2025-02-15
BloodHound is an indispensable tool for identifying privilege escalation paths in Active Directory (AD) environments. However, one common issue users face is the small font size and cluttered graph edges, which can strain the eyes. To address this, BHQC (BloodHound Query Converter) is a game-changer. It extracts critical information from BloodHound and presents it directly in your terminal, making analysis faster and more efficient.
Key Features of BHQC:
- SPNs (Service Principal Names): Identify accounts with SPNs for potential Kerberoasting attacks.
- AS-REP Roastable Accounts: Detect accounts with Kerberos pre-authentication disabled.
- Constrained Delegation: Find accounts configured for constrained delegation, which can be exploited.
- DACLs (Discretionary Access Control Lists): Analyze DACLs for misconfigurations that could lead to privilege escalation.
- Non-Admins with DCSYNC Privileges: Highlight non-admin accounts with dangerous DCSYNC rights.
Practical Commands and Usage:
1. Install BHQC:
git clone https://github.com/your-repo/bhqc.git
cd bhqc
pip install -r requirements.txt
2. Run BHQC with BloodHound Data:
python bhqc.py -f bloodhound_data.json
3. Filter Specific Data (e.g., AS-REP Roastable Accounts):
python bhqc.py -f bloodhound_data.json --asreps
4. Export Results to a File:
python bhqc.py -f bloodhound_data.json --output results.txt
Example Output:
[plaintext]
AS-REP Roastable Accounts:
– [email protected]
– [email protected]
Constrained Delegation:
– [email protected] -> MSSQLSvc/db.domain.com
DCSYNC Privileges:
– [email protected]
[/plaintext]
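The filtering behind a report like the one above can be sketched as follows. This is an added example, not BHQC's code: it reads a SharpHound-style users export and groups accounts by the Kerberos settings that need review, so they can be queued for remediation. The JSON layout and the property names (`dontreqpreauth`, `hasspn`, `serviceprincipalnames`, `allowedtodelegate`, `enabled`) are assumed from SharpHound's user output, and the sample records are constructed.

```python
import json

# Constructed sample in the assumed shape of a SharpHound users export:
# {"meta": {...}, "data": [{"Properties": {...}}, ...]}. All names are made up.
SAMPLE = json.dumps({
    "meta": {"type": "users", "count": 4},
    "data": [
        {"Properties": {"name": "SVC_SQL@EXAMPLE.LOCAL", "enabled": True,
                        "hasspn": True, "dontreqpreauth": False,
                        "serviceprincipalnames": ["MSSQLSvc/db.example.local:1433"],
                        "allowedtodelegate": ["MSSQLSvc/db.example.local"]}},
        {"Properties": {"name": "LEGACY_APP@EXAMPLE.LOCAL", "enabled": True,
                        "hasspn": False, "dontreqpreauth": True}},
        {"Properties": {"name": "OLD_SVC@EXAMPLE.LOCAL", "enabled": False,
                        "hasspn": True, "dontreqpreauth": True,
                        "serviceprincipalnames": ["HTTP/old.example.local"]}},
        {"Properties": {"name": "ALICE@EXAMPLE.LOCAL", "enabled": True}},
    ],
})


def audit_users(raw, include_disabled=False):
    """Group user accounts by the Kerberos settings that need review."""
    findings = {"asrep_roastable": [], "spn_accounts": [], "constrained_delegation": []}
    for obj in json.loads(raw).get("data", []):
        props = obj.get("Properties") or {}
        name = props.get("name")
        if not name:
            continue  # skip malformed records instead of failing the whole run
        if not include_disabled and not props.get("enabled", True):
            continue  # disabled accounts are reported only on request
        if props.get("dontreqpreauth"):
            findings["asrep_roastable"].append(name)
        if props.get("hasspn"):
            findings["spn_accounts"].append((name, props.get("serviceprincipalnames") or []))
        for target in props.get("allowedtodelegate") or []:
            findings["constrained_delegation"].append((name, target))
    return findings


if __name__ == "__main__":
    for category, rows in audit_users(SAMPLE).items():
        print(f"{category}:")
        for row in rows:
            print("  -", row if isinstance(row, str) else f"{row[0]} -> {row[1]}")
```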
What Undercode Say:
BloodHound remains a cornerstone in AD security assessments, but its usability can be improved with tools like BHQC. By leveraging BHQC, security professionals can streamline their analysis, reduce eye strain, and focus on critical attack vectors. Here are some additional commands and tips to enhance your AD security practices:
- Kerberoasting Attack:
GetUserSPNs.py -request -dc-ip 192.168.1.1 domain.com/user
- Check for AS-REP Roastable Accounts:
Get-NetUser -PreauthNotRequired -Domain domain.com
- Detect Constrained Delegation Misconfigurations:
Get-DomainUser -TrustedToAuth -Domain domain.com
- Audit DACLs for Sensitive Objects:
Get-ObjectAcl -Identity "CN=Admin,DC=domain,DC=com" -ResolveGUIDs
- Identify DCSYNC Privileges:
# With -ResolveGUIDs the replication rights appear in ObjectAceType (ObjectType in older PowerView releases); ActiveDirectoryRights only shows ExtendedRight.
Get-ObjectAcl -Identity "DC=domain,DC=com" -ResolveGUIDs | ? { $_.ObjectAceType -match "DS-Replication-Get-Changes" }
For further reading and advanced techniques, refer to the following resources:
- BloodHound Official Documentation
- BHQC GitHub Repository
- Active Directory Security Best Practices
By integrating BHQC into your workflow, you can significantly enhance your AD security assessments and ensure a more efficient and effective privilege escalation analysis.
References:
Hackers Feeds, Undercode AI