Hey all, back again with another AD assessment tool. Last week I talked about PingCastle which covers some areas that Bloodhound does and some areas that it does not, so I’d highly recommend going through that one first, and then move to Bloodhound to address escalation paths and things that may have been missed by PingCastle.
Welcome to BloodHound
BloodHound is an absolutely incredible tool developed by @_wald0, @CptJesus, and @harmj0y. While it’s not as simple as PingCastle, it’s capabilities and graph theory are seriously impressive. The goal behind this is to determine both lateral and escalation paths that will move an attacker from lower level permissions to higher level permissions that they can use to access sensitive data or systems, including Domain Admin or SQL admin.
To get started, we need to download the Neo4j Community Edition 3.5.14 database engine (Link), the BloodHound binaries (Link), and to keep things easy, I downloaded the whole master branch from their Github repo (Link).
I extracted all three of these to C:\BloodHound due to file paths getting quite long, and once you do this, you should have a folder that looks similar to this:
The first thing we need to do is gather some data with SharpHound since it will take a while. To start, I would recommend running this with a generic user account that has no permissions. This will reduce the amount of data you are looking at and let you quickly clean up the most important things first. There are a lot of things standard users will not be able to enumerate such as DACL’s on certain AD objects, GPO’s that have been hardened, SAM-R on newer versions of Windows 10, NetSessionEnum, etc. This means that at some point in the future you will probably want to run this again with permissions to those things if you want to see everything it can find.
This took half an hour for me. If your org is large, let this run in the background and keep going.
While SharpHound is running, let’s get the database up and running. This is pretty straightforward since they have a batch script with a command line argument to do it, but you do have to run Command Prompt with Admin privileges since it is installing a service. Change directory into the \bin folder of the neo4j database folder you extracted and run “neo4j.bat install-service” and then start the service with “net start neo4j”.
Now that we have the service running, we can hit the administrative web interface in our browser by going to http://localhost:7474/. To log in, we’ll use neo4j for the username and the password, and then it will ask us to change the password. Create a database, and then launch Bloodhound.
When BloodHound first launches, it will ask us for the database information. The default URL is bolt://localhost:7687, and your username will be neo4j with whatever password you changed it to.
Once BloodHound has logged in, you’ll have a huge blank window. We need to load some data into this, so on the top right navigation tree, we’ll click on the Upload Data icon as seen below and select the zip file from our SharpHound ingestor (assuming it has finished!).
Depending on the size of your org, this could be a real hurry up and wait process… It usually takes a good 5-10 minutes for the data to fully load for me. The Upload Data icon will show progress along the way, and when it’s done, you can click on the Search box and click database info to see how much data it collected. It should look something like this:
The one that I like to click on very first is Find Shortest Path to Domain Admin. Ours used to look much worse than this, so don’t be alarmed if yours is insane looking. You’ll be amazed at how quickly you can clean up some of what it finds. Another thing to keep in mind is that Enterprise Admins, Domain Admins, and special accounts like Azure AD Connect are listed even though they already are Domain Admin equivalent. In the image below, I actually only have 2 legitimate paths that need to be cleaned up.
Some of these queries are absolutely incredible and will give you almost too much data to work with. The example below is from using the Shortest Paths to High Value Targets. It’s pretty interesting to dive into what each of those are and how they can be abused.
If you need additional help, they have a Wiki, but it’s not really the most intuitive or up to date: https://github.com/BloodHoundAD/BloodHound/wiki/Getting-started
All in all, I think this highlights the capabilities, and it should generate some excellent conversations for your SysAdmin team. Even if some things can’t be addressed, at least they are aware and can take it into consideration when building new systems or want to look for alternative ways to mitigate the risks that it finds. Just keep running the SharpHound assessments and keep an eye on things as environments always change over time.
Again, if you have any questions and work in education (higher ed or K12), we would love for you to join us on the OpsecEdu Slack. If you really get into using Bloodhound, you should also consider joining the the BloodHoundGang Slack which I’ve found very enlightening as well 🙂