Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/dadevel/bloodhoundcli

Utilities for Pentesting with BloodHound
https://github.com/dadevel/bloodhoundcli

adsecurity bloodhound offsec

Last synced: about 1 month ago
JSON representation

Utilities for Pentesting with BloodHound

Awesome Lists containing this project

README 

        
# BloodHoundCli



![Screenshot](./assets/demo.png)



Collection of various utilities to aid in Pentesting with [BloodHound](https://github.com/bloodhoundad/bloodhound).



# Setup



1. Install [Podman](https://github.com/containers/podman/) and [docker-compose](https://github.com/docker/compose).

2. [Configure rootless containers](https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md) for Podman.

3. Enable the Podman socket for your user.



    ~~~ bash

    systemctl --user enable --now podman.socket

    ~~~



3. Install this Python package with [pipx](https://github.com/pypa/pipx).



    ~~~ bash

    pipx install git+https://github.com/dadevel/bloodhoundcli.git@main

    ~~~



## Custom Queries



If you don't want to use BloodHoundCli and are here just for the [custom queries](./bloodhoundcli/data/customqueries.json) run the command below.

Otherwise the queries are automatically installed when you create your first BloodHoundCli project.



~~~ bash

curl -Lo ~/.config/bloodhound/customqueries.json https://github.com/dadevel/bloodhoundcli/raw/main/bloodhoundcli/data/customqueries.json

~~~



The queries are based on work by [@luemmelsec](https://github.com/LuemmelSec/Custom-BloodHound-Queries) and [@martinsohn](https://gist.github.com/martinsohn/3f6122c7486ca3ffcaa444772f1a35f2).

Thank you!



## Project Management



Projects are managed with [Podman](https://github.com/containers/podman) containers.

Only one project can be active at a time.

Each project consists of [BloodHound Community Edition](https://github.com/specterops/bloodhound), Neo4j and Postgres.



~~~ bash

bloodhoundcli setup-project example1

bloodhoundcli shutdown-project example1

bloodhoundcli setup-project example2

bloodhoundcli list-projects

bloodhoundcli destroy-project example1

bloodhoundcli destroy-project example2

~~~



## Authentication



- BloodHound Legacy: , username *neo4j*, empty password

- Neo4j: , username *neo4j*, empty password

- BloodHound Community Edition: , username *admin@bloodhound*, empty password



## Data Collection



Data sources:



- [SharpHound](https://github.com/bloodhoundad/sharphound): can be imported with bloodhoundcli

- [AzureHound](https://github.com/bloodhoundad/azurehound): can be imported with bloodhoundcli

- [bloodhound.py](https://github.com/dirkjanm/bloodhound.py): must be imported via Legacy BloodHound



Ingest files from AzureHound and SharpHound.



~~~ bash

bloodhoundcli import-bhce ./azurehound.json ./*_BloodHound.zip

~~~



## CLI Integration



Quickly fetch data from Neo4j for use with other tools or import data from other tools into BloodHound.



~~~ bash

bloodhoundcli query 'MATCH (u:User {enabled: true}) RETURN u.samaccountname' > ./users.txt

bloodhoundcli query -s 'MATCH (u:User {name: toUpper($stdin)} SET u.owned=true RETURN u.name' << EOF

[email protected]

[email protected]

EOF

bloodhoundcli query -s -j 'MATCH (u:User {name: $stdin.name}) SET u.foo=$stdin.value RETURN u.name' << EOF

{"name": "[email protected]", "value": "bar"}

{"name": "[email protected]", "value": "baz"}

EOF

~~~



## Enrichment



Execute a set of post-processing queries to mark certain objects with additional attributes and add additional edges for certain situations.



~~~ bash

bloodhoundcli enrich

~~~



These attributes are:



- `tier=0` for a standard set of tier 0 objects

- `highvalue=true` for objects with potential path to tier 0

- `active=true` for accounts with login in last 90 days

- `sensitive=true` for members of *Protected Users*



### Weighted Graph



The enrichment also assigns weights to edges in BloodHound (based on work by [@riccardoancarani](https://riccardoancarani.github.io/2019-11-08-not-all-paths-are-equal/) and [@jmbesnard](https://www.linkedin.com/pulse/graph-theory-assess-active-directory-smartest-vs-shortest-besnard-0qgle)).



This allows to search for the easiest instead of the shortest path to Domain Admin.



~~~ cypher

MATCH (a {owned: true}) MATCH (b {highvalue: true}) CALL apoc.algo.dijkstra(a, b, '>', 'cost') YIELD path RETURN path;

~~~



## NTDS Import



Run a DCSync from [impacket-secretsdump](https://github.com/fortra/impacket) with multiple wordlists and rulesets trough [Hashcat](https://github.com/hashcat/hashcat).

LM hashes and pre-created computer accounts are automatically cracked unless `--no-lm-brute` respective `--no-pre2k` is specified.



~~~ bash

impacket-secretsdump -just-dc -outputfile corp.local -k -no-pass dc01.corp.local

bloodhoundcli generate-wordlist > ./custom-words.txt  # made of usernames, descriptions, etc.

bloodhoundcli hashcat-ntds -t ./clem9669-wordlists/dictionnaire_de ./clem9669-hashcat-rules/clem9669_medium.rule -t ./custom-words.txt ./unicorn-hashcat-rules/unicorn\ rules/SuperUnicorn.rule -t ./weakpass-3.txt ./unicorn-hashcat-rules/unicorn\ rules/Unicorn250.rule -p ./hashcat.potfile ./*.ntds

~~~



Import the DCSync output and Hashcat potfile into BloodHound (inspired by [@knavesec](https://github.com/knavesec/max) and [@syss-research](https://github.com/syss-research/hashcathelper)).

This adds `Credential` objects with `nthash`, `lmhash` and `password` properties and `HasCredential` as well as `AssignedTo` edges between users and credentials.



~~~ bash

bloodhoundcli import-ntds -p ./hashcat.potfile ./*.ntds

~~~



> **Note:**

> BloodHoundCli assumes that the name of the NTDS file minus the `.ntds` suffix is the FQDN of the domain.

> This means a DCSync from `dc01.subdomain.corp.local` must be named `subdomain.corp.local.ntds`.



## ADIDNS Import



Import [adidnsdump](https://github.com/dirkjanm/adidnsdump) into BloodHound to add an `ipaddress` attribute to computers.

For hosts that appear in ADIDNS but don't exist in BloodHound, standalone computer objects are created.



~~~ bash

bloodhoundcli import-adidns corp.local ./records.csv

~~~



## NetExec Integration



Import nodes for standalone computers and local users by leveraging the SQLite database of [NetExec](https://github.com/pennyw0rth/netexec).

This includes `nthash` properties from SAM dumps and `AdminTo` as well as `HasCredential` and `AssignedTo` edges e.g. to identify local admin password reuse.



~~~ bash

bloodhoundcli import-netexec ~/.nxc/workspaces/default/smb.db

~~~



## Manual Session Collection



Add historical session data as well as inferred RDP and local admin edges (original idea from [@rantasec](https://medium.com/@rantasec/bloodhound-for-blue-teams-windows-event-id-4624-a259c76ee09e)).

First export recent logons from Windows Event Logs with [Get-RecentLogons.ps1](./Get-RecentLogons.ps1), then transfer the JSON output to your computer and finally import it into Neo4j.



~~~ bash

bloodhoundcli import-winevents ./logons.json

~~~



## ServiceDetector Integration



Import SMB Signing, WebClient and EFS info from [ServiceDetector](https://github.com/dadevel/servicedetector).



~~~ bash

bloodhoundcli query 'MATCH (c:Computer {active: true}) RETURN c.name' > ./computers.txt

servicedetector -c coercion -d corp.local -u jdoe -p 'passw0rd' $(< ./computers.txt) | tee -a ./servicedetector.json

jq -r 'select(.category=="coercion" and .product=="WebClient" and .state=="running")|.host' ./servicedetector.json | bloodhoundcli query -s 'MATCH (c:Computer {name: $stdin}) SET c.webclient=true RETURN c.name'

jq -r 'select(.category=="coercion" and .product=="EFS" and .state=="running")|.host' ./servicedetector.json | bloodhoundcli query -s 'MATCH (c:Computer {name: $stdin}) SET c.efs=true RETURN c.name'

jq -r 'select(.category=="smb" and .signing==false)|.host' ./servicedetector.json | bloodhoundcli query -s 'MATCH (c:Computer {name: $stdin}) SET c.smbsigning=false RETURN c.name'

~~~