Bloodhound Cheatsheet

Introduction:

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. It is used for analyzing and understanding Active Directory security.

Basic Commands:

Starting BloodHound:

  1. Start Neo4j:

    sudo neo4j start

  2. Start BloodHound:

    bloodhound

BloodHound Interface:

Running BloodHound from Metasploit:

  1. Enter a SYSTEM level Meterpreter session

    sessions -i <session_id>

  2. Run the post-exploitation module

    meterpreter> run post/windows/gather/bloodhound

  3. Document the password, and move the *.zip from the Metasploit loot directory to your /home/kali/ directory

    mv /home/kali/.msf4/loot/*.zip /home/kali/

  4. Modify the permissions, extract the files, and enter the password when unzip prompts for it

    chmod 777 *.zip && unzip *.zip

  5. Upload these files to BloodHound for analysis.

Uploading files into BloodHound:

  1. Navigate to the BloodHound interface.
  2. Click on the "Upload Data" button on the right side of the interface.
  3. Select and upload the .zip files generated by SharpHound or the .json files extracted from the .zip file.

Querying BloodHound:

BloodHound uses Cypher, a query language for Neo4j, to query the data.

Basic Cypher Queries:
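A set of starter queries, added here as an example and not part of the original cheatsheet, that can be pasted into the "Raw Query" box at the bottom of the BloodHound interface. Labels (User, Group, Computer), relationship types (MemberOf, HasSession) and properties (hasspn, enabled, admincount, unconstraineddelegation) follow the legacy BloodHound Neo4j schema, in which object names are stored upper-case; CORP.LOCAL is an assumed placeholder for the collected domain.

```cypher
// Added example queries for the legacy BloodHound (Neo4j) schema.
// "CORP.LOCAL" is an assumed placeholder domain; run one statement at a time.

// 1. Every user that reaches Domain Admins through any depth of group
//    nesting (MemberOf*1..), not just the direct members of the group.
MATCH (u:User)-[:MemberOf*1..]->(g:Group)
WHERE g.name = "DOMAIN ADMINS@CORP.LOCAL"
RETURN DISTINCT u.name AS user
ORDER BY user;

// 2. Enabled accounts that carry a service principal name, i.e. accounts
//    whose service tickets can be requested; admincount=true ones first,
//    since those are the ones to review or rotate first.
MATCH (u:User)
WHERE u.hasspn = true AND u.enabled = true
RETURN u.name AS user, u.admincount AS admincount
ORDER BY admincount DESC, user;

// 3. Computers trusted for unconstrained delegation that are not domain
//    controllers (DCs are expected to have it; anything else is a finding).
MATCH (c:Computer {unconstraineddelegation: true})
WHERE NOT (c)-[:MemberOf*1..]->(:Group {name: "DOMAIN CONTROLLERS@CORP.LOCAL"})
RETURN c.name AS computer;

// 4. Shortest path from each enabled user to Domain Admins across every
//    edge type BloodHound records, ranked by hop count. Returning p instead
//    of length(p) draws the paths on the graph canvas.
MATCH p = shortestPath((u:User {enabled: true})-[*1..]->(g:Group {name: "DOMAIN ADMINS@CORP.LOCAL"}))
RETURN u.name AS start, length(p) AS hops
ORDER BY hops, start
LIMIT 25;

// 5. Privileged users with a live session on a computer outside the domain
//    controllers: their credentials are exposed on that host. HasSession
//    edges run from the Computer to the User.
MATCH (c:Computer)-[:HasSession]->(u:User)-[:MemberOf*1..]->(g:Group {name: "DOMAIN ADMINS@CORP.LOCAL"})
WHERE NOT (c)-[:MemberOf*1..]->(:Group {name: "DOMAIN CONTROLLERS@CORP.LOCAL"})
RETURN c.name AS computer, u.name AS user;
```

The BloodHound raw query box renders only one statement per run, so submit the queries individually; queries that RETURN node or path variables (for example `RETURN p` in query 4) are drawn on the canvas, while those that return scalar columns are shown as a table in Neo4j Browser (http://localhost:7474) rather than in BloodHound.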

Common Analysis Techniques:

Tips:

Help and Documentation:

Example Workflow:

  1. Start Neo4j and BloodHound.
  2. Collect data using the BloodHound post module in a SYSTEM level Meterpreter shell.
  3. Upload the data to BloodHound.
  4. Run Cypher queries to analyze the data.
  5. Use the BloodHound interface to visualize and further explore the relationships.