# Bloodhound

## Setup and Install

* Install: `sudo apt install bloodhound`
* Launch neo4j for Setup: `neo4j console`
* Open the link provided by neo4j, connect with default creds: `neo4j:neo4j`
* Change the password
* From the console launch `bloodhound`
* Connect with the creds you just set up in neo4j
* **Note: Sometimes Bloodhound will not properly process files.**\
  **To solve this it can be useful to download a previous version.**\
  [**Here**](https://github.com/BloodHoundAD/BloodHound/releases/tag/4.1.0) **is version 4.1.0 that usually does the trick for me.**

## Grabbing Data to feed Bloodhound

* Download and set up an ingestor, for instance Invoke-BloodHound for PowerShell; we can use [SharpHound](https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1)
* Put SharpHound on the target machine
* From the cmd of your target run: `powershell -ep bypass`
* Run Sharphound: `. .\SharpHound.ps1`
* Now we can invoke-bloodhound to collect data: `Invoke-BloodHound -CollectionMethod All -Domain DOMAIN.local -ZipFilename data.zip`
* Copy the zip file to your attacking machine
* Click on Upload Data and double-click the zip file
* In Analysis we can now click Find all Domains
* We can also find the shortest path to the domain admins
* We want to find boxes where a domain admin is logged in.
* `xfreerdp /v:IP /u:user /drive:data,/tmp`: transfer data to and from the target host with drive redirection (the local `/tmp` is exposed to the session as a drive named `data`)

### Grab Data with Sharphound.exe through a Covenant grunt

* Upload SharpHound.exe with the `upload` command in Covenant
* Launch it using `shell sharphound.exe -c all`
* Once it's done, copy the file name of the generated zip
* Use the Covenant `download` command with that file name
* Once the download is done, click on the file name; a pop-up opens and lets you choose where to save the file

## Bloodhound Python

* *Note: slower than the PowerShell and C# ingestors*
* Requirements: impacket toolkit, ldap3, and dnspython
* `pip install bloodhound`
* From a Linux box that is not joined to the domain
  * Edit /etc/resolv.conf so that the target domain is used as search suffix and the domain controller answers DNS queries. glibc honours only the last `domain`/`search` line, so that line must name the target domain:

    ```
    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    # 127.0.0.53 is the systemd-resolved stub resolver.
    # run "systemd-resolve --status" to see details about the actual nameservers.

    # search suffix for unqualified names: the target AD domain
    search domain.local
    # IP-ADR is a placeholder for the IP address of the domain controller
    nameserver IP-ADR
    ```
* Run the collector, pointing `-dc` and `-gc` at the domain controller: `bloodhound-python -dc domain-controller.domain.local -gc domain-controller.domain.local -d domain.local -c All -u first.last -p password`

## Analyzing data

* Check out Domain Users group and see the rights it has
* Click on the pathfinding button and enter the domain to see if we have any direct paths to Domain Admin for all users
* Run some of the Pre-Built Analytics Queries to find additional interesting information
  * Obtain a list of all Domain Admins
  * Look at the `Find Shortest Paths to Domain Admins` query
  * `Find Principals with DCSync Rights` Find accounts that can perform the DCSync attack, which will be covered in a later module.
  * `Users with Foreign Domain Group Membership` Find users that belong to groups in other domains. This can help mount cross-trust attacks.
  * `Groups with Foreign Domain Group Membership` Find groups that are part of groups in other domains. This can help mount cross-trust attacks.
  * `Map Domain Trusts` Find all trust relationships with the current domain.
  * `Shortest Paths to Unconstrained Delegation Systems` Find the shortest path to hosts with Unconstrained Delegation.
  * `Shortest Paths from Kerberoastable Users` Show the shortest path to Domain Admins by selecting from all users in a dropdown that can be subjected to a Kerberoasting attack.
  * `Shortest Path from Owned Principals` If we right-click a node and select `Mark user as owned` or `Mark computer as owned`, we can then run this query to see how far we can go from any users/computers that we have marked as "owned". This can be very useful for mounting further attacks.
  * `Shortest Paths to Domain Admins from Owned Principals` Find the shortest path to Domain Admin access from any user or computer marked as "owned".
  * `Shortest Paths to High-Value Targets` This will give us the shortest path to any objects that BloodHound already considers a high-value target. It can also be used to find paths to any objects that we right-click on and select Mark X as High Value.
* Look at GPOs as well (covered in the Enumerating Group Policy Objects (GPOs) section of the HTB module)
* In BloodHound, we can right-click on any edge and click on ? Help in the pop-up menu to get help on that specific edge, organised in tabs:
  * **Info**: General overview of the edge and what type of access it grants.
  * **Abuse Info**: Specific tools/commands/techniques that can be used to abuse the privilege.
  * **Opsec Considerations**: Also documented on the BloodHound wiki. This provides info on how "noisy" a particular command can be and what type of event log ID it will generate.
  * **References**: Additional reading on tactics/tools/techniques that can be used to abuse the privilege.

> [*Source: ACTIVE DIRECTORY BLOODHOUND on HTB Academy*](https://academy.hackthebox.com/course/preview/active-directory-bloodhound)

## Icons in Bloodhound

* This icon is used to represent a user:\
  ![User Icon](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-937c690f0204f78df1ef2cc47279028d3f21390d%2Fuser-icon.png?alt=media)
* This icon is used to represent a group:\
  ![Group Icon](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-4486faa27b7c33de730b92e84491b665aa1c98de%2FGroup-Icon.png?alt=media)
* This icon is used to represent a GPO:\
  ![GPO Icon](https://1679624655-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEkk28J0B2BeDMuesRMr1%2Fuploads%2Fgit-blob-efc8216898caaa52b6359f4369a7b0bf14b984e7%2FGPO-icon.png?alt=media)\
  we can click on it and check the Node Info

## Cypher Query Language for custom queries

> [*Source: ACTIVE DIRECTORY BLOODHOUND on HTB Academy*](https://academy.hackthebox.com/course/preview/active-directory-bloodhound)

### Structure of query

* `MATCH (A)-[B]->(C) RETURN A,B,C` Here A and C are nodes; B is the relationship between A and C
* `MATCH (n:User),(m:Group) MATCH p=(n)-[r:MemberOf*1..3]->(m) RETURN p` Return every path of one to three `MemberOf` hops from a user to a group (nested group membership)

### Most common Keywords

* `MATCH` - Used before describing the search pattern for finding one or more nodes or relationships.
* `WHERE` - Used to add more constraints to specific patterns or filter out unwanted patterns.
* `RETURN` - Used to specify the results format and organise the resulting data. Results can be returned with specific properties, lists, ordering, etc.
* `CREATE` and `DELETE` - Used to create and delete nodes/relationships.
* `SET` and `REMOVE` - Used to set or remove property values and labels on nodes.
* `MERGE` - Used to create nodes uniquely, without any duplicates.

### Example of query

* `MATCH p=(n:User)-[r:MemberOf*1..]->(m:Group {highvalue:true}) RETURN p` Find the members of all groups deemed to be "high-value targets."
* `MATCH (u:User) WHERE ANY (x IN u.serviceprincipalnames WHERE toUpper(x) CONTAINS 'SQL') RETURN u` Find users with a keyword in their Service Principal Name (SPN)
* `MATCH (u:User {dontreqpreauth: true}) RETURN u` Find users who do not require Kerberos pre-authentication
* `MATCH (u:User) WHERE u.description IS NOT NULL RETURN u.name,u.description` Find all users with a description field that is not blank

### Edge relationships in Bloodhound

* `MemberOf` One node (user, group, or computer) is a member of a second node (group)
* `AdminTo` One node (user, group, or computer) has local admin rights on a second node (computer)
* `HasSession` One node (computer) has a session of a second node (user) on it
* `TrustedBy` One node (domain) is trusted by a second node (domain)
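Combining the `MemberOf`, `HasSession` and `AdminTo` edges above, here is a custom query, added for this page rather than taken from the BloodHound project or the HTB module, that lists computers where a member of Domain Admins has a session together with every principal outside Domain Admins that is local admin there: these are the hosts where admin credentials are exposed and should be cleaned up first. It assumes BloodHound 3/4 data, where a group's `objectid` is its SID and `HasSession` points from the computer to the user.

```cypher
// Domain Admins is the group whose SID ends in RID 512 (avoids hard-coding
// the domain name). Paths with 1+ MemberOf hops catch nested membership.
MATCH (da:User)-[:MemberOf*1..]->(g:Group)
WHERE g.objectid ENDS WITH '-512'
WITH DISTINCT da, g
// Computers on which such a Domain Admin currently has a session
MATCH (c:Computer)-[:HasSession]->(da)
// Anyone with local admin on that computer who is not (directly or via
// nesting) a Domain Admin; MemberOf*0.. also excludes the DA group itself
OPTIONAL MATCH (x)-[:AdminTo]->(c)
WHERE NOT (x)-[:MemberOf*0..]->(g)
RETURN c.name AS computer,
       collect(DISTINCT da.name) AS domain_admins_logged_on,
       collect(DISTINCT x.name) AS other_local_admins
ORDER BY size(other_local_admins) DESC
```

Run it from the Raw Query bar at the bottom of the BloodHound window; a row with a non-empty `other_local_admins` list is a host where a Domain Admin session is reachable by lower-privileged accounts.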

## Exploiting ACEs

A significant number of ACEs can be misconfigured, and the exploits for each vary. The BloodHound documentation assists in explaining enumerated ACEs and how they can be exploited.

* **ForceChangePassword**: We have the ability to set the user's current password without knowing their current password.
* **AddMembers**: We have the ability to add users (including our own account), groups or computers to the target group.
* **GenericAll**: We have complete control over the object, including the ability to change the user's password, register an SPN or add an AD object to the target group.
* **GenericWrite**: We can update any non-protected parameters of our target object. This could allow us to, for example, update the scriptPath parameter, which would cause a script to execute the next time the user logs on.
* **WriteOwner**: We have the ability to update the owner of the target object. We could make ourselves the owner, allowing us to gain additional permissions over the object.
* **WriteDACL**: We have the ability to write new ACEs to the target object's DACL. We could, for example, write an ACE that grants our account full control over the target object.
* **AllExtendedRights**: We have the ability to perform any action associated with extended AD rights against the target object. This includes, for example, the ability to force change a user's password.

In order to exploit these ACEs, we will need a method to interact with AD to make these requests. The two best options for this are the AD-RSAT PowerShell cmdlets or PowerSploit.\
Depending on the breach and the detection tools in the environment, one option may be stealthier.

> *Source:* [*Tryhackme*](https://tryhackme.com/room/exploitingad)
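As an added example that ties the Cypher section above to the rights listed here (it is not from the HTB or THM material), this custom query lists every principal that is not itself high-value but holds one of these ACE rights directly on a high-value object; from a defender's view each row is an ACE to review and most likely remove. It assumes BloodHound 3/4 data where `highvalue` is a boolean node property; both spellings of the add-member edge appear in BloodHound material, so the alternation includes both (a relationship type that does not exist in the database simply matches nothing).

```cypher
// Direct (single-hop) dangerous ACE edges from the Exploiting ACEs list,
// ending on an object BloodHound marks as high value.
MATCH (n)-[r:ForceChangePassword|AddMember|AddMembers|GenericAll|GenericWrite|WriteOwner|WriteDacl|AllExtendedRights]->(m)
WHERE m.highvalue = true
  // coalesce() so principals without the property (null) are kept
  AND coalesce(n.highvalue, false) = false
RETURN n.name   AS principal,
       labels(n) AS principal_labels,
       type(r)  AS right,
       m.name   AS target
ORDER BY target, right, principal
```

Change the edge alternation to `[r*1..]` with `shortestPath()` if you also want indirect paths, but start with the direct edges: they are the ones that can be fixed with a single ACL change.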

### Examples

* `AddMembers`: To exploit this we just need to add our user to the desired group using PowerShell: `Add-ADGroupMember "IT Support" -Members "barbara.reid"`
* Check that it worked: `Get-ADGroupMember -Identity "IT Support"`
* `ForceChangePassword`: Identify a member of the group whose password we want to change in order to take over their account: `Get-ADGroupMember -Identity "Tier 2 Admins"`
* Then we can change the password. *Note: It can take up to 10 minutes to be effective. We also might need to disconnect and reconnect*.

```powershell
$Password = ConvertTo-SecureString "Newpassword1234!" -AsPlainText -Force
Set-ADAccountPassword -Identity "t2_melanie.davies" -Reset -NewPassword $Password
```

## Other Tips Bloodhound

* If we click on an edge in the graph and select Help, we get useful information about that specific edge. It is really worth reading the Help and Abuse Info tabs for more details and tips on ways of exploitation.

## Bloodhound - Resources

* [Bloodhound - Lisandre](https://lisandre.com/cheat-sheets/bloodhound)
* [Bloodhound: A Pentester’s best friend by Warren Butterworth](https://medium.com/@warrenbutterworth/bloodhound-a-pentesters-best-friend-d8467aa6c50)
* [Cypher Query Language](https://neo4j.com/developer/cypher/)
* [Edges in Bloodhound](https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html)
* [SharpHound: Target Selection and API Usage - CptJesus](https://blog.cptjesus.com/posts/sharphoundtargeting)
* [Exploiting AD - Tryhackme](https://tryhackme.com/room/exploitingad)
* [BloodHound – Sniffing Out the Path Through Windows Domains - Michiel Lemmens](https://www.sans.org/blog/bloodhound-sniffing-out-path-through-windows-domains/)
* [THE DOG WHISPERER'S HANDBOOK 3 - SadProcessor](https://ernw.de/download/ERNW_DogWhisperer3.pdf)
