
AD Attack Path Discovery

How to find exploitable active directory paths.


Last updated 11 months ago

BloodHound

BloodHound can be used to map the relationships within Active Directory environments. It works by collecting data from any associated domain controllers and domain-joined Windows systems, and then plots the relationships within a queryable Neo4j graph. Attack paths can then be visualised.

BloodHound works by using a data collector and an analysis tool.

SharpHound Collector

To compile the Active Directory objects and relationships, a BloodHound collector needs to be run within the target Active Directory environment. Typically SharpHound, a C# data collector, is used.

SharpHound will create several JSON files to use with the BloodHound analysis tool. The following command will execute SharpHound and collect all types of data:

SharpHound.exe --collectionmethods All

  • Python Collector (Python)

  • RustHound (Rust)

Analysis

Once collection has finished and the Active Directory data has been compiled, it can be uploaded into the BloodHound analysis tool. Once uploaded, BloodHound will do the following things:

  • Map out the paths between Active Directory objects

  • Execute in-built queries to find common attack paths

To ensure the best use of BloodHound, the following should be conducted:

  • Execute custom queries to find other attack paths

  • Mark nodes as "high value" or "owned" for best attack path finding
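The analysis steps above (map relationships, query for paths, mark nodes as "owned" or "high value") all reduce to searching a directed graph. The following is an added example, not code from BloodHound or this wiki: a small Python script that loads a constructed, simplified edge list (the JSON shape and the domain EXAMPLE.LOCAL are assumptions, not SharpHound's real output format), marks nodes as owned and high value, and runs a breadth-first search to find the shortest path between them. The output lists each relationship on the path, which is exactly what an AD administrator needs in order to remove the misconfiguration that creates it.

```python
"""Toy attack-path search over a constructed BloodHound-style edge list.

Added example; not BloodHound's or SharpHound's code. The JSON below is a
constructed, simplified shape (source, target, relationship kind) and does
not reproduce SharpHound's real output schema.
"""
import json
from collections import deque

# Constructed sample data for a hypothetical domain EXAMPLE.LOCAL.
SAMPLE_EDGES_JSON = """
[
  {"source": "ALICE@EXAMPLE.LOCAL",      "target": "HELPDESK@EXAMPLE.LOCAL",      "kind": "MemberOf"},
  {"source": "HELPDESK@EXAMPLE.LOCAL",   "target": "WS01.EXAMPLE.LOCAL",          "kind": "AdminTo"},
  {"source": "WS01.EXAMPLE.LOCAL",       "target": "BOB@EXAMPLE.LOCAL",           "kind": "HasSession"},
  {"source": "BOB@EXAMPLE.LOCAL",        "target": "SRV-ADMINS@EXAMPLE.LOCAL",    "kind": "MemberOf"},
  {"source": "SRV-ADMINS@EXAMPLE.LOCAL", "target": "DOMAIN ADMINS@EXAMPLE.LOCAL", "kind": "GenericAll"},
  {"source": "CAROL@EXAMPLE.LOCAL",      "target": "SALES@EXAMPLE.LOCAL",         "kind": "MemberOf"}
]
"""


def load_graph(edges_json):
    """Build an adjacency map: node -> list of (neighbour, relationship kind)."""
    graph = {}
    for edge in json.loads(edges_json):
        graph.setdefault(edge["source"], []).append((edge["target"], edge["kind"]))
        graph.setdefault(edge["target"], [])  # make sure sinks exist as nodes
    return graph


def shortest_path(graph, start, high_value):
    """Breadth-first search from `start` to any node in `high_value`.

    Returns the path as a list of (node, kind) pairs, where `kind` is the
    relationship used to reach that node (None for the start node), or None
    when no path exists.
    """
    queue = deque([start])
    parent = {start: None}  # node -> (previous node, relationship kind)
    while queue:
        node = queue.popleft()
        if node in high_value:
            path = []
            while node is not None:
                prev = parent[node]
                path.append((node, prev[1] if prev else None))
                node = prev[0] if prev else None
            return list(reversed(path))
        for nxt, kind in graph.get(node, []):
            if nxt not in parent:  # first visit is the shortest in BFS
                parent[nxt] = (node, kind)
                queue.append(nxt)
    return None


def find_paths(graph, owned, high_value):
    """For every 'owned' node, return its shortest path to a high-value node (or None)."""
    targets = set(high_value)
    return {node: shortest_path(graph, node, targets) for node in owned}


def format_path(path):
    """Render a path with BloodHound-style edge labels: A -[MemberOf]-> B -[AdminTo]-> C."""
    text = path[0][0]
    for node, kind in path[1:]:
        text += f" -[{kind}]-> {node}"
    return text


if __name__ == "__main__":
    g = load_graph(SAMPLE_EDGES_JSON)
    owned = ["ALICE@EXAMPLE.LOCAL", "CAROL@EXAMPLE.LOCAL"]
    high_value = ["DOMAIN ADMINS@EXAMPLE.LOCAL"]
    for start, path in find_paths(g, owned, high_value).items():
        if path is None:
            print(f"{start}: no path to a high-value node")
        else:
            # Every edge printed here is a relationship a defender can review and remove.
            print(f"{start}: {format_path(path)}")
```

Each hop in the printed path corresponds to one relationship collected by SharpHound (group membership, local admin rights, a logged-on session, an ACL right), so the remediation question for each path is simply which of those edges can be removed; the BloodHound GUI answers the same question over a far larger graph with Cypher queries instead of this toy BFS.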

For more information on using the analysis tooling, as well as SharpHound, see the official docs:

https://github.com/BloodHoundAD/BloodHound
https://github.com/BloodHoundAD/SharpHound
https://github.com/dirkjanm/BloodHound.py
https://github.com/NH-RED-TEAM/RustHound
https://bloodhound.readthedocs.io/en/latest/data-analysis/bloodhound-gui.html