Around 90% of Fortune 1000 companies use Windows Active Directory to manage their IT infrastructure, and you need to know how to hack these environments. The perfect way to get started is by learning about the BloodHound tool.
BloodHound is a hacking tool that you can use to identify attack paths left open by security misconfigurations or vulnerabilities in Active Directory environments. These paths allow you to perform lateral movement and compromise the entire environment. Learning how to use BloodHound enables you to effectively assess the security of an Active Directory environment and exploit any weaknesses you find.
This article provides a complete guide to the BloodHound tool. It will take you all the way from installation to discovering highly complex attack paths you can exploit. Get your keyboard ready, and let’s go to work!
What Is BloodHound?
BloodHound is an open-source tool that shows potential attack paths within an Active Directory environment. To do this, it uses graph theory and visually maps the relationships between user accounts, groups, and other Active Directory network components. You can analyze this information using BloodHound’s GUI to uncover security misconfigurations.
The BloodHound tool is not a standalone executable. Instead, the tool consists of several key parts:
- The SharpHound data collector: This collects the data from the Active Directory environment you are attacking and packages it in a format you can upload to BloodHound for analysis.
- The Neo4j backend: BloodHound uses Neo4j as its backend database to store and process the Active Directory data uploaded to the tool. Neo4j creates a graphical view of the data, allowing it to be queried.
- The BloodHound GUI: This provides a visual representation of the Active Directory information collected and allows you to interact with this information to discover security misconfigurations.
- The BloodHound query language: BloodHound comes with a query language, Cypher (the query language of its Neo4j backend). This lets you search the collected data for vulnerabilities and misconfigurations and reveal hidden relationships between Active Directory entities.
BloodHound’s key features:
- Automating the collection of Active Directory environment information.
- Creating a visual graph of an Active Directory environment.
- Analyzing Active Directory information and identifying potential attack paths.
- A custom query language (Cypher) that lets you search for security weaknesses and attack paths.
- The ability to create reports and documentation based on findings.
Installation and Setup
BloodHound does not come pre-installed on Kali Linux. You need to install and set the tool up to use it. This can be done in four steps on Kali:
Step 1: Install Java
The Neo4j database management system requires Java to run. To install Java on Kali Linux, run the command sudo apt install openjdk-11-jdk. This installs the Open Java Development Kit and all its required dependencies.
Step 2: Install Neo4j
Install the Neo4j database management system using Kali’s apt package manager by executing the command sudo apt install neo4j.
Step 3: Setup Neo4j
With Neo4j installed, you can now run it as a service on your Kali machine and begin configuring it. First, stop and then start the service so that the configuration applied during installation takes effect. This can be done by running the command sudo systemctl stop neo4j and then sudo systemctl start neo4j.
Now wait for the Neo4j service to start. To check its status, run the command systemctl status neo4j.
This command will give you the web address to interact with the Neo4j web console. Open a web browser and navigate to https://localhost:7474/.
You will be greeted by a screen asking you to authenticate. Use the username neo4j and password neo4j to authenticate, and you will then be prompted to change the default password for the
Step 4: Download the BloodHound GUI
To install BloodHound, you need to download the latest version of the tool from https://github.com/BloodHoundAD/BloodHound/releases. Select the Linux x64 version if you are using Kali Linux.
Once downloaded, unzip the folder and execute BloodHound in the terminal with the
This will spawn the BloodHound GUI and ask for your newly created Neo4j authentication credentials.
Enter these credentials, and the BloodHound interface will greet you. You are now ready to start using this powerful tool!
Once you have BloodHound installed, you can begin using it. BloodHound requires you to collect data about the Active Directory domain you are targeting. To do this, you must gain access to the target Active Directory environment and run the SharpHound data collector.
Running the SharpHound Data Collector
The SharpHound data collector is a C# binary that uses native Windows API and LDAP namespace functions to collect Active Directory data. First, download it to your attack machine from https://github.com/BloodHoundAD/SharpHound/releases. Then you can upload it to the target machine to which you have gained initial access and execute it to collect the data package BloodHound requires.
Here we have a Meterpreter shell on the target system, which lets you upload SharpHound to the target machine and then drop into a shell to execute it. Use the command SharpHound.exe -c DcOnly to save domain data in a
SharpHound will generate a ZIP file containing all the information about the Active Directory environment in which you ran the tool. While in a Meterpreter shell, you can download this archive file to your attack machine, where BloodHound is installed.
If you are targeting an Active Directory environment running in the Azure cloud, you can use AzureHound. This Go binary can be run on any operating system and collects data from AzureAD and AzureRM using MS Graph and Azure REST APIs.
Uploading Data to BloodHound
Once you have collected the data package BloodHound requires for its Active Directory environment analysis, you can upload it to BloodHound. BloodHound will extract and process this data, generating a visual graph representing the relationships between the entities in the Active Directory environment.
To upload the data package to BloodHound, click the Upload Data button in the right-hand menu.
Then select the ZIP file you created using the SharpHound data collector and click Open.
This will upload the data to BloodHound and show you a progress bar.
Once complete, select Clear Finished to remove the progress bar, and you are ready to begin analyzing the Active Directory data using BloodHound.
SharpHound is not the only way to gather information about an Active Directory environment. You can also use native PowerShell commands to avoid running an executable and remain undetected. Try this PowerShell cheatsheet of helpful commands to learn more.
Understanding the Output
BloodHound displays information about the Active Directory environment data you upload in a graph. This graph consists of two building blocks:
- Nodes: The individual components that make up an Active Directory environment (e.g., computers, users, GPOs). These are displayed as colored shapes.
- Edges: The relationship between nodes. For instance, if user X was logged into machine Y, this relationship will be shown as a line between the two nodes.
You can use its left-hand menu to populate the BloodHound GUI with graph information. This menu lets you search for individual nodes, create a path between a Start Node and an End Node, filter by edge type, and display information.
The left-hand burger menu contains three main tabs that you can use to query data in BloodHound. These are:
Database Info: This contains information about the Neo4j BloodHound database and gives an overview of the Active Directory information currently being stored. For instance, you can see the number of users, groups, computers, etc., in the Active Directory environment.
Node Info: When you select an individual node in the BloodHound graph, this tab is populated with information about that node. For example, you can use the search bar to search for the stationx-admin user and use the Node Info tab to discover the account’s group membership, local admin rights, execution rights, and more.
Analysis: This tab allows you to run BloodHound’s built-in analytics queries to populate the graph GUI. It is divided into five query categories:
- Domain Information: These queries display useful information about the current domain.
- Dangerous Privileges: Queries that identify nodes that have been granted privileges that can be potentially abused.
- Kerberos Interaction: Queries related to finding Kerberoastable and AS-REP roastable users.
- Shortest Paths: Path-finding queries that identify the shortest path to a certain target.
- Custom Queries: Queries that you create in BloodHound using the Cypher query language to meet a specific need.
For instance, you can run the Find all Domain Admins query from the Domain Information section to display all accounts that are members of the Domain Admins group:
Here you can see the stationx-admin user is a member of the Domain Admins group.
You can use a range of other hacking tools to gather information about Active Directory environments. Read 25 Top Penetration Testing Tools for Kali Linux in 2023 for a full breakdown of these tools.
Above, you saw how to use BloodHound’s built-in analytics queries to populate the graph GUI with information about the Active Directory environment you are attacking. These queries help you identify highly complex attack paths a hacker can exploit based on security vulnerabilities or misconfigurations. Let’s take a look at doing this for each query category:
A common Active Directory attack is the DCSync attack. This technique extracts user account password hashes from a domain controller by abusing the directory replication feature that domain controllers use to synchronize with each other (DCSync). To perform this attack, you must compromise a principal with the DCSync right (either a user account or group).
You can use BloodHound to identify which user accounts and groups have the DCSync right privilege and then focus your efforts on gaining access to one of these. Select Find Principals with DCSync Rights in BloodHound’s Analysis tab to do this.
Here you can see three groups, one machine, and three user accounts have the DCSync privilege. If you compromise one of these nodes, you can perform a DCSync attack.
A popular Active Directory attack is Kerberoasting. This attack allows you to extract the password hashes of service accounts and provides opportunities to perform lateral movement across an Active Directory environment. You can use BloodHound’s pre-built List all Kerberoastable Accounts query to find service accounts to target with this attack.
Here you can see BloodHound identified two accounts. The krbtgt account is the Key Distribution Center’s account, so it is unlikely you have permission to access this account. However, the mssql_svc account looks like a good account to perform this attack against. To learn how to perform Kerberoasting, read How to Perform Kerberoasting Attacks: The Ultimate Guide.
A major selling point of the BloodHound tool is its ability to use Active Directory information to find paths to further compromise a domain. The tool has several built-in default queries that calculate the shortest path to certain objectives. One of these is Paths to Unconstrained Delegation Systems, which highlights the path you can take to perform the unconstrained delegation attack.
This attack exploits a vulnerability in Kerberos’s delegation features whereby an attacker can impersonate a user and gain unauthorized access to a resource. Execute the Paths to Unconstrained Delegation Systems built-in query to identify a path to machines vulnerable to this attack.
This shows that the dc01 machine has unconstrained delegation. One path to compromising this machine, and exploiting this vulnerability, is to gain access to the StationX-admin account. This user account is a member of the Enterprise Admins group, which has GenericAll privileges to the dc01 machine. This is also known as “full control” and allows the trustee to manipulate the target object however they wish.
If you are unsure of how two nodes are connected, you can right-click on the edge that joins them and select the Help option.
This will show you information about what connects the two nodes, how to abuse this connection on Windows and Linux, and any operational security (Opsec) considerations.
The Custom Queries category allows you to create your own search queries in BloodHound using the Cypher query language. BloodHound will save the custom queries you upload so you can use them on other data sets.
You can find BloodHound queries online or learn to build your own. For example, the query MATCH (n:Group) WHERE n.name CONTAINS "ADMIN" return n will return all groups whose name contains the word “admin” and is useful for identifying high-value groups to target.
You can test your custom queries using the Raw Query section at the bottom of the BloodHound GUI.
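The custom queries below are an added example for this guide (not from the article or BloodHound's prebuilt set); they extend the ADMIN query above and turn the DCSync, Kerberoasting and unconstrained delegation checks from the Analysis section into raw queries whose results can be exported as a remediation list. They assume the node labels and properties SharpHound produces for the legacy BloodHound GUI installed above (User, Computer, Group, Domain; name, enabled, hasspn, serviceprincipalnames, unconstraineddelegation, highvalue) and use constructed placeholder names (STATIONX.LOCAL, STATIONX-ADMIN@STATIONX.LOCAL).

```cypher
// 1. The article's "ADMIN" group query, made case-insensitive and extended with
//    the (nested) member count so oversized admin groups stand out first.
MATCH (g:Group)
WHERE toUpper(g.name) CONTAINS "ADMIN"
OPTIONAL MATCH (m)-[:MemberOf*1..]->(g)
RETURN g.name AS group, count(DISTINCT m) AS members
ORDER BY members DESC

// 2. Principals with DCSync-equivalent rights on the domain object, plus every
//    user who inherits that right through nested group membership.
//    STATIONX.LOCAL is a constructed placeholder for the domain node's name.
MATCH (p)-[r:DCSync|AllExtendedRights|GenericAll]->(:Domain {name: "STATIONX.LOCAL"})
OPTIONAL MATCH (u:User)-[:MemberOf*1..]->(p)
RETURN p.name AS principal, type(r) AS right, collect(DISTINCT u.name) AS users_via_membership

// 3. Kerberoastable accounts to remediate first: enabled, carrying an SPN, and
//    not krbtgt (which the article notes is not a practical target). Membership
//    in a high-value group is listed so those accounts sort to the top.
MATCH (u:User)
WHERE u.hasspn = true AND u.enabled = true AND NOT u.name STARTS WITH "KRBTGT@"
OPTIONAL MATCH (u)-[:MemberOf*1..]->(g:Group {highvalue: true})
RETURN u.name AS account, u.serviceprincipalnames AS spns, collect(DISTINCT g.name) AS high_value_groups
ORDER BY size(high_value_groups) DESC

// 4. Shortest path from one user (constructed name, modelled on the article's
//    stationx-admin) to any computer with unconstrained delegation, limited to
//    the edge types BloodHound itself treats as abusable. It returns a path, so
//    it renders in BloodHound's Raw Query box.
MATCH (s:User {name: "STATIONX-ADMIN@STATIONX.LOCAL"})
MATCH (t:Computer {unconstraineddelegation: true})
MATCH p = shortestPath((s)-[:MemberOf|AdminTo|HasSession|GenericAll|GenericWrite|WriteDacl|WriteOwner|Owns|AllExtendedRights|ForceChangePassword|AddMember*1..]->(t))
RETURN p
```

Queries 1 to 3 return tables, which BloodHound's graph view cannot draw, so run them one at a time in the Neo4j web console opened during setup; query 4 returns a path and can be pasted into BloodHound's Raw Query box.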
Active Directory is the predominant technology that modern organizations use to manage and administer their internal IT networks. To become a successful hacker, you must learn to enumerate Active Directory environments and exploit their common weaknesses. A tool that can help you with this is BloodHound.
BloodHound is capable of identifying security vulnerabilities and misconfigurations in Active Directory. You have seen how to use the SharpHound data collector to gather information about the Active Directory environment you are attacking and how to process this with BloodHound to uncover potential highly complex attack paths.
This guide to BloodHound has given you the knowledge to begin using this tool to attack Active Directory environments. However, you should use it as a jumping-off point on your journey to Active Directory exploitation. To continue this adventure, learn how to create your own Active Directory environment to attack in How to Create a Virtual Hacking Lab: The Ultimate Hacker Setup.
Good luck discovering more ways to hack Active Directory!
If you are interested in learning the skills required to perform Active Directory attacks, try one of these training courses: