kuonyesha makosa ya usanidi.

# Execute inside the domain
Group3r.exe -f gpo.log   # -s to stdout

PingCastle

PingCastle inafanya ukaguzi wa afya wa Active Directory na kuunda ripoti ya HTML yenye alama za hatari.

PingCastle.exe --healthcheck --server corp.local --user bob --password "P@ssw0rd!"

{{#include ../../banners/hacktricks-training.md}}