Setup BloodHound tool on Windows and enumerate Active Directory Objects

BloodHound is an application used to visualize active directory environments. The front-end is built on electron and the back-end is a Neo4j database, the data leveraged is pulled from a series of data collectors also referred to as ingestors which come in PowerShell and C# flavours.

• It identifies different attack paths in Active Directory , maps access control lists (ACLs), users, groups, trust relationships and unique AD objects.

Setup

•BloodHound is supported by Linux, Windows, and MacOS. Bloodhound is built on neo4j and depends on it. Neo4j is a graph database management system, which uses NoSQL as a graph database.

•Download the Windows binary from Bloodhound GitHub Page

https://github.com/BloodHoundAD/BloodHound/releases

•Download Neo4J community Server

Thanks for Downloading Neo4j - Neo4j Graph Database Platform

• Open Neo4j Folder and run the Neo4j database for the use of Bloodhound

● Run the bloodhound and connect to the neo4j database by giving username neo4j and password as neo4j

Usage

•Inorder to collect the data of Active Directory, should use Ingestiors like Sharphound and Powershell Script that is given in Bloodhound

https://github.com/BloodHoundAD/BloodHound/tree/master/Ingestors

•if you are running on non-AD member first you need to run it as AD member by issuing command

runas /netonly /user:ad.redacted.com\<username> “cmd.exe -nop -executionPolicy bypass”

•Connect to Pulsesecure(VPN) where you connect to your Active Directory to enumerate AD objects

SharpHound.exe Invoke-BloodHound — CollectionMethod All

•The default if this parameter is not supplied is Default:

Default — This performs a collection of the local admins on machines, group memberships, domain trusts, and sessions.

Group — Collects the group memberships only

LocalGroup — Collects just the local admins

GPOLocalGroup — Performs local admin collection using Group Policy Objects

ComputerOnly — Performs local admin collection and session collection

Session — Collects the user sessions on machines on the domain

LoggedOn — Performs privileged session collection (this requires local admin rights on target systems

Usage

Trusts — Enumerates the domain trusts for the specified target domain

ACL — Collects the access control lists from the domain

Container — Performs collection of Containers

All — Performs all Collection Methods listed above.

• Once the command successfully executed it gives you a zip folder , Import the zip in the Bloodhound

• Bloodhound has some default Queries which gives you understanding objects of Domain

Custom Queries Usage

•Custome Queries can also use to query the database

https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/

• The command is intended for the graph/GUI or console. For the console, it means they cannot be executed via Bloodhound GUI and must be done via the neo4j console.

References

•https://www.pentestpartners.com/security-blog/bloodhound-walkthrough-a-tool-for-many-tradecrafts/

•https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-with-bloodhound-on-kali-linux

•https://github.com/chryzsh/awesome-bloodhound