# Active Directory Recognition with BloodHound
###### tags: `AD` `ActiveDirectory` `Recon` `Privesc` `BloodHound` `LDAP` `Queries`
Bloodhound is an application that uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment to make the privilege escalation paths more easy to recon.
Attackers use **BloodHound** to easily identify highly complex attack paths that would otherwise be impossible to quickly identify.
Blue Teams can use it too for identify and eliminate those same attack paths.
### Installing BloodHound
Install BloodHound is a 3 step process, first install bloodhound GUI, then the Neo4j service for the graph database and last is to install the data ingestor.
To install BloodHound in kali is as simple as type the following command on terminal and enter:
```bash
sudo apt install bloodhound -y
```
After installing it we have to configure neo4j for changing default passwords, to do this type:
>sudo neo4j console
After run the command we have to a web browser and paste the following URL:
> http://localhost:7474/
Connect to the database and change the password:
Now its time to start bloodhound typing *bloodhound* on a terminal and enter the credentials:
After that you should see this page:
To fill the BloodHound we have to install the bloodhound ingestor, we are gonna install it with pip3.
```bash
pip3 install bloodhound
```
## Start using Bloodhound
With the Bloodhound tool runing on our attacker machine we have to collect some data. To do it that we have two methods.
### Local Data Ingestor
The first method is to use SharpHound in a machine connected to Domain, execute the Sharphound ingestor that you can found in exe or ps1 format in this [web](https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors), then the program is going to creates a zip with the Bloodhound name in it.
To use it with powershell , we import the modules from the ps1 script , and use it with the following commands, have in mind that this is useful if we cannot run a executable on the target machine.
>powershell -ep bypass
>Import-Module .\SharpHound.ps1
>Invoke-Bloodhound -CollectMethod All
---
But in this case we are gonna use python Bloodhound that we just installed using pip3 and let's extract the data from the Domain.
In my case i have to go to the */home/kali/.local/bin* directory to execute the program.
```bash
bloodhound-python -u Administrador -p Ba66age0 -ns 192.168.1.200 -d ALPHA.local -c All
```
And you should receive a response with the info like this:
This response will generate some json files with the computers, domains, groups and users info that you have to drag to the bloodhound GUI.
Once you drag it to the BloodHound GUI you should see this status window.
Now you have to go to the top left burger menu go to analysis, and select some analysis, to start using bloodhound, the way to look to Domain Admins is in the *Shortest Paths* and as an example click on **Find Shortest Paths to Domain Admins** an see the results.
In my lab the results are some Administrator Groups, the Administrator user and a Service Account that is an Administrator account too. This is only one from a lot of types of queries that has built-in ,can be used to enumerate with BloodHound.
If you want to clear the database you have to open the burguer menu at the top left and go to Database Info, scroll down and click on Clear Database to do it.
## First Steps with Queries
The first to understand is how is formed the queries, mainly we have two instructions, **MATCH** & **RETURN**.
**MATCH** will tell neo4j what to look for and **RETURN** indicates the results you want to see. We are going to show you some examples of how some basic queries could be done, so that you understand how it works and you can create your own complex queries depending on your needs.
This returns all the nodes from the db:
```neo
MATCH (X) RETURN X
```
This returns all users from the db:
```neo
MATCH (X:User) RETURN X
```
Now we are going to make a query to search for users that we will assign to the variable U , then we will search for members of the administrators group and finally we will return the users that belong to the administrators group:
```neo
MATCH (U:User)
MATCH (G:Group {name: "ADMINISTRADOR@ALPHA.LOCAL"})
MATCH (U)-[MemberOF]->(G)
RETURN U
```
There are fast ways to write the query like this:
```neo
MATCH (U:User)-[MemberOf]->(G:Group {name: "ADMINISTRADOR@ALPHA.LOCAL"})
RETURN U
```
### Common queries on BloodHound
#### Node Queries
Let's show some examples of node queries:
Return the nodes in the pc with the name BRAVO:
```neo
MATCH (x:Computer {name: 'BRAVO'}) RETURN x
```
Returns computer nodes whose domain property is equal to 'ALPHA':
```neo
MATCH (x:Computer {domain: 'ALPHA'}) RETURN x
```
Same as the previous one, using the WHERE clause:
```neo
MATCH (X:Computer) WHERE x.domain = 'ALPHA' RETURN x
```
Returns all nodes that have a 'ThisProperty' property (value or not):
```neo
MATCH (n:User) WHERE exists(n.ThisProperty) RETURN n
```
#### Route Queries
All the shortest paths:
```neo
MATCH
(A:User {name: 'amason@ALPHA.LOCAL'}),
(B:Group {name: 'DOMAIN ADMINS@ALPHA.LOCAL'}),
x=allShortestPATHS((A)-[*1..]->(B))
RETURN x
```
It is possible to request all available paths, even the longest ones, if you remove shortestPath() or allShortestPaths() from your queries. However, this is risky, and your query could hang.
Be sure to specify at least one node name when you use it. Do not try this in a query Any to Any.
There a lot more content about this query language but with the previous examples you should be able to edit queries for most of what you need from the Bloodhound database.
## Conclusion
BloodHound is a very powerful tool for the red team, as long as we use it with permission because the data ingestor seems to make a lot of noise and if we use it in a black box pentest surely the blue team will discover our attack. Also keep in mind that for the blue team this is a very good tool to discover security threats.
Sign in with Wallet
Connect another wallet