BloodHound v5.8 releases: Active Directory Toolkit

BloodHound

BloodHound is a single-page Javascript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a PowerShell ingestor.

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.

Usage

Using the Interface

The BloodHound interface is designed to be intuitive and operationally focused. Because BloodHound is compiled as an Electron app, it is platform-independent and runs on Windows, OSX, and Linux.

Authentication

When you first open BloodHound, you are greeted by the logon prompt:

The “Database URL” is the IP address and port where your neo4j database is running and should be formatted as bolt://ip:7687/

The DB Username is the username for the neo4j database. The default username for a neo4j database is neo4j.

The DB Password is the password for the neo4j database. The default password for a neo4j database is neo4j. The password for the provided example database is BloodHound.

Overview

Upon successful logon, BloodHound will draw any group(s) with the “Domain Admins” in their name, and show you the effective users that belong to the group(s):

Above, the BloodHound interface is split into 5 parts:

1. Menu and search bar
2. Graph drawing area
3. Settings
4. Zoom in/out and reset
5. Raw cypher query

1. Menu and search bar

The search bar and menu are designed to be intuitive and operationally focused. The triple line in the top left will toggle the drop-down for the ‘Database Info’, ‘Node Info’, and ‘Queries’ tabs.

The ‘Database Info’ tab shows basic information about your currently loaded database, including the number of users, computers, groups, and relationships (or edges). You may also perform basic DB management functions here, including logging out and switching DBs, as well as clearing (read: DELETING ALL INFORMATION FROM) your currently loaded DB (be careful!).

The ‘Node Info’ tab will display information about a node that you click on in the graph.

The ‘Queries’ tab will show the pre-built queries we include with BloodHound, as well as additional queries you can build in yourself. More information about this will be available later.

2. Graph drawing area

This is the area where BloodHound will draw nodes and edges. Hitting ctrl will cycle through three options for displaying node labels: Default Threshold, Always Show, Never Show. You may click and hold a node to drag it to a different spot. You may also click a node, and BloodHound will populate the node info tab with information about that node.

3. Settings

1. Refresh – BloodHound will re-calculate and re-draw the current display.
2. Export Graph – BloodHound can export the currently drawn graph to JSON format, or as a PNG.
3. Import Graph – BloodHound will draw an imported graph in JSON format.
4. Upload Data – BloodHound will automatically detect and then ingest CSV formatted data. For more information on this, see CSV ingestion.
5. Change Layout Type – Toggle between hierarchical (dagre) and force directed graph layouts.
6. Settings – Alter node collapse behavior, and switch between low detail mode.

4. Zoom in/out and reset

The plus sign (+) will zoom in. The minus sign (–) will zoom out. The center icon will reset the graph to the default zoom.

5. Raw cipher query

BloodHound allows you to run custom cipher queries against the currently loaded neo4j database. For more information on this topic, see Cypher query language.

Changelog v5.8

• asset group tags to not contain whitespaces by @irshadaj in #437
• remove all whitespace from ag tags, revise migration version by @irshadaj in #441
• Audit log tests by @juggernot325 in #440
• Remove unused agi code by @juggernot325 in #445
• fix: not including AZContains in inbound / outbound control traversal by @mistahj67 in #442
• fix: edge case adding CanAbuseUPNCertMapping relationship if CertificateMappingMethodsRaw is absent by @mistahj67 in #448
• fix: remove incorrect buffer import by @mistahj67 in #456
• fix: plumb ctx into asset-groups db methods by @mistahj67 in #434
• Enhance RemoteContent component with capability to render tables by @elikmiller in #453
• fix: plumb context into client db methods by @mistahj67 in #450
• fix: replaces x/exp/slices with std lib slices by @mistahj67 in #461
• Merge staging post-release 5.7.0 by @maffkipp in #459
• chore: remove tabnine from extension recommendations by @superlinkx in #463
• fix: plumb context into config parameter db methods by @mistahj67 in #464
• fix: plumb context into audit logs db methods by @mistahj67 in #467
• Database Management by @brandonshearin in #423
• Add config flag for disabling ingest by @juggernot325 in #470
• Merge in stage/v5.7.1 by @maffkipp in #469
• Refactor AD entity query handlers by @codydbentley in #446
• Refactored AD related entity queries by @codydbentley in #447
• fix: plumb ctx into ingest db methods by @mistahj67 in #471
• Misc fixes and cleanup by @codydbentley in #455
• bug: typescript error with assetGroupId by @brandonshearin in #473
• Started openapi improvements by @codydbentley in #457
• fix: plumb ctx into user db methods by @mistahj67 in #474
• fix: plumb ctx into permission db methods by @mistahj67 in #475
• fix: plumb ctx into roles db methods by @mistahj67 in #476
• Create usePermissions UI hook by @maffkipp in #413
• fix: plumb ctx into auth token / secrets db methods by @mistahj67 in #477
• fix: plumb ctx into saml providers db methods by @mistahj67 in #478
• fix: plumb ctx into file uploads db methods by @mistahj67 in #479
• chore: replace display text for links in ADCSESC1 edge information panel by @elikmiller in #487
• Extracted ApiExplorer view to bh-shared-ui by @codydbentley in #449
• File upload UI updates by @maffkipp in #443
• ESC4: post processing by @brandonshearin in #439
• fix: plumb ctx into data quality db methods by @mistahj67 in #480
• Esc4 small tasks by @benwaples in #436
• fix: plumb ctx into saved queries db methods by @mistahj67 in #481
• Bed 3922 – Zip File Upload Support by @rvazarkar in #451
• feat: enhance signed request validation performance by @ddlees in #444
• fix: plumb ctx into remaining bh db methods by @mistahj67 in #485
• fix: plumb ctx into feature flag db methods by @mistahj67 in #486
• fix: plumb ctx into session db methods by @mistahj67 in #495
• refactor: audit log action to constant by @mistahj67 in #492
• Strip UTF-8 BOM from json files by @rvazarkar in #497
• Update jira-issue-transfer.yml by @slokie-so in #501
• BED-4265: added new mime types to fix file upload validation bug by @codydbentley in #498
• Set “Content-Type” header correctly for file uploads by @maffkipp in #504
• ESC4 Edge Composition by @brandonshearin in #490
• Bed 4154 esc3 comp update by @benwaples in #484
• fix: handle undefined input in explore search input by @urangel in #494
• chore: bump sharphound versions in dockerfiles by @urangel in #507
• fix: edge arrowhead direction based on edge direction by @urangel in #488
• fix: revert response shape for type=graph related entity queries by @urangel in #509
• fix: typo and wrong format for code snippit by @benwaples in #511
• fix: align node icons for AIACA nodes by @urangel in #513
• chore: update azurehound version in dockerfiles for download resources by @urangel in #515
• fix: BED-4283 – fixed invalid json syntax in swagger doc json by @codydbentley in #516
• Move graph deletion to datapipe by @rvazarkar in #517
• Performant graph delete by @rvazarkar in #524
• chore: gate graph clearing by @urangel in #523

Tutorial

Copyright (C) 2016-2023 Specter Ops Inc

Source: https://github.com/SpecterOps/