Hacking with Bloodhound: Map Your Environment

Captions
Hey everyone, thanks so much for tuning in. Look, I am super excited to be chatting with Andy and Justin over at SpecterOps, who are doing absolutely incredible research and great things, and I'll admit I'm a little bit of a fanboy. I was so excited when we got a chance to hang out and banter for a bit. But Andy, Justin, I'm curious, what are you guys up to, what's going on, and what are the, I don't know, any things you got, some tricks up your sleeve we could dig into?

Yeah, so there's a lot going on. I think for me the headline is all about BloodHound Community Edition. We'll talk about BloodHound Enterprise later; Justin can talk about that stuff. But what I'm excited about is BloodHound Community Edition, which is the free version of BloodHound. It's the evolution of the free version of BloodHound that we initially released back in 2016. There's a lot to love about it. There's a lot of pain that it has solved for us internally, which means faster development time, easier deployment, easier development, just all positives. We also honestly look at it as a way of giving back to the community as well, because yes, we have BloodHound Enterprise, yes, we make money off of that software. However, BloodHound Community Edition is actually kind of a ground-up rewrite of BloodHound, and it's now derivative of that Enterprise code base. So all of the great enterprise-grade, enterprise-quality features that you would expect for legitimate, actual software made by real software engineers (not me), you can expect with BloodHound Community Edition. So there's a lot to love about it. I've got a couple cool things I think that your viewers might want to look at. I guess before I show any of that, does that kind of set the stage pretty well, do you think?

Totally. Look, I am more than happy, like, I'd love to tee you up for some of those demos. But could you actually maybe even just level set, if folks are tuning in, like, hey, what the heck is that word BloodHound? What is that, what are you using it for? And I know, look, the new Community Edition launch and release was something we're super excited about, and that was pretty recent. I don't know, was that Black Hat time, around then? But super stoked to see how much easier it is now, and just the fact that, like you mentioned, look, it's free, it's accessible to everyone, and it's giving back to the community. I know tons of penetration testers and even defenders, like, hey, blue team folks that are like, I want to use BloodHound as my knee-jerk reaction in an environment just to see the lay of the land. But I'll let you color the picture if you'd like.

Sure. So what do you think, like, should I explain kind of what BloodHound is in the first place and what problem we set out to solve?

Let's do it, and if you've got any visuals along the way that would be super cool, but all you.

Yeah, well, why don't we, you know, like in Wayne's World when they're like, "dude," so like flashback back to like 2010 to 2015, that era of pen testing and red teaming. So I'm old enough that I was around back then, Justin is old enough that he was around back then, some of your viewers probably are, you know, from that time as well. Back then it was like MS08-067. For a while it was like you get into a network, you throw MS08-067, you're done, right? The report: the client needs better vuln management, patch management, you're done. That kind of started to go away after a while as vuln management, patch management became more mature. I remember there have been moments in pen testing and red teaming where we all, on the red team side, took a step back and we were like, oh my God, red teaming is over. I remember when Microsoft put LAPS out there, and now all of a sudden you can't just pass the hash of the RID 500 from localhost to other systems, and I remember we were all like, it's done, it's over, Microsoft did it, they solved it, they solved security, we can no longer red team, we can no longer pentest. Obviously that's not the case, but that's kind of the time that we found ourselves in, this kind of existential dread of what are we going to do, how are we going to get DA when people have LAPS, they've got vuln management, they've got patch management, and everything is like really, really strong. So at that time there was this methodology that came about that a lot of different teams kind of independently all discovered simultaneously. We called it derivative local admin; Justin Warner coined that phrase, and then Microsoft called it the credential shuffle or the identity snowball attack. But it was basically: get local admin somewhere, dump creds out of that box, pivot somewhere else, dump creds, pivot somewhere else, dump creds, over and over and over and over and over until finally you get DA. And so that worked. It was tedious, but it was extremely reliable, and kind of the missing link of taking that methodology and making it a real thing was collection and automation of the data that you could get back. We needed a map, you know, we were all just kind of feeling around in the dark, like guessing, like well, maybe I'll pivot to that box and maybe there's a DA logged on, or maybe that user has, you know, a lot of privilege. We didn't know, we had no way of telling, outside of like maybe they're in a group called local admins, whatever. So that's why we created BloodHound in the first place back in 2016: we wanted a way to collect all this data, that at the time was accessible by anybody who's domain authenticated, put it into the computer and let the computer do the work of finding those attack paths. And so I always say BloodHound is like Google Maps for Active Directory.

It's a pretty good analogy, I think. Awesome.

You know, it's I'm here, I want to go over there, how do I do it? BloodHound will tell you if there's a way to get there; it will tell you exactly how to get there. That was back in 2016. Since then a lot has been added, lots of new attack primitives added. However, you know, the big thing that I think I'm most excited to talk about right now is this newest version, the newest free version, which is BloodHound CE, BloodHound Community Edition. And yeah, I do have some demos to show if we're ready to look at that.

Let's do it.

So for anybody who may be new to BloodHound, or anybody who's been using it for a long time and just hasn't used BloodHound CE yet: one of the biggest pain points with using any software is just the initial installation and getting started. I know Python-based tools can be a real pain, even PowerShell-based tools can be a real pain, even though PowerShell is the best scripting language ever invented by anybody and I will die on that hill. But anybody who used BloodHound in the past knows how much of a pain it was. So you've got to download Java, you've got to download and install the correct version of Neo4j, you've got to make sure your environment variables are set up correctly, and you've got to do this, this, this and this. You know, at the time when Rohan, Will and I put BloodHound out there, that was the best that we could do. So, you know, we had to choose: are we going to make the software as good as we can, or are we going to try to reduce friction on the installation? Now that we have this enterprise level of engineering talent on our team, we don't have to make those kinds of choices anymore. We can have things that are great in every part of the user journey. So getting started, it is so easy, even Justin can do it. That was literally one of the tests, like before we launched.

Yeah, can Justin launch it? And I did it, it took me like seven minutes.

Yeah. So this is our documentation, support.bloodhoundenterprise.io.
This is the documentation for BHE and BHCE. So installing BloodHound Community Edition, you need to have Docker, okay, so that's free, that's not a big deal. Once you have Docker, if you're running in bash you can literally copy this command, paste, hit enter. So this will download the images, it will configure the containers, start them up, get them talking to each other, create the Neo4j database with the correct version, all that stuff. It'll do everything for you, spin up the API server; there's also a Postgres database in here, so it'll do all that. And at some point it's going to tell us what our credential is.

For reference, this previously was like three hours, and mainly reserved for penetration testers that were patient enough to go through the process, right? Anybody on the defender side, unless they similarly stuck through it, they were kind of out of luck. I have an old video, I know, where I was trying to showcase BloodHound, and it was that exact same structure of like, all right, let's get Java, let's get Neo4j, let's double check, kind of guess and check the Neo4j version. So the fact that this can just fire up in one command is beautiful.

Yeah, so it was actually done here. However, when I was doing this earlier today, when it creates the database for the first time it will tell you what your credential to log in with is, right here. So you can see earlier today I ran the same command, and eventually it says your initial password is this. This is randomly generated; there is no default credential. So the next step is take this credential and log into the web interface, which will be at localhost on 8080. And I did this before, so I'm going to try with the password that I set before. Okay, yeah, so you know in the cooking program when they're like, here's the turkey that's been in the oven the entire time? Yeah, this is that turkey. But if I didn't have that credential already set, you just get like a password change prompt, and you just change the password to something better. That's it, it's now running, it is ready to receive data, it is ready for you to do searches. If you already have data there, it's ready to be explored. BloodHound CE has a whole lot of other, like, enterprise-y features that we decided to just include in BloodHound CE as well. So just a quick couple of examples: you have user management, so I can create a user for you, John, and, you know, with network access I could give you access to my instance here. There's also SAML authentication, so you can let a different identity provider handle identity and authentication. File ingest works very similarly to Legacy BloodHound. And then data quality, which isn't going to show anything here because this database is totally empty right now. You can also download the correct version of the data collector just right here. So if you want SharpHound, boom, there it is; if you want AzureHound, boom, there it is. You don't have to worry about, oh, I used the wrong version; this is the right version for your instance that you're running right there. It's all API-driven, and so the GUI is essentially a very, very, very fancy API client. But if you want to write your own API client in PowerShell, the best language of all time, or if you're insane, in Python, then the documentation is all here in these automatically generated Swagger docs for the API. That is basically it as far as getting up and running. It was literally one command.

Heck yeah.

And change a credential, and that's it.

So like, it's night and day for getting started. I love the fact, hey, super easy to kick the tires. And I know you were kind of teasing, hey, look at all this quality of life, like user management, you can do SAML. Were those, and if I may ask, was that just, look, we want to have this multiplayer support for a handful of different operators for a real red team engagement and campaign? I have to think that had to have been some inspiration pulled from Enterprise, is that right?

Yeah, so I think it's two things. I think one is, like you said, you're on an assessment, there's going to be more than one operator most of the time, and we already had this user management built into BloodHound Enterprise. So it's like, why not just carry that over into BloodHound CE and make that available to everybody for free? Like, what does that cost us? Nothing.

Security is not something you should charge for.

Exactly, yeah. Oh, you can also do MFA here as well in BloodHound CE, and then like SAML configuration. You know, for me what it comes down to is yes, we have the free version and yes, we have the paid version, but if the features of the paid version are things like MFA or SAML authentication and that's the differentiator, like, that's not enough.

Agreed.

Like, the bar has to be a whole lot higher for paid software. Like Justin said, you shouldn't have to pay for security or even just baseline, like, multiplayer software features like that.

Yeah. I didn't mean to stop on you though, I'll let you keep cruising.

No worries, yeah, it's a good question. All right, so here's my other turkey that has been in the oven even longer, and this is actually a BloodHound Enterprise instance. So this is running up in AWS, but the performance and the features that you'll see with what I'm going to show here are exactly what you could expect with a modern laptop where everything's just running locally. So as a pen tester, as a red teamer, what is my favorite thing to look for? Domain admins. So I'm going to search for domain admins, and I'm going to look in the Titan Corp domain. Got them, boom. On the right-hand side over here, this is our entity panel, so this tells you information about this node that I just clicked on, which represents obviously the Domain Admins in this Active Directory domain. Got different information about it: here's the SID, does it have ACL inheritance
denied, does it have the admin count set to true or false. What I can also see are some things that would be familiar to most users, or maybe new if you're new to BloodHound. Domain admins: I'm a pen tester, I want to target those users, I want to know what computers they're logged on to. So I can click on sessions right here, and I can see, for any user that is a member of the Domain Admins group, whether directly or through nested security group membership, what computers they are logged on to. So if I'm looking at this and I see this computer right here called app 6, it's got all these different domain admins logged on to it, like you better believe that computer is going to be top of mind for my entire time looking at that environment. Like, that computer is target number one. And this computer too, maybe even more so, this app five computer. Other interesting things that you can see within this entity panel: so we clicked on this computer, we can see who the admins are on that computer. I prefer the sequential or the standard layout, personally.

Also kind of brushing over it, but the performance difference from this version of the GUI to the old version is kind of crazy. Like, drawing out this number of nodes that quickly is kind of insane. That was smooth as butter.

Super, super smooth, yeah. So the local admins on that computer: we've got the Domain Admins group and all those people, but then you have these other, like, one-off users, and then any other group that's going to be listed here; the members of those groups are also going to be represented. So Office Admins, and then, you know, there's group nesting there, etc., etc., etc. So I can see for that computer who the local admins are. I can see it visually, but then what I can also look at is the list representation here as well. Anything in this list right here I can click on, just like you can click on a node in the graph; you can click on a node right here to see a zoomed-in view of that particular thing. All right, you know, it's Monday morning, it's 9:25 a.m., I don't have domain admin yet, the impostor syndrome is setting in, so I want to find out how am I going to get from domain user to domain admin. Switch this to the pathfinding feature, and we're going to start off from Domain Users at Titan Corp, our target is Domain Admins at Titan Corp, and there is our attack path. And actually, I want to rewind real quick, and I want to re-enable this and then rerun that query. So Domain Users, which will include basically everybody most of the time, has RDP rights on this computer right here called app 4. So with RDP rights I can RDP to the computer as almost anybody in this domain, and then as the pen tester your job is then to either escalate rights or already be escalated. In our experience, escalating rights on most Windows systems is just a matter of time: finding an unquoted service path or a DLL hijack opportunity or something. You know, there will be something there that will let you escalate to the SYSTEM user. Once you do that, the computer has three different users who were logged on to it interactively, so dump their credentials, and then they are each members of the Domain Admins group, so then you get a domain admin cleartext password. However, let's say that I don't want to RDP for some reason. Well, we can change the rules of how this pathfinding works, just like Google Maps: you can say, like, avoid toll roads, avoid highways, you know, whatever. So we can say avoid RDP. So I'll bring up the filter modal, and this is organized into platforms and then tactic. I guess you could say RDP is a lateral movement tactic, so we'll uncheck CanRDP, and then when I hit apply it's going to rerun the search, but it's going to say don't include RDP and see if there's a path then. So when we do that, then we see that yes, there is. So now instead of RDP being our first step, the Domain Users group actually has GenericAll over a user, which, there's many, many ways to skin that cat. That user has admin rights on app five, the computer from earlier that was like target number one, where all those domain admins are logged on. This path is relatively simple, but even this relatively simple path would have taken days to find by hand, because Active Directory, Windows, it doesn't know for any given identity or any given principal what privileges that thing has. Like, that question doesn't even make sense to ask with built-in tooling in Windows and Active Directory.

What if you don't know how to execute the attack path using GenericAll?

I am so glad you asked, Justin.

That was going to be my next question, yeah.

So yeah, there can be things here that might seem kind of esoteric, or they might seem more complicated than they actually are. So any of these edges, so the things that connect the dots, these are called edges or relationships, you can click on them and it will bring up, instead of the entity panel, now we have the relationship panel. So it tells us the source, the target, whether it's an ACE-type edge, if it was inherited, and the last time this was collected, and then also we have just general information about what this means, just a plain English statement. So the members of this group have GenericAll on that user. Okay, this is also known as full control; the privilege allows the trustee to manipulate the target object however they wish. Okay, well, what if I want more detail, what if I don't really know what that means? So we have two different options. You can see Windows abuse: so maybe you are running a Beacon, you know, with Cobalt Strike on a Windows host; here are the actual commands that you could run in order to execute this part of the attack path. Okay, well, what if I'm not on Windows, what if I'm in Linux? Got you covered there too, so Linux tooling is covered here as well. Okay, so that's nice.

And this goes into it, like command by command, exactly what to run, or what an attacker can run.

And then also for each of those we'll have OPSEC considerations, including maybe even an event ID that will be generated if it's enabled, and then also references for further reading. And GenericAll, like, there's so many references. But yeah, just, you know, what I think about is, you know, I forget how to execute these attack paths. You know, like, there's a lot of them, there's a lot of different kinds, and there's a lot of different scenarios that you can find yourself in. So these references can be very, very helpful for refreshing your memory or for going deeper into, you know, how exactly would a real adversary abuse this. So a couple other things to show if we have time.

Absolutely. I would love to say, though, look, I know there's a whole lot to love with BloodHound, but man, that is by far my favorite feature, because, you know, I think a good amount of the audience may very well just be students or folks really super duper interested in security and want to get into this ethical hacking, pen testing work. But when they're taking a lot of those security-based exams, like hands-on, application-based stuff, and they're working in an Active Directory environment, BloodHound is, again, the necessity. It is such a vital, critical part of that work. And then, look, it's not just the map. I love when you can right-click the edge and take a look at those abuse options, because, like, that's your compass: here's how to do it, and look, it's the whole guide for everything that you need there. So I love it. I'm sorry, I'm fanboying again.

Yeah, you know, I think one of the things that we've tried to get really good at is reducing friction. So if someone is a student, if someone's like a junior chipmunk pen tester, we know the friction, we know what stands in the way of that person being successful, because we've been there. And the same is true on the defender side, which Justin will touch on with the Enterprise. So a really big part of what we try to do is reduce that friction for our users as much as possible by
understanding what exactly it is that they're trying to get done in the first place. And if we can reduce that friction for them, then that means that they can be a better security professional for their organization, and then they can improve their organization's security posture, which is just, that's the outcome that we want to create, right? So let me show a couple other things; I have a couple other turkeys to pull out of the oven. So let's take a look at this user called R vo, and just kind of an interesting thing to look at. We talk about security group memberships in Active Directory, and anybody who's tried to unravel those by hand knows how huge of a pain that is. So I found this user in our data set that has a pretty interesting security group membership map to look at. So this user, they belong to all these groups right here, but then because this group has been added to these other groups, and because this group is added to that group, etc., etc., etc., you wind up with these chains of security group membership that, you know, for an attacker this is interesting, but also just for an Active Directory administrator, if you're wanting to do some hygiene on maybe overlapping or redundant security group memberships, this can be a good way to start to discover some of those. And things spiral out of control so quickly because of security group nestings. And for me, I'm a visual person; looking at this visually is the only way that I can really get my arms around this and understand this, and I think a lot of other people work that same way. Some people are happy to be in a terminal all day, every day, and just have nothing graphical. I'm not that person, and that's okay. So I think that's pretty interesting. Also, for where a particular user has local admin rights, there's this user which, if we come down to local admin privileges, we can see kind of another example where this user is added to a group, that group is added to a group, that group is added to a group, the Domain Admins, which, this is a small environment, and the Domain Admins has local admin everywhere there. A typical audit where you're trying to see who's a local admin on any of these systems, you're going to do like net localgroup administrators and call it a day, but that's not even close to the real story, and this is a good example showing why that is. Okay, a couple other things I want to show real quick. So we have the Cypher input box back in BloodHound CE now, which includes syntax highlighting, it includes some autocomplete suggestions and all that kind of stuff, and then in this little folder right here we've got the pre-built searches. So for example I can find all the domain admins, and that will cover all of the environments that I have any data for. So I can see this is a very large Domain Admins group, this is a pretty small one; these are distinct from one another. Related to that, I can also map the Active Directory domain trusts or forest trusts, and I can identify clusters where these domains trust one another but not any of the other ones. These four domains are in a forest and trust one another, and so as a red teamer, if you're looking at doing a SID history attack, or like SID hopping, golden ticket, etc., this is the kind of data that you need to do that intelligently and quickly. One last thing I want to show: so we're looking at just Active Directory right now, which has been our bread and butter for a long time. We also have support for Azure, and so I've got a cool attack path to show in our Azure environment. And it's going to start off from an application, or an app registration object, this one right here, and it's going to end, let's say, at my user, so my A Robbins user in that tenant. Okay, so let me just walk through this real quick, and then I'm going to hand it over to Justin to start talking about BloodHound Enterprise. So here is our Azure app registration object, and we'll say that this has been compromised, or maybe even it's like a foreign app that somebody has consented to certain rights for that app in the tenant. So that app, if it wants to authenticate into the tenant, it will do that using a service principal. So the app runs as the service principal, meaning I can authenticate as the service principal if I control the app. This service principal has the VM Admin Login role assignment on a virtual machine within Azure RM. Well, what does that mean? That means this: it means you can RDP to it, you'll be a local admin on that system. This VM has several different managed identity assignments, including these two right here. So these map back up to Entra ID (can't say Azure AD anymore), Entra ID service principals. These service principals, there are many, many, many different options from here where you could go. This path right here: this service principal owns this other service principal, so it can add a credential to the service principal. This service principal has lots of different options, including the abusable Microsoft Graph app role of AppRoleAssignment.ReadWrite.All, which means that it can give itself RoleManagement.ReadWrite.Directory, which means that it can promote itself to Global Admin. And then once you're Global Admin you have control of everything, which means you have control of all the descendant objects under that tenant, which then lands you finally at the destination, which was my user there. So, a little demonstration of our Azure support there. I'm probably ready to pass it over to Justin to talk about BHE if he's ready for that.

Yeah, absolutely. Guys, this is just too cool, though. It's wild to me, like, look, there can be one idiosyncrasy, or just any of, like you mentioned, the overlapping groups, or how one thing could accidentally and unknowingly fall into something else, and there's that domino effect, and just seeing it visually is absolutely incredible. So yeah, it's powerful.

So what Andy was showing you was the Explore tab, which, the Explore tab is in BloodHound Community Edition, and that's why he was demonstrating it, because we have, you know, data and a tenant we wanted to play through. But everything you saw him do you can do in BloodHound Community Edition. In BloodHound Enterprise there's two other tabs: the Attack Paths view and the Posture view. Before I get back, I'm going to go back to Andy's analogy of Google Maps. So let's say you're Active Directory; let's think a bit about the map of the United States, right? And as a pentester I'm trying to get to my destination, and in this analogy imagine that's the island of Manhattan in New York. Well, let's say I land in LA and I'm going to find a route to Manhattan, and I can take any route I want; I can go through, you know, multiple cities to get to that destination, and eventually I get to domain admin, right, Manhattan. As a defender it's a completely different problem. I've got to reverse it, I've got to defend the island of Manhattan. So previously, you know, before we had BloodHound Enterprise, it was like, well, what road do you shut down here? It's just kind of silly. It's like, well, is removing
this road between Kansas and St. Louis going to do anything to prevent me from going from LA to New York? Like, no, right? So we had this idea: well, Manhattan is an island, why don't we identify all the bridges into Manhattan and blow them up, right?

Like Dark Knight, right?

Like Dark Knight, exactly. I'm going to get put on a list for saying that.

You added the Dark Knight caveat, so we're good.

Yeah, Dark Knight was a very important caveat. So that's the concept behind BloodHound Enterprise. We're doing this from the, like, crown jewel assets. If your watchers or viewers are familiar with privileged access, like in the enterprise access model, if they've ever heard of tiering, like Tier Zero, we do all of our analysis from those crown jewels, or the things that we want to remove the ability for an adversary to get to above all else, right? Like domain admins, domain controllers, any Group Policy Object that applies to those things, all the members of those groups. So when we deploy BloodHound Enterprise we automatically pull every one of these assets out of the domain, and I can add additional ones. So if I have an Azure sync server, I'm going to add that in too, because it has rights that it needs to hold, like an EDR orchestration server that can do a system shell everywhere, an SCCM server, all that kind of stuff. Yeah, so we have this core set of assets, and these assets you see in BloodHound Enterprise on this view are collections of multiple assets. I can expand all the attack paths through the domain. Now this domain is super tiny, I mean like 50, you know, users or whatever, but this is running in clients that we have that are like a million-plus users, and they see all of this on one page. Now, you know, there's attack paths that will traverse their environment super deep, but what you should see here is we can take action here and remove all of these attack paths, right? It's like that choke point, that's our bridge to Manhattan, so if we can cut it off here we don't have to worry about that underlying risk. Yeah, so for Enterprise customers we're going to explain the attack path very similar to how we do on the edge context view. We're going to pull out the affected users; there could be multiple for individual attack paths like this, or like the choke points. And importantly, we're going to quantify the risk. So there's this exposure calculation which calculates the users that are actually connected to that choke point. Think of the analogy: how many people can get to the Brooklyn Bridge or the Lincoln Tunnel, right, in New Jersey? So I want to take action on certain choke points faster than others. Like, you know, big clients, they have tons of stuff going on every day. You know, if I have 10 total choke points that I'm looking at, what's the one that I can shut down today, or the top three that might be able to have the greatest reduction in risk?

Yeah, I think for the past 20 years with Active Directory, I think security auditors, red teamers have always been kind of stuck with two different sides of the same kind of extreme. Which is, on one side you say, well, you should enforce SMB signing because that will increase your security. Like, okay, yes. However, most people who have been in operations know how difficult it actually is to sell that to the people who keep the lights on in Active Directory. And then also it's like, does it really increase the security posture? Like, it's really hard to measure that, and things that are hard to measure are hard to sell internally to the people who actually have to go do those things. And then on the other extreme is like, well, you're just going to have to burn it all down and rebuild, or you're going to have to migrate from Active Directory to some other identity platform. Yeah, that's never going to happen; almost no organization is going to buy into that. And then you're also kind of stuck with the same problem, is like, did that really have an effect on our security posture, or are we just out of the frying pan and into a different frying pan, you know, with a different brand name? And so what we're trying to do is we're trying to solve the problem of attack paths, and by presenting the information this way the findings are prescriptive, so they're precise. You know, it's not "turn on SMB signing everywhere," it's "get rid of this one particular privilege." And then it's also empirically measured, so it's the so what. Like, well, okay, well, what if I don't do that? If you don't do that, that means that if anybody lands anywhere in the network they're going to be able to escalate to Tier Zero through this one particular connection, and then they're going to be able to do anything they want: deploy ransomware everywhere, have access to all the data, all that kind of stuff. So that combination of it being prescriptive and precise and empirical means that our customers are actually making progress on this attack path problem.

Yeah, and like here, you know, I have this administrator account who logged into this machine that kind of spawned this terrible attack path. I can explore that, just like, pivot right to that view that Andy was showing earlier. I can see, oh, he has a session on this box, you can see who else is local admin there. So kind of again, same context: I want to dive deeper, I can get detailed information on every node in Active Directory or in Azure. Now that's great, right, like we want to cut this attack path, but how, right? Like, it says restrict Tier Zero. Well, for every finding that we surface in BloodHound Enterprise we go super deep in how to fix it. One, because we find a lot of security people, and, you know, Active Directory admins, don't know specific configurations or how to put them in place, and we want to remove that research element. Show you another one here, like where we go, like we try to put pictures in. This is super important with Azure. I'll show you an example from our test Azure tenant. Azure is something you feel like you kind of got to relearn every month, because, you know, something changes out from under you. It's a living and breathing directory. So we try to go super detailed in all the, like, click here, click here, click here. So yeah, you shouldn't have to relearn anything whenever you come in here, and you should understand exactly where to go to fix the problem. And also, we're adding new research in all the time, right, into both Community Edition and Enterprise, and so we're going to try to give you as much detail as possible to take action. And kind of the final thing that I want to touch on is the key thing about defenders is you've got to report on the so what, right? Like, you're taking action in your environment, and so, like, how did you make my organization safer today? We track that over time. Like, you can go back 3, 6, 9 months, you name it, to see how you've improved. Now this is a little demo environment that we never fix anything in, so it just gets worse and worse and worse, but in a real customer environment this drops. And I would say, like, you know, most people start out at like 100% exposed and we take that down by 30 or more percent within the first two to four weeks. I mean, there's always something like a Wi-Fi account that they've had for 20 years that has some ridiculous permission, and we get to rip that out, and you do that across your entire directory. So this is showing, like Andy was showing you kind of earlier on, how you can map domain trusts. In Enterprise you can see your entire risk footprint over all your Active Directory domains or Azure tenants, and, you know, we have global organizations that have like 100-plus environments in here, and so you can just fix the right problem, right? Like, focus your team on what matters. Yeah, so that's kind of the extended, my side of this
yeah I love that I I know it's so key and especially I absolutely want to emphasize and iterate like it's everything it's your entire environment uh and being able to like as you mentioned look be precise drill down down into what to do what problems there are and then especially how to fix it even those remediation steps are like again the most key part in my mind because like so many orgs so many hey I don't you could get some alert or some notice or some security tooling that tells you this bad point of redit alert this is a bad thing go fix it but they're like how I need to know how uh so Game Changer here guys seriously it uh phenomenal stuff we're super proud of it like to be honest with you when we when we first started getting our customers for bhe I thought those charts that Justin was showing you I thought it was going to be like months and months and months and months of like 100% 100% like it was going to take forever for that to go down that's not what happened like our customers they started making progress on getting that number down way faster than I thought was possible which was a nice surprise and then it was also kind of like oh no what are we going to do now like all like all of this risk is going away but it's like you think about like vul management like if if your if your vul scanner is telling you like hey you're at a pretty good level you're at like you know you're missing some critical patches but it's not that bad that's that's the position that you want to be in and it's the position you want to stay in and know that you're in so this risk level going down it doesn't mean that the product isn't like providing any value anymore it's like you know what your security posture is related to attack paths permanently so and like Justin said we're also adding other attack paths as well like yeah usually usually it's not like staying down forever like somebody goes make a configuration change something happens and it could Spike all the way back 
up and then someone can do something about that usually it goes down like we we get down you know people to a low State our goal is to get everybody down below 20% and we we I remember like the first time we got somebody to zero it was like Yay you know wow but like once you go down you spike like this because people are constantly making changes in in a directory creating some new application granting some new privilege and so they see it right but they shut it down right away which is like way easier than seeing it like on a pentest a year or two later where you have all this politics and business process built on top and it gets really hard to like change things so we're like that monitoring layer that like continues that that little yeah and usually honestly like these systems are so insanely complicated like a Fortune 500 active directory is just more complex than one person could ever hope to really fully understand so somebody makes a configuration and that increases the risk that's not that person's fault it's nobody's fault that that happens like these are extremely complicated networks and systems so it's kind of like I don't know forgive the pun but it's kind of a watchdog like in that sense right like hey this thing happened here's the outcome of that maybe let's revert that change you know back to watch dog I see what you do there yeah yeah thank you perhaps a blood hound yeah yeah we have a lot of dog based puns uh on our team yeah yeah well look guys or not I feel like I don't know in my mind and I'd love if hey help me clarify if need be but there are two super cool angles here that like hey the hackers the pentesters the red teamers the students that want to like get their hands on this and play with it the best way to learn not only like local on premise active directory but even Azure is just play with it fire up those sharp pound collectors fire up those Azure ingesting tools look the Community Edition is immediately accessible super easy to get 
it run at just a single command and just play and look for those uh other folks over on maybe the other side of the coin look Defenders look security administrators the folks that are locking down our environments you know what you can get great visibility with Community Edition you can see your posture but you can get even more visibility and great Insight with a little bit of that sweet stuff from Enterprise so yeah I mean like if you if you're looking to like do it across like a big domain if you're like trying to manage identity like attack paths across like a big environment you can you can make changes using the community Edition but if you want to like sustained stuff with like an Enterprise 24/7 SLA and all that kind of stuff yeah like continuous collection that's like another thing in the Enterprise side um that you know like for Defenders we're that's why we built it so yeah excellent well hey I could sing your Praises for like days uh but I would love to include some links in the description to let folks know hey me how they might be able to get their hands on blood hound and chat more with you all at Spectre Ops uh but look am I forgetting anything is there's anything else that you think is really cool hey here's a resource here's a reference for you or I think we're sitting pretty guys this is phenomenal yeah we're always working on cool stuff yeah stay tuned for the end of the year Blood Hound slack is that a is that a thing that's always popping off okay blood hound slack yep so that's a good place to get support not only for our stuff but um there are other like I think probably the best goang security Channel yeah might be in The Blood Hound King slack we're working on new features all the time we're working on uh incorporating the adcs research now we're going to try to have that out as soon as possible I don't know if I want to say more than that yeah I heard that little teaser from Justin like hey stay tuned for the end of the year so we we 
might have to hang out again guys yeah yeah we're constantly working on on new stuff and trying to make we're trying we're trying to solve the problem of attack paths like it's honestly we've been talking about PS exac for too long on the red team side it's kind of boring these days like if we're if we're talking about PS exec 20 years from now I Mark that as a personal failure and so we want the whole lateral movement privilege escalation story to fundamentally change that's what we want and we're trying to be part of that and we're trying to do what we can to make that happen absolutely you are on the front lines and you guys are crushing it so hey h hats off for me and uh this has been an awesome conversation I love the show Intel fireworks thank you so much Indie and Justin keep in touch and I hope hey we'll get some other new eyes coming in from our chat today thanks so much yeah thank you thanks John
Info
Channel: John Hammond
Views: 61,629
Keywords: cybersecurity for beginners, cybersecurity, hacking, ethical hacking, dark web, john hammond, malware, malware analysis, programming, tutorial, python programming, beginners, how-to, education, learn, learn cybersecurity, become a hacker, penetration testing, career, start a career in cybersecurity, how to hack, capture the flag, ctf, zero to hero, cybersecurity for noobs, ethical hacking for noobs, networkchuck, learn to hack, how to do cybersecurity, cybersecurity careers
Id: 0gK8t7Kk7ZI
Length: 39min 25sec (2365 seconds)
Published: Thu Nov 09 2023