BloodHound ⚙️

Theory

BloodHound (Javascript webapp, compiled with Electron, uses Neo4j as graph DBMS) is an awesome tool that allows mapping of relationships within Active Directory environments. It mostly uses Windows API functions and LDAP namespace functions to collect data from domain controllers and domain-joined Windows systems.

Practice

Collection

BloodHound needs to be fed JSON files containing info on the objects and relationships within the AD domain. This information are obtained with collectors (also called ingestors). The best way of doing this is using the official SharpHound (C#) collector.

SharpHound (sources, builds) is designed targeting .Net 4.5. It can be used as a compiled executable.

It must be run from the context of a domain user, either directly through a logon or through another method such as runas (runas /netonly /user:$DOMAIN\$USER) (see Impersonation). Alternatively, SharpHound can be used with the LdapUsername and LdapPassword flags for that matter.

SharpHound.exe --collectionmethod All

When running SharpHound from a runas /netonly-spawned command shell, you may need to let SharpHound know what username you are authenticating to other systems as with the OverrideUserName flag

The previous commands are basic but some options (i.e. Stealth and Loop) can be very useful depending on the context

# Perform stealth collection methods
SharpHound.exe --collectionmethod All --Stealth

# Loop collections (especially useful for session collection)
# e.g. collect sessions every 10 minutes for 3 hours
SharpHound.exe --collectionmethod Session --Loop --loopduration 03:00:00 --loopinterval 00:10:00

# Use LDAPS instead of plaintext LDAP
SharpHound.exe --secureldap

More help on the CLI commands here.

Analysis

Once the collection is over, the data can be uploaded and analysed in BloodHound by doing the following.

  • Find paths between specified nodes

  • Run pre-built analytics queries to find common attack paths

  • Run custom queries to help in finding more complex attack paths or interesting objects

  • Run manual neo4j queries

  • Mark nodes as high value targets for easier path finding

  • Mark nodes as owned for easier path finding

  • Find information about selected nodes: sessions, properties, group membership/members, local admin rights, Kerberos delegations, RDP rights, outbound/inbound control rights (ACEs), and so on

  • Find help about edges/attacks (abuse, opsec considerations, references)

Using BloodHound can help find attack paths and abuses like ACEs abuse, Kerberos delegations abuse, credential dumping and credential shuffling, GPOs abuse, Kerberoast, ASREProast, domain trusts attacks, etc.

For detailed and official documentation on the analysis process, testers can check the following resources: the BloodHound GUI, nodes and edges.

Resources

Last updated

Was this helpful?