TL;DR Howto setup BloodHound and find escalation paths that attackers will abuse.
Part I: Howto Setup BloodHound
Part II: Howto Setup BlueHound
Part III: Howto Setup OpenVAS
Background
BloodHound is a handy tool that is used by both attackers and testers alike. Essentially it maps the objects in Active Directory and finds relationships between them. It can identify privilege creep and find escalation paths. This works rather well since normally domain users in AD have read rights to all domain objects.
I was able to find a couple of guides on Google on BloodHound setup, however due to changes, updates, or my lab environment in particular I still had to use a fair amount of trial and error to get BloodHound functioning. https://mcpmag.com/articles/2019/11/13/bloodhound-active-directory-domain-admin.aspx was the most straightforward guide, and helpfully included links to the necessary software. I wrote this simply to elaborate on what I had to do that was a bit different than the steps listed on that site.
Our testing environment
Obviously everyone’s setup varies. I used a Windows 10 domain client and a pre-built VM from Paramount Defense as a Domain Controller. Their VM is available at https://blog.paramountdefenses.com/2020/06/active-directory-security-lab-virtual-machine.html. My own Windows Domain lab only has a couple users populated, so their VM was a convenient way to give BloodHound something to analyze. The VM includes a mock company’s domain populated with OUs, groups, users, and computer accounts.
An attacker would most likely only run SharpHound on a compromised domain workstation and run Neo4j Desktop and BloodHound on their system. For simplicity’s sake I ran all components on the domain joined Windows 10 VM.
Setup
BloodHound relies on SharpHound for data collection from Active Directory and Neo4j Desktop for database support. Neo4j Desktop can be found here: https://neo4j.com/download/. SharpHound is included in the BloodHound download from https://github.com/BloodHoundAD/BloodHound/releases.
I downloaded to C:\Temp for two reasons; I wanted to put it in a folder that all users could access and it made configuring a folder exception in Windows Defender easy. Defender flagged SharpHound and automatically deleted some files in the BloodHound download initially. If this happens on your system simply set an exception for the folder and download BloodHound again.
The first step is to simply install Neo4j Desktop. You can either copy/paste the activation code that the download site provides or just skip it. Once Neo4j is installed just run it, create a new DB, name it something that makes sense (I used BloodHound), and set a password (I simply used password).
It’s easy to test the connectivity by hitting Start on the new DB, then navigating to http://localhost:7474. You should be presented with a login page.
The default username is neo4j and the password is the one picked when the DB was created earlier.
Next simply unzip the BloodHound download and run the executable located in C:\Temp\BloodHound-win32-x64\BloodHound-win32-x64 .
The default username is neo4j and the password is the DB password picked earlier and verified by logging into http://localhost:7474. Note that BloodHound will not display anything initially, this is where the data collection via SharpHound comes in.
If you are running Neo4j Desktop, BloodHound, and SharpHound off the same domain workstation as I did in the lab, simply navigate to C:\Temp\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\Collectors and run SharpHound.exe as a domain user while connected to your lab’s domain.
By default SharpHound creates the Zip file containing the AD data in the present working directory. Next pull up BloodHound, hit Import Data, select the Zip file that SharpHound created, and wait a few minutes depending on how large the domain is.
The box in the upper left can be used to search for an AD object such as Schema Admin, then right click on the node and select ‘Shortest Paths to Here’.
BloodHound can also search by selecting a starting node and a target node, for example a random user and the DC. This could be particularly useful for an attacker who is picking targets for a spear phishing campaign.
Or BloodHound can find the shortest path to Domain Admins.
Conclusion:
In summary BloodHound is a very useful tool for post exploitation recon in order to find paths to escalate. Setup and testing it out is rather straightforward given up to date instructions. I ran into a few other issues along the way related to the underlying infrastructure, but nothing a quick Google search couldn’t fix. For example the pre-built VM had an incorrect DTG set, so I had to utilize the ‘date’ and ‘time’ commands in Windows to fix that, otherwise the DC and the client will not sync properly. I also had to SSH into ESXi and repair the VM’s *.vmdk after loading it into the hypervisor. The particulars of that are best left to a different post though.
I hope this was helpful and you can get BloodHound up and running without issue. Attackers will use it to find escalation paths the system administrator might not have realized even existed, so it is best to audit, find them, and fix it before that happens!
References:
https://hunter2.gitbook.io/darthsidious/enumeration/bloodhound
https://mcpmag.com/articles/2019/11/13/bloodhound-active-directory-domain-admin.aspx
https://blog.paramountdefenses.com/2020/06/active-directory-security-lab-virtual-machine.html
