
BloodHound

1. Installation in the attacking machine

(C# and PowerShell Collectors)

BloodHound is a single-page JavaScript web application, built on top of Linkurious and compiled with Electron, backed by a Neo4j database that is fed by a C# data collector.

Download github repo from: https://github.com/BloodHoundAD/BloodHound.

sudo apt-get install bloodhound

Initialize the console:

sudo neo4j console 

Open the browser at the indicated address: http://localhost:7474/

The first time it will ask you for default user and password: neo4j:neo4j.

After logging in to the application you will be prompted to change the default password. We will use this password later to log in to the BloodHound tool.

2. Collecting data in the foothold machine

Upload the BloodHound collector binary to the foothold machine: releases.

2.1. Bloodhound.py

If bloodhound-python is already installed, you can run it from the foothold machine:

# Double quotes are needed so the shell expands the variables (single quotes would pass the literal text '$username').
sudo bloodhound-python -u "$username" -p "$password" -ns "$ip" -d "$domain" -c all
# -u: username
# -p: password
# -ns: name server (the domain controller's IP, used for DNS resolution)
# -d: domain
# -c: collection method. With -c all we are telling the tool to run all collection methods.

# Once the script finishes, we will see the output files in the current working directory, named in the format <date>_<object>.json.

2.2. Sharphound.exe

Sharphound is the official data collector for BloodHound.

We run the SharpHound.exe collector from the attack host (our foothold).

.\SharpHound.exe -c All --zipfilename $zipName
# -c: collection method. With -c All we are telling the tool to run all collection methods.
# --zipfilename: saves all the output JSON files into a single ZIP file named $zipName

3. Using bloodhound

In our attacker machine we have already launched the Neo4j database. Now we need to launch BloodHound and import the files generated by the collector so they can be interpreted.

Move the JSON files to the machine where you have your BloodHound tool installed. Open BloodHound; we should see the BloodHound GUI loaded with a blank slate.

# Launch the BloodHound interface from your Kali attacker machine.
bloodhound
# Enter the user:password already set before for the Neo4j console.

Now we upload the data. We can either upload each JSON file one by one, or zip them first with a command such as zip -r ilfreight_bh.zip *.json and upload the ZIP file. We do this by clicking the Upload Data button on the right side of the window.

Along with the pre-built queries in the Analytics tab, we can run custom Cypher queries. Two of the pre-built ones worth running first:

  • Find Computers with Unsupported Operating Systems is great for finding outdated and unsupported operating systems running legacy software.
  • Find Computers where Domain Users are Local Admin to quickly see if there are any hosts where all users have local admin rights.

We can also type domain: in the search bar and select one.

Enumerate Remote Desktop Users Group

In Bloodhound, we can use this Cypher query and add it as a custom query:

MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2

Enumerate SQL Server Admin

Enumerate via BloodHound and the SQLAdmin edge. We can check for SQL Admin rights in the Node Info tab for a given user, or use this custom Cypher query to search:

MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:SQLAdmin*1..]->(c:Computer) RETURN p2
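To make explicit what the two Cypher queries above compute, here is an added Python example (not part of the original notes and not BloodHound code) that walks the same pattern over a small constructed graph: a user that has at least one MemberOf path to a group, then CanPSRemote or SQLAdmin edges leading to computers. With through_groups=True it goes beyond the page's queries by also following edges that leave the user's transitive groups, which is where much of this access usually sits and is what a defender reviewing remoting or SQL rights should look at.

```python
from collections import deque

# Constructed sample graph (not real collector output). Node labels follow the
# BloodHound model (User, Group, Computer); edges are (source, type, target).
NODES = {"alice@corp.local": "User", "bob@corp.local": "User",
         "svc@corp.local": "User", "helpdesk@corp.local": "Group",
         "rmu@corp.local": "Group", "dba@corp.local": "Group",
         "srv01.corp.local": "Computer", "srv02.corp.local": "Computer",
         "sql01.corp.local": "Computer", "sql02.corp.local": "Computer"}
EDGES = [("alice@corp.local", "MemberOf", "helpdesk@corp.local"),
         ("helpdesk@corp.local", "MemberOf", "rmu@corp.local"),
         ("rmu@corp.local", "CanPSRemote", "srv01.corp.local"),
         ("bob@corp.local", "MemberOf", "dba@corp.local"),
         ("bob@corp.local", "SQLAdmin", "sql01.corp.local"),
         ("dba@corp.local", "SQLAdmin", "sql02.corp.local"),
         ("svc@corp.local", "CanPSRemote", "srv02.corp.local")]


def build_graph(edges):
    """Adjacency list: node -> list of (edge_type, target)."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph


def groups_of(graph, principal):
    """Groups reachable over one or more MemberOf hops (MemberOf*1..)."""
    seen, queue = set(), deque([principal])
    while queue:
        for rel, dst in graph.get(queue.popleft(), []):
            if rel == "MemberOf" and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def users_to_computers(nodes, graph, edge, through_groups=False):
    """Users with at least one group (the p1 pattern) -> computers reached over
    `edge`. False = the page's query (edges leaving the user itself);
    True = also follow edges leaving the user's transitive groups."""
    result = {}
    for user, label in nodes.items():
        groups = groups_of(graph, user) if label == "User" else set()
        if not groups:
            continue  # p1 requires a MemberOf path from the user to some group
        sources = {user} | groups if through_groups else {user}
        targets = {dst for s in sources for rel, dst in graph.get(s, [])
                   if rel == edge and nodes.get(dst) == "Computer"}
        if targets:
            result[user] = sorted(targets)
    return result
```

In the sample, alice reaches srv01 over CanPSRemote only through her nested group membership, so the page's query as written would not list her; the through_groups variant does.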

Visualizing Trust Relationships in BloodHound

Last update: 2025-01-01
Created: May 9, 2023 17:16:52