BloodHound v4.2 released: Active Directory Toolkit

BloodHound is a single page Javascript web application, built on top of Linkurious, compiled with Electron, with a Neo4jdatabase fed by a PowerShell ingestor.

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.

BloodHound is developed by @_wald0, @CptJesus, and @harmj0y.

Usage

Using the Interface

The BloodHound interface is designed to be intuitive and operationally focused. Because BloodHound is compiled as an Electron app, it is platform-independent and runs on Windows, OSX, and Linux.

Authentication

When you first open BloodHound, you are greeted by the logon prompt:

The “Database URL” is the IP address and port where your neo4j database is running and should be formatted as bolt://ip:7687/

The DB Username is the username for the neo4j database. The default username for a neo4j database is neo4j.

The DB Password is the password for the neo4j database. The default password for a neo4j database is neo4j. The password for the provided example database is BloodHound.

Overview

Upon successful logon, BloodHound will draw any group(s) with the “Domain Admins” in their name, and show you the effective users that belong to the group(s):

Above, the BloodHound interface is split into 5 parts:

1. Menu and search bar
2. Graph drawing area
3. Settings
4. Zoom in/out and reset
5. Raw cypher query

1. Menu and search bar

The search bar and menu are designed to be intuitive and operationally focused. The triple line in the top left will toggle the drop-down for the ‘Database Info’, ‘Node Info’, and ‘Queries’ tabs.

The ‘Database Info’ tab shows basic information about your currently loaded database, including the number of users, computers, groups, and relationships (or edges). You may also perform basic DB management functions here, including logging out and switching DBs, as well as clearing (read: DELETING ALL INFORMATION FROM) your currently loaded DB (be careful!).

The ‘Node Info’ tab will display information about a node that you click on in the graph.

The ‘Queries’ tab will show the pre-built queries we include with BloodHound, as well as additional queries you can build in yourself. More information about this will be available later.

2. Graph drawing area

This is the area where BloodHound will draw nodes and edges. Hitting ctrl will cycle through three options for displaying node labels: Default Threshold, Always Show, Never Show. You may click and hold a node to drag it to a different spot. You may also click a node, and BloodHound will populate the node info tab with information about that node.

3. Settings

1. Refresh – BloodHound will re-calculate and re-draw the current display.
2. Export Graph – BloodHound can export the currently drawn graph to JSON format, or as a PNG.
3. Import Graph – BloodHound will draw an imported graph in JSON format.
4. Upload Data – BloodHound will automatically detect and then ingest CSV formatted data. For more information on this, see CSV ingestion.
5. Change Layout Type – Toggle between hierarchical (dagre) and force directed graph layouts.
6. Settings – Alter node collapse behavior, and switch between low detail mode.

4. Zoom in/out and reset

The plus sign (+) will zoom in. The minus sign (–) will zoom out. The center icon will reset the graph to the default zoom.

5. Raw cipher query

BloodHound allows you to run custom cipher queries against the currently loaded neo4j database. For more information on this topic, see Cypher query language.

Changelog v4.2

Big Updates

• AzureHound has been rewritten from the ground up and is 1000% more AWESOME.
• New edges: DCSync, SyncLAPSPassword, and a ton of Azure edges
• New post-processing logic
• Security fixes
• Doc fixes

What’s Changed

• Az help modals by @urangel in #558
• Fix XSS by rewriting help text modals as JSX components by @rtpt-jonaslieb in #560
• Updated ExcludeDomainControllers section by @Argandov in #559
• Convert remaining help texts to JSX by @Jan-Kruse in #561
• fix: (Cloud)AppAdmin informations gathering by @sklaer in #547
• Added the SyncLAPSPassword edge with its documentation by @simondotsh in #564
• Small change to help text for WriteAccountRestrictions by @dirkjanm in #567
• nmp install by @Scoubi in #565

Download & Tutorial

Copyright (c) 2016 Matthew Holt

Source: https://github.com/BloodHoundAD/