BloodHound Community Edition (CE) Installation
This article walks through installing BloodHound Community Edition (CE) on Kali Linux for pentesting and red teaming.
Update
sudo apt update
Install Docker and Docker Compose
sudo apt install -y docker.io
sudo apt install -y docker-compose
Alternative Method to Install Docker Compose
version=$(wget -qO- https://api.github.com/repos/docker/compose/releases/latest | grep -v "central-infosec" | grep ".tag_name" | cut -d'"' -f4)
sudo wget -q -O /usr/local/bin/docker-compose "https://github.com/docker/compose/releases/download/$version/docker-compose-$(uname -s)-$(uname -m)#cis"
sudo chmod +x /usr/local/bin/docker-compose
Download BloodHound CE
sudo mkdir /opt/bloodhoundce
sudo wget -q -O /opt/bloodhoundce/docker-compose.yml https://ghst.ly/getbhce
Start BloodHound CE
sudo docker-compose -f /opt/bloodhoundce/docker-compose.yml up
BloodHound Community Edition (CE) Usage
Login with the Email Address: admin
http://localhost:8080/ui/login
Get the initial password from the container logs (the container name is derived from the Compose project directory; if it differs on your system, check sudo docker ps)
sudo docker logs bloodhoundce_bloodhound_1 2>&1 | grep "Initial Password Set To:"
Download SharpHound and AzureHound to your Downloads directory
http://localhost:8080/ui/download-collectors
Unzip collectors
sudo unzip ~/Downloads/azurehound*.zip -d /opt/bloodhoundce/azurehound
sudo unzip ~/Downloads/sharphound*.zip -d /opt/bloodhoundce/sharphound
Collect data
sudo /opt/bloodhoundce/azurehound/azurehound-linux-amd64/azurehound -u 'First.Last@example.com' -p 'password123' list --tenant '<tenant_id>' -o output.json
Ingest data. Settings -> Administration -> Upload Files
http://localhost:8080/ui/administration/file-ingest
When the initial password does not show up
Try deleting any docker volume it's created and try again. Personally I download the docker-compose file to my vm and run docker-compose up manually. If you run docker-compose up and don't see the initial password in the output, you can run 'docker-compose down -v' to wipe the volume, then run 'docker-compose up' again. The password only shows when it is the first time it initializes a postgres db.
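The two steps above (reading the password out of the logs, and wiping the volumes when it is missing) as a small set of shell helpers. This is an added example, not part of the original article: it assumes the compose file path used earlier (/opt/bloodhoundce/docker-compose.yml) and that the API container is the only one whose name contains "bloodhound" (Compose v1 names it bloodhoundce_bloodhound_1, Compose v2 bloodhoundce-bloodhound-1). The log line used to exercise the parser is constructed.

```shell
#!/bin/sh
# Added example (not from the original article). Helpers for the
# "initial password does not show up" step of a BloodHound CE install.

BHCE_COMPOSE="${BHCE_COMPOSE:-/opt/bloodhoundce/docker-compose.yml}"

# Constructed sample of the banner as it appears in the container log
# (the API writes it as a JSON log line on first postgres initialisation).
SAMPLE_LOG='{"level":"info","message":"# Initial Password Set To:    aBcD3fGh1jKlMnOp #"}'

# Read container logs on stdin and print only the initial password.
# Handles the raw "# Initial Password Set To:    xxxx #" banner and the
# JSON-wrapped form; prints nothing when the banner is absent.
extract_initial_password() {
    grep -o 'Initial Password Set To:[[:space:]]*[^[:space:]"#]*' \
        | sed 's/^Initial Password Set To:[[:space:]]*//' \
        | head -n 1
}

# Find the running API container regardless of Compose version (assumes
# the other services, graph-db and app-db, do not contain "bloodhound").
find_bh_container() {
    sudo docker ps --format '{{.Names}}' | grep -m 1 'bloodhound'
}

# Print the initial admin password, or explain why it is not there.
show_initial_password() {
    container=$(find_bh_container) || { echo "no bloodhound container running" >&2; return 1; }
    pw=$(sudo docker logs "$container" 2>&1 | extract_initial_password)
    if [ -n "$pw" ]; then
        printf '%s\n' "$pw"
    else
        echo "no initial password in the logs: the app-db volume already existed" >&2
        echo "run reset_bhce to wipe the volumes and re-initialise (ingested data is lost)" >&2
        return 1
    fi
}

# Wipe the Compose volumes and start again, which forces a fresh postgres
# init and therefore a freshly printed password. All ingested data is lost.
reset_bhce() {
    sudo docker-compose -f "$BHCE_COMPOSE" down -v
    sudo docker-compose -f "$BHCE_COMPOSE" up -d
    sleep 20   # give the API time to initialise before reading the logs
    show_initial_password
}
```

Source the file and run show_initial_password after docker-compose up; reset_bhce is the scripted form of the down -v / up sequence quoted above, so only use it on a fresh install where losing the database is acceptable.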
BloodHound Legacy Installation
sudo apt install -y bloodhound
sudo apt install -y neo4j
sudo neo4j console
sudo bloodhound
# Login with: neo4j:neo4j or neo4j:bloodhoundcommunityedition
BloodHound Python Ingestor
sudo apt install -y pipx
pipx install bloodhound
# Or, in a dedicated virtualenv instead of pipx:
python3 -m venv /home/kali/.venv
source /home/kali/.venv/bin/activate
pip install bloodhound
mkdir bloodhound && cd bloodhound
# No sudo: the collector does not need root, and sudo resets PATH so it would not find the venv or pipx binary
bloodhound-python -d <domain> -u <user> -p <password> -ns <dc_ip> -c all
bloodhound-python -d <domain> -u <user> -p <password> -ns <dc_ip> -c dconly
bloodhound-python -d <domain> -u <user> -p <password> -ns <dc_ip> -c dconly -dc <dc_full_hostname> -gc <dc_full_hostname> -disable-autogc --zip -v
Handy CYPHER queries
Shortest Path to Domain Admins From Enabled Users
MATCH p=shortestPath((n:User)-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|Contains|GPLink|AllowedToDelegate|TrustedBy|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC5|ADCSESC6a|ADCSESC6b|ADCSESC7|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|DCFor*1..]->(m:Group)) WHERE n.enabled = True AND m.objectid ENDS WITH "-512" RETURN p
This next query shows paths to Domain Admins from computers, excluding domain controllers:
MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH p=shortestPath((n:Computer)-[:Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|Contains|GPLink|AllowedToDelegate|TrustedBy|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC5|ADCSESC6a|ADCSESC6b|ADCSESC7|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|DCFor*1..]->(m:Group)) WHERE NOT n.name IN domainControllers AND m.objectid ENDS WITH "-512" RETURN p
Let's see the users' ACL edges (excluding vagrant accounts):
MATCH p=(u:User)-[r1]->(n) WHERE r1.isacl=true and not tolower(u.name) contains 'vagrant' RETURN p
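The two shortest-path queries above repeat the same long edge list and differ only in the target group's SID suffix. The shell helpers below, an added example that is not from the original article, keep that edge list once and generate the queries for any well-known RID (512 Domain Admins, 519 Enterprise Admins, 516 Domain Controllers), so a defender can check paths to other privileged groups without hand-editing the query; the RID is validated as digits so nothing from the shell lands unescaped inside the Cypher string. The cypher-shell usage assumes the CE compose file exposes Neo4j's bolt port on localhost and that the Legacy-section credentials apply; both are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): generate the article's
# shortest-path Cypher queries for an arbitrary target group RID.

# Edge types BloodHound CE treats as traversable, copied from the article's queries.
# Assumes they match the collector version whose data you ingested.
BH_EDGES='Owns|GenericAll|GenericWrite|WriteOwner|WriteDacl|MemberOf|ForceChangePassword|AllExtendedRights|AddMember|HasSession|Contains|GPLink|AllowedToDelegate|TrustedBy|AllowedToAct|AdminTo|CanPSRemote|CanRDP|ExecuteDCOM|HasSIDHistory|AddSelf|DCSync|ReadLAPSPassword|ReadGMSAPassword|DumpSMSAPassword|SQLAdmin|AddAllowedToAct|WriteSPN|AddKeyCredentialLink|SyncLAPSPassword|WriteAccountRestrictions|GoldenCert|ADCSESC1|ADCSESC3|ADCSESC4|ADCSESC5|ADCSESC6a|ADCSESC6b|ADCSESC7|ADCSESC9a|ADCSESC9b|ADCSESC10a|ADCSESC10b|ADCSESC13|DCFor'

# Accept only a decimal RID so the value cannot break out of the Cypher literal.
valid_rid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Shortest paths from enabled users to the group whose SID ends in -$1.
users_to_group() {
    valid_rid "$1" || { echo "rid must be numeric, e.g. 512" >&2; return 1; }
    printf 'MATCH p=shortestPath((n:User)-[:%s*1..]->(m:Group)) WHERE n.enabled = True AND m.objectid ENDS WITH "-%s" RETURN p\n' "$BH_EDGES" "$1"
}

# Shortest paths from computers that are not domain controllers (members of
# the -516 group) to the group whose SID ends in -$1.
computers_to_group() {
    valid_rid "$1" || { echo "rid must be numeric, e.g. 512" >&2; return 1; }
    printf "MATCH (c1:Computer)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-516' WITH COLLECT(c1.name) AS domainControllers MATCH p=shortestPath((n:Computer)-[:%s*1..]->(m:Group)) WHERE NOT n.name IN domainControllers AND m.objectid ENDS WITH \"-%s\" RETURN p\n" "$BH_EDGES" "$1"
}

# Usage: users_to_group 519 > ea.cypher and paste into the Cypher tab of the UI,
# or pipe straight into cypher-shell (assumes bolt on localhost:7687 and the
# neo4j:bloodhoundcommunityedition credentials from the Legacy section):
#   users_to_group 519 | cypher-shell -a bolt://localhost:7687 -u neo4j -p bloodhoundcommunityedition
```

Running the same two generators with 512 reproduces the article's queries exactly; any other RID only changes the target group, so results stay comparable across groups.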
Resources
https://mayfly277.github.io/posts/GOADv2-pwning-part3/