Collection of various utilities to aid in Pentesting with BloodHound.
-
Install Podman and docker-compose.
-
Configure rootless containers for Podman.
-
Enable the Podman socket for your user.
systemctl --user enable --now podman.socket
-
Install this Python package with pipx.
pipx install git+https://github.com/dadevel/bloodhoundcli.git@main
If you don't want to use BloodHoundCli and are here just for the custom queries run the command below. Otherwise the queries are automatically installed when you create your first BloodHoundCli project.
curl -Lo ~/.config/bloodhound/customqueries.json https://github.com/dadevel/bloodhoundcli/raw/main/bloodhoundcli/data/customqueries.json
The queries are based on work by @luemmelsec and @martinsohn. Thank you!
Projects are managed with Podman containers. Only one project can be active at a time. Each project consists of BloodHound Community Edition, Neo4j and Postgres.
bloodhoundcli setup-project example1
bloodhoundcli shutdown-project example1
bloodhoundcli setup-project example2
bloodhoundcli list-projects
bloodhoundcli destroy-project example1
bloodhoundcli destroy-project example2
- BloodHound Legacy: bolt://localhost:7687/, username neo4j, empty password
- Neo4j: http://localhost:7474/, username neo4j, empty password
- BloodHound Community Edition: http://localhost:7575/, username admin@bloodhound, empty password
Data sources:
- SharpHound: can be imported with bloodhoundcli
- AzureHound: can be imported with bloodhoundcli
- bloodhound.py: must be imported via Legacy BloodHound
Ingest files from AzureHound and SharpHound.
bloodhoundcli import-bhce ./azurehound.json ./*_BloodHound.zip
Quickly fetch data from Neo4j for use with other tools or import data from other tools into BloodHound.
bloodhoundcli query 'MATCH (u:User {enabled: true}) RETURN u.samaccountname' > ./users.txt
bloodhoundcli query -s 'MATCH (u:User {name: toUpper($stdin)} SET u.owned=true RETURN u.name' << EOF
[email protected]
[email protected]
EOF
bloodhoundcli query -s -j 'MATCH (u:User {name: $stdin.name}) SET u.foo=$stdin.value RETURN u.name' << EOF
{"name": "[email protected]", "value": "bar"}
{"name": "[email protected]", "value": "baz"}
EOF
Run a DCSync from impacket-secretsdump with multiple wordlists and rulesets trough Hashcat.
LM hashes and pre-created computer accounts are automatically cracked unless --no-lm-brute
respective --no-pre2k
is specified.
impacket-secretsdump -just-dc -outputfile corp.local -k -no-pass dc01.corp.local
bloodhoundcli generate-wordlist > ./custom-words.txt # made of usernames, descriptions, etc.
bloodhoundcli hashcat-ntds -t ./clem9669-wordlists/dictionnaire_de ./clem9669-hashcat-rules/clem9669_medium.rule -t ./custom-words.txt ./unicorn-hashcat-rules/unicorn\ rules/SuperUnicorn.rule -t ./weakpass-3.txt ./unicorn-hashcat-rules/unicorn\ rules/Unicorn250.rule -p ./hashcat.potfile ./*.ntds
Import the DCSync output and Hashcat potfile into BloodHound (inspired by @knavesec and @syss-research).
This adds Credential
objects with nthash
, lmhash
and password
properties and HasCredential
as well as AssignedTo
edges between users and credentials.
bloodhoundcli import-ntds -p ./hashcat.potfile ./*.ntds
Note:
bloodhoundcli
assumes that the name of the NTDS file minus the.ntds
suffix is the FQDN of the domain. This means a DCSync fromdc01.subdomain.corp.local
should be namedsubdomain.corp.local.ntds
.
Import nodes for standalone computers and local users by leveraging the SQLite database of NetExec.
This includes nthash
properties from SAM dumps and AdminTo
as well as HasCredential
and AssignedTo
edges e.g. to identify local admin password reuse.
bloodhoundcli import-netexec ~/.nxc/workspaces/default/smb.db
Add historical session data as well as inferred RDP and local admin edges (original idea from @rantasec). First export recent logons from Windows Event Logs with Get-RecentLogons.ps1, then transfer the JSON output to your computer and finally import it into Neo4j.
bloodhoundcli import-winevents ./logons.json
Assign weights to edges in BloodHound (based on work by @riccardoancarani and @jmbesnard).
bloodhoundcli enrich
Now you can use queries like the following to find the easiest instead of the shortest path to Domain Admin.
MATCH (a {owned: true}) MATCH (b {highvalue: true}) CALL apoc.algo.dijkstra(a, b, '>', 'cost') YIELD path RETURN path;