Learn Ethical Hacking and Penetration Testing Online

Learn ethical hacking, penetration testing, cyber security, best security and web penetration testing techniques from best ethical hackers in security field.

Menu

BloodHound (Visualizing AD and Unveiling Attack Surface)

So far, in the post-compromise AD enumeration, we have been using the PowerView tool to gather information. That tool was completely CLI-based and needed commands to gather the information. As specified in the previous article, the next tool we will be using is BloodHound.

BloodHound

BloodHound is a single-page Javascript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a C# data collector.

It is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment. BloodHound uses graph theory to identify hidden relationships, user permissions, sessions, and attack paths in a source Windows domain. It visualizes the data in a graph and is super useful in identifying lateral movement paths.

BloodHound can enumerate a domain automatically and save all the information. It uses that information to find possible privilege escalation paths and shows all the information using graphs.

Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths.

Installing BloodHound

BloodHound is composed of 2 main components

  • Ingestor
  • Visualization application

The visualization application uses neo4j which is a graph database management system. We need to install bloodhound which also installs neo4j.

Installing BloodHound is fairly simple and you just need to run the following command in the terminal

sudo apt install bloodhound

Setting Up Neo4j

Since BloodHound runs on neo4j . Hence, for using BloodHound, we need to set up neo4j first. So, in the terminal, run the following command

neo4j console

Once it starts, you will be able to see the Remote interface available at http://localhost:7474/. Open the browser and navigate to this URL and you will see the neo4j site. To connect to it, the default credentials are as below

Username: neo4j
Password: neo4j

After connecting, it will ask for changing the default password. So, I set the new password to password

As soon you change the password, you will see successful connection feedback as below

Connecting BloodHound with Neo4j

Since we have set up the neo4j database, we now need to connect BloodHound to it. Open a new terminal window and simply type bloodhound that will open the bloodhound application. We need to provide the neo4j database credentials to log in as below

The green tick mark in the database URL shows that the database is connected.

After login, you will see a message as below

It indicates that no data is returned. This is because we have not provided any data to it yet.

Installing Ingestor for BloodHound

The ingestors are used to enumerate the domain and extract all the information in a format that the visualization application will understand. There are many ingestors available but we will use Invoke-BloodHound PowerShell method. You can grab the PowerShell script from here.

Simply run the following command on your kali machine

wget https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/SharpHound.ps1

Make sure all of your 3 machines are up and running so that we can gather as much of the AD data

  • 1 Windows Server Machine
  • 2 Windows Enterprise Machines

After that, start a python HTTP server to transfer the downloaded ingestor to one of the Windows Enterprise machines.

python3 -m http.server

Go back to the Windows Enterprise machine and in the browser, type in the URL http://IP:8000/SharpHound.ps1 to download the ingestor.

Note: IP is the IP address of kali machine

Gathering data with ingestor

Now that we have ingestor in the windows machine, we need to run it and call Invoke-Bloodhound method. So, on the windows machine, open the command prompt and start PowerShell with Execution Policy set to bypass

powershell -ep bypass

Next, we need to load SharpHound script using the command

. .\SharpHound.ps1

Once it is loaded, we are good to go running the ingestor using the following command

Invoke-BloodHound -CollectionMethod All -Domain MARVEL.local -ZipFileName file.zip

Command Explanation

  • Invoke-BloodHound: This is the command to start the BloodHound data collection process
  • -CollectionMethod All: This option specifies that all the data collection methods available in BloodHound should be used to collect data. This includes group membership, domain trust, and local admin rights, among others.
  • -Domain MARVEL.local: This option specifies the Active Directory domain to collect data from. In this case, the domain is “MARVEL.local”
  • -ZipFileName: file.zip: This option specifies the name of the ZIP file where the collected data will be stored. In this case, the file name is “file.zip”.

Overall, this command runs BloodHound to collect data from the “MARVEL.local” domain using all available data collection methods and saves the output to a ZIP file named “file.zip”.

So we now have the zip file containing the data. We can now transfer this zip file to the Kali machine to feed it to BloodHound.

Note: You might not be able to directly transfer from Windows Enterprise VM to Kali Machine. So, transfer from Windows VM to your host Windows machine and then from there, transfer to Kali machine.

Uploading data to bloodhound

Open BloodHound and in the right corner, you will see an upload button among many others. Click on that and choose the zip file to upload

It will start unzipping the file and uploading the data

After all the processing, you will be able to see the database info from the left dropdown nav

Pre-Built Queries

BloodHound has some pre-built queries for common queries that an attacker might be needing. Head over to Analysis tab and there will be a bunch of these queries

We can click on each query to see the graph. For example, clicking on Find all Domain Admins we can see the graph and upon hovering over each node gives its information as below

  • Similarly, we can find the shortest path to Domain Admins as below

It tells us which machine has an administrator session that an attacker can use to escalate by using Token Impersonation and many other techniques. This also prioritizes the machines that we should target first to gain Admin.

  • We can find the shortest path from Kerberoastable users and visualize it to understand the attack surface

The graphs can be simpler and easier and can be complex depending on the query results. Like for Shortest Paths to High Value Targets, we can see the following complex graph

Conclusion

There is much more that can a BllodHound help to achieve. Since it’s all about gaining a foothold and gathering information, BloodHound is a pretty useful tool.

Did you enjoy this post?

Would you like to join our Insider's List and be notified when we post something or get FREE exclusive content?

Join Our Insider's List

Leave a Reply

Contact Us
Privacy Policy

Disclaimer
500 Westover Dr #8208 Sanford NC 27330