Home

Published

- 6 min read

The Evolution of BloodHound

RedTeaming C2 offensive security Pentesting cybersecurity
img of The Evolution of BloodHound

The Evolution of BloodHound

A Comprehensive Guide for Modern Pentesters

BloodHound has become an indispensable tool for Penetration Testers and Red Teamers, offering a unique insight into the trust relationships within Active Directory (AD) environments.

This article explores the evolution of BloodHound, its various incarnations, functionalities, limitations, and operational methodologies. We’ll cover from its inception to the latest versions, focusing on practical application and command-line examples.

Overview of BloodHound Editions and Capabilities

BloodHound has evolved through various iterations, from its original .exe format to the Python and SharpHound versions, and the distinction between Community Edition (CE) and non-CE. Below is a table summarizing these versions, their capabilities, and limitations.

VersionFormatCapabilitiesLimitationsDeployment
1.0.exeBasic AD graph enumerationLimited analyticsOn-target or remote with credentials
2.0.exe/pyImproved analytics, Python supportPython version less efficientOn-target or remote with credentials
3.0SharpHoundFaster data collection, stealthier operationsRequires .NETOn-target or remote with credentials
4.2SharpHound/CEIntroduction of CE, better UI, more analysis featuresCE version has more limited data collection techniquesOn-target or remote with credentials
4.3+SharpHound/CEEnhanced evasion techniques, Azure AD supportDetection vectors improved on defensive sideOn-target or remote with credentials

Original BloodHound.exe

Deployed initially as a standalone executable, this version was the first to allow Active Directory graph enumeration.

cmd
   $ BloodHound.exe -c All

BloodHound Python

Introduced Python version, for environments where executing a .NET binary might be less desirable.

Remote Enumeration

bash
   $ python bloodhound.py -u <username> -p <password> -d <domain> -gc <domain_controller> -c All

Remote Enumeration without Credentials

Using the LDAP Signed Binding vulnerability or similar vector to enumerate AD without credentials (assuming the environment is vulnerable). The command line args are almost identical.

bash
   $ python bloodhound.py -d <domain> -gc <domain_controller> -c All --no-auth

SharpHound

The BloodHound Ingestor.

The most efficient data collector for BloodHound, written in .NET for better integration with Windows environments. SharpHound 4.x Community Edition (CE) was introduced as a more accessible version with a streamlined interface and additional features for community users.

Basic Collection

powershell
   $ .\SharpHound.ps1 -CollectionMethod All

Stealthy Collection

To reduce the likelihood of detection, you can opt for stealthier methods, that focus on specific collection techniques.

powershell
   $ .\SharpHound.ps1 -CollectionMethod Session,LoggedOn -Stealth

Collecting from Azure AD

powershell
   $ .\SharpHound.ps1 -CollectionMethod AzureAD

Remote Deployment with Credentials

Ideal for when you have valid credentials but cannot - or prefer not to - execute directly on the target system.

powershell
   $ .\SharpHound.ps1 -CollectionMethod All -DomainController <DC IP> -Username <Username> -Password <Password>

Group Membership Enumeration

Identifying group memberships can help in planning privilege escalation paths.

powershell
   $ .\SharpHound.ps1 -CollectionMethod Group

ACL Analysis for Privilege Escalation

Analyzing Access Control Lists (ACLs) can uncover unconventional privesc vectors.

powershell
   $ .\SharpHound.ps1 -CollectionMethod ACL

Windows and Active Directory ACLs and DACLs

Understanding Access Control Lists (ACLs) and Discretionary Access Control Lists (DACLs) is crucial in Pentesting. These mechanisms play a significant role in defining who has access to various resources and how those access permissions are managed and enforced.

In the context of BloodHound, we only want to provide a quick overview to refresh your memory.

ACLs

ACLs in Windows and AD are lists of access control entries (ACEs) that define the permissions for users and groups to objects such as files, directories, and AD objects. These permissions include read, write, execute, and delete among others.

ACL Targets and Tactics

  • Privilege Escalation - Finding objects with misconfigured ACLs that allow a low-privileged user to change settings or permissions, leading to privilege escalation.
  • Lateral Movement - Identifying accounts or services with excessive permissions on remote systems or AD objects to facilitate lateral movement.

DACLs

A DACL is a specific type of ACL that defines the actual permissions that subjects - like users or groups - have to an object. Every object in Windows and Active Directory has a DACL that specifies who can interact with the object and in what way.

And everything in AD is an object.

DACL Targets and Tactics

  • Access Token Manipulation - Exploiting DACLs to manipulate access tokens, potentially elevating the privileges of the attacker’s process.
  • DACL Modification - Modifying the DACLs of critical objects (e.g., files, services, registry keys) to grant attackers access or control, often without direct elevation of the user’s privileges.

Trusts Enumeration

Understanding domain trusts can help in planning inter-domain movement.

powershell
   $ .\SharpHound.ps1 -CollectionMethod Trusts

On-Target Deployment

powershell
   $ .\SharpHound.exe -CollectionMethod All

BloodHound Analysis and Usage

BloodHound’s real power lies in its ability to visualize and analyze complex AD trust relationships, identifying attack paths that would be difficult to discern otherwise.

Querying for High-Value Targets

powershell
   $ Get-BloodHoundData -QueryName "Find-PrincipalsWithAdminCount" -OutFile "AC_Users.json"

Identifying Attack Paths

powershell
   $ Invoke-BloodHound -CollectionMethod ACLAnalysis -Domain <DomainName> -JSONFolder "C:\Temp\"

Database and GUI

Installing Neo4j and Configuring the BloodHound Database

  1. Install Neo4j: Download and install Neo4j Community Edition from the official Neo4j website. Choose the version compatible with your BloodHound version.

  2. Configure Neo4j:

    • Open the Neo4j configuration file, typically found at neo4j.conf.
    • Uncomment and set the dbms.memory.heap.initial_size and dbms.memory.heap.max_size according to your system’s RAM for optimal performance.
    • Uncomment and modify dbms.directories.import to define an import directory, if needed.
    • Start the Neo4j service: Use the Neo4j Console or your system’s service manager to start Neo4j.

  3. Set Neo4j Password:

    • Access the Neo4j browser interface by navigating to http://localhost:7474.
    • Log in using the default credentials (neo4j/neo4j) and set a new password when prompted.

Running BloodHound GUI

  1. Start BloodHound: Launch BloodHound using the shortcut or command line.
  2. Log In to the Database:
    • Enter the credentials for the Neo4j database you configured earlier.
    • Default Username: neo4j
    • Password: The one you set during the Neo4j setup.

Importing Data into BloodHound

We use SharpHound to collect data from the target network:

Collection Example

powershell
   $ .\SharpHound.ps1 -CollectionMethod All -JSONFolder "C:\Path\To\Output"

Importing Collected Data

  • Open BloodHound GUI and navigate to the “Upload Data” section.
  • Drag and drop the JSON files generated by SharpHound into the BloodHound interface or use the import dialogue to select the files manually.

Common Use Cases

  • Identifying High-Value Targets: Use BloodHound to find high-value targets like Domain Admins. This helps in prioritizing targets for credential access or privilege escalation.
  • Uncovering Privilege Escalation Paths: BloodHound can reveal direct and indirect relationships that allow lower-privileged users to escalate their privileges within the AD environment.
  • Mapping Lateral Movement Paths: Analyze trust relationships and session connections to map out how an attacker could move laterally across the network.
  • Finding Misconfigured ACLs: BloodHound can identify misconfigured Access Control Lists that could be exploited to gain unauthorized access or elevate privileges.

Visualizing and Analyzing Data

BloodHound provides a graphical interface to visualize AD environments and analyze relationships. You can use pre-built queries or create custom ones to explore specific aspects of the AD environment.

  • Navigating the Graph: Click on nodes to expand their relationships, or use the search function to locate specific entities.
  • Using Built-in Queries: Leverage BloodHound’s built-in queries to quickly identify common attack paths and vulnerabilities within the network.

Operational Considerations

  • Detection and Evasion: Employing stealth options and timing the execution wisely can help evade detection.
  • Data Handling: Securely handling and analyzing the collected data is crucial. Ensure the BloodHound database is protected.
  • Ethical Use: Always use BloodHound within the boundaries of authorized penetration testing and red teaming engagements.

This guide aims to equip you with a comprehensive understanding of BloodHound’s capabilities across its versions and deployment scenarios. With this knowledge, you’ll have a solid foundation for integrating BloodHound into your security assessment toolkit effectively and ethically.