Bloodhound
Tool to enumerate an Active Directory Domain.
Uses the Cypher query language to retrieve information;
Uses collectors (to be run on the Windows target host, or remotely on Linux);
Uses graph theory and runs on top of the Neo4J database;
Gives a visual representation of the Active Directory objects and how these objects are interrelated;
Gives a visual inspection of attack paths and the relationships between objects;
Requires a domain user account (it does not need to be privileged).
Official GitHub repo where we can get the BloodHound binary.
Neo4J
BloodHound requires the Neo4J database to work. On Windows, the easiest solution is to pull the Neo4J image from Docker Hub and run the database in a Docker container.
BloodHound Ingestors
SharpHound is the BloodHound data collector to be run from a Windows system. Download the SharpHound binary from the GitHub repo below.
BloodHound.py can also be used to collect data remotely from a Linux system.
In a Linux terminal run:
In another terminal run:
Then upload the resulting .zip file into BloodHound.
Custom Queries
BloodHound lets us create custom queries in the Cypher language and save them for later use.
Queries
BloodHound allows us to run many queries. When clicking on a user, pay attention to Outbound Object Control: it adds to the graph every object that the user has permissions and rights over.
A cheat sheet of some queries that can be run from the Neo4J console.
Query to enumerate certificate templates
Query to enumerate who can PSRemote on a target system
Query to enumerate SQL Admin rights
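Two audit queries for the PSRemote and SQL Admin entries above, added here as an example (they are not the original page's queries). They assume the standard BloodHound/SharpHound schema (node labels User, Computer, Group; edge types MemberOf, CanPSRemote, SQLAdmin); SRV01.CORP.LOCAL and DOMAIN ADMINS@CORP.LOCAL are placeholder names to replace with your own domain, and the goal is to review whether each grant is still justified.

```cypher
// Added example, not from the original page. Assumes the default BloodHound
// schema; node names are stored upper-case ("ALICE@CORP.LOCAL").
// SRV01.CORP.LOCAL and DOMAIN ADMINS@CORP.LOCAL are placeholders.

// 1. Who can PSRemote to a given computer, directly or via group membership?
//    groupHops = 0 means the right is granted to the user directly; otherwise
//    grantedVia names the group that actually holds the CanPSRemote edge.
MATCH p = (u:User)-[:MemberOf*0..]->(g)-[:CanPSRemote]->(c:Computer {name: "SRV01.CORP.LOCAL"})
RETURN DISTINCT u.name AS user,
       g.name AS grantedVia,
       length(p) - 1 AS groupHops
ORDER BY groupHops, user;

// 2. Which users hold SQLAdmin rights on which hosts, excluding members of
//    Domain Admins? Every remaining row is a standing high privilege that
//    should be justified or removed.
MATCH (u:User)-[:MemberOf*0..]->(g)-[:SQLAdmin]->(c:Computer)
WHERE NOT (u)-[:MemberOf*1..]->(:Group {name: "DOMAIN ADMINS@CORP.LOCAL"})
RETURN u.name AS user,
       collect(DISTINCT c.name) AS sqlHosts
ORDER BY size(sqlHosts) DESC;
```

Run each statement separately in the Neo4J browser; on large domains cap the variable-length `MemberOf*0..` pattern (for example `*0..5`) to keep the query fast.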