Automated Information Gathering

SharpHound

You can run sharphound in loop to gain additional data.

You can get sharphound from here:https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1

Import SharpHound:

Import-Module .\Sharphound.ps1

Collect data:

Invoke-BloodHound -CollectionMethod All -OutputDirectory <SAVE_DIRECTORY_PATH> -OutputPrefix "audit"

LDAPDomainDump

Make and enter the directory to store output.

mkdir contoso.com && cd contoso.com

Run LDAPDomainDump.

sudo ldapdomaindump ldap://<victim_ip> -u '<domain\<user>' -p '<password>'

Bloodhound

Neo4j is required to run Bloodhund. Click the link from command output.

sudo neo4j console

Run Bloodhound:

sudo bloodhound

In bloodhound you can access data using custom queries. Sample queries:

MATCH (m:Computer) RETURN m # get computers
MATCH (m:User) RETURN m # get users

Cheatsheet: https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/

Run Bloodhound-python:

sudo bloodhound-python -d contoso.com -u user -p Password1 -ns 10.10.10.10 -c all # ns = nameserver

Then import the data into Bloodhound.

In order to exploit security flaws you may need the PowerView module on the victims machine.

Import-Module ./PowerView.ps1

Plumhound

You can enumerate the domain using Plumhound tool and get response in format of html file.

See if the Plumhound works properly:

sudo python3 PlumHound.py --easy -p neo4j1 # change neo4j1 to password that you set during Bloodhound set up

Execute tasks:

sudo python3 PlumHound.py -x tasks/default.tasks --easy -p neo4j1 # change neo4j1 to password that you set during Bloodhound set up

PingCastle

Another tool for domain enumeration. Useful after compromising the machine.

Just run the pingcastle.exe.

Download link: https://www.pingcastle.com/download/