[intranet learning notes] 5. Use of BloodHound

1. Introduction

BloodHound presents the relationships in a domain environment as a visual graph. Attackers can use BloodHound to identify highly complex attack paths, and defenders can use it to identify and defend against those same attack paths. Both blue teams and red teams can use BloodHound to gain a deeper understanding of the permission relationships in a domain environment.

BloodHound works on information exported from the domain: after collection, the data is imported into a Neo4j database for display and analysis. Installing BloodHound therefore requires installing the Neo4j database as well.

2. Installation

Because the Neo4j database requires Java, you need to install Java before installing BloodHound. The installation on Windows is used as the example here.


Download the latest version of the JDK, otherwise Neo4j may report an error. JDK download address: https://www.oracle.com/java/technologies/javase-downloads.html. After downloading, you can install it directly.


Download the latest version of Neo4j directly from: https://neo4j.com/download-center/#community

After downloading the latest version, unzip the file, open the bin directory and run the command neo4j.bat console. Then open a browser, go to http://localhost:7474 to reach the Neo4j web interface, and enter the following information to connect to the database. A successful connection indicates that the installation is complete.

URL: neo4j://localhost:7687
Username (default): neo4j
Password (default): neo4j


BloodHound project address: https://github.com/BloodHoundAD/BloodHound. After downloading, unzip it and open BloodHound.exe, then enter the account and password of the Neo4j database to complete the installation.

3. Use

After installing BloodHound, you need to collect and import data. The data can be collected with either the ps1 script or the exe program. The download address of the collectors is: https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors

SharpHound.exe is used here to collect the data: send SharpHound.exe to the target and execute SharpHound.exe -c all for data collection.

C:\Users\daniel10>SharpHound.exe -c all
Initializing SharpHound at 22:36 on 2021/2/25
Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container
[+] Creating Schema map for domain TEAMSSIX.COM using path CN=Schema,CN=Configuration,DC=teamssix,DC=com
[+] Cache File Found! Loaded 1332 Objects in cache
[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 24 MB RAM
Status: 673 objects finished (+673 134.6)/s -- Using 43 MB RAM
Enumeration finished in 00:00:05.3136324
Compressing data to .\20210225223622_BloodHound.zip
You can upload this file directly to the UI
SharpHound Enumeration Completed at 22:36 on 2021/2/25! Happy Graphing!

If ps1 script collection is used, the command is:

powershell -exec bypass -command "Import-Module ./SharpHound.ps1; Invoke-BloodHound -c all"

The collected data is saved as a zip archive. Copy it to the host running BloodHound, click Upload Data among the icons on the right of BloodHound, and select the archive just generated to import the data.

Alternatively, drag the zip archive directly onto the BloodHound window to import the data.
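On the defensive side, the two invocations and the archive name shown above are what endpoint logging will record. The following added example (not part of the original post or of BloodHound) triages process and file-creation events for them; the event layout, host names and the WS03 paths are constructed assumptions.

```python
import re

# Strong indicators name the collector or its default output archive; weak
# ones only count in combination. All patterns come from the session above.
STRONG = {
    "sharphound_name": re.compile(r"sharphound", re.I),
    "invoke_bloodhound": re.compile(r"invoke-bloodhound", re.I),
    "output_archive": re.compile(r"\b\d{14}_bloodhound\.zip\b", re.I),
}
WEAK = {
    "collect_all": re.compile(r"\s-c\s+all\b", re.I),
    "exec_bypass": re.compile(r"\s-exec\s+bypass\b", re.I),
}

def match_indicators(text):
    """Return (strong, weak) indicator names found in one log field."""
    strong = sorted(n for n, rx in STRONG.items() if rx.search(text))
    weak = sorted(n for n, rx in WEAK.items() if rx.search(text))
    return strong, weak

def triage(events):
    """Flag events with any strong indicator, or with two weak ones together."""
    alerts = []
    for ev in events:
        strong, weak = match_indicators(ev["text"])
        if strong or len(weak) >= 2:
            alerts.append({"host": ev["host"], "kind": ev["kind"],
                           "indicators": strong + weak})
    return alerts

# Constructed sample events: process command lines and created file paths.
SAMPLE_EVENTS = [
    {"host": "WS01", "kind": "process", "text": r"C:\Users\daniel10\SharpHound.exe -c all"},
    {"host": "WS01", "kind": "file", "text": r"C:\Users\daniel10\20210225223622_BloodHound.zip"},
    {"host": "WS02", "kind": "process",
     "text": 'powershell -exec bypass -command "Import-Module ./SharpHound.ps1; Invoke-BloodHound -c all"'},
    # A renamed binary carries no name indicator; only the archive gives it away.
    {"host": "WS03", "kind": "process", "text": r"C:\Temp\svc.exe -c all"},
    {"host": "WS03", "kind": "file", "text": r"C:\Temp\20210225230101_BloodHound.zip"},
    {"host": "WS04", "kind": "process", "text": r"C:\Windows\System32\ipconfig.exe /all"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Name-based matching alone misses the WS03 process event, which is why the file-creation event for the default archive name is checked as well.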

There are three panels in the upper right corner of BloodHound:

1. Database Info: shows statistics on the domain users and domain computers in the current database.

2. Node Info: when you click a node, the relevant information for that node is shown here.

3. Analysis: BloodHound comes with a set of preset queries, as follows:

1. Find all domain administrators
2. Find the shortest path to the domain administrators
3. Find principals with DCSync permission
4. Users with foreign domain group membership
5. Groups with foreign domain group membership
6. Map domain trusts
7. Shortest path to unconstrained delegation systems
8. Shortest path to Kerberoastable users
9. Shortest path from Kerberoastable users to the domain administrators
10. Shortest path from owned principals
11. Shortest path from owned principals to the domain administrators
12. Shortest path to high-value targets
13. Find computers where domain users are local administrators
14. Find computers where domain users can read passwords
15. Shortest path from domain users to high-value targets
16. Find all paths from domain users to high-value targets
17. Find workstations where domain users can RDP
18. Find servers where domain users can RDP
19. Find dangerous permissions for domain user groups
20. Find Kerberoastable members of high-value groups
21. List all Kerberoastable users
22. Find the most privileged Kerberoastable users
23. Find domain administrator logons to non-domain controllers
24. Find computers with unsupported operating systems
25. Find AS-REP Roastable users (DontReqPreAuth)

For example, the shortest path to the domain administrators can be queried here.

Each edge in the graph tapers from thick to thin, indicating that the node at the thick end has a permission on, or a relationship with, the node at the thin end.
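What the shortest-path queries compute can be reproduced on a toy graph. The following is an added example, not BloodHound's own code: the node names are constructed, the edge labels MemberOf, AdminTo and HasSession are BloodHound relationship types, and choke_edges is a hypothetical helper that lists the single relationships whose removal breaks every path to the target.

```python
from collections import deque

# Constructed sample graph as (source, relationship, target) triples, read
# in the same direction as the thick-to-thin edges in the BloodHound view.
EDGES = [
    ("ALICE@LAB.LOCAL", "MemberOf", "HELPDESK@LAB.LOCAL"),
    ("ALICE@LAB.LOCAL", "MemberOf", "IT@LAB.LOCAL"),
    ("HELPDESK@LAB.LOCAL", "AdminTo", "SRV01.LAB.LOCAL"),
    ("IT@LAB.LOCAL", "AdminTo", "SRV01.LAB.LOCAL"),
    ("SRV01.LAB.LOCAL", "HasSession", "DA_BOB@LAB.LOCAL"),
    ("DA_BOB@LAB.LOCAL", "MemberOf", "DOMAIN ADMINS@LAB.LOCAL"),
]
USER, TARGET = "ALICE@LAB.LOCAL", "DOMAIN ADMINS@LAB.LOCAL"

def shortest_path(edges, start, goal):
    """Breadth-first search; returns the hops of one shortest path, or None."""
    adjacency = {}
    for src, rel, dst in edges:
        adjacency.setdefault(src, []).append((rel, dst))
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, hops = queue.popleft()
        if node == goal:
            return hops
        for rel, dst in adjacency.get(node, []):
            if dst not in seen:
                seen.add(dst)
                queue.append((dst, hops + [(node, rel, dst)]))
    return None

def choke_edges(edges, start, goal):
    """Edges whose removal alone leaves no path from start to goal."""
    return [e for e in edges
            if shortest_path([x for x in edges if x != e], start, goal) is None]

if __name__ == "__main__":
    for src, rel, dst in shortest_path(EDGES, USER, TARGET):
        print(f"{src} -[{rel}]-> {dst}")
    print("choke points:", choke_edges(EDGES, USER, TARGET))
```

In this sample the two group memberships are interchangeable routes, so the domain administrator's session on SRV01 is the relationship a defender gains most from removing, which is what preset query 23 looks for.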

In general, I think BloodHound is very interesting. You can intuitively see the relationships between hosts in the domain. However, it is, after all, an auxiliary tool. We still need to constantly improve our strength and experience to better analyze such results.

Original link: https://www.teamssix.com/year/210226-190853.html


Posted by rhaggert on Fri, 15 Apr 2022 05:58:01 +0930