• SharpHound: Evolution of the BloodHound Ingestor

    September 19, 2017 - 11 minute read
    Intro Over the past few months, the BloodHound team has been working on a complete rewrite of the C# ingestor. One of the biggest problems end users encountered was with the current (soon to be replaced) PowerShell ingestor, particularly in speed of enumeration as well as crippling memory usage. In moderately sized environments, the ingestor would happily eat up gigabytes of memory. There’s lots of reasons for this, almost all to do with the limitations of using PowerShell V2 as the base language. Limitations of the Current Ingestor A huge problem with the current ingestor is that...
    -
    bloodhound
  • BloodHound: Intro to Cypher

    February 19, 2017 - 12 minute read
    Intro One of the most overlooked features of BloodHound is the ability to enter raw Cypher queries directly into the user interface. Likely, a lot of that has to do with the fact that it’s not a very emphasized feature, not to mention it requires learning Cypher. However, with a bit of work, using raw Cypher queries can let you manipulate and examine BloodHound data in custom ways that will help you further understand your network or identify interesting relationships. What is Cypher? Just like SQL exists for MSSQL and other databases, the Neo4j graph database has its...
    -
    bloodhound
  • MS14-068 and KrbCredExport

    March 30, 2015 - 6 minute read
    Intro On a past assessment, we found a Domain Controller that was vulnerable to the infamous MS14-068 exploit. While trying to get the exploit working properly, we ran into some random issues that we had to work through. I wanted to document the process we used for successful exploitation, as well as the fixes we developed along the way. I don’t intend to go in depth on exactly how MS14-068 works. If you want a detailed explanation, you can find a fantastic one here. At a high level, the logic that verifies the cryptographic signing of a certain...
    -
    tradecraft