BloodHound

Bloodhound Legacy

Install

# Install and run neo4j
sudo apt-get install neo4j
sudo neo4j console

# Download Bloodhound legacy binary, unpack and execute
wget "https://github.com/SpecterOps/BloodHound-Legacy/releases/download/v4.3.1/BloodHound-linux-x64.zip"
unzip BloodHound-linux-x64.zip
cd BloodHound-linux-x64
./BloodHound --no-sandbox --disable-gpu

Ingestors

Standard

# Standard local execution
./SharpHound.exe --CollectionMethods All,GPOLocalGroup
Invoke-BloodHound -CollectionMethod "All,GPOLocalGroup"

ShadowHound

# ShadowHound (PowerShell): https://github.com/Friends-Security/ShadowHound
ShadowHound-DS -Server "DC01.security.local" -OutputFile "$PWD\ldap_output.txt"

# Split large output files if required (https://github.com/Friends-Security/ShadowHound/blob/main/split_output.py)
python3 split_output.py -i ldap_output.txt -o pyldapsearch_ldap -n 100

# Use bofhound to convert the ldapsearch-style output into BloodHound JSON (pipx install bofhound)
bofhound -i ./folder -p All --parser ldapsearch

Custom Queries

Replace customqueries.json with one of the files below to update the custom queries within BloodHound. Remember to restart BloodHound after changing the JSON file.

Locate custom queries file

find ~/ -type f -name customqueries.json 2>/dev/null

Add one of the queries below:

# CompassSecurity
curl -sSL "https://raw.githubusercontent.com/CompassSecurity/BloodHoundQueries/master/BloodHound_Custom_Queries/customqueries.json" -o ~/.config/bloodhound/customqueries.json

# hausec
curl -sSL "https://raw.githubusercontent.com/hausec/Bloodhound-Custom-Queries/refs/heads/master/customqueries.json" -o ~/.config/bloodhound/customqueries.json

# ZephrFish
curl -sSL "https://raw.githubusercontent.com/ZephrFish/Bloodhound-CustomQueries/refs/heads/main/customqueries.json" -o ~/.config/bloodhound/customqueries.json
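Overwriting customqueries.json with one file drops whatever the others offered. The helper below, added here as an example and not part of the original page or of any of the query repositories above, validates the BloodHound Legacy customqueries.json shape and merges several files, keeping the first query seen for each category/name pair; the two sample documents and their Cypher are constructed, not the real repository contents.

```python
import json
from pathlib import Path

# Shape of a BloodHound Legacy customqueries.json:
# {"queries": [{"name": str, "category": str (optional),
#               "queryList": [{"final": bool, "query": str, ...}]}]}

def load_queries(text: str) -> list[dict]:
    """Parse one customqueries.json document and return its validated query entries."""
    doc = json.loads(text)
    queries = doc.get("queries")
    if not isinstance(queries, list):
        raise ValueError("top-level 'queries' list missing")
    for q in queries:
        if not isinstance(q.get("name"), str) or not q["name"].strip():
            raise ValueError(f"query without a name: {q!r}")
        qlist = q.get("queryList")
        if not isinstance(qlist, list) or not qlist:
            raise ValueError(f"{q['name']}: 'queryList' must be a non-empty list")
        for step in qlist:
            if not isinstance(step.get("query"), str):
                raise ValueError(f"{q['name']}: every queryList entry needs a 'query' string")
    return queries

def merge_queries(*docs: str) -> dict:
    """Merge several customqueries.json documents; the first (category, name) seen wins."""
    merged, seen = [], set()
    for text in docs:
        for q in load_queries(text):
            key = (q.get("category", ""), q["name"])
            if key in seen:
                continue          # duplicate from a later file is dropped
            seen.add(key)
            merged.append(q)
    return {"queries": merged}

# Constructed sample documents (not the CompassSecurity/hausec/ZephrFish files).
SAMPLE_A = json.dumps({"queries": [
    {"name": "Find all Domain Admins", "category": "Admins",
     "queryList": [{"final": True, "query": "MATCH (n:Group) WHERE n.objectid =~ '(?i)S-1-5-.*-512' MATCH p=(m)-[:MemberOf*1..]->(n) RETURN p"}]},
]})
SAMPLE_B = json.dumps({"queries": [
    {"name": "Find all Domain Admins", "category": "Admins",        # duplicate, dropped
     "queryList": [{"final": True, "query": "MATCH (n) RETURN n LIMIT 1"}]},
    {"name": "Kerberoastable users", "category": "Kerberos",
     "queryList": [{"final": True, "query": "MATCH (u:User {hasspn:true}) RETURN u"}]},
]})

if __name__ == "__main__":
    out = Path.home() / ".config" / "bloodhound" / "customqueries.json"   # path from this page
    print(json.dumps(merge_queries(SAMPLE_A, SAMPLE_B), indent=2))
    print(f"# write the result to {out} and restart BloodHound")
```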

Purging Neo4j Database

This wipes all data from the database. You will need to set new credentials again at http://localhost:7474/browser/

# Remove the relevant database files (restart neo4j afterwards)
sudo rm -Rf /etc/neo4j/data/databases/* /etc/neo4j/data/transactions/*

Bloodhound Community Edition

Install

sudo apt-get install docker-compose
curl -L https://ghst.ly/getbhce | docker compose -f - up

# When it has finished, search the terminal output (on first run) for the generated password.
# Go to http://localhost:8080 and log in as Admin with that password.

Keep in mind that Bloodhound captures a 'snapshot' of the current state of Active Directory at the time of capture and as such results may change when captured again in the future.

Resources
