Mapping the Network Using SharpHound
BloodHound is the de facto tool for mapping the network during the post-exploitation phase of an internal assessment. BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.
Earlier, BloodHound used a PowerShell (v2) script as its ingestor to enumerate all the information. But this .ps1 script lacked threading capabilities, which play an important role in mapping large networks. So SharpHound, a C#-based ingestor, was later introduced; it overcomes these limitations and maps the network seamlessly.
Let's see how to use this tool. Suppose you have compromised valid internal domain user credentials and want to map the network to find a path to privileged users. Download the latest SharpHound binary; from the attacker machine you can connect to the domain by typing runas.exe /netonly /user:<DOMAIN>\Username cmd.exe. If the credentials are correct, a new command prompt is launched with the compromised user's privileges. In the newly opened prompt, type the command shown below, where the IP address is the DC's IP and -c All selects all collection methods (Group, LocalGroup, Session, LoggedOn, ComputerOnly, Trusts, ACL, ObjectProps, Container).
SharpHound also has some new collection methods that generate fewer requests over the wire:
Stealth - Performs stealth collection methods. All stealth options are single-threaded.
ExcludeDc - Excludes domain controllers from session enumeration (avoids Microsoft ATA flags :) )
Running the above command generates multiple CSVs with all the data. But if you want to enumerate more sessions in the network, SharpHound has a new collection method called SessionLoop. It runs the session collection loop indefinitely (until you stop it), and you will see the sessions.csv file grow in size. This method enumerates a greater number of sessions over the network, and in turn more paths to derivative admins.
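From the defender's side, a Session or SessionLoop sweep shows up as one account opening network logons (Security event 4624, logon type 3) to many distinct hosts in a short window. The script below, added here as an example and not part of the original post or the SharpHound project, runs that check over a constructed log sample; the log layout, account and host names, and the window/threshold values are assumptions.

```python
"""Flag accounts that open network logons to many distinct hosts in a short
window, the footprint a SharpHound Session/SessionLoop sweep leaves in
Security event 4624 (logon type 3). Log layout, names and thresholds below
are constructed/assumed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp event_id logon_type account source_ip target_host"
SAMPLE_LOG = "\n".join(
    [f"2024-03-01T09:00:{i:02d} 4624 3 CORP\\jdoe 10.0.5.23 WS{i:02d}" for i in range(1, 13)]
    + ["2024-03-01T09:10:00 4624 3 CORP\\asmith 10.0.5.40 FS01",
       "2024-03-01T10:05:00 4624 3 CORP\\asmith 10.0.5.40 PRINT01",
       "2024-03-01T09:00:05 4624 2 CORP\\jdoe 10.0.5.23 WS01"]  # interactive logon, ignored
)

def parse_events(text):
    """Return (time, account, source_ip, host) tuples for network logons only."""
    events = []
    for line in text.splitlines():
        ts, event_id, logon_type, account, src, host = line.split()
        if event_id == "4624" and logon_type == "3":
            events.append((datetime.fromisoformat(ts), account, src, host))
    return events

def find_sweeps(events, window=timedelta(minutes=5), min_hosts=10):
    """Return {(account, source_ip): peak_distinct_hosts} for every pair that
    reached at least min_hosts distinct targets inside one sliding window."""
    by_actor = defaultdict(list)
    for ts, account, src, host in events:
        by_actor[(account, src)].append((ts, host))
    hits = {}
    for actor, rows in by_actor.items():
        rows.sort()  # chronological, so every later row is >= the window start
        peak = 0
        for i, (start, _) in enumerate(rows):
            hosts = {h for t, h in rows[i:] if t - start <= window}
            peak = max(peak, len(hosts))
        if peak >= min_hosts:
            hits[actor] = peak
    return hits

if __name__ == "__main__":
    for (account, src), n in find_sweeps(parse_events(SAMPLE_LOG)).items():
        print(f"possible session sweep: {account} from {src} touched {n} hosts")
```

Tune the window and threshold to your environment; a monitoring or backup account that legitimately fans out to many hosts needs an allow-list entry rather than a lower threshold.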
Now you can take all the generated CSVs and import them into the BloodHound UI to draw the different mappings and find derivative admins. If you have never installed BloodHound, you can install it using the standalone PowerShell script by @SadProcessor on Windows 10 (64-bit).