Bloodhound Cheatsheet

Introduction:

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. It is used for analyzing and understanding Active Directory security.

Basic Commands:

Starting BloodHound:

1. Start Neo4j:
   
   sudo neo4j start

2. Start BloodHound:
   
   bloodhound

BloodHound Interface:

• Nodes: Represent objects like users, groups, computers, and domains.

• Edges: Represent relationships like group memberships, session connections, and ACLs.

Running BloodHound from Metasploit:

1. Enter a SYSTEM level Meterpreter Session

   sessions -i <session_id>

2. Run the Post-Exploitation Module

   meterpreter> run post/windows/gather/bloodhound

3. Document the password, and move the *.zip to your /home/kali/ directory

   mv /home/kali/.msf4/loot/*.zip /home/kali/*.zip

4. Modify the permissions, extract the files, and enter the password

   chmod 777 *.zip && unzip *.zip

5. Upload these files to BloodHound for analysis.

Uploading files into BloodHound:

1. Navigate to the BloodHound interface.

2. Click on the "Upload Data" button to the right side of the interface.

3. Select and upload the .zip files generated by SharpHound or the .json files extracted from the .zip file.

Querying BloodHound:

BloodHound uses Cypher, a query language for Neo4j, to query the data.

Basic Cypher Queries:

• Find all domain admins:
  MATCH (n:User)-[:MemberOf*1..]->(g:Group {name: "DOMAIN ADMINS@"}) RETURN n
  

• Find all sessions:
  MATCH (n:User)-[:HasSession]->(m:Computer) RETURN n, m
  

• Find all local admins:
  MATCH (n:User)-[:AdminTo]->(m:Computer) RETURN n, m
  

• Find all computers with unconstrained delegation:
  MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
  

• Find shortest path to domain admin:
  MATCH p=shortestPath((n:User {name:""})-[:MemberOf*1..]->(g:Group {name:"DOMAIN ADMINS@"})) RETURN p
  

Common Analysis Techniques:

• Shortest Paths: Identifies the shortest path to high-value targets like domain admins.

• Group Memberships: Analyzes group memberships to find nested group memberships.

• ACL Analysis: Identifies users and groups that have specific permissions on objects.

• Session Analysis: Determines which users have active sessions on which computers.

Tips:

• Regularly update BloodHound and SharpHound to the latest versions.

• Use filters in the BloodHound interface to refine your results.

• Combine multiple queries for comprehensive analysis.

Help and Documentation:

• BloodHound GitHub: https://github.com/BloodHoundAD/BloodHound

• SharpHound GitHub: https://github.com/BloodHoundAD/SharpHound

• BloodHound Documentation: https://bloodhound.readthedocs.io/en/latest/

Example Workflow:

1. Start Neo4j and BloodHound.

2. Collect data using BloodHound module in a SYSTEM level meterpreter shell.

3. Upload data to BloodHound.

4. Run Cypher queries to analyze the data.

5. Use the BloodHound interface to visualize and further explore the relationships.