
BloodHoundCli

Collection of various utilities to aid in Pentesting with BloodHound.

Setup

  1. Install Podman and docker-compose.

  2. Configure rootless containers for Podman.

  3. Enable the Podman socket for your user.

    systemctl --user enable --now podman.socket

  4. Install this Python package with pipx.

    pipx install git+https://github.com/dadevel/bloodhoundcli.git@main

Custom Queries

If you don't want to use BloodHoundCli and are here just for the custom queries, run the command below. Otherwise the queries are installed automatically when you create your first BloodHoundCli project.

curl -Lo ~/.config/bloodhound/customqueries.json https://github.com/dadevel/bloodhoundcli/raw/main/bloodhoundcli/data/customqueries.json

The queries are based on work by @luemmelsec and @martinsohn. Thank you!

Project Management

Projects are managed with Podman containers. Only one project can be active at a time. Each project consists of BloodHound Community Edition, Neo4j and Postgres.

bloodhoundcli setup-project example1
bloodhoundcli shutdown-project example1
bloodhoundcli setup-project example2
bloodhoundcli list-projects
bloodhoundcli destroy-project example1
bloodhoundcli destroy-project example2

Authentication

  • BloodHound Legacy: bolt://localhost:7687/, username neo4j, empty password
  • Neo4j: http://localhost:7474/, username neo4j, empty password
  • BloodHound Community Edition: http://localhost:7575/, username admin@bloodhound, empty password

Data Collection

Data sources: AzureHound and SharpHound. Ingest their output files with a single command:

bloodhoundcli import-bhce ./azurehound.json ./*_BloodHound.zip

CLI Integration

Quickly fetch data from Neo4j for use with other tools or import data from other tools into BloodHound.

bloodhoundcli query 'MATCH (u:User {enabled: true}) RETURN u.samaccountname' > ./users.txt
bloodhoundcli query -s 'MATCH (u:User {name: toUpper($stdin)}) SET u.owned=true RETURN u.name' << EOF
[email protected]
[email protected]
EOF
bloodhoundcli query -s -j 'MATCH (u:User {name: $stdin.name}) SET u.foo=$stdin.value RETURN u.name' << EOF
{"name": "[email protected]", "value": "bar"}
{"name": "[email protected]", "value": "baz"}
EOF

NTDS Import

Run the output of a DCSync from impacket-secretsdump through Hashcat with multiple wordlists and rulesets. LM hashes and pre-created (pre-Windows 2000) computer accounts are cracked automatically unless --no-lm-brute or --no-pre2k, respectively, is specified.

impacket-secretsdump -just-dc -outputfile corp.local -k -no-pass dc01.corp.local
bloodhoundcli generate-wordlist > ./custom-words.txt  # made of usernames, descriptions, etc.
bloodhoundcli hashcat-ntds -t ./clem9669-wordlists/dictionnaire_de ./clem9669-hashcat-rules/clem9669_medium.rule -t ./custom-words.txt ./unicorn-hashcat-rules/unicorn\ rules/SuperUnicorn.rule -t ./weakpass-3.txt ./unicorn-hashcat-rules/unicorn\ rules/Unicorn250.rule -p ./hashcat.potfile ./*.ntds

Import the DCSync output and the Hashcat potfile into BloodHound (inspired by @knavesec and @syss-research). This adds Credential objects with nthash, lmhash and password properties and connects users to them with HasCredential and AssignedTo edges.

bloodhoundcli import-ntds -p ./hashcat.potfile ./*.ntds

Note: bloodhoundcli assumes that the name of the NTDS file minus the .ntds suffix is the FQDN of the domain. This means the output of a DCSync against dc01.subdomain.corp.local should be named subdomain.corp.local.ntds.

NetExec Integration

Import nodes for standalone computers and local users by leveraging the SQLite database of NetExec. This includes nthash properties from SAM dumps and AdminTo as well as HasCredential and AssignedTo edges e.g. to identify local admin password reuse.

bloodhoundcli import-netexec ~/.nxc/workspaces/default/smb.db

Manual Session Collection

Add historical session data as well as inferred RDP and local admin edges (original idea from @rantasec). First export recent logons from Windows Event Logs with Get-RecentLogons.ps1, then transfer the JSON output to your computer and finally import it into Neo4j.

bloodhoundcli import-winevents ./logons.json

Weighted Graph

Assign weights to edges in BloodHound (based on work by @riccardoancarani and @jmbesnard).

bloodhoundcli enrich

Now you can use queries like the following to find the cheapest path to Domain Admin (lowest total edge cost) instead of the shortest one (fewest hops).

MATCH (a {owned: true}) MATCH (b {highvalue: true}) CALL apoc.algo.dijkstra(a, b, '>', 'cost') YIELD path RETURN path;

Contributors

dadevel, dependabot[bot], ret2src, q2flc2fysec
