# BloodHound ⚙️

## Theory

[BloodHound](https://github.com/BloodHoundAD/BloodHound) (Javascript webapp, compiled with Electron, uses [Neo4j](https://neo4j.com/) as graph DBMS) is an awesome tool that allows mapping of relationships within Active Directory environments. It mostly uses Windows API functions and LDAP namespace functions to collect data from domain controllers and domain-joined Windows systems.

## Practice

### Collection

BloodHound needs to be fed JSON files containing info on the objects and relationships within the AD domain. This information are obtained with collectors (also called ingestors). The best way of doing this is using the official SharpHound (C#) collector.

{% tabs %}
{% tab title="Windows" %}
SharpHound ([sources](https://github.com/BloodHoundAD/SharpHound), [builds](https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors)) is designed targeting .Net 4.5. It can be used as a compiled executable.

It must be run from the context of a domain user, either directly through a logon or through another method such as runas (`runas /netonly /user:$DOMAIN\$USER`) (see [Impersonation](https://red.infiltr8.io/redteam/credentials/impersonation)). Alternatively, SharpHound can be used with the `LdapUsername` and `LdapPassword` flags for that matter.

```bash
SharpHound.exe --collectionmethod All
```

{% hint style="info" %}
When running SharpHound from a `runas /netonly`-spawned command shell, you may need to let SharpHound know what username you are authenticating to other systems as with the `OverrideUserName` flag
{% endhint %}

The previous commands are basic but some options (i.e. Stealth and Loop) can be very useful depending on the context

```bash
# Perform stealth collection methods
SharpHound.exe --collectionmethod All --Stealth

# Loop collections (especially useful for session collection)
# e.g. collect sessions every 10 minutes for 3 hours
SharpHound.exe --collectionmethod Session --Loop --loopduration 03:00:00 --loopinterval 00:10:00

# Use LDAPS instead of plaintext LDAP
SharpHound.exe --secureldap
```

More help on the CLI commands [here](https://github.com/BloodHoundAD/SharpHound#cli).

{% hint style="success" %}
Here are a few **tips and tricks** on the collection process

* Testers can absolutely run SharpHound from a computer that is not enrolled in the AD domain, by running it in a domain user context (e.g. with runas, [pass-the-hash](https://red.infiltr8.io/ad/movement/ntlm/pth) or [overpass-the-hash](https://red.infiltr8.io/ad/movement/kerberos/ptk)). This is useful when domain computers have antivirus or other protections preventing (or slowing) testers from using enumerate or exploitation tools.
* When obtaining a foothold on an AD domain, testers should first run SharpHound with all collection methods, and then start a loop collection to enumerate more sessions.
  {% endhint %}
  {% endtab %}

{% tab title="UNIX-like" %}

#### BloodHound.py

From UNIX-like system, a non-official (but very effective nonetheless) Python version can be used.

[BloodHound.py](https://github.com/fox-it/BloodHound.py) is a Python ingestor for BloodHound.

```bash
bloodhound.py --zip -c All -d $DOMAIN -u $USERNAME -p $PASSWORD -dc $DOMAIN_CONTROLLER
```

[NetExec](https://github.com/Pennyw0rth/NetExec) also includes the bloodhound.py ingestor and can be run as follows.

```bash
netexec ldap $TARGET -u $USERNAME -p $PASSWORD --bloodhound --dns-server $DC_IP -c All [--dns-tcp]
```

{% hint style="info" %}
This ingestors is not as powerful as the C# one. It mostly misses GPO collection methods **but** a good news is that it can do pass-the-hash. It becomes really useful when compromising a domain account's NT hash.
{% endhint %}

#### Bloodhound.py for Trusted domains

The official `bloodhound.py` package does not retrieve data across all trusted or child domains. However, you can use [@n3rada's fork](https://github.com/n3rada/BloodHound.py) to achieve this.

```bash
bloodhound-python --crawl --zip -c All -d $DOMAIN -u $USERNAME -p $PASSWORD -dc $DOMAIN_CONTROLLER
```

#### Ldapsearch to Bloodhound

If this is necessary for any reason, we can use [LDAP dumps](https://red.infiltr8.io/network-pentesting/protocols/ldap), also known as LDIF files, and covert them into JSON files ingestible by BloodHound using [ldif2bloodhound](https://github.com/SySS-Research/ldif2bloodhound).

```bash
# Dump LDAP with ldapsearch
# The second -E argument is needed so that ACLs are also dumped.
# In case StartTLS does not work, remove the -ZZ flag and replace ldap:// with ldaps://
$ for base in "" "CN=Schema,CN=Configuration," ; do \
    LDAPTLS_REQCERT=never ldapsearch \
    -H ldap://<DC> \
    -D <USERNAME>@corp.local \
    -w <PASSWORD> \
    -b "${base}DC=corp,DC=local" \
    -x \
    -o ldif-wrap=no \
    -E pr=1000/noprompt \
    -E '!1.2.840.113556.1.4.801=::MAMCAQc=' \
    -LLL \
    -ZZ \
    '(objectClass=*)' \
    ; done >> output_$(date +%s).ldif
    
# Convert LDIF to JSON files ingestible by BloodHound
$ ldif2bloodhound output_*.ldif -o /tmp/OutputFolder
```

{% endtab %}
{% endtabs %}

### Analysis

Once the collection is over, the data can be uploaded and analysed in BloodHound by doing the following.

* Find paths between specified nodes
* Run pre-built analytics queries to find common attack paths
* Run custom queries to help in finding more complex attack paths or interesting objects
* Run manual neo4j queries
* Mark nodes as high value targets for easier path finding
* Mark nodes as owned for easier path finding
* Find information about selected nodes: sessions, properties, group membership/members, local admin rights, Kerberos delegations, RDP rights, outbound/inbound control rights (ACEs), and so on
* Find help about edges/attacks (abuse, opsec considerations, references)

Using BloodHound can help find attack paths and abuses like [ACEs abuse](https://github.com/v4resk/red-book/blob/main/ad/recon/tools/broken-reference/README.md), [Kerberos delegations abuse](https://red.infiltr8.io/ad/movement/kerberos/delegations), [credential dumping](https://red.infiltr8.io/ad/movement/credentials/dumping) and [credential shuffling](https://red.infiltr8.io/ad/movement/credentials/credential-shuffling), [GPOs abuse](https://red.infiltr8.io/ad/movement/group-policies), [Kerberoast](https://red.infiltr8.io/ad/movement/kerberos/kerberoast), [ASREProast](https://red.infiltr8.io/ad/movement/kerberos/asreproast), [domain trusts attacks](https://red.infiltr8.io/ad/movement/domain-trusts), etc.

![](https://329872044-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMdUKdzuqIuObdvCB3mUR%2Fuploads%2Fgit-blob-2642465958ca32056061c79d1d53dda8a7cea46e%2FScreenshot%20from%202020-12-08%2015-29-30.png?alt=media)

For detailed and official documentation on the analysis process, testers can check the following resources: [the BloodHound GUI](https://bloodhound.readthedocs.io/en/latest/data-analysis/bloodhound-gui.html), [nodes](https://bloodhound.readthedocs.io/en/latest/data-analysis/nodes.html) and [edges](https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html).

{% hint style="success" %}
Here are some examples of quick wins to spot with BloodHound

* **shadow admins**: users that are not members of privileged Active Directory groups but have sensitive privileges over the domain (run graph queries like "find principals with [DCSync](https://red.infiltr8.io/redteam/credentials/os-credentials/windows-and-active-directory/dcsync) rights", "users with most local admin rights", or check "inbound control rights" in the domain and privileged groups node info panel)
* **other over-privileged users**: user that can control many objects ([ACEs](https://github.com/v4resk/red-book/blob/main/ad/recon/tools/broken-reference/README.md)) and that often leads to admins, shadow admins or sensitive servers (check for "outbound control rights" in the node info panel)
* **over-privileged computers**: find computers that can do [(un)constrained Kerberos delegation](https://red.infiltr8.io/ad/movement/kerberos/delegations) (run graph queries like "find computer with unconstrained delegations")
* **admin computers**: find computers (A) that have admin rights against other computers (B). This can be exploited as follows: computer A triggered with an [MS-RPRN abuse (printerbug),](https://red.infiltr8.io/ad/movement/mitm-and-coerced-authentications/ms-rprn) authentication is then [relayed](https://red.infiltr8.io/ad/movement/ntlm/relay), and credentials are [dumped](https://red.infiltr8.io/ad/movement/credentials/dumping) on the computer B.

Other quick wins can be easily found with the [bloodhound-quickwin](https://github.com/kaluche/bloodhound-quickwin) Python script

```bash
bhqc.py -u $neo4juser -p $neo4jpassword
```

{% endhint %}

{% hint style="success" %}
[CrackHound](https://github.com/trustedsec/CrackHound) (Python) can be used to populate BloodHound's database with password obtained during a pentest. This can help sort and report attack paths.
{% endhint %}

## Resources

![https://github.com/SadProcessor/HandsOnBloodHound/blob/master/BH21/BH4\_SharpHound\_Cheat.pdf](https://329872044-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMdUKdzuqIuObdvCB3mUR%2Fuploads%2Fgit-blob-3368e77875158bb908771eab94e21f876af9f150%2FBH4_SharpHound_Cheat.png?alt=media)

{% embed url="<https://blog.riccardoancarani.it/bloodhound-tips-and-tricks/>" %}

{% embed url="<https://bloodhound.readthedocs.io/en/latest/>" %}

{% embed url="<https://porterhau5.com/blog/extending-bloodhound-track-and-visualize-your-compromise/>" %}