# BloodHound

## Bloodhound Legacy

### Install

```bash
# Install and run neo4j
sudo apt-get install neo4j
sudo neo4j console

# Download Bloodhound legacy binary, unpack and execute
wget "https://github.com/SpecterOps/BloodHound-Legacy/releases/download/v4.3.1/BloodHound-linux-x64.zip"
unzip BloodHound-linux-x64.zip
cd BloodHound-linux-x64
./BloodHound --no-sandbox --disable-gpu
```

### Ingestors

Standard

```bash
# Standard local execution: SharpHound binary (C#) or the PowerShell collector (SharpHound.ps1)
./SharpHound.exe --CollectionMethods All,GPOLocalGroup
Invoke-BloodHound -CollectionMethod "All,GPOLocalGroup"
```

ShadowHound

```bash
# ShadowHound (PowerShell): https://github.com/Friends-Security/ShadowHound
ShadowHound-DS -Server "DC01.security.local" -OutputFile "$PWD\ldap_output.txt"

# Split large output files if required (https://github.com/Friends-Security/ShadowHound/blob/main/split_output.py)
python3 split_output.py -i ldap_output.txt -o pyldapsearch_ldap -n 100

# Use bofhound (pipx install bofhound) to convert the ldapsearch-style output into BloodHound JSON
bofhound -i ./folder -p All --parser ldapsearch
```

### Custom Queries

Replace the `customqueries.json` with one of the below files to update the custom queries within Bloodhound. Remember to restart Bloodhound after changing the JSON file.

**Locate custom queries file**

```bash
find ~/ -type f -name customqueries.json 2>/dev/null
```

Add **one** of the queries below:

```bash
# Exegol
curl -sSL "https://raw.githubusercontent.com/ThePorgs/Exegol-images/3d6d7a41e46acb6898da996c4198971be02e4d77/sources/bloodhound/customqueries.json" -o ~/.config/bloodhound/customqueries.json

# CompassSecurity
curl -sSL "https://raw.githubusercontent.com/CompassSecurity/BloodHoundQueries/master/BloodHound_Custom_Queries/customqueries.json" -o ~/.config/bloodhound/customqueries.json

# hausec
curl -sSL "https://raw.githubusercontent.com/hausec/Bloodhound-Custom-Queries/refs/heads/master/customqueries.json" -o ~/.config/bloodhound/customqueries.json

# ZephrFish
curl -sSL "https://raw.githubusercontent.com/ZephrFish/Bloodhound-CustomQueries/refs/heads/main/customqueries.json" -o ~/.config/bloodhound/customqueries.json
```
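Each `curl` above overwrites `~/.config/bloodhound/customqueries.json`, which is why only one collection can be loaded at a time. As an added example (not part of this cheatsheet, of BloodHound, or of any of the linked collections), the Python script below validates several `customqueries.json` files and merges them into one file, so more than one collection can be loaded at once. The file layout it assumes is the one BloodHound Legacy reads (`{"queries": [{"name", "category", "queryList": [{"final", "query"}]}]}`); the two embedded sample documents are constructed, and the script name `merge_customqueries.py` is hypothetical.

```python
#!/usr/bin/env python3
"""Validate and merge BloodHound Legacy customqueries.json files.

Added example for this cheatsheet; not part of BloodHound or of any linked query
collection. Assumed layout (what BloodHound Legacy reads from
~/.config/bloodhound/customqueries.json):

    {"queries": [{"name": "...", "category": "...",
                  "queryList": [{"final": true, "query": "MATCH ... RETURN ..."}]}]}
"""
import json
import sys
from pathlib import Path

REQUIRED_QUERY_KEYS = {"name", "queryList"}

# Two constructed sample documents standing in for downloaded customqueries.json files.
# "Domain Admins members" appears in both so the merge has a conflict to resolve.
SAMPLE_A = {"queries": [
    {"name": "Domain Admins members", "category": "Sample A", "queryList": [
        {"final": True, "query": "MATCH (m)-[:MemberOf]->(g:Group) WHERE g.objectid ENDS WITH '-512' RETURN m"}]},
    {"name": "Count users", "category": "Sample A", "queryList": [
        {"final": True, "query": "MATCH (u:User) RETURN count(u)"}]},
]}
SAMPLE_B = {"queries": [
    {"name": "Domain Admins members", "category": "Sample A", "queryList": [
        {"final": True, "query": "MATCH p=(m)-[:MemberOf*1..]->(g:Group) WHERE g.objectid ENDS WITH '-512' RETURN p"}]},
    {"name": "Computers with unsupported OS", "category": "Sample B", "queryList": [
        {"final": True, "query": "MATCH (c:Computer) WHERE c.operatingsystem =~ '(?i).*(2000|2003|2008|xp|vista).*' RETURN c"}]},
]}


def validate_queries(doc):
    """Return a list of problems found in one document (empty when it is usable)."""
    if not isinstance(doc, dict) or not isinstance(doc.get("queries"), list):
        return ['top level must be {"queries": [...]}']
    problems = []
    for i, q in enumerate(doc["queries"]):
        if not isinstance(q, dict):
            problems.append(f"query #{i} is not an object")
            continue
        missing = REQUIRED_QUERY_KEYS - set(q)
        if missing:
            problems.append(f"query #{i} missing keys: {sorted(missing)}")
            continue
        if not isinstance(q["queryList"], list) or not q["queryList"]:
            problems.append(f"query {q['name']!r} has an empty queryList")
            continue
        for step in q["queryList"]:
            # Every step needs non-blank Cypher, otherwise BloodHound shows an empty query.
            if not isinstance(step, dict) or not str(step.get("query", "")).strip():
                problems.append(f"query {q['name']!r} has a step without Cypher text")
    return problems


def merge_queries(docs):
    """Combine documents; on a duplicate (category, name) the later source wins."""
    merged = {}
    for doc in docs:
        for q in doc["queries"]:
            merged[(q.get("category", ""), q["name"])] = q
    return {"queries": list(merged.values())}


def main(argv):
    if len(argv) < 3:
        # No files given: demonstrate on the constructed samples.
        print(json.dumps(merge_queries([SAMPLE_A, SAMPLE_B]), indent=2))
        return 0
    out_path, in_paths = argv[1], argv[2:]
    usable = []
    for path in in_paths:
        doc = json.loads(Path(path).read_text(encoding="utf-8"))
        problems = validate_queries(doc)
        for problem in problems:
            print(f"{path}: {problem}", file=sys.stderr)
        if not problems:
            usable.append(doc)
    result = merge_queries(usable)
    Path(out_path).write_text(json.dumps(result, indent=2), encoding="utf-8")
    print(f"wrote {out_path} with {len(result['queries'])} queries; restart BloodHound to load it")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Download each collection to its own file first (for example `-o exegol.json` instead of the shared path), then run `python3 merge_customqueries.py ~/.config/bloodhound/customqueries.json exegol.json compass.json` and restart BloodHound. Files that fail validation are reported on stderr and left out rather than producing a file BloodHound refuses to parse.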

### Purging Neo4j Database

This wipes all data from the database. On the next start neo4j will require new credentials to be set again at <http://localhost:7474/browser/>.

```bash
# Stop neo4j first, remove the database and transaction files, then start neo4j again
sudo rm -Rf /etc/neo4j/data/databases/*
sudo rm -Rf /etc/neo4j/data/transactions/*
```

## Bloodhound Community Edition

### Install

```bash
sudo apt-get install docker-compose
curl -L https://ghst.ly/getbhce | docker compose -f - up

# On the first run, search the terminal output for the generated initial password.
# Go to http://localhost:8080 and log in as admin with that password.
```

{% hint style="info" %}
Keep in mind that BloodHound captures a 'snapshot' of Active Directory as it was at collection time, so results may differ when data is collected again later.
{% endhint %}

## Resources

* <https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/>
* <https://sansorg.egnyte.com/dl/zscX9KYH5M/?>
* <https://github.com/BloodHoundAD/BloodHound/releases>
