Adam Katora
Setting up and Using BloodHound in Kali Linux

BloodHound is a tool for visualizing and identifying attack paths in Active Directory domains. Because AD is Windows-based, BloodHound's default ingestor, SharpHound, only runs on Windows. Fortunately, there are tools for Unix-like systems that let us work with BloodHound on Kali and other Linux machines.

It is important to note that you will need a set of valid domain credentials (a username and password) for the ingestor to run: BloodHound collects its data by querying LDAP and SMB as an authenticated domain user, not by exploiting anything.

I'll be working on a fresh Virtualbox install of Kali, version 2022.1-amd64.

BloodHound Quick Overview

BloodHound consists of two main parts:

  • an ingestor (collector) that enumerates Active Directory domain data, and
  • a GUI application that visualizes the relationships in the data the ingestor collected.

The GUI application itself is an Electron app backed by a Neo4j graph database.

Ingestors

On Kali Linux, the easiest way to get running with an ingestor is BloodHound.py, a Python port of SharpHound's collection logic. One caveat: the ingestor and the GUI must be the same major version, since the JSON output format changed between BloodHound 3 and 4 and the GUI will not import files written for a different major version.

Start by creating a new folder on your Desktop; I'm calling mine "BH_tut". This just helps keep all our working files organized. Then change directory into your newly created folder.

cd ~/Desktop
mkdir BH_tut && cd BH_tut

Setting up our Folders

Next, we'll need to grab the source code for the BloodHound.py ingestor from GitHub. In a web browser, open https://github.com/fox-it/BloodHound.py, click the green "Code" button and select the copy-to-clipboard icon from the dropdown.

Get the link from Github

Back in your terminal, run the following command from within the "BH_tut" folder to clone the source files to your local machine.

git clone https://github.com/fox-it/BloodHound.py

Copy Repo to Local

Change directory into the newly downloaded, BloodHound.py folder.

cd BloodHound.py

Note: Typically, I'd recommend spinning up a new Python virtual environment and installing BloodHound.py and its dependencies into the venv rather than into the system Python. However, as of Kali 2022.1 (maybe even earlier, I haven't tested any others) all the Python packages required to run BloodHound.py are pre-installed in the system Python.

If you follow along with the DBCreator section later on, we will end up needing to create a venv there.


You can confirm that BloodHound.py is working by running:

./bloodhound.py

Without supplying any options to the program, you should just see the banner printed with all the available flags and options.

Confirm BloodHound.py is working

With that up and running, we can focus on enumerating our AD Domain. It's time to get some data, or as I like to call it, release the hounds!
Release the Hounds!

Here's an example of how you'd run bloodhound.py against an Active Directory domain.

./bloodhound.py -c All -u [username] -p [password] -dc [domain controller domain name] -d [domain name] -ns [nameserver ip] 

Flags:

  • Collection method: '-c'
    • Set to All to collect everything BloodHound.py can grab. Note that All includes session and logged-on user collection, which connects to every computer in the domain and is correspondingly noisy; DCOnly queries only the domain controller if you need a quieter run.
  • Username: '-u'
    • The username of an active user account in this Active Directory domain
  • Password: '-p'
    • The password for the above user account
  • Domain Controller (hostname, not IP): '-dc'
    • The DNS hostname of a domain controller, for example dc01.corp.local. bloodhound.py connects and authenticates to the DC by name, so supplying only its IP address won't work.
  • Domain (domain name, not IP): '-d'
    • The DNS name of the Active Directory domain (corp.local in the above example)
  • Name Server (IP address): '-ns'
    • The IP of a DNS server that can resolve the names given to -dc and -d. On an engagement this is normally the DC itself, since your Kali box's default resolver knows nothing about the internal domain.

I ran my bloodhound.py on a HackTheBox machine I was working on, it's a retired box, but I still kept some info redacted to avoid any spoilers.

Here's roughly what your directory will look like after successfully enumerating an AD domain.

Running Bloodhound.py

As you can see, a separate .json file has been created for each category of object (users, groups, computers, domains, and so on) that bloodhound.py was able to enumerate.
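Those .json files are plain data, so you don't have to wait for the GUI to get value out of them. The script below is an added example for this write-up, not code from BloodHound.py or BloodHound: it assumes the BloodHound v4 JSON layout that bloodhound.py writes (one file per object type, each a dict with a "data" list and a "meta" dict carrying type, count and version), checks that the format version matches the GUI you'll install, counts objects per type so you can confirm a later import lost nothing, and pulls out the two classic quick wins, Kerberoastable and AS-REP roastable users. SAMPLE_USERS is constructed for the example and describes no real domain.

```python
"""Summarise bloodhound.py output without the GUI.

Added example for this write-up, not code from BloodHound.py or BloodHound.
Assumes the BloodHound v4 JSON layout: one file per object type, each a dict
with a "data" list and a "meta" dict (type, count, version). SAMPLE_USERS is
constructed for the example and describes no real domain.
"""
import json
from pathlib import Path

GUI_MAJOR_VERSION = 4  # the BloodHound release this walkthrough installs

# Constructed stand-in for a users.json file; real output carries many more
# properties per object, but these are the ones the quick checks below use.
SAMPLE_USERS = {
    "data": [
        {"ObjectIdentifier": "S-1-5-21-1-1-1-1105",
         "Properties": {"name": "SVC_SQL@CORP.LOCAL", "enabled": True,
                        "hasspn": True, "dontreqpreauth": False}},
        {"ObjectIdentifier": "S-1-5-21-1-1-1-1106",
         "Properties": {"name": "J.DOE@CORP.LOCAL", "enabled": True,
                        "hasspn": False, "dontreqpreauth": True}},
        {"ObjectIdentifier": "S-1-5-21-1-1-1-500",
         "Properties": {"name": "ADMINISTRATOR@CORP.LOCAL", "enabled": True,
                        "hasspn": False, "dontreqpreauth": False}},
        {"ObjectIdentifier": "S-1-5-21-1-1-1-1107",
         "Properties": {"name": "OLD_SVC@CORP.LOCAL", "enabled": False,
                        "hasspn": True, "dontreqpreauth": False}},
    ],
    "meta": {"methods": 0, "type": "users", "count": 4, "version": 4},
}


def check_version(doc, expected=GUI_MAJOR_VERSION):
    """Fail early when the collector's format does not match the GUI's major
    version; a mismatch is the usual cause of an import that errors out or
    loads an empty graph."""
    version = doc.get("meta", {}).get("version")
    if version != expected:
        raise ValueError(f"ingestor wrote format version {version}, "
                         f"GUI expects {expected}")
    return version


def quick_wins(doc):
    """Return (kerberoastable, asrep_roastable) user names from a users
    document. Disabled accounts are skipped, as BloodHound's own pre-built
    queries do."""
    check_version(doc)
    kerberoastable, asrep = [], []
    for obj in doc["data"]:
        props = obj["Properties"]
        if not props.get("enabled"):
            continue
        if props.get("hasspn"):
            kerberoastable.append(props["name"])
        if props.get("dontreqpreauth"):
            asrep.append(props["name"])
    return sorted(kerberoastable), sorted(asrep)


def summarise(docs):
    """Count objects per collection type: the numbers the GUI's Database Info
    tab shows after import, so you can confirm the upload lost nothing."""
    return {doc["meta"]["type"]: doc["meta"]["count"] for doc in docs}


def load_directory(path):
    """Yield every *.json document in a bloodhound.py output directory."""
    for f in sorted(Path(path).glob("*.json")):
        with f.open() as fh:
            yield json.load(fh)


if __name__ == "__main__":
    import sys
    # Pass the bloodhound.py output directory as the first argument, or run
    # with no arguments to work on the constructed sample.
    docs = list(load_directory(sys.argv[1])) if len(sys.argv) > 1 else [SAMPLE_USERS]
    print("objects per type:", summarise(docs))
    for doc in docs:
        if doc["meta"]["type"] == "users":
            spn, asrep = quick_wins(doc)
            print("kerberoastable:", spn)
            print("AS-REP roastable:", asrep)
```

Run it as `python3 bh_summary.py ~/Desktop/BH_tut/BloodHound.py` (or whatever directory holds your output) to get the per-type counts before importing; if the counts the GUI shows afterwards are lower, the upload dropped files.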


Generating Sample data w/ DBCreator


NOTE: This section shows how to generate sample data, but it also covers installing Neo4j, which is required to run BloodHound regardless. If you already collected data with an ingestor, feel free to skip ahead to the point where I've written "Neo4j Installation", but make sure you install Neo4j on your Kali machine.


If you don't currently have an AD Domain you can run bloodhound.py in, no worries, we can use BloodHound Database Creator to generate some sample data.

Start by going to the BloodHound-Tools GitHub repo and grabbing the clone link as we did above for BloodHound.py.

Then, clone that repo into the "BH_tut" folder.

git clone https://github.com/BloodHoundAD/BloodHound-Tools

Once that finishes downloading, change directory into the "BloodHound-Tools" directory and then into the "DBCreator" directory inside it.

cd BloodHound-Tools
cd DBCreator

Now we will create a new Python venv to install the DBCreator dependencies, as these aren't all in the default system Python.

Ensure that the venv module is installed on your Kali machine by running

sudo apt update
sudo apt install python3 python3-venv

With that installed, create the new venv by running:

python3 -m venv venv

Then, activate the venv by running:

source venv/bin/activate

Then install the dependencies for DBCreator by running:

pip install -r requirements.txt

NOTE: I hit an issue running the DBCreator.py generate command. According to the BloodHound-Tools github issues, it seems as if I wasn't the only one.

The workaround I found was to download this updated DBCreator.py file, and replace the existing DBCreator.py file with that new one.

After swapping out those files I was able to successfully run the generate command from DBCreator.


DBCreator is now installed, but we still need a Neo4j instance running for the generator to save our sample data to.

Neo4j Installation

Install neo4j from the apt repository with:

sudo apt install neo4j

Installing Neo4j

After installation completes, start neo4j with the following command:

sudo neo4j console

Starting Neo4j

Then navigate to http://localhost:7474 in a browser and log in with the default credentials. Neo4j listens only on localhost by default; keep it that way, because once an ingestor's output is loaded this database holds a complete map of the domain you're assessing.

username: neo4j 
password: neo4j

Neo4j First Login

After you've successfully logged in with the default credentials, you'll be prompted to change the password. I've opted to go with kalilinux for the new password.

Neo4j Change Password

Return to the terminal that you installed DBCreator in. Ensure that the venv is activated (that's the venv/bin/activate command), then run:

python DBCreator.py

You'll see a banner "BloodHound Sample Database Creator" and (CMD) appear at the bottom of the terminal. This is where we can set the neo4j configuration options. Type the following command:

dbconfig

You'll be prompted for the DB URL; the default value should work, so hit enter.

For DB Username, `neo4j`, the default is correct.  

For DB Password, supply the new password we created, `kalilinux`.

And finally, No, to "Use encryption".

![Running DBCreator](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/3ednd5wk1yvciaz4vz9l.jpg)

After hitting "enter" you should see a message "Database Connection Successful!", after which, you can run the command `generate`. (If you hit an error with generate don't forget the updated DBCreator.py file from above)

![Running the DBCreator Generate Command](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/iiatxblrosp0qc7imx66.jpg)

Now our neo4j database is seeded with sample data and we're ready to install the BloodHound GUI app.

___

## Installing BloodHound w/ Pre-Compiled Binaries  

**Note: Don't install the version of BloodHound from the apt repository. It's not maintained by the BloodHound dev team and as such might be out of date.**

Navigate to the [BloodHound Github Repo](https://github.com/BloodHoundAD/BloodHound) at [https://github.com/BloodHoundAD/BloodHound](https://github.com/BloodHoundAD/BloodHound). On the right-hand sidebar, you should see a heading titled "Releases". Immediately below that should be the latest release available. Click to navigate to the binaries page for that.  

Scroll down to the "Assets" list where you should see a zip download for Linux x64. Download that zip to your Kali machine.

Move or copy the downloaded file from your Downloads folder to our BH_tut folder on the Desktop.

______
**NOTE:** For this write-up, I'm just installing BloodHound in our BH_tut folder. In the real-world, you should install programs such as this into the Linux /opt directory, ie /opt/BloodHound.
______



```bash
cp ~/Downloads/BloodHound-linux-x64.zip ~/Desktop/BH_tut/BloodHound-linux-x64.zip
```

Then, from the BH_tut directory, unzip the file and, once it has finished unzipping, change into the newly created directory.

unzip BloodHound-linux-x64.zip
cd BloodHound-linux-x64

Ensure that the 'BloodHound' file is executable. The unzipped files are owned by your user, so no sudo is needed, and execute permission for yourself is all it requires:

chmod +x BloodHound

Then run the program with:

./BloodHound

You'll see the BloodHound login screen and be prompted to supply the neo4j credentials that we created earlier. We kept our username the default at neo4j, and set the password to kalilinux.

BloodHound First Login

If you followed along with the DBCreator setup, once logged in you should see a data graph with your sample data loaded up. To view some of the pre-built analysis queries, click "Search Node" dropdown, then "Analysis" tab, then choose one of the pre-built queries to view.

DBCreator Sample Data

If you used an ingestor to get your data, we still have one more step to load up the data into our neo4j database.

Navigate back to your BloodHound.py folder and find the .json files that were created earlier. With the BloodHound application window open, click and drag the .json files into BloodHound (hold Ctrl to select multiple files). If you ran bloodhound.py with its --zip flag, the output is bundled into a single zip archive, which BloodHound accepts the same way.

You'll see an uploads progress window. Once all of the uploads reach 100% upload completion, feel free to close the window. If you click the "Search for a node" toggle dropdown, then the analysis tab, the pre-built queries should work for however much data your ingestor was able to find.

Ingestor Data
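The pre-built queries mentioned above (with the DBCreator sample data and again with ingestor data) are Cypher queries over the graph; "Find all Domain Admins", for instance, follows MemberOf edges through any depth of nested groups. The same traversal can be done directly over the groups.json the ingestor wrote, which is handy for a sanity check or when the GUI isn't available. This is an added example for this write-up, not code from BloodHound or BloodHound.py. It assumes the v4 groups.json layout, where each group carries a Members list of SIDs with their object type; the group names, SIDs and memberships are constructed, including a deliberate group cycle to show the walk terminates.

```python
"""Walk nested group membership the way BloodHound's "Find all Domain Admins"
query does, straight from ingestor JSON.

Added example for this write-up, not code from BloodHound or BloodHound.py.
Assumes the v4 groups.json layout (each group lists its direct Members by SID
and ObjectType). Names, SIDs and memberships below are constructed.
"""
from collections import deque

# Constructed stand-in for groups.json. HELPDESK is a member of IT OPS and
# IT OPS a member of HELPDESK: a cycle that a naive recursive walk would loop on.
SAMPLE_GROUPS = {
    "data": [
        {"ObjectIdentifier": "S-1-5-21-1-1-1-512",
         "Properties": {"name": "DOMAIN ADMINS@CORP.LOCAL"},
         "Members": [
             {"ObjectIdentifier": "S-1-5-21-1-1-1-500", "ObjectType": "User"},
             {"ObjectIdentifier": "S-1-5-21-1-1-1-1201", "ObjectType": "Group"},
         ]},
        {"ObjectIdentifier": "S-1-5-21-1-1-1-1201",
         "Properties": {"name": "IT OPS@CORP.LOCAL"},
         "Members": [
             {"ObjectIdentifier": "S-1-5-21-1-1-1-1202", "ObjectType": "Group"},
             {"ObjectIdentifier": "S-1-5-21-1-1-1-1106", "ObjectType": "User"},
         ]},
        {"ObjectIdentifier": "S-1-5-21-1-1-1-1202",
         "Properties": {"name": "HELPDESK@CORP.LOCAL"},
         "Members": [
             {"ObjectIdentifier": "S-1-5-21-1-1-1-1107", "ObjectType": "User"},
             {"ObjectIdentifier": "S-1-5-21-1-1-1-1201", "ObjectType": "Group"},
         ]},
        {"ObjectIdentifier": "S-1-5-21-1-1-1-1203",
         "Properties": {"name": "MARKETING@CORP.LOCAL"},
         "Members": [
             {"ObjectIdentifier": "S-1-5-21-1-1-1-1108", "ObjectType": "User"},
         ]},
    ],
    "meta": {"methods": 0, "type": "groups", "count": 4, "version": 4},
}

# Constructed SID -> name lookup, the part of users.json this example needs.
SAMPLE_USER_NAMES = {
    "S-1-5-21-1-1-1-500": "ADMINISTRATOR@CORP.LOCAL",
    "S-1-5-21-1-1-1-1106": "J.DOE@CORP.LOCAL",
    "S-1-5-21-1-1-1-1107": "OLD_SVC@CORP.LOCAL",
    "S-1-5-21-1-1-1-1108": "M.SMITH@CORP.LOCAL",
}


def build_membership(groups_doc):
    """Map each group SID to its direct (member SID, type) pairs, plus a
    SID -> group name lookup."""
    members, names = {}, {}
    for group in groups_doc["data"]:
        sid = group["ObjectIdentifier"]
        names[sid] = group["Properties"]["name"]
        members[sid] = [(m["ObjectIdentifier"], m["ObjectType"])
                        for m in group.get("Members", [])]
    return members, names


def effective_members(groups_doc, target_name, user_names):
    """Return {user name: group chain} for every user that is a member of
    target_name directly or through nested groups (MemberOf*1.. in Cypher).
    Breadth-first, so the recorded chain is a shortest one, and a visited set
    stops group cycles from looping."""
    members, group_names = build_membership(groups_doc)
    sid_by_name = {name: sid for sid, name in group_names.items()}
    start = sid_by_name[target_name]
    found, seen = {}, {start}
    queue = deque([(start, [target_name])])
    while queue:
        gid, chain = queue.popleft()
        for sid, otype in members.get(gid, []):
            if otype == "Group":
                if sid not in seen:          # cycle guard
                    seen.add(sid)
                    queue.append((sid, chain + [group_names.get(sid, sid)]))
            elif otype == "User":
                found.setdefault(user_names.get(sid, sid), chain)
    return {name: found[name] for name in sorted(found)}


if __name__ == "__main__":
    for user, chain in effective_members(
            SAMPLE_GROUPS, "DOMAIN ADMINS@CORP.LOCAL", SAMPLE_USER_NAMES).items():
        print(f"{user}  via  {' -> '.join(chain)}")
```

On real output, build the user_names lookup from users.json (ObjectIdentifier to Properties.name) and pass the groups document in; the chain printed for each user is the same path the GUI would draw when you click through the Domain Admins node.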

This walkthrough is certainly only scratching the surface of what's possible with BloodHound. I myself am looking forward to digging into the Analysis queries in more depth, and depending on what I learn, hopefully write a follow-up on that. Hopefully, this is able to help new pentesters looking to get started with AD & BloodHound though.
