BloodHound

Installation

Simple Way Setup Bloodhound

Install docker

sudo apt update
sudo apt install docker.io

Install docker-compose

sudo curl -SL https://github.com/docker/compose/releases/download/v2.29.6/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

# check with
sudo docker-compose

Run

curl -L https://ghst.ly/getbhce | sudo docker-compose -f - up

Locate the randomly generated password in the terminal output of Docker Compose.

In a browser, navigate to http://localhost:8080/ui/login. Login with a username of admin and the randomly generated password from the logs.

After this you will need to change the randomly generated password and you will have the new interface ready, from which you can directly download the ingestors.

Persistent Installation (Need effort to setup)

1. unzip or clone (https://github.com/BloodHoundAD/BloodHound.git)

2. ./bloodhound

or

sudo apt install bloodhound

Run neo4j

sudo neo4j console

(neo4j:neo4j) default creds:

Then change the password fist in the neo4j

If you forgot the password, reset it with this command:

# reset password neo4j
locate neo4j |grep auth

rm /usr/share/neo4j/data/dbms/auth

latest version:

1. Open the neo4j.conf file and set dbms.security.auth_enabled parameter to false to disable the authentication:

dbms.security.auth_enabled=false

1. Login to the browser, then reset password via console in the browser

ALTER USER neo4j SET PASSWORD 'mynewpassword'

Upload sharphound.exe

Analysis

Import data Drop zip file into bloodhound

Analysis

1. Find all Domain Admins

2. List all Kerberoastable Accounts

3. Find Principals with DCSync Rights

Attack path (while own a user)

1. Shortest Paths to Domain Admins from Owned Principals

2. Find Shortest Paths to Domain Admins

3. Node Info -> Group

Get Users from bloodhound json file

cat ...._users.json | jq '.data[].Properties | select( .enabled == true) |.name' -r > users.txt

Get Data

SharpHound.exe

.\SharpHound.exe -c all

.\SharpHound.exe --CollectionMethods All --ZipFileName output.zip

SharpHound.ps1

powershell -ep bypass . .\SharpHound.ps1 Invoke-BloodHound -CollectionMethod All -Domain -ZipFileName file.zip

bloodhound.py

python3.8 bloodhound.py -ns <ip> -d <domain> -dc <domain controller> -u <username> -p <password> -c All