Bloodhound Part 1: A Walkthrough in lateral movements and paths to Domain Admin

This is my walkthrough on how to get started with BloodHound in Kali Linux.

Open up terminal in Kali and type the following command:

sudo apt install bloodhound

After you answer yes and the installation completes, we need to change the default password for the neo4j database that BloodHound stores its graph in. Start the neo4j console with the following command:

sudo neo4j console

Launch a web browser and navigate to http://localhost:7474 (the neo4j browser).

The default username and password are both neo4j.

On first login neo4j prompts you to set a new password. You can choose your own or have one generated for you; either way, note it down, because BloodHound will need it in a moment.

At this point you can close your browser.

Next, open a second terminal and launch BloodHound (the command is simply bloodhound).

(Reminder: keep the terminal where you launched neo4j open. Closing it shuts the database down and BloodHound will not be able to connect.)

Log in to BloodHound with the username neo4j and the password you just set for neo4j.

At this point you should see a screen similar to the screenshot below:

Now it's time to unleash the hounds. Lucky for us, I have a Windows 10 2004 box that is pretty much owned, with no privileged access other than standard domain user credentials.

A few housekeeping items on my target domain: I used BadBlood to populate groups, users, and computers in my domain. It's an excellent security tool for Active Directory practitioners.

Ingestors for BloodHound can be found here:

At this point we have dropped the ingestor executable (SharpHound) on the Windows 10 box, run it as our standard domain user, and enumerated the entire Active Directory domain; the collector writes everything it found into a zip file. Note that a full collection is noisy: it issues a large number of LDAP queries and enumerates sessions and local group membership against every reachable host, which is exactly the activity a blue team can alert on.

Next, drag the zip file created in the previous step into the BloodHound window (or use the upload button) to ingest it:

This may take a minute to process everything. Grab a coffee.

When it's finished you should see the following message:

At this point the Database Info tab in the left-hand panel should show counts of the users, groups, computers, and sessions we have just ingested into BloodHound.

Are you a lazy hacker? If so, you are in luck. Click on the Queries tab. There are a number of pre-built queries at our disposal.

First I'll pick Find Shortest Paths to Domain Admins:

Eventually a graph renders showing who to target and how to move laterally and escalate: each node is a user, group, or computer, and each edge is a relationship (for example MemberOf, AdminTo, or HasSession) that can be abused to hop from the previous node to the next one, ending at the Domain Admins group. The shortest chains from principals you already control are the ones to work first.
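The same query can be run outside the GUI, which is handy when you want to sort or diff paths between collections. The following is an added example and not code from the original post or from BloodHound itself. It assumes BloodHound's neo4j is listening on the default Bolt port (bolt://localhost:7687) with the neo4j user and the password set above, and that the neo4j Python driver is installed (pip install neo4j). The Cypher mirrors the pre-built query: the Domain Admins group is the Group node whose SID ends in RID 512. The sample paths at the bottom are constructed stand-ins for what the driver returns, so the formatting helpers can be exercised without a database.

```python
"""List shortest paths to Domain Admins from BloodHound's neo4j database.

Added example, not part of the original walkthrough. Assumptions: neo4j is
reachable at bolt://localhost:7687 as user neo4j, and the `neo4j` driver is
installed. Run with the password as the first argument.
"""
from types import SimpleNamespace

# Same idea as BloodHound's "Find Shortest Paths to Domain Admins":
# the Domain Admins group is the one whose objectid (SID) ends in "-512".
DA_PATHS_QUERY = """
MATCH (n:Group) WHERE n.objectid ENDS WITH "-512"
MATCH p = shortestPath((m)-[*1..]->(n))
WHERE NOT m = n
RETURN p
"""


def path_to_edges(path):
    """Reduce a neo4j Path to plain data: node names in order, edge types in order.

    Path.nodes and Path.relationships are ordered from the start principal to
    Domain Admins because the query only follows edges in the forward direction.
    """
    names = [node["name"] for node in path.nodes]
    rels = [rel.type for rel in path.relationships]
    return names, rels


def format_path(names, rels):
    """Render 'A -[MemberOf]-> B -[AdminTo]-> C' for a (names, rels) pair."""
    if len(rels) != len(names) - 1:
        raise ValueError("edge count does not match node count")
    out = names[0]
    for rel, nxt in zip(rels, names[1:]):
        out += f" -[{rel}]-> {nxt}"
    return out


def rank_paths(edge_lists):
    """Sort (names, rels) pairs by hop count, then by start principal.

    Fewer hops means fewer abusable relationships to exploit (and fewer events
    for the blue team to catch), so those paths go to the top of the list.
    """
    return sorted(edge_lists, key=lambda nr: (len(nr[1]), nr[0][0]))


def fetch_paths(uri="bolt://localhost:7687", user="neo4j", password="CHANGEME"):
    """Run the query against a live BloodHound database and return plain (names, rels) pairs."""
    from neo4j import GraphDatabase  # imported here so the helpers work without the driver

    driver = GraphDatabase.driver(uri, auth=(user, password))
    try:
        with driver.session() as session:
            return [path_to_edges(rec["p"]) for rec in session.run(DA_PATHS_QUERY)]
    finally:
        driver.close()


def _stub_path(names, rels):
    """Constructed stand-in for a driver Path object, used only for the samples below."""
    return SimpleNamespace(
        nodes=tuple({"name": n} for n in names),
        relationships=tuple(SimpleNamespace(type=r) for r in rels),
    )


# Constructed sample data shaped like two real BloodHound results (not from a real domain):
# a four-hop chain through a shared workstation session, and a direct group member.
SAMPLE_PATHS = [
    _stub_path(
        ["ALICE@CORP.LOCAL", "IT ADMINS@CORP.LOCAL", "WS01.CORP.LOCAL",
         "BOB@CORP.LOCAL", "DOMAIN ADMINS@CORP.LOCAL"],
        ["MemberOf", "AdminTo", "HasSession", "MemberOf"],
    ),
    _stub_path(["CAROL@CORP.LOCAL", "DOMAIN ADMINS@CORP.LOCAL"], ["MemberOf"]),
]


if __name__ == "__main__":
    import sys

    pw = sys.argv[1] if len(sys.argv) > 1 else "CHANGEME"
    for names, rels in rank_paths(fetch_paths(password=pw)):
        print(f"{len(rels)} hop(s): {format_path(names, rels)}")
```

Run it with the neo4j password as the only argument once the zip has been ingested. The one-hop results are direct members of Domain Admins; longer chains read left to right as the order in which you would abuse each relationship.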

This is just a quick intro to getting BloodHound running and data ingested for analysis of an Active Directory domain. This tutorial is useful not only for red teams but for blue teams as well, especially when it comes to monitoring and alerting: the same graph shows defenders which group memberships, local admin rights, and logged-on sessions give attackers a path and should be cleaned up. I'll write a part 2 to this series at some point.
