
Extending BloodHound for Red Teamers

Tom Porter

Next month at SecTor, FusionX Red Team senior security consultant Tom Porter is presenting Extending BloodHound for Red Teamers, starting with what BloodHound is and what it does.

“Then I go into underlying components to teach the query language – Cypher – in a way that people don’t feel intimidated about making modifications or their own extensions,” Porter said. “I’ll show how I’ve adapted the UI to do something completely different – mapping network connections across an environment, playing with new and different data sources, that are not necessarily Active Directory-based.”

Porter uses the BloodHound UI to map connection information from netstat data, trying to identify watering holes on the network. He'll also show how to use it to find places to cross network segmentation boundaries.
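The netstat mapping described above, as an added example that is not Porter's code or part of the BloodHound project: it parses `netstat -ant` output collected from several hosts, turns each established connection into a directed client-to-service edge, ranks services by the number of distinct clients (the "watering hole" view, which a defender can read as a list of the most depended-upon assets), and renders the edges as Cypher MERGE statements for the Neo4j backend. The hostnames, addresses and ports in the sample are constructed, and the `Host` node label and `ConnectsTo` relationship type are assumed custom names rather than BloodHound's built-in schema. One edge case is handled explicitly: the same connection appears in both hosts' output, once on the client and once on the server side, so the parser uses each host's own LISTEN table to decide which side is the client and deduplicates.

```python
from collections import defaultdict

# Constructed sample: `netstat -ant` output as collected from three hosts
# (hostnames, addresses and ports are made up for this example).
NETSTAT_BY_HOST = {
    "WS01": """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.1.11:51222         10.0.1.50:445           ESTABLISHED
tcp        0      0 10.0.1.11:51223         10.0.1.50:445           ESTABLISHED
tcp        0      0 10.0.1.11:51300         10.0.2.70:1433          ESTABLISHED
""",
    "WS02": """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.1.12:49800         10.0.1.50:445           ESTABLISHED
tcp6       0      0 :::3389                 :::*                    LISTEN
""",
    "FS01": """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 10.0.1.50:445           10.0.1.11:51222         ESTABLISHED
tcp        0      0 10.0.1.50:445           10.0.1.12:49800         ESTABLISHED
tcp        0      0 10.0.1.50:60010         10.0.2.80:636           ESTABLISHED
""",
}


def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port); also works for IPv6 forms like ':::3389'."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port


def parse_host(text):
    """Parse one host's netstat output.

    Returns (listening_ports, connections) where connections are
    (local_addr, local_port, remote_addr, remote_port) tuples of ESTABLISHED sockets.
    """
    listening, conns = set(), []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header line or non-TCP entry
        laddr, lport = split_endpoint(fields[3])
        raddr, rport = split_endpoint(fields[4])
        state = fields[5]
        if state == "LISTEN":
            listening.add(lport)
        elif state == "ESTABLISHED":
            conns.append((laddr, lport, raddr, rport))
    return listening, conns


def build_edges(netstat_by_host):
    """Derive directed (client, server, port) edges from all hosts' output.

    Direction comes from the host's own LISTEN table: if the local port is one this
    host listens on, the remote side is the client; otherwise this host is the client.
    Using a set deduplicates the same connection seen from both ends.
    """
    edges = set()
    for text in netstat_by_host.values():
        listening, conns = parse_host(text)
        for laddr, lport, raddr, rport in conns:
            if lport in listening:
                edges.add((raddr, laddr, lport))  # inbound: remote host is the client
            else:
                edges.add((laddr, raddr, rport))  # outbound: this host is the client
    return edges


def rank_services(edges):
    """Count distinct clients per (server, port). Services with many clients are the
    candidate watering holes, and for a defender the assets to protect and monitor first."""
    clients = defaultdict(set)
    for client, server, port in edges:
        clients[(server, port)].add(client)
    return sorted(((s, p, len(c)) for (s, p), c in clients.items()),
                  key=lambda t: (-t[2], t[0], t[1]))


def to_cypher(edges):
    """Render edges as Cypher MERGE statements for BloodHound's Neo4j database.
    The `Host` label and `ConnectsTo` relationship are assumed custom names."""
    return [
        f"MERGE (a:Host {{name:'{client}'}}) MERGE (b:Host {{name:'{server}'}}) "
        f"MERGE (a)-[:ConnectsTo {{port:{port}}}]->(b)"
        for client, server, port in sorted(edges)
    ]


if __name__ == "__main__":
    edges = build_edges(NETSTAT_BY_HOST)
    for server, port, count in rank_services(edges):
        print(f"{server}:{port} <- {count} distinct client(s)")
    print("\n".join(to_cypher(edges)))
```

The Cypher statements can be pushed into the database with the Neo4j driver of your choice; the point of `rank_services` is that the ranking is available before anything touches the graph, so the same parser serves a quick command-line audit and a BloodHound import.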

Being a member of FusionX Red Team has shifted his mindset and how he operates. He’s noted that Blue Teamers are using BloodHound to harden their environments prior to Red Teams beginning their work.

“That’s why I want to do the education component— graph databases, how to put data in, get it out, and modify it to fit your workflow, whether you’re offensive or defensive,” he said. “My extensions are just one application of that process. If I can teach you how to change and use it for your benefit, you can build your own tools and extensions.”

The session reflects a shift that began with BloodHound: a move toward automating lateral movement, sometimes referred to as the industrialization of lateral movement.

“Import to GoFetch, which uses PowerShell to execute that attack path that you’ve exported from BloodHound… that’s one example of automation of lateral movement,” said Porter. “Another is DeathStar, written to automate an attack path. When you have a foothold in an environment, you need to either escalate or move laterally to achieve your objective. Bad guys need lateral movement when abusing users’ accounts.”
 
Some tools only query Domain Controllers, so their purview is limited to Active Directory; they don't look at local accounts.

Seeking to add value to the back-end BloodHound database, Porter would compromise a machine, dump the local user hashes, take a local admin password or hash, and test it against other machines. That would reveal a local admin password shared across the environment. He wanted a way to represent that path in BloodHound, so that he could hop from one computer to another.

In the same vein, he found that users reuse passwords across accounts, and he wanted a way to represent that in BloodHound as well.

“How can I look at underlying data structures and how BloodHound was using them, and then modify or add to those?” he asked. “By creating new properties and new relationships – giving a property to a node.”

He also added new custom queries. BloodHound has a section for custom queries, which are imported into the UI for you to try and use.

“When I compromise a node, I want to know what else I have access to. I also want to see the deltas in access after I compromise new nodes. Those are some of the things I built into the extensions. I’ve also modified the UI itself to change the displays to help you visually track a compromise.”
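The relationships and queries discussed from the shared-local-admin-password paragraph through the quote above, as an added example that is not Porter's extension or BloodHound project code: it derives `SharesLocalAdmin` edges between computers whose local administrator credential is the same and `SharesPassword` edges between accounts that reuse a password, adds them to a small in-memory graph alongside BloodHound's native `AdminTo` edge, computes what is reachable from a set of owned nodes and the delta after one more node is added, and emits the Cypher MERGE statements plus a custom query that lists the computers sharing a local admin credential, which is the list a blue team would hand to whoever is rolling out LAPS. The hostnames, usernames and credential "fingerprints" are constructed (a fingerprint is an opaque label standing in for a hash; no real hashes appear), `Computer`, `User`, `name` and `AdminTo` are BloodHound's own schema, and the two new relationship types are assumed custom names.

```python
import itertools
from collections import defaultdict, deque

# Constructed inventory (hosts, users and labels are made up for this example).
# A fingerprint is an opaque label standing in for a credential: two nodes with the
# same fingerprint share a password. No real hashes are used.
LOCAL_ADMIN_FINGERPRINT = {
    "WS01": "fp-A", "WS02": "fp-A", "WS03": "fp-A",   # three workstations, one local admin password
    "FS01": "fp-B", "SQL01": "fp-C",
}
USER_PASSWORD_FINGERPRINT = {
    "alice": "fp-P1", "alice_adm": "fp-P1",           # same person, same password on both accounts
    "bob": "fp-P2", "svc_backup": "fp-P3",
}
# BloodHound's native AdminTo edge (user -> computer), also constructed for this example.
ADMIN_TO = [("alice", "WS01"), ("alice_adm", "FS01"), ("bob", "WS02"), ("svc_backup", "SQL01")]


def derive_shared_edges(fingerprints, rel):
    """Pairwise (a, rel, b) edges between nodes with the same credential fingerprint.
    Serves both computers (SharesLocalAdmin) and users (SharesPassword)."""
    by_fp = defaultdict(list)
    for node, fp in fingerprints.items():
        by_fp[fp].append(node)
    return [(a, rel, b)
            for nodes in by_fp.values()
            for a, b in itertools.combinations(sorted(nodes), 2)]


def build_graph():
    """Adjacency list of the combined graph. Derived credential-sharing edges are
    symmetric (holding the credential works in either direction); AdminTo is
    directed user -> computer, as in BloodHound."""
    graph = defaultdict(set)
    derived = (derive_shared_edges(LOCAL_ADMIN_FINGERPRINT, "SharesLocalAdmin")
               + derive_shared_edges(USER_PASSWORD_FINGERPRINT, "SharesPassword"))
    for a, rel, b in derived:
        graph[a].add((rel, b))
        graph[b].add((rel, a))
    for user, computer in ADMIN_TO:
        graph[user].add(("AdminTo", computer))
    return graph


def reachable(graph, owned):
    """Every node reachable from the set of owned nodes (breadth-first search)."""
    seen, queue = set(owned), deque(owned)
    while queue:
        node = queue.popleft()
        for _, neighbour in graph.get(node, ()):
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen


def compromise_delta(graph, owned, new_node):
    """Nodes that become reachable only because new_node is added to the owned set.
    Returns an empty list when new_node was already reachable, so nothing changes."""
    before = reachable(graph, owned)
    after = reachable(graph, set(owned) | {new_node})
    return sorted(after - before)


def to_cypher(edges, label):
    """MERGE statements that add derived relationships to BloodHound's Neo4j graph.
    `label` is BloodHound's own Computer or User label; the relationship types are custom."""
    return [f"MERGE (a:{label} {{name:'{a}'}}) MERGE (b:{label} {{name:'{b}'}}) "
            f"MERGE (a)-[:{rel}]->(b)" for a, rel, b in edges]


# A custom query for BloodHound's custom-queries section: computers ranked by how many
# peers share their local admin credential, i.e. the first hosts to move onto unique passwords.
CUSTOM_QUERY = ("MATCH (a:Computer)-[:SharesLocalAdmin]-(b:Computer) "
                "RETURN a.name, count(DISTINCT b) AS peers ORDER BY peers DESC")


if __name__ == "__main__":
    g = build_graph()
    print("owned {bob} reaches:", sorted(reachable(g, {"bob"})))
    print("delta after adding alice:", compromise_delta(g, {"bob"}, "alice"))
    print("\n".join(to_cypher(derive_shared_edges(LOCAL_ADMIN_FINGERPRINT, "SharesLocalAdmin"), "Computer")))
    print(CUSTOM_QUERY)
```

Run against the constructed data, owning `bob` alone reaches WS02 and, through the shared local admin credential, WS01 and WS03; adding `alice` exposes `alice_adm` via password reuse and from there FS01, while adding a workstation that is already reachable produces an empty delta. That delta view is what the quote above describes, and read from the defensive side it shows exactly which credential-reuse edges to cut first.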