Bloodhound

Setup and Install

  • Install: sudo apt install bloodhound

  • Launch neo4j for Setup: neo4j console

  • Open the link provided by neo4j, connect with default creds: neo4j:neo4j

  • Change the password

  • From the console launch bloodhound

  • Connect with the creds you just set up in neo4j

  • Note: Sometimes BloodHound will not process uploaded files properly (usually because the ingestor and the GUI versions do not match). Downloading a previous version of the GUI can solve this; version 4.1.0 usually does the trick for me.

Grabbing Data to feed Bloodhound

  • Download and set up an ingestor: for PowerShell this is Invoke-BloodHound (SharpHound.ps1); the C# equivalent is SharpHound.exe

  • Put SharpHound on your target machine

  • From a cmd prompt on the target, start PowerShell with the execution policy bypassed: powershell -ep bypass

  • Dot-source SharpHound so its functions are loaded: . .\SharpHound.ps1

  • Now we can run Invoke-BloodHound to collect data: Invoke-BloodHound -CollectionMethod All -Domain DOMAIN.local -ZipFilename data.zip

  • Copy the zip file to your attacking machine

  • Click on Upload Data and double-click the zip file

  • In Analysis we can now click to Find all Domains

  • We can also find the shortest path to the domain admins

  • We want to find boxes where a domain admin is logged in.

  • Transfer data to and from the target host with RDP drive redirection: xfreerdp /v:IP /u:user /drive:data,/tmp (the local /tmp directory is exposed on the target as a share named data)

Grab Data with Sharphound.exe through a Covenant grunt

  • Upload SharpHound.exe with the Covenant upload command

  • Launch it from the grunt: shell sharphound.exe -c all

  • Once it's done, copy the file name of the generated zip

  • Retrieve it with the Covenant download command

  • Once the download finishes, click on the file name: a pop-up opens and lets you choose where to save the file

Bloodhound Python

  • Note: slower than the PowerShell and C# ingestors, but it runs from Linux without touching a domain host

  • Requirements: the impacket toolkit, ldap3 and dnspython

  • pip install bloodhound

  • From a Linux box that is not joined to the domain:

    • Edit /etc/resolv.conf so the domain controller is used as DNS server (the glibc resolver only honours the last domain directive, so keep a single one):

      # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
      #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
      # 127.0.0.53 is the systemd-resolved stub resolver.
      # run "systemd-resolve --status" to see details about the actual nameservers.

      domain domain.local
      search domain.local
      # IP-ADR is the IP address of the domain controller
      nameserver IP-ADR
  • Collect with: bloodhound-python -dc domain-controller.domain.local -gc domain-controller.domain.local -d domain.local -c All -u first.last -p password (-dc the domain controller, -gc the global catalog server, -d the domain, -c the collection method, -u/-p the domain credentials used for enumeration)

Analyzing data

  • Check out the Domain Users group and see the rights it has, since every domain account inherits them

  • Click on the pathfinding button and enter the domain to see if we have any direct paths to Domain Admin for all users

  • Run some of the Pre-Built Analytics Queries to find additional interesting information

    • Obtain a list of all Domain Admins

    • Look at the Find Shortest Paths to Domain Admins query

    • Find Principals with DCSync Rights: Find accounts that can perform the DCSync attack, which will be covered in a later module.

    • Users with Foreign Domain Group Membership: Find users that belong to groups in other domains. This can help mount cross-trust attacks.

    • Groups with Foreign Domain Group Membership: Find groups that are part of groups in other domains. This can help mount cross-trust attacks.

    • Map Domain Trusts: Find all trust relationships with the current domain.

    • Shortest Paths to Unconstrained Delegation Systems: Find the shortest path to hosts with Unconstrained Delegation.

    • Shortest Paths from Kerberoastable Users: Show the shortest path to Domain Admins by selecting, from a dropdown of all users, one that can be subjected to a Kerberoasting attack.

    • Shortest Path from Owned Principals: If we right-click a node and select Mark user as owned or Mark computer as owned, we can then run this query to see how far we can go from any users/computers that we have marked as "owned". This can be very useful for mounting further attacks.

    • Shortest Paths to Domain Admins from Owned Principals: Find the shortest path to Domain Admin access from any user or computer marked as "owned".

    • Shortest Paths to High-Value Targets: This will give us the shortest path to any objects that BloodHound already considers a high-value target. It can also be used to find paths to any objects that we right-click on and select Mark X as High Value.

  • Look at GPOs as well (see the Enumerating Group Policy Objects (GPOs) section of the HTB Academy module)

  • In BloodHound, we can right-click on any edge and click on ? Help in the pop-up menu to get help on the specific edge, with various tabs:

    • Info: General overview of the edge and what type of access it grants.

    • Abuse Info: Specific tools/commands/techniques that can be used to abuse the privilege.

    • Opsec Considerations: Also documented on the BloodHound wiki. This provides info on how "noisy" a particular command can be and what type of event log ID it will generate.

    • References: Additional reading on tactics/tools/techniques that can be used to abuse the privilege.

Source: ACTIVE DIRECTORY BLOODHOUND on HTB Academy


Cypher Query Language for custom queries

Source: ACTIVE DIRECTORY BLOODHOUND on HTB Academy

Structure of query

  • MATCH (A)-[B]->(C) RETURN A,B,C: here A and C are nodes and B is the relationship (edge) between A and C; the arrow gives the direction of the relationship

  • MATCH (n:User),(m:Group) MATCH p=(n)-[r:MemberOf*1..3]->(m) RETURN p: returns every path p of one to three MemberOf hops from a user to a group, i.e. nested group membership up to three levels deep

Most common Keywords

  • MATCH: Used before describing the search pattern for finding one or more nodes or relationships.

  • WHERE: Used to add more constraints to specific patterns or filter out unwanted patterns.

  • RETURN: Used to specify the results format and organize the resulting data. Results can be returned with specific properties, lists, ordering, etc.

  • CREATE and DELETE: Used to create and delete nodes/relationships.

  • SET and REMOVE: Used to set values on properties and add labels to nodes.

  • MERGE: Used to create nodes uniquely, without any duplicates.

Example of query

  • MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p: Find the members of all groups deemed to be "high-value targets".

  • MATCH (u:User) WHERE ANY (x IN u.serviceprincipalnames WHERE toUpper(x) CONTAINS 'SQL') RETURN u: Find users with a keyword in their Service Principal Name (SPN).

  • MATCH (u:User {dontreqpreauth: true}) RETURN u: Find users who do not require Kerberos pre-authentication.

  • MATCH (u:User) WHERE u.description IS NOT NULL RETURN u.name,u.description: Find all users with a description field that is not blank.

Edge relationships in Bloodhound

  • MemberOf: One node (user, group, or computer) is a member of a second node (group)

  • AdminTo: One node (user, group, or computer) has local admin rights on a second node (computer)

  • HasSession: One node (user) has a session on a second node (computer)

  • TrustedBy: One node (domain) is trusted by a second node (domain)
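The pre-built "Shortest Paths to Domain Admins from Owned Principals" query and the MemberOf*1.. pattern above are both graph searches over the edges just listed. The following added example (not code from the page, from BloodHound or from HTB Academy) models a tiny constructed graph with the same node and edge names and answers the same two questions in Python, which is handy for understanding what the Cypher returns and for prioritising which membership or session to remediate first. All principal names are made up.

```python
from collections import deque

# Constructed sample graph of (source, edge type, target). All names are made up.
# HasSession is stored computer -> user, the direction BloodHound traverses it.
EDGES = [
    ("BARBARA.REID@DOMAIN.LOCAL", "MemberOf", "IT SUPPORT@DOMAIN.LOCAL"),
    ("IT SUPPORT@DOMAIN.LOCAL", "AdminTo", "WS01.DOMAIN.LOCAL"),
    ("WS01.DOMAIN.LOCAL", "HasSession", "T2_MELANIE.DAVIES@DOMAIN.LOCAL"),
    ("T2_MELANIE.DAVIES@DOMAIN.LOCAL", "MemberOf", "TIER 2 ADMINS@DOMAIN.LOCAL"),
    ("TIER 2 ADMINS@DOMAIN.LOCAL", "MemberOf", "DOMAIN ADMINS@DOMAIN.LOCAL"),
    ("JOHN.DOE@DOMAIN.LOCAL", "MemberOf", "DOMAIN USERS@DOMAIN.LOCAL"),
]

def build_graph(edges):
    """Adjacency list: node -> list of (edge_type, neighbour)."""
    graph = {}
    for src, kind, dst in edges:
        graph.setdefault(src, []).append((kind, dst))
        graph.setdefault(dst, [])
    return graph

def shortest_path(graph, start, target):
    """BFS over outgoing edges, like the 'Shortest Paths ... from Owned
    Principals' query; returns [(src, edge_type, dst), ...] or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while parent[node] is not None:
                prev, kind = parent[node]
                hops.append((prev, kind, node))
                node = prev
            return hops[::-1]  # reorder from start to target
        for kind, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, kind)
                queue.append(nxt)
    return None

def transitive_groups(graph, principal):
    """Groups reachable through MemberOf*1.. (nested membership only)."""
    seen, stack = set(), [principal]
    while stack:
        for kind, nxt in graph.get(stack.pop(), []):
            if kind == "MemberOf" and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen
```

Running shortest_path on the sample graph shows the five-hop chain from BARBARA.REID to Domain Admins that passes through the WS01 session, while JOHN.DOE has no path at all.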

Exploiting ACEs

A significant number of ACEs can be misconfigured, and the exploit for each varies. The BloodHound documentation helps explain the enumerated ACEs and how they can be exploited.

  • ForceChangePassword: We have the ability to set the user's current password without knowing their current password.

  • AddMembers: We have the ability to add users (including our own account), groups or computers to the target group.

  • GenericAll: We have complete control over the object, including the ability to change the user's password, register an SPN or add an AD object to the target group.

  • GenericWrite: We can update any non-protected parameters of our target object. This could allow us to, for example, update the scriptPath parameter, which would cause a script to execute the next time the user logs on.

  • WriteOwner: We have the ability to update the owner of the target object. We could make ourselves the owner, allowing us to gain additional permissions over the object.

  • WriteDACL: We have the ability to write new ACEs to the target object's DACL. We could, for example, write an ACE that grants our account full control over the target object.

  • AllExtendedRights: We have the ability to perform any action associated with extended AD rights against the target object. This includes, for example, the ability to force change a user's password.

In order to exploit these ACEs, we will need a method to interact with AD to make these requests. The two best options for this are the AD-RSAT PowerShell cmdlets or PowerSploit. Depending on the breach and the detection tools in the environment, one option may be stealthier.

Source: Tryhackme

Examples

  • AddMembers: To exploit this we just need to add our user to the desired group using PowerShell: Add-ADGroupMember "IT Support" -Members "barbara.reid"

  • Check that it worked: Get-ADGroupMember -Identity "IT Support"

  • ForceChangePassword: Identify a member of the group whose password we want to change in order to take over their account: Get-ADGroupMember -Identity "Tier 2 Admins"

  • Then we can change the password. Note: it can take up to 10 minutes to take effect, and we might also need to disconnect and reconnect.

$Password = ConvertTo-SecureString "Newpassword1234!" -AsPlainText -Force 
Set-ADAccountPassword -Identity "t2_melanie.davies" -Reset -NewPassword $Password 

Other Tips Bloodhound

  • If we click on an edge in the graph and select Help, we get useful info about the specific edge selected. It is really worth having a look at the help and abuse info for more details and tips on ways of exploitation.
