# BloodHound

## Installation

### Simple way to set up BloodHound (Community Edition, Docker)

#### Install docker

```bash
sudo apt update
sudo apt install docker.io
```

#### Install docker-compose

```bash
sudo curl -SL https://github.com/docker/compose/releases/download/v2.29.6/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

# check with
sudo docker-compose
```

#### Run

```bash
# fetches the official BloodHound CE compose file and starts the stack
# (BloodHound web app, PostgreSQL and Neo4j containers)
curl -L https://ghst.ly/getbhce | sudo docker-compose -f - up
```

<figure><img src="https://1855963211-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FaDjlLLsWaat1v8p89kgM%2Fuploads%2F8qg8LvTdLsGuO0esvHJg%2Fimage.png?alt=media&#x26;token=209c972f-c36f-440c-a9ef-f46afa1e0543" alt=""><figcaption></figcaption></figure>

Locate the randomly generated initial admin password in the terminal output of Docker Compose (it is printed only once, on first start).

<figure><img src="https://1855963211-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FaDjlLLsWaat1v8p89kgM%2Fuploads%2F5fAPrm4HxMYwMxZY9W6n%2Fimage.png?alt=media&#x26;token=429e78de-b092-4693-ad5b-a52729f991e9" alt=""><figcaption></figcaption></figure>

In a browser, navigate to <mark style="background-color:green;"><http://localhost:8080/ui/login></mark>. Log in with the username **admin** and the randomly generated password from the logs.

<figure><img src="https://1855963211-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FaDjlLLsWaat1v8p89kgM%2Fuploads%2FOfpZoprIZUV8u5Gt2TqU%2Fimage.png?alt=media&#x26;token=c40715b6-5002-4a34-ab98-902c7d255886" alt=""><figcaption></figcaption></figure>

On first login you are forced to change the randomly generated password. After that the new web interface is ready, and the ingestors (collectors) can be downloaded directly from it.

<figure><img src="https://1855963211-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FaDjlLLsWaat1v8p89kgM%2Fuploads%2FbdO9PUiiJha3cSKf8G1P%2Fimage.png?alt=media&#x26;token=4b39d197-8fd0-4b03-abca-536edba02a90" alt=""><figcaption></figcaption></figure>

### Persistent installation, legacy BloodHound with Neo4j (needs more effort to set up)

1. Download and unzip a release, or clone [https://github.com/BloodHoundAD/BloodHound.git](https://github.com/BloodHoundAD/BloodHound.git)
2. Run `./bloodhound` from the extracted directory

or, on Kali:

```bash
sudo apt install bloodhound
```

**Run neo4j** (BloodHound connects to it over bolt on port 7687)

```bash
sudo neo4j console
```

Default credentials: `neo4j:neo4j`

Change the password first: open the Neo4j Browser at <http://localhost:7474>, log in with the defaults and set a new password, then use the new credentials in the BloodHound login window.

If you forget the password on an older Neo4j (3.x), reset it by deleting the auth store while Neo4j is stopped; it is recreated with the default `neo4j:neo4j` on the next start:

```bash
# reset the neo4j password (Neo4j 3.x layout): find the auth store, then delete it
locate neo4j | grep auth

sudo neo4j stop
sudo rm /usr/share/neo4j/data/dbms/auth
sudo neo4j console   # log in with neo4j:neo4j and set a new password
```

Newer Neo4j versions (4.x and later):

1. Open the *neo4j.conf* file and set `dbms.security.auth_enabled` parameter to `false` to disable the authentication:

```properties
dbms.security.auth_enabled=false
```

2. Restart Neo4j, open the Neo4j Browser (<http://localhost:7474>), and set a new password from its console. Afterwards set `dbms.security.auth_enabled` back to `true` and restart, otherwise the database stays open to anyone who can reach port 7474/7687:

```cypher
ALTER USER neo4j SET PASSWORD 'mynewpassword';
```

<figure><img src="https://1855963211-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FaDjlLLsWaat1v8p89kgM%2Fuploads%2FDiGXSyaNqviEnT9mQksJ%2Fimage.png?alt=media&#x26;token=b4c7d826-d4c9-44e3-81a7-196a41c76a17" alt=""><figcaption></figcaption></figure>

Transfer `SharpHound.exe` to a domain-joined host, run it there (see Get Data below), and bring the resulting zip back for import.

## Analysis

### Import data

Drag and drop the SharpHound zip file into the BloodHound window (or use the Upload Data button).

**Pre-built queries (Analysis tab)**

1. Find all Domain Admins
2. List all Kerberoastable Accounts
3. Find Principals with DCSync Rights

**Attack paths (once you own a user, right-click it and mark it as Owned first)**

1. Shortest Paths to Domain Admins from Owned Principals
2. Find Shortest Paths to Domain Admins
3. Node Info -> Group Membership (first degree / unrolled)

Get the enabled users from the SharpHound users JSON file (useful as a wordlist for password spraying):

```bash
# .data[] is one object per user; .Properties.enabled is false for disabled accounts
jq -r '.data[].Properties | select(.enabled == true) | .name' ...._users.json > users.txt
```
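The same data can be triaged offline without Neo4j, which is handy when BloodHound is not running or when you want the answers in a script. The following added example (not part of this page or of the BloodHound project) parses SharpHound-style `users.json` and `groups.json`, reproduces the enabled-user and Kerberoastable selections from the pre-built queries, and walks the `MemberOf` edges in `groups.json` to find effective Domain Admins and the shortest membership path from an owned user. The two JSON documents, the SIDs and the account names are constructed; they follow the `data` / `Properties` / `ObjectIdentifier` / `Members` layout of SharpHound v4-style output, and the Domain Admins group is identified by its well-known RID 512.

```python
"""Offline triage of SharpHound JSON output (added example, not BloodHound code)."""
import json
from collections import deque

# Constructed sample data mirroring the layout of SharpHound users.json / groups.json.
USERS_JSON = json.dumps({
    "data": [
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1104",
         "Properties": {"name": "ALICE@CORP.LOCAL", "enabled": True, "hasspn": False}},
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1105",
         "Properties": {"name": "SVC_SQL@CORP.LOCAL", "enabled": True, "hasspn": True}},
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1106",
         "Properties": {"name": "OLDADMIN@CORP.LOCAL", "enabled": False, "hasspn": False}},
        {"ObjectIdentifier": "S-1-5-21-1-2-3-1107",
         "Properties": {"name": "BOB@CORP.LOCAL", "enabled": True, "hasspn": False}},
    ],
    "meta": {"type": "users", "count": 4, "version": 5},
})

GROUPS_JSON = json.dumps({
    "data": [
        {"ObjectIdentifier": "S-1-5-21-1-2-3-512",          # RID 512 = Domain Admins
         "Properties": {"name": "DOMAIN ADMINS@CORP.LOCAL"},
         "Members": [{"ObjectIdentifier": "S-1-5-21-1-2-3-1104", "ObjectType": "User"},
                     {"ObjectIdentifier": "S-1-5-21-1-2-3-2001", "ObjectType": "Group"}]},
        {"ObjectIdentifier": "S-1-5-21-1-2-3-2001",         # nested group inside DA
         "Properties": {"name": "TIER0-OPS@CORP.LOCAL"},
         "Members": [{"ObjectIdentifier": "S-1-5-21-1-2-3-1105", "ObjectType": "User"}]},
        {"ObjectIdentifier": "S-1-5-21-1-2-3-513",          # RID 513 = Domain Users
         "Properties": {"name": "DOMAIN USERS@CORP.LOCAL"},
         "Members": [{"ObjectIdentifier": "S-1-5-21-1-2-3-1107", "ObjectType": "User"}]},
    ],
    "meta": {"type": "groups", "count": 3, "version": 5},
})


def load(raw):
    """Return the list of objects under 'data' from a SharpHound JSON document."""
    return json.loads(raw)["data"]


def names(objs):
    """Map ObjectIdentifier (SID) -> display name for printing paths."""
    return {o["ObjectIdentifier"]: o["Properties"]["name"] for o in objs}


def enabled_users(users):
    """Same selection as the jq one-liner above: names of enabled accounts."""
    return sorted(u["Properties"]["name"] for u in users if u["Properties"].get("enabled"))


def kerberoastable(users):
    """'List all Kerberoastable Accounts': enabled users that have an SPN."""
    return sorted(u["Properties"]["name"] for u in users
                  if u["Properties"].get("enabled") and u["Properties"].get("hasspn"))


def memberof_edges(groups):
    """Build member SID -> {group SID} edges, i.e. BloodHound's MemberOf relationship."""
    edges = {}
    for g in groups:
        for m in g.get("Members", []):
            edges.setdefault(m["ObjectIdentifier"], set()).add(g["ObjectIdentifier"])
    return edges


def shortest_path_to_da(start_sid, groups):
    """BFS over MemberOf edges from start_sid to the Domain Admins group (RID 512).
    Returns the SIDs along the shortest path, or None if DA is unreachable."""
    edges = memberof_edges(groups)
    queue, seen = deque([[start_sid]]), {start_sid}
    while queue:
        path = queue.popleft()
        if path[-1].endswith("-512"):
            return path
        for nxt in edges.get(path[-1], ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def effective_domain_admins(users, groups):
    """'Find all Domain Admins', including membership through nested groups."""
    return sorted(u["Properties"]["name"] for u in users
                  if shortest_path_to_da(u["ObjectIdentifier"], groups))


if __name__ == "__main__":
    users, groups = load(USERS_JSON), load(GROUPS_JSON)
    label = {**names(users), **names(groups)}
    print("enabled users:", enabled_users(users))
    print("kerberoastable:", kerberoastable(users))
    print("domain admins:", effective_domain_admins(users, groups))
    owned = "S-1-5-21-1-2-3-1105"   # constructed: pretend we own SVC_SQL
    path = shortest_path_to_da(owned, groups)
    print("owned -> DA:", " -> ".join(label[s] for s in path) if path else "no path")
```

With real collector output, replace the two embedded documents with `open(...).read()` of the `*_users.json` and `*_groups.json` files; the BFS only follows `MemberOf`, so it will not find paths that BloodHound would build from ACL or session edges. The RID-512 check also only matches the Domain Admins group of the domain the SID belongs to, which is the same convention BloodHound's own Domain Admins queries use.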

## Get Data

**SharpHound.exe** (run on a domain-joined host as a domain user)

```powershell
# quick run: all collection methods, zip written to the current directory
.\SharpHound.exe -c all

# same with long option names and an explicit zip file name
.\SharpHound.exe --CollectionMethods All --ZipFileName output.zip
```

**SharpHound.ps1**

```powershell
# dot-source the collector into a bypass-policy session, then run it;
# -Domain takes the FQDN of the target domain
powershell -ep bypass -c ". .\SharpHound.ps1; Invoke-BloodHound -CollectionMethod All -Domain <domain> -ZipFileName file.zip"
```

**bloodhound.py** (remote collection from Linux, no foothold on a Windows host needed)

```bash
# -ns: nameserver to use, normally the DC itself; -c All: all collection methods
python3.8 bloodhound.py -ns <ip> -d <domain> -dc <domain controller> -u <username> -p <password> -c All
```
