Bloodhound
Last updated
Was this helpful?
Last updated
Was this helpful?
we need to configure neo4j - mainly just change default passwords, so let's run:
Nav to http://localhost:7474
Config a DB user account by changing default passwords from neo4j:neo4j to something else
If you run into an issue in which your system informs you that your java version is wrong and you have more than one openjdk installed you can switch which one is used by default.
Run bloodhound with:
Now log into the DB with the user and password you just set up
In order for BloodHound to do its magic, we need to enumerate a victim domain. The enumeration process produces a JSON file that describes various relationships and permissions between AD objects as mentioned earlier, which can then be imported to BloodHound. Once the resulting JSON file is ingested/imported to BloodHound, it will allow us to visually see the ways (if any) how Active Directory and its various objects can be (ab)used to elevate privileges, ideally to Domain Admin.
Above paragraph taken from this great guide:
The tool that does the AD enumeration is SharpHound.
It can be downloaded in release form here
It comes in a .exe or .ps1 file
If you are on a machine that is a member of a domain but are authenticated as just a local use (not a domain user) you will get an error that states:
If you have creds to a domain user use the runas utility:
Once that is done or you have a domain compromised account we can proceed:
Powershell Version:
C# method
Both of these will produce a .zip, exfil that file back to bloodhound and simply drag and drop it into the GUI
Once the data is ingested, as mentioned, we can play around with the built in queries to find things like All Domain Admins, Shortest Path to Domain Admins and similar, that may help us as an attacker to escalate privileges and compromise the entire domains/forest.
Mark the user account you have compromised as "Owned" --> Find user you own --> right click --> Mark User as Owned
Now from the Analysis tab a great query is Shortest Path from Owned Principles
If you over over the lines and --> right click --> help it will give you information along with commands to take advantage of vulns
We use this feature for example to mark a list of accounts with their password found on a share as owned, or following a discussion with a customer to set a list of especially interesting targets as high value.
The following command sets all the hosts in “high_value.txt” to high value targets:
The names of users and computers in the text file should match the name shown on the GUI for the node:
We often find ourselves wanting to set the values of attributes in BloodHound in bulk. The tool was written for this purpose. It allows marking a list of computers as owned or a list of users as high value for instance.
