WARNING: Ensure that you have the necessary permissions and legal authorization to extract data from the Ntds.dit file and import it into BloodHound. You may wish to mount ADDS separately and scan the mounted copy instead; follow that guide here.
BloodHound is an absolutely fantastic way to check the security of your domain and to visualize its weak points: weak authentication mechanisms, lateral movement to privileged accounts, lateral movement generally, not to mention a whole host of other benefits.
Security Warning
Yes, when you do this your security software (in this case Defender) will go absolutely nuts, which is great under normal circumstances, but when you actually want to run these tools it is a pain.
This alert was very common with file operations:
Then you have the problem of trying to run the PowerShell script:
In the end this is what needed to happen: I had to completely disable the Defender antivirus and threat protection. Ironically, however, the firewall did not detect that malicious software talking to the ADDS services at all.
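Once the run is over, the state Defender was left in matters more than the noise it made during it. The function below is an added example, not part of the original guide: it uses the stock Defender cmdlets (Get-MpComputerStatus, Get-MpPreference, Get-MpThreatDetection) to report whether real-time protection is back on, which exclusions still exist, and which detections mentioned the tools used here. The tool-name list is an assumption you can extend; run it in an elevated PowerShell on the machine where the tools were used.

```powershell
# Added example (not from the original guide): post-run Defender state check.
# Requires an elevated session on the host where SharpHound/BloodHound ran.
function Get-DefenderPostRunReport {
    param(
        # Names to look for in detection records; assumed list, extend as needed.
        [string[]] $ToolNames = @('SharpHound', 'BloodHound', 'PingCastle')
    )

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Build one case-insensitive pattern from the tool names.
    $pattern = ($ToolNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # Detections whose file resources or originating process mention a tool.
    $hits = Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object {
            (($_.Resources -join ' ') -match $pattern) -or ($_.ProcessName -match $pattern)
        } |
        Select-Object InitialDetectionTime, ProcessName,
            @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } }

    [pscustomobject]@{
        RealTimeProtectionOn = $status.RealTimeProtectionEnabled
        AntivirusOn          = $status.AntivirusEnabled
        TamperProtectionOn   = $status.IsTamperProtected
        ExclusionPaths       = @($pref.ExclusionPath)
        ExclusionProcesses   = @($pref.ExclusionProcess)
        ToolDetections       = @($hits)
    }
}

$report = Get-DefenderPostRunReport
if (-not $report.RealTimeProtectionOn) {
    Write-Warning 'Real-time protection is still OFF; turn it back on.'
}
if ($report.ExclusionPaths.Count -gt 0) {
    Write-Warning "Exclusion paths still configured: $($report.ExclusionPaths -join ', ')"
}
$report.ToolDetections | Format-Table -AutoSize
```

The two warnings are the ones that matter after an exercise like this: protection that was "temporarily" disabled and exclusions that were never removed are exactly what an attacker who later lands on the box would enjoy.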
PingCastle
Before going straight to BloodHound, I would recommend that you run a PingCastle report. This program will analyze your domain and advise you on security weak points and vulnerabilities. The utility gets updated regularly, so make sure you download the latest version before you run it.
I would highly recommend you run this utility before you jump straight into BloodHound; as with BloodHound, you can get some very surprising results.
PingCastle : Download
Let's get the software from the official website; the download link is here.
PingCastle : Extraction
Once you have downloaded it, it's just a ZIP file, so go ahead and extract it to a folder of your choice. I have used the folder c:\PingCastle and installed it locally on the "FakeDC" computer running "bear.local" as the domain.
That extraction should look like this and you will need to run the "pingcastle" executable highlighted below:
You will then be asked for the domain; if you press Enter it will choose the local domain, which here is bear.local, so I just need to press Enter:
It will then run its tasks; you need to wait until it says completed, then you can press Enter, which quits the application as its job is done:
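Answering the prompts works for a one-off, but the point of PingCastle is to watch the score over time. The following is an added example, not part of the original guide or of PingCastle itself: it runs the health check non-interactively with PingCastle's own --healthcheck and --server switches, so it can be scheduled, and keeps a dated copy of the report for comparison with the next run. It assumes the extraction folder c:\PingCastle and the domain bear.local from this guide, and that PingCastle writes its ad_hc_<domain>.html report into the working directory.

```powershell
# Added example (not from the original guide): unattended PingCastle health check
# that keeps a dated copy of each report so successive runs can be compared.
function Invoke-PingCastleHealthCheck {
    param(
        [string] $Domain        = 'bear.local',          # domain from the guide
        [string] $PingCastleDir = 'C:\PingCastle',       # extraction folder from the guide
        [string] $ReportDir     = 'C:\PingCastle\reports' # assumed archive folder
    )

    New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
    $exe = Join-Path $PingCastleDir 'PingCastle.exe'
    if (-not (Test-Path $exe)) { throw "PingCastle.exe not found under $PingCastleDir" }

    # PingCastle writes ad_hc_<domain>.html/.xml to the current directory,
    # so run it from the report folder to keep everything in one place.
    Push-Location $ReportDir
    try {
        & $exe --healthcheck --server $Domain
        if ($LASTEXITCODE -ne 0) { throw "PingCastle exited with code $LASTEXITCODE" }

        $report = Get-ChildItem -Path $ReportDir -Filter 'ad_hc_*.html' |
            Sort-Object LastWriteTime -Descending |
            Select-Object -First 1
        if (-not $report) { throw 'No ad_hc_*.html report was produced' }

        # Each run overwrites ad_hc_<domain>.html, so archive a dated copy.
        $dated = Join-Path $ReportDir ('ad_hc_{0}_{1:yyyyMMdd-HHmm}.html' -f $Domain, (Get-Date))
        Copy-Item -Path $report.FullName -Destination $dated -Force
        return $dated
    }
    finally {
        Pop-Location
    }
}

$archived = Invoke-PingCastleHealthCheck
Write-Host "Health check report archived to $archived"
```

Because the page notes the utility is updated regularly, pull the latest release before each scheduled run; a stale build will silently miss newer checks.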
PingCastle : Report
PingCastle : Indicators
BloodHound Prerequisites
Note: BloodHound requires a server and a client; in this example I am using Kali for the server and Windows for the client.
BloodHound is an interactive tool with many interesting reports and queries that people will want to investigate themselves, and it is far safer to give people access to a Windows client than to give them access to your Kali server.
- Access to Ntds.dit File: Obtain a copy of the Ntds.dit file from a domain controller.
- SharpHound: this needs to be run on the live domain to enumerate objects and get the data.
- BloodHound: Have BloodHound installed and ready for use.
SharpHound : Online ADDS scan
First, you need to download the PowerShell file from this location; there is an executable as well, but this guide is about the PowerShell version.
SharpHound Collectors
This is a PowerShell script that is executed as follows. First you need to put PowerShell into bypass mode for the current session only, then import the module:
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
Import-Module .\SharpHound.ps1
Enable BloodHound services (server)
This will be done from the Kali Linux server that hosts the server side of the software:
sudo neo4j start
This will start the service as shown below; it also gives you the port you require, which here is TCP 7474:
Download BloodHound client (workstation)
BloodHound can be downloaded from the links below; just use the relevant binaries for your platform:
Download BloodHound Clients
Download BloodHound x64 Windows Installer
Downloading this will not be as simple as it appears. If you try to download it via most browsers it will be blocked as malicious, because what it does is considered to be malicious.
Browsers are actually quite active at protecting you these days; however, if you need to use this application, this can easily be fixed on Windows by starting PowerShell and using "wget" (an alias for Invoke-WebRequest) to download the file, which requires this command:
Invoke-WebRequest -Uri "https://github.com/BloodHoundAD/BloodHound/releases/download/v4.3.1/BloodHound-win32-x64.zip" -OutFile "C:\temp\BloodHound-win32-x64.zip"
That will immediately start the download to the path given in -OutFile, here C:\temp;
During or on completion of the download, fully expect your protection software to detect this as malicious too, and it will immediately be quarantined (which, just to be clear, is absolutely the correct action normally). However, if you wish to use this utility, you will need to make a security exception in your protection software; that procedure will absolutely not be covered in this guide.
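Whatever exception you end up making, it should only ever cover a file you have checked is the one you meant to download. The function below is an added example, not part of the original guide or of the BloodHound project: it performs the same Invoke-WebRequest download as above, then compares the archive's SHA-256 with a digest you recorded from the release page before unpacking it with Expand-Archive. The expected hash shown is a placeholder (the page does not give one), so as written the call will refuse the file until you substitute the published value; the Test-Path check covers the case the text describes, where the archive has already been quarantined by the time you look for it.

```powershell
# Added example (not from the original guide): download, verify, then unpack.
# The SHA-256 passed in is a PLACEHOLDER; replace it with the digest published
# for the exact release you are fetching.
function Get-VerifiedRelease {
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [string] $OutFile,
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        [string] $ExtractTo
    )

    # Same download the guide performs, spelled out as Invoke-WebRequest
    # so it is not confused with GNU wget.
    Invoke-WebRequest -Uri $Uri -OutFile $OutFile -UseBasicParsing

    # Quarantine during download leaves no file behind; say so explicitly.
    if (-not (Test-Path $OutFile)) {
        throw "$OutFile is missing after download; check the AV quarantine log."
    }

    # Get-FileHash returns upper-case hex, so normalise the expected value.
    $actual = (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        # Do not leave an unverified archive around for someone to exclude later.
        Remove-Item -Path $OutFile -Force
        throw "SHA-256 mismatch for $OutFile (got $actual); download discarded."
    }

    if ($ExtractTo) {
        Expand-Archive -Path $OutFile -DestinationPath $ExtractTo -Force
    }
    return $actual
}

# Usage with the release URL from the guide; the digest below is a placeholder.
Get-VerifiedRelease `
    -Uri 'https://github.com/BloodHoundAD/BloodHound/releases/download/v4.3.1/BloodHound-win32-x64.zip' `
    -OutFile 'C:\temp\BloodHound-win32-x64.zip' `
    -ExpectedSha256 '<PUBLISHED-SHA256-GOES-HERE>' `
    -ExtractTo 'C:\temp\BloodHound'
```

Scope any exception you then create to that verified path rather than to a whole folder or to the process name; a broad exclusion outlives the exercise and protects the next thing dropped there just as well.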
Running BloodHound Client
When you start BloodHound you will see the login screen, where you need to enter the server connection address. If you enter the address correctly you will see a green tick next to the server name, as below:
If you enter the connection incorrectly, you will be notified by a "database not found" error like the one below; check your connection settings:
We then need a valid username and password; click Login, and if they are correct the button will change to "Success".
This will then give you the main interface, where it will query the database as below:
Currently there is nothing in the database to query, so it should tell you "no data returned", and it would be correct: we have not imported anything into the database yet!
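Most "database not found" failures at the login screen are network problems rather than typos, because with the server on Kali and the client on Windows the neo4j listener has to be reachable across the network. The check below is an added example, not part of the original guide: from the Windows workstation it tests TCP reachability of the server on 7474 (the port shown above) and on 7687, neo4j's standard Bolt port that the client's database URL normally points at, using Windows' built-in Test-NetConnection. The server name is a placeholder you supply.

```powershell
# Added example (not from the original guide): pre-login reachability check
# for the BloodHound/neo4j server, run from the Windows client.
function Test-BloodHoundServer {
    param(
        [Parameter(Mandatory)] [string] $Server,        # Kali host name or IP (placeholder)
        [int[]] $Ports = @(7474, 7687)                  # 7474 from the guide; 7687 = neo4j Bolt
    )

    foreach ($port in $Ports) {
        $r = Test-NetConnection -ComputerName $Server -Port $port -WarningAction SilentlyContinue

        $hint = if ($r.TcpTestSucceeded) {
            'OK'
        } elseif ($port -eq 7687) {
            'Bolt port closed: neo4j may be bound to localhost only, or a firewall is in the way'
        } else {
            'HTTP port closed: has "sudo neo4j start" been run on the server?'
        }

        [pscustomobject]@{
            Server    = $Server
            Port      = $port
            Reachable = $r.TcpTestSucceeded
            Hint      = $hint
        }
    }
}

# Replace the placeholder with your Kali server's address before running.
$results = Test-BloodHoundServer -Server '<kali-server-ip>'
$results | Format-Table -AutoSize

if ($results | Where-Object { $_.Port -eq 7687 -and $_.Reachable }) {
    Write-Host "Use bolt://<kali-server-ip>:7687 as the database URL in the client."
}
```

Opening neo4j to the network is what makes the split server/client setup work, but the database then holds a complete map of your domain; keep the listener restricted to the client's address at the firewall and change the default neo4j credentials before loading any data.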
SharpHound : Import Data into BloodHound
- Open BloodHound.
- Go to "Data Import" within BloodHound.
- Choose the appropriate option to import data. BloodHound supports importing data from CSV files.
- Map the columns in the CSV file to the corresponding BloodHound properties during the import process.
- Once the data is successfully imported, BloodHound will process it and generate a graph visualizing the relationships, permissions, and attack paths within the Active Directory environment.
If you get an error about "Incompatible collector", you may need to use SharpHound; if the data did come from SharpHound and you were using the PowerShell collector, try the executable collector as well.
Analyze the BloodHound Graph
Explore the generated BloodHound graph to identify potential attack paths, privilege escalation opportunities, vulnerable accounts, and other security-related insights within the Active Directory.
<more coming soon>