BloodHound is a network tool that maps the possible privilege escalation attack paths in an Active Directory domain. The tool does this by making use of the Active Directory protocols themselves. Active Directory is a Windows service that manages permissions and resources in the network. An Active Directory domain carries a set of permissions, including resetting users' passwords, changing roles, changing object ownership, and write permissions. BloodHound reveals the paths that would let an attacker gain access to these permissions.
BloodHound requires the Neo4j graph database management system to display the users, the network machines, and the relationships between them. Windows users need to install Neo4j from the official Neo4j website before installing BloodHound. After installing the dependencies, BloodHound can be cloned from GitHub using the following command.
git clone https://github.com/adaptivethreat/Bloodhound
Linux users can install the tool directly using the following command, which also installs Neo4j automatically along with the BloodHound package. Cloning the repository is still required to use some resources, such as the PowerShell ingestors.
apt-get install bloodhound
It is recommended to run the following update commands before installing the BloodHound tool.
apt-get update
apt-get dist-upgrade
After installing BloodHound, the next step is the configuration of the Neo4j database management system. To start the Neo4j database, type the following command in a Linux terminal.
The command runs the Neo4j database with a web interface available at http://localhost:7474. Open a browser and enter that address in order to change the default Neo4j database credentials. The default Neo4j login credentials are:
User: neo4j
Password: neo4j
Once logged in to the database with the default credentials, the interface offers to change them; do so, since a database left on its default login is accessible to anyone who can reach port 7474.
After changing the credentials, open the BloodHound interface by typing bloodhound in a new terminal, while keeping the Neo4j database running.
The command opens the BloodHound interface, which prompts for the database credentials before showing the dashboard. Provide the updated database credentials to log into the BloodHound dashboard.
The following screenshot shows the BloodHound dashboard with no data loaded. The dashboard has three main sections.
The top left corner shows database information along with the Node Info and pre-built Queries tabs. The database information tab shows network information such as the network entities, their roles, permissions and sensitive paths. The Node Info tab shows information about the node being explored. The Queries tab allows pre-built database queries to be run without any programming knowledge. The left sidebar of the BloodHound dashboard has options for importing data files into the tool, exporting data files, and a few other configuration settings. The wide central portion of the dashboard displays the entities and their relationships as a graph.
Data Collection Using BloodHound
BloodHound is used in scenarios where the attacker already has some access to the network: an insider attack by a disgruntled employee, or an external attack where the attacker has managed to gain a foothold in the network. BloodHound uses SharpHound to collect data from the network. SharpHound is the C# ingestor located in the Ingestors folder of the repository. Two versions of the ingestor are available in BloodHound, i.e. the executable (.exe) and the PowerShell script (.ps1). The PowerShell version is run with the Invoke-BloodHound command in a PowerShell terminal.
Invoke-BloodHound <optional flag>
The optional flag determines the type of network data that the above command exports into the .CSV file. For example, the following command exports all Active Directory permission (ACL) data.
Invoke-BloodHound -CollectionMethod ACL
As mentioned earlier, an attacker must have access to one of the machines on the network in order to collect the data into .CSV files. From the compromised machine, the attacker executes the following command in order to connect to the domain and collect data.
runas.exe /netonly /user:<DOMAIN>\Username cmd.exe
The command prompts for the user's password. If the credentials are correct, a new command prompt opens in which the attacker can launch the SharpHound ingestor to collect data.
The following command collects all the data, including Group, Session, ACL, Trusts and Container data, from the compromised machine using the sharphound.exe ingestor, pointing it at the domain controller with the IP address 192.168.10.55.
sharphound.exe -DomainController 192.168.10.55 -CollectionMethod All
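Added example (not from the original article): Python detection logic for the collection steps just described, run over constructed Windows Security log events. runas /netonly leaves a 4624 logon with logon type 9 (NewCredentials), and a SharpHound All collection shows up as one account producing network logons (type 3) on many computers within minutes. All account names, hostnames and timestamps are constructed sample data.

```python
"""Detection logic for the collection steps above, over constructed 4624 events.
runas /netonly yields Security event 4624 with LogonType 9 (NewCredentials); a
SharpHound 'All' run then produces a burst of LogonType 3 logons by one account
across many computers. Every event below is constructed sample data."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Minimal view of a 4624 event; computer is the host that recorded it.
Event = namedtuple("Event", "time event_id logon_type account computer")

# Constructed rows: (iso_time, event_id, logon_type, account, computer).
SAMPLE_ROWS = [("2024-01-10T09:00:00", 4624, 9, "CORP\\jdoe", "WS-17")]
# Eight servers reached by CORP\jdoe within 35 seconds: the enumeration burst.
SAMPLE_ROWS += [(f"2024-01-10T09:01:{s:02d}", 4624, 3, "CORP\\jdoe", f"SRV{n:02d}")
                for n, s in enumerate(range(0, 40, 5), 1)]
# Ordinary activity: one user reaching two hosts an hour and a half apart.
SAMPLE_ROWS += [("2024-01-10T09:02:00", 4624, 3, "CORP\\asmith", "FS01"),
                ("2024-01-10T10:30:00", 4624, 3, "CORP\\asmith", "PRINT01")]

def parse_events(rows):
    # Turn raw rows into Event records with real timestamps.
    return [Event(datetime.fromisoformat(t), eid, lt, acct, comp)
            for t, eid, lt, acct, comp in rows]

def netonly_logons(events):
    """LogonType 9 (NewCredentials) logons, the footprint of runas /netonly."""
    return [e for e in events if e.event_id == 4624 and e.logon_type == 9]

def enumeration_bursts(events, window=timedelta(minutes=5), min_hosts=5):
    """Accounts whose LogonType 3 logons reached at least min_hosts distinct
    computers inside any single time window; returns {account: host_count}."""
    by_account = defaultdict(list)
    for e in events:
        if e.event_id == 4624 and e.logon_type == 3:
            by_account[e.account].append(e)
    hits = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.time)
        best, start = 0, 0
        for end in range(len(evs)):  # sliding window over time-sorted events
            while evs[end].time - evs[start].time > window:
                start += 1
            best = max(best, len({e.computer for e in evs[start:end + 1]}))
        if best >= min_hosts:
            hits[account] = best
    return hits

if __name__ == "__main__":
    evs = parse_events(SAMPLE_ROWS)
    print("runas /netonly seen on:", [e.computer for e in netonly_logons(evs)])
    print("enumeration bursts:", enumeration_bursts(evs))
```

The window and host threshold are tuning knobs; legitimate scanners and backup accounts will also trip the burst rule, so allow-list them rather than raising the threshold.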
Once the data is imported into BloodHound, it is loaded into the BloodHound dashboard in the form of graphs and tables. The following screenshot is a graphical representation of the network with its users, machines, user roles, and other vital information.
Details about the imported network data can be seen in the database information section at the top left.
Clicking on each data option gives valuable information about the network entities. For instance, clicking on the shortest path to the administrative account displays it in the following manner.
Clicking on an entity shows a handful of information, including the entity's role and the set of permissions it has in the network.
Similarly, clicking on a machine in the network lists all the admin accounts associated with that machine.
These are some of the ways to explore attack paths in an Active Directory domain.
BloodHound plays a crucial role in network penetration testing by exposing the vulnerable paths in an Active Directory environment that could be exploited by attackers.