BloodHound Community Edition (CE) Installation
This article walks through installing BloodHound Community Edition (CE) on Kali Linux for pentesting and red teaming.
Update
sudo apt update
Install Docker and Docker Compose
sudo apt install -y docker.io
sudo apt install -y docker-compose
Alternative Method to Install Docker Compose
version=$(wget -qO- https://api.github.com/repos/docker/compose/releases/latest | grep -v "central-infosec" | grep ".tag_name" | cut -d'"' -f4)
sudo wget -q -O /usr/local/bin/docker-compose "https://github.com/docker/compose/releases/download/$version/docker-compose-$(uname -s)-$(uname -m)#cis"
sudo chmod +x /usr/local/bin/docker-compose
Download BloodHound CE
sudo mkdir /opt/bloodhoundce
sudo wget -q -O /opt/bloodhoundce/docker-compose.yml https://ghst.ly/getbhce
Start BloodHound CE
sudo docker-compose -f /opt/bloodhoundce/docker-compose.yml up
BloodHound Community Edition (CE) Usage
Login with the Email Address: admin
http://localhost:8080/ui/login
Get the initial password
# docker-compose v1 names the container bloodhoundce_bloodhound_1; Compose v2 (docker compose) names it bloodhoundce-bloodhound-1, so adjust the name if your output is empty
sudo docker logs bloodhoundce_bloodhound_1 2>&1 | grep "Initial Password Set To:"
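The container name in the command above depends on which Compose generation started the stack: docker-compose v1 joins the project, service and index with underscores, Compose v2 with hyphens. The following helpers are an added example (not code from the original page or from the BloodHound project) that discover the container name instead of hard-coding it and extract the one-time initial password from the log text; the project name bloodhoundce is assumed from the /opt/bloodhoundce directory used above.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). docker-compose v1 names the
# container "bloodhoundce_bloodhound_1" while Compose v2 names it
# "bloodhoundce-bloodhound-1"; these helpers discover the name instead of
# hard-coding it, then pull the one-time initial password from the logs.

# Read container names on stdin (one per line, as printed by
# `docker ps --format '{{.Names}}'`) and print the BloodHound app container.
# Both naming schemes are accepted; neo4j/postgres containers are ignored.
bh_container_name() {
  grep -E '^bloodhoundce[_-]bloodhound[_-][0-9]+$' | head -n 1
}

# Read container log text on stdin and print the initial password, i.e.
# the first non-blank token after "Initial Password Set To:".
# Returns 1 and prints nothing when no such line is present.
bh_initial_password() {
  local pw
  pw="$(sed -n 's/.*Initial Password Set To:[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1)"
  [ -n "$pw" ] || return 1
  printf '%s\n' "$pw"
}

# Glue for a live host: query Docker (root or docker-group membership
# needed, which is why the page uses sudo) and combine the two helpers.
bh_get_initial_password() {
  local name
  name="$(sudo docker ps --format '{{.Names}}' | bh_container_name)"
  if [ -z "$name" ]; then
    echo "no running BloodHound CE container found" >&2
    return 1
  fi
  sudo docker logs "$name" 2>&1 | bh_initial_password
}
```

Source the file and run bh_get_initial_password once the compose stack is up. The value it prints is only meant for the first login as admin; set a new password in the UI straight away, since anyone who can read the container logs can read this one.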
Download SharpHound and AzureHound to your Downloads directory
http://localhost:8080/ui/download-collectors
Unzip collectors
sudo unzip ~/Downloads/azurehound*.zip -d /opt/bloodhoundce/azurehound
sudo unzip ~/Downloads/sharphound*.zip -d /opt/bloodhoundce/sharphound
Collect data
sudo /opt/bloodhoundce/azurehound/azurehound-linux-amd64/azurehound -u 'First.Last@example.com' -p 'password123' list --tenant '<tenant_id>' -o output.json
Ingest data. Settings -> Administration -> Upload Files
http://localhost:8080/ui/administration/file-ingest
BloodHound Legacy Installation
sudo apt install -y bloodhound
sudo apt install -y neo4j
sudo neo4j console
sudo bloodhound
# Login with: neo4j:neo4j or neo4j:bloodhoundcommunityedition
BloodHound Python Ingestor
sudo apt install -y pipx
python -m venv /home/kali/.venv
source /home/kali/.venv/bin/activate
pip install bloodhound
mkdir bloodhound && cd bloodhound
# Run without sudo: sudo resets PATH and drops the venv, and root is not needed for collection
bloodhound-python -d <domain> -u <user> -p <password> -ns <dc_ip> -c all
bloodhound-python -d <domain> -u <user> -p <password> -ns <dc_ip> -c dconly
# The option is --disable-autogc (two dashes); a single dash is parsed as -d with a bogus domain
bloodhound-python -d <domain> -u <user> -p <password> -ns <dc_ip> -c dconly -dc <dc_full_hostname> -gc <dc_full_hostname> --disable-autogc --zip -v
Handy CYPHER queries
Shortest Path to Domain Admins From Enabled Users
MATCH p=shortestPath((n:User)-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|Contains|GPLink|AllowedToDelegate|TrustedBy|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC5|ADCSESC6a|ADCSESC6b|ADCSESC7|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|DCFor*1..]->(m:Group)) WHERE n.enabled = True AND m.objectid ENDS WITH "-512" RETURN p
This next query shows paths to Domain Admins from computers, excluding domain controllers.
MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH p=shortestPath((n:Computer)-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|Contains|GPLink|AllowedToDelegate|TrustedBy|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC5|ADCSESC6a|ADCSESC6b|ADCSESC7|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|DCFor*1..]->(m:Group)) WHERE NOT n.name IN domainControllers AND m.objectid ENDS WITH "-512" RETURN p
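The two queries above are written for the BloodHound UI. For repeatable checks (for example re-running the Domain Admins path query after every remediation round) it is handier to script them. The following is an added example, not code from the original page or from the BloodHound project, that sends Cypher to the Neo4j instance behind BloodHound CE through Neo4j's HTTP transaction endpoint (POST /db/neo4j/tx/commit) with curl. It assumes the CE compose file publishes Neo4j on localhost:7474 and that the default credentials listed in the Legacy section (neo4j:bloodhoundcommunityedition) are still in place; the group RID suffix and result limit are passed as Cypher parameters rather than spliced into the query string.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Runs Cypher against the Neo4j
# behind BloodHound CE via Neo4j's HTTP transaction API. Assumptions: Neo4j
# HTTP on localhost:7474 and the CE default credentials; override via env.
NEO4J_URL="${NEO4J_URL:-http://localhost:7474/db/neo4j/tx/commit}"
NEO4J_USER="${NEO4J_USER:-neo4j}"
NEO4J_PASS="${NEO4J_PASS:-bloodhoundcommunityedition}"

# Build the JSON body for /tx/commit. $1 = Cypher text, $2 = JSON object of
# parameters (defaults to {}). Newlines are flattened and backslashes and
# double quotes escaped so the query can be embedded in a JSON string.
cypher_payload() {
  local query="$1" params="${2:-}" escaped
  [ -n "$params" ] || params='{}'
  escaped="$(printf '%s' "$query" | tr '\n' ' ' | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
  printf '{"statements":[{"statement":"%s","parameters":%s}]}' "$escaped" "$params"
}

# POST a query and print the raw JSON response. $1 = Cypher, $2 = params JSON.
run_cypher() {
  curl -sS -u "$NEO4J_USER:$NEO4J_PASS" \
    -H 'Content-Type: application/json' -H 'Accept: application/json' \
    -X POST "$NEO4J_URL" --data "$(cypher_payload "$1" "${2:-}")"
}

# The page's "shortest path to Domain Admins from enabled users" query with the
# target group suffix and row limit as parameters. Returning the start user and
# hop count keeps the HTTP response small; RETURN p gives the full path instead.
DA_PATHS_QUERY='MATCH p=shortestPath((n:User)-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|Contains|GPLink|AllowedToDelegate|TrustedBy|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC5|ADCSESC6a|ADCSESC6b|ADCSESC7|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|DCFor*1..]->(m:Group)) WHERE n.enabled = true AND m.objectid ENDS WITH $ridSuffix RETURN n.name AS start, m.name AS target, length(p) AS hops ORDER BY hops LIMIT $limit'

# Convenience wrapper: -512 is the Domain Admins RID; pass -519 for Enterprise Admins.
da_paths() {
  run_cypher "$DA_PATHS_QUERY" "{\"ridSuffix\":\"${1:--512}\",\"limit\":${2:-25}}"
}
```

Call da_paths (optionally with another RID suffix and a limit) after each ingest; the response is Neo4j's standard JSON with a results array and an errors array, so a non-empty errors array is the first thing to check. Using parameters instead of string concatenation is also what keeps a value taken from user input or a config file from being interpreted as Cypher.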
Resources