1. Introduction
BloodHound uses a visual graph to show the relationships in a domain environment. Attackers can use BloodHound to identify highly complex attack paths, and defenders can use BloodHound to identify and defend those same attack paths. Both the blue team and the red team can use BloodHound to quickly understand the permission relationships in the domain environment.
BloodHound exports the relevant information from the domain and, after collection, imports the data into the Neo4j database for display and analysis. Therefore, when installing BloodHound, you also need to install the Neo4j database.
2. Installation
Because the Neo4j database needs Java support, you need to install Java before installing BloodHound. Here, installation on Windows is taken as the example.
Java
The JDK needs to be the latest version, otherwise Neo4j may report an error. JDK download address: https://www.oracle.com/java/technologies/javase-downloads.html ; after downloading, you can install it directly.
Neo4j
Download the latest version of Neo4j directly at: https://neo4j.com/download-center/#community
After downloading the latest version, unzip the downloaded file, open the bin directory and run the command neo4j.bat console, then open http://localhost:7474 in the browser. Log in to the web console and enter the following information to connect to the database; a successful connection indicates that the installation is complete.
URL: neo4j://localhost:7687
User name (default): neo4j
Password (default): neo4j
BloodHound
BloodHound project address: https://github.com/BloodHoundAD/BloodHound . After downloading, unzip it and open BloodHound.exe, then enter the account and password of the Neo4j database to complete the installation.
3. Usage
After installing BloodHound, you need to collect and import data. The data can be collected with the ps1 script or the exe program. The collectors can be downloaded from: https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors
SharpHound.exe is used here to collect data: copy SharpHound.exe to the target host and run SharpHound.exe -c all to collect the data.
C:\Users\daniel10>SharpHound.exe -c all
---------------------------------------------
Initializing SharpHound at 22:36 on 2021/2/25
---------------------------------------------
Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container
[+] Creating Schema map for domain TEAMSSIX.COM using path CN=Schema,CN=Configuration,DC=teamssix,DC=com
[+] Cache File Found! Loaded 1332 Objects in cache
[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 24 MB RAM
Status: 673 objects finished (+673 134.6)/s -- Using 43 MB RAM
Enumeration finished in 00:00:05.3136324
Compressing data to .\20210225223622_BloodHound.zip
You can upload this file directly to the UI
SharpHound Enumeration Completed at 22:36 on 2021/2/25! Happy Graphing!
If the ps1 script is used for collection, the command is:
powershell -exec bypass -command "Import-Module ./SharpHound.ps1; Invoke-BloodHound -c all"
The collected data is saved as a zip package; copy it to the host running BloodHound. Click Upload Data among the icons on the right side of BloodHound, then upload the package just generated to import the data.
Alternatively, drag the zip package directly into the BloodHound window to import the data.
There are three tabs in the upper right corner of BloodHound:
1. Database Info: view statistics about the domain users and domain computers in the current database.
2. Node Info: when you click a node, the information about that node is shown here.
3. Analysis: a number of queries are preset in BloodHound, as follows:
1. Find all domain administrators
2. Find the shortest paths to domain administrators
3. Find principals with DCSync rights
4. Users with foreign domain group membership
5. Groups with foreign domain group membership
6. Map domain trusts
7. Shortest paths to unconstrained delegation systems
8. Shortest paths to Kerberoastable users
9. Shortest paths from Kerberoastable users to domain administrators
10. Shortest paths from owned principals
11. Shortest paths from owned principals to domain administrators
12. Shortest paths to high-value targets
13. Find computers where domain users are local administrators
14. Find computers where domain users can read passwords
15. Shortest paths from domain users to high-value targets
16. Find all paths from domain users to high-value targets
17. Find workstations where domain users can RDP
18. Find servers where domain users can RDP
19. Find dangerous rights for domain user groups
20. Find Kerberoastable members of high-value groups
21. List all Kerberoastable users
22. Find the most privileged Kerberoastable users
23. Find domain administrator logons to non-domain controllers
24. Find computers with unsupported operating systems
25. Find AS-REP Roastable users (DontReqPreAuth)
For example, the shortest paths to the domain administrators can be queried here.
An edge is drawn from its thick end to its thin end, indicating that the principal at the thick end has a permission on, or a relationship with, the principal at the thin end.
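The preset queries above are Cypher statements run against the Neo4j database, so the same kind of analysis can be done by hand in the Neo4j browser at http://localhost:7474. The following is an added example, not from the original post or the BloodHound project: three defender-oriented queries written against the BloodHound node and edge schema (labels User/Group/Computer, edges such as MemberOf and AdminTo, properties enabled, hasspn, dontreqpreauth and highvalue as populated by SharpHound). The Domain Admins group name assumes the TEAMSSIX.COM domain from the collection output above; run each query separately.

```cypher
// Added example, not from the original post or the BloodHound project.
// Assumes BloodHound's schema and the domain TEAMSSIX.COM from the output above.

// Query 1: every enabled user or computer that has a path to Domain Admins,
// ordered by hop count, so the shortest paths (the ones to remediate first)
// appear at the top together with the edge types that make up each path.
MATCH (n)
WHERE (n:User OR n:Computer) AND n.enabled = true
MATCH (g:Group {name: "DOMAIN ADMINS@TEAMSSIX.COM"})
WHERE n <> g
MATCH p = shortestPath((n)-[:MemberOf|AdminTo|HasSession|GenericAll|GenericWrite|WriteDacl|WriteOwner|Owns|AddMember|ForceChangePassword|AllExtendedRights|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword*1..]->(g))
RETURN n.name AS principal,
       length(p) AS hops,
       [r IN relationships(p) | type(r)] AS edge_types
ORDER BY hops ASC, principal
LIMIT 25

// Query 2: Kerberoastable accounts (an SPN is set) that are members of a
// high-value group: the first service accounts whose passwords should be
// rotated to long random values or moved to managed service accounts.
MATCH (u:User {hasspn: true, enabled: true})-[:MemberOf*1..]->(g:Group {highvalue: true})
RETURN u.name AS kerberoastable_user,
       collect(DISTINCT g.name) AS high_value_groups
ORDER BY kerberoastable_user

// Query 3: accounts with Kerberos pre-authentication disabled (AS-REP
// roastable); re-enable pre-authentication unless there is a documented reason.
MATCH (u:User {dontreqpreauth: true, enabled: true})
RETURN u.name AS asrep_roastable_user
ORDER BY asrep_roastable_user
```

Query 1 deliberately restricts the traversal to the edge types listed so that a path made of nothing but Contains or GpLink edges is not reported as an attack path.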
Overall, I think BloodHound is very interesting. You can intuitively see the relationships between the hosts in the domain. However, it is after all an auxiliary tool; we still need to keep improving our skills and experience to analyze such results better.
Original link: https://www.teamssix.com/year/210226-190853.html
Reference link:
https://www.freebuf.com/sectool/179002.html
For more information, you are welcome to follow my WeChat official account: TeamsSix