BloodHound ⚙️

Theory

(Javascript webapp, compiled with Electron, uses as graph DBMS) is an awesome tool that allows mapping of relationships within Active Directory environments. It mostly uses Windows API functions and LDAP namespace functions to collect data from domain controllers and domain-joined Windows systems.

Practice

Collection

BloodHound needs to be fed JSON files containing info on the objects and relationships within the AD domain. This information are obtained with collectors (also called ingestors). The best way of doing this is using the official SharpHound (C#) collector.

SharpHound (, ) is designed targeting .Net 4.5. It can be used as a compiled executable.

It must be run from the context of a domain user, either directly through a logon or through another method such as runas (runas /netonly /user:$DOMAIN\$USER) (see ). Alternatively, SharpHound can be used with the LdapUsername and LdapPassword flags for that matter.

SharpHound.exe --collectionmethods All

When running SharpHound from a runas /netonly-spawned command shell, you may need to let SharpHound know what username you are authenticating to other systems as with the OverrideUserName flag

The previous commands are basic but some options (i.e. Stealth and Loop) can be very useful depending on the context

# Perform stealth collection methods
SharpHound.exe --collectionmethods All --Stealth

# Loop collections (especially useful for session collection)
# e.g. collect sessions every 10 minutes for 3 hours
SharpHound.exe --collectionmethods Session --Loop --loopduration 03:00:00 --loopinterval 00:10:00

# Use LDAPS instead of plaintext LDAP
SharpHound.exe --secureldap

More help on the CLI commands .

Here are a few tips and tricks on the collection process

Testers can absolutely run SharpHound from a computer that is not enrolled in the AD domain, by running it in a domain user context (e.g. with runas, or ). This is useful when domain computers have antivirus or other protections preventing (or slowing) testers from using enumerate or exploitation tools.
When obtaining a foothold on an AD domain, testers should first run SharpHound with all collection methods, and then start a loop collection to enumerate more sessions.

From UNIX-like system, a non-official (but very effective nonetheless) Python version can be used.

is a Python ingestor for BloodHound.

bloodhound.py --zip -c All -d $DOMAIN -u $USERNAME -p $PASSWORD -dc $DOMAIN_CONTROLLER

This ingestor is not as powerful as the C# one. It mostly misses GPO collection methods but a good news is that it can do pass-the-hash. It becomes really useful when compromising a domain account's NT hash.

An alternative called (Rust) can be used as well.

rusthound --zip -d "$DOMAIN" -i "$DC_IP" -u '$USER@$DOMAIN' -p '$PASSWORD' -o "OUTDIR"

Analysis

Once the collection is over, the data can be uploaded and analyzed in BloodHound by doing the following.

Find paths between specified nodes
Run pre-built analytics queries to find common attack paths
Run custom queries to help in finding more complex attack paths or interesting objects
Run manual neo4j queries
Mark nodes as high value targets for easier path finding
Mark nodes as owned for easier path finding
Find information about selected nodes: sessions, properties, group membership/members, local admin rights, Kerberos delegations, RDP rights, outbound/inbound control rights (ACEs), and so on
Find help about edges/attacks (abuse, OPSEC considerations, references)

Here are some examples of quick wins to spot with BloodHound

other over-privileged users: user that can control many objects (ACEs) and that often leads to admins, shadow admins or sensitive servers (check for "outbound control rights" in the node info panel)

bhqc.py -u $neo4juser -p $neo4jpassword

Resources

PreviousLDAP NextMS-RPC

Last updated 1 year ago

Was this helpful?