
BloodHound


Last updated 7 months ago

Installation

Simple Way to Set Up BloodHound

Install docker

sudo apt update
sudo apt install docker.io

Install docker-compose

sudo curl -SL https://github.com/docker/compose/releases/download/v2.29.6/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

# check with
sudo docker-compose

Run

curl -L https://ghst.ly/getbhce | sudo docker-compose -f - up

Locate the randomly generated password in the terminal output of Docker Compose.

In a browser, navigate to http://localhost:8080/ui/login. Log in with the username admin and the randomly generated password from the logs.

After this you will need to change the randomly generated password and you will have the new interface ready, from which you can directly download the ingestors.

Persistent Installation (needs effort to set up)

  1. ./bloodhound

or

sudo apt install bloodhound

Run neo4j

sudo neo4j console

Default creds: neo4j:neo4j

Then change the password first in neo4j.

If you forgot the password, reset it with this command:

# reset password neo4j
locate neo4j |grep auth

rm /usr/share/neo4j/data/dbms/auth

Latest version:

  1. Open the neo4j.conf file and set the dbms.security.auth_enabled parameter to false to disable authentication:

dbms.security.auth_enabled=false

  2. Log in via the browser, then reset the password from the console in the browser:

ALTER USER neo4j SET PASSWORD 'mynewpassword'
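
The reset above leaves dbms.security.auth_enabled=false in neo4j.conf until it is changed back, so the database accepts unauthenticated connections in the meantime. As an added example (not part of the original notes), these shell functions report whether an uncommented line still disables authentication and switch it back to true; the function names and the sample config in demo_conf are constructed for illustration.

```shell
#!/bin/sh
# Added example (constructed): audit and restore Neo4j auth after a reset.
KEY='dbms.security.auth_enabled'

# Prints "disabled" if any uncommented line sets KEY to false, "enabled" if
# it is only set to true, "default" if unset (Neo4j then enforces auth).
neo4j_auth_state() {
    awk -v key="$KEY" '
        /^[ \t]*#/ { next }                  # commented-out settings do not count
        {
            line = $0
            gsub(/[ \t\r]/, "", line)        # tolerate "key = value"
            n = index(line, "=")
            if (n == 0 || substr(line, 1, n - 1) != key) next
            seen = 1
            if (tolower(substr(line, n + 1)) == "false") off = 1
        }
        END { print (off ? "disabled" : (seen ? "enabled" : "default")) }
    ' "$1"
}

# Rewrites every uncommented assignment of KEY to true; keeps <file>.bak.
neo4j_enable_auth() {
    cp -p "$1" "$1.bak" &&
    awk -v key="$KEY" '
        /^[ \t]*#/ { print; next }
        {
            line = $0
            gsub(/[ \t\r]/, "", line)
            n = index(line, "=")
            if (n > 0 && substr(line, 1, n - 1) == key) print key "=true"
            else print
        }
    ' "$1.bak" > "$1"
}

# Constructed sample: a commented default plus the edit made for the reset.
demo_conf() {
    printf '%s\n' \
        '# Whether requests to Neo4j are authenticated.' \
        '#dbms.security.auth_enabled=false' \
        'dbms.default_listen_address=127.0.0.1' \
        'dbms.security.auth_enabled = false'
}

# Usage: sh script.sh path/to/neo4j.conf   (prints the state of that file)
if [ -n "${1:-}" ]; then neo4j_auth_state "$1"; fi
```

Restart Neo4j after changing the file so the setting takes effect.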

Upload sharphound.exe

Analysis

Import data: drop the zip file into BloodHound

Analysis

  1. Find all Domain Admins

  2. List all Kerberoastable Accounts

  3. Find Principals with DCSync Rights

Attack path (when you own a user)

  1. Shortest Paths to Domain Admins from Owned Principals

  2. Find Shortest Paths to Domain Admins

  3. Node Info -> Group

Get users from the BloodHound JSON file

cat ...._users.json | jq '.data[].Properties | select( .enabled == true) |.name' -r > users.txt

Get Data

SharpHound.exe

.\SharpHound.exe -c all

.\SharpHound.exe --CollectionMethods All --ZipFileName output.zip

SharpHound.ps1

powershell -ep bypass
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain <domain> -ZipFileName file.zip

bloodhound.py

python3.8 bloodhound.py -ns <ip> -d <domain> -dc <domain controller> -u <username> -p <password> -c All

unzip or clone (https://github.com/BloodHoundAD/BloodHound.git)