HackMD
Active Directory Recognition with BloodHound
tags: AD ActiveDirectory Recon Privesc BloodHound LDAP Queries
Bloodhound is an application that uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment to make the privilege escalation paths more easy to recon.
Attackers use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify.
Blue Teams can use it too for identify and eliminate those same attack paths.
Installing BloodHound
Install BloodHound is a 3 step process, first install bloodhound GUI, then the Neo4j service for the graph database and last is to install the data ingestor.
To install BloodHound in kali is as simple as type the following command on terminal and enter:
sudo apt install bloodhound -y
After installing it we have to configure neo4j for changing default passwords, to do this type:
sudo neo4j console
After run the command we have to a web browser and paste the following URL:
Connect to the database and change the password:
Now its time to start bloodhound typing bloodhound on a terminal and enter the credentials:
After that you should see this page:
To fill the BloodHound we have to install the bloodhound ingestor, we are gonna install it with pip3.
pip3 install bloodhound
Start using Bloodhound
With the Bloodhound tool runing on our attacker machine we have to collect some data. To do it that we have two methods.
Local Data Ingestor
The first method is to use SharpHound in a machine connected to Domain, execute the Sharphound ingestor that you can found in exe or ps1 format in this web, then the program is going to creates a zip with the Bloodhound name in it.
To use it with powershell , we import the modules from the ps1 script , and use it with the following commands, have in mind that this is useful if we cannot run a executable on the target machine.
powershell -ep bypass
Import-Module .\SharpHound.ps1
Invoke-Bloodhound -CollectMethod All
But in this case we are gonna use python Bloodhound that we just installed using pip3 and let's extract the data from the Domain.
In my case i have to go to the /home/kali/.local/bin directory to execute the program.
bloodhound-python -u Administrador -p Ba66age0 -ns 192.168.1.200 -d ALPHA.local -c All
And you should receive a response with the info like this:
This response will generate some json files with the computers, domains, groups and users info that you have to drag to the bloodhound GUI.
Once you drag it to the BloodHound GUI you should see this status window.
Now you have to go to the top left burger menu go to analysis, and select some analysis, to start using bloodhound, the way to look to Domain Admins is in the Shortest Paths and as an example click on Find Shortest Paths to Domain Admins an see the results.
In my lab the results are some Administrator Groups, the Administrator user and a Service Account that is an Administrator account too. This is only one from a lot of types of queries that has built-in ,can be used to enumerate with BloodHound.
If you want to clear the database you have to open the burguer menu at the top left and go to Database Info, scroll down and click on Clear Database to do it.
First Steps with Queries
The first to understand is how is formed the queries, mainly we have two instructions, MATCH & RETURN.
MATCH will tell neo4j what to look for and RETURN indicates the results you want to see. We are going to show you some examples of how some basic queries could be done, so that you understand how it works and you can create your own complex queries depending on your needs.
This returns all the nodes from the db:
MATCH (X) RETURN X
This returns all users from the db:
MATCH (X:User) RETURN X
Now we are going to make a query to search for users that we will assign to the variable U , then we will search for members of the administrators group and finally we will return the users that belong to the administrators group:
MATCH (U:User)
MATCH (G:Group {name: "ADMINISTRADOR@ALPHA.LOCAL"})
MATCH (U)-[MemberOF]->(G)
RETURN U
There are fast ways to write the query like this:
MATCH (U:User)-[MemberOf]->(G:Group {name: "ADMINISTRADOR@ALPHA.LOCAL"})
RETURN U
Common queries on BloodHound
Node Queries
Let's show some examples of node queries:
Return the nodes in the pc with the name BRAVO:
MATCH (x:Computer {name: 'BRAVO'}) RETURN x
Returns computer nodes whose domain property is equal to 'ALPHA':
MATCH (x:Computer {domain: 'ALPHA'}) RETURN x
Same as the previous one, using the WHERE clause:
MATCH (X:Computer) WHERE x.domain = 'ALPHA' RETURN x
Returns all nodes that have a 'ThisProperty' property (value or not):
MATCH (n:User) WHERE exists(n.ThisProperty) RETURN n
Route Queries
All the shortest paths:
MATCH
(A:User {name: 'amason@ALPHA.LOCAL'}),
(B:Group {name: 'DOMAIN ADMINS@ALPHA.LOCAL'}),
x=allShortestPATHS((A)-[*1..]->(B))
RETURN x
It is possible to request all available paths, even the longest ones, if you remove shortestPath() or allShortestPaths() from your queries. However, this is risky, and your query could hang.
Be sure to specify at least one node name when you use it. Do not try this in a query Any to Any.
There a lot more content about this query language but with the previous examples you should be able to edit queries for most of what you need from the Bloodhound database.
Conclusion
BloodHound is a very powerful tool for the red team, as long as we use it with permission because the data ingestor seems to make a lot of noise and if we use it in a black box pentest surely the blue team will discover our attack. Also keep in mind that for the blue team this is a very good tool to discover security threats.
