How to use BloodHound and BeRoot for privilege escalation in a Red Teaming assessment.

BloodHound 

BloodHound is a tool designed for offensive security and is widely used in Red Teaming exercises. It can help identify privileged access paths in an Active Directory (AD) environment and is a powerful tool for finding potential attack vectors. In this practical guide, we will go through the basics of how to use BloodHound and demonstrate some of its features.

First, let's start by installing the BloodHound tool. BloodHound is built to run on Windows, so it is recommended to install it on a Windows machine. The latest version of BloodHound can be downloaded from the official GitHub repository. After downloading and extracting the files, you should install the Neo4j database and set up the BloodHound client.

Once BloodHound is installed, the first step is to gather data from the Active Directory environment. To do this, we need to run the BloodHound Ingestor on a machine that is part of the domain. The Ingestor is a PowerShell script that collects data from the AD environment and stores it in a format that can be used by BloodHound. To run the Ingestor, we need to execute the following command:

  • . .\SharpHound.ps1
  • Invoke-BloodHound -CollectionMethod All -Domain <DomainName> -ZipFileName <OutputFileName>
The script must be dot-sourced first so that its Invoke-BloodHound function becomes available; the second command then collects data using all available collection methods and stores it in the specified zip file. The <DomainName> parameter should be replaced with the name of the domain, and <OutputFileName> should be replaced with the name of the output file.

After running the Ingestor, we can import the collected data into BloodHound. To do this, we need to start the Neo4j database, launch the BloodHound client and import the data. The following commands start the database and the client; the zip file is then imported with the client's Upload Data button, or by dragging the file onto the graph window:

  • neo4j console
  • .\BloodHound --no-sandbox
The --no-sandbox parameter is required to disable the sandbox mode of the BloodHound client, which is used to prevent malicious code from being executed.

Once the data is imported, we can start using BloodHound to analyze the AD environment. The main interface of BloodHound is a graph that shows the relationships between various objects in the AD environment. The graph can be navigated using the mouse and keyboard, and various filters and search options are available to help find specific objects.

One of the most useful features of BloodHound is the ability to identify potential attack paths in the AD environment. To do this, we can use the AttackPath feature, which shows the shortest path from a user to a target object with the highest level of privileges. For example, if we want to find the shortest path from a user named user1 to the Domain Admins group, we can use the following steps:
  1. Search for the user1 object in BloodHound.
  2. Right-click on the user1 object and select Find Attack Paths.
  3. In the AttackPath window, select the Domain Admins group as the target object and click Start.
BloodHound will then analyze the AD environment and show the shortest path from user1 to the Domain Admins group. This can be useful for identifying potential attack vectors and finding ways to improve the security of the AD environment.

Another useful feature of BloodHound is the ability to analyze the permissions of individual objects in the AD environment. For example, if we want to find all the objects that have the GenericAll permission, we can use the following steps:

  1. Click on the Nodes tab in BloodHound.
  2. Click on the Permissions button.
  3. In the Permissions window, select GenericAll from the dropdown menu and click Search.
BloodHound will then show all the objects in the AD environment that have the GenericAll permission. This can be useful for identifying potentially risky objects and ensuring that their permissions are properly configured.
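
The two workflows above (shortest path from a user to Domain Admins, and finding who holds GenericAll) can be reproduced outside the GUI. The following is an added example and not BloodHound's or SharpHound's code: it walks a small constructed edge list in the shape BloodHound draws, finds the shortest path by breadth-first search, and goes one step further than the page by reversing the graph to list every principal with any path to Domain Admins, which is the set a defender reviews when pruning GenericAll grants. All account and host names are invented.

```python
"""BloodHound-style graph walk: shortest path to a target and who can reach it.
Added example, not BloodHound/SharpHound code; EDGES is a constructed sample in
the shape BloodHound draws (source, edge type, target) and every name is invented."""
from collections import defaultdict, deque

EDGES = [  # constructed; a real graph comes from SharpHound's JSON output
    ("USER1@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "GenericAll", "SVC_BACKUP@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("USER1@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("WS01.CORP.LOCAL", "HasSession", "USER2@CORP.LOCAL"),
    ("USER2@CORP.LOCAL", "MemberOf", "SERVER ADMINS@CORP.LOCAL"),
    ("SERVER ADMINS@CORP.LOCAL", "GenericAll", "DOMAIN ADMINS@CORP.LOCAL"),
    ("USER3@CORP.LOCAL", "AdminTo", "WS02.CORP.LOCAL"),  # dead end: never reaches DA
]

def shortest_path(edges, start, target):
    """BFS over directed edges; returns [(src, edge_type, dst), ...] or None."""
    graph = defaultdict(list)
    for src, kind, dst in edges:
        graph[src].append((kind, dst))
    parent, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:  # rebuild the hop list by walking parents backwards
            path = []
            while parent[node]:
                src, kind = parent[node]
                path.append((src, kind, node))
                node = src
            return path[::-1]
        for kind, nxt in graph[node]:
            if nxt not in parent:
                parent[nxt] = (node, kind)
                queue.append(nxt)
    return None

def principals_reaching(edges, target):
    """Every principal with any path to target: the effective admin set to review."""
    reverse = defaultdict(list)
    for src, _, dst in edges:
        reverse[dst].append(src)
    seen, queue = {target}, deque([target])
    while queue:
        for src in reverse[queue.popleft()]:
            if src not in seen:
                seen.add(src)
                queue.append(src)
    return sorted(seen - {target})
```

With the sample graph, user1 reaches Domain Admins in three hops through the GenericAll edge on SVC_BACKUP, while the four-hop route through WS01 is ignored, and only USER3 and WS02 have no path at all.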

One more useful feature of BloodHound is the ability to identify and visualize domain trusts. Trusts are relationships between domains that allow users from one domain to access resources in another domain. To visualize domain trusts in BloodHound, we can use the following steps:
  1. Click on the Edges tab in BloodHound.
  2. Click on the Trusts button.
BloodHound will then show all the domain trusts in the AD environment, along with the direction of the trust and the type of trust (e.g. one-way or two-way). This can be useful for identifying potential attack vectors that involve exploiting trust relationships between domains.

In conclusion, BloodHound is a powerful tool for Red Teaming exercises that can help identify potential attack vectors in an Active Directory environment. By collecting and analyzing data from the AD environment, BloodHound can help identify privileged access paths, analyze permissions, and visualize domain trusts. While the tool has a steep learning curve, it is well worth the effort for those involved in Red Teaming exercises.

Tips and tricks that professional Red Teaming experts use with BloodHound

  • Start small: BloodHound can be overwhelming at first, so start by focusing on a few specific tasks, such as identifying high-privilege users or visualizing domain trusts. As you become more familiar with the tool, you can start exploring more advanced features.
  • Use filters: BloodHound allows you to filter nodes and edges based on various criteria, such as object type, permission type, or trust direction. Using filters can help you narrow down the data and focus on specific areas of interest.
  • Automate data collection: Collecting data from an AD environment can be time-consuming, so consider using automated tools such as PowerShell scripts or BloodHound's built-in collection methods to speed up the process.
  • Use custom queries: BloodHound allows you to write custom queries using the Cypher query language. This can be useful for performing complex searches or identifying specific types of objects.
  • Work collaboratively: BloodHound can be used by multiple team members simultaneously, so consider working collaboratively to share insights and findings. You can also use BloodHound's tagging and commenting features to document your work and communicate with your team.
  • Keep up-to-date: BloodHound is constantly evolving, so make sure to stay up-to-date with the latest releases and features. Follow the BloodHound GitHub repository and community forums to stay informed about updates and best practices.

Advanced real-world examples of using BloodHound in a Red Teaming exercise

  • Identifying lateral movement paths: BloodHound can be used to identify potential paths that an attacker could use to move laterally through an AD environment. By analyzing group membership and permission relationships, BloodHound can identify user accounts and computers that have access to sensitive resources, and can help identify potential paths for an attacker to take.
For example, a Red Teamer could use BloodHound to identify a high-privilege user who has local administrator rights on a domain controller, and then identify other computers or user accounts that this user has access to. By doing this, the Red Teamer can identify potential paths for lateral movement within the AD environment.
  • Identifying privilege escalation paths: BloodHound can also be used to identify potential paths for privilege escalation within an AD environment. By analyzing group membership and permission relationships, BloodHound can identify users and computers that have elevated privileges, and can help identify potential paths for an attacker to escalate their privileges.
For example, a Red Teamer could use BloodHound to identify a user account that has write access to a sensitive file share, and then identify other user accounts that have read access to the same file share. By doing this, the Red Teamer can identify potential paths for an attacker to escalate their privileges and gain access to sensitive data.
  • Visualizing trust relationships: BloodHound can be used to visualize trust relationships between different domains in an AD environment. By analyzing trust relationships, BloodHound can identify potential attack vectors that involve exploiting trust relationships.
For example, a Red Teamer could use BloodHound to identify two domains that have a two-way trust relationship, and then identify user accounts or computers that have access to resources in both domains. By doing this, the Red Teamer can identify potential paths for lateral movement or privilege escalation that involve exploiting the trust relationship between the two domains.

BeRoot

BeRoot (also known as "WinPwnage") is a post-exploitation tool used to escalate privileges in Windows systems. It is designed to be used by red teams and penetration testers to demonstrate the risk of privilege escalation attacks in Windows environments. In this practical guide, we will go through the steps required to use BeRoot for privilege escalation, with an example.

Step 1: Obtain BeRoot
The first step is to download BeRoot from GitHub. BeRoot is an open-source tool and is available for free on GitHub. You can clone or download the repository from the following link: https://github.com/AlessandroZ/BeRoot

Step 2: Transfer BeRoot to the Target Machine
After obtaining BeRoot, the next step is to transfer it to the target machine. This can be done using various methods, such as file transfer protocols like FTP or SMB, or by using a reverse shell.

Step 3: Execute BeRoot
Once BeRoot has been transferred to the target machine, the next step is to execute it. This can be done by running the following command in a command prompt or PowerShell:
C:\Path\To\BeRoot.bat
This will launch BeRoot and start the privilege escalation process.

Step 4: Analyze the Output
As BeRoot runs, it will output various messages to the command prompt or PowerShell window. These messages will provide information about the current privilege level, as well as any vulnerabilities that BeRoot has identified.

Step 5: Exploit Vulnerabilities
Based on the output of BeRoot, you can identify vulnerabilities that can be exploited to escalate privileges. BeRoot provides various methods for privilege escalation, such as exploiting weak permissions on files and directories, exploiting weak registry permissions, exploiting weak service permissions, and more.

Step 6: Escalate Privileges
Once you have identified vulnerabilities that can be exploited, the next step is to escalate privileges. BeRoot provides various methods for privilege escalation, depending on the vulnerability being exploited. For example, if weak permissions on a file are being exploited, BeRoot can use the file to execute code with higher privileges.

Tips and tricks that professional Red Teaming experts use with BeRoot

  • Understand the tool's capabilities: BeRoot is a tool that is designed to provide a stealthy way to gain system-level access to a Windows system. Before using BeRoot in a Red Teaming exercise, it's important to understand how the tool works and what its capabilities are.
  • Use it in combination with other tools: BeRoot is just one tool in a Red Teamer's toolkit. To maximize its effectiveness, it should be used in combination with other tools, such as Mimikatz or Metasploit, to achieve specific objectives.
  • Choose the right version: BeRoot has several different versions, each designed for a specific version of the Windows operating system. Before using BeRoot, it's important to choose the version that is appropriate for the target system.
  • Customize the tool: BeRoot is an open-source tool, which means that it can be customized to suit the needs of a particular Red Teaming exercise. For example, the tool can be modified to use a different port for communication, or to encrypt its traffic.
  • Stay under the radar: BeRoot is designed to be stealthy, so it's important to use it in a way that avoids detection. This may involve using techniques such as steganography or obfuscation to hide the tool's presence.
  • Test the tool thoroughly: Before using BeRoot in a Red Teaming exercise, it's important to test it thoroughly to ensure that it works as expected. This may involve setting up a test environment and running a series of tests to ensure that the tool is effective and reliable.

Advanced real-world examples of using BeRoot in a Red Teaming exercise

Let's take a simple example of how BeRoot can be used to escalate privileges on a Windows machine.

Suppose that you have obtained access to a Windows machine with a low-privileged user account. After gaining access, you run BeRoot and analyze the output. BeRoot identifies a vulnerability in the permissions of the "C:\Windows\System32\config" directory. Specifically, it finds that the permissions allow write access for all authenticated users.
Using this vulnerability, BeRoot can escalate privileges by creating a new user account with administrative privileges. To do this, you can run the following command in a command prompt or PowerShell:
  • C:\Path\To\BeRoot.bat -r C:\Windows\System32\config\ -c "net user hacker hacker123 /add && net localgroup Administrators hacker /add"
This command creates a new user account named "hacker" with the password "hacker123", and adds it to the local Administrators group. This gives you administrative privileges on the machine, which can be used to further exploit and pivot within the network.
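
The same misconfiguration can be checked from the defender's side before a tool like BeRoot ever finds it. The block below is an added example, not BeRoot's code: it parses the text that `icacls <path>` prints (the sample is constructed but uses the real icacls layout) and reports every ACE that grants a write right to Authenticated Users, Everyone or BUILTIN\Users, which is exactly what the finding above describes for C:\Windows\System32\config.

```python
"""Flag directories whose ACL lets a broad group write (added example, not BeRoot code).
Parses the text printed by `icacls <path>`; SAMPLE is constructed but keeps icacls'
real layout, where continuation ACEs are padded to column len(path) + 1."""
import re

BROAD_PRINCIPALS = {"NT AUTHORITY\\Authenticated Users", "Everyone", "BUILTIN\\Users"}
# icacls rights that allow changing the object or creating children under it.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "DC", "GW", "GA"}
# Single-ACE line: path, one space, principal (at most one backslash), then rights.
LINE_RE = re.compile(r"^(?P<path>.+?) (?:Everyone|CREATOR OWNER|[^:\\]+\\[^:\\]+):(?:\([^)]*\))+\s*$")
ACE_RE = re.compile(r"^\s*(?P<who>[^:]+):(?P<rights>(?:\([^)]*\))+)\s*$")

SAMPLE = "\n".join([  # constructed icacls output for two directories
    "C:\\Windows\\System32\\config NT AUTHORITY\\SYSTEM:(I)(F)",
    " " * 27 + "BUILTIN\\Administrators:(I)(F)",
    " " * 27 + "NT AUTHORITY\\Authenticated Users:(OI)(CI)(M)",
    "C:\\Program Files\\App BUILTIN\\Users:(I)(RX)",
    "Successfully processed 2 files; Failed processing 0 files",
])

def _rights(flags):
    """'(OI)(CI)(M)' -> {'OI', 'CI', 'M'}; comma lists such as '(RX,W)' are split too."""
    return {r for grp in re.findall(r"\(([^)]*)\)", flags) for r in grp.split(",") if r}

def parse_icacls(text):
    """Return {path: [(principal, rights_set), ...]} from icacls output."""
    blocks, acls = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        if line[0] == " ":  # indented line: another ACE of the current object
            blocks[-1].append(line)
        else:
            blocks.append([line])
    for first, *rest in blocks:
        if rest:  # the continuation indent tells us where the path ends
            indent = len(rest[0]) - len(rest[0].lstrip())
            path, first_ace = first[:indent - 1], first[indent:]
        else:  # one ACE only: fall back to the regex split
            path = LINE_RE.match(first)["path"]
            first_ace = first[len(path) + 1:]
        acls[path] = [(m["who"], _rights(m["rights"]))
                      for m in map(ACE_RE.match, [first_ace, *rest])]
    return acls

def writable_by_broad_principals(acls):
    """[(path, principal, sorted write rights)] for every ACE a defender should review."""
    return [(path, who, sorted(rights & WRITE_RIGHTS))
            for path, entries in acls.items()
            for who, rights in entries if who in BROAD_PRINCIPALS and rights & WRITE_RIGHTS]
```

On the sample, only the config directory is reported (Authenticated Users with Modify), while the BUILTIN\Users read-and-execute entry on the second directory is correctly ignored.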

In conclusion, BeRoot is a powerful tool for demonstrating the risk of privilege escalation attacks in Windows environments. By identifying vulnerabilities and exploiting them, BeRoot can escalate privileges and provide a clear demonstration of the risks associated with weak security configurations. However, it should be noted that BeRoot should only be used in controlled environments by authorized personnel, as it can cause damage if used improperly.


