Bloodhound and Active Directory fortifying mechanism

  1. 1 purpose In Active Directory exploitation, a basic step is the analysis of Group Policy Objects (GPOs). A key stage is the examination of Group Policy Objects (GPOs). For the most part, this movement is planned for recognizing the following:
  • Local group membership.
  • Misconfigurations that could allow further compromise, such as lack of SMB signing.
  • Password policies
  • Opportunities for lateral movement via misconfigurations of remote access policies and UAC
  • Privilege Assignment
  • Local Administrators
  • Sessions
  • ACL’s
  • Unconstrained delegation
  • Shorten paths to domain admins
  • User’s name
  • Computer’s name
  • Group’s name
  • Domain’s name
  • Owned — This node can be compromised using LLMNR, Mimi Katz, and Password reuse.
  • Wave — The number speaking to the request where this hub was possessed (ex: 1, 2, 3, etc.)
Fig-1: Representation of connection to nodes.
Fig-2: Representation of the shortest attack path defined using Bloodhound.
Fig-3: Vulnerable system path identification
Fig-4: Admin and Member vulnerable path.
Fig-5: Custom query tab
  • Locate all possessed Domain Admins: Same as the “Discover all Domain Admins” inquiry, yet rather just show Users with the claimed property.
  • Find Shortest Paths from claimed hub to Domain Admins: Same as the “Find Shortest Paths to domain Admins” inquiry, yet rather just show ways starting from a possessed hub.
  • Show wave: Show just the hubs traded off in a chose wave. Valuable for concentrating in on recently undermined hubs.
  • Show delta for wave: Show all undermined hubs up to a chose wave, and will feature the hubs picked up in that wave. Valuable for picturing benefit gains as access extends.

Wanna connect:



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store